10

I've been reading about ZeroAccess and looking into some bot source code*, and I found this piece of code, which checks if filemon is running on the infected computer before running the bot.

    #include <windows.h>
    #include <vector>

    // Bot's own helper (defined elsewhere in its source, not shown here; signature assumed):
    // collects the PIDs of running processes whose image name matches `name`.
    void GetProcessID(const char *name, std::vector<DWORD> &pids);

    int pmain3()
    {
        std::vector<DWORD> SetOfPID;
        GetProcessID("filemon", SetOfPID);
        if (SetOfPID.empty())
        {
            // Nothing found running, safe to execute the bot.
        }
        else
        {
            // One of the processes was found running, exit the install.
            ExitProcess(0);
        }
        return 0;
    }

It's not the only one. There are others checking for Wireshark, tcpview, procmon, VM, VirtualBox, sandBox ...

In this case, how can I analyze an infected computer, and how could I find the infected process?

PS: [*] taken from the IMbotMod V4.1 botnet

mcgyver5
Barttttt
  • I'm supposing that one of the solutions is to do the scan from another computer on the network by targeting the infected host. But until now I can't find another way to identify the infected process. – Barttttt Apr 05 '14 at 23:12

3 Answers

3

Malware was detecting the presence of Rootkit Revealer, so they changed the way that program ran. It is now started by a Windows service with a randomized executable name.

Similarly, you could use a supervisor process to launch procmon and any other detected executables under "assumed" names.

mcgyver5
  • Could you please show us an example of using a supervisor process to launch another piece of software, as you explained above? – Barttttt Jun 19 '14 at 19:15
3

It's an arms-race! Theoretically, you cannot inspect a system from within itself. You need to be one level above: if you want to inspect user-space malware, you need to be in kernel land. If you want to inspect kernel malware, be in the hypervisor.

Practically, for your case, you can try to change common analysis tools to avoid detection by the malware. For example, you can rename filemon to fmon, or you can create your own analysis tools that the malware author doesn't know about.

If you want to find a malware process which is checking for analysis tools, try hooking GetProcessID. After filtering noise, you'll discover malware which is using the function.

fel1x
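As an added example (it is not code from the question, from mcgyver5's answer or from fel1x's answer), here is a small Python supervisor that does what both answers describe: it reproduces the case-insensitive substring check that the bot's GetProcessID("filemon", ...) call performs, then copies an analysis tool to a random file name that such a check will not match and starts it from there. The BLACKLIST is assembled from the names mentioned in the question (the real bot's full list is not shown); the file that demo() stages is a constructed stand-in, not a real Procmon.exe.

```python
"""Emulate the bot's process-name check and launch a tool under an assumed name."""
import os
import random
import shutil
import string
import subprocess
import tempfile

# Names taken from the question; the bot's full list is not known here.
BLACKLIST = ("filemon", "wireshark", "tcpview", "procmon", "virtualbox", "sandbox")


def is_flagged(exe_name, blacklist=BLACKLIST):
    """Case-insensitive substring match, the kind of check the bot's helper performs."""
    name = exe_name.lower()
    return any(bad in name for bad in blacklist)


def random_name(length=8, rng=random):
    """Random lowercase alphanumeric file stem, e.g. 'k3x9qz0a'."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length))


def stage_under_assumed_name(src, dst_dir, blacklist=BLACKLIST):
    """Copy `src` into `dst_dir` under a random name (same extension) and return the new path.
    Re-rolls the name in the unlikely case the random stem itself matches the blacklist."""
    ext = os.path.splitext(src)[1]
    while True:
        candidate = random_name() + ext
        if not is_flagged(candidate, blacklist):
            break
    dst = os.path.join(dst_dir, candidate)
    shutil.copy2(src, dst)
    return dst


def launch_under_assumed_name(src, args=(), dst_dir=None):
    """Supervisor: stage the tool under an assumed name and start it from there.
    Returns (staged_path, Popen) so the caller can wait on or kill the tool."""
    dst = stage_under_assumed_name(src, dst_dir or tempfile.gettempdir())
    proc = subprocess.Popen([dst, *args])
    return dst, proc


def demo():
    """Self-contained run on a constructed stand-in for Procmon.exe (no real tool needed)."""
    workdir = tempfile.mkdtemp()
    fake_tool = os.path.join(workdir, "Procmon.exe")
    with open(fake_tool, "wb") as f:
        f.write(b"MZ fake procmon body")  # constructed placeholder, not a real PE image
    staged = stage_under_assumed_name(fake_tool, workdir)
    with open(staged, "rb") as a, open(fake_tool, "rb") as b:
        identical = a.read() == b.read()
    return {
        "original_flagged": is_flagged(os.path.basename(fake_tool)),
        "staged_flagged": is_flagged(os.path.basename(staged)),
        "staged_basename": os.path.basename(staged),
        "content_identical": identical,
    }


if __name__ == "__main__":
    print(demo())
```

On a real machine you would call something like launch_under_assumed_name(r"C:\Tools\Procmon64.exe", ["/AcceptEula", "/Quiet"]) from a box where the tool is installed. The copy is byte-for-byte identical, so only name-based checks are defeated: the window title, the version resource and the file hash are unchanged, and a bot that looks at any of those still sees the tool.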
0

Another possibility would be static analysis of the binary using a disassembler (IDA Pro for example) to identify the programs it is looking for.

You could then patch the binary (using IDA or some Hex-Editor) to either skip the checks or modify the strings so that it would look for fileman or abcdefg instead of filemon.

asquared
  • Sorry, I thought you meant analysing the binary, assuming that you are able to find it. – asquared Jun 17 '14 at 10:10
  • What if you can't find the binary because the malware would not let you use any monitoring software to find it? – Barttttt Jun 19 '14 at 22:45
  • Like mcgyver5 said: you could start your monitoring software giving it another/random name. But this will only help you with "simple" checks like the one in your example. If you have open source monitoring software, you could compile it and statically link it on another computer so that it is "immune" to modified libraries or hooked function calls. Maybe you can also check the documentation for tools like rkhunter to find some tricks to find software that hides itself. – asquared Jun 23 '14 at 07:43
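As an added example (not code from asquared's answer or from any real tool), here is a Python helper that performs the string patch the answer describes: it rewrites filemon to fileman (or any other same-length name) wherever the string occurs, in both the ANSI and the UTF-16LE encoding a Windows executable may store it in, and refuses any replacement that would change the string's length. SAMPLE is a constructed stand-in for the bot binary, not real malware bytes.

```python
"""Patch the tool-name strings a binary compares against, keeping every string's length."""


def encode_variants(s):
    """Byte encodings a Windows binary is likely to hold `s` in: ANSI/ASCII and UTF-16LE."""
    return (s.encode("ascii"), s.encode("utf-16-le"))


def can_patch(old, new):
    """Only same-length replacements are safe: a longer or shorter string would shift
    every byte after it and break the binary's internal offsets."""
    return len(old) == len(new)


def patch_strings(blob, old, new):
    """Replace every occurrence of `old` with `new` in both encodings.
    Returns (patched_bytes, number_of_replacements); raises on a length change."""
    if not can_patch(old, new):
        raise ValueError("replacement must have the same length as the original")
    data = bytearray(blob)
    count = 0
    for needle, replacement in zip(encode_variants(old), encode_variants(new)):
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx < 0:
                break
            data[idx:idx + len(needle)] = replacement
            count += 1
            start = idx + len(replacement)
    return bytes(data), count


def patch_file(path, replacements):
    """Apply a list of (old, new) pairs to the file at `path` in place; returns total hits."""
    with open(path, "rb") as f:
        blob = f.read()
    total = 0
    for old, new in replacements:
        blob, hits = patch_strings(blob, old, new)
        total += hits
    with open(path, "wb") as f:
        f.write(blob)
    return total


# Constructed stand-in for the bot: an ANSI "filemon", a UTF-16LE "procmon" and an
# ANSI "wireshark" surrounded by padding, as a real binary's .data/.rdata might hold them.
SAMPLE = (
    b"\x00" * 8
    + b"filemon\x00"
    + "procmon".encode("utf-16-le") + b"\x00\x00"
    + b"wireshark\x00"
    + b"\x00" * 8
)


if __name__ == "__main__":
    patched, hits = patch_strings(SAMPLE, "filemon", "fileman")
    print(hits, b"filemon" in patched, b"fileman" in patched)
```

For a real sample, run patch_file() on a copy, for example patch_file("bot_patched.exe", [("filemon", "fileman"), ("procmon", "abcdefg")]), and confirm the result with strings or a hex editor before executing it in the sandbox. If the names are built at runtime or compared by hash there is no plaintext to patch, and you fall back on the answer's other option: patching the conditional jump after the check so the bot takes the "nothing found" path.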