The Case of the Intelligent Spambot

This is the second case study that was sent to Mark Russinovich, Microsoft, which earned me a signed copy of the 5th Edition of Windows Internals.

I woke up last Sunday to my friend’s unforgivable rumblings about the Internet speed, sitting at the lone desktop in our room. I quickly ducked my head under the covers; what would I expect from a 128 Kb line, 13 or maybe 14 Kbps transfer speed? I tried to convince him, half asleep, that it was natural, but when he said he had been downloading a 642 KB Word document for the past 15 minutes, I had to sit up in bed. We had never had a speed issue with the ISP; I was hoping this was a first.

I quickly opened the Windows Task Manager, expecting to see some unheard-of process stealing my bandwidth. The processes didn’t look funny, at least not all of them, because I hardly have 15 different processes running on my system. But two things stood out: an unexpected number of svchost.exe instances, and a process called rs32net.exe. I quickly fired up Process Explorer for a more detailed look and to see what new services were being run. The Image tab of the Process Explorer Properties dialog for rs32net.exe quickly confirmed my suspicions about its intentions.

I had seen files like these before, although I wasn’t sure yet what was eating my bandwidth. I fired up a command prompt and typed netstat -a. I almost fainted at the speed at which the screen scrolled by. My computer was trying to connect to the SMTP ports of several systems online! I was taken aback by my system’s betrayal. Here’s a snipped output from netstat.

I needed professional help. I quickly fired up TCPView from Sysinternals. Looking at the hundreds of connections being requested did not hurt as much as knowing which processes were responsible.

I finally had to agree that my system was infected by a spambot. Anybody else would have been terrified; I was excited. This was the first time I had come face to face (well, not literally) with a spambot. I still couldn’t figure out how rs32net.exe fit into the picture, so I simply killed it to take a look at later. The spambot was first connecting to multiple HTTP servers, presumably to download a list of addresses to which it had to attempt connections. It then proceeded to connect to the several computers that were visible in the list in TCPView.
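As an added example (my code, not from the original post), here is the same triage done from netstat -ano output instead of by eye: the script groups TCP connections by owning PID and reports any process that is connected, or connecting, to the SMTP port of several different hosts at once, with the SYN_SENT count as the number of attempts still in flight. The netstat listing, addresses and PIDs are constructed for the example; the -o switch that adds the PID column is available on Windows XP and later.

```python
from collections import defaultdict

# Constructed sample of "netstat -ano" output (not captured from the post's machine).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.168.1.5:1090       203.0.113.10:80        ESTABLISHED     1120
  TCP    192.168.1.5:1091       198.51.100.7:25        SYN_SENT        1120
  TCP    192.168.1.5:1092       198.51.100.8:25        SYN_SENT        1120
  TCP    192.168.1.5:1093       198.51.100.9:25        ESTABLISHED     1120
  TCP    192.168.1.5:1094       198.51.100.10:25       SYN_SENT        1120
  TCP    192.168.1.5:1095       203.0.113.20:443       ESTABLISHED     2044
  TCP    192.168.1.5:1096       203.0.113.30:25        ESTABLISHED     2044
  UDP    0.0.0.0:445            *:*                                    4
"""

SMTP_PORTS = {25, 465, 587}   # SMTP and the submission ports a mail client would use


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples from netstat -ano output.

    Header lines and anything that is not a TCP/UDP row are skipped; UDP rows
    have no State column, so the field count tells the two layouts apart.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        rows.append((proto, local, remote, state, int(pid)))
    return rows


def split_endpoint(addr):
    """'198.51.100.7:25' -> ('198.51.100.7', 25); '[::1]:25' -> ('[::1]', 25); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def smtp_fanout(text, min_hosts=3):
    """Map PID -> {'total', 'syn_sent', 'hosts'} for processes connected or
    connecting to SMTP ports on at least min_hosts distinct remote hosts.
    A mail client talks to one or two servers; a spambot fans out to many."""
    stats = defaultdict(lambda: {"total": 0, "syn_sent": 0, "hosts": set()})
    for proto, _local, remote, state, pid in parse_netstat(text):
        host, port = split_endpoint(remote)
        if proto != "TCP" or port not in SMTP_PORTS:
            continue
        entry = stats[pid]
        entry["total"] += 1
        entry["hosts"].add(host)
        if state == "SYN_SENT":
            entry["syn_sent"] += 1
    return {pid: s for pid, s in stats.items() if len(s["hosts"]) >= min_hosts}


if __name__ == "__main__":
    for pid, s in smtp_fanout(SAMPLE_NETSTAT).items():
        print(f"PID {pid}: {s['total']} SMTP connections to {len(s['hosts'])} hosts, "
              f"{s['syn_sent']} still in SYN_SENT")
```

On a live machine, feed it the output of netstat -ano and map the flagged PID back to an image with tasklist or Process Explorer; in the post the offending PIDs would have been the extra svchost.exe instances. The threshold of three distinct hosts is a heuristic, so a machine that legitimately relays mail needs it raised.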

I first dumped the strings in memory for one of the svchost.exe instances and saved them for later analysis. The strings that I saw were definitely not part of svchost.

Since svchost was involved, I opened up the Services Management Console and checked what services were running on my system. Two services looked out of place: no descriptions, set to Automatic, yet not started.

I had never heard of them before and decided to take a look at their properties to determine which executable they pointed to. I was surprised to see a colon in the filename of the executable, and immediately realised what it was. I honestly had not expected an NTFS Alternate Data Stream spambot to affect my system.

The ext.exe that comes after svchost.exe is an NTFS ADS, or Alternate Data Stream. To access an ADS you specify the “host” file, followed by a colon and the name of the stream. Every file on an NTFS partition has at least one stream: the file’s own data lives in the unnamed default stream, which can be addressed explicitly as filename::$DATA.
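To make the naming concrete, here is an added example (my code, not from the post) that splits the host:stream:$TYPE syntax and applies it to service ImagePath values of the kind shown in the Services console: a service whose binary lives in a named stream of another file is flagged. The ImagePath values are constructed for the example; FCI and ICF are the service names from this post, but the values attached to them here are made up, as are the Dhcp, Spooler and Plain entries.

```python
import re
from typing import NamedTuple


class StreamRef(NamedTuple):
    host: str      # the file that owns the stream
    stream: str    # "" for the unnamed default stream
    stype: str     # stream type; ordinary file data is $DATA


# Optional NT object prefix, then a drive letter with its colon, then the rest of the path.
_DRIVE = re.compile(r"^(\\\?\?\\)?([A-Za-z]:)(.*)$", re.S)


def split_ads(path):
    """Split NTFS 'host:stream:$TYPE' syntax, treating the drive-letter colon as
    part of the path.  'C:\\x\\f.exe' and 'C:\\x\\f.exe::$DATA' both name the default
    stream; 'C:\\x\\f.exe:ext.exe' names the alternate stream 'ext.exe'."""
    prefix, rest = "", path
    m = _DRIVE.match(path)
    if m:
        prefix = (m.group(1) or "") + m.group(2)
        rest = m.group(3)
    parts = rest.split(":")
    host = prefix + parts[0]
    stream = parts[1] if len(parts) > 1 else ""
    stype = parts[2] if len(parts) > 2 and parts[2] else "$DATA"
    return StreamRef(host, stream, stype)


def image_path_binary(image_path):
    """Pull the executable out of a service ImagePath, dropping arguments such as -k netsvcs."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""


def ads_service_paths(image_paths):
    """Return {service: StreamRef} for services whose binary is a named ADS."""
    return {name: ref for name, ref in
            ((n, split_ads(image_path_binary(p))) for n, p in image_paths.items())
            if ref.stream}


# Constructed ImagePath values (not read from the post's registry).
SAMPLE_SERVICES = {
    "Dhcp":    r"%SystemRoot%\System32\svchost.exe -k netsvcs",
    "Spooler": r"%SystemRoot%\system32\spoolsv.exe",
    "FCI":     r"C:\WINDOWS\System32\svchost.exe:ext.exe",
    "ICF":     r'"C:\WINDOWS\System32\svchost.exe:ext.exe" -k netsvcs',
    "Plain":   r"C:\WINDOWS\System32\svchost.exe::$DATA",
}

if __name__ == "__main__":
    for name, ref in ads_service_paths(SAMPLE_SERVICES).items():
        print(f"{name}: binary is stream '{ref.stream}' of {ref.host}")
```

On a real system the ImagePath values come from the keys under HKLM\System\CurrentControlSet\Services that the post goes on to delete; once you have the host file, Sysinternals Streams or PowerShell’s Get-Item -Stream * lists every stream attached to it, including ones a service no longer references.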

That was interesting enough to whet my appetite to go on. I took a quick morning break, freshened up and sat back at the desk to continue my investigation. I now knew the exact file that was causing the issue, and I wanted to extract the ADS and store it in the collection of malware that I keep on my computer. I used Streams from Sysinternals to view the ADS size. Streams gives you an option to delete the ADS, but I wanted to extract it.

That is when I had to use a GUI tool that I had written long ago, called NTStream, for a software competition when I was still in college. I ran NTStream, just to be safe, on the whole Windows directory. NTStream scanned 2318 directories and 26802 files in under a minute and displayed the search result in its ListView interface.

I extracted the stream for later research and then deleted it, along with the FCI and ICF service entries from the Windows Registry under HKLM\System\CurrentControlSet\Services\FCI and HKLM\System\CurrentControlSet\Services\ICF respectively. I then deleted rs32net from the System32 directory, just in case, and proceeded to re-enable my network connection, which I had disabled to prevent the ISP calling me up or disconnecting me forever from the online world for using my system to spam.

As soon as I enabled the Internet connection, the flurry of network activity was reported again by TCPView. Damn! This was definitely the sign of an executable in memory, or some driver or DLL, that was still doing what it was supposed to do: spam.

I fired up Procmon to view disk activity, just in case, to see if svchost was acting funny elsewhere on the hard drive. Never before in my life had I been greeted with this by Procmon.

I was sure I was an Administrator on my system. Very sure about it. I checked just in case, wondering whether I had been downgraded to a limited user by some hitherto unknown power. The command net user %username% at a command prompt told me I was very much an Administrator and a member of the Debuggers group. I ran Procmon again and viewed its properties in Process Explorer to make sure it had SeLoadDriverPrivilege enabled. It very much did.

This was weird. The only hope I now had was Sysinternals’ RootkitRevealer. I quickly pulled it out of my toolkit and ran it in its default scanning mode, hoping it would return something more concrete.

The scan revealed several discrepancies, but what caught my attention was the lone result from the file system right at the bottom of the 3576 entries. The only way I could think of to access the file was to boot from an alternate medium and check, but luckily I had installed a copy of the Recovery Console on my system. I restarted the computer into the Recovery Console, navigated to the C:\Windows\System32\Drivers directory and issued a dir tj* command. I was delighted to see the file there. Although I had not exactly figured out the role of the TJTXSGTX.SYS driver in this whole case, I was nevertheless delighted that the file was at least visible under the Recovery Console. I promptly deleted the file and restarted the computer normally. I then enabled my Internet connection and waited with bated breath for the sequence to start again. After 5 minutes of suspense, when nothing happened, I decided to close the case after running sfc /scannow.

PS: By the way, my friend installed a popular antivirus and managed to clean other infections later in the evening. He claimed it took him a little over 30 minutes, unlike me. I appreciate his humor.

The Aftermath.

This incident happened somewhere in February 2008.

I was woken by the shrill ringing of my dad’s alarm clock. I jumped up in bed and rummaged around to silence the annoying ring still wondering why the alarm was ringing in my room. I finally managed to find it tucked under the bed covers in the most inaccessible corner of the bed. Silencing it I rubbed my eyes looking at the time that it displayed. 4:00!! Never in my 12 years of schooling, 2 years of high school and 4 years of Engineering did I ever wake up at 4:00.. This was absurd. I shook the damn clock, picked up my mobile phone and checked the time again. It showed 4:04 AM, but the 4 additional minutes towards another lazy morning didn’t warm my spirits. I chucked the clock on the table in some far reclusive corner under a pile of programming books and slumped back in the warmth of my bed, sinking in its soft clutches stretching my legs as far as they would go in the depth of my bed covers. I had just pulled the pillow over my head when the door knocked. I ignored the first 3 knocks but then they came harder. 6 knocks in line, loud and resonating, probably produced with hands the size of dustbin lids. Wondering if there could be a mountain troll standing out ready to nail me at this unearthly hour, I reluctantly pulled myself up, heaved my drowsy legs on to the floor and swayed towards the door muttering under my breath. The energy required to walk across my room to the door was devastatingly colossal. The knocks sounded again, louder this time. I prayed it wasn’t my youngest brother playing another of his out of the box tricks on me. If it was, I would drown him in the tub. I turned the knob and yanked the door a bit.

My father pushed the door open and half walked, half ran in. Jubilant and with twinkling eyes, as though he had won an argument with my mom, he put on the lights and started rambling something incoherent to my drowsy ears. “Are u even listening!!??”, he was almost towering over me. “Haan dad, what happened, its 4:00 in the morning…. (yawn..) for heaven’s sake can we like talk at 10:00 or something… (yaaaaawwwwwn…)”.

“My son this is not the time to sleep, this is the time to exercise, to keep yourself fit, to work out, to play…” I looked at him, “What are you saying dad?? Exercise?? Play?? I come to Goa so that I can escape the monotonous and hectic life of Bangalore and sleep peacefully, and you wake me up at 4:00 in the morning, no prior warnings, nothing, and half expect me to exercise?? What’s got into you?” I wasn’t rude, but was satisfied that I had put my point across firmly. I thought that this argument would silence him. “Son, my dear son you do not understand. You are naive. Your company is manipulating you. You don’t have to worry about Internet and Web Security, there are loads of people out there who can take care of that. I understand it sounds all cool to be called a Hacker, but son you do not see the long term consequences that your job might offer you.” I looked at him mouth open, with an absurd expression. He had found 4:00 AM as a convenient time to express his opinion about my career?? I slumped on the chair nearest to me and looked at him. He took it as a cue to continue. “There are bigger things out there. What all do you expect to do with your salary, that does not even suffice your needs back there. Times are changing son, and it’s in the books that you have to flow with time.” I still couldn’t see where he was going. I didn’t protest this time, but looked at him awe struck allowing my pupils to dilate and stare beyond him. “So dad, what do you want me to do? Tell me quickly so that I can find some of my lost sleep.” I didn’t want to look at my bed. My skin crawled with nostalgic memories of the soft feel of my bed, pillow, the sheets and my pyjamas… “I have a gift for you” he suddenly announced. I wondered what it could be. Was silently hoping it would be Raymond Chen’s The Old New Thing or Harry Potter and The Deathly Hallows in hardcover. “Go, freshen up first, we have a long morning ahead.” It was less of a request and more of an order. 
I reluctantly obeyed.

The hands obscenely gestured 4:35 on my wrist watch by the time I was ready. I took a last loving longing look at my soft bed, the pillows, the sheets and my inside out pajamas, locked my room and walked down to the living room. Both my brothers had already donned tracks, tees and sports shoes and were smiling triumphantly. The whole house had gone mad, I presumed, I looked appealingly towards my brothers, who just smiled stupidly. I missed my mother. Wished I could teleport to Mumbai, to my cousins, and sleep there, in her lap. That Jumper guy was fabulous. I was shaken out of my psionic stupor when my dad called out to me and placed a long heavy object concealed inside a thick plastic covering, in my hands. I looked down at it. With my brothers gasping and ooohh-ing in the background, I pulled the object from the depths of the cover just like Hrithik Roshan pulling out his sword out of the scabbard in Jodha Akbar. There I was holding a gleaming willow bat!! I ricocheted under the shock and irony of the whole situation. My dad wanted us to play cricket at this unearthly hour. What next?? I stood there, emotions of mutiny rising from every inch of my body. My youngest brother let out a war whoop similar to the one George of the Jungle lets out occasionally in well, George of the Jungle. “Dad, for all my forsaken years that I have lived, I haven’t played cricket. I haven’t even been on a pitch. For God’s sake I haven’t even lifted a bat before!!!” My father calmly replied, “Of course you have lifted a bat before. Don’t you remember when Santosh’s dog had chased you??” I could vaguely recollect that incident that had happened 3 years ago. But I had used the bat defensively, that too on the dog for heaven’s sake. And I remember missing the animal by miles. “Dad I couldn’t hit a Labrador with this” I said lifting the bat “do you expect me to hit a ball?? That too when it’s thrown at me at 60 odd mph!!!” I swear I could hear my brothers making fun of me. 
My father was nevertheless adamant. And pushed us out. I had never seen my brothers happier than this. I walked in silence holding the bat over my shoulders like a mace. It was almost dawn now. The place where I live is beautified by the silence it envisages occasionally to be broken by the chirping of birds or kids playing Ring a Ring o’ Roses…

I opened the gate to my house, with my brothers tearing off in short sprints across the lawn to the common ground that we shared with 24 other houses in the locality. I was surprised to see the ground crowded with people. Kids of all ages and sizes. I saw several familiar faces. There were even mothers feeding sandwiches (or something similar) to their wards while they wielded bats. India has gone crazy, I thought. I stood there watching everybody, the tantrums that some were throwing on becoming out. I was even surprised to see Nikita standing beautiful as ever, a pretty girl I vied for when I was in college.

Somebody tapped on to my shoulders from behind. I turned around to see another cricket enthusiast in complete field attire. He put forth his glove wrapped right hand. Out of instinct and base sanity I shook his hand and helloed him back. At this he removed his heavy, constricting looking helmet. I faltered where I stood. There stood Imran, a renowned bully and my brother’s old pal. Having strict parents was no consolation to him. I remember how the entire locality would stand in their balconies at precisely 9:45 on the Saturday that our results were declared when in school just to see his reddened report card fly out of his balcony and land on the road below. Then came the usual hollow “Aai ga, no dad I’m sorry… agli baar aise nahi hoga… sorry dad sorry… aaaaaaaaahhhh.” The tortures by his parents were constant reminders to us. He was bad, no, bad would be a mild word, disastrous would better define it, at studies. He was already 17 and was still to appear for his 10th Standard Exams in March. My friends said he was caned every night before going to bed just because he didn’t study and played a lot… Those stories would send shivers down my spine and God knows where else. But today he appeared vibrant and fresh. I searched for words to console his condition and to put some sense into his big fat head. Before I could speak, he asked me “Bhai for how many days are you going to be here??” I was defensive on that. I wondered what ulterior motives were involved. I wasn’t related to him or his dealings in any sort of way. The truth would be harmless I assumed. “Another 2 days probably” I replied. “How come you are out playing today? I thought your parents forced you to study and stuff.” I tried to look as innocent as possible, but with my drowsy eyes and lopsided body it wasn’t easy. He smiled at the question and delightedly replied “I don’t know what got into my father yesterday. He went and bought me a full cricket kit and asked me to play as much as I want. 
Wants to make a Dhoni out of me. Told me I could grow my hair as long as I wanted.” I wanted to laugh at him, but considered my situation; I too was in the same boat. He donned back his helmet and gestured me to come along.

My brother, it so happens, is pretty well known in the local fraternity. Kids kind of rally around him. I wasn’t surprised though with him being good friends with Imran. I walked to the end of the pitch and sat down on the grass boundary behind the wicket while my brother gave orders to 12 or so other kids. I had just started to visualize myself in my bed back at home when suddenly two pairs of arms lifted me off the ground and somebody pushed a helmet onto my head. Gloves were thrust into my hands, I looked around for help and noticed around ten boys, several of them my age standing looking at me. I imagined myself with a helmet and gloves on, must have looked funny because most of the boys snickered at me. Nikita too let out a gasp at seeing me on the ground probably realizing I wasn’t meant to be there. My brother came forth and pushed my new bat into my shivering hands and directed me towards the wicket. I faltered. God was this The End. Could it all be happening?? Give me a hundred application modules to write in Visual Basic, I’ll do it. Ask me what the full name of Albus Percival Wulfric Brian Dumbledore is, I’ll tell you. Order me to check some Russian Banking website for SQL Injection and Cross-Site Scripting, I’ll gladly do it, Ask me to parse Nessus XML files using C# and .NET and create Database Insert statements, I’ll really really do it… but don’t let me go on the pitch… please God… please…

I walked with all my courage, I’ll be honest I didn’t have any, to the pitch. A sudden silence had fallen over the place. I turned to look at Nikita, she was standing with her hands folded looking upwards expecting Gabriel to intervene. I faked a smile at her, even though she wasn’t looking at me. Her beautiful eyes were closed, I assumed she was praying or she did not have the heart to see me hit by a projectile moving over 60 mph. I turned around to see who was going to bowl me over. I wished I hadn’t seen him. It was a boy over 6 feet tall, heavily built and almost bald. Those dudes from Resident Evil looked milder. I gulped the last ounce of strength I had. Time seemed to slow down. Voices went all hoarse and electrified. A droplet of sweat from my forehead appeared to defy gravity and fall the length to the ground in what seemed like eternity. The bowler rushed up with all his speed, even in slow-mo he was faster than usual. It was then I realized I hadn’t worn my guard!! I panicked, dropped my bat and raised my right hand signaling the bowler to stop, with the left covering my possessions. Too late. The ball came at the speed of light and whhhhhhhhhhhaaaaaaaaaaammmmm…

I woke up with a scream… I felt around my bed and body sweating profusely. My room mate woke up with my cry and put on the lights wondering whether I had seen Jigsaw or Lord Voldemort himself. I returned to my senses. One scary nightmare that was. Damn the IPL, damn the cricketers, damn the auction and damn 20Twenty. I’m happy doing what I do. My room mate wore a concerned expression. I looked at him and smiled and giving no explanation told him to sleep. Poor chap, he hasn’t slept the whole of last week. His parents want him to come down to Goa for the annual State Cricket Selections, threatening him with dire consequences if he refuses. I identified my nightmare with his reality. Hope he and his family survive his appraisal in one piece. Then I turned around and went back to the warmth of my soft bed, the sheets, the pillow and my pajamas.

USB Drives and the Autorun.inf

USB drives have made our lives so much easier. You can move data between computers and store large files with ease for long term usage. Virus writers didn’t want to lag behind, and they saw this as the perfect channel for distributing malicious files. Worms, viruses, trojans and other malicious files cause more damage if the infected system is able to proliferate copies of the malicious files and distribute them to other systems, either with the help of users or through other programmed actions.

Most computer users who have used a removable drive have come in contact with a malicious file (virus, worm or trojan) residing on their drive. Normally the antivirus on the system should be able to detect and clean the infection, but often the drive remains infected. It then comes down to the user to detect and delete the infected file on the drive manually.

Most malicious files that reside on a USB drive infect your computer when the user opens the removable drive via My Computer, or when the default action is performed via the Windows AutoRun feature. Even merely double-clicking on the drive can cause a system to get infected.

An autorun.inf file is a plaintext configuration file that resides at the root of a drive (local hard drives, USB drives, CD-ROMs, DVDs etc.) and contains information about the actions to take when a user performs the default action on the drive. The default action is the one shown in bold in the right-click context menu of the drive in My Computer (for any Windows object, for that matter). For example, the default action on a folder or a drive is to Open the folder or drive. For a file it is to open the file with the associated program. For the Local Area Connection object in Network Connections it is to show the Status of the connection.

An autorun.inf file normally contains the name of the file to be opened when the user performs the default action, which icon to use, etc. You may have encountered legitimate autorun.inf files on CD-ROMs and DVDs. When you insert a CD-ROM containing software or game installation files (if AutoRun is enabled and an autorun.inf file is present), the installation menu pops up allowing you to install the software. This executable is run automatically because Windows reads the autorun.inf file to find the name of the executable to run, if any.

A simple autorun.inf file would contain the following:

Viruses go a step further in concealing their presence on the drive. They hide the autorun.inf file and the executable using the Hidden and System attributes, so that the files are not visible even after you ask Explorer to show hidden files. There are various ways to confirm the presence of an autorun.inf file in the root of your removable drive. The easiest is to go to Start > Run and enter J:\autorun.inf, where J is the drive letter of your USB drive. If Notepad opens with the contents of the file, then the file is obviously present; otherwise Windows will display a location unavailable error. The other method is to open a command prompt, navigate to the drive and use the attrib command to see the attributes of the files in the root of the drive. If there is an autorun.inf file, you should be curious. If it has the S and H attributes set, you have to be suspicious.

Now that’s time consuming, some would say. I agree. Hence to ease my pain, I modified the right click menu of the drives using the Windows registry and added an option to view the attributes of files in the root of the drive.

Here’s how:
Open the Windows Registry Editor by going to Start > Run > regedit
Navigate to HKEY_CLASSES_ROOT\Drive\shell using the left hand side tree structure. Right click on shell and select New > Key. Name the key anything you want. Right click on the Default value on the right hand side under the new key you just created and select Modify. Change the Value data in the text box provided to any string that you want to see in the right click menu of the drives. Click on OK.

Right click the new key that you created, create another key below it and name it command. Double-click the Default value under the command key and type the following in the Edit String box that pops up:

cmd /k echo Showing File Attributes && pushd "%1" && attrib && type autorun.inf && echo . && pause && exit

Select OK and close the Registry Editor. If everything was done as explained above, you should have another option in the right click menu of the drives in My Computer. The new option lets you see the names and attributes of the files in the root of the drive, and the contents of the autorun.inf file if it exists, without opening the drive itself. The command prompt window closes when any key is pressed. One caveat: the commands are chained with &&, so if there is no autorun.inf the type command fails, the chain stops before pause and exit, and cmd /k leaves the window open for you to close by hand. That is itself a useful sign that the drive is clean.

As the autorun.inf file provides the name of the executable, you can easily delete it using the path from the autorun.inf file. If the executable also has the S and H attributes set, use attrib -s -h -r to remove the attributes, and then a simple del will delete the file. You can then delete the autorun.inf file by removing its attributes through the command prompt and deleting it with the del command. Safely remove the USB drive and reinsert it to complete the task.
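As an added example that serves both the attrib check described earlier and the cleanup steps in this paragraph (my code, not the post’s), the script below reads an attrib listing of the drive root, parses the autorun.inf, lists every file the inf can launch (the open= and shellexecute= keys and any shell\<verb>\command= key, in every [autorun*] section), flags the ones carrying System+Hidden, and emits the attrib/del lines the post runs by hand. Both the attrib listing and the autorun.inf are constructed; a drive letter J: and the file names launch.exe, report.doc and setup.exe are assumptions.

```python
import re

# Constructed: what "attrib" might print for the root of an infected USB drive.
SAMPLE_ATTRIB = r"""
A  SH        J:\autorun.inf
A  SH        J:\launch.exe
A            J:\report.doc
A    H       J:\Thumbs.db
"""

# Constructed autorun.inf; keys are case-insensitive and may carry arguments.
SAMPLE_AUTORUN = r"""
[autorun]
; a comment
OPEN=launch.exe
shell\open\Command=launch.exe /quiet
shell\explore\command = launch.exe
icon=setup.exe,0
label=Holiday Photos
[autorun.amd64]
shellexecute="x64\setup.exe" /s
"""

_PATH_START = re.compile(r"[A-Za-z]:\\")   # where the path column begins in attrib output


def parse_attrib(text):
    """Map lower-cased basename -> (set of attribute letters, full path)."""
    files = {}
    for line in text.splitlines():
        m = _PATH_START.search(line)
        if not m:
            continue
        attrs = {c for c in line[:m.start()] if c.isalpha()}
        path = line[m.start():].rstrip()
        files[path.rsplit("\\", 1)[-1].lower()] = (attrs, path)
    return files


def parse_autorun(text):
    """Minimal INI reader: {section_lower: {key_lower: value}}; ';' and '#' start comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _first_token(value):
    """Drop arguments: 'launch.exe /quiet' -> 'launch.exe'; a quoted path keeps its spaces."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def launch_targets(sections):
    """Files the inf can run: open=, shellexecute= and shell\\<verb>\\command= in any [autorun*] section."""
    targets = []
    for sec, kv in sections.items():
        if not sec.startswith("autorun"):
            continue
        for key, value in kv.items():
            if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                exe = _first_token(value)
                if exe and exe not in targets:
                    targets.append(exe)
    return targets


def triage(attrib_text, autorun_text):
    """Is there an autorun.inf, is it S+H, what does it launch, and are those S+H too?"""
    files = parse_attrib(attrib_text)
    inf = files.get("autorun.inf")
    report = {"autorun_path": inf[1] if inf else None,
              "autorun_hidden_system": bool(inf) and {"S", "H"} <= inf[0],
              "targets": launch_targets(parse_autorun(autorun_text)) if inf else [],
              "hidden_system_targets": []}
    for t in report["targets"]:
        entry = files.get(t.rsplit("\\", 1)[-1].lower())
        if entry and {"S", "H"} <= entry[0]:
            report["hidden_system_targets"].append(entry[1])
    return report


def cleanup_commands(report):
    """The post's manual steps: strip attributes, delete the executable, then the inf."""
    cmds = []
    paths = report["hidden_system_targets"] + ([report["autorun_path"]] if report["autorun_path"] else [])
    for path in paths:
        cmds += [f"attrib -s -h -r {path}", f"del {path}"]
    return cmds
```

Feed triage the output of attrib run in the drive root and the text of autorun.inf; a target that lives in a subdirectory (like x64\setup.exe above) is listed but not matched against the root listing, so check it by hand before deleting. The generated commands are meant to be read and run one at a time, not piped blindly into cmd.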

This Microsoft knowledgebase article provides an excellent procedure to disable autorun completely:

USB removable drive cleaned, without an antivirus. Time for some coffee.

Update: Download the file using the link given below. Extract the driveattrib.reg file and double click it to add the contents to the Windows Registry to automate the entire process. Click on Yes when presented with a dialog box asking for confirmation.

The Case of the Persistent Executable

This is the first of the 2 case studies which won me a signed copy of Windows Internals, 4th Edition, by Mark Russinovich, Microsoft, last year.

I woke up last Saturday around 11:00 in the morning to find my friend sitting at the computer typing some document in MS Word; he then minimized the document and proceeded to open the D: drive from My Computer. My usually fast Windows responded extremely slowly to the double click. I sat bolt upright in my bed and asked him to repeat the procedure with the other drives. The same delay was noticed on the other drives too. I then asked him to right click on any drive, expecting a change in the context menu due to the presence of an autorun file. The menu was intact. I then got up, sat at the chair and used the attrib command at the prompt for each drive. This is what I got.

Certainly signs of malicious presence. I used the type command to read the contents of autorun.inf although I knew what it would point at.

I then immediately fired up Process Explorer to see if the process was running. Failing to find the process or a handle to it, I used attrib -s -h -r fppg1.exe to reset the attributes and proceeded to delete it using del fppg1.exe. I repeated the same procedure with the autorun.inf file. Since I have 6 partitions on my hard drive, I wrote a bat file, named it clean.bat and saved it in %systemroot% with the following contents.

@echo off
REM Clear the System, Hidden and Read-only attributes first; del will not remove the files while they are set.
attrib -s -h -r fppg1.exe
del fppg1.exe
attrib -s -h -r autorun.inf
del autorun.inf
echo All done

I then ran clean.bat from the console on each partition. Happy that my system was back to normal, I restarted Explorer to remove the effects of the autorun.inf file on the default Open option of the drives. I then proceeded to open the F: drive by double-clicking it in My Computer. I was surprised to see the delay occurring again. The attrib command confirmed my doubts: the two files were back. I decided to dump the strings from the fppg1.exe file to see if I could find any clues. I ran the strings utility and piped the output to a text file called fppg1.txt.

The file contained loads of ASCII characters and just three APIs that I recognized. That didn’t help much.

I then fired up Process Monitor to see which process was writing these files to disk. I used two filters: Path contains autorun.inf then Include, and Path contains fppg1.exe then Include. I was surprised to see which process was writing, setting attributes and querying information.

It wasn’t only explorer.exe that drained my happiness out of me.

I then right-clicked one of Explorer’s events to view its stack for the IRP_MJ_CREATE operation. The stack had one unfamiliar entry.

I used the Find Handle or DLL feature of Process Explorer to search for amvo0.dll. The returned results didn’t raise my spirits.

The DLL had attached itself to other processes I had opened after restarting Explorer. I then opened up cmd, changed to C:\Windows\System32\ and used the attrib command to confirm my suspicions about the attributes of amvo0.dll. I wasn’t disappointed.

I suspected that there could be an associated executable present in the same directory as well, and hence used attrib amv*. With my suspicions confirmed, I used strings.exe to dump the strings from amvo.exe and did a file compare with fppg1.txt. Bingo! They were, in essence, the same file. The DLL amvo0.dll was making explorer.exe and the System process recreate the files fppg1.exe and autorun.inf whenever they were not found in the root of the drives. I used attrib again to remove the System and Hidden attributes from amvo.exe and amvo0.dll, and deleted amvo.exe through the command prompt. The file amvo0.dll was in memory and hence could not be deleted. One feature I found missing in Process Explorer, which would really have helped me, was the ability to unload DLLs; that would have allowed me to delete the file immediately. I used autoruns.exe, another of the Sysinternals creations, and found that amvo.exe had created a registry entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run that caused it to be run at system startup. With the file gone, I restarted my system and then deleted amvo0.dll manually, and fppg1.exe and the autorun.inf file using the bat file.
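The strings-and-file-compare step above is easy to automate. Here is an added example (my code, not the post’s) that pulls printable ASCII and UTF-16LE runs out of two binaries, the way Sysinternals strings does by default, then reports the shared and unique strings and a Jaccard similarity score, which is a more useful answer than a raw fc diff when two droppers differ only in a few embedded names. The two byte blobs are constructed stand-ins for fppg1.exe and amvo.exe, not dumps of the real files.

```python
import re


def extract_strings(data, min_len=4):
    """Printable ASCII runs and UTF-16LE (wide) runs of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def compare_strings(data_a, data_b, min_len=4):
    """Set comparison of the strings in two binaries; similarity is Jaccard (0..1)."""
    sa, sb = set(extract_strings(data_a, min_len)), set(extract_strings(data_b, min_len))
    union = sa | sb
    return {
        "shared": sorted(sa & sb),
        "only_a": sorted(sa - sb),
        "only_b": sorted(sb - sa),
        "similarity": len(sa & sb) / len(union) if union else 1.0,
    }


def load_and_compare(path_a, path_b, min_len=4):
    """The same comparison for two files on disk."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return compare_strings(fa.read(), fb.read(), min_len)


def _blob(*parts):
    """Constructed binary: each piece followed by non-printable filler bytes."""
    out = bytearray()
    for p in parts:
        out += p if isinstance(p, bytes) else p.encode("ascii")
        out += b"\x00\x01\x02\x00"
    return bytes(out)


COMMON = ("This program cannot be run in DOS mode.", "KERNEL32.dll", "CreateFileA",
          "SetFileAttributesA", "autorun.inf", "open=fppg1.exe",
          "svchost.exe".encode("utf-16le"))        # one wide string, as seen in real PE files

# Stand-ins for fppg1.exe and amvo.exe (constructed, not the real files).
SAMPLE_FPPG1 = _blob("MZ", *COMMON)
SAMPLE_AMVO = _blob("MZ", *COMMON, "amvo0.dll", r"Software\Microsoft\Windows\CurrentVersion\Run")

if __name__ == "__main__":
    r = compare_strings(SAMPLE_FPPG1, SAMPLE_AMVO)
    print(f"similarity {r['similarity']:.2f}; {len(r['shared'])} shared; only in amvo: {r['only_b']}")
```

The minimum length of four cuts down on the noise of random printable bytes that the post mentions; the strings that appear in only one file (here the DLL name and the Run key) are exactly the ones that point to the persistence mechanism.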

Case closed. I then went on to start my morning.