I’m sure you’ve seen one of these signs. You know what I’m talking about.
You’ve certainly seen houses or other buildings with a rather generic sign on the front lawn that says “This House Protected By A Security System.” It’s very likely that the house actually has no security system at all. The owner just went out and bought the sign and stuck it in front of the house. After all, a sign is far cheaper than a real security system, and for a certain class of burglars, is just as effective. The point is, if the bad guys think you have a burglar alarm, they are likely to bypass your house, whether you really have one or not.
A recent talk by Jarno Niemelä of F-Secure described a similar technique to combat malware. It’s deceptively simple, and like the lawn sign, costs way less than any anti-malware software you might install. Here’s how it works:
Many types of malware (especially the more advanced sort) are designed to resist analysis. That is, they are designed in a way so that if they detect that you are trying to analyze or reverse engineer them, they “play dumb,” and do nothing. The malware writers do not want you to figure out what they’re doing, so they check your computer to see if you’re using a debugger or other tool to analyze their malware. If they detect the presence of analysis tools, the malware will not execute its malicious code. Instead, it will do something innocuous so as not to give itself away. A malware analyst would then conclude that the malware isn’t malicious, or at least would not be able to figure out how the malware works.
So here’s a brilliantly simple idea: what if you fool the malware into thinking it’s being analyzed? What if you configure your PC so that the malware thinks you are a hot-shot malware analyst? The malware will play dumb and not do anything malicious. You simply fool the malware just like you fool the burglars with the sign.
So how do you do this? You simply create some files and registry keys that look like real analysis tools.
For example, you can pretend you’re running in a VMWare environment by adding the following keys to your registry:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum, value "0" = "VMWare"
HKEY_LOCAL_MACHINE\SOFTWARE\VMWare, inc.\VMWare Tools, value "InstallPath" = "c:\program files\VMWare"
You can also create dummy files. Copy a simple program (like notepad.exe) and rename it to look like these:
C:\Program Files\WinPcap\rpcapd.exe
C:\Program Files\WireShark\rawshark.exe
C:\Program Files\Ethereal\ethereal.html
C:\Program Files\wireshark\wireshark.exe
C:\Program Files\Microsoft Network Monitor 3\netmon.exe
C:\program files\ollydbg\Ollydbg.exe
C:\program files\sysinternals\Procmon.exe
C:\program files\sysinternals\Procexp.exe
C:\program files\sysinternals\Diskmon.exe
C:\program files\sysinternals\Autoruns.exe
C:\program files\debugging tools for windows\Windbg.exe
To be even sneakier, create a bunch of dummy processes. Name them like these real analysis tools, then execute them on startup:
Vbox.exe
Vmware.exe
wireshark.exe
regshot.exe
procmon.exe
filemon.exe
regmon.exe
procdump.exe
cports.exe
procexp.exe
squid.exe
dumpcap.exe
sbiectrl.exe
You can use a simple compiled batch file that sits in an endless loop. It takes very little memory or CPU time. Here’s an example:
@echo off
:start
sleep 600
goto start
Note: you can find the sleep utility in the Windows Resource Kit, or you can download a similar one here.
Once you’ve added these keys and processes, your PC will look like you’re a professional malware analyst, and lots of malware will simply refuse to execute.
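Here is the whole procedure as one PowerShell script. It is an added example, not code from the post or from Niemelä's talk: it plants the two registry values, the dummy tool files and the idle decoy processes listed above, using a renamed copy of cmd.exe running the endless-sleep batch in place of a compiled batch file. The decoy directory ($DecoyDir) and the use of timeout.exe instead of the Resource Kit sleep utility are my assumptions; HKLM and Program Files need an elevated prompt.

```powershell
# Added example: plant the decoy registry keys, files and processes from the post.
# Run from an elevated PowerShell prompt. $DecoyDir and timeout.exe are assumptions.
$ErrorActionPreference = 'Stop'
$ProgramFiles = $env:ProgramFiles
$DecoyDir = Join-Path $ProgramFiles 'decoys'   # assumed home for the fake processes

# 1. Registry values that VM-detection code checks for
$regValues = @(
    @{ Path = 'HKLM:\SYSTEM\ControlSet001\Services\Disk\Enum'; Name = '0';           Value = 'VMWare' },
    @{ Path = 'HKLM:\SOFTWARE\VMWare, inc.\VMWare Tools';     Name = 'InstallPath'; Value = "$ProgramFiles\VMWare" }
)
foreach ($v in $regValues) {
    if (-not (Test-Path $v.Path)) { New-Item -Path $v.Path -Force | Out-Null }
    New-ItemProperty -Path $v.Path -Name $v.Name -Value $v.Value -PropertyType String -Force | Out-Null
}

# 2. Dummy tool files: copies of notepad.exe under the analysis-tool names
$decoyFiles = @(
    'WinPcap\rpcapd.exe', 'WireShark\rawshark.exe', 'Ethereal\ethereal.html',
    'wireshark\wireshark.exe', 'Microsoft Network Monitor 3\netmon.exe',
    'ollydbg\Ollydbg.exe', 'sysinternals\Procmon.exe', 'sysinternals\Procexp.exe',
    'sysinternals\Diskmon.exe', 'sysinternals\Autoruns.exe',
    'debugging tools for windows\Windbg.exe'
)
foreach ($rel in $decoyFiles) {
    $dest = Join-Path $ProgramFiles $rel
    New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
    Copy-Item "$env:SystemRoot\System32\notepad.exe" $dest -Force
}

# 3. Idle decoy processes: a renamed cmd.exe running the endless-sleep batch.
#    timeout /nobreak stands in for the Resource Kit sleep utility.
New-Item -ItemType Directory -Path $DecoyDir -Force | Out-Null
$loop = Join-Path $DecoyDir 'idle.cmd'
Set-Content -Path $loop -Value "@echo off`r`n:start`r`ntimeout /t 600 /nobreak >nul`r`ngoto start`r`n"
$decoyProcs = 'Vbox.exe', 'Vmware.exe', 'wireshark.exe', 'regshot.exe', 'procmon.exe',
              'filemon.exe', 'regmon.exe', 'procdump.exe', 'cports.exe', 'procexp.exe',
              'squid.exe', 'dumpcap.exe', 'sbiectrl.exe'
foreach ($name in $decoyProcs) {
    $exe = Join-Path $DecoyDir $name
    Copy-Item "$env:SystemRoot\System32\cmd.exe" $exe -Force
    # Hidden console; the batch loop keeps the process alive with ~zero CPU
    Start-Process -FilePath $exe -ArgumentList "/c `"$loop`"" -WindowStyle Hidden
}
Write-Host "Planted $($regValues.Count) registry values, $($decoyFiles.Count) files, $($decoyProcs.Count) processes."
```

To make the processes survive a reboot, register the loop in step 3 as a startup task (the post's "execute them on startup"); note that some legitimate software also inspects these VM keys for licensing, so try it on a test machine first.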
Of course, not all malware looks for the presence of these tools, so this method won’t stop all malware. But like the lawn sign, it’s a simple and cheap method of adding protection to your PCs.
Very nice. I’m going to give it a try. Nice analogy of the lawn sign.