Security Tips: Identify Malware Hiding in Windows' System Folders
Andrew Brandt
From the July 2005 issue of PC World magazine

It's no fun to go into Task Manager and discover that a bunch of mysterious processes are running on your PC. For the unknowns, you may ask yourself how much of this stuff you actually want or, more seriously, whether anything on your machine is actually doing harm. Unfortunately, few of us have more than a passing familiarity with what's under Windows' hood: the programs that run it and that run alongside it. In this column, I'll explain how to identify most Windows system files (and how to research an unknown file) so you can tell the good ones from the miscreants. I'll also show you how to trace every application running on your PC, including the newest menace to emerge: hidden rootkit files.

Of course, as with tremors on the San Andreas Fault, you can never know where or when the next security breach will open up and swallow your data whole. Even if you run a firewall, use up-to-date antivirus and anti-spyware scanners, and maintain strict download discipline, you can still end up with the latest and meanest infectious agents on your PC. Antivirus and other security tools need frequent and detailed updates to work effectively; they can't block a piece of malware that they haven't seen before. Consequently, these programs always suffer a period of vulnerability between the time when a new worm first hits the Internet and the time when the antivirus definitions to block or clean the infection are available for download. Whether it's for a few minutes or for many days, that window always gapes open when a new threat appears. Fortunately, once identified, most malware is fairly easy, albeit tedious, to clean up. So follow my detection procedures, and your PC will be in good shape.
Safety First

First, and most important, remember that this is the operating system you're dealing with, so don't leap into your system files, deleting things willy-nilly as soon as you suspect trouble. If you blow it, you may render Windows unbootable.

Second, cover your behind at every step. System Restore (in Windows XP and Me) can return your system files and Registry to the state they were in just before a change that went wrong; it leaves your documents alone. Click Start, Programs (All Programs in XP), Accessories, System Tools, System Restore, select Create a restore point, and step through the wizard. Make a new restore point before each change.

You may also need to make your system files visible. Open Explorer or any folder window, and click Tools, Folder Options, View. Click Show hidden files and folders, and make sure that both 'Hide extensions for known file types' and 'Hide protected operating system files (Recommended)' are unchecked. Click Yes if you see any Windows warnings. (More on warnings later.) Run your up-to-date antivirus and anti-spyware apps.

Finally, delete a file only if you strongly believe it's part of a malware infestation. For example, don't use the following techniques to remove old DLLs from your system folders.

Find Out What's Running

Now you're ready to determine what programs and services are currently running on your PC. Windows' Task Manager can't authenticate each of your running apps, so download a copy of the free Process Explorer from Sysinternals. Any process running from a Temp folder (your own, at %TEMP%, or Windows' own Temp folder) should raise a red flag. Spyware tends to install itself in and run from such out-of-the-way nooks. Likewise, if a running process has loaded a DLL from a Temp folder, be wary. The only occasion when something should legitimately be running from Temp is while you are installing an application that uses an installer program such as InstallShield, which unpacks its files there.
In addition to Explorer.exe, Windows XP users will likely find other processes running, including smss.exe, winlogon.exe, services.exe, alg.exe, and lsass.exe. All of these are critical Windows files. Don't nix any of them.

One legitimate Windows file that bears a little more scrutiny when found in the running-processes list is rundll32.exe. Some forms of malware, distributed as DLL files, hide themselves by using this program as a launching pad: rundll32.exe itself is a genuine Windows file, so the process looks harmless, but the code that actually runs lives in whatever DLL it was told to load. Task Manager indicates only that the rundll32 program is running, but Process Explorer's Command Line field shows you which DLL rundll32 is associated with. Still, keep in mind that some device drivers and Control Panel applets use rundll32 for legitimate purposes, so before killing the process, make sure it's actually doing damage. The folder in the DLL's path is a clue to the process's legitimacy: a DLL in the System32 folder is far more likely to be legitimate than one in a Temp or user-profile folder.

Identify Mystery Processes

You likely have several other program files running in addition to these OS files, including ones for applications and services running in the background, and drivers for your hardware. These normally start along with Windows. Examine the Description, Company Name, and Command Line information for each process. You should be able to identify most of the programs associated with processes as software you installed or that was preinstalled on your PC. When a software maker has failed to include a Description and/or Company Name for its program, you'll need to dig a little deeper. Right-click its entry in Process Explorer's list, and choose Properties. If the information under the Image tab leaves you scratching your head, click the Services tab. Some legitimate services that are listed in the indented column below 'services.exe' in Process Explorer's main window (without text in their Description field) will appear under this tab. For example, Process Explorer once showed two processes running on my PC without Description or Company Name entries.
One was 'slee81.exe' (see Figure 2); when I looked at the process's entry under the Services tab, it identified the file as Steganos Live Encryption Engine. I had installed the Steganos software myself, so I wasn't surprised to find its components running in the background. This isn't a security threat, but unless I'm using Steganos to encrypt and decrypt files, I can save some CPU cycles by turning the service off until I need it. The second file, 'WLTRYSVC.EXE', was even easier to puzzle out from its Services entry. While the name of the process ('WLTRYSVC service') isn't any more illuminating than its file name, a slightly indented entry sits just below it in Process Explorer's main window, which means that 'WLTRYSVC' launched another app, called 'BCMWLTRY.EXE'. That file is identified as the 'Broadcom Wireless Network Tray Applet,' which I installed to display Wi-Fi signal strength. Since I'm likely to be using my Wi-Fi connection frequently, that's a process I want to keep. Repeat these steps for every running service and background app you can't account for. The tricky part comes when something you find doesn't identify itself and doesn't seem to serve a purpose. That's when it's time to look to the Internet for answers.

Online Vermin Trackers

If I suspect a DLL might be bogus, the first place I check is Microsoft's DLL Help Database (see Figure 3), which lets me search for information about a DLL by name. If I suspect a file may be connected to spyware, I'll dig around in Computer Associates' Spyware Information Center. Another great resource is the Pest Encyclopedia at the PestPatrol Center for Pest Research, which provides information about more than 27,000 forms of malware. If I can't tell whether a file is legitimate, I check the Task List Programs pages at AnswersThatWork.com (see Figure 4) for info about legitimate software as well as spyware and viruses.
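The triage steps above (where each process runs from, what rundll32.exe has been told to load, each image's Description and Company Name, and which Windows service a process hosts) can be scripted so you collect the facts once before heading to the lookup sites. The following PowerShell is an added example, not code from the article or from Sysinternals. It assumes a current Windows release with PowerShell 5.1 or later and an elevated prompt, and it adds two fields the 2005 tools didn't report, the Authenticode signer and a SHA-256 hash, because those are what you would search on today. The list of suspect folders and the wording of the flags are my own choices for this example.

```powershell
# Added example (not from the article or from Sysinternals): script the
# process-triage steps from the text. Assumes Windows 8+/PowerShell 5.1 or
# later; run from an elevated prompt so every process's image is readable.

# Folders a legitimate process should almost never run from. The list is an
# assumption for this example; extend it for your environment.
$suspectDirs = @($env:TEMP, "$env:WINDIR\Temp", $env:LOCALAPPDATA) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

# Win32_Process carries the command line and parent PID (XP's Task Manager
# showed neither); Win32_Service tells which process hosts each service.
$procs    = Get-CimInstance Win32_Process
$byPid    = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
$svcByPid = @{}
foreach ($s in Get-CimInstance Win32_Service) {
    if ($s.ProcessId -gt 0) { $svcByPid[[int]$s.ProcessId] += @($s.Name) }
}

function Get-ProcessTriage {
    foreach ($p in $procs) {
        $path  = $p.ExecutablePath
        $flags = New-Object System.Collections.Generic.List[string]
        $desc = $company = $signer = $sha256 = $null

        if ($path -and (Test-Path -LiteralPath $path)) {
            $vi      = (Get-Item -LiteralPath $path).VersionInfo
            $desc    = $vi.FileDescription
            $company = $vi.CompanyName
            $sig     = Get-AuthenticodeSignature -LiteralPath $path
            $signer  = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "none ($($sig.Status))" }
            $sha256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            if (-not $desc -and -not $company) { $flags.Add('no Description or Company Name') }
            if ($sig.Status -ne 'Valid')       { $flags.Add('unsigned or invalid signature') }
            foreach ($d in $suspectDirs) {
                if ($path.StartsWith("$d\", [System.StringComparison]::OrdinalIgnoreCase)) {
                    $flags.Add("runs from $d"); break
                }
            }
        } elseif ($p.ProcessId -gt 4) {
            # PID 0 (Idle) and PID 4 (System) have no image file; anything else should.
            $flags.Add('image path unavailable (access denied, or file already deleted)')
        }

        # rundll32.exe is only as trustworthy as the DLL named on its command line.
        if ($p.Name -ieq 'rundll32.exe') { $flags.Add("rundll32 loads: $($p.CommandLine)") }

        $parent    = $byPid[[int]$p.ParentProcessId]
        $parentStr = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "exited ($($p.ParentProcessId))" }

        [pscustomobject]@{
            PID      = $p.ProcessId
            Name     = $p.Name
            Parent   = $parentStr
            Path     = $path
            Desc     = $desc
            Company  = $company
            Signer   = $signer
            Services = ($svcByPid[[int]$p.ProcessId] -join ', ')
            SHA256   = $sha256
            Flags    = ($flags -join '; ')
        }
    }
}

$report = Get-ProcessTriage
# Show only what needs explaining; keep the full table for the lookup sites.
$report | Where-Object { $_.Flags } | Format-Table PID, Name, Parent, Signer, Flags -AutoSize -Wrap
$report | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\process-triage.csv"
```

Treat the Flags column as a to-investigate list, not a verdict: per-user installs under your Local AppData folder will be flagged and are often legitimate, and on Windows 7 many catalog-signed system binaries show as NotSigned because that PowerShell version does not check catalog signatures. What makes the output useful at the lookup sites is that the path, parent process, signer and hash travel with the file name, which alone proves little.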
Tools such as WinPatrol and Uniblue's WinTasks 5 Professional offer insight into whether a program or DLL is malware. Both offer an online database containing information about thousands of DLLs and apps you might encounter, and WinTasks also can "blacklist" specific processes so that they can't run again. If you hunt for malware on a regular basis, Neuber Software's Security Task Manager lets you evaluate every executable, driver, or DLL, whether or not it's running.

Bottom Line: You can't always trust the first few results when you research an unknown file on the Web. Even if a hundred small sites post data about a suspected piece of malware, one page on a Microsoft site that explains the legitimate use of the file can trump those analyses. Bear in mind, too, that malware often borrows the name of a legitimate Windows file, so a file's location and publisher tell you more than its name does. The more you find out about a file before you search online, the less likely it is that you'll kill a legitimate program or DLL.

Security Toolbox: Hunting Hidden Files

The last stop on our processes tour concerns a new breed of malware called kernel-level rootkits. These tools permit malicious hackers to hide their tracks (and files) on an infected PC. Fortunately, several available programs will help you spot, and in one case remove, these dangerous rootkit files.

For sheer analytical power, no competing rootkit detector can outperform Sysinternals' RootkitRevealer, which ferrets out files and Registry keys that might be associated with rootkits. It works by comparing what the Windows API reports for the file system and the Registry against what it reads directly from the disk volume and the raw Registry hives; anything present in the raw data that the API doesn't show is listed as a discrepancy. The program is far from foolproof, however: not all of the items it uncovers are malware (a file that changes during the scan produces a discrepancy too), so treat its report as a list of things to investigate, not a verdict.

For point-and-click ease, F-Secure's BlackLight tool (free while it's in beta) puts the antivirus company's knowledge to use in a rootkit scanner that finds and disarms rootkit files on your hard drive. Though spartan in design, it removes the hidden files it finds rather than merely listing them.
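RootkitRevealer's approach, comparing two views of the same data and reporting what one of them omits, can be demonstrated on the process list without any raw-disk parsing. The PowerShell below is an added example, not code from the article, from Sysinternals or from F-Secure. View 1 is the ordinary enumeration (Get-Process, the same source Task Manager uses); view 2 asks the kernel about every possible PID through OpenProcess and keeps the ones it acknowledges. A rootkit that filters the enumeration but leaves OpenProcess alone turns up in view 2 only. The PID ceiling and the wording of the notes are my assumptions, and the caveat is the same as for RootkitRevealer: a kernel rootkit that unlinks a process from the kernel's own lists hides from both views, so this shows the principle, not a guarantee.

```powershell
# Added example (not from the article or from Sysinternals): a minimal
# cross-view check in the spirit of RootkitRevealer, applied to processes.
# View 1 is the normal enumeration (Get-Process). View 2 probes every
# possible PID with OpenProcess and keeps the ones the kernel acknowledges.
# Run from an elevated prompt.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool QueryFullProcessImageName(IntPtr h, uint flags, System.Text.StringBuilder name, ref uint size);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ERROR_ACCESS_DENIED     = 5    # the PID exists, but we may not open it (protected process)
$ERROR_INVALID_PARAMETER = 87   # no process with that PID

function Get-ProcessViewByHandle {
    param([int]$MaxPid = 262144)   # PIDs are multiples of 4; raise this on busy, long-running hosts
    $found = @{}
    for ($id = 4; $id -lt $MaxPid; $id += 4) {
        $h   = [Win32.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$id)
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($h -ne [IntPtr]::Zero) {
            $sb  = New-Object System.Text.StringBuilder 1024
            $len = [uint32]$sb.Capacity
            $found[$id] = if ([Win32.Native]::QueryFullProcessImageName($h, 0, $sb, [ref]$len)) {
                $sb.ToString(0, [int]$len)
            } else { '<image name unavailable>' }
            [void][Win32.Native]::CloseHandle($h)
        } elseif ($err -eq $ERROR_ACCESS_DENIED) {
            # Access denied still proves the PID is live; an empty slot gives ERROR_INVALID_PARAMETER.
            $found[$id] = '<exists, access denied>'
        } elseif ($err -ne $ERROR_INVALID_PARAMETER) {
            $found[$id] = "<unexpected OpenProcess error $err>"
        }
    }
    return $found
}

function Compare-ProcessViews {
    # Enumerate before and after the probe so a process that starts or exits
    # while we are probing is not reported as hidden.
    $before = @{}; Get-Process | ForEach-Object { $before[$_.Id] = $true }
    $byHandle = Get-ProcessViewByHandle
    $after  = @{}; Get-Process | ForEach-Object { $after[$_.Id] = $true }
    foreach ($id in ($byHandle.Keys | Sort-Object)) {
        if (-not $before.ContainsKey($id) -and -not $after.ContainsKey($id)) {
            [pscustomobject]@{ PID = $id; Image = $byHandle[$id]; Note = 'in OpenProcess view only' }
        }
    }
}

$hidden = @(Compare-ProcessViews)
if ($hidden.Count -eq 0) { 'No discrepancy between the enumeration and OpenProcess views.' }
else { $hidden | Format-Table -AutoSize }
```

The probe makes one OpenProcess call per candidate PID, so expect it to take several seconds; anything it reports deserves the same follow-up the text gives RootkitRevealer's discrepancies, since a PID that the enumeration misses is a finding to investigate rather than proof of a rootkit.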