This weekend I had the opportunity to work along our security specialists (from PSSSec group) in what we can call the hottest situation involving hundreds of production servers either stopped or severely impacted by a new variation of a worm. As a new variation, the AV signature file wasn’t updated with the proper signature and once the first machine got inffected it immediately started spreading the worm accros the customer production environment…
Details like how the first machine got infected, how the worm spreads itself through the network or even which worm is the variation of, will be ommited here as this scenario will be usefull only to illustrate what the tip is about.
So, direct to the point:
While on site helping to control the situation, one of the steps in our action plan while the signature file for the AV was being built was to control the infection or in other words, stop the infected machines to keep infecting the others. Clean the machines was something we knew we wouldn’t be able to accomplish unless we could build an AV engine overnight
We isolated the worm itself to 2 executable files and a DLL. The executables are dropped during the infection and a registry key is changed in order to load them whenever the machine is booted. They also run as Local System, so you can’t just open the task manager, right click their processes, and select the “End process” option as this would cause a access denied. What you can do though, is to use the utility kill.exe together with the tlist.exe from Debugging Tools For Windows , build a script that will filter the tlist.exe’s output trying to find the specific processes names and then run kill.exe to kill them, and then you use the at.exe command or the Task Scheduler to schedule such a script to run. By using the Task Scheduler service your script will run as Local System and should be able to kill the processes running under the same security context.
Ok, but this does not prevent the process to get spawned again (for instance in the next boot) and even deleting the registry entries that could cause that, since the AV is not effective, this machine can get infected again and you will never know when to run the script again to stop the worm’s processes. We needed to find a way to prevent these specific processes to keep getting respawned…
So here is the tip for something you can use in different OS versions from Windows NT to Windows 2003 to accomplish that: There is a registry key called “Image File Execution Options” under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion which is normally used for debugging purposes. There is a specific string value that we can use to accomplish our demand of preventing the processes to run. It’s the “Debugger” SZ value. This value is used to include a debugger that should launch the process whenever there is a demand for the OS to spawn it. For instance: If you create a key named “Calc.exe” under “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options” and add a SZ value called “Debugger” and set it to, for instance, a debugger like cdb.exe (Debugger = c:\debuggers\cdb.exe) the effect will be such that whenever you try to execute the program calc.exe (regardless of user and regardless of how) the debugger cdb.exe will be called instead and it will spawn the calc.exe itself within the debugger.
All right, so now we just need to be creative and find a way to, instead of run a debugger, just prevent the process to be spawned. Here is one way:
1. Create a registry key with the name of the process you want to prevent to execute. Ex.: calc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe
2. Under this new key you’ve just created, create a SZ value called “Debugger” and set it to the following value:
SZ Debugger = “cmd.exe /c echo %time% %date% >> c:\ExecBlocked.log”
That’s it. You don’t need to restart anything or reboot the machine. From now on you will not only be unable to run calc.exe as whenever you try to do it the file ExecBlocked.log will get the attempt to execute recorded with the date/time information.
To enable the process the run again, simply remove the registry key.