Sunday, January 20, 2013

Introducing Prasadhak: Check running processes for known malware using PowerShell

Once during a pen test, I got complete access to a box. It was a Windows 2008 server in really bad shape, so bad that I wanted to check it for malware, as I was not sure about the integrity of the server's antivirus. The client was not sure either, as the server was just one of "those" servers that no one cared about, since the services it offered were no longer required by the business (I later gave the client a lecture on why this is bad, etc. etc.).

So I was in a fix: installing an AV was not an option and, as always, there was not enough time for a manual sanity check of the system for malware. I thought of using VirusTotal for this. VirusTotal provides a nice API which can be used to automate the analysis of files. But there was a catch: I could not upload files from the system to the internet, for confidentiality reasons! So I decided to use the search function for the running processes instead. I would search the VirusTotal database for the executables of the running processes using the API; looks good.

So behold world, I give you Prasadhak: a PowerShell script which checks running processes (actually, their executables) for malware by looking up the MD5 hashes of those executables in the VirusTotal database. For those curious, Prasadhak means purifier in Sanskrit.

PowerShell being quite powerful, there was not much of a problem getting the current processes and their corresponding executables. Please note that some processes do not report their path, and that the processes of other users are only visible when the script runs with administrator rights, so a non-elevated shell sees fewer paths.
A small problem was the request limit of the API. Using the normal public API, one can make only 4 requests per minute, so the script submits hashes in batches and throttles its requests accordingly.

Another problem was that the VirusTotal API responds with JSON objects and I was unable to parse the responses properly. I tried various methods, including this one. The code worked fine for a single request but failed for a batch request. I got lazy and wrote the script for PowerShell v3 instead, which comes with a ready-made ConvertFrom-Json cmdlet. This is my first script which requires PowerShell v3.

Prasadhak reports one of the following for each process whose executable path could be determined, based on the response from VirusTotal:
  1. Not found in VT database, for hashes which are not present in the VirusTotal database.
  2. Something malicious is found, with the link to the complete analysis.
  3. This is reported clean, for hashes which VirusTotal reports as clean.
  4. File queued for analysis.
You need to register a free account on VirusTotal to get the API key which is required for using the API.
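The whole procedure described above, as an added example that is not the Prasadhak script or any other code from this post: it hashes the executables of the running processes, submits the hashes in batches to the VirusTotal v2 file/report endpoint while staying under the public rate limit, and prints each verdict next to the names of the processes running that binary. The assumptions are mine, not the post's: PowerShell 3.0 or later (for Invoke-RestMethod and [pscustomobject]), an API key in the environment variable VT_APIKEY, the batch size of 25 and 4 requests per minute mentioned on this page, and a v2 endpoint that still accepts requests. It needs network access to VirusTotal to do anything useful.

```powershell
# Added example, not the Prasadhak script: hash running executables, query the
# VirusTotal v2 file/report endpoint in batches, label verdicts with process names.
# Assumptions (mine): PowerShell 3.0+, API key in $env:VT_APIKEY, v2 API reachable,
# 25 hashes per request and 4 requests per minute as described on this page.

function Test-IsAdministrator {
    # Paths of other users' processes are only visible from an elevated shell.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ProcessImageHashes {
    # One object per distinct executable path: its MD5 and the processes running it.
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $byPath = @{}
    $noPath = 0
    foreach ($proc in Get-Process) {
        if (-not $proc.Path) { $noPath++; continue }   # protected or inaccessible process
        if (-not $byPath.ContainsKey($proc.Path)) {
            try {
                # Share ReadWrite so an image currently mapped by the loader can be read.
                $stream = [System.IO.File]::Open($proc.Path, [System.IO.FileMode]::Open,
                                                 [System.IO.FileAccess]::Read,
                                                 [System.IO.FileShare]::ReadWrite)
                try { $bytes = $md5.ComputeHash($stream) } finally { $stream.Close() }
            } catch {
                Write-Warning "Cannot hash $($proc.Path): $($_.Exception.Message)"
                continue
            }
            $hex = ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
            $byPath[$proc.Path] = [pscustomobject]@{ Path = $proc.Path; MD5 = $hex; Processes = @() }
        }
        $byPath[$proc.Path].Processes += "$($proc.Name)($($proc.Id))"
    }
    if ($noPath) { Write-Warning "$noPath process(es) reported no path and were skipped." }
    $byPath.Values
}

function Get-VirusTotalReports {
    param(
        [Parameter(Mandatory)][string[]]$Hashes,
        [Parameter(Mandatory)][string]$ApiKey,
        [int]$BatchSize = 25,
        [int]$RequestsPerMinute = 4
    )
    $uri     = 'https://www.virustotal.com/vtapi/v2/file/report'
    $reports = @()
    for ($i = 0; $i -lt $Hashes.Count; $i += $BatchSize) {
        $last  = [Math]::Min($i + $BatchSize, $Hashes.Count) - 1
        $batch = @($Hashes[$i..$last])
        # v2 takes a comma-separated list in 'resource' and answers with one object
        # per hash: a JSON array for a batch, a bare object for a single hash.
        $body  = @{ apikey = $ApiKey; resource = ($batch -join ',') }
        $reports += @(Invoke-RestMethod -Method Post -Uri $uri -Body $body)
        if ($last -lt $Hashes.Count - 1) {
            Start-Sleep -Seconds ([Math]::Ceiling(60 / $RequestsPerMinute))
        }
    }
    $reports
}

function Format-Verdict {
    param($Report)   # one parsed v2 report object
    # response_code: 1 = known file, 0 = not in the database, -2 = queued for analysis
    if ($Report.response_code -eq 1) {
        if ($Report.positives -gt 0) {
            "MALICIOUS $($Report.positives)/$($Report.total) $($Report.permalink)"
        } else { "reported clean $($Report.positives)/$($Report.total)" }
    } elseif ($Report.response_code -eq 0) { 'not found in VT database' }
    elseif ($Report.response_code -eq -2) { 'queued for analysis' }
    else { "unexpected response_code $($Report.response_code)" }
}

if (-not (Test-IsAdministrator)) {
    Write-Warning 'Not elevated: paths of processes owned by other users will be missing.'
}
$images  = @(Get-ProcessImageHashes)
$reports = Get-VirusTotalReports -Hashes @($images | ForEach-Object { $_.MD5 }) -ApiKey $env:VT_APIKEY
# 'resource' in each reply echoes the queried hash: that is the join key back to the processes.
$byHash = @{}
foreach ($r in $reports) { $byHash[$r.resource] = $r }
foreach ($img in $images) {
    $verdict = if ($byHash.ContainsKey($img.MD5)) { Format-Verdict $byHash[$img.MD5] } else { 'no report returned' }
    '{0,-45} {1} {2}' -f ($img.Processes -join ','), $img.MD5, $verdict
}
```

Keying by executable path before hashing means a binary running as many processes (svchost.exe, for instance) is hashed and queried once and every instance is still listed next to the verdict, which is the labelling the post says Prasadhak lacks.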

A sample run of Prasadhak on my machine with Administrator privilege




So two malicious processes were found. The first is a known one that I ran just to test Prasadhak. The second was new to me, so let's have a look at it.

So the hfs server is detected as malware by many AVs. Interestingly, a modified meterpreter payload was not found in the database, because its hash differs from that of a "normal" meterpreter. A huge limitation of hash-based detection (do I sound like an AV vendor?).

Two major limitations of Prasadhak that I know of:

1. The result for each process is not labelled with the process name. You will see that I have left commented-out portions of code for labelling the results; this was a quick attempt before this post. Please let me know if you modify the script to improve that.

2. The approach of Prasadhak is very limited. As we saw above, a meterpreter binary was not detected just because slight modifications had been made to it. Much malware is far stealthier than that.

Please note that the only section of the script which requires PowerShell v3 is the function "check". If you need to use this script with PowerShell v2, try using this code at codeplex.
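One way to do the JSON parsing that "check" needs without PowerShell v3, as an added example that is neither the Prasadhak code nor the codeplex snippet linked above: it uses the JavaScriptSerializer class from System.Web.Extensions (.NET 3.5 and later), which is available to PowerShell 2.0, and handles the batch case where the reply is an array. The sample reply is constructed to mimic the shape of a v2 file/report batch response; its hashes, counts and permalink are made up.

```powershell
# Added example, not the Prasadhak code: parse a VirusTotal v2 batch reply on
# PowerShell 2.0, which has no ConvertFrom-Json, via JavaScriptSerializer
# (System.Web.Extensions, .NET 3.5+). The sample JSON below is constructed.
Add-Type -AssemblyName System.Web.Extensions

function ConvertFrom-JsonV2 {
    param([Parameter(Mandatory=$true)][string]$Json)
    $serializer = New-Object System.Web.Script.Serialization.JavaScriptSerializer
    $serializer.MaxJsonLength = [int]::MaxValue   # replies with full 'scans' maps get large
    # JSON objects become Dictionary[string,object]; JSON arrays become object[].
    $serializer.DeserializeObject($Json)
}

function Get-Verdict {
    param([System.Collections.IDictionary]$Report)
    # response_code: 1 = known file, 0 = not in the database, -2 = queued for analysis
    $code = [int]$Report['response_code']
    if ($code -eq 1) {
        if ([int]$Report['positives'] -gt 0) {
            "malicious $($Report['positives'])/$($Report['total']) $($Report['permalink'])"
        } else { "reported clean $($Report['positives'])/$($Report['total'])" }
    } elseif ($code -eq 0) { 'not found in VT database' }
    elseif ($code -eq -2) { 'queued for analysis' }
    else { "unexpected response_code $code" }
}

# Constructed sample of what a three-hash batch query might return (fake data).
$sampleBatch = @'
[
  {"response_code": 1, "resource": "00000000000000000000000000000001", "positives": 37, "total": 46,
   "permalink": "https://www.virustotal.com/example/permalink/1"},
  {"response_code": 0, "resource": "00000000000000000000000000000002",
   "verbose_msg": "The requested resource is not among the finished, queued or pending scans"},
  {"response_code": -2, "resource": "00000000000000000000000000000003",
   "verbose_msg": "Your resource is queued for analysis"}
]
'@

# @() makes a single-object reply (a bare dictionary) and a batch reply (an array)
# look the same to the loop, which is where the original approach fell over.
foreach ($report in @(ConvertFrom-JsonV2 $sampleBatch)) {
    '{0}  {1}' -f $report['resource'], (Get-Verdict $report)
}
```

Because each report carries the queried hash in its resource field, the same loop can look up the process name for that hash in a table built while hashing, which is the per-process labelling discussed in the limitations above.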

The code can be found below.


Prasadhak is available in Nishang's repository, please update your repos.

Hope this is useful. There will be a day when I start writing non-ugly code.
Bugs, feedback and comments are welcome. 

Update - Minor changes have been made to Prasadhak; the code above has been modified a bit.

P.S. - I had planned to release Prasadhak later, after some improvements, but a similar blog post forced me to post it now. Research collision, anyone? Thanks to my friends who quickly consoled me when I was shocked after that post.. hee hee :)

5 comments:

  1. Hi,
    Sorry to hear that you were shocked after my post. Anyway, I'd like to thank you for the link to my post.

    May I suggest some ideas to improve your script:
    -you should check for admin rights because Get-WmiObject Win32_process will be incomplete w/o admin rights.
    -As you use V3, you can use Invoke-Webrequest to make a POST request.
    -You may also add a Proxy support to your functions as many corporate network may have one.

    For your research, you may also have a look to a post I made in February last year
    http://p0w3rsh3ll.wordpress.com/2012/02/25/psh3-ctp2-malware-analysis-module-based-on-virustotal-com-api-v2/
    It uses the API v2 of Virustotal.com but it was developed with the CTP2 of PSHv3. It needs to be revised.

    I'm not super satisfied with the way it reads malware file into a byte array.
    I mean that I'm not 200% sure that Get-Content malware.file -Readcount 0 -Encoding byte won't infect the computer.

    ReplyDelete
    Replies
    1. Thanks Emin,

      I would implement an admin check and proxy support in a future release. I chose not to use Invoke-WebRequest as I wanted to keep the dependency on v3 to a minimum. If it was not for JSON it would be v2, as I see v2 in most of the target environments.

      I am currently not looking to upload files to vt for analysis. Rather, the most significant improvement I would like to make is to output process name with each result.

      Delete
    2. Line 81 8<---
      $procs = (Get-Process).path
      8<---,
      is pure V3 coding notation.
      You cannot get the process name because you created an array of each process path.
      But if you choose to keep the full process object, you'll be able to display process names along later in the foreach loop after line 94

      Delete
    3. I know that $procs is an array of process path. The problem is the loop in "check" method. I would like to display process name there. For example, right now what we get is: "This is reported clean". I want to make this to "This is reported clean svchost.exe"

      So the problem is mapping the response from VT API to individual process. VT responds for a batch of 25 processes.

      Delete
  2. Hello, your script does not work anymore. Would you please check it?

    ReplyDelete