Tuesday, April 7, 2015

Using Autoruns to Deal with Startup Processes and Malware

In the olden days, software would start itself automatically by adding an entry to the Startup folder in the Start Menu, or adding a value into the Run key in the registry, but as people and software became more savvy at finding unwanted entries and deleting them, the makers of questionable software started finding ways to get more and more sneaky.
These shady crapware companies started figuring out how to automatically load their software through browser helper objects, services, drivers, scheduled tasks, and even through some extremely advanced techniques like image hijacks and AppInit_dlls.
Checking for each of these conditions manually would not only be time-consuming, but nearly impossible to do for the average person.
That’s where Autoruns comes in and saves the day. Sure, you can use Process Explorer to look through the process list and delve deep into threads and handles, and Process Monitor can figure out exactly which registry keys are being opened by which process and show you incredible amounts of information. But neither one stops crapware or malware from being loaded again the next time you boot your PC.
Of course, a smart strategy would be to use all three together. Process Explorer sees what is currently running and using up your CPU and memory, Process Monitor sees what the application is doing under the hood, and then Autoruns comes in to clean things up so they don’t come back.
Autoruns allows you to see nearly every single thing that is loaded automatically on your computer, and disable it as easy as clicking a checkbox. It’s incredibly easy to use, and nearly self-explanatory, except for some of the really complicated things you need to know to understand what some of the tabs actually mean. That’s what this lesson is going to teach.

Working With the Autoruns Interface

You can grab the Autoruns tool from the SysInternals web site just like all of the rest and run it without installing. You’ll want to do that before proceeding.
Note: Autoruns doesn’t require running as administrator, but realistically it makes the most sense to just do that, since there are a few features that won’t work as well otherwise, and there’s a good chance your malware is running as administrator as well.
When you first launch the interface you’ll see a ton of tabs and a list of things that are being started automatically on your computer. The default Everything tab shows everything from every tab, but it can be a little confusing and lengthy, so we’d advise to just go through each tab separately.

It’s worth noting that by default, Autoruns hides everything that is built into Windows and set to automatically start. You can enable showing of those items in the options, but we wouldn’t recommend it.

Disabling Items

To disable any item in the list, you can just remove the check box. That’s all you have to do, just go through the list and remove everything you don’t need, reboot your computer, and then run it again to make sure everything is good.
Note: some malware constantly monitors the autostart locations it uses and immediately puts the value back. You can use the F5 key to rescan and see if any of the entries came back after disabling them. If one of them showed up again, you should use Process Explorer to suspend or kill that malware before disabling it here.

The Colors

Like most SysInternals tools, the items in the list can be different colors, and here is what they mean:
  • Pink – no publisher information was found, or, if code verification is on, the digital signature either doesn’t exist or doesn’t match the file.
  • Green – this color is used when comparing against a previous set of Autoruns data to indicate an item that wasn’t there last time.
  • Yellow – the startup entry is there, but the file or job it points to doesn’t exist anymore.
Also just like most of the SysInternals tools, you can right-click on any entry and perform a number of actions, including jumping to the entry or image (the actual file in Explorer). You can search online for the name of the process or the data in the column, see the detailed properties, or see if that entry is running by doing a quick search through Process Explorer — although many processes have a loader that then launches something else before exiting, so no results from that search doesn’t mean the entry is harmless.

If you clicked Jump to Entry, you’ll be taken straight over to the Registry Editor, where you can see that particular registry key and look around. If the entry was something else, you might be taken to a different utility, like the Task Scheduler. The reality is that most of the time, Autoruns displays all of the same information right in the interface, so you don’t usually need to bother unless you want to learn more.

The User menu allows you to analyze a different user account, which can be really useful if you’ve loaded up Autoruns on a different account on the same computer. It’s worth noting that you would obviously need to be running as administrator to see other user accounts on the PC.

Verifying Code Signatures

The Filter Options menu item takes you to an options panel where you can select one very useful option: Verify Code Signatures. This will check to make sure that each digital signature is analyzed and verified, and display the results right in the window. You’ll notice that all the items in pink in the screenshot below are not verified or the publisher information does not exist.
And for extra credit, you might notice that this screenshot below is almost the same as the one near the beginning, except in that one some of the items in the list were not marked as pink. The difference is that by default, without the Verify Code Signatures option turned on, Autoruns will only alert you with the pink row if no publisher information exists.

Analyze an Offline System (As in Hooking Up a Hard Drive to Another PC)

Imagine that your friend’s computer is completely messed up and either won’t boot or just boots so slowly that you can’t really use it. You’ve tried safe mode and recovery options like System Restore, but it doesn’t matter because it is unusable.
Rather than pull the “reinstall” card, which is often just the “I give up” card, you could yank out the hard drive and hook it up to your PC or laptop with your handy USB hard drive dock. You do have one, right? Then you just load up Autoruns and go to File -> Analyze Offline System.

Browse to find the Windows directory on the other hard drive, and the user profile of the user you are trying to diagnose, and click OK to start.

You’ll need write access to the drive, of course, because you will want to save the settings to remove whatever nonsense you end up finding.

Comparing Against Another PC (Or Previous Clean Install)

The File -> Compare option seems nondescript, but it can be one of the most powerful ways to analyze a PC and see what has been added since the last time you scanned, or to compare against a known clean PC.
To use this feature, just load up Autoruns on the PC you are trying to inspect, or using the Offline mode we described earlier, then head to File -> Compare. Everything that has been added since the compared file version will show up in bright green. It’s as simple as that. To save a new version, you’d use the File -> Save option.

If you really want to be a pro, you could save a clean configuration from a new install of Windows and put that on a flash drive to take with you. Save a new version every time you touch a PC for the first time to make sure you can quickly identify all of the new crapware the owner has added.
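The same comparison can be scripted for a fleet or a USB-stick toolkit. The script below is an added example, not code from the article or from Sysinternals: it reads two CSV exports from the autorunsc command-line tool (a baseline saved from a clean PC and the export from the PC being inspected) and flags each current entry the way the GUI colours it. Assumed: both exports were made by autorunsc in CSV mode with signature verification on (see autorunsc -? for your version’s switches), and carry the column names Entry Location, Entry, Image Path and Signer; check the header line of your own export first.

```powershell
# Added example: re-create Autoruns' File -> Compare colouring over two
# autorunsc CSV exports. Assumed column names: "Entry Location", "Entry",
# "Image Path", "Signer". Add -Encoding Unicode to Import-Csv if the
# export was written as UTF-16.
param(
    [Parameter(Mandatory)] [string] $Baseline,   # export saved from a known-clean PC
    [Parameter(Mandatory)] [string] $Current     # export from the PC being inspected
)

function Get-EntryKey($row) {
    # Autostart location plus entry name identifies one row, as in the GUI
    "$($row.'Entry Location')|$($row.Entry)"
}

$known = @{}
foreach ($row in Import-Csv -Path $Baseline) { $known[(Get-EntryKey $row)] = $true }

foreach ($row in Import-Csv -Path $Current) {
    $flags = @()
    # Green in the GUI: present now, absent from the baseline
    if (-not $known.ContainsKey((Get-EntryKey $row))) { $flags += 'NEW' }
    # Pink in the GUI: signer missing or not "(Verified)"; only meaningful
    # when the export was produced with signature verification on
    if ($row.Signer -notlike '(Verified)*') { $flags += 'UNVERIFIED' }
    # Yellow in the GUI: the entry points at a file that no longer exists;
    # only meaningful when the current export was taken on this machine,
    # not from an offline disk
    if ($row.'Image Path' -and -not (Test-Path -LiteralPath $row.'Image Path')) {
        $flags += 'MISSING-FILE'
    }
    if ($flags.Count -gt 0) {
        [pscustomobject]@{
            Flags    = $flags -join ','
            Location = $row.'Entry Location'
            Entry    = $row.Entry
            Image    = $row.'Image Path'
            Signer   = $row.Signer
        }
    }
}
```

Saved as, say, Compare-Autoruns.ps1 (a name chosen here), it runs as `.\Compare-Autoruns.ps1 -Baseline clean.csv -Current suspect.csv | Sort-Object Flags | Format-Table -AutoSize`, and entries flagged NEW are the ones to research first.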

This tab checks all of the “normal” locations in Windows for things to automatically be loaded, including the Registry’s Run and RunOnce keys, the Start Menu… and a lot of other places. As it turns out, there are 43 different “normal” places that software can insert itself to start up automatically at logon or logoff. No wonder there are such huge malware, crapware, and spyware problems in Windows!
Our advice: liberally uncheck everything you don’t need. You can always re-enable it if you want.

Explorer

This tab lists all of the add-on components that can load themselves into Windows Explorer. Since we didn’t have any to illustrate on our test system, we won’t show you a screenshot, but these will largely be context menu add-ons and other things like that.
If you are experiencing slow performance when browsing files, using the context menu, or just all around Windows, this is a likely culprit. You can disable anything you feel like here, though you might lose some functionality for certain applications.

Internet Explorer

This tab is immensely useful when working on other people’s computers, since they are much more likely to be using Internet Explorer than our readers are. This tab lists out all of the browser extensions, toolbars, and browser helper objects that are usually used by malware to either spy on you or show you ads. We’d recommend unchecking just about every single thing you see.

Scheduled Tasks

This is one of the trickiest ways that malware is hiding itself these days. Rather than hide using any of the places that people know to look for, the malware creates a scheduled task to reinstall itself, show ads, or do all sorts of nefarious things. The problem is compounded by how confusing the Task Scheduler can be, so most people would never even know to look here. Thankfully Autoruns makes this one easy.
We’d recommend removing almost everything that you don’t recognize and definitely isn’t from Microsoft. This is one example where using the Verify Code Signatures option is really useful.

Services

After tasks, one of the most common and insidious places that malware is hiding itself these days is by registering a Service in Windows, or in some cases, by creating a service that helps make sure that the other malware processes are still running.
You’ll want to be a little more careful when disabling things on this tab, as some things may be legit and necessary. In the screenshot below, you’ll see some Google, Microsoft, and Mozilla services that are just fine. While it wouldn’t be a big deal if we disabled them, it is still worth doing some extra research before disabling things, unless you have identified it as crapware or malware already.

Drivers

Believe it or not, but some crapware and malware makers have actually created device drivers that contained malware or very sketchy components that spy on you. After our test machine was infected with a bunch of crapware, we noticed that this driver showed up attached to one of them. We’re still not quite sure what it does, but given how it got there, it probably isn’t anything good.
You’ll definitely want to be much more careful on this screen. Disabling the wrong drivers can break your computer, so do your research, right-click on each of them and search online, and only disable something if it is most likely tied to spyware. In the example below, we had already identified the folder in the Image Path for the highlighted row as being crapware, so it was logical to disable it.

Codecs

These are libraries of code that are used to handle media playback for videos or audio, and unfortunately they have been abused by malware as a way to automatically start on the computer. You can disable them here if necessary.

Boot Execute

This one you probably won’t have to deal with, but it is used for things that start up during system boot, like when you schedule a hard drive check to happen at boot time since it can’t happen while Windows is actually loaded.

Image Hijack

If you read our second lesson about Process Explorer, you would have learned that you can replace Task Manager with Process Explorer, but you probably had no idea how this actually happens, much less that malware can and does use the same technique to hijack applications on your computer.
You can set a number of settings in the registry that control how things are loaded, including hijacking all executables and running them through another process, or even assigning a “debugger” to any executable — even if that application is not a debugger.
Essentially, you can assign values in the registry so that if you try to load notepad.exe, it will load calc.exe instead. Or any application can be swapped out and replaced with another application. This is one of the ways that malware blocks you from loading MalwareBytes or other anti-malware tools.

You can see it for yourself — on the left-hand side is the name of the executable, and on the right-hand side the “Debugger” key is set to the instance of Process Explorer that is running off my desktop. But you can change that to anything you want on either side and it will work. It would probably make a great prank that almost nobody would ever be able to figure out.

If you see anything in the Image Hijacks tab other than the values for Process Explorer, you should immediately disable them.

AppInit

In yet another example of why Windows has so much crapware and spyware, the AppInit_dlls entries in the registry are surprising and amazing. At some point Microsoft wrote a feature into Windows that loads all DLL files listed in a particular registry key… into every single process that starts.
Well, technically, whenever an application loads the Windows user32.dll library, it checks the value of the registry key and then loads any of the DLLs found in the list into the process, allowing every application to be hijacked by malware.
In Windows Vista and later versions, they finally decided to lock this down a little bit by requiring that the DLLs be digitally signed… unless the RequireSignedAppInit_DLLs key is set to 0, which makes Windows still load them anyway. As you can imagine, malware has taken advantage of this, as you can see in the example below.

Remember back in lesson 3 when we showed you how Conduit was hijacking and inserting its DLL files into your browser’s processes? This is how that was done. You can see the spvc64loader.dll in the screenshot above, which was then used to load up the SPVC64.dll file into the browser.
Evil.
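Both of these mechanisms live in documented registry locations, so they can be checked without the GUI, for instance from a logon script or a remote session. The script below is an added example, not code from the article or from Sysinternals: it lists every Image File Execution Options Debugger value (what the Image Hijack tab shows) and the AppInit_DLLs state (what the AppInit tab shows), including the LoadAppInit_DLLs switch and the RequireSignedAppInit_DLLs = 0 weakening described above. The filter that treats only Process Explorer’s Debugger entry as expected follows the article’s advice; the function names are chosen here.

```powershell
# Added example: audit the registry behind the Image Hijack and AppInit tabs.
# Run from an elevated PowerShell so both 64-bit and Wow6432Node views are readable.

# 1. Image File Execution Options: a "Debugger" value under <exe name> makes
#    Windows launch that program instead, with the original command line appended.
function Get-ImageHijack {
    $roots = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options')
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem -Path $root) {
            $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                [pscustomobject]@{ Executable = $sub.PSChildName; Debugger = $dbg; Key = $sub.Name }
            }
        }
    }
}

# 2. AppInit_DLLs: DLLs loaded into every process that maps user32.dll.
#    LoadAppInit_DLLs enables the mechanism; RequireSignedAppInit_DLLs = 0
#    lets unsigned DLLs through.
function Get-AppInitState {
    $keys = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows')
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Key                       = $key
            AppInit_DLLs              = $p.AppInit_DLLs
            LoadAppInit_DLLs          = $p.LoadAppInit_DLLs
            RequireSignedAppInit_DLLs = $p.RequireSignedAppInit_DLLs
        }
    }
}

# Anything other than the Process Explorer taskmgr replacement deserves a look;
# confirm the Debugger path really is procexp, not just a file named like it.
Get-ImageHijack | Where-Object { $_.Debugger -notmatch 'procexp' } | Format-Table -AutoSize
# Any non-empty AppInit_DLLs list is worth reading, doubly so when
# RequireSignedAppInit_DLLs is 0.
Get-AppInitState | Format-List
```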

KnownDLLs

This key makes sure that Windows uses a particular version of a DLL file. For the most part you won’t need to worry about it unless malware has messed with this list — the primary goal of using this tab is just to make sure that everything listed there is really a verified Windows component, which is pretty easy.

Winlogon, Winsock Providers, Print Monitors, LSA Providers, Network Providers

You shouldn’t usually have to worry about these tabs, as they simply contain add-ons that extend various aspects of Windows – the Winlogon and LSA providers tap into the logon and authentication system, Winsock and Network providers handle networking, and Print Monitors are third-party applications that deal with your printer.
If you do have values in these tabs, it is worthwhile to investigate before disabling them. It is certainly possible for malware to hijack these things.
