A Malware Recovery Scenario – Hacktool
A former student sent me an email requesting assistance with a computer issue. Microsoft Security Essentials kept posting the message “error warning: HACKTOOL:WIN32/Keygen”. The Hacktool malware was quarantined, but other symptoms started to appear. Following appropriate guidance, the student looked into the Event Viewer. The most often repeated error that the student noticed was “The driver detected a controller error on \Device\Harddisk1\DR1”. These two elements became the student’s focus, and the lack of a resolution resulted in the request for assistance. Given a small excerpt from the Event logs, I could determine that the system had been removed from the network (nicely done!), generating a number of DHCP and network link down errors. Also from the small excerpt I noted a couple of less obvious kernel and registry errors. All of these are symptoms of a more extensive malware infection.
The following scenario includes guidance offered to tackle a decidedly stressful, though solvable situation.
First isolate the system experiencing a problem. Isolate it so contamination and damage do not spread, not just single it out for its less than exemplary behavior. Then step back and look at the bigger picture. Start to calmly and methodically gather the facts. List out all the alternatives as you go. Prioritize your steps during your research and before you act.
I recommended the following approach and alternatives.
Microsoft’s Malware Protection Center provides only basic information on HackTool:Win32/Keygen. “HackTool” is Microsoft’s classification for tools such as key generators rather than a single destructive program; the danger is that keygens obtained from untrusted sources are a common carrier for other malware, which is consistent with the additional symptoms seen here.
You would do best to check out other support sites regarding the appropriate method and steps to remove this malware from your system. For instance, each of the following sites suggests alternative approaches.
Although I have provided two sites from which I have acquired useful material in the past, one never knows for certain whether the suggestion has been thoroughly tested or if the professional posting the recommendation has been provided all of the appropriate information before making their recommendation.
For instance, it would be best to know the make and model of computer for which a repair is desired, as well as the operating system, version, 32 or 64 bit, and latest service pack or update installed. Given that the error reported also generated driver and controller events in the Event Viewer, more specific platform and driver information would also be useful. Remember, sophisticated malware attacks seldom target only a single weakness, or create only a single symptom. All the details are often necessary to diagnose root cause. Without such information, you at best have only a modestly educated guess at the best resolution.
To apply the scientific method, keep gathering all of the facts. Then look for the patterns, develop a hypothesis, and test the hypothesis before attempting to implement a solution. Otherwise, you cloud the waters.
Remember that malware attacks are aimed at system weaknesses, and these weaknesses may be introduced by hardware, the firmware or drivers, the operating system, system settings, or user error. To properly target a repair, you need to understand the patient and the procedure.
As always, YOU MUST review the material provided by any support site first. Check it for relevance and make certain that the proposed repair will not excessively complicate the scenario or the repair. Inspect the links offered on any site before following them: right-click the link, copy the link address (never open it), and paste it into Notepad so you can see where it really points. If you determine that the link might offer a helpful tool, download the tool on a known working and clean system. Save the file to a USB stick or other external device so that you can scan the tool with one or more anti-malware tools before use; this also makes the tool portable for repairing and scanning the infected system.

Even some of the best support services, authorized by major vendors, create their revenue through advertising and selling lesser quality tools or services. Each of the sites offered provides viable advice, yet also contains links promoting the sale of specific software or services. Research and test the tool on a safe system or within a virtual environment before using it on a system containing valuable user data, so that you know how it works and what the outcomes should be (or might be if the tool fails to repair the problem).
Many sites, like Bleeping Computer, are communities. As such, they may be home to white hat, grey hat, and black hat hackers. You might want to research a support site’s safety based on recommendations from well known and approved vendors as one step toward validating content safety. For instance, Norton Safe Web reports that Bleeping Computer is a safe site.
Seldom, if ever, can a single anti-malware tool detect, quarantine, and repair all of the possible malware on a system. Once you have discovered malware, never trust a single scanning tool as the means to identify and repair the problem. Too often I have found that a single intrusion allowed other malware to enter. As the sources and varieties expand, the secondary infections tend to be more insidious and harder to purge. In other words, never rely on either a single security solution or a simple solution to assure the safety of your data.
The initial details provided suggest that your system has been infected by malware. The second piece of information is a controller error on \Device\Harddisk1\DR1, which the System event log records from the source “disk” as Event ID 11. You need to look at your hardware configuration through Device Manager to find out which device this references, and to check whether Device Manager itself shows warning or error markers. Note the location, version, and file characteristics of the related device drivers. Research the Event Viewer messages themselves to narrow down root cause; the one recorded here was “The driver detected a controller error on \Device\Harddisk1\DR1”.
Further research suggests that this error is most often associated with a USB drive. Disk 0 is usually the internal hard drive hosting the active OS partition. \Device\Harddisk1 is the disk that Disk Management lists as Disk 1 at the time of the error, and the DRn suffix is a counter that rises each time a removable disk is attached, which is why this message is so often traced to a USB device; lacking more accurate hardware specifications, that is the working assumption here. Now what? The malware may be attempting to propagate itself; this is, after all, the modus operandi of a worm. Might you have a device plugged into a USB port, and if so, might it have become infected? Remember, when it comes to malware or an attack, step one is always to isolate the system. Disconnect it from the network and from all other devices.
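The mapping described above can be done from the isolated machine itself rather than by guesswork. The following is an added example (not code from the original post): it pulls the Event ID 11 “controller error” entries from the System log, extracts the HarddiskN and DRn numbers, and looks up the disk with that index in WMI to see whether it is a USB device. It assumes PowerShell 2.0 or later on Windows Vista/7/8, run as Administrator.

```powershell
# Added example (not from the original post): correlate "controller error on
# \Device\HarddiskN\DRn" events with the physical disk and its interface type.
# Run as Administrator on the isolated machine (PowerShell 2.0+, Vista/7/8).

function Get-DiskControllerErrors {
    # System log, source "disk", Event ID 11 = "The driver detected a controller error on ..."
    $filter = @{ LogName = 'System'; ProviderName = 'disk'; Id = 11 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the \Device\HarddiskN\DRn token out of the message text
            if ($_.Message -match '\\Device\\Harddisk(\d+)\\DR(\d+)') {
                New-Object PSObject -Property @{
                    Time      = $_.TimeCreated
                    DiskIndex = [int]$Matches[1]   # HarddiskN: disk index at the time of the event
                    DR        = [int]$Matches[2]   # DRn: arrival counter, grows as removable disks are plugged in
                }
            }
        }
}

function Get-PhysicalDiskByIndex {
    param([int]$Index)
    # Win32_DiskDrive.Index is the number Disk Management shows as "Disk N".
    # InterfaceType is IDE, SCSI or USB; PNPDeviceID identifies the driver stack in Device Manager.
    Get-WmiObject -Class Win32_DiskDrive -Filter "Index = $Index" |
        Select-Object Index, Model, InterfaceType, MediaType, Size, PNPDeviceID
}

$errors = @(Get-DiskControllerErrors)
if ($errors.Count -eq 0) {
    Write-Host 'No disk controller errors (Event ID 11) found in the System log.'
} else {
    # A DR number well above the disk index usually means a removable device that was
    # plugged and unplugged repeatedly; the count per pair shows which device is noisiest.
    $errors | Group-Object DiskIndex, DR | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize

    foreach ($idx in ($errors | Select-Object -ExpandProperty DiskIndex -Unique)) {
        $disk = Get-PhysicalDiskByIndex -Index $idx
        if ($disk) {
            $disk | Format-List
            if ($disk.InterfaceType -eq 'USB') {
                Write-Host "Disk $idx is a USB device: unplug it and scan it from a clean host."
            }
        } else {
            Write-Host "Disk $idx is not attached right now (removable device?)."
        }
    }
}
```

If the disk index from the event is not present when you run this, the device has since been removed, which itself points at removable media; check the PNPDeviceID of whatever appears when the suspect USB device is reattached to a clean host, not to this machine.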
If needed, you could scan any USB attached media by attaching them to a separate and known good system. Attach and scan only after the clean host system has been booted and scanned itself; you don’t want a rootkit or boot-sector virus to infiltrate your clean system because you plugged in the USB device before the system was fully operational.
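Two of the steps above, vetting a downloaded tool on the clean system and scanning USB media on that same clean host, can be scripted so they are done the same way every time. The following is an added example, not code from the original post. It assumes Microsoft Security Essentials (Windows 7) or Windows Defender (Windows 8) is installed on the clean host, and the paths and the expected hash in the usage lines are placeholders you replace with the vendor-published values.

```powershell
# Added example (not from the original post): vet a downloaded tool and scan a USB
# volume from the known-clean workstation before anything touches the infected system.
# Assumes MSE or Windows Defender; the MpCmdRun.exe location is probed for both.

function Get-Sha256 {
    param([string]$Path)
    # .NET hashing works on PowerShell 2.0; Get-FileHash only exists on PowerShell 4+.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Find-MpCmdRun {
    # MSE (Windows 7) and Windows Defender (Windows 8+) ship the same scanner CLI in different folders.
    $candidates = @("$env:ProgramFiles\Microsoft Security Client\MpCmdRun.exe",
                    "$env:ProgramFiles\Windows Defender\MpCmdRun.exe")
    foreach ($c in $candidates) { if (Test-Path $c) { return $c } }
    throw 'MpCmdRun.exe not found; use the command-line interface of your installed scanner instead.'
}

function Test-DownloadedTool {
    param([string]$Path, [string]$ExpectedSha256)
    $result = @{ Path = $Path; HashMatches = $false; Signed = $false; Publisher = ''; ScanClean = $false }

    # 1. The hash must match the value published on the vendor's own site, copied from there by hand.
    $result.HashMatches = ((Get-Sha256 $Path) -ieq $ExpectedSha256)

    # 2. An Authenticode signature ties the binary to a publisher; unsigned is a warning, not proof of malice.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.Signed = ($sig.Status -eq 'Valid')
    if ($sig.SignerCertificate) { $result.Publisher = $sig.SignerCertificate.Subject }

    # 3. Custom scan of just this file (ScanType 3). MpCmdRun exit code 0 = no threat, 2 = threat found.
    & (Find-MpCmdRun) -Scan -ScanType 3 -File $Path | Out-Null
    $result.ScanClean = ($LASTEXITCODE -eq 0)

    New-Object PSObject -Property $result
}

function Invoke-RemovableMediaScan {
    param([string]$DriveLetter)
    # Scan the whole USB volume from the clean host. Plug the stick in only after this host
    # has booted and finished its own scan, as the text above says.
    $root = "$DriveLetter`:\"
    & (Find-MpCmdRun) -Scan -ScanType 3 -File $root | Out-Null
    New-Object PSObject -Property @{ Volume = $root; Clean = ($LASTEXITCODE -eq 0) }
}

# Usage (paths and hash are placeholders; replace with your own values):
# Test-DownloadedTool -Path 'E:\tools\scanner.exe' -ExpectedSha256 '<sha256 from the vendor page>'
# Invoke-RemovableMediaScan -DriveLetter 'E'
```

Treat the three results as independent signals: a matching hash says the file is the one the vendor published, a valid signature says who published it, and a clean scan only says this one engine found nothing, which is exactly why the post recommends more than one scanner.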
Another consideration before you get started with a repair is the value of any applications or data on the damaged or infected system. Once you begin repairs, depending on the severity of the attack, it may be impossible to recover data. You might need to place data capture as your first plan of action, since re-imaging the system may be either your best or only recourse to assure that the malware is gone and will not return.
The given scenario says Microsoft Security Essentials identified the Hacktool, so the infected system is most likely running Windows Vista, Windows 7, or Windows 8. Each of these is supported by the Windows Preinstallation Environment (Windows PE), which can serve as the platform from which data capture and repair are initiated. I still believe that booting from an external operating system image, even if only a simplified Windows PE medium, is the best alternative: the infected operating system is not running, so whatever it carries cannot hide files or interfere with the copy. From Windows PE you can create a full .wim image of the system with ImageX (Windows 7 WAIK) or DISM (Windows 8 ADK), or navigate the internal drives while they are secondary in order to copy files to a local backup (USB, CD/DVD, alternate partition). Remember, we don’t want this system attached to the network until it is repaired.
While in the Windows PE environment, you also have the option to run the System File Checker against the installed (offline) operating system. Plain sfc /scannow inside Windows PE checks the PE image’s own files; to target the installation on, say, drive D: you need the offline switches, sfc /scannow /offbootdir=D:\ /offwindir=D:\Windows, and a Windows PE built from the same Windows version as the installation. This repair covers protected system files, including the drivers Microsoft ships with Windows; third-party drivers are not protected and must be reinstalled from the manufacturer’s package.
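The capture, copy and offline repair steps of the last two paragraphs, as one script. This is an added example, not code from the original post. It assumes Windows PE from the Windows 8 ADK with the WinPE-PowerShell optional component added to the boot image, that the external backup disk shows up as E: inside Windows PE (an assumption you must verify with diskpart or Get-WmiObject Win32_LogicalDisk before running it), and that robocopy is present, as it is in Windows PE 3.0 and later. The offline Windows drive is located by its registry hive rather than assumed to be C:.

```powershell
# Added example (not from the original post): run from Windows PE booted on the
# infected machine, network cable still unplugged. Drive letters are assumptions:
# the offline Windows installation is found by its SYSTEM hive, the backup target
# is an external USB disk assumed to be E:.

function Find-OfflineWindows {
    # Inside Windows PE the installed Windows is not necessarily C:, so locate it by its SYSTEM hive.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 3' |
        Where-Object { Test-Path (Join-Path $_.DeviceID 'Windows\System32\config\SYSTEM') } |
        Select-Object -First 1 -ExpandProperty DeviceID    # e.g. "D:"
}

function Backup-InfectedSystem {
    param([string]$WindowsDrive, [string]$BackupRoot)
    # 1. Full file-based image of the OS volume (DISM from the Windows 8 ADK).
    #    On a Windows 7 WAIK PE use: imagex /capture D: E:\backup\infected.wim "Infected system"
    $wim = Join-Path $BackupRoot 'infected.wim'
    & dism.exe /Capture-Image "/ImageFile:$wim" "/CaptureDir:$WindowsDrive\" '/Name:Infected system' /Compress:max /CheckIntegrity
    if ($LASTEXITCODE -ne 0) { throw "DISM capture failed with exit code $LASTEXITCODE" }

    # 2. Plain copy of user data in case the image turns out to be unusable.
    #    /XJ skips junctions so the copy does not recurse into itself; /R:1 /W:1 stops damaged files from stalling it.
    $log = Join-Path $BackupRoot 'users-copy.log'
    & robocopy.exe "$WindowsDrive\Users" (Join-Path $BackupRoot 'Users') /E /COPY:DAT /XJ /R:1 /W:1 "/LOG:$log"
    # robocopy exit codes below 8 mean success (possibly with extra or skipped files)
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures; see $log" }
}

function Repair-OfflineSystemFiles {
    param([string]$WindowsDrive)
    # Only after the backup exists. Without /OFFBOOTDIR and /OFFWINDIR, sfc inside Windows PE
    # would check the PE image's own files rather than the installed system.
    & sfc.exe /SCANNOW "/OFFBOOTDIR=$WindowsDrive\" "/OFFWINDIR=$WindowsDrive\Windows"
    # Results are written to the offline installation: $WindowsDrive\Windows\Logs\CBS\CBS.log
}

$win = Find-OfflineWindows
if (-not $win) { throw 'No offline Windows installation found.' }
$backup = 'E:\backup'                       # assumption: external USB disk mapped as E:
New-Item -ItemType Directory -Path $backup -Force | Out-Null
Backup-InfectedSystem -WindowsDrive $win -BackupRoot $backup
Repair-OfflineSystemFiles -WindowsDrive $win
```

The order matters: the image and the user-data copy are taken before sfc changes anything, so the evidence of what the malware did is preserved, and the .wim can be mounted later on the clean system for scanning or for pulling out individual files.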
Since the hardware error suggests possible corruption of a USB driver, it might be the insertion of the USB device that created the problem. You might want to check other systems with which the USB device was used, to prevent the spread of infection or perhaps even to find ‘victim zero’, the first site of infection. Check the Reliability Monitor (the reliability history) to determine when performance problems or errors first arose. This can help you pin down when the problem was introduced, or identify a System Restore point that might provide initial relief. (Never totally trust a restore point after a malware infection: the snapshot can carry infected files from before the symptoms appeared, so scan again after restoring.)
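The “when did it start” question above can be answered from the machine’s own records. The following is an added example (not code from the original post): it finds the earliest Event ID 11 controller error in the System log, lists what the Reliability Monitor recorded in the 24 hours before it (driver installs, crashes, failed updates are the usual leads), and lists the restore points that predate the first symptom. It assumes Windows 7 or 8 with PowerShell 2.0 or later, run as Administrator on the isolated machine, and that the System log has not rolled over past the first occurrence.

```powershell
# Added example (not from the original post): timeline of the first controller error,
# the reliability records just before it, and the restore points that predate it.
# Windows 7/8, PowerShell 2.0+, run as Administrator on the isolated machine.

function ConvertFrom-WmiDate {
    param([string]$WmiDate)
    # WMI timestamps look like 20150421083000.000000-420; convert to a real DateTime.
    [System.Management.ManagementDateTimeConverter]::ToDateTime($WmiDate)
}

function Get-FirstControllerError {
    # Oldest System-log event from source "disk" with Event ID 11 (-Oldest returns ascending order).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'disk'; Id = 11 } -Oldest -ErrorAction SilentlyContinue |
        Select-Object -First 1 TimeCreated, Message
}

function Get-ReliabilityRecords {
    param([datetime]$From, [datetime]$To)
    # Win32_ReliabilityRecords is what the Reliability Monitor displays: application and Windows
    # failures, driver and update installs, and similar events that date the onset of trouble.
    Get-WmiObject -Class Win32_ReliabilityRecords | ForEach-Object {
        $t = ConvertFrom-WmiDate $_.TimeGenerated
        if ($t -ge $From -and $t -lt $To) {
            New-Object PSObject -Property @{
                Time    = $t
                Source  = $_.SourceName
                EventId = $_.EventIdentifier
                Message = ($_.Message -replace '\s+', ' ')
            }
        }
    } | Sort-Object Time
}

function Get-RestorePointsBefore {
    param([datetime]$Cutoff)
    # Restore points created after the first symptom are useless; older ones are candidates,
    # but a System Restore snapshot can carry the infection too, so scan again after using one.
    Get-ComputerRestorePoint | ForEach-Object {
        New-Object PSObject -Property @{
            Sequence    = $_.SequenceNumber
            Created     = (ConvertFrom-WmiDate $_.CreationTime)
            Description = $_.Description
        }
    } | Where-Object { $_.Created -lt $Cutoff } | Sort-Object Created -Descending
}

$first = Get-FirstControllerError
if (-not $first) {
    Write-Host 'No disk controller errors (Event ID 11) in the System log.'
} else {
    Write-Host "First controller error: $($first.TimeCreated)"
    Write-Host 'Reliability records in the 24 hours before it:'
    Get-ReliabilityRecords -From $first.TimeCreated.AddDays(-1) -To $first.TimeCreated |
        Format-Table Time, Source, EventId, Message -AutoSize -Wrap
    Write-Host 'Restore points that predate the first symptom (newest first):'
    Get-RestorePointsBefore -Cutoff $first.TimeCreated | Format-Table Sequence, Created, Description -AutoSize
}
```

If the System log has already wrapped, widen the search with the archived copy from the Windows PE backup (the .evtx files under Windows\System32\winevt\Logs can be opened with Get-WinEvent -Path on the clean system) rather than trusting the live machine’s shortened history.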
One test mechanism is always using known good hardware for comparative purposes. You might remove the hard drive from the infected system, and replace it with a known good drive to determine whether the problem is with the drive or with the motherboard or other system hardware. (Less likely in this case since malware was detected.)
While you have the drive from the infected system removed from the host, you might mount it in a USB disk enclosure and then use the clean system to fully scan the drive. I have found this to be an ideal solution when researching and recovering from a malware infection. Remember, no single tool can detect and repair all malware infections. In fact, few anti-malware products with real-time protection will tolerate each other on the same installation. Build a clean system with multiple boot partitions, or perhaps use virtualization such as Microsoft Virtual PC or Client Hyper-V. If you prepare a clean system with multiple malware detection and repair tools, you can then use the clean system to repair infected drives attached in an external USB enclosure.
Once you have removed any suspected malware, you need to repair the files damaged by the malware, or damaged and removed by your repair process. In the given scenario, you will need to scan for and replace all corrupted system components and drivers. Fortunately Windows 7 and Windows 8 offer recovery tools on the install DVD and within the Recovery Environment for this purpose (Startup Repair and sfc; on Windows 8, DISM /Online /Cleanup-Image /RestoreHealth can also repair the component store that sfc draws on). Make certain to back up user data whenever possible, and to test the recovery process before you run it on a production system. Some recovery alternatives restore the image by overwriting the entire system image.
There is no ‘fast’ solution when it comes to repairing or recovering from a malware intrusion. As a result, it is always best to spend some of your time trying to identify the root cause. Failure to identify root cause and close that opening will result in duplicating the recovery effort in the future, either on the initially infected system or on another system in the same environment.
If the customer is concerned about the time and cost, ask them about the value of their data. If the data is properly stored elsewhere, then your simplest solution might be to re-image the system from the outset. Fortunately, Windows 7 and Windows 8 provide powerful and simple tools to apply a new image, provided the image, application images, licenses, and data are available.
Always remember, there is seldom only one alternative. Take a methodical approach and you will find a solution.
Mike Danseglio teaches Security classes at Interface Technical Training. His classes can be attended in Phoenix, Arizona or online from anywhere in the world with RemoteLive.
- CISSP (Certified Information Systems Security Professional)
- Certified Ethical Hacking and Countermeasures v8
- CompTIA Security + Certification Skills