I recently had a Hyper-V server commissioned in a data center for a specific project. Unfortunately the engineers who commissioned the server did not install any Windows Updates and ‘secured’ the server with a very weak password. As a result, the server I received had been compromised and infected with crypto-mining malware within a few hours. This post details how I resolved this issue and what tools and techniques I used.
To resolve this issue I used the steps that Mark Russinovich detailed in a Tech-ed talk a few years ago titled Malware Hunting with Sysinternals Tools.
I immediately suspected something was not quite right with the server when I logged in for the first time. I noticed that a Cyrillic keyboard had been configured and set as the default keyboard. See image below.
I started working on the server and noticed that it was extremely slow. I downloaded and ran Sysinternals Process Explorer to see if I could identify what was causing this performance issue. When I opened up Process Explorer I identified the problematic process. As you can see from the image below, Update.exe was utilizing over 80% of the CPU resources.
Update.exe seemed like a legitimate process. However, as you can see from the Process Explorer image the executable was not signed. The high CPU utilization and the fact that the process causing the high CPU was not signed meant the server was most likely infected with some form of malware.
Malware Cleaning Steps
In Mark Russinovich’s talk he outlines six steps to cleaning malware which are:
- Disconnect from the network
- Identify malicious processes and drivers
- Terminate identified processes
- Identify and delete malware autostart
- Delete malware files
Step 1 – Disconnect from the network
The infected server was hosted in a data center and I only had remote access to it. I could therefore not implement the first step of disconnecting the server from the network.
Step 2 – Identify malicious processes and drivers
I had already identified Update.exe as a malicious process. On further investigation using Process Explorer, I discovered that Update.exe was in fact a ‘child process’ that was dependent on another process named rdphost.exe This primary process was also not signed which made me suspect that it was an additional malicious process.
I then used Process Explorer to check the properties of each suspicious process. You can see the screenshot of each process in the images below. You will also note that I used the ‘Submit to VirusTotal’ functionality that has been built into Process Explorer and confirmed that these two processes were in fact malicious. You can see the result in the annotated blocks in the images below.
Step 3 – Terminate identified processes
I now terminated the two malicious processes by right-clicking on the parent process (rdphost.exe) and clicking on ‘Kill Process Tree’ as shown in the image below.
Step 4 – Identify and delete malware autostart
Once I had terminated the malicious processes the server’s CPU utilization returned to normal. However the malicious processes were still on the server and if I were to restart or logoff and then log back on the malware would reignite. As per Mark’s methodology the next step was to identify the autostart triggers and delete these to prevent the malware from reigniting. For this task I used SysInternals Autoruns . I ran the tool and quickly identified the autostart for rdphost.exe and disabled it by unticking the selection box as highlighted in the image below. As Update.exe was a dependent of rdphost.exe disabling this autorun resolved the issue. I logged off and back on again and the malware was now permanently disabled.
Step 5 – Delete malware files
The malware was now permanently disabled but the malware files were still resident on the server. As I knew the location of the malware thanks to the detail provided by Process Explorer and Autoruns, I searched for the files in the relevant locations but could not find them using explorer as shown in the images below.
Clearly the files had been hidden and I was dealing with some form of stealth technology such as a rootkit. I then downloaded and ran Malwarebytes Anti-Rootkit to see if the application could find this stealthy malware. The application successfully identified Update.exe but rdphost,exe was not discovered as show in the image below.
Looks like it was time to go old school and use the command prompt. I ran the command prompt as administrator, navigated to the relevant directory and ran the command dir rd* /a. As you can see in the image below it successfully found rdphost.exe.
I then ran dir up* /a and also found Update.exe as shown in the image below
Now that I had identified the location and the hidden attributes of the two malicious files, I then ran the following two commands to delete them:
- del /a:h rdphost.exe /F
- del /a:h Update.exe /F
The remediation was now completed and my server was no free of malware. Many thanks to Mark Russinovch for the tools and processes used to accomplish this.
For those who want a sample of the malware I discovered, you can find it here: https://github.com/chrislazari/Malware