WHAT IS MALWARE
Types of malware:
- Virus: A virus is a malicious program that replicates itself and disrupts the normal operation of a system without the user's knowledge or permission. It attaches itself to executable code and runs every time that code runs, making multiple copies of itself. It corrupts files and denies access to data, rendering the data useless.
- Worm: Unlike a virus, a worm is independent and does not attach itself to any file or code; it spreads without needing a host file, replicating by copying itself across the network. Worms mainly attack networks, sending copies of themselves to everyone in your address book, causing DoS (Denial of Service) conditions and degrading your internet connectivity.
- Trojans: As the name suggests, a Trojan hides inside a seemingly legitimate program and runs malicious code from there. Once run, it infects the host computer and starts replicating. It performs activities such as sending your data to its creator, or logging what you type (passwords, bank account details) and sending that to its creator without your consent. It can even damage your data simply by deleting it. Trojans can change their code to trick antivirus programs into not detecting them; some are even scheduled to strike on preset dates.
- Spyware: Very similar to Trojans, these applications are designed solely to steal your data. Unlike Trojans, however, they cannot replicate themselves.
- Cloaked malware: This is the new generation of malware that is becoming a nightmare for the computing sector. Cloaked malware are rootkits that are invisible to Windows Explorer and hence to antivirus software. They run hidden from Task Manager, making their presence difficult to spot, and their files are hidden on the system, so antivirus does not detect them.
So, these are malware. Once we execute them, they go active in system memory, multiplying, restricting our privileges and adding registry entries to make sure they run at least once every time the system starts. They add malicious registry entries that mask them by disabling Task Manager, Registry Editor and Folder Options. They create files that execute them whenever a drive is opened, and they continuously monitor the system for a chance to spread. But how do we identify their presence on our systems? These are the symptoms.
Identification:
i. Unrecognised processes and files: The presence of unrecognised processes running in Task Manager, or of unrecognised files on drives, marks the presence of malware.
The key to identifying an infection is to keep a vigil on the processes that run in the background. This begins from the day you install a piece of software: see what processes it runs. Also remember which files are present on your hard drive. Any new file or folder with an .exe extension, or anything with a provocative name or a cute icon, can potentially be the result of an infection. If Task Manager has been disabled, Process Explorer from Sysinternals can be used to analyse the running processes.
ii. File and system behaviour: If you ever notice that drives open in new windows, that the system takes longer to start up, that the CPU shows heavy activity even with no load, or that files or folders reappear after being deleted or cannot be deleted at all, there is a high probability that your system is infected.
Files on a pen drive disappearing and being replaced by smaller folders (with an .exe extension, if you look closely) very clearly indicate the presence of malicious code.
File activity can be monitored with the application Filemon. An expert look at file activity can easily uncover malicious behaviour.
iii. Network activity: If friends complain that they are getting strange e-mails from you, with links to unknown sites or strange attachments, this could be a worm at work.
Increased network activity seen in Portmon or similar tools also implies the presence of a network worm.
iv. Reduced privileges: Getting error messages like "...disabled by administrator..." when opening Run, Task Manager or Registry Editor plainly implies that your system is infected and that malicious entries have been made in the registry.
v. Malicious entries in the registry: The same is implied when you get errors at startup such as "file not found". This is because malicious programs make registry entries so that they auto-start at system startup. This can also be analysed with the application Autoruns from the Sysinternals suite, or simply run MSCONFIG from the Run menu and check the startup applications.
These symptoms confirm the presence of malware on your PC. Now that you know you aren't alone, how do you zero in on the culprit, keeping in mind that your loyal antivirus let it in? Here is a step by step procedure to catch the culprit and kick it out. Stop all other applications and disconnect from the internet. Keep your weapons handy... War has begun!
Eradication of malware:
i. Identification of the process in memory: Once executed, conventional malware tends to stay active in system memory, running a process that carries out the task the malware was designed for. Nowadays it is common for malware to alter the registry to disable Task Manager, Run and Registry Editor, so use Process Explorer to view the active processes in memory. Tips for identification include:
a. Some malware is easily identified by very high CPU usage even when you aren't running any CPU-intensive application.
b. Many carry names that look suspicious even to a layman. Some include Khatarnak.exe, khatra.exe, music.exe, new folder.exe, soundmix.exe, etc. Most of them run under the explorer section in Process Explorer.
c. Smart viruses today carry names that spoof Windows processes. For example, Regsvr32.exe is a Windows application, but the virus carries the name Regsvr.exe. Similarly, a malware spoofs the name of the Windows service host svchost.exe and runs a process svcshost.exe.
In such cases identification becomes tough and depends more on your experience and a logical approach. Obviously a process Regsvr.exe isn't expected to be running all the time on your system, and a service host with an odd spelling that runs under explorer is suspicious. Assistance can always be sought online regarding any suspicious process.
d. Repeated processes of the same name present in memory, when just one or no such application is running, also indicate that the process is malicious code. svchost.exe is one exception, with around five such processes running at a time.
e. A reverse analysis can be made by identifying all legitimate processes and the applications that triggered them, so that the left-over processes are identified as suspicious.
f. Cloaked malware isn't easily identified, since it runs hidden from Explorer; its files and memory residency aren't visible, so its presence is hard to verify. The Sysinternals tool RootkitRevealer does a good job of detecting rootkits: it scans the registry and file system for discrepancies and reports possible rootkits that are actually present but not reported through the Windows API. Extreme caution should be taken before acting on its results, since it gives a probable result, not a certain one. Rootkits are the set of malware that I suggest are better removed using an antivirus.
Having identified the malicious process in memory, the next task is to find out where it is executing from. This can easily be checked in Process Explorer.
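As an added illustration of the heuristics in points a to d (this is not code from the post), here is a small Python checker over a constructed process list: it flags names within a small edit distance of well-known Windows process names, high CPU while idle, and repeated copies of one name, with svchost.exe exempted from the copies rule. The process list, the known-name set and the thresholds are assumptions.

```python
from collections import Counter

# Constructed sample (pid, name, parent, CPU %); not a real capture.
SAMPLE_PROCESSES = [
    (600, "svchost.exe", "services.exe", 0.5), (612, "svchost.exe", "services.exe", 0.2),
    (1200, "explorer.exe", "winlogon.exe", 1.0),
    (1340, "svcshost.exe", "explorer.exe", 0.0),   # spoof of svchost.exe (point c)
    (1360, "Regsvr.exe", "explorer.exe", 87.0),    # spoof of Regsvr32.exe, burning CPU (a, c)
    (1400, "notepad.exe", "explorer.exe", 0.0), (1500, "notepad.exe", "explorer.exe", 0.0),
    (1520, "notepad.exe", "explorer.exe", 0.0),    # three copies of one name (point d)
]
# Assumed baseline of genuine names to compare against; extend it per machine.
KNOWN_NAMES = {"svchost.exe", "regsvr32.exe", "explorer.exe", "services.exe",
               "lsass.exe", "csrss.exe", "winlogon.exe"}
EXPECTED_MULTIPLE = {"svchost.exe"}   # the post's exception: several instances are normal

def levenshtein(a, b):
    # Edit distance; a small distance from a genuine name suggests a spoofed one.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(name):
    # The genuine name this one imitates (edit distance 1 or 2), else None.
    n = name.lower()
    if n in KNOWN_NAMES:
        return None
    hits = [k for k in KNOWN_NAMES if levenshtein(n, k) <= 2]
    return min(hits, key=lambda k: levenshtein(n, k)) if hits else None

def flag_processes(procs, cpu_threshold=50.0, dup_threshold=3):
    # Map pid -> reasons for the processes worth a closer look in Process Explorer.
    counts = Counter(p[1].lower() for p in procs)
    findings = {}
    for pid, name, parent, cpu in procs:
        n, reasons, spoofed = name.lower(), [], lookalike(name)
        if spoofed:
            reasons.append(f"name resembles {spoofed}")
            if parent.lower() == "explorer.exe":
                reasons.append("system-looking name started under explorer")
        if cpu >= cpu_threshold:
            reasons.append("high CPU with no load")
        if counts[n] >= dup_threshold and n not in EXPECTED_MULTIPLE:
            reasons.append(f"{counts[n]} copies running")
        if reasons:
            findings[pid] = reasons
    return findings
```

The three notepad.exe copies are reported as well, which is the point of heuristic d: a flag means "look closer", not "malicious".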
ii. Stopping the malicious code execution: The next step is to stop the execution of the malicious code. As long as it is active in memory, the malicious code can keep multiplying, monitors the system to maintain its malicious action and keeps a vigil on the registry, not allowing it to be rectified. This can simply be done with Task Manager or Process Explorer, or may even need a boot from a secondary device.
Note: From now on, don't open any drives by double-clicking them, since this can trigger the drive's autorun, which is usually linked to auto-running malicious code through an autorun.inf file. Open drives from the address bar or with Explore instead. Do not open any new folders either, since they may well be masked Trojans carrying a folder icon!
a. The basic step is to end-task the identified malware to stop its execution. This can be done directly in Process Explorer. If a new malicious process pops up on termination of the first, it is probably running from another location; end-task that process too. Preferably end-task the whole process tree, but be sure you have noted down where it is executing from.
b. If the process keeps starting again and again, it probably has another file backing it up. In that case, use KillBox to end the process and delete the file. To use KillBox you need to know the location of the file, which is obtained from Process Explorer.
Note: Even if the process was end-tasked in step a, its file has to be deleted using KillBox. The reason KillBox's option to end the explorer shell is not preferred is that when it deletes the file after ending the explorer shell, it restarts Windows Explorer, which is often accompanied by the malicious code executing again. The best way is to end-task the process using Process Explorer and delete the file using KillBox. If the file is in use, unlock it using the tool Unlocker and then delete it.
c. Some smart malware can't be deleted even with KillBox, citing privilege issues. It is then necessary to boot from a secondary device, preferably a Bart's PE live CD, and delete the malicious files.
d. Rootkits, once identified, can be deleted the same way as above using KillBox or by booting from a secondary device. Since the process they run is hidden, it is tough to verify whether the malware's execution has stopped. Rely on your instincts to see if everything is OK, or assume at this stage that the malware is no longer active in memory.
iii. Regaining authority: Malware usually limits our privileges to make sure it stays hidden or can't be detected. This includes disabling Task Manager, Run, Registry Editor, registry import, etc. The next step is to regain control of our system.
a. In Run, type:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
and run the command. This removes the registry entry that had disabled registry editing. Registry editing is now allowed, though the Windows Registry Editor may still be disabled.
Note: Type the above command into Notepad and save it, then change the extension to .bat, and you have your own registry-editing enabler tool!
b. Download the RatsCheddar tool and run it. This enables Registry Editor, Task Manager and Folder Options.
If at this stage you find that the restored defaults are altered once again to impose restrictions, the malware is still active in memory. Repeat the identification and stop its execution.
iv. Removing the supporting restart mechanisms: Now that the malicious code isn't active in memory, the next step is to remove its supporting mechanisms. Every malware, once executed, makes sure that it runs at least once on every system startup. This is achieved through registry entries or by modifying autoexec.bat, config.sys, etc. Registry entries are the option malware prefers most, and we will go by it.
a. Much malware leaves behind trigger files on drives that restart the malware in full force once the drive is double-clicked. They work by creating an autorun.inf file linked to the triggering malware file, so that every time the drive autoruns, the malware is triggered again. Our first priority is to remove this kind of start mechanism.
Open My Computer, go to Folder Options and enable "Show hidden files and folders", then un-tick "Hide extensions for known file types" and "Hide protected operating system files". When you un-tick "Hide protected operating system files", a confirmation is asked; confirm it. Once finished, apply the settings. Now enter the C: drive via the address bar or by right-clicking and choosing Explore. You will now see many files that were hidden earlier.
Check for the presence of any autorun.inf file. Open it by double-clicking it (it won't hurt!) and, if readable, check which file was meant to be auto-run.
Caution: Many of the system files now visible are responsible for booting your system. Do not go on a random deletion spree, lest your system doesn't boot again! Some of the system files and folders are: Autoexec.bat, config.sys, hiberfil.sys, pagefile.sys, IO.sys, MSDOS.SYS, boot.ini, NTDETECT.COM, ntldr, the config.sys folder, the System Volume Information folder, the Recycler folder, etc.
Delete the file mentioned in the autorun.inf file and the autorun.inf file itself. Also delete any folder-like item of any name with an .exe extension, and any other .BAT or .COM file apart from those mentioned above. Repeat the process for all drives, opening each of them without double-clicking. If in doubt, take help online, preferably on another system.
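To make the "check which file was meant to be auto-run" step repeatable, here is an added Python parser (not code from the post) for an autorun.inf: it reads the [autorun] section, collects every file the drive would launch through open=, shellexecute= and the shell\<verb>\command= entries, and reports why the file matches the trigger mechanism described above. The sample autorun.inf is constructed to resemble that pattern.

```python
# Constructed autorun.inf in the pattern the post describes; not a real sample.
SAMPLE_AUTORUN = """[autorun]
;icon and verbs all point at a file that pretends to be a folder
open=New Folder.exe
icon=New Folder.exe,0
shell\\open\\command=New Folder.exe
shell\\explore\\command="New Folder.exe" /e
shell=open
"""
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    # {key: value} for the [autorun] section only, keys lower-cased; blank and ';' lines skipped.
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def launched_files(entries):
    # Files the .inf would run: open=, shellexecute= and every shell\<verb>\command=.
    targets = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            if value.startswith('"'):            # quoted path, arguments follow the closing quote
                exe = value[1:].split('"', 1)[0]
            else:                                # unquoted: cut before the first " /" switch
                exe = value.split(" /", 1)[0]
            exe = exe.strip()
            if exe and exe not in targets:
                targets.append(exe)
    return targets

def suspicious(entries):
    # Reasons this autorun.inf matches the trigger mechanism the post warns about.
    reasons = [f"launches executable {f}" for f in launched_files(entries) if f.lower().endswith(".exe")]
    if any(k.startswith("shell\\") for k in entries):
        reasons.append("Open/Explore verbs overridden, so right-click actions run the same file")
    return reasons
```

The overridden shell verbs are worth checking before relying on right-click Explore to open a suspect drive.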
Registry entries are made to make sure the malware executes at every system startup and stays in memory. Use the tool Autoruns from Sysinternals to check the startup keys in the registry. It lists all processes and files scheduled to autorun at startup in the Logon tab. Search for and delete any suspicious entries.
Another useful tool is HijackThis from Trend Micro. It lists all non-Windows processes starting at startup, giving a clear picture of the situation. It also has an ADS scanner that can be used to detect rootkits. All such malicious entries are simply to be deleted.
v. Finishing by cleaning up all the scraps: By this time you will know what had struck you. Search the net for more details about the infection and delete its sister files as well. If there are any entries you ignored earlier, delete them too, after verifying them online.
Clean all temporary files: type temp, %temp% and prefetch in the Run command (one at a time!) and open each location. Delete all files stored in them, using Unlocker to unlock any locked files. Delete all cookies and other files in download folders. Go on a manual hunt through the Documents and Settings folder and delete any last traces of the infection.
Delete all previous System Restore points, since they may be hiding the infection. Keep an antivirus handy. Now restart your system. Check the startup time, verify that Task Manager is working and check the processes running in it. If everything works fine, congrats! You just won the battle!
Any cryptic error messages like "file not found" mean startup entries for the malicious code are still present even though the code is gone. Simply run Autoruns and, in the Logon tab, look for an entry with a "file missing" error beside it and delete it. Install a good antivirus and update it. Preferably reinstall the web browser too.
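For the Autoruns check in step iv and the "file not found" entries just described, here is an added Python audit of Run-key entries (not the post's code): it extracts the executable from each command line, reports entries whose file no longer exists, and flags executables run from user-writable data folders or carrying a numeric-only name as in the case study below. The entries and the set of files that exist are constructed; on a real machine pass the values read from the Run key and leave exists at its default.

```python
import ntpath
import os

# Folders the post has malware living in; assumed hints, not an exhaustive list.
WRITABLE_HINTS = ("\\application data\\", "\\temp\\", "\\local settings\\")

# Constructed Run-key contents (value name -> command line); only legit.exe "exists".
SAMPLE_RUN_ENTRIES = {
    "Legit": '"C:\\Program Files\\Legit\\legit.exe" /background',
    "1632575944": '"C:\\Documents and Settings\\All Users\\Application Data\\538654387\\1632575944.exe"',
    "OldTool": "C:\\WINDOWS\\gone.exe /silent",
}
SAMPLE_PRESENT = {"C:\\Program Files\\Legit\\legit.exe"}

def command_target(command):
    # Executable path from a Run-key command line: quoted "C:\a b\x.exe" /s or unquoted C:\x.exe /s.
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]     # unquoted paths are assumed to contain no spaces

def audit_run_entries(entries, exists=os.path.isfile):
    # Map value name -> reasons for entries worth removing or checking in Autoruns' Logon tab.
    findings = {}
    for name, command in entries.items():
        target = command_target(command)
        reasons = []
        if not exists(target):
            reasons.append("target file missing (orphaned entry behind a 'file not found' at logon)")
        if any(h in target.lower() for h in WRITABLE_HINTS):
            reasons.append("runs from a user-writable data folder")
        if ntpath.splitext(ntpath.basename(target))[0].isdigit():
            reasons.append("numeric-only file name, like the System Security case study")
        if reasons:
            findings[name] = reasons
    return findings

def run_demo():
    # Audits the constructed entries against the constructed set of present files.
    return audit_run_entries(SAMPLE_RUN_ENTRIES, exists=lambda p: p in SAMPLE_PRESENT)
```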
Now that your system is malware-free, make a commitment to it that from now on you play clean and play safe. Keep your antivirus updated, be cautious online, avoid dirty sites, install an antivirus with a site advisor and be extra cautious with removable media.
Hope you live happily ever after!
Note: A case study: removing the System Security fake antivirus.
Due to popular demand, I have posted the specific procedure to remove the System Security malware manually.
Kill processes:
Open Process Explorer and kill the process named 1632575944.exe (it may also carry some other number as its name). Note the location it is executing from before killing it.
Delete registry values:
Open Registry Editor and delete the value below. You may need to restore the defaults using my restore-defaults tool to enable registry editing and the other defaults (go to the home page and download it from the downloads section).
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "1632575944"
Or use the Autoruns tool and delete this key from the Logon tab.
Delete files:
Search for and delete the following files (Windows Search works too):
1632575944.exe, config.udb, init.udb, English.lng, German.lng, Spanish.lng, System Security.lnk
Delete directories:
c:\Documents and Settings\All Users\Application Data\538654387
c:\Documents and Settings\All Users\Application Data\538654387\Languages
C:\Documents and settings\All Users\Start Menu\Programs\System Security
Reboot and check that everything is OK.