Welcome Guest ( Log In | Register )

Outline · [ Standard ] · Linear+

Virus/Malware Virus /Rootkits Thread, Work In Progress

views
     
TSAsenDURE
post Jun 18 2007, 04:11 PM, updated 17y ago

je suis desole. je n'y crois pas a ces conneries!!
Group Icon
VIP
2,496 posts

Joined: Jan 2003
From: LowYatDotNet Status:Agast
Virus Removal Steps

Keep the infection local.
Disconnect from the network/internet. I mean physically pull out your RJ45/RJ11 plug. This stops the virus from progating throughout your network or over the internet (worms/viruses), stop your data from leaving (calling home) your compromized system (trojans) through backdoors and stops your machine from participating in a zombie mob DOS attack.

Perform a Virus Scan.
This is the first attempt to determine if your system is truly infected. Do a deep scan of every single file and folder on the system. This may take several hours but it is necessary. Make sure your virus definition(Database) is updated. Many of them can update the database locally via a update file you can grab off the offical website.

Grab the prescribed removal tool. Once you've identified the virus infecting your system. you can now better deal with the particular infection by administering the proper "vaccine". You can go to any of the known antivirus companies website and grab a removal tool. This tool will delete any of the known virus-infected files and registry entry made by the virus. Take not of the virus "version" and download the corresponding tool. It will require you to do a scan and then reboot into safe mode and perform the scan again.

Removal Tools:
• AVG
http://free.grisoft.com/doc/8/lng/us/tpl/v5
• Kaspersky
http://www.kaspersky.com/removaltools
• Norton
http://www.symantec.com/enterprise/securit...emovaltools.jsp
• McAfee
http://us.mcafee.com/virusInfo/default.asp?id=vrt
• Panda
http://www.pandasoftware.com/download/utilities/

I also suggest downloading McAfee's Stinger and PC-Cilin's Virus Cleanup template (and their respective virus definition files) which are standalone/install-less virus removal engine.
• McAfee Stinger
http://vil.nai.com/vil/stinger/
• PC-Cilin VCT
http://www.trendmicro.com/download/dcs.asp

Additionally, you can scan your PC online with
• PC-Cilin Trendmicro's Housecall
http://housecall.trendmicro.com/
• Panda Antivirus Active Scan
http://www.pandasoftware.com/products/ActiveScan.htm
• Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner
• McAfee File Scan
http://us.mcafee.com/root/mfs/default.asp
• Norton Fee Online Virus Scanner
http://kb.wisc.edu/helpdesk/page.php?id=2389

It is very important that you place any media you're using to trasfer the Removal tool, virus database update file or when performing a scan to read-only-mode until you are certain that your system is no longer infected. If you're media does not have read-only option then don't use it. If you have no choice, once it is put in the system, assume that it is also infected and treat it accordingly. These devices can be put into read-only mode by the sliding button on your device. Read your manual. Any portable media not on read-only mode are susceptible to being infected by the virus.

Check for unusual applications and processes.
A virus is just like a regular application and need to be running in order to work. It should also have a way to start itself up again when the system is rebooted (taking advantage of many of the ways programs automatically start-up in Windows). There are typically five ways that programs start-up automatically in windows and we need to look at these five ways to look for the virus.

1. The most rudimery is the Startup folder. Any application or shortcut that is located in the Startup folder will automatically start-up each time the system is booted into Windows. There are several of these folders located throughout the system notebly each user’s profile

• C:\Documents and Settings\<username>\Start Menu\Programs\Starup
(this includes Default and All Users profiles as well)
• C:\Documents and Settings\Default User\Start Menu\Programs\Startup and;
• C:\Documents and Settings\All Users\Start Menu\Programs\Startup

and Windows system files such as;

• c:\autoexec.bat
• c:\config.sys
• Windows\win.ini, wininit.ini, system.ini
• Windows\system\autoexec.nt, config.nt

more reading: http://www.aumha.org/a/loads.php

2. The most typically is from the Registry. Several locations in the registry that controls auto-startup of applications are contained. The HKEY_USERS and HKEY_CURRENT_USER run when the user logs in while settings under HKEY_LOCAL_MACHINE run when the system starts up. Some of the registry keys that you need to look it include:

Local User
HKEY_USERS\<User UID>\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\*CurrentVersion\RunOnce

Local Machine
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

a more extensive list of launch point can be found here:
http://www.silentrunners.org/sr_launchpoints.html

3. The current favorite is as a Service. Just like running from the registry, any viruses that installs itself as a service can run without user intervention upon start-up. It can also start back up when when you kill it because the service control has the option to restart the service upon a failure (in which case, manually killing it constitutes a failure).

user posted image

4. Less common is from a Script. The GPO is an enterprise-wide feature that enables the network administrator to write a script to perform certain tasks upon start-up/shutdown on multiple computers in a network/domain using scripting language such as VB, JS,etc. Your computer also has a local GPO and you need to launch the GPO editor console and to check if there are any suspicious scripts running on your system.

Running Scripts are located in

• Local Computer Policy\Computer Configuration\Windows Settings\Scripts (Startup/Shutdown)\Startup for programs that run when the computer is started and;

• Local Computer Policy\User Configuration\Windows Settings\Scripts (Logon/Logoff)\Logon for programs that run when the user logs in.

user posted image

If you don't do any scripting, aren't on a domain, then anything in here is considered highly suspicious.

5. Possibly, but rarely, from a Scheduled Task. A scheduled task has the ability to run applications on start up and on log in of a user. They also have the ability to run a program as a different user or as the system itself. The Scheduled Tasks can be found under the Control Panel.

it is very common to see virus writers use a combination of these steps so you need to cover all these basics.

Using Msconfig,Gpedit.msc,Services.msc
The Microsoft System Configuration Utility or simply MSCONFIG is a tool built into Windows that is designed to help you troubleshoot problems with your computer. You can see some of the programs that run in the background upon startup here together with some registry entries and it's a good place to start. To check your services you need to use Services.msc and to check scripts, as mentioned before, Gpedit.msc. All are run from Start > RUn >

user posted image

more information:
http://support.microsoft.com/kb/310560

for a more extensive utitily I would recommend AutoRuns from Sysinternals.
http://www.microsoft.com/technet/sysintern...s/Autoruns.mspx

Turn off System Restore.
There is some debate about whether to turn off system restore or not when during an infection. The reason why we need to be concerned with system restore is because system restore can at certain times cache a virus which will be restored with the other windows system state files during a system restore operation. Often times you will also get the AV complaining that it is unable to clean one or more files in the System Volume Information data store. The downside is that when you purge the restore points, you will be unable to restore your system to a previous system state if anything goes wrong.

QUOTE(http://support.microsoft.com/kb/831829)
Remove infected files that you cannot clean in the System Restore data archive
If you suspect that previous restore points contain copies of infected monitored files that your antivirus program was not able to clean, you can remove these files and all the related restore points from the System Restore archive. To do so, turn off System Restore, and then turn it on again.

Notes: When you turn off System Restore, you remove all the restore points. When you turn on System Restore again, new restore points are created as the schedule and events require.� Verify that all the signature or the definition files are current. Make sure that your antivirus program is configured to exclude the System Volume Information (SVI) folder (a hidden computer folder that is located in the computer root, or %SYSTEMDRIVE%).

To completely and immediately remove any infected file or files in the data store, turn off and then turn on System Restore. To do so, follow these steps:
1. Click Start, and then click Control Panel.
2. Click Performance and Maintenance, and then double-click System.
3. Click the System Restore tab, and then click to select the Turn off System Restore for all drives check box.
4. Click OK, and then click Yes to initiate the restore point deletion.
Use Task Manager
Get familiar with process running in the background on your own PC. once you're familiar with all the usual process then anything out of the ordinary will stand out like a sore thumb. most (not all) viruses tend to have weird filenames like Age_of_empire.exe (huh? i didn't play that game) and some try to look legitimate by taking similar names to common Windows processes. eg. svchost.exe instead of scvhost.exe.

Once you're comfortable with processes, you can opt to use Process Explorer from Sysinternal. Downloadable from here: http://www.microsoft.com/technet/sysintern...ssExplorer.mspx

this are normal processes
QUOTE(homenetworking help)
"System Idle Process"
"System" The Windows System Process
"SMSS.EXE" Session Manager Subsystem
"CSRSS.EXE" Client Server Runtime Subsystem
"WinLOGON.EXE" The Windows Logon process
"SERVICES.EXE" Services Control Manager
"LSASS.EXE" Local Security Authentication Server Service
"svchost.exe" Service Host
"spoolsv.exe" The print spooler service
"explorer.exe" Windows Explorer
"TASKMGR.EXE" The Task Manager
"regsvc.exe" Remote Registry Service
user posted image

as a general rule, take extra interest in any processes don't have a company name (with the exception of DPCs, Interrupts, System, SMSS, Services, System Idle Process and things mentioned above), verification signer (Process explorer auto verifies images) and version number attached to it. you can kill the process by right-clicking on it selecting Kill. process explorer also allows you to search for a specific process. you should also be interested in purple threaded processes.

QUOTE(mark russ ppt presentation slide)
Purple highlighting indicates an image is “packed”
Packed can mean compressed or encrypted
Malware commonly uses packing (e.g. UPX) to make antivirus signature matching more difficult
Packing and encryption also hides strings from view
user posted image

If you're unsure what a process is responsible for you can check it out here:
http://www.liutilities.com/products/wintas...ibrary/scvhost/

This post has been edited by AsenDURE: Jun 20 2007, 02:53 PM
TSAsenDURE
post Jun 19 2007, 08:33 PM

je suis desole. je n'y crois pas a ces conneries!!
Group Icon
VIP
2,496 posts

Joined: Jan 2003
From: LowYatDotNet Status:Agast
Rootkits

what are rootkits?
normally only sysadmins are concerned with these, but i'm seeing alot of these crap floating around in the home networking environment. could be coz alot of current Windows version seem to be based on NT/Server platform. a rootkit is program that that allows the a hacker to mask intrusion and gain root or privileged access to the computer. rootkits can then monitor traffic, grab keystrokes, steal passwords, or create a "backdoor" into the system for the hacker to administer the infected system remotely for almost anything he wishes to.

because rootkits can run at the kernel & API level, it can be hidden from the OS & the upper layer utils like Explorer (file viewers), does not show up in Task Manager (process viewers), will not leave visible entries in the startup folders or common startup locations mentioned above. It will also not show up on most antivirus scanners & antispyware. rootkits not only take advantage of the vulnerbilities in your OS but even in your antispyware/antivirus detector as well.

rootkits are not themselves not malware programs but ofthen times are used to hide the presence of malware programs/trojans/worms. detecting rootkits requires a specialist rootkit detector.

check rootkit threat alerts from here:
http://www.rootkit.com/board.hot.php

types of rootkit-run levels
QUOTE(M'zoft Technet)
The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.

Persistent Rootkits
A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contain code that must be executed automatically each system start or when a user logs in, they must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.

Memory-Based Rootkits
Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.

User-mode Rootkits
There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.

The Windows native API serves as the interface between user-mode clients and kernel-mode services and more sophisticated user-mode rootkits intercept file system, Registry, and process enumeration functions of the Native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with that returned by a native API enumeration.

Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.


rootkit detectors

M'zoft's Sysinternal RootkitRevealer [from sysinternal, 'nuff said]
http://www.microsoft.com/technet/sysintern...itRevealer.mspx

X-Focus's Ice Sword [chinese, very good and for experienced users only]
http://www.xfocus.net/tools/200509/

M'zoft's Malicious Software Removal Tool
http://www.microsoft.com/downloads/details...&displaylang=en

Blacklight from F-Secure [non-free]
http://www.f-secure.com/blacklight/

Sophos Anti-Rootkit [Release Candidate 1]
http://sophos.com/products/free-tools/soph...ti-rootkit.html

RKDetector
http://www.rkdetector.com/

RootKit Hook Analyzer
http://www.resplendence.com/hookanalyzer

Rootkit removal
The difficulty with rootkit removal is lies problem that rootkits work by changing the OS itself at the kernal level, it may not be possible to remove the rootkit without causing Windows to become unstable or non-functioning.

For rootkits that are 'bundled' with spyware/malware, removing the malware hidden by the rootkit presents the normal problems of removing any malware but removing the rootkit itself may unstabilize your entire system to the point that the malware can not be completely removed.

This post has been edited by AsenDURE: Jun 20 2007, 11:08 AM
TSAsenDURE
post Jun 20 2007, 11:02 AM

je suis desole. je n'y crois pas a ces conneries!!
Group Icon
VIP
2,496 posts

Joined: Jan 2003
From: LowYatDotNet Status:Agast
ok folks, comment, correct, discuss, contribute...

Update
=====

• Panda Rootkit cleaner is in Alpha Stage (credits to havuk)
http://research.pandasoftware.com/blogs/re...it-cleaner.aspx

• GMER (credits to havuk)
http://www.gmer.net

• DarkSpy (credits to havuk)
http://www.softpedia.com/get/Antivirus/Dar...i-Rootkit.shtml

• Trendmicro's Rootkit Cleaner is in Beta Stage
http://www.trendmicro.com/download/rbuster.asp

• McAfee's Rootkit Detective is in Beta Stage
http://vil.nai.com/vil/stinger/rkstinger.aspx

It's good that alot of security/AV companies are taking rootkit seriously. In your next AV upgrade/purchase/license renewal, you may want to seriously consider this feature included in your AV package. smile.gif

This post has been edited by AsenDURE: Jun 21 2007, 10:32 AM

 

Change to:
| Lo-Fi Version
0.0142sec    0.17    7 queries    GZIP Disabled
Time is now: 29th March 2024 - 08:06 AM