There is probably no one who has not been directly or indirectly affected by computer viruses. Anti-virus companies charge a lot of money for their products which do not provide adequate protection. The question is, why bother installing anti-virus software at all?
System analysis. It is logical that in order to detect and disarm malicious code an anti-virus program must exist; prevention remains prevention. For each type of malware there are its own symptoms, some visible to the naked eye and some not visible at all. What are the symptoms?
Since this is a computer connected to a network, the first symptom is unusually heavy bandwidth consumption, usually outbound. Of course, on a gigabit link it may go unnoticed if the attack only generates dial-up-sized traffic, but as a rule you notice the system slowing down when opening Internet resources.
Next on the list is the inability to log in to or update from the antivirus companies' websites, and program failures of the CRC-error type. The reason is that quite a few commercial protectors (and not only protectors, but the developers of protection schemes themselves) support checking the parity or integrity of an executable file, which is done to protect the program from cracking. The effectiveness of this method against crackers and reversers is not worth discussing, but it works perfectly well as an alarm for a virus infection. A giveaway of novice virus writers is that when shutting down or rebooting the computer, some process takes a long time to finish or the computer hangs on shutdown. I don't think processes need explaining, nor does the Startup folder: if something there is unfamiliar or new, that is probably it; but more on that later.
Frequent reboots, the Internet connection dropping, the antivirus shutting down, unavailable update servers, errors during antivirus updates, the appearance of unknown files: this is just a short list of symptoms of an infected machine. Besides outright malicious code there is so-called spyware: all kinds of keyloggers, key dumpers and browser helpers. In terms of detection method they fall into two opposing camps: a keylogger attached to the OS shell via a dynamic library is hard to detect on the fly, whereas a plugin, as a rule, should catch your eye straight away.
Detection on the fly. Enough has already been said about mail worms; the algorithm is the same for all of them, and the way mail worms spread is so trivial that if you manage to run the file from the attachment, this article won't help anyway. To illustrate, an example from life: an IRC bot, undetectable by any antivirus (so far). The propagation principle is quite simple: a vulnerability found in the OS. If you use your head, you realize that the main way to get onto a vulnerable machine is to call the tftp server on that machine; according to vulnerability statistics this is the infamous tftp.exe. The first symptom of these worms is outgoing traffic: once on the machine, the worm starts searching for another vulnerable machine on the network, that is, it simply scans IP address ranges. Then it's very simple: the first thing to do is to look at the OS event log.
That is, Control Panel, Administrative Tools, Event Log.
Here we are interested in notifications of running services and, more importantly, error notifications. For more than two years now worms have been hammering at a bug in the DCOM server. Therefore any DCOM server error is good reason to suspect a virus on the system. To be sure of its presence, check the error report for the name and privileges of the user responsible for the error. If the user is unspecified or something similar, rejoice: the infection may have succeeded! Proceeding logically, the first thing to do is to close the hole in the system against future access and then to localize the virus. As said before, these viruses usually get in through tftp.exe, so remove it from the system. To do this, first remove it from the archive
, then from the OS upgrade folders, if any, then from
and then just from
The OS will probably say that the files are corrupted and ask for the distribution disk; don't agree! Otherwise it will restore the file and open the hole again. When all that is behind you, you can start localizing the virus. To see which applications are using a network connection, a handy little program, TCPView, can help. However, some worms have a good encryption algorithm or can attach themselves to processes or masquerade as them. The most common process to masquerade as is svchost.exe: there are a handful of such processes in Task Manager anyway, and a program can be created with the same name, making it nearly impossible to tell who is who. But there is a chance, and it depends on attentiveness. First of all, look through Task Manager. For svchost.exe the company name is, oddly enough, M$; of course false information can be added to the virus's code, but there are a couple of things here. The first and probably the main one is that a well-written virus contains no import table or data sections. Such a file therefore has no resources, and so no creator can be written into the resources. Alternatively, a resource section can be created, but then the file grows excessively, which is highly undesirable for a virus writer. It is also necessary to say about svchost.exe that it is a host for system services, and each service is a running file with certain parameters.
Accordingly, Control Panel, Administrative Tools, Services lists all the services loaded through svchost.exe; count the running services and the svchost.exe processes, and if the numbers don't match, everything is already clear (naturally you must compare against the number of RUNNING services). A virus may also hide among the services themselves; one thing can be said: the list of services is on MSDN and elsewhere on the network, so just take it and compare, that is not a problem. After such actions you can get the name of the file which is probably the virus. For normal operation the OS needs 5 files in the root directory, so you can safely delete all other files, unless you have installed programs into the root directory yourself. Files needed for normal operation:
ntldr boot.ini pagefile.sys Bootfont.bin NTDETECT.COM
There should be nothing else. Naturally, a virus will as a rule be loaded at system startup. Accordingly, check the following registry keys for suspicious programs:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
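As an added example (my own code, not the author's), a Python script that walks the value-based startup keys above and applies a rule of thumb to each program it finds: anything launched from TEMP, a user profile or RECYCLER, anything outside %SystemRoot% and Program Files, and any bare filename resolved through PATH (the root-directory trick) is flagged for a closer look. The trusted and suspect directory lists are assumptions; Winlogon\Notify and Active Setup\Installed Components hold subkeys rather than plain values and are left for manual review.

```python
import re

# Startup locations from the article: (hive, subkey, value name or None meaning every value in the key)
AUTOSTART = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", None),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler", None),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad", None),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", None),
]
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")                  # assumed: where real software lives
SUSPECT_PARTS = ("\\temp\\", "\\documents and settings\\", "\\recycler\\")  # assumed: typical drop locations


def program_path(value: str) -> str:
    """Extract the program path from '"C:\\a b\\x.exe" /s', 'C:\\x\\userinit.exe,' or 'Explorer.exe'."""
    m = re.match(r'\s*"([^"]*)"|\s*([^\s,]+)', value or "")
    return (m.group(1) or m.group(2) or "").lower() if m else ""


def classify(value: str) -> str:
    """Worst rule-of-thumb verdict over the comma-separated programs in one autostart value (assumed heuristics)."""
    for path in map(program_path, (value or "").split(",")):
        if not path:
            continue
        if any(part in path for part in SUSPECT_PARTS):
            return "suspicious: launched from TEMP, a user profile or RECYCLER"
        if "\\" not in path:
            return "check: bare filename resolved through PATH (a file dropped in the root directory qualifies)"
        if not path.startswith(TRUSTED_PREFIXES):
            return "suspicious: outside %SystemRoot% and Program Files"
    return "ok" if value and value.strip() else "empty"


def scan_registry():
    """Walk AUTOSTART on a live Windows host (winreg exists only there); yields (location, data, verdict)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    for hive, subkey, value in AUTOSTART:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                names = [value] if value else [winreg.EnumValue(key, i)[0] for i in range(winreg.QueryInfoKey(key)[1])]
                for name in names:
                    data = winreg.QueryValueEx(key, name)[0]
                    yield f"{hive}\\{subkey}\\{name}", data, classify(str(data))
        except OSError:
            continue  # key or value absent on this system
```

On the machine being examined, `for location, data, verdict in scan_registry(): print(verdict, location, data)` lists every entry with its verdict; entries marked "ok" still deserve a glance if their file names look unfamiliar.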
Of course this will work for identifying simple worms. Identifying a good virus is difficult: a good backdoor, keylogger, stealth, streaming or even simple worm which uses API hooks (making it really invisible) can take a long time to detect! It's true that such creations are really scarce; there are few real virus writers these days. Frustrating.
Spyware, or as the Germans call it, SpyWare. Simple spyware often hides behind an innocent-looking toolbar. Know that if, suddenly and out of the blue, a new button or search bar appears in your browser, consider it a signal. Equally obvious: if the browser's start page suddenly changes, there is nothing to discuss. Although viruses that change the start page are not necessarily spies.
There are three most common ways in which spies settle and operate on a victim's machine.
The first is the registry and nothing else: the virus may or may not be present on the computer, but the purpose is the same, it replaces the browser's start page via the registry. If the virus or script changed the start page only once, no questions, you just need to clear this registry key; but if after clearing it the key reappears after some time, the virus is running and constantly writing to the registry. If you are experienced with debuggers like SoftIce, you can set a breakpoint on registry access (bpx RegSetValue) and trace which program, besides the standard ones, makes registry writes. From there, proceed logically.
The second is system event hooks, or simply hooks. Hooks are used more in keyloggers and are a library that monitors and possibly modifies system messages. Usually there is a main program plus a library attached to it, so examining the main program module will not turn up anything interesting.
The third way is attaching a library to standard operating-system programs such as explorer.exe and iexplore.exe, simply put, writing plugins for these programs. Here again there are a couple of methods: attaching via a BHO, and simply embedding the library into the executable. The difference, roughly, is that a Browser Helper Object is used as a plugin for the browser, while an embedded library is not so much a plugin as a self-sufficient program, more like a file virus of yesteryear.
Registry keys where bad products, in the form of toolbars, buttons and browser home pages, can be written:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, parameter Start Page
HKEY_USERS\S-1-5-21-1214440339-507921405-839522115-1000\Software\Microsoft\Internet Explorer\Main, parameter Start Page
Registering objects like buttons, toolbars, etc.:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
This is where all the helpers are registered; if you don't have any, the key should be empty, and if it isn't, you have to remove what is there.
For more detailed analysis you will need some tools, such as PETools by NEOx and PEiD. Probably, having checked the registry, you will find neither changes to the start page nor plugin registrations in the browser. On closer inspection it turns out that this search bar (toolbar) appears in all windows of the operating system. That changes the crux of the matter a bit: perhaps two independent spies are involved, both using dynamic-library injection. Here we must distinguish: if the toolbar were only in the browser, it would have been injected into the iexplore.exe process; but it is everywhere, so it must be checked in explorer.exe. Launch PETools and just look at which libraries the browser uses. If, among the system libraries from %SYSTEMROOT%, some .dll sits with a path leading somewhere into TEMP, our goal is achieved. Reboot into safe mode and remove this library; all is normal, spy killed. The only thing left is to call PETools again, right-click the process and rebuild the file. This is the easiest case.
Yes, we must find and kill the toolbar. In the same way look at the explorer.exe process: nothing catches the eye? The toolbar seems to be lost among the libraries; look closer )). How do you distinguish a real library from a fake one? As you know, virus writers strive to minimize and encrypt code. That is, a toolbar as a rule will not lie around in plain form: first, the code can be made smaller, hence the need; and second, if someone (often not the antivirus but a competitor) finds this library, unencrypted code is easier to understand. This is why we take PEiD and mass-scan the imported libraries. Libraries from Microsoft are naturally written in Visual C and are not packed, so if you see a packed or encrypted library, 99% it is what you are looking for. Checking is very simple: move it away in safe mode and see the result.
If you cannot find a packed library, use a resource editor like Restorator to check the file versions. This is the kind of thing virus writers slip up on.
List of system services hosted by svchost.exe (WinXP)
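As an added example (my own code, not from the article, PETools or PEiD), a small PE triage in Python for the two file-level checks the article relies on: whether a file carries an import table and a resource directory at all (the "no imports, no resources" trait of a tight virus), and whether any section is packed or encrypted, judged by byte entropy as PEiD's scan would suggest. The 7.0 bits-per-byte threshold and the build_pe helper, which assembles a minimal PE32 image purely as constructed test data, are my assumptions; on a real system you would call pe_triage on the bytes of a DLL taken from the process's module list.

```python
import math
import struct
from collections import Counter

IMPORT_DIR, RESOURCE_DIR = 1, 2  # data-directory indices in the PE optional header


def entropy(raw: bytes) -> float:
    """Shannon entropy in bits per byte: plain code sits well below 7, packed or encrypted data near 8."""
    n = len(raw)
    return -sum(c / n * math.log2(c / n) for c in Counter(raw).values()) if n else 0.0


def pe_triage(data: bytes, packed_threshold: float = 7.0) -> dict:
    """Report whether a PE has import/resource directories and whether any section looks packed."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 else 0
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]             # COFF header: NumberOfSections
    opt = e_lfanew + 24                                                  # optional header after signature + COFF
    sect_hdr = opt + struct.unpack_from("<H", data, e_lfanew + 20)[0]   # section table after SizeOfOptionalHeader
    dirs = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)  # PE32 / PE32+ layout
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    def has(i: int) -> bool:  # a directory counts only if both its RVA and size are non-zero
        return i < ndirs and all(struct.unpack_from("<II", data, dirs + 8 * i))
    sections = {}
    for i in range(nsect):  # entropy of each section's raw bytes as stored on disk
        name, _, _, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sect_hdr + 40 * i)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = entropy(data[rawptr:rawptr + rawsize])
    return {"has_imports": has(IMPORT_DIR), "has_resources": has(RESOURCE_DIR), "section_entropy": sections,
            "likely_packed": max(sections.values(), default=0.0) >= packed_threshold}


def build_pe(sections, imports=True, resources=True) -> bytes:
    """Assemble a minimal, non-runnable PE32 image from (name, raw bytes) pairs; constructed test data only."""
    ndirs, align = 16, 0x200
    opt_size = 96 + 8 * ndirs
    hdr_size = -(-(0x58 + opt_size + 40 * len(sections)) // align) * align  # headers rounded up to alignment
    dd = b"".join(struct.pack("<II", 0x1000 * (i + 1), 0x40) if (i == IMPORT_DIR and imports)
                  or (i == RESOURCE_DIR and resources) else bytes(8) for i in range(ndirs))
    head = (b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0"
            + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
            + struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", ndirs) + dd)
    bodies, ptr = b"", hdr_size
    for i, (name, raw) in enumerate(sections):
        raw += bytes(-len(raw) % align)  # pad raw data to the file alignment
        head += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw),
                            0x1000 * (i + 1), len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        bodies, ptr = bodies + raw, ptr + len(raw)
    return head + bytes(hdr_size - len(head)) + bodies
```

A packer such as UPX leaves its own section names and a near-8.0 entropy body, which is exactly the pattern the article tells you to hunt for among the libraries loaded into explorer.exe.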
The rights to this article belong to the author. Reprinting, using parts of it, etc. for personal purposes on other resources is only permitted with the author’s verbal agreement.
Copyright (C) 2005 Shturmovik