Tuesday, August 16, 2011

Fighting with Malwares:

I was inspired to write this article after becoming a victim of malware which infected my system while I was working at my office.

During my research work in the office I clicked a link on the web which installed some kind of malicious software without my knowledge. Although I am a security guy and had taken the utmost precautions to secure my system, with an updated top antivirus software running with on-access malware checking enabled and the firewall enabled, I was still victimized.

The reason behind this was that the malware was the latest, with no information available about it, so I was probably a front-runner victim of the malware, and my antivirus software did not have a signature for it, although it was fully updated, so it was unable to detect it.

After the infection my system became a malware storage lab: the installed malware created several files and created backdoors. To my good fortune the antivirus software was able to detect the files newly created by the malware and stopped further infection, but it was not able to clean the parent process which was creating these files, as it did not have the updated signatures to clean it. So I had to re-ghost my system to solve the problem; I took a backup and did the same. Finally the problem was solved, but I thought my backup might also be infected.

When I scanned the backup with my own antivirus it did not detect any malware infection, although it was fully updated, but after a few days, when I scanned again after applying the latest update to the same antivirus, it detected and cleaned a number of files and removed the malware.

I felt that any antivirus software, or any other security software, cannot provide you instantaneous security; everything in the world has limitations.

This incident made me think further:

  1. How do you identify if your system is affected by malware?
  2. Can we remove malware from an infected system without formatting it?
  3. What should one do if affected by the latest malware when the antivirus vendor does not yet have an updated signature?

Identifying if your system is infected by malware

1. The first step you can take to identify if your system is affected by any malware is to find out which ports are listening on your system. This can be accomplished by going to the command prompt and using netstat.

The netstat command provides you with the details of the listening ports on your system.

Command          Functionality
netstat -an      Lists listening TCP and UDP ports (together with active connections)
netstat -ano     Lists listening TCP and UDP ports with the process ID (PID)
netstat -anob    Lists listening TCP and UDP ports with the PID and the EXE name, including the DLLs involved
netstat -ano 1   Same as netstat -ano, refreshed every 1 second

The list of open ports obtained this way can be compared with a whitelist of the common ports and services run by Windows or by any standard application. During the comparison ignore the local loopback entries (127.0.0.1) and focus on the "all network interfaces" entries (0.0.0.0) as well as those bound to an interface which has an IP address assigned.

List of standard ports:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnfc_por_gdqc.mspx?mfr=true
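The comparison just described, as an added example that is not part of the original article: a small Python script that parses saved `netstat -ano` output, skips loopback entries and TCP rows that are not in the LISTENING state, and reports every remaining (protocol, port) pair that is not on a whitelist. The netstat output and the whitelist are constructed for illustration; a real whitelist would be built from the standard-ports reference linked above.

```python
"""Added example: parse 'netstat -ano' output and flag listeners outside a whitelist."""
from collections import namedtuple

Listener = namedtuple("Listener", "proto ip port pid")
LOOPBACK = {"127.0.0.1", "[::1]"}  # loopback entries are ignored, as the article advises

# Constructed sample of 'netstat -ano' output (TCP rows have a State column, UDP rows do not).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1420
  TCP    192.168.1.5:51234      0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.5:49160      203.0.113.10:80        ESTABLISHED     2208
  UDP    0.0.0.0:123            *:*                                    1032
  UDP    192.168.1.5:1900       *:*                                    1508
"""

# Constructed whitelist of (protocol, port) pairs expected on this host; build the real
# one from the standard-ports reference linked above.
KNOWN_PORTS = {("TCP", 135), ("UDP", 123)}

def parse_listeners(netstat_text):
    """Return bound sockets: TCP rows in LISTENING state and every UDP row."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # skip the banner, the column header and blank lines
        proto, local = parts[0], parts[1]
        ip, port = local.rsplit(":", 1)  # also splits [::]:135 style IPv6 addresses
        if proto == "TCP":
            if len(parts) < 5 or parts[3] != "LISTENING":
                continue  # established or closing connections are not listeners
            pid = int(parts[4])
        else:
            pid = int(parts[3])  # UDP rows: Proto, Local, Foreign, PID
        found.append(Listener(proto, ip, int(port), pid))
    return found

def suspicious_listeners(netstat_text, known=KNOWN_PORTS):
    """Listeners on 0.0.0.0 or a real interface whose (proto, port) is not whitelisted."""
    return [l for l in parse_listeners(netstat_text)
            if l.ip not in LOOPBACK and (l.proto, l.port) not in known]

if __name__ == "__main__":
    for hit in suspicious_listeners(SAMPLE_NETSTAT):  # each hit names a PID to look up next
        print(hit.proto, f"{hit.ip}:{hit.port}", "pid", hit.pid)
```

Each reported PID is the one to look up with Task Manager or Process Explorer in the next step.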

2. Unusual Processes:

Look for any unusual process names running on the system. Unusual processes can sometimes be identified by the name of the process, e.g. YQSIW.exe or WSOCK32.DLL: such names look similar to typical Windows processes but are actually not. The running processes should be compared with a whitelist of standard processes.

Tools such as PsList and Process Explorer from Sysinternals can be used to view these processes.

Sysinternal tools:
http://technet.microsoft.com/en-us/sysinternals/bb896682.aspx

Standard white list of windows processes:

http://www.lsa.umich.edu/lsait/admin/Common_Windows_Processes.htm

3. Prefetch directory:

The Prefetch directory in Windows keeps a shortcut to recently used programs in order to speed up the launch time of the most frequently used applications.

Click Start -> Run -> "Prefetch"

Windows never clears that directory automatically, and that works in the investigator's favour: it is often a treasure trove of information on newly executed malware and can give us clues as to the software that ran, which DLLs were required to support it, and the date and time of initial execution.

4. Windows Registries

Malware can position itself on a system by adding and modifying registry entries. The Registry is a repository of system configuration settings and includes links to applications that need to be executed.

To access the registry: Click Start -> Run -> "regedit"

Malware typically modifies the keys which control things like the firewall, anti-virus, Windows Update, etc.

Typical registry entries where security controls are located:

HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center
    FirstRunDisabled        REG_DWORD    0x1
    AntiVirusDisableNotify  REG_DWORD    0x0
    FirewallDisableNotify   REG_DWORD    0x0
    UpdatesDisableNotify    REG_DWORD    0x0
    AntiVirusOverride       REG_DWORD    0x0
    FirewallOverride        REG_DWORD    0x0

If these values have been changed to odd values, security is disabled.
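The check described above, as an added example that is not part of the original article: the Security Center key is exported with `reg query` (a standard Windows command), the text is parsed, and every value that differs from the expected settings listed above is reported. The `reg query` output below is constructed for illustration, with three values flipped so the check has something to find.

```python
"""Added example: check Security Center values captured with 'reg query' against the expected settings."""
import re

# Expected values, as listed in the article (REG_DWORD data shown in hex by reg query).
EXPECTED_SECURITY_CENTER = {
    "FirstRunDisabled": 0x1,
    "AntiVirusDisableNotify": 0x0,
    "FirewallDisableNotify": 0x0,
    "UpdatesDisableNotify": 0x0,
    "AntiVirusOverride": 0x0,
    "FirewallOverride": 0x0,
}

# Constructed sample of: reg query "HKLM\Software\Microsoft\Security Center"
# Three values have been flipped to 1, the kind of change the article warns about.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center
    FirstRunDisabled    REG_DWORD    0x1
    AntiVirusDisableNotify    REG_DWORD    0x1
    FirewallDisableNotify    REG_DWORD    0x0
    UpdatesDisableNotify    REG_DWORD    0x1
    AntiVirusOverride    REG_DWORD    0x0
    FirewallOverride    REG_DWORD    0x1
"""

# reg query prints each value on an indented line as: <name> <type> <data>
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_reg_query(text):
    """Map value names to data; REG_DWORD hex strings become ints, other types stay as text."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # the key path line and blank lines are not values
        name, kind, data = m.groups()
        values[name] = int(data, 16) if kind == "REG_DWORD" else data.strip()
    return values

def tampered_values(text, expected=EXPECTED_SECURITY_CENTER):
    """Return (name, expected, actual) for every value that deviates or is missing."""
    actual = parse_reg_query(text)
    return [(name, want, actual.get(name))
            for name, want in expected.items() if actual.get(name) != want]

if __name__ == "__main__":
    for name, want, got in tampered_values(SAMPLE_REG_QUERY):
        print(f"{name}: expected {want:#x}, found {got!r}")
```

A missing value is reported with `None` as the actual value, so a deleted entry is caught as well as a modified one.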

Locations in the registry such as:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run
    RunOnce
    RunOnce\Setup
    RunOnceEx
    RunServices
    RunServicesOnce

The applications listed under these keys are what Windows executes immediately after the system starts up; malware typically adds or modifies entries at these locations so that it executes again when the system reboots.

There are other areas in the registry as well where malware plants its entries.

5. Other Auto startup Locations

In the C:\Windows directory malware can modify System.ini and Win.ini, placing malicious files in the "run=" or "load=" lines of those files. Another place where you can find autostart entries is the Start > (All) Programs > Startup folder.

Going to Start -> Run -> "sysedit" lets you read the contents of all the autostart files.

6. Hidden Files:

Malware can install itself as a hidden file, so while searching for malware at the prime suspected locations make sure that hidden files are shown:

Start -> Run -> "explorer" -> Tools -> Folder Options -> View -> check "Show hidden files and folders"

7. Local accounts:

Malware often adds an account to the local machine. Go to Start -> Run -> "cmd" and type "net users" to check for any suspicious accounts that have been added.

8. Odd behaviour, such as Notepad.exe, Winlogon.exe etc. communicating on the network, which points to thread injection into a legitimate process.

Re-formatting is always the first and easiest advice given to people who know nothing about computers. Unless the system files are totally destroyed, there are always ways to remove viruses or malware without formatting the system; this is, after all, what an antivirus does in the typical case when it finds and cleans malware based on signatures: it cleans the registry entries and deletes or kills the malicious files and processes.

The following steps should be taken to minimize the effect of any malware and to avoid having to format the system.

  • If you find that your system is infected by malware, the first thing to do is to disconnect your system from the Internet.

  • Take a backup. It is always important to back up the files and data available before doing anything else. If your system is not loading properly, try starting it in safe mode, where only the minimum set of processes is loaded, which should allow you to take a backup.

  • Turn off System Restore, as an infection caused by the malware can otherwise be restored again:
    My Computer -> Properties -> click the System Restore tab -> select the "Turn off System Restore" check box

  • Change all your passwords, as you cannot be sure what information has been logged by the malware and sent to the attacker's server.

  • Install and scan your system with the latest updated antivirus and anti-spyware software to clean the malware or spyware. Be sure to enable the "prompt before delete" option before any corrupted file is deleted, as the antivirus may delete a file which is a system file if it is unable to clean it, which may lead to irregularities at the next reboot and could leave your system unable to start.

  • Reboot your system, update all the antivirus signatures, and rescan your system again with the antivirus and anti-spyware software.

  • If your system is still affected by the malware, then a running operating system process must be infected by the malware or spyware. To solve this you need a live boot CD such as BartPE (http://www.nu2.nu/pebuilder/) and to boot from that CD; in this scenario the infected operating system processes will not be running, and advanced tools like HijackThis can be used to gain more control over the operating system processes and remove the infection.