Mark Russinovich's presentation at BlackHat 2011:
Zeroday Malware Cleaning with Sysinternals Tools
http://download.sysinternals.com/Files/SysinternalsMalwareCleaning.pdf
Some of the highlights/points:
1. Identifying malware processes
Process Explorer v15 is used to identify malware processes, view per-process network and disk activity, sort the process tree, inspect Svchost and service threads, and carry out the cleaning.
Malware processes have no versioning
Malware commonly uses packing and encryption to defeat antivirus signature matching
Malware often hides behind Svchost, Rundll32 (hosted DLL) and Dllhost (hosted COM server)
The services tab and process tabs give detailed info on services and processes.
Sigcheck can be used for scanning the system for suspicious executable images.
ListDlls will scan running processes for unsigned DLLs
The Strings tab shows the process strings, which can provide clues about unknown processes
String Utility can be used to dump strings
Malware hides as a DLL inside a legitimate process (Rundll32, Svchost), loading via autostart or through 'dll injection'.
DLL view shows more than just loaded DLLs to include .exe and 'memory mapped files'.
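The "no versioning / unsigned image / unsigned DLL" checks above (what Process Explorer's Company and Verified columns, Sigcheck and ListDlls -u expose) can be scripted for a quick triage pass. This is an added example and not part of the presentation or the Sysinternals tools; the function name Get-SuspiciousProcessImages is my own, and it assumes an elevated PowerShell on Windows.

```powershell
# Added example (not from the presentation): flag running processes whose image has
# no version information or no valid Authenticode signature, and list the unsigned
# DLLs loaded inside them (the hosting trick with Svchost/Rundll32/Dllhost).
# Run elevated so other users' processes and their modules can be inspected.
function Get-SuspiciousProcessImages {
    [CmdletBinding()]
    param(
        # Optional filter, e.g. the usual hosts: svchost, rundll32, dllhost
        [string[]] $Name
    )
    $procs = if ($Name) { Get-Process -Name $Name -ErrorAction SilentlyContinue } else { Get-Process }
    foreach ($p in $procs) {
        $path = $p.Path
        if (-not $path) { continue }           # protected/system process, nothing to read
        try { $ver = $p.MainModule.FileVersionInfo } catch { $ver = $null }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $reasons = @()
        # Legitimate vendors ship version resources; much malware does not
        if (-not $ver -or (-not $ver.CompanyName -and -not $ver.FileDescription)) {
            $reasons += 'no version info'
        }
        # Caveat: catalog-signed Windows binaries can show NotSigned on older systems;
        # Sigcheck handles catalogs, so confirm with sigcheck -v before acting.
        if ($sig.Status -ne 'Valid') { $reasons += "image signature: $($sig.Status)" }
        # Unsigned modules inside the process, like ListDlls -u
        $unsignedDlls = @()
        try {
            foreach ($m in $p.Modules) {
                if ($m.FileName -eq $path) { continue }
                $s = Get-AuthenticodeSignature -FilePath $m.FileName
                if ($s.Status -ne 'Valid') { $unsignedDlls += $m.FileName }
            }
        } catch { }                             # 32/64-bit mismatch or access denied
        if ($unsignedDlls.Count -gt 0) { $reasons += "$($unsignedDlls.Count) unsigned DLL(s)" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Pid          = $p.Id
                Name         = $p.ProcessName
                Path         = $path           # record this full path before cleaning
                Company      = if ($ver) { $ver.CompanyName } else { $null }
                Reasons      = ($reasons -join '; ')
                UnsignedDlls = $unsignedDlls
            }
        }
    }
}

Get-SuspiciousProcessImages -Name svchost, rundll32, dllhost | Format-List
```

Treat the output as leads to verify in Process Explorer (Strings, DLL view, service threads), not as a verdict; signed-but-suspicious and catalog-signed files both need a second look.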
2. Terminating Malicious Processes:
Don't kill the process but suspend the malicious process.
Record full path to each malicious exe and dll.
3. Cleaning Autostarts
Start-Run-Msconfig
Autoruns:
Identify malware autostarts
Deals with the Case of Son's Adware