How to identify, analyze and clean malware yourself
Mark Russinovich from Sysinternals (Microsoft) shows how you can use the tools from Sysinternals to identify, analyze and clean malware.
For example it includes:
- how to find running processes that don't have valid signatures
- how to find unsigned DLLs loaded into running processes
- how to identify the different techniques malware uses to launch itself at startup, including how some malware relaunches itself if you end its process
- why Safe Boot with Command Prompt is the best way to clean malware
(Safe Boot without Command Prompt still starts the Explorer shell, which might load malware registered as a shell extension or other Explorer hook)
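As an added example (not code from the video, Sysinternals or Microsoft), the first three checks can also be done from an elevated 64-bit PowerShell with built-in cmdlets. The function and variable names are my own, and the Run/RunOnce keys at the end are deliberately only a small sample of the autostart locations that Autoruns enumerates (services, scheduled tasks, Winlogon, shell extensions and many more):

```powershell
# Added example, not from the video or Microsoft. Uses only built-in cmdlets.
# Run elevated, in 64-bit PowerShell, so other processes' module lists are readable.

# Cache one verdict per file: many processes load the same DLLs.
$verdicts = @{}

function Get-SignatureStatus {
    param([Parameter(Mandatory)][string]$Path)
    if (-not $verdicts.ContainsKey($Path)) {
        try {
            # Status is Valid only if the Authenticode signature verifies AND the
            # certificate chains to a root trusted on this machine. NotSigned,
            # HashMismatch (file modified after signing) and NotTrusted are the
            # values worth a closer look.
            $sig = Get-AuthenticodeSignature -LiteralPath $Path -ErrorAction Stop
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $verdicts[$Path] = [pscustomobject]@{ Status = $sig.Status.ToString(); Signer = $signer }
        } catch {
            $verdicts[$Path] = [pscustomobject]@{ Status = 'Unreadable'; Signer = '' }
        }
    }
    $verdicts[$Path]
}

# 1. Running processes whose image is not validly signed, and
# 2. DLLs loaded into running processes that are not validly signed.
$findings = foreach ($proc in Get-Process) {
    if (-not $proc.Path) { continue }   # protected/system processes expose no path
    $s = Get-SignatureStatus -Path $proc.Path
    if ($s.Status -ne 'Valid') {
        [pscustomobject]@{ Pid = $proc.Id; Process = $proc.ProcessName; Kind = 'Image'; File = $proc.Path; Status = $s.Status }
    }
    try {
        foreach ($m in $proc.Modules) {
            $ms = Get-SignatureStatus -Path $m.FileName
            if ($ms.Status -ne 'Valid') {
                [pscustomobject]@{ Pid = $proc.Id; Process = $proc.ProcessName; Kind = 'DLL'; File = $m.FileName; Status = $ms.Status }
            }
        }
    } catch {
        # Access denied on the module list is itself worth a look if the process is unfamiliar.
        [pscustomobject]@{ Pid = $proc.Id; Process = $proc.ProcessName; Kind = 'Modules'; File = '(could not enumerate)'; Status = 'Unknown' }
    }
}
"== Running images and DLLs without a valid signature =="
$findings | Sort-Object Status, Process | Format-Table -AutoSize

# 3. A small sample of autostart locations (assumed subset; Autoruns covers far more),
#    with the signature status of the executable each entry points at.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autostarts = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath etc. are provider metadata, not entries
        $cmd = [string]$p.Value
        if ($cmd -eq '') { continue }
        # The executable is either a quoted path or the first whitespace-delimited token.
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $status = if (Test-Path -LiteralPath $exe -PathType Leaf) { (Get-SignatureStatus -Path $exe).Status } else { 'FileNotFound' }
        [pscustomobject]@{ Key = $key; Name = $p.Name; Status = $status; Command = $cmd }
    }
}
"== Autostart entries (Run/RunOnce only) =="
$autostarts | Format-Table -AutoSize -Wrap
```

Two caveats when reading the output. A Valid verdict depends on the certificate store of the machine you are inspecting, and signed malware does exist, so a valid signature lowers suspicion rather than clearing a file; conversely HashMismatch on a file that should be signed means it was modified after signing and deserves immediate attention. The same checks in the Sysinternals toolset are Process Explorer's Verify Image Signatures option and `sigcheck -u -e <directory>`, which lists unsigned executables under a directory.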
If you're interested in security in general I highly recommend watching this:
(1h 18 min)
Another tip for finding suspicious running processes is to use Process Explorer's colour coding. Processes shown in purple are "packed images": Process Explorer's heuristic has judged the executable to be packed or obfuscated, which is unusual for legitimate programs (some commercial software and installers do use packers, so purple is a prompt to investigate, not proof of malware).
Obfuscation is a technique for hiding the code of a program. The motive is usually one of two: protecting parts of the code that handle, for example, licensing or sensitive algorithms from reverse engineering, or preventing antivirus scanners from determining that the code is malicious.
Regarding obfuscation, I found an interesting (although scary) article that describes how malware can go undetected by every antivirus product:
What they came up with is known as the “crypting” service, a service that has spawned an entire industry that I would argue is one of the most bustling and lucrative in the cybercrime underground today.
Put simply, a crypting service takes a bad guy’s piece of malware and scans it against all of the available antivirus tools on the market today — to see how many of them detect the code as malicious. The service then runs some custom encryption routines to obfuscate the malware so that it hardly resembles the piece of code that was detected as bad by most of the tools out there. And it repeats this scanning and crypting process in an iterative fashion until the malware is found to be completely undetectable by all of the antivirus tools on the market.
Here's basically the same content and advice as in the video:
Microsoft's conclusion is:
Unfortunately, the process of ridding a computer of malware is likely to become much harder over the next few years. Malware has become a lucrative business for the criminals who create and distribute it, and they have a financial incentive to find new ways to evade detection and make malicious files and processes harder to remove. Understanding how malware spreads, operates, and defends itself at a fundamental level should be considered a prerequisite for IT professionals charged with protecting their users from attack and containing outbreaks when they occur.