版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领
文档简介
SEC309
AdvancedMalwareCleaningMarkRussinovichTechnicalFellow,PlatformandServicesDivisionMicrosoftCorporationmark.russinovich@AboutMeTechnicalFellow,MicrosoftCo-founderandchiefsoftwarearchitect
ofWinternalsSoftwareCo-authorofWindowsInternals,4theditionandInsideWindows2000,3rdEditionwithDavidSolomonAuthoroftoolson
HomeofblogandforumsSeniorContributingEditor,WindowsITProMagazinePh.D.inComputerEngineeringWhyIsManualCleaningNecessary?Howdousersgetmalware?Theydownloadappsthatincludeadwareandspyware
TheyclickonmisleadingpopupsorbannersTheyvisitsitesthatuseexploitstoinjectmalwareManyusersstilldon’tpatchordon’tuseantivirusorantispywareWhydoesn’tantivirusandantispywarestopmalware?TheyaredependentonsignaturesMalwaredirectlyattacksitAlwaysperformmanualcleaningafteryou’verunavailableantivirusandantispywareMalwareCleaningStepsDisconnectfromthenetworkIdentifymaliciousprocessesanddriversTerminateidentifiedprocessesIdentifyanddeletemalware
autostartsDeletemalwarefilesRebootandrepeatIdentifyingMalwareProcessesWhatAreYouLookingFor?Processesthat……havenoicon…havenodescriptionorcompanyname…unsignedMicrosoftimages…liveinWindowsdirectory…arepacked…includestrangeURLsintheirstrings…haveopenTCP/IPendpoints…hostsuspiciousDLLsorservicesWhatAboutTaskManager?TaskManagerprovideslittleinformationaboutimagesthatarerunningProcessExplorerProcessExploreris“SuperTaskManager”RunsonWindows95,98,Me,NT,2000,XP,Server2003Alsosupports64-bit(x64)andVistaHaslotsofgeneraltroubleshootingcapabilities:DLLversioningproblemsHandleleaksandlockedfilesPerformancetroubleshootingHungprocessesWe’regoingtofocusonitsmalwarecleaningcapabilitiesTheProcessViewTheprocesstreesortshowsparent-childrelationshipsIcon,description,andcompanynamearepulledfromimageversioninformationMostmalwaredoesn’thaveversioninformationWhataboutmalwarepretendingtobefromMicrosoft?We’lldealwiththatshortly…UsetheWindowFinder(inthetoolbar)toassociateawindowwithitsowningprocessUsetheGooglemenuentrytolookupunknownprocessesButmalwareoftenusestotallyrandomorpseudo-randomnamesRefreshHighlightingRefreshhighlightinghighlightschangesRed:processexitedGreen:newprocessChangeduration(default1second)inOptionsPressspacebartopauseandF5torefreshCausedisplaytoscrolltomakenewprocessesvisiblewithShowNewProcessesoptionProcess-typeHighlightsBlueprocessesarerunninginthesamesecuritycontextasProcessExplorerPinkprocesseshostWindowsservices(we’lllookatservicesshortly)Purplehighlightingindicatesanimageis“packed”PackedcanmeancompressedorencryptedMalwarecommonlyusespacking(e.g.UPX)tomakeantivirussignaturematchingmoredifficultPackingandencryptionalsohidesstringsfromviewThereareafewothercolors,butthey’renotimportantformalwarehuntingTooltipsProcesstooltipsshowthefullpathtotheprocessimageMalwaremoreoftenhidesbehindSvchostandRundll32TooltipforRundll32processesshowshostedDLLTooltipforserviceprocessesshowshostedservicesServicescoveredindetailshortly…DetailedProcessInformationDouble-clickonaprocesstoseedetailedinformationImage
tab:Description,companyname,version(from.EXE)FullimagepathCommandlineusedtostartprocessCurrentdirectoryParentprocessUsernameStarttimeImageVerificationAll(well,most)MicrosoftcodeisdigitallysignedHashoffileissignedwithMicrosoft’sprivatekeySignatureischeckedbydecryptingsignedhashwiththepublickeyYoucanselectivelycheckforsignatureswiththeVerifybuttonontheprocessimagetabSelecttheVerifyImageSignaturesoptiontocheckallAddtheVerifiedSignercolumntoseeallNotethatverificationwillconnecttotheInternettocheckCertificateRevocationList(CRL)serversWindowsServicesServicescanstartwhenthesystembootsandrunindependentlyofthelogged-onuserExamplesincludeIIS,Themes,Server,Workstation,…CanrunastheirownprocessorasaserviceDLLinsideaSvchost.exeTheservicestabshowsdetailedserviceinformation:Registryname(HKLM\System\CurrentControlSet\Services\...)DisplaynameDescription(optional)DLLpath(forSvchostDLLs)StringsOn-diskandin-memoryprocessstringsarevisibleontheStringstabThere’sonlyadifferenceiftheimageiscompressedorencryptedStringscanhelpprovidecluesaboutunknownprocessesLookforURLs,namesanddebugstringsYoucanalsodumpstringswiththecommand-lineStringsutilityfromSysinternalsTheDLLViewMalwarecanhideasaDLLinsidealegitimateprocessWe’vealreadyseenthiswithRundll32andSvchostTypicallyloadsviaanautostartCanloadthrough“dllinjection”PackinghighlightshowsinDLLviewaswellOpentheDLLviewbyclickingontheDLLiconinthetoolbarShowsmorethanjustloadedDLLsIncludes.EXEandany“memorymappedfiles”CansearchforaDLLwiththeFinddialogDLLstringsarealsoviewablefromtheDLLmenu`LoadedDriversThereareseveraltoolsforviewingconfigureddrivers:Start->Run->Msinfo32BuiltinSCcommand:scquerytype=driverDeviceManagerwithView->ShowHiddenDevicesProcessExplorerDLLviewfortheSystemprocessshowsloadeddriversEvendriversthatdeletetheirimagefilesSamepathandversioninfoasstandardDLLviewSimplyidentifythemnowUsuallythey’renotstoppableDeletetheirfilesandautostartsettingslaterTCPViewLookforsuspiciousnetworkendpointswithTCPViewYoucandothisbylookingattheTCP/IPtabofeachprocess,butthat’sslowTCPViewalsousesrefreshhighlightingTCPViewincludesa“closeconnection”capability…butyoushouldbedisconnectedfromthenetworkTerminatingMaliciousProcessesDon’tkilltheprocessesMalwareprocessesareoftenrestartedbywatchdogsInstead,suspendthemNotethatthismightcauseasystemhangforSvchostprocessesRecordthefullpathtoeachmaliciousEXEandDLLAftertheyareallasleepthenkillthemWatchforrestartswithnewnames…CleaningAutostartsInvestigatingAutostartsWindowsXPMsconfig(Start->Run->Msconfig)fallsshortwhenitcomestoidentifyingautostartingapplicationsItknowsaboutfewlocationsItprovideslittleinformationAutorunsShowseveryplaceinthesystemthatcanbeconfiguredtorunsomethingatboot&logonStandardRunkeysandStartupfoldersShell,userinitServicesanddriversTasksWinlogonnotificationsExplorerandIEaddins(toolbars,BrowserHelperObjects,…)Moreandevergrowing…EachstartupcategoryhasitsowntabandallitemsdisplayontheEverythingtabStartupname,imagedescription,companyandpathIdentifyingMalware
AutostartsZoom-inonadd-ons(includingmalware)byselectingtheseoptions:VerifyCodeSignaturesHideMicrosoftEntriesSelectanitemtoseemoreinthelowerwindowGoogleunknownimagesDouble-clickonanitemtolookatwhereitsconfiguredintheRegistryorfilesystemHasotherfeatures:CandisplayotherprofilesCanalsoshowemptylocations(informationalonly)IncludescomparefunctionalityIncludesequivalentcommand-lineversion,Autorunsc.exeDeletingAutostartsDeletesuspiciousautostartsYoucandisablethemifyou’renotsureAfteryou’redonedoafullrefreshIftheycomeback,runProcessMonitor(orFilemonandRegmon)toseewho’sputtingthembackYoumighthavemisidentifiedamalwareprocessItmightbeahidden,system,orlegitimateprocessRootkitsWhat’saRootkit,Anyway?HoglundandButlerwritein“Rootkits:SubvertingtheWindowsKernel”: Arootkitisasetofprogramsandcodethatallowsapermanentorconsistent,undetectablepresenceonacomputer.
Mydefinition: Softwarethathidesitselforotherobjects,suchasfiles,processes,andRegistrykeys,fromviewofstandarddiagnostic,administrative,andsecuritysoftware.Hoglund’sreviseddefinitionfromRonFebruary4: Arootkitisatoolthatisdesignedtohideitselfandotherprocesses,data,and/oractivityonasystem.TheEvolutionofMalwareMalware,includingspyware,adwareandviruseswanttobehardtodetectand/orhardtoremoveRootkitsareafastevolvingtechnologytoachievethesegoalsCloakingtechnologyappliedtomalwareNotmalwarebyitselfExamplerootkit-basedviruses:W32.Maslan.A@mm,W32.Opasa@mmRootkithistoryAppearedasstealthvirusesOneofthefirstknownPCviruses,Brain,wasstealthFirst“rootkit”appearedonSunOSin1994Replacementofcoresystemutilities(ls,ps,etc.)tohidemalwareprocessesModernRootkitsRootkitscanhidevirtuallyanything:ProcessesFiles,directories,RegistrykeysServices,driversTCP/IPportsThereareseveraltypesofrootkittechnology:User-modehookingKernel-modehookingCodepatchingHidinginotherprocessesistheprimaryrootkitforumExampleRootkitCloakingAttackuser-modesystemqueryAPIsExamples:HackerDefender,AfxTaskmgr.exeNtdll.dllRootkitExplorer.exe,
Winlogon.exeusermodekernelmodeExplorer.exe,Malware.exe,Winlogon.exeRootkitDetectionAllcloakshaveholesLeavesomeAPIsunfilteredHavedetectablesideeffectsCan’tcloakwhenOSisofflineRootkitdetectionattacksholesCat-and-mousegameRootkitDetectionTypesThreeclassesofrootkitdetection:SignaturebasedMicrosoftMaliciousSoftwareRemovalToolAnomalydetectionSystemVirginityVerifier:http:///tools.htmlGMER:http:///index.phpIceSword:/tools/200509/IceSword_en1.12.rarCross-viewcomparisonF-SecureBlacklight:
/blacklight/Sysinternals
RootkitRevealerUsemorethanonetool!RootkitRevealerRootkitRevealer(RKR)runsonlineRKRtriestobypassrootkittouncovercloakedobjectsAllcross-viewdetectorslisteddothesameRKRscansHKLM\Software,HKLM\SystemandthefilesystemPerformsWindowsAPIscanandcompareswithrawdatastructurescanRootkitRevealerRootkitWindowsAPIRawfilesystem,
RawRegistryhiveFilteredWindowsAPIomitsmalwarefilesandkeysMalwarefilesandkeys
arevisibleinrawscanRootkitRevealerLimitationsRootkitshavealreadyattackedRKRdirectlybynotcloakingwhenscannedRKRisgiventruesystemviewWindowsAPIscanlookslikerawscanWe’vemodifiedRKRtobeahardertodetectbyrootkitsRKRisadoptingrootkittechniquesitselfRootkitauthorswillcontinuetofindwaysaroundRKR’scloakIt’sagamenobodycanwinAllrootkitdetectorssufferthesamevulnerabilityLocalKernelDebuggingWindbgsupports“localkerneldebugging”(LKD)WorkslikestandardkerneldebuggingwhichrequirestwocomputersRequiresMicrosoftDebuggingToolsForWindows(freedownloadfromMicrosoft)CanexaminekernelstructuresofalivesystemSupportedonXPandhigherincluding64-bitForNT4andWindows2000useSysinternals’Livekd
BothrequirematchingkernelsymbolsUseMicrosoft’ssymbolserver(documentedinhelpfile)LKDRootkitHuntingListrunningprocessesandcomparewithProcessExplorer:!process00ListloadeddriversandcomparewithProcessExplorer:.reloadlmkvLookforkernelhot-patches:!chkimg-dntDumpthesystemservicetableandinterruptdispatchtable(IDT):dd
kiservicetable!idt-aFindingandDeletingMalwareFilesSigcheckScanthesystemforsuspiciousexecutableimagesLookforsamecharacteristicsassuspiciousprocessesBeespeciallywaryofitemsinthe\WindowsdirectoryInvestigateallunsignedimagessigcheck-e-u-sc:\DeletingHard-to-DeleteFilesFilesthatareopenormappedcan’tbedeletedFindowningprocesswithProcessExplorersearchTerminatetheprocessanddeletethefileIfyoustillcan’tdeleteit(itmightbeprotectedbyadriverorsystemprocess):TryrenamingitIfthatfails,scheduleitfordeletionatthenextrebootwithSysinternals’Movefile:Ifitstillwon’tgoaway,deleteitfromanoff-lineOSmovefile
malware.exe“”DeletingHard-to-DeleteRegistryKeysWatchforkeysecuritySomeantispywaretoolsdon’treportaccess-deniederrorsUseRegmontocheckforerrorsUseRegedittochangesecuritypermissionsSomekeyshave
温馨提示
- 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
- 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
- 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
- 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
- 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
- 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
- 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
最新文档
- 2025年中职机电基础(机电认知)试题及答案
- 2025年高职汽车修理(汽车底盘改装)试题及答案
- 2025年中职宠物养护与驯导(宠物训练技巧)试题及答案
- 禁毒教育安全课件
- 禁毒与反洗钱培训课件
- 普华永道中国影响力报告2025
- 陕西省安康市汉阴县2025-2026学年八年级上学期1月期末生物试题
- 2026广西百色市平果市卫生健康局公益性岗位人员招聘1人备考题库及答案详解(新)
- 高2023级高三上学期第5次学月考试地理试题
- 福建省莆田市秀屿区莆田市第二十五中学2025-2026学年九年级上学期1月期末化学试题(无答案)
- 重庆市配套安装工程施工质量验收标准
- 2024新能源集控中心储能电站接入技术方案
- 河南省信阳市2023-2024学年高二上学期期末教学质量检测数学试题(含答案解析)
- 北师大版七年级上册数学 期末复习讲义
- 零售行业的店面管理培训资料
- 2023年初级经济师《初级人力资源专业知识与实务》历年真题汇编(共270题)
- 培训课件电气接地保护培训课件
- 污水管网工程监理月报
- 安徽涵丰科技有限公司年产6000吨磷酸酯阻燃剂DOPO、4800吨磷酸酯阻燃剂DOPO衍生品、12000吨副产品盐酸、38000吨聚合氯化铝、20000吨固化剂项目环境影响报告书
- GB/T 17215.322-2008交流电测量设备特殊要求第22部分:静止式有功电能表(0.2S级和0.5S级)
- 英语音标拼读练习
评论
0/150
提交评论