SEC309
Advanced Malware Cleaning
Mark Russinovich
Technical Fellow, Platform and Services Division
Microsoft Corporation
mark.russinovich@

About Me
- Technical Fellow, Microsoft
- Co-founder and chief software architect of Winternals Software
- Co-author of Windows Internals, 4th edition and Inside Windows 2000, 3rd Edition with David Solomon
- Author of tools on
- Home of blog and forums
- Senior Contributing Editor, Windows IT Pro Magazine
- Ph.D. in Computer Engineering

Why Is Manual Cleaning Necessary?
- How do users get malware?
  - They download apps that include adware and spyware
  - They click on misleading popups or banners
  - They visit sites that use exploits to inject malware
  - Many users still don't patch or don't use antivirus or antispyware
- Why doesn't antivirus and antispyware stop malware?
  - They are dependent on signatures
  - Malware directly attacks it
- Always perform manual cleaning after you've run available antivirus and antispyware

Malware Cleaning Steps
- Disconnect from the network
- Identify malicious processes and drivers
- Terminate identified processes
- Identify and delete malware autostarts
- Delete malware files
- Reboot and repeat

Identifying Malware Processes

What Are You Looking For?
- Processes that…
  - …have no icon
  - …have no description or company name
  - …are unsigned Microsoft images
  - …live in the Windows directory
  - …are packed
  - …include strange URLs in their strings
  - …have open TCP/IP endpoints
  - …host suspicious DLLs or services

What About Task Manager?
- Task Manager provides little information about images that are running

Process Explorer
- Process Explorer is "Super Task Manager"
- Runs on Windows 95, 98, Me, NT, 2000, XP, Server 2003
  - Also supports 64-bit (x64) and Vista
- Has lots of general troubleshooting capabilities:
  - DLL versioning problems
  - Handle leaks and locked files
  - Performance troubleshooting
  - Hung processes
- We're going to focus on its malware cleaning capabilities

The Process View
- The process tree sort shows parent-child relationships
- Icon, description, and company name are pulled from image version information
  - Most malware doesn't have version information
  - What about malware pretending to be from Microsoft? We'll deal with that shortly…
- Use the Window Finder (in the toolbar) to associate a window with its owning process
- Use the Google menu entry to look up unknown processes
  - But malware often uses totally random or pseudo-random names

Refresh Highlighting
- Refresh highlighting highlights changes
  - Red: process exited
  - Green: new process
- Change duration (default 1 second) in Options
- Press space bar to pause and F5 to refresh
- Cause the display to scroll to make new processes visible with the Show New Processes option

Process-type Highlights
- Blue processes are running in the same security context as Process Explorer
- Pink processes host Windows services (we'll look at services shortly)
- Purple highlighting indicates an image is "packed"
  - Packed can mean compressed or encrypted
  - Malware commonly uses packing (e.g. UPX) to make antivirus signature matching more difficult
  - Packing and encryption also hide strings from view
- There are a few other colors, but they're not important for malware hunting

Tooltips
- Process tooltips show the full path to the process image
- Malware more often hides behind Svchost and Rundll32
  - Tooltip for Rundll32 processes shows the hosted DLL
  - Tooltip for service processes shows the hosted services
- Services covered in detail shortly…

Detailed Process Information
- Double-click on a process to see detailed information
- Image tab:
  - Description, company name, version (from .EXE)
  - Full image path
  - Command line used to start the process
  - Current directory
  - Parent process
  - User name
  - Start time

Image Verification
- All (well, most) Microsoft code is digitally signed
  - Hash of the file is signed with Microsoft's private key
  - Signature is checked by decrypting the signed hash with the public key
- You can selectively check for signatures with the Verify button on the process Image tab
- Select the Verify Image Signatures option to check all
  - Add the Verified Signer column to see all
- Note that verification will connect to the Internet to check Certificate Revocation List (CRL) servers

Windows Services
- Services can start when the system boots and run independently of the logged-on user
  - Examples include IIS, Themes, Server, Workstation, …
- Can run as their own process or as a service DLL inside a Svchost.exe
- The Services tab shows detailed service information:
  - Registry name (HKLM\System\CurrentControlSet\Services\...)
  - Display name
  - Description (optional)
  - DLL path (for Svchost DLLs)

Strings
- On-disk and in-memory process strings are visible on the Strings tab
  - There's only a difference if the image is compressed or encrypted
- Strings can help provide clues about unknown processes
  - Look for URLs, names and debug strings
- You can also dump strings with the command-line Strings utility from Sysinternals

The DLL View
- Malware can hide as a DLL inside a legitimate process
  - We've already seen this with Rundll32 and Svchost
  - Typically loads via an autostart
  - Can load through "dll injection"
- Packing highlight shows in the DLL view as well
- Open the DLL view by clicking on the DLL icon in the toolbar
- Shows more than just loaded DLLs
  - Includes the .EXE and any "memory mapped files"
- Can search for a DLL with the Find dialog
- DLL strings are also viewable from the DLL menu

Loaded Drivers
- There are several tools for viewing configured drivers:
  - Start->Run->Msinfo32
  - Built-in SC command: sc query type= driver
  - Device Manager with View->Show Hidden Devices
- Process Explorer DLL view for the System process shows loaded drivers
  - Even drivers that delete their image files
  - Same path and version info as the standard DLL view
- Simply identify them now
  - Usually they're not stoppable
  - Delete their files and autostart settings later

TCPView
- Look for suspicious network endpoints with TCPView
  - You can do this by looking at the TCP/IP tab of each process, but that's slow
- TCPView also uses refresh highlighting
- TCPView includes a "close connection" capability…
  - but you should be disconnected from the network

Terminating Malicious Processes
- Don't kill the processes
  - Malware processes are often restarted by watchdogs
- Instead, suspend them
  - Note that this might cause a system hang for Svchost processes
- Record the full path to each malicious EXE and DLL
- After they are all asleep, then kill them
- Watch for restarts with new names…

Cleaning Autostarts

Investigating Autostarts
- Windows XP Msconfig (Start->Run->Msconfig) falls short when it comes to identifying autostarting applications
  - It knows about few locations
  - It provides little information

Autoruns
- Shows every place in the system that can be configured to run something at boot & logon
  - Standard Run keys and Startup folders
  - Shell, userinit
  - Services and drivers
  - Tasks
  - Winlogon notifications
  - Explorer and IE addins (toolbars, Browser Helper Objects, …)
  - More and ever growing…
- Each startup category has its own tab and all items display on the Everything tab
  - Startup name, image description, company and path

Identifying Malware Autostarts
- Zoom in on add-ons (including malware) by selecting these options:
  - Verify Code Signatures
  - Hide Microsoft Entries
- Select an item to see more in the lower window
- Google unknown images
- Double-click on an item to look at where it's configured in the Registry or file system
- Has other features:
  - Can display other profiles
  - Can also show empty locations (informational only)
  - Includes compare functionality
  - Includes an equivalent command-line version, Autorunsc.exe

Deleting Autostarts
- Delete suspicious autostarts
  - You can disable them if you're not sure
- After you're done, do a full refresh
- If they come back, run Process Monitor (or Filemon and Regmon) to see who's putting them back
  - You might have misidentified a malware process
  - It might be a hidden, system, or legitimate process

Rootkits

What's a Rootkit, Anyway?
- Hoglund and Butler write in "Rootkits: Subverting the Windows Kernel": A rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer.
- My definition: Software that hides itself or other objects, such as files, processes, and Registry keys, from view of standard diagnostic, administrative, and security software.
- Hoglund's revised definition from Ron February 4: A rootkit is a tool that is designed to hide itself and other processes, data, and/or activity on a system.

The Evolution of Malware
- Malware, including spyware, adware and viruses, wants to be hard to detect and/or hard to remove
- Rootkits are a fast evolving technology to achieve these goals
  - Cloaking technology applied to malware
  - Not malware by itself
- Example rootkit-based viruses: W32.Maslan.A@mm, W32.Opasa@mm
- Rootkit history
  - Appeared as stealth viruses
  - One of the first known PC viruses, Brain, was stealth
  - First "rootkit" appeared on SunOS in 1994
  - Replacement of core system utilities (ls, ps, etc.) to hide malware processes

Modern Rootkits
- Rootkits can hide virtually anything:
  - Processes
  - Files, directories, Registry keys
  - Services, drivers
  - TCP/IP ports
- There are several types of rootkit technology:
  - User-mode hooking
  - Kernel-mode hooking
  - Code patching
- Hiding in other processes is the primary rootkit forum

Example Rootkit Cloaking
- Attack user-mode system query APIs
  - Examples: Hacker Defender, Afx
- [Diagram: Taskmgr.exe, Ntdll.dll, Rootkit; the user-mode view shows Explorer.exe, Winlogon.exe; the kernel-mode view shows Explorer.exe, Malware.exe, Winlogon.exe]

Rootkit Detection
- All cloaks have holes
  - Leave some APIs unfiltered
  - Have detectable side effects
  - Can't cloak when the OS is offline
- Rootkit detection attacks holes
  - Cat-and-mouse game

Rootkit Detection Types
- Three classes of rootkit detection:
  - Signature based
    - Microsoft Malicious Software Removal Tool
  - Anomaly detection
    - System Virginity Verifier: http:///tools.html
    - GMER: http:///index.php
    - IceSword: /tools/200509/IceSword_en1.12.rar
  - Cross-view comparison
    - F-Secure Blacklight: /blacklight/
    - Sysinternals RootkitRevealer
- Use more than one tool!

RootkitRevealer
- RootkitRevealer (RKR) runs online
- RKR tries to bypass the rootkit to uncover cloaked objects
  - All cross-view detectors listed do the same
- RKR scans HKLM\Software, HKLM\System and the file system
- Performs a Windows API scan and compares it with a raw data structure scan
- [Diagram: RootkitRevealer queries the Windows API (filtered by the Rootkit) and the raw file system and raw Registry hive; the filtered Windows API omits malware files and keys, while malware files and keys are visible in the raw scan]

RootkitRevealer Limitations
- Rootkits have already attacked RKR directly by not cloaking when scanned
  - RKR is given the true system view
  - Windows API scan looks like the raw scan
- We've modified RKR to be harder to detect by rootkits
  - RKR is adopting rootkit techniques itself
- Rootkit authors will continue to find ways around RKR's cloak
  - It's a game nobody can win
  - All rootkit detectors suffer the same vulnerability

Local Kernel Debugging
- Windbg supports "local kernel debugging" (LKD)
  - Works like standard kernel debugging, which requires two computers
  - Requires Microsoft Debugging Tools For Windows (free download from Microsoft)
- Can examine kernel structures of a live system
- Supported on XP and higher including 64-bit
  - For NT4 and Windows 2000 use Sysinternals' Livekd
- Both require matching kernel symbols
  - Use Microsoft's symbol server (documented in the help file)

LKD Rootkit Hunting
- List running processes and compare with Process Explorer: !process 0 0
- List loaded drivers and compare with Process Explorer: .reload; lm kv
- Look for kernel hot-patches: !chkimg -d nt
- Dump the system service table and interrupt dispatch table (IDT): dd kiservicetable; !idt -a

Finding and Deleting Malware Files

Sigcheck
- Scan the system for suspicious executable images
  - Look for the same characteristics as suspicious processes
  - Be especially wary of items in the \Windows directory
- Investigate all unsigned images: sigcheck -e -u -s c:\

Deleting Hard-to-Delete Files
- Files that are open or mapped can't be deleted
  - Find the owning process with Process Explorer search
  - Terminate the process and delete the file
- If you still can't delete it (it might be protected by a driver or system process):
  - Try renaming it
  - If that fails, schedule it for deletion at the next reboot with Sysinternals' Movefile: movefile malware.exe ""
  - If it still won't go away, delete it from an off-line OS
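The cross-view comparison described in the RootkitRevealer slides above, as an added example that is not part of this presentation or of RootkitRevealer itself: a Windows API view and a raw scan of the same locations are diffed, and anything present only in the raw view is reported as cloaked. The two views are constructed dictionaries standing in for the real enumerations; `cross_view` and `Discrepancy` are names introduced here.

```python
"""Cross-view rootkit detection: compare a Windows API view with a raw scan.

Added example, not Sysinternals code. The two views are constructed dicts
standing in for the API enumeration and the raw on-disk / raw-hive scan
that RootkitRevealer performs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    store: str   # "filesystem" or "registry"
    path: str    # normalized path or key
    kind: str    # "hidden_from_api" or "api_only"


def _normalize(path: str) -> str:
    # Windows paths and Registry keys are case-insensitive; normalize so a
    # cloak that only differs in case or trailing separators is not a hit.
    return path.replace("/", "\\").rstrip("\\").lower()


def cross_view(api_view: dict, raw_view: dict) -> list:
    findings = []
    for store in sorted(set(api_view) | set(raw_view)):
        api = {_normalize(p) for p in api_view.get(store, set())}
        raw = {_normalize(p) for p in raw_view.get(store, set())}
        # In the raw data structures but omitted by the filtered API:
        # the classic symptom of a user- or kernel-mode cloak.
        for p in sorted(raw - api):
            findings.append(Discrepancy(store, p, "hidden_from_api"))
        # In the API view but not in the raw scan: usually a timing artefact
        # (object created or deleted between the two scans); still reported.
        for p in sorted(api - raw):
            findings.append(Discrepancy(store, p, "api_only"))
    return findings


# Constructed sample views (not real scan output).
API_VIEW = {
    "filesystem": {r"C:\Windows\System32\ntdll.dll", r"C:\Windows\explorer.exe"},
    "registry": {r"HKLM\System\CurrentControlSet\Services\Themes"},
}
RAW_VIEW = {
    "filesystem": {r"C:\Windows\System32\NTDLL.DLL", r"C:\Windows\explorer.exe",
                   r"C:\Windows\System32\drivers\hidden.sys"},
    "registry": {r"HKLM\System\CurrentControlSet\Services\Themes",
                 r"HKLM\System\CurrentControlSet\Services\hidden"},
}

if __name__ == "__main__":
    for f in cross_view(API_VIEW, RAW_VIEW):
        print(f"{f.kind:16} {f.store:10} {f.path}")
```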
Deleting Hard-to-Delete Registry Keys
- Watch for key security
  - Some antispyware tools don't report access-denied errors
  - Use Regmon to check for errors
  - Use Regedit to change security permissions
- Some keys have
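Two Process Explorer heuristics that recur in the slides above, the purple "packed" highlight and URL hunting on the Strings tab, as an added example that is not code from the presentation or from Sysinternals: it dumps printable ASCII and UTF-16 strings the way the Strings utility does, flags URLs in them, and estimates packing from byte entropy plus UPX section markers. The sample images, the 7.2 bits-per-byte threshold and the function names are constructed assumptions.

```python
"""Strings dump and packed-image heuristic, in the spirit of the Process
Explorer Strings tab and its purple "packed" highlight.
Added example, not Sysinternals code; sample images are constructed."""
import math
import random
import re

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")           # printable ASCII runs
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # UTF-16LE printable runs
URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"'<>]+", re.IGNORECASE)
PACKER_MARKERS = (b"UPX0", b"UPX1", b"UPX!")        # UPX section names / magic


def extract_strings(data: bytes) -> list:
    """Printable ASCII and Unicode strings, as the Strings utility reports them."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return found


def find_urls(strings: list) -> list:
    return sorted({u for s in strings for u in URL_RE.findall(s)})


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n)
                for c in (data.count(bytes([b])) for b in set(data)))


def looks_packed(data: bytes, threshold: float = 7.2) -> bool:
    # Plain code and data usually sit well below 7 bits per byte; compressed
    # or encrypted sections approach 8. A known packer marker is also a hit.
    return any(m in data for m in PACKER_MARKERS) or shannon_entropy(data) >= threshold


def triage(image: bytes) -> dict:
    strings = extract_strings(image)
    return {"packed": looks_packed(image), "urls": find_urls(strings),
            "string_count": len(strings)}


# Constructed sample images (not real files): an unpacked one carrying a
# UTF-16 URL, and a stand-in for a UPX-packed one (marker + high-entropy body).
PLAIN_IMAGE = (b"MZ\x90\x00" + b"\x00" * 64
               + b"This program cannot be run in DOS mode.\x00"
               + "http://example.invalid/update.php".encode("utf-16-le")
               + b"\x00\x00CreateRemoteThread\x00WriteProcessMemory\x00")
PACKED_IMAGE = b"MZ\x90\x00UPX0" + random.Random(1).randbytes(4096)

if __name__ == "__main__":
    for name, img in (("plain", PLAIN_IMAGE), ("packed", PACKED_IMAGE)):
        print(name, triage(img))
```

On a packed image the string dump is mostly noise, which is exactly why the slides say packing hides strings from view until the image is unpacked in memory.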