Malware: Fighting Spyware, Viruses, and Malware (Ch 4)

Upload: esmond-jacobs

Posted on 27-Dec-2015


Page 1: Malware Fighting Spyware, Viruses, and Malware Ch 4

Malware

Fighting Spyware, Viruses, and Malware

Ch 4

Page 2: How the Pros Do It

Test machines

Easily replaced test OS images

Software to detect exactly what damage an infection has caused
– We now have all these things for free with virtual PCs and HijackThis

Page 3: Anatomy of an Infection

File system
– Add, delete, or modify files
– Spyware doesn’t usually modify or delete files, or make many copies of itself; that’s what viruses do

Windows Registry
– All software installation modifies the Registry
– Avoid editing the Registry manually; if you must, set a Restore Point first (demonstration)

Page 4: Anatomy of an Infection

Internet Explorer and other Applications
– Change IE home page and security settings
– Prevents updates or online virus scans
– Especially common with Browser Hijackers
– To remove browser hijackers, go to a clean machine and download Stinger from McAfee
– Link CNIT 30 Ch 4a, or /vil.nai.com/vil/stinger/
– Infect Outlook, send emails to people in your Address book

Page 5: Anatomy of an Infection

Windows System
– May block Windows Update, or even show you a fake Windows Update screen
– Some malware kicks out previous infections to steal zombies from other botmasters

Page 6: System Restore

Enables Windows XP machines to return the system files to the way they were on a previous date
– Fixes many problems, but not viruses or worms
– Infections can hide in the Restore Points, so that later Restores re-infect a cleaned system
– Delete the Restore Points before running Stinger, and most other malware removal tools too

Page 7: Disabling System Restore

System Properties

Turning it off deletes all the Restore Points

Don’t do it casually, only when you know you are infected

Page 8: Safe Mode

Press F8 during startup

Startup items, like spyware, don’t run

But neither do antivirus and antispyware programs

Avoid “Safe Mode with Networking” for that reason

Page 9: Registry Editing

The Registry stores thousands of system settings
– Control Panel is the best way to modify the Registry for normal activities
– To manually change the Registry, use Start, Run, Regedit

Page 10: Registry Editing

You may need to remove items spyware puts into the Registry manually
– You can wreck your machine with a wrong Registry edit
– Set a Restore Point first
– Project 3x guides you through a few fun Registry hacks

Page 11: CoolWebSearch

This is an example of very nasty malware

Makes pop-ups

Blocks antispyware scans

Adds favorites to Internet Explorer

Hijacks the home page and other pages via the Hosts file

Some variants are very difficult to remove
– See links CNIT 30 Ch 4d, 4e

Page 12: Hosts File

C:\WINDOWS\system32\drivers\etc\Hosts
– Can be used to make networking faster and more reliable
– Can also be used to redirect traffic to spoofed sites: “Pharming”
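To make the Hosts-file hijacking described on the CoolWebSearch and Hosts File slides concrete, here is an added Python audit script (not part of the original slides): it parses a Hosts file and flags lines that override DNS, whether by pinning a public name to a fixed address (pharming) or by blackholing an update or scanner site to loopback. The Hosts contents it scans are constructed sample lines, and the flagging rules are this example's own assumptions.

```python
"""Audit a Windows Hosts file for overrides of the kind a browser hijacker
adds. Added example; the Hosts content below is constructed, not real."""
import ipaddress

# Constructed sample of C:\WINDOWS\system32\drivers\etc\Hosts after a hijack.
SAMPLE_HOSTS = """\
# sample header comment
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.example-bank.com
192.0.2.10      update.microsoft.com            # blocks Windows Update
127.0.0.1       www.antispyware-vendor.example  # blackholes a scanner site
"""

# Names that legitimately map to loopback on a stock Windows install (assumed).
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()             # one address, one or more names
        entries.extend((ip, name.lower()) for name in names)
    return entries


def suspicious_entries(text):
    """Flag every entry that overrides DNS for a name other than localhost.
    A stock Hosts file holds only loopback entries, so on an end-user machine
    any other line deserves review (assumption of this example)."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            if name not in LOOPBACK_OK:       # e.g. a vendor site sent to 127.0.0.1
                flagged.append((ip, name, "blackholed to loopback"))
        else:                                 # a real name pinned to a chosen address
            flagged.append((ip, name, "pinned to a fixed address (pharming)"))
    return flagged
```

Point it at the real Hosts path from the slide instead of SAMPLE_HOSTS; entries a LAN administrator added deliberately will also be flagged, so review rather than delete.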