Malware: Fighting Spyware, Viruses, and Malware, Ch 4

Page 1: Malware
Fighting Spyware, Viruses, and Malware
Ch 4

Page 2: How the Pros Do It
Test machines
Easily replaced test OS images
Software to detect exactly what damage an infection has caused
– We now have all these things for free with virtual PCs and HijackThis

Page 3: Anatomy of an Infection
File system
– Add, delete, or modify files
– Spyware doesn’t usually modify or delete files, or make many copies of itself; that’s what viruses do
Windows Registry
– All software installation modifies the Registry
– Avoid editing the Registry manually; if you must, set a Restore Point first (demonstration)

Page 4: Anatomy of an Infection
Internet Explorer and other Applications
– Change IE home page and security settings
– Prevents updates or online virus scans
– Especially common with Browser Hijackers
– To remove browser hijackers, go to a clean machine and download Stinger from McAfee
– Link CNIT 30 Ch 4a, or /vil.nai.com/vil/stinger/
– Infect Outlook, send emails to people in your Address book

Page 5: Anatomy of an Infection
Windows System
– May block Windows Update, or even show you a fake Windows Update screen
– Some malware kicks out previous infections to steal zombies from other botmasters

Page 6: System Restore
Enables Windows XP machines to return the system files to the way they were on a previous date
– Fixes many problems, but not viruses or worms
– Infections can hide in the Restore Points, so that later Restores re-infect a cleaned system
– Delete the Restore Points before running Stinger, and most other malware removal tools too

Page 7: Disabling System Restore
System Properties
Turning it off deletes all the Restore Points
Don’t do it casually, only when you know you are infected

Page 8: Safe Mode
Press F8 during startup
Startup items, like spyware, don’t run
But neither do antivirus and antispyware programs
Avoid “Safe Mode with Networking” for that reason

Page 9: Registry Editing
The Registry stores thousands of system settings
– Control Panel is the best way to modify the Registry for normal activities
– To manually change the Registry, use Start, Run, Regedit

Page 10: Registry Editing
You may need to remove items spyware puts into the Registry manually
– You can wreck your machine with a wrong Registry edit
– Set a Restore Point first
– Project 3x guides you through a few fun Registry hacks

Page 11: CoolWebSearch
This is an example of very nasty malware
Makes pop-ups
Blocks antispyware scans
Adds favorites to Internet Explorer
Hijacks the home page and other pages via the Hosts file
Some variants are very difficult to remove
– See links CNIT 30 Ch 4d, 4e

Page 12: Hosts File
C:\WINDOWS\system32\drivers\etc\Hosts
– Can be used to make networking faster and more reliable
– Can also be used to redirect traffic to spoofed sites
– “Pharming”
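The CoolWebSearch and Hosts File slides describe two abuses of the Hosts file: blackholing update and scanner sites so the infection cannot be removed, and redirecting well-known names to spoofed sites (pharming). The following checker, added here as an example and not part of the original slides or of any tool the slides mention, parses a Windows-style Hosts file and classifies each entry so a technician can spot those two patterns quickly. The vendor-domain list, the internal address ranges and the sample Hosts text are all constructed for this example; the file path is the one the slide gives.

```python
"""Audit a Windows-style Hosts file for blackholed or redirected names.

Added example (not from the original slides).  Reads a Hosts file in the
format of C:\\WINDOWS\\system32\\drivers\\etc\\Hosts and flags entries that
look like the hijacks described on the CoolWebSearch and Hosts File slides.
"""
import ipaddress

# Update and security-vendor domains that Hosts-file hijackers remap to stop
# updates and online scans.  Illustrative list, constructed for this example.
WATCHED_SUFFIXES = ("windowsupdate.com", "update.microsoft.com",
                    "mcafee.com", "nai.com")

# Names that legitimately map to loopback.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# RFC 1918 / link-local ranges: a mapping into these is usually an intranet
# entry rather than pharming.  Constructed list; adjust to your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]


def is_watched(name):
    """True if name is, or is a subdomain of, a watched vendor domain."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_hosts(text):
    """Return (line_no, address_token, [hostnames]) for each active entry.
    Comments (everything after '#') and blank lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        tokens = body.split()
        entries.append((line_no, tokens[0], tokens[1:]))
    return entries


def classify(addr_token, name):
    """Map one address/name pair to (severity, reason), or None if benign."""
    try:
        addr = ipaddress.ip_address(addr_token)
    except ValueError:
        return ("high", "unparseable address token")
    if name.lower() in LOOPBACK_NAMES and addr.is_loopback:
        return None
    if is_watched(name):
        # Blocking or redirecting an update/scanner site is the classic
        # "prevents updates or online virus scans" symptom.
        return ("high", "update/security-vendor domain remapped")
    if addr.is_loopback or addr.is_unspecified:
        # 127.0.0.1 / 0.0.0.0 entries also come from ad-blocking lists.
        return ("medium", "name blackholed (ad-blocking is benign; verify)")
    if is_internal(addr):
        return ("info", "mapped to an internal address (intranet entry?)")
    return ("high", "redirected to an external address (possible pharming)")


def audit_hosts(text):
    """Return a list of findings, one dict per suspicious address/name pair."""
    findings = []
    for line_no, addr_token, names in parse_hosts(text):
        if not names:
            findings.append({"line": line_no, "address": addr_token, "name": "",
                             "severity": "medium", "reason": "malformed line"})
            continue
        for name in names:
            verdict = classify(addr_token, name)
            if verdict is not None:
                severity, reason = verdict
                findings.append({"line": line_no, "address": addr_token,
                                 "name": name, "severity": severity,
                                 "reason": reason})
    return findings


# Sample Hosts file, constructed for this example (not a real capture).
SAMPLE_HOSTS = """\
# Sample Hosts file, constructed for this example
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net
127.0.0.1       www.mcafee.com         # blocks the online scanner
203.0.113.7     www.example-bank.com   # pharming-style redirect
10.0.0.5        intranet.corp.example
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3} [{f['severity']:<6}] "
              f"{f['address']:<15} {f['name']:<24} {f['reason']}")
```

To check a live machine, replace SAMPLE_HOSTS with the contents of the path on the slide; the "medium" blackhole findings need a human decision, because ad-blocking Hosts lists produce the same pattern as a hijacker that only blocks sites.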