Step 3: Malware Analysis
After controlling the spread of the malware attack, take time to understand the nature of the emergency and perform a more detailed analysis of the malware. If you skip this step, the likelihood of re-infection increases: if you do not know how the malware works, you cannot be sure that the system has been cleaned up, nor that it will withstand future attacks.
Ideally, members of the security team will use dedicated applications and utilities that collect the required information automatically to analyze the malware. The following steps help you understand the nature of the attack.
Check operating system elements
Try to determine which operating system elements were introduced or modified by the attack. As part of this analysis, look for the following changes:
• Active processes and services.
• Local registry.
• Files in the Microsoft Windows system folder.
• New users or group accounts, especially new users or group accounts with administrator privileges.
• Shared folders (including hidden folders).
• A new file with a normal file name but in an abnormal location.
• Open network ports.
Techniques for checking these operating system elements are described in the following sections.
Check active processes and services
Malware on an infected system may introduce new processes into memory.
To minimize the number of entries in the process list, and so make any malicious process easier to identify, close all legitimate applications and any legitimate background applications, such as instant messengers, email monitors, or third-party utilities that reside in memory.
If a dedicated tool is unavailable, you can use the Windows "Task Manager" tool, available on all Microsoft Windows systems, to quickly check the active processes running on the system. However, because "Task Manager" does not display the image path of a process's executable, it cannot tell you whether a process started by a malware attack under a plausible name such as "svrhost" is a legitimate one.
To analyze active processes on a Windows computer with "Task Manager", perform the following steps:
1. Press Ctrl + Alt + Del to bring up the "Windows Security" window and select "Task Manager". Note: On Windows 9x, you will see a list of running programs instead of the "Task Manager" application.
2. Click the process tab.
3. Adjust the Windows "Task Manager" window to display as many active processes as possible on the screen.
4. Select the "View" option from the menu bar and click "Select Columns...".
5. Select the check boxes in the following columns:
• PID (process identifier)
• CPU usage
• CPU time
• Memory usage
• Peak memory usage
• I/O read
• I/O write
6. Click "OK" and resize the window to display as many columns as possible. You can click any column title to sort by that column. Sort by each of the columns listed and determine which processes are using the resources.
Note: To obtain a printed copy of this list for future reference, activate the Process Explorer or Windows "Task Manager" window and press Alt + Print Screen. The screen snapshot placed on the computer's clipboard can be pasted into Windows Paint or Microsoft Word for printing.
Figure 4.3 shows the process details of the Blaster worm as an active process in the Microsoft Windows 2000 Server "Task Manager".
Figure 4.3: Windows 2000 Task Manager showing the active Blaster worm process
Note: Some malware may try to prevent "Task Manager" from starting as a form of defense. In this case, you can use the Tasklist command-line utility on Microsoft Windows XP and Windows Server 2003 (or the TList command-line utility on a Windows 2000 computer) to generate a simple text file listing the processes, which can be copied to removable media for further analysis. Use the following command-line syntax to generate a text file containing a list of all active processes:
tasklist /v > TaskList.txt
This command line creates a file named TaskList.txt in the current working directory.
Use the following guidance to check the processes on a computer that is suspected of running some form of malware:
• Check for instances of running Telnet or File Transfer Protocol (FTP) services.
• If you are not sure about a process, use an Internet search engine (such as Google) to find information about it.
• Check the image file path of any process that cannot be identified by its image name alone.
• Check both running and stopped services.
In addition to the msblast.exe process shown in Figure 4.3, other suspicious processes include:
• ServuFTP
• Ocxdll.exe
• Kill.exe
• Mdm.exe
• Mdm.scr
• Mt.exe
• Ncp.exe
• Export xec.exe
• Win32load.exe
Check the Startup Folder
Malware may attempt to start automatically by modifying the system's Startup folders.
Note: The exact paths of these folders vary with the operating system being analyzed. The following information applies to operating systems running Windows XP, Windows Server 2003, or Windows 2000.
Check two areas of the Startup folder. The first is the "All Users" folder, which can be found in the following default location:
C:\Documents and Settings\All Users\Start Menu
The second area is in the profile path of the account currently logged on. It is important to check all the profiles created on the system, not just the account currently logged on. You will find this information in C:\Documents and Settings\<username>\Start Menu, where <username> is the login ID of a user defined on the system being checked.
Check the entries in each Startup folder to ensure that no malware attempts to start during system startup.
Check scheduled applications
Malware may, although rarely, attempt to start unauthorized applications using the Windows scheduler service. To confirm that this is not the case, perform a simple check of the scheduler queue by completing the following steps:
1. Click Start, click Run, type at, and then press Enter.
2. Check the list. If it shows any unauthorized or suspicious application, use the following command to create a report for further analysis:
• Click Start, click Run, type at > C:\AT_Queue_Report.txt, and press Enter.
Running this command creates a text file in the root directory of the C: drive, which should be moved to a removable disk for further analysis. Check the text file to determine whether any unauthorized applications are scheduled in the queue.
Once the analysis of active and scheduled processes is complete, you should have identified one or more processes introduced by the attack. After recording these processes, restart the system and repeat the analysis to determine whether the attack restarts itself at startup, since a restart mechanism is what lets the malicious processes persist and damage other areas of the system. If they do restart, analyze the system startup files and registry to find the mechanism that keeps the malicious process or processes running.
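As an added example (not code from the guide), the checks in the sections above, from the active process list through the scheduler queue, gathered into one PowerShell collection script that writes everything to removable media. It assumes Windows PowerShell 4.0 or later, an administrative session, and a removable drive mounted at E:\ (an assumed path); it also takes a registry copy with Reg.exe, which the next section discusses.

```powershell
# Added collection script; not part of the guide. Assumes Windows PowerShell 4.0 or
# later, an administrative session, and a removable drive mounted as E:\ (assumed).
param([string]$OutDir = "E:\IR_$($env:COMPUTERNAME)_$(Get-Date -Format 'yyyyMMdd_HHmm')")
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Plain-text process list, the same data as "tasklist /v > TaskList.txt" in the guide.
tasklist /v | Out-File (Join-Path $OutDir 'TaskList.txt')

# 2. Task Manager hides the image path, so record it for every process. A familiar
#    name (svchost.exe, for example) running from outside System32 stands out here.
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
    Sort-Object Name |
    Export-Csv (Join-Path $OutDir 'Processes.csv') -NoTypeInformation

# 3. Running and stopped services, with the binary each one launches.
Get-CimInstance Win32_Service |
    Select-Object Name, State, StartMode, PathName |
    Export-Csv (Join-Path $OutDir 'Services.csv') -NoTypeInformation

# 4. Open network ports, with the owning process ID to match against step 2.
netstat -ano | Out-File (Join-Path $OutDir 'Netstat.txt')

# 5. Startup folders: the All Users folder plus every profile on the disk, not only
#    the logged-on user. -Force lists hidden entries as well.
$startupRel = @('Start Menu\Programs\Startup',                                   # XP / 2003 layout
                'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup')  # Vista and later
$dirs = @([Environment]::GetFolderPath('CommonStartup'))
foreach ($p in Get-ChildItem (Split-Path $env:USERPROFILE -Parent) -Directory) {
    foreach ($rel in $startupRel) { $dirs += Join-Path $p.FullName $rel }
}
$dirs | Where-Object { Test-Path $_ } | ForEach-Object { Get-ChildItem $_ -Force } |
    Select-Object FullName, Length, LastWriteTime |
    Export-Csv (Join-Path $OutDir 'StartupFolders.csv') -NoTypeInformation

# 6. Scheduler queue: "at" as in the guide where it still exists, plus schtasks.
if (Get-Command at.exe -ErrorAction SilentlyContinue) {
    at | Out-File (Join-Path $OutDir 'AT_Queue_Report.txt')
}
schtasks /query /v /fo CSV | Out-File (Join-Path $OutDir 'SchTasks.csv')

# 7. Registry copy with Reg.exe: the hives that hold service and autostart settings.
reg export HKLM\SOFTWARE (Join-Path $OutDir 'HKLM_SOFTWARE.reg') /y | Out-Null
reg export HKLM\SYSTEM   (Join-Path $OutDir 'HKLM_SYSTEM.reg')   /y | Out-Null

# 8. Hash everything collected so the evidence can be verified later.
Get-ChildItem $OutDir | Get-FileHash -Algorithm SHA256 |
    Export-Csv (Join-Path $OutDir 'Manifest.csv') -NoTypeInformation
```

Run the script once before the reboot and once after it, and compare the two Processes.csv and StartupFolders.csv files to see which processes come back on their own.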
Analyze the local registry
Because the complete system registry is a large and complex data store, it is best to create a copy of the entire registry for detailed analysis after the attack recovery process is complete.
The Backup utility included with Windows can back up and restore the entire registry. If you already use Backup to back up your hard disk regularly, you can easily include the registry in those backups. To back up the registry with the Backup application, select "System State" when choosing the drives, files, and folders to include in the backup set.
Because "System State" contains other system-specific information in addition to the registry, these backup files can be several hundred MB in size. Another option is to use the registry editor utilities that ship with all Windows versions; these utilities are suitable for generating a copy of the registry. Windows XP and Windows Server 2003 have two registry editing tools: Regedit.exe and Reg.exe.
To use Regedit to generate a copy of the registry, perform the following steps:
1. Click Start, click Run, type regedit, and then press Enter.
2. In the left pane, select "My Computer", and then select "Export" from the "File" menu.
3.