Session DCIM-B368: Malware hunting with Sysinternals Tools. This was a great session by Mark Russinovich on how to use his Sysinternals tools to find malware and rid your system of it. He gave a number of demos showing exactly how his tools find malware and how they can then be used to remove it. Check out the Channel 9 video to see all of his great demos.
Introduction
- The top 4 AV products detect less than 40% of all malware
- Malware cleaning steps: disconnect from the network, identify the malicious processes/drivers, terminate the identified processes, identify and delete the malware autostarts, delete the malware files, reboot and repeat.
Identify Malware Processes
- Investigate processes that: have no icon, have no description or company name, are packed, live in the user profile, open TCP/IP endpoints, or load suspicious DLLs
- Don’t use Task Manager; use Process Explorer
- A lot of malware uses randomly generated names
- “Search online” in Process Explorer is not that useful these days
- Pink processes host Windows services (background processes); blue processes run as the user
- Cyan marks Metro apps
- Green highlights processes that have just launched, red highlights processes that are terminating
- Packed executables are shown in purple. Packed can mean compressed or encrypted
- Add the “Verified Signer” column to the display view
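The screening criteria above (no description or company name, unsigned, packed, running from the user profile, open TCP/IP endpoints, random-looking names) as a small triage routine over process records. This is an added example written for these notes, not code from the session or from Sysinternals; the process records are constructed, and the entropy/vowel thresholds for “random-looking name” are my own assumptions.

```python
import math
from dataclasses import dataclass


@dataclass
class Proc:
    """Constructed process record mirroring the Process Explorer columns mentioned above."""
    name: str
    path: str
    company: str = ""
    description: str = ""
    verified_signer: bool = False
    packed: bool = False
    tcp_endpoints: int = 0


def name_entropy(name: str) -> float:
    """Shannon entropy (bits per character) of the file name without its extension."""
    stem = name.lower().rsplit(".", 1)[0]
    if not stem:
        return 0.0
    counts = {c: stem.count(c) for c in set(stem)}
    return -sum(n / len(stem) * math.log2(n / len(stem)) for n in counts.values())


def looks_random(name: str) -> bool:
    """Heuristic for randomly generated names: long, high entropy, few vowels (assumed thresholds)."""
    stem = name.lower().rsplit(".", 1)[0]
    vowels = sum(ch in "aeiou" for ch in stem)
    return len(stem) >= 8 and name_entropy(name) >= 2.8 and vowels / len(stem) < 0.2


def in_user_profile(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    return "\\users\\" in p or "\\documents and settings\\" in p


def triage(p: Proc) -> list[str]:
    """Return the list of reasons a process deserves a closer look; empty means nothing flagged."""
    reasons = []
    if not p.description or not p.company:
        reasons.append("no description/company name")
    if not p.verified_signer:
        reasons.append("signature not verified")
    if p.packed:
        reasons.append("packed image")
    if in_user_profile(p.path):
        reasons.append("runs from user profile")
    if p.tcp_endpoints:
        reasons.append(f"{p.tcp_endpoints} open TCP/IP endpoint(s)")
    if looks_random(p.name):
        reasons.append("random-looking name")
    return reasons


SAMPLE = [  # constructed records, not taken from the talk
    Proc("svchost.exe", r"C:\Windows\System32\svchost.exe", "Microsoft Corporation",
         "Host Process for Windows Services", True),
    Proc("xkqzvbtr.exe", r"C:\Users\alice\AppData\Roaming\xkqzvbtr.exe", packed=True, tcp_endpoints=2),
]
```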
Image Verification
- Almost all Microsoft code is digitally signed
- New: VirusTotal integration in Process Explorer
- Add the “VirusTotal” column
- Sigcheck -e -u -vr -s c:\ (Sigcheck shows file version information and verifies digital signatures; this command recursively scans executables under c:\ and reports the unsigned or VirusTotal-flagged ones)
- Strings: check the process’s memory image for suspicious strings
Terminating Processes
- First put the process to sleep (suspend it), then terminate it, so a companion process cannot restart it before both are dealt with
Cleaning Autostarts
- Use Autoruns
- Tell Autoruns to hide Microsoft entries so that only images not signed by Microsoft are shown
- Malware has started using WMI to launch processes
Tracing Malware Activity
- If in doubt, run Process Monitor
- Filtering is the key to using Process Monitor
- The best filter is Category is “Write”, which keeps only the operations that modify the system