Topic: Injected or Infected Process and How to

May 07, 2009, 10:10:03 pm
randy

I'm wondering how to handle this:

When a critical or any other process (svchost, etc.) is injected or infected by malware, how should an AV react?
Normally the injected/infected process should be stopped (removed from memory) to avoid the infection spreading, but a critical process like winlogon or svchost cannot be stopped, so what is an AV supposed to do here?
I know about queuing disinfection/deletion/quarantine for the next reboot, but how about these critical processes? How will the AV deal with them on the next reboot?

Thank you

May 07, 2009, 11:42:11 pm
Reply #1
arebc

That's a good question.

Injected and infected are two totally different things. If the malicious file is injected into a critical process, usually what happens is that the malware will be deleted on reboot. Since the injected file has been deleted/quarantined on reboot, the critical process should be okay, depending on what settings were changed. Critical processes usually cannot be killed, because this will make the OS unstable.

If the critical process has been infected, this is a much more complicated process, because a clean routine has to be written to repair the infected critical process.

Does that help?


May 08, 2009, 11:54:52 am
Reply #2
randy

Thank you arebc. Let's assume that NO AV is installed and an XProcess is injected. If I reboot the machine, will this XProcess be clean?

May 08, 2009, 03:08:18 pm
Reply #3
arebc

Depends: has the process/file been deleted? If not, then most likely the file will still inject into the XProcess on reboot. Usually the malicious file writes some type of setting to protect itself so that it resumes on reboot.

May 08, 2009, 03:25:08 pm
Reply #4
MysteryFCM

If a file is injected into a process, you can bet your life that it has written at least a file and a reg key to re-inject itself on reboot.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 08, 2009, 04:46:31 pm
Reply #5
randy

Thank you MysteryFCM. If I detect this file and reg key before rebooting, will my machine still be injectable or infectable?

May 08, 2009, 04:51:42 pm
Reply #6
MysteryFCM

Depends entirely on the infection. Some can be killed before reboot (though rarely), others require booting into safe mode, and others require removal with specialist tools such as GMER; there is no "one size fits all" when it comes to infections.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 08, 2009, 05:24:46 pm
Reply #7
arebc

> If a file is injected into a process, you can bet your life that it's written at least a file and reg key, to re-inject it on re-boot.

I wouldn't bet your life ;) There are cases of malware (especially worms) that just stay memory resident and never write themselves to disk. The Slammer worm is a good example of this: http://www.f-secure.com/v-descs/mssqlm.shtml

But MysteryFCM is basically right: most malware that infects a box will write some file or reg key to disk. Do you know which critical process the malware is injected into? If you know which malicious file needs to be deleted, you could always use Killbox to delete the file on reboot. Odds are you won't be able to delete the file manually using Explorer, because the file will have a handle open.

May 09, 2009, 10:06:34 pm
Reply #8
MysteryFCM

In the case of older malware this was certainly sometimes the case. However, I've not seen anything in the last 24 months that doesn't do *something* to ensure it survives a reboot.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

December 21, 2009, 03:44:13 am
Reply #9
valkyriex

In many cases, the malicious process will be monitored by another one. If it is killed, it will be reborn; sometimes there is a good tangling and monitoring linkage between 2-3 processes to ensure its survival.

For the cleaning scheme, if you have a sample on hand, you could simply send it to an online sandbox like Anubis for the first round of analysis, identifying whether any signature has been released and understanding what kinds of impact/changes/additions it made to the registry/filesystem/processes/network connections.

For a critical system, it is good to always make a regshot (registry snapshot) for every new production deployment, as we cannot guarantee a server will be safe forever. When an incident strikes, compare against the initial regshot for issue detection.

Regards,
Dark Floyd
Valkyrie-X Security Research Group, Hong Kong
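An added example, not from the post above, of the regshot-style comparison it recommends. It assumes the baseline and the later snapshot were saved as .reg exports (for instance with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run baseline.reg`); regshot writes its own report format, so this is a portable stand-in that diffs exported data anywhere. The two snapshots embedded below are constructed for the example, and parse_reg, diff_snapshots and report are this example's own names.

```python
"""Added example (not from the thread): a regshot-style comparison of two
registry snapshots saved as .reg exports.  The sample data is constructed."""
import re

_UNESCAPE = re.compile(r'\\(["\\])')  # .reg escapes \" and \\ inside strings


def parse_reg(text):
    """Parse a .reg export into {(key, value_name): data}.  A key's presence
    is recorded as (key, None); the default value (@) has name "".  String
    and dword data are decoded; other types (hex:) keep their raw text, and
    hex continuation lines are skipped, so a change on a continuation line
    of a long binary value is not seen."""
    snapshot, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            snapshot[(key, None)] = None
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or key is None:
            continue  # hex continuation line or junk
        name = "" if m.group(1) == "@" else _UNESCAPE.sub(r"\1", m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _UNESCAPE.sub(r"\1", data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        snapshot[(key, name)] = data
    return snapshot


def diff_snapshots(before, after):
    """Compare two parse_reg() results.  Key and value names are matched
    case-insensitively, as the registry itself treats them; reported tuples
    keep the spelling from the snapshot they came from."""
    def norm(snap):
        return {(k.lower(), None if n is None else n.lower()): (k, n, v)
                for (k, n), v in snap.items()}

    def order(t):  # a key sorts before its values; avoids None/str compares
        return (t[0], t[1] is not None, t[1] or "")

    b, a = norm(before), norm(after)
    return {
        "added": [a[x] for x in sorted(a.keys() - b.keys(), key=order)],
        "removed": [b[x] for x in sorted(b.keys() - a.keys(), key=order)],
        "changed": [(a[x][0], a[x][1], b[x][2], a[x][2])
                    for x in sorted(a.keys() & b.keys(), key=order)
                    if a[x][2] != b[x][2]],
    }


def report(delta):
    """Render a diff as one line per finding: + added, - removed, ~ changed."""
    lines = []
    for k, n, v in delta["added"]:
        lines.append(f"+ {k}" if n is None else f"+ {k}\\{n or '@'} = {v!r}")
    for k, n, v in delta["removed"]:
        lines.append(f"- {k}" if n is None else f"- {k}\\{n or '@'} = {v!r}")
    for k, n, old, new in delta["changed"]:
        lines.append(f"~ {k}\\{n or '@'}: {old!r} -> {new!r}")
    return lines


# Constructed snapshots: a clean baseline taken at deployment and a later
# export from the same box.  Paths and value names are made up.
BASELINE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001
'''

LATER = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Windows Update"="C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Loader"="C:\\Users\\bob\\AppData\\Local\\Temp\\ld.exe"
'''

if __name__ == "__main__":
    print("\n".join(report(diff_snapshots(parse_reg(BASELINE), parse_reg(LATER)))))
```

On the constructed data the report shows a new Run value pointing into a temp directory, a new RunOnce key with a loader, and EnableLUA flipped from 1 to 0; in practice export the same set of keys both times (autostart keys, services, Winlogon, policies) so the diff stays small enough to read.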