Malware Related > Compromised Servers

Injected or Infected Process and How to

<< < (2/2)

randy:
thank you MysteryFCM  , If i detect this File and Reg Key before re-booting my machine will be still Injectable or Infectable ?

MysteryFCM:
Depends entirely on the infection. Some can be killed before re-boot (though rarely), others require booting into safe mode, others require removal with specialist tools such as GMER - there is no "one size fits all" when it comes to infections.

arebc:

--- Quote from: MysteryFCM on May 08, 2009, 03:25:08 pm ---If a file is injected into a process, you can bet your life that it's written at least a file and reg key, to re-inject it on re-boot.

--- End quote ---

I wouldn't bet your life  ;) There are cases of malware (especially worms) that just stay memory resident and never write themselves to disk. The slammer worm is a good example of this: http://www.f-secure.com/v-descs/mssqlm.shtml

But MysteryFCM is basically right most malware that infect a box will write some file or reg-key to disk. Do you know what critical process the malware is injected to? If you know what malicious file needs to be deleted you could always use Killbox to delete the file on reboot? Odds are you won't be able to manually delete the file using explorer because the file will have a handle open.   

MysteryFCM:
In the case of older malware this was certainly sometimes the case. However, I've not seen anything in the last 24 months that doesn't do *something* to ensure it survives a reboot.

valkyriex:
In many cases, the malicious process will be monitored by another one. If it is killed, it will reborn, sometimes, there is a good tangling and monitoring linkage between 2-3 processes to ensure its survival.

For the cleaning scheme, if you have got a sample on hand, you could simply send it to some online sandbox like anubis for analysis in the first round of analysis, identifying any signature has been released and understand what kinds of impact/changes/addition it made in registry/filesystem/process/network connection.

For critical system, it is good to always making a regshot (registry snapshot) for every new production deployment as we cannot guarantee server will be safe forever. When incidence strikes, comparison against the initial regshot for issue detection.

Regards,
Dark Floyd
Valkyrie-X Security Research Group, Hong Kong

Navigation

[0] Message Index

[*] Previous page

Go to full version