Tuesday, August 3, 2010

Antivirus Defense-in-Depth Guide (2)


Step 3: Malware Analysis

To control the spread of a malware attack, you must take the time to understand the nature of the outbreak and perform a more detailed analysis of the malware. Skipping this step increases the likelihood of re-infection; if you do not understand how the malware works, you cannot be sure that the system has been cleaned or that it is safe from future attacks.

Check the following operating system elements:
* Active processes and services.
* The local registry.
* Files in the Microsoft Windows system folders.
* New user or group accounts, especially new accounts with administrator privileges.
* Shared folders (including hidden folders).
* New files with normal-looking names but in unusual locations.
* Open network ports.

Check active processes and services
The system may have been infected by introducing a new process into memory. To keep the number of entries in the process list to a minimum, and so make any malicious process easier to identify, close all legitimate applications and any legitimate background applications, such as instant messengers, e-mail monitors, or third-party memory-resident utilities.

If no special tools are available, you can use the Windows "Task Manager" tool, which ships with all Microsoft Windows systems, to quickly check the active processes running on the system. However, because "Task Manager" does not show the path of the image that started a process, it cannot tell you whether a process with a name such as "svrhost" is a legitimate process or one started by a malware attack.

Complete the following steps to view the active processes with "Task Manager":
1. Press Ctrl + Alt + Del to open the "Windows Security" window and select "Task Manager". Note: on a Windows 9x computer you will see a list of running programs rather than the "Task Manager" application.
2. Click the "Processes" tab.
3. Resize the Windows "Task Manager" window so that as many active processes as possible are visible.
4. From the menu bar, select the "View" option and click "Select Columns...".
5. Select the following check boxes:
* PID (Process Identifier)
* CPU Usage
* CPU Time
* Memory Usage
* Peak Memory Usage
* I/O Reads
* I/O Writes
6. Click "OK" and resize the window to show as many of these columns as possible. You can click any column heading to sort by that column. Sort on each column in turn to determine which process is using which resources. Note: to obtain a printout of the list for future reference, activate the Process Explorer or Windows "Task Manager" window and press Alt + Print Screen. This places a screen shot of the list on the computer's clipboard; the snapshot can be pasted into Windows Paint or Microsoft Word and printed.

The following figure shows the process details of the Blaster worm among the active processes in "Task Manager" on Microsoft Windows 2000 Server.

Figure 3: Active process of the Blaster worm in Windows 2000 Task Manager

Note: some malware may try to stop "Task Manager" from starting as a form of self-defense. In that case, on Microsoft Windows XP and Windows Server 2003 computers you can use the Tasklist command-line utility (or the TList command-line utility on Windows 2000 computers) to generate a simple text file that can be copied to removable media for further analysis. Use the following command line to generate a text file listing all active processes: tasklist /v > TaskList.txt. This creates a file named TaskList.txt in the current working directory of the command line.
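As an added example that is not part of the original guide, the following Python script triages a saved process list offline, on the analysis workstation, for exactly the problem the text raises: a look-alike name such as "svrhost" that a bare process list cannot distinguish from "svchost". It assumes the list was generated with the real CSV option, tasklist /v /fo csv > TaskList.txt, rather than the plain form above, because the CSV form keeps image names containing spaces in one field; the sample rows and the baseline name list are constructed.

```python
import csv
import io

# Constructed sample (not from the page) of `tasklist /v /fo csv` output.
SAMPLE_TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System Idle Process","0","Console","0","16 K","Running","NT AUTHORITY\\SYSTEM","1:02:03","N/A"
"csrss.exe","428","Console","0","3,120 K","Running","NT AUTHORITY\\SYSTEM","0:00:01","N/A"
"svchost.exe","820","Console","0","4,512 K","Running","NT AUTHORITY\\SYSTEM","0:00:02","N/A"
"svrhost.exe","1204","Console","0","2,088 K","Running","NT AUTHORITY\\SYSTEM","0:00:00","N/A"
"explorer.exe","1388","Console","0","12,340 K","Running","LAB\\analyst","0:00:09","N/A"
"msblast.exe","1520","Console","0","1,900 K","Running","NT AUTHORITY\\SYSTEM","0:00:00","N/A"
'''

# Assumed baseline of image names expected on a clean Windows XP host; a real
# response kit would carry a list captured from a known-good build instead.
BASELINE = {"system idle process", "system", "smss.exe", "csrss.exe",
            "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
            "spoolsv.exe", "explorer.exe", "taskmgr.exe"}

def edit_distance(a, b):
    """Levenshtein distance; one substitution separates svrhost from svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_tasklist(csv_text, baseline=BASELINE, max_distance=2):
    """Map each image name to 'baseline', 'lookalike of <name>' or 'unknown'."""
    verdicts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Image Name"].lower()
        if name in baseline:
            verdicts[name] = "baseline"
            continue
        # Not expected on this host: is it a near-miss of a known name, or entirely new?
        nearest = min(baseline, key=lambda known: edit_distance(name, known))
        if edit_distance(name, nearest) <= max_distance:
            verdicts[name] = "lookalike of " + nearest
        else:
            verdicts[name] = "unknown"
    return verdicts

if __name__ == "__main__":
    for name, verdict in triage_tasklist(SAMPLE_TASKLIST_CSV).items():
        print(f"{name:22} {verdict}")
```

Both "lookalike" and "unknown" verdicts are only leads: confirm each by checking the image path and signer on the infected host, since a baseline name can also be replaced in place.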

Check the Startup folders
Malware may try to get itself started by modifying the system's Startup folders. Note: the exact path of these folders depends on the operating system being analyzed. The following information applies to systems running Windows XP, Windows Server 2003 or Windows 2000. Two areas should be checked for startup files. The first is the "All Users" folder, which is found in the following default location: C:\Documents and Settings\All Users\Start Menu

The second area is the profile path of the user account that is currently logged on. It is important to check the profiles of all accounts created on the system, not only the one currently logged on. You will find this information under C:\Documents and Settings\<user>\Start Menu, where <user> is the login ID of the user being checked.

Analyze the local registry
Because the system registry is a large and complex data store, it is worthwhile to create a copy of the entire registry so that it can be analyzed in detail after the attack recovery process is complete.

All Windows versions include the Backup utility, which can be used to back up and restore the entire registry. If you use Backup for regular backups, the registry can easily be included in them. To back up the registry with the Backup application, select "System State" in addition to the drives, files and folders you want to include in the backup.

Because the system state contains other system-specific information as well as the registry, these backup files can be hundreds of MB in size. Another option is the Registry Editor utility, also included with all Windows versions, which is better suited to producing a copy of the registry alone. Windows XP and Windows Server 2003 ship with two Registry Editor tools: Regedit.exe and the command-line tool Reg.exe.

To create a copy of the registry with Regedit, do the following:
1. Click "Start", "Run", type Regedit, and then press Enter.
2. In the left pane, select "My Computer", and then from the "File" menu select "Export".
3. In the "File Name" box, type a name and location for the registry copy.
4. Under "Export Range", click "All", and then click "Save".

Important: because the removable disk has been exposed to the malware, take extra care to ensure that an effective control method is in place before the disk is exposed to any other system.

Check for malware and corrupted files
Most malware modifies one or more files on the computer's hard drive, and finding which files have been affected can be a very difficult process. If an image of the system was created, you can compare the infected system with a new system built from that image.

If that option is not available, another way to determine which files have changed is to search the whole file system for files changed since the malware was first introduced to the system. You can use the Windows Search tool for this; the following screen shot shows how the advanced options in the "Search Results" pane can narrow the search for infected files.



Figure 4: "Search Results" Advanced Options dialog box

With the options set as shown, all files created on or after the date the malware was introduced to the host (for example, April 27, 2004) will be listed. You can also create a text file listing all files in the current directory and its subdirectories; note that this list may be long.

To create a list of all files in a directory and its subdirectories, do the following:
1. Click "Start", "Run", type cmd, and then press Enter.
2. Change to the directory you want to record.
3. At the command prompt, type dir /s /-c /o:-d /t:c /q > FileList.txt, and then press Enter.

Running this command creates a text file named FileList.txt in the current directory; copy the file to removable media for further analysis. Note: there are many other ways to create a similar list using other tools and scripts. However, this section is designed to help you gather information quickly with the tools already available on the computer. If you have had time to prepare a more advanced emergency response kit that includes a script, use it instead of the process shown here.
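As an added example that is not part of the original guide, this Python script parses a saved FileList.txt produced by the dir command above and pulls out every file created on or after the outbreak date, so the long listing can be reduced offline to the files worth examining. It assumes a US-locale system (dates as MM/DD/YYYY and times as hh:mm AM/PM) and that the /q owner column has the DOMAIN\name form; the listing is constructed.

```python
import re
from datetime import datetime

# Constructed sample (not from the page) of `dir /s /-c /o:-d /t:c /q` output:
# creation date and time, size with no separators, owner, then the file name.
SAMPLE_DIR_LISTING = r""" Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\WINDOWS\system32

04/27/2004  10:15 AM    <DIR>          NT AUTHORITY\SYSTEM    .
04/27/2004  10:15 AM    <DIR>          NT AUTHORITY\SYSTEM    ..
08/23/2001  07:00 AM            14336 BUILTIN\Administrators svchost.exe
04/27/2004  10:15 AM             6176 BUILTIN\Administrators msblast.exe
               2 File(s)          20512 bytes

 Directory of C:\Documents and Settings\analyst\Local Settings\Temp

04/28/2004  02:03 AM              512 LAB\analyst            notes from ops.txt
04/26/2004  11:59 PM             1024 LAB\analyst            old.tmp
               2 File(s)           1536 bytes
"""

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
# date, time, <DIR> or byte size, owner (DOMAIN\name; the domain may contain a
# space, as in NT AUTHORITY\SYSTEM), then the file name, which may contain spaces.
DIR_ENTRY = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|\d+)\s+"
                       r"(\S+(?: \S+)*?\\\S+)\s+(.+?)\s*$")

def parse_dir_listing(text):
    """Yield (full_path, created, size, owner) for every file row in the listing."""
    current_dir = None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current_dir = header.group(1)
            continue
        entry = DIR_ENTRY.match(line)
        if not entry or current_dir is None:
            continue  # volume banner, blank lines and "n File(s)" summaries
        date, time, kind, owner, name = entry.groups()
        if kind == "<DIR>":
            continue  # directory rows, including "." and ".."
        created = datetime.strptime(date + " " + time, "%m/%d/%Y %I:%M %p")
        yield current_dir + "\\" + name, created, int(kind), owner

def files_created_since(text, cutoff_date):
    """Files created on or after cutoff_date (MM/DD/YYYY), oldest first."""
    cutoff = datetime.strptime(cutoff_date, "%m/%d/%Y")
    hits = [entry for entry in parse_dir_listing(text) if entry[1] >= cutoff]
    return sorted(hits, key=lambda entry: entry[1])
```

Creation times can be forged, so treat a short list as a starting point and cross-check it against the event log timestamps collected later in this step.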

Check users and groups
Some malware attempts to raise the privileges of the current user, or to add a new account to a group with administrator privileges. Check for the following abnormal settings:
* Unusual user accounts and groups.
* Inappropriate user names.
* Invalid group memberships.
* Invalid user rights.
* Any user or group account whose privileges were recently raised.
* Finally, make sure that every member of the Administrators group is valid.

Use the Local Users and Groups Microsoft Management Console (MMC) snap-in to check the local Administrators group for any abnormal settings. You should also check the local computer's security logs for any unusual entries. For example, entries in the "Account Management" category (such as event 636) indicate that a new member was added to a local group. These logs also give you the date and time at which the change occurred.

Note: although this article describes Windows 2000, it is also relevant to Windows 2003, because the basic default groups have not changed. However, Windows Server 2003 introduces additional default groups, such as the Network Service and Local Service special groups. Check the default system configuration for more information.

Check shared folders
Another common symptom of malware is that it spreads the infection through shared folders. Check the state of the shared folders on the infected system with the Computer Management MMC snap-in, or from the command line with the net share command. The following tables show the default shared folders on Windows clients and servers.

Note: by default, Windows 9x computers do not share files or folders unless file sharing has been enabled. In addition, Windows 9x clients have no "admin$" or equivalent hidden share; only folders or volumes that have been specifically shared are available over the network (unless the system has been compromised in some way or remote control software has been installed).

Table 1: Windows XP default shared folders

Table 2: Windows Server 2003 and Windows 2000 Server default shared folders

Check open network ports
Many malware attacks try to weaken the compromised system so that future attacks are easier. A commonly used technique is for the malware to open network ports on the host, which the attacker then uses as additional routes into it. Finally, you can use the NetStat command-line utility that ships with Windows to record the state of the current network connections and listening ports. The tool can produce a full printout of network connections and port states.

Use a network protocol analyzer
A network protocol analyzer tool can be used to log the incoming and outgoing network traffic of the infected host. The network trace file should be saved as part of the set of information files kept for further analysis.

Check and export the system event logs
The Windows system event logs can be used to identify a variety of abnormal behaviour (they help identify the changes made by the malware and when those changes occurred). Use the Event Viewer management console to save each type of event log file (Application, Security and System) to removable media for further analysis. By default, these files are stored in the C:\Winnt\System32\Config directory and are named AppEvent.evt, SecEvent.evt and SysEvent.evt. However, these files are locked while the system is running, so you should export them with the Event Viewer management tool.

The following tips explain how these logs help determine the impact of the malware attack:
* Look for any changes around the time of the suspected attack.
* Compare the event log timestamps with the creation and modification times of files.
* Look for suspicious account creation or password changes around the time of the intrusion.

At the end of the malware analysis process, the isolated network can be reconnected in a way that suits the nature of the malware. For example, if the analysis determines that the malware spreads only through a particular peer-to-peer (P2P) application, the external firewall filters can be changed to block that application while the disconnected network and its other services are restored. This lets the organization return to a normal level of communication while the systems are being patched.









2 comments:

  1. We know today: real-time, on-demand protection against the latest online threats with the help of Norton technical support UK.

  2. It's dependably sharp to keep alert with the latest with the most recent security programming for your PC. Whether you are utilizing Norton antivirus or another, it's essential to be ready for any gamble that could happen. In case of a mistake, there are two or three things you can do to find help. Norton technical support uk
