
Using mutexes to detect active infection

When infecting a system, a virus writer always faces the task of determining whether the system is already infected. Otherwise, running the infection routine a second time can in some cases break the Trojan or destabilize the entire system. Both outcomes are undesirable.

One mechanism for preventing this is the creation of a specific mutex whose presence indicates an active infection. Such mutexes are not hidden in any way, so they can serve as a reliable signal that a particular infection is present.

A list of handles to all mutexes open in the system can be obtained with Mark Russinovich's Handle utility (Sysinternals) using a simple command:
handle.exe -a > log.txt

Parsing the resulting list tells you not only whether the system is infected, but in some cases also which file is potentially infected, since Handle reports the process that holds each mutex.
Given that collecting the full log takes only a few seconds, even on a very busy machine, it seems promising to build black and white lists of mutexes that allow a rapid assessment of infection. For example, it is well known that:

_AVIRA_[letters] or __SYSTEM__[letters] - ZBot marker
svchost_test_started - TDL3 marker
Flameddos - Bifrost marker
__b4ng__b4ng__38 - Tigger marker
Jo1ezdsl - Bankpatch.C marker
Op1mutx9 or Ap1mutx7, always in combination with *exeM_* - Sality marker
Jhdheddfffffhjk5trh - Allaple marker
1337bot - Spybot marker
Rootz - Sdbot marker
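
A small parser for the handle.exe log that applies the blacklist above to each process, added here as an example (it is not code from the original post). The sample log is constructed, and the regex readings of the "[letters]" and "*exeM_*" wildcards are my own assumptions.

```python
import re
# Constructed sample of `handle.exe -a > log.txt` output (not a real capture).
SAMPLE_LOG = """\
explorer.exe pid: 1668 WS\\user
   3C: Mutant        \\Sessions\\1\\BaseNamedObjects\\ShimCacheMutex
   7A: File          C:\\Windows\\explorer.exe
------------------------------------------------------------------------------
svchost.exe pid: 2044 WS\\user
   40: Mutant        \\BaseNamedObjects\\svchost_test_started
------------------------------------------------------------------------------
bfgh.exe pid: 3120 WS\\user
   58: Mutant        \\BaseNamedObjects\\Op1mutx9
   5C: Mutant        \\BaseNamedObjects\\bfgh.exeM_3120_
"""
PROC_RE = re.compile(r"^(?P<image>\S+)\s+pid:\s+(?P<pid>\d+)")
HANDLE_RE = re.compile(r"^\s*[0-9A-Fa-f]+:\s+Mutant\s+(?P<name>\S.*?)\s*$")
# Single-name markers from the list above; "[letters]" read as [A-Za-z]+ (my assumption).
SIMPLE_RULES = [(re.compile(p), fam) for p, fam in [
    (r"^_AVIRA_[A-Za-z]+$", "ZBot"), (r"^__SYSTEM__[A-Za-z]+$", "ZBot"),
    (r"^svchost_test_started$", "TDL3"), (r"^Flameddos$", "Bifrost"),
    (r"^__b4ng__b4ng__38$", "Tigger"), (r"^Jo1ezdsl$", "Bankpatch.C"),
    (r"^Jhdheddfffffhjk5trh$", "Allaple"), (r"^1337bot$", "Spybot"),
    (r"^Rootz$", "Sdbot"),
]]
# Sality is flagged only when its primary mutex and an *exeM_* mutex coexist.
SALITY_PRIMARY = re.compile(r"^(Op1mutx9|Ap1mutx7)$")
SALITY_COMPANION = re.compile(r"exeM_")

def parse_handle_log(text):
    """Map (image, pid) -> list of Mutant object base names."""
    procs, current = {}, None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            current = (m.group("image"), int(m.group("pid")))
            procs.setdefault(current, [])
        elif current is not None and (h := HANDLE_RE.match(line)):
            # Drop the \Sessions\N\BaseNamedObjects\ prefix, keep the object name.
            procs[current].append(h.group("name").rsplit("\\", 1)[-1])
    return procs

def scan(procs):
    """Return (image, pid, mutex, family) for every blacklist match."""
    hits = []
    for (image, pid), names in procs.items():
        hits += [(image, pid, n, fam) for n in names for rx, fam in SIMPLE_RULES if rx.match(n)]
        if any(SALITY_PRIMARY.match(n) for n in names) and \
           any(SALITY_COMPANION.search(n) for n in names):
            hits.append((image, pid, "Op1mutx9/Ap1mutx7 + *exeM_*", "Sality"))
    return hits
```

On the sample log, scan(parse_handle_log(SAMPLE_LOG)) reports the TDL3 marker in svchost.exe and the Sality pair in bfgh.exe, while explorer.exe produces no hit.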

Note that the presence of specific mutexes can also be detected in a full memory dump of an infected system using Andreas Schuster's mutantscan plugin for Volatility.

Of course, this method does not give complete information about how to subsequently disinfect the system, and the virus writer can remove this "detection" with just a few changes in the code; on the other hand, its advantages are expressiveness and simplicity of managing the database.

Source: https://habr.com/ru/post/114713/
