
Experienced trifles-9, or "You are sick! How will we treat you?"

The continuation of "Experienced trifles". Previous parts can be read here.

From time to time every system administrator has to check a "suspicious" computer for malware: strange traffic is coming from it, strange windows pop up, or, worse, it has caught some WinLock. I will describe a simple, almost step-by-step express method that we offer to our new support engineers. Some may find it incomplete or too simple; nevertheless, many problems can be identified with its help, and understanding the problem is half the solution. In any case, I will be glad to read your additions and useful tips on this topic in the comments.


In general, examining a computer "in search of infection" is a fascinating but thankless occupation. Often the time you spend searching and cleaning is much longer than the time a complete reinstall of the computer, with the data preserved, would take.
A close examination of a computer is worth doing only for your own education or pleasure, or when it carries non-portable software (software whose settings nobody knows how to transfer to a new computer, or where doing so is very time-consuming or resource-intensive). With that in mind, we tried to make the check as fast and cheap as possible. If the problem cannot be understood with it, the computer is usually reinstalled, or, in particularly important cases, handed over to the senior admins for a closer examination.
Another important point: for an inexperienced "sapper" to check an infected computer correctly, you first need to teach him what is "normal" on it and what is not. For this we first give trainees a freshly installed, clean computer with an approximate set of our internal software, and they train on it: simply run all the checks and see what comes out. In this way they accumulate a so-called "clean computer template". They see with their own eyes how the test utilities trigger on ordinary things that are present even on deliberately clean computers (for example, AVZ goes wild if the computer has Symantec Endpoint Protection, and so on). Later, when checking in real conditions, these "deviations" are noticed quite easily.
  1. Run AVZ on the machine with fresh databases. In the parameters set: heuristics to maximum, advanced analysis, and user-mode rootkit blocking depending on how important the machine is. In general it is better to start by simply running the check and looking at the result without blocking anything. Check the SPI configuration and the open TCP/UDP ports using the same AVZ. Examine the result, compare it with the output from a clean machine, and weed out the known programs that cause triggers (antiviruses, interceptors like PuntoSwitcher, etc.). Analyze the difference, if any.
  2. "For enthusiasts", you can go through the items of the SERVICE menu in AVZ. Search for gray (unidentified) lines under Program Files, Documents And Settings and Windows. Try to understand what each one is and why it is there. On important computers it is better to look at ALL items (Managers..., Dispatchers..., etc.) of the SERVICE menu.
  3. Launch Autoruns from Sysinternals. Enable the Verify Code Signatures option. Analyze the result for "strangeness": pay attention to the paths and names, and to the Publisher and Description columns.
  4. Check the processes already running using Process Explorer from Sysinternals. Pay attention to the path of the launched program (you need to enable this column additionally in the View - Select Columns menu).
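The comparison with the "clean computer template" in step 1 and the Autoruns review in step 3 can be mechanised once both machines' autostart lists have been exported. The Python script below is an added example, not code from the article or from Sysinternals: it parses two Autoruns CSV exports (the column layout is assumed to be the header written by `autorunsc.exe -a * -c -s`; check the first line of your own export before relying on it), reports every autostart that the clean template does not have together with the signer, description and path observations the article tells you to look at, and also lists template entries that have disappeared from the suspect machine (a vanished antivirus autostart is a finding in itself). Both exports are constructed sample data.

```python
import csv
import io

# Added example, not code from the article or from Sysinternals.
# Assumed CSV layout: the header written by "autorunsc.exe -a * -c -s" (no -t);
# verify it against the first line of your own export.

# Constructed export from the clean reference machine (the "clean computer template").
CLEAN_CSV = r'''Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe,enabled,Logon,System-wide,CTF Loader,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\ctfmon.exe,5.1.2600.5512,C:\WINDOWS\system32\ctfmon.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ccApp,enabled,Logon,System-wide,Symantec User Session,(Verified) Symantec Corporation,Symantec Corporation,c:\program files\common files\symantec shared\ccapp.exe,11.0.0.0,C:\Program Files\Common Files\Symantec Shared\ccApp.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Punto Switcher,enabled,Logon,System-wide,Punto Switcher,(Not verified) Yandex,Yandex,c:\program files\yandex\punto switcher\punto.exe,3.2.0.0,C:\Program Files\Yandex\Punto Switcher\punto.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit,userinit.exe,enabled,Logon,System-wide,Userinit Logon Application,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\userinit.exe,5.1.2600.5512,C:\WINDOWS\system32\userinit.exe
'''

# Constructed export from the suspect machine: the antivirus autostart is gone,
# Userinit now points into the user's Temp folder, and one new signed entry appeared.
SUSPECT_CSV = r'''Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe,enabled,Logon,System-wide,CTF Loader,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\ctfmon.exe,5.1.2600.5512,C:\WINDOWS\system32\ctfmon.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Punto Switcher,enabled,Logon,System-wide,Punto Switcher,(Not verified) Yandex,Yandex,c:\program files\yandex\punto switcher\punto.exe,3.2.0.0,C:\Program Files\Yandex\Punto Switcher\punto.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Adobe Reader Speed Launcher,enabled,Logon,System-wide,Adobe Acrobat SpeedLauncher,(Verified) Adobe Systems Incorporated,Adobe Systems Incorporated,c:\program files\adobe\reader 9.0\reader\reader_sl.exe,9.0.0.0,C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit,userinit.exe,enabled,Logon,System-wide,,(Not verified),,c:\documents and settings\user\local settings\temp\userinit.exe,,C:\Documents and Settings\user\Local Settings\Temp\userinit.exe
'''


def parse_autoruns(csv_text):
    """Rows of an Autoruns CSV export as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def entry_key(row):
    """Identity of an autostart: where it lives, its name, and what it actually launches."""
    return (row["Entry Location"], row["Entry"], row["Image Path"].lower())


def suspicion_reasons(row):
    """The things the article tells the engineer to eyeball: signer, description, path."""
    reasons = []
    if not row["Signer"].startswith("(Verified)"):
        reasons.append("code signature not verified")
    if not row["Description"].strip() or not row["Company"].strip():
        reasons.append("empty Description/Company column")
    path = row["Image Path"].lower()
    if "\\temp\\" in path or "\\documents and settings\\" in path or "\\users\\" in path:
        reasons.append("image lives in a user profile or temp directory")
    return reasons


def compare_with_template(clean_csv, suspect_csv):
    """Diff a suspect export against the clean template.

    Returns (new_entries, missing_entries): new_entries holds
    (location, entry, image path, reasons) for autostarts the template does not
    have, worst first; missing_entries holds (location, entry, image path) for
    template autostarts the suspect machine no longer has."""
    clean_rows = parse_autoruns(clean_csv)
    suspect_rows = parse_autoruns(suspect_csv)
    clean_keys = {entry_key(r) for r in clean_rows}
    suspect_keys = {entry_key(r) for r in suspect_rows}
    new_entries = [
        (r["Entry Location"], r["Entry"], r["Image Path"], suspicion_reasons(r))
        for r in suspect_rows if entry_key(r) not in clean_keys
    ]
    new_entries.sort(key=lambda e: -len(e[3]))
    missing_entries = [entry_key(r) for r in clean_rows if entry_key(r) not in suspect_keys]
    return new_entries, missing_entries


if __name__ == "__main__":
    new, missing = compare_with_template(CLEAN_CSV, SUSPECT_CSV)
    print("Autostarts not in the clean template:")
    for location, entry, image, reasons in new:
        print(f"  {entry} -> {image}  [{'; '.join(reasons) or 'no obvious flags'}]")
    print("Template autostarts missing on the suspect machine:")
    for location, entry, image in missing:
        print(f"  {entry} -> {image}")
```

Entries that are in the template are not reported at all, even when they are unsigned: that is exactly the "known triggers" the article says to weed out (PuntoSwitcher in the sample). A new entry with no flags (the Adobe launcher here) still appears in the list, because "new since the template" is itself what the engineer has to explain.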

Performing the described procedures and carefully analysing the results lets you decide what to do next: clean the computer or send it for reinstallation. The process of cleaning a system is almost always non-standard and creative. Some infections are quite hard to remove: they burrow deep into the services, watch for their own removal from the autostart locations, replace the shell, and so on. And then there are rootkits. Be prepared for the fact that the final cleanup will most likely only look good; the easiest path is likely to be incomplete. If you nevertheless decide to, you can clean the system, for example, like this:
  1. Disable System Restore and check that all restore points are cleared. Traditionally this is a favourite "bomb shelter" for all sorts of infections.
  2. Clean everything possible using AVZ (be sure to enable AVZ-Guard mode, in which AVZ blocks the launch of third-party software and allows programs to run only from its own interface; start everything you need from AVZ; run the troubleshooting wizard: system cleanup, deferred file deletion, rootkit blocking, etc.).
  3. After (!) blocking rootkits with AVZ, while still in AVZ-Guard mode, start the Autoruns utility from Sysinternals and carefully examine its output. Malware is usually either written into the autostart registry branches or it replaces the shell. Experience, a keen eye and the "clean computer template" will help here.
  4. Manually clean the profile of the infected user:
    • Temporary folders (%User%\Local Settings\Temp)
    • Browser cache (%User%\Local Settings\Temporary Internet Files\Content.IE5)
    • Browser history (%User%\Local Settings\History\History.IE5)
    • Reset Internet Explorer to its defaults (Tools - Internet Options - Advanced - Reset)
    • In Internet Explorer, check the add-ons (Tools - Internet Options - Programs - Manage add-ons). Disable or delete the extra ones.
    • (Note that after these actions the current user will lose browsing history, saved passwords, cookies, etc.)
    • Similarly go through the profiles of third-party browsers if the user uses them.
  5. Check the environment variables (type SET at the command line), paying particular attention to PATH; clean it if necessary, but be careful not to delete anything that is needed. The "clean system template" from training will help here.
  6. Check the System event log from the last boot (the entries after events 6009 / 6005). Pay attention to errors when starting services and loading drivers.
  7. You can run portable versions of popular antiviruses, for example Dr.Web CureIt! (it is free only for personal use, remember this) or the equivalent from Kaspersky Lab. Such antivirus utilities are updated regularly, and each time you will most likely have to download them again with fresh databases. They need not check everything, just the Documents And Settings, Program Files and Windows folders.
  8. If the result is not satisfactory, boot from any live CD (BartPE, Alkid LiveCD, Hiren's BootCD, etc.) and check with the same antivirus tools.
  9. Check the dates of the files in the Windows and Windows\System32 folders. Pay special attention to files changed on the day of the infection or the day before. If they have correct names and at first glance are needed for the system to work, replace them with the same files from a neighbouring system (note that this can only be done between systems that are at least approximately identical: you cannot replace userinit.exe from WinXP SP2 with the file from WinXP SP3, etc.).
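Step 9 (files in Windows and System32 changed on the day of infection or the day before, compared with the same files on a neighbouring system of the same version) can also be done mechanically. The Python below is an added example, not the article's own procedure: it lists the files whose last-write time falls in that two-day window and, for each, compares its SHA-256 with the same-named file in a reference directory. The directories, file contents, file names and the infection date (2011-06-20) are constructed in a temporary folder for the demo; on a real machine you would point `compare_with_reference` at `C:\Windows\System32` and at the reference system's copy of it.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Added example, not the article's own procedure. Everything below runs on a
# constructed temporary directory tree; on a real machine point the functions at
# C:\Windows\System32 and at the reference system's copy of it.

INFECTION_DAY = datetime(2011, 6, 20, 14, 0)  # constructed date for the demo


def sha256_of(path):
    """SHA-256 of a file, read in chunks so a large DLL need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def recently_changed(directory, infection_day, days_before=1):
    """Files directly under `directory` whose last-write time falls on the
    infection day or up to `days_before` days earlier (the article's
    'the day or the day before')."""
    start = datetime(infection_day.year, infection_day.month, infection_day.day)
    start -= timedelta(days=days_before)
    end = start + timedelta(days=days_before + 1)
    hits = []
    for p in Path(directory).iterdir():
        if p.is_file():
            mtime = datetime.fromtimestamp(p.stat().st_mtime)
            if start <= mtime < end:
                hits.append(p)
    return sorted(hits)


def compare_with_reference(suspect_dir, reference_dir, infection_day):
    """For each recently changed file, report whether the same-named file on the
    reference system (same Windows version and service pack!) has identical content."""
    report = {}
    for p in recently_changed(suspect_dir, infection_day):
        ref = Path(reference_dir) / p.name
        if not ref.is_file():
            report[p.name] = "no counterpart on reference system"
        elif sha256_of(p) == sha256_of(ref):
            report[p.name] = "identical to reference"
        else:
            report[p.name] = "DIFFERS from reference"
    return report


def build_demo():
    """Create a constructed 'suspect' and 'reference' System32 and return the report."""
    base = Path(tempfile.mkdtemp(prefix="triage-demo-"))
    suspect, reference = base / "suspect_system32", base / "reference_system32"
    suspect.mkdir()
    reference.mkdir()
    # name: (content on suspect, content on reference or None, suspect last-write time)
    scenario = {
        "userinit.exe": (b"MZ-replaced-copy", b"MZ-genuine-userinit", INFECTION_DAY - timedelta(hours=3)),
        "kernel32.dll": (b"MZ-genuine-kernel32", b"MZ-genuine-kernel32", INFECTION_DAY - timedelta(days=1, hours=2)),
        "shell32.dll": (b"MZ-genuine-shell32", b"MZ-genuine-shell32", INFECTION_DAY - timedelta(days=30)),
        "dropped.dll": (b"MZ-unknown-module", None, INFECTION_DAY + timedelta(hours=5)),
    }
    for name, (suspect_bytes, reference_bytes, mtime) in scenario.items():
        target = suspect / name
        target.write_bytes(suspect_bytes)
        ts = mtime.timestamp()
        os.utime(target, (ts, ts))  # backdate the file to the scenario's last-write time
        if reference_bytes is not None:
            (reference / name).write_bytes(reference_bytes)
    return compare_with_reference(suspect, reference, INFECTION_DAY)


if __name__ == "__main__":
    for name, verdict in build_demo().items():
        print(f"{name:15} {verdict}")
```

A file that differs from the reference is not automatically malicious (an update may have landed on one machine and not the other); it is a candidate for closer inspection, and the article's caveat applies in full: the reference must be the same Windows version and service pack, otherwise every system file will "differ".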


If you still could not cure the machine, try the specialised forum threads, for example Virusinfo, and if they did not help there, seriously consider reinstalling the system: a trojan can be cured, but you will spend a lot of time on it and there will most likely be no guarantee of a complete cure. The time spent on this could be put to much better use.

Upd: For more clarity I will add: the machines examined in this way are ALREADY disconnected from the network, and the data has been taken off them (if it can be taken). This express method was written to train personnel, so that inexperienced support engineers can quickly and with minimal effort decide whether the computer should be cured or reinstalled.

To be continued

Source: https://habr.com/ru/post/122670/
