Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: More along the lines of malware disinfection

from [Devin Ganger] Network Security [Permanent Link]
Subject: RE: More along the lines of malware disinfection
Date: Tue, 18 Mar 2008 10:46:52 -0700 
My experience is that if the malware has its hooks into the system that far, 
it's quicker and less painless to just wipe the system. I can never trust, from 
that point on, that I've gotten everything out of the system. With malware like 
that, it's like trying to rip blackberry bushes out of your garden -- make damn 
sure you've gotten every fragment of every root out of the ground, or you're 
going to be seeing it again soon.

--
Devin L. Ganger, Exchange MVP      Email: deving@3sharp.com
3Sharp                             Phone: 425.882.1032
14700 NE 95th Suite 210             Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/



-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com] On Behalf Of Mike Moratz-
Coppins
Sent: Tuesday, March 18, 2008 6:33 AM
To: focus-ms@securityfocus.com
Subject: More along the lines of malware disinfection

I thought I would ask this considering the level of response I had
on
the last thread I started, in the hope that someone might suggest a
technique for this problem.

When removing malware of one sort or another, I have had the
situation
quite a few times where a dodgy dll/exe couldn't be removed/renamed
in
normal or any safe mode, and attempts to remove its links from the
registry to stop it from starting result in the malware recreating
those
links instantly (for example, a bit of malware inserts itself into
the
winlogon notify list).  Normally I will boot off the XP CD to the
recovery console and rename the offending file(s) there, however,
the
Windows XP recovery console does not allow you into the "Documents
and
Settings" folder (access denied), and I have had it once or twice
where
a bit of malware is stored inside that directory structure and has
full
privs on the system.

On one occasion I tried inserting an extra command into the session
manager's BootExecute key, just telling it to delete the file in
question.  Admittedly I was hastily trying multiple strategies, so
I
don't know whether this particular strategy worked, but I doubt it
did
since the delete command is stored in cmd.exe.  Perhaps a batch
file
could have done it but I doubt that the BootExecute system would
allow
commands to spawn other processes.

Anyway, any ideas, as I probably will come up against this scenario
again :)


--
Mike Moratz-Coppins
mike@mikeymike.org.uk
http://www.mikeymike.org.uk/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  More along the lines of malware disinfection, Mike Moratz-Coppins
Next by Date:  RE: Compromised WinXP box prob, Devin Ganger
Previous by Thread:  More along the lines of malware disinfection, Mike Moratz-Coppins
Next by Thread:  RE: More along the lines of malware disinfection, Express Web Systems, Inc.
Indexes:  [Date] [Thread] [Top] [All Lists]