10 ways to detect computer malware

By Michael P. Kassner

Cybercriminals are putting forth every effort to make malware difficult to detect. Successfully, I might add. Ever optimistic, I thought I would have a go at providing information on how to make their job more difficult.

Post on 08-Apr-2018


Page 1: 10 ways to detect computer malware

8/7/2019 10 ways to detect computer malware

http://slidepdf.com/reader/full/10-ways-to-detect-computer-malware 1/19


Page 2: 10 ways to detect computer malware


With all the different terms, definitions, and terminology, trying to figure out what's what when it comes to computer malware can be difficult. To start things off, let's define some key terms that will be used throughout the presentation:

• Malware: Malicious software that's specifically developed to infiltrate or cause damage to computer systems without the owners' knowledge or permission.

• Malcode: Malicious programming code that's introduced during the development stage of a software application and is commonly referred to as the malware's payload.

• Anti-malware: Includes any program that combats malware, whether it's real-time protection or detection and removal of existing malware. Anti-virus and anti-spyware applications and malware scanners are examples of anti-malware.

Keeping the above definitions in mind, let's look at 10 ways to detect computer malware.

Page 3: 10 ways to detect computer malware


• Knowing exactly what is running on a computer is paramount to learning what shouldn't be.

• Creating a reference base-line is the best way I've found to accomplish this.

• Let's look at three applications that do just that.

Page 4: 10 ways to detect computer malware


• Process Explorer is an excellent way to determine what processes are running on a computer.

• Process Explorer also describes the function of each process.

• More importantly, Process Explorer can be used to create a base-line of the running processes used by the computer when it's operating correctly.

• If for some reason the computer starts behaving poorly, run Process Explorer again and compare the scans.

• Any differences would be good places to start looking for malware.
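The comparison the slide describes, as an added example that is not part of the original presentation: a small Python script that diffs a saved process baseline against a later snapshot. The tab-separated snapshot format (process name, image path, SHA-256 of the image) and both sample snapshots are assumptions constructed for the example, not Process Explorer's own saved log format. Beyond plain new and missing processes, it also flags a known name running from an unexpected path and a changed image hash, the two differences a responder would want to look at first.

```python
"""Diff a saved process baseline against a later snapshot (added example).
Snapshot format is an assumption: tab-separated name, image path, SHA-256.
Both snapshots are constructed sample data, not Process Explorer output."""

# Constructed baseline taken while the machine was behaving normally.
BASELINE = """\
svchost.exe\tC:\\Windows\\System32\\svchost.exe\taaaa1111
explorer.exe\tC:\\Windows\\explorer.exe\tbbbb2222
procexp.exe\tC:\\Tools\\procexp.exe\tcccc3333
"""
# Constructed later snapshot from the same machine, after it "behaves poorly".
CURRENT = """\
svchost.exe\tC:\\Windows\\System32\\svchost.exe\taaaa1111
svchost.exe\tC:\\Users\\Public\\svchost.exe\tdddd4444
explorer.exe\tC:\\Windows\\explorer.exe\teeee5555
updater.exe\tC:\\Users\\alice\\AppData\\Roaming\\updater.exe\tffff6666
"""

def parse_snapshot(text):
    """Map (name, path) -> image hash; case-folded because NTFS paths are."""
    procs = {}
    for line in text.strip().splitlines():
        name, path, digest = line.split("\t")
        procs[(name.lower(), path.lower())] = digest
    return procs

def compare_snapshots(baseline_text, current_text):
    """Return the differences worth triaging, grouped by kind."""
    base = parse_snapshot(baseline_text)
    cur = parse_snapshot(current_text)
    known_names = {name for name, _ in base}
    report = {"new": [], "missing": [], "changed_hash": [], "name_reused": []}
    for key, digest in cur.items():
        if key in base:
            if base[key] != digest:
                # Same path, different binary: a patch, or a replaced file.
                report["changed_hash"].append(key)
        elif key[0] in known_names:
            # Familiar name from an unfamiliar path: a classic masquerade sign.
            report["name_reused"].append(key)
        else:
            report["new"].append(key)
    # Anything from the baseline that is no longer running.
    report["missing"] = [key for key in base if key not in cur]
    return report

if __name__ == "__main__":
    for kind, items in compare_snapshots(BASELINE, CURRENT).items():
        print(kind, items)
```

A changed hash is not proof of anything by itself (a legitimate update changes it too), so treat the report as the list of places to start looking, as the slide says, not as a verdict.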

Page 5: 10 ways to detect computer malware


• HiJackThis is Process Explorer on steroids, making the application somewhat daunting to those of us not completely familiar with operating systems.

• Still, running HiJackThis before having malware problems creates a great reference base-line, making it easy to spot changes.

• If it's too late to run a base-line scan, do not fear. There are several Web sites with on-line applications that will automatically analyze the log file from HiJackThis, pointing out possible conflicts. Two that I use are HiJackThis.de Security and NetworkTechs.com.

• If you would rather have trained experts help, I would recommend WindowSecurity.com's HiJackThis forum.

Page 6: 10 ways to detect computer malware


• Kaspersky has an application similar to HiJackThis called GetSystemInfo.

• I like the fact that Kaspersky has an online parser. Just upload the log file and the parser will point out any disparities.

• GetSystemInfo, like the other scanners, is a good way to keep track of what's on the computer and, if need be, help find any malware that happens to sneak in.

Page 7: 10 ways to detect computer malware


Page 8: 10 ways to detect computer malware


• Remember the definition of anti-malware? Combat malware by providing real-time protection or malware removal.

• That's exactly what vulnerability scanners do: proactively detect vulnerabilities so malware cannot gain a foothold.

• I'd rather update applications than chase malware any day.

Page 9: 10 ways to detect computer malware


• Microsoft Baseline Security Analyzer (MBSA) is a vulnerability scanner that detects insecure configuration settings and checks all installed Microsoft products for missing security updates.

• I recommend using MBSA when upper management needs convincing. Making a case for needing a vulnerability scanner is sometimes easier if the product is from the OEM.

Page 10: 10 ways to detect computer malware


Page 11: 10 ways to detect computer malware


• Remember when I mentioned "It's simple, no vulnerabilities, no malware"? Well, it's not exactly that easy.

• It would be, except for those nasty things called zero-day exploits and zero-day viruses.

• That's where anti-virus applications come into play, especially if they use heuristics.

Page 12: 10 ways to detect computer malware


• Lately, anti-virus software is getting little respect. Like everyone, I get frustrated when my anti-virus program misses malcode that other scanners manage to find.

• Still, I would not run a computer without anti-virus. It's too risky. I subscribe to the layered approach when it comes to security.

• Choosing the correct anti-virus application is personal. Comments come fast and furious when someone asks TechRepublic members which one is the best.

• A majority feel that any of the free versions are fine for non-business use. I use Avast or Comodo on Windows machines.

Page 13: 10 ways to detect computer malware


• The next class of anti-malware is capable of both detecting and removing malware.

• I'm sure you are wondering why not just use these from the start. I wish it was that simple.

• In explanation, scanners use signature files and heuristics to detect malware. Malware developers know all about each and can morph their code, which then nullifies signature files and confuses heuristics. That's why malware scanners aren't the cure-all answer; maybe someday.

Page 14: 10 ways to detect computer malware


• I wanted to make sure and mention that you need to be careful when picking malware scanners.

• The bad guys like to disguise malware (antivirus 2009) as a malware scanner, claiming it will solve all of your problems.

• All four of the ones that I have chosen are recommended by experts.

Page 15: 10 ways to detect computer malware


Malicious Software Removal Tool (MSRT) is a good general malware removal tool, simply because Microsoft should know whether the scanned code is theirs or not. Three things I like about MSRT are:

• The scan and removal process is automated.

• Windows Update keeps the signature file database current automatically.

• It also has the advantage of being an OEM product, thus less intrusive and more likely to be accepted by management.

Page 16: 10 ways to detect computer malware


• SUPERAntiSpyware is another general purpose scanner that also does a good job of detecting and removing most malware.

• I have used it on several occasions and found it to be more than adequate.

• Several TechRepublic members have mentioned to me that SUPERAntiSpyware was the only scanner they found capable of completely removing antivirus (malware).

Page 17: 10 ways to detect computer malware


• Malwarebytes Anti-Malware (MBAM) malware scanner was the most successful of the four I tested. I was first introduced to it by world-renowned malware expert Dr. Jose Nazario of Arbor Networks.

• For a detailed explanation of how MBAM works, please refer to my post Malware scanners: MBAM is best of breed.

• Still, MBAM does not catch everything. As I pointed out in the MBAM article, it misses some of the more-sophisticated malware, especially rootkits. When that happens I turn to the next malware scanner.

Page 18: 10 ways to detect computer malware


• I explained in Rootkits: Is removing them even possible why it's hard to find rootkit malware.

• Fortunately, GMER is one of the best when it comes to detecting and removing rootkits, enough so to be recommended by Dr. Nazario.

Page 19: 10 ways to detect computer malware


Using the above anti-malware techniques will go a long way in making it tough for malware developers, especially if you:

• Make sure all software on your computer is up-to-date.

• Run a base-line scan and save the log file; you may need it later.

• Sophisticated malware runs quietly, so scan for malware on a regular basis.

For more information, please refer to The 10 faces of computer malware.