Automatically detecting malware that kills processes?
Posted: Sun Apr 15, 2012 10:30 am
It's somewhat common for malware to kill processes such as from various anti-malware software, Process Monitor/Explorer, Wireshark, etc.
If it usually does that by looking at the window title of each program, would it be possible to run a small program across the network with psexec that simply changes its window title in order to see if it can trick malware into killing it before it's done? That would turn self-defending malware against itself...
-

Audio - Senior Member
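The "canary" the original post describes, as an added example that is not code from the original post or from any poster. It only changes the console window title, exactly as proposed, and records in a log whether the process lives to the end of a fixed observation window; the decoy title, the log path and the default duration are assumptions, and the script would be pushed to endpoints with psexec and the log files collected afterwards.

```powershell
# Added example (not from the thread): a canary that takes on a decoy window
# title and records whether it survives a fixed observation window.
# All names, paths and durations below are assumptions.

param(
    [string]$DecoyTitle = "Process Monitor - Sysinternals: www.sysinternals.com",  # constructed decoy title
    [int]$Seconds       = 120,                                                     # observation window
    [string]$LogPath    = "$env:ProgramData\canary-$env:COMPUTERNAME.log",         # assumed log location
    [switch]$Check                                                                 # parse an existing log instead of running
)

function Write-CanaryLine([string]$Text) {
    "$(Get-Date -Format o) $Text" | Out-File -FilePath $LogPath -Append -Encoding utf8
}

function Start-Canary {
    # Only the window title changes, as the post proposes; the process name stays
    # powershell.exe, so a killer that matches on process name will not react.
    $Host.UI.RawUI.WindowTitle = $DecoyTitle
    Write-CanaryLine "START pid=$PID title='$DecoyTitle'"
    for ($i = 1; $i -le $Seconds; $i++) {
        Start-Sleep -Seconds 1
        # Heartbeat every 10 s: if the canary is terminated, the last line of the
        # log is a heartbeat (or START) rather than END, and its timestamp bounds
        # the moment of the kill to within 10 s.
        if ($i % 10 -eq 0) { Write-CanaryLine "ALIVE pid=$PID elapsed=$i" }
    }
    Write-CanaryLine "END pid=$PID survived=$Seconds"
}

function Test-CanaryLog([string]$Path) {
    # Summarises one collected log file: did the canary reach its END marker?
    $lines = @(Get-Content -Path $Path -ErrorAction SilentlyContinue)
    if ($lines.Count -eq 0) {
        return [pscustomobject]@{ Host = $Path; Completed = $false; LastEntry = ''; Verdict = 'no log written' }
    }
    $last      = $lines[-1]
    $completed = ($last -match ' END ')
    $verdict   = if ($completed) { 'survived' } else { 'terminated early - investigate this host' }
    [pscustomobject]@{
        Host      = ([System.IO.Path]::GetFileNameWithoutExtension($Path) -replace '^canary-', '')
        Completed = $completed
        LastEntry = $last
        Verdict   = $verdict
    }
}

if ($Check) {
    Test-CanaryLog -Path $LogPath | Format-List
} else {
    Start-Canary
}
```

Run it without arguments on the endpoint (for example through psexec) and later with `-Check` against each collected log. A log whose last line is a heartbeat is the signal the post is after: something ended the canary before its window elapsed, and the heartbeat timestamp gives a narrow interval to look at in process-creation or AV logs. As the replies below note, the approach only catches killers that key on the window title, and a killer that scans once at its own start-up would be missed unless the canary is already running when the malware launches.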
Re: Automatically detecting malware that kills processes?
Posted: Sun Apr 15, 2012 7:07 pm
There are several different ways to detect a particular process.
For example it could be done from the executable's path, file size, executable strings, code signing certificate, etc., and not just the title.
You would also probably find that the malware was only checking the process on launch, and not checking it again once it was up and running.
-

Passmark - Senior Member
Re: Automatically detecting malware that kills processes?
Posted: Sun Apr 15, 2012 11:44 pm
- Passmark
You would also probably find that the malware was only checking the process on launch, and not checking it again once it was up and running.
Agreed. I've never seen malware check constantly for running processes. It might of course exist, but that must be very rare.
-

cedricpernet - Member
Re: Automatically detecting malware that kills processes?
Posted: Mon Apr 16, 2012 6:17 am
- Audio
If it usually does that by looking at the window title of each program, would it be possible to run a small program across the network with psexec that simply changes its window title in order to see if it can trick malware into killing it before it's done? That would turn self-defending malware against itself...
Sure, for this particular type of malware, that might work. I've seen malware that looks for processes by name, rather than window title; as such, the technique you've described would not work.
Another means that you might consider is to identify those "security" programs that are installed and running on all systems within your domain. For example, if you know that your infrastructure uses McAfee or Symantec for AV, you can use WMI to query the status of the specifically named process on all active systems. You can do the same for the Security Center...some AV specifically registers with the Security Center, so you can see if the firewall and AV are up and running. This would simply be an alternative approach that you could use, rather than pushing something new to all the systems to be run.
HTH
-

keydet89 - Senior Member
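The WMI inventory keydet89 suggests, as an added example that is not code from the thread or from any poster: it asks each host for its process list and for the products registered with Security Center. The host names and the AV process name are assumptions to be replaced with the names used in your own environment.

```powershell
# Added example (not from the thread): confirm over WMI that the expected AV
# process is running on each host and that an AV / firewall product is
# registered with Security Center. Host names and the process name are
# assumptions; substitute the names from your own domain.

$Computers         = @("WS01", "WS02", "FILESRV01")   # constructed host list
$ExpectedProcesses = @("mcshield.exe")                # assumed AV engine process name

function Get-SecurityProcessStatus {
    param([string[]]$ComputerName, [string[]]$ProcessName)
    foreach ($c in $ComputerName) {
        try {
            # Win32_Process lists every process on the host; -contains compares
            # names case-insensitively.
            $running = Get-WmiObject -Class Win32_Process -ComputerName $c -ErrorAction Stop |
                       Select-Object -ExpandProperty Name
            foreach ($p in $ProcessName) {
                $isRunning = ($running -contains $p)
                $detail    = if ($isRunning) { 'running' } else { 'NOT running' }
                [pscustomobject]@{ Computer = $c; Check = "process:$p"; Ok = $isRunning; Detail = $detail }
            }
        } catch {
            [pscustomobject]@{ Computer = $c; Check = 'wmi'; Ok = $false; Detail = "unreachable: $($_.Exception.Message)" }
        }
    }
}

function Get-SecurityCenterStatus {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        # root\SecurityCenter2 exists on Vista and later; AV and firewall products
        # that register with Security Center appear here with a productState code.
        foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
            $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class `
                                      -ComputerName $c -ErrorAction SilentlyContinue
            if (-not $products) {
                [pscustomobject]@{ Computer = $c; Check = "securitycenter:$class"; Ok = $false; Detail = 'nothing registered' }
                continue
            }
            foreach ($prod in $products) {
                # productState is shown raw (hex); its bit layout is vendor-specific.
                $detail = "$($prod.displayName) productState=0x$('{0:X6}' -f $prod.productState)"
                [pscustomobject]@{ Computer = $c; Check = "securitycenter:$class"; Ok = $true; Detail = $detail }
            }
        }
    }
}

$report = @(Get-SecurityProcessStatus -ComputerName $Computers -ProcessName $ExpectedProcesses) +
          @(Get-SecurityCenterStatus  -ComputerName $Computers)

# Only the failures need a human: a host whose AV process is missing, or with
# nothing registered in Security Center, is where a process-killing infection
# (or a plain misconfiguration) would show up.
$report | Where-Object { -not $_.Ok } | Format-Table -AutoSize
```

Nothing is pushed to the endpoints; the check runs from one workstation with rights to query WMI remotely. Treat the answers as the endpoint's own account of itself: they come from the same operating system the malware is running on, so a missing process that the AV console believes is healthy (or vice versa) is the discrepancy worth investigating, not either source alone.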
Re: Automatically detecting malware that kills processes?
Posted: Mon Apr 16, 2012 11:40 am
Great answers, thanks guys!
-

Audio - Senior Member