How malwares hide


2 replies to this topic

#1 chepukha
Posted 14 July 2010 - 10:51 AM

Hi all,
I've just read the tutorial "How Malware hides and is installed as a service on Windows NT/XP/2000/2003" by Lawrence Abrams (http://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/).

First of all, I'd like to thank the author very much for his interesting and informative tutorial.
As there is no way to comment or ask the author, I decided to post my questions here.

I wonder, of the many services shown in the list, how can we decide which services to kill?

Abrams provided a batch file to get a list of running services. But look at his example (SSearch.biz): if we look at the service name (pnpsvc) and display name (Plug n Play...), there's no way to know it is SSearch.biz. And it seems every service has a good description. How can we know which service is malware?

Is there any list of suspicious services?

Thanks,
Chepukha

#2 hamluis
Posted 14 July 2010 - 12:43 PM

It is up to the user...to determine whether a listed service is valid...or not, since malware can be disguised as or mistaken for a valid service when one looks only at a filename.

IMO, the key characteristics a user needs are:

a. The ability to use Google or some other search engine to look up available info on any suspect file.

b. The understanding that what one "sees" is often not what is on that printed page. Example: iexplore.exe is valid, while iexplorer.exe is often seen by users to be the valid service.

c. The understanding that file placement and typical file size data is readily available, using Google or other search engine, for many (if not most) valid filenames. If a file presumed to be legit is in a location that it should not be...and the file size does not tie in with listed known filesizes...that should be an alarm.

Dated, but still applicable: Are You Infected? Detecting Malware Infection - http://www.securityfocus.com/infocus/1666.

Malware grows more sophisticated daily, while users seem to grow more careless or unconcerned, IMO. The chief weakness in any system's security posture...seems to lie with the user, not with all the programs, schemes, and procedures which have been devised...to assure users a system that is free of malware or at least capable of negating such.

That's the approach I take...there is no easy answer other than to address my biggest obstacle to system security...which is...myself.

Louis
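
One way to put Louis's points (b) and (c) into practice against the kind of service list Chepukha's batch file produces, as an added example that is not from the tutorial, from either poster, or from BleepingComputer: a PowerShell script that walks every installed service, resolves the binary that actually runs (for svchost-hosted services that is the ServiceDll, not svchost.exe itself), and flags binaries that are missing, sit outside the usual directories, carry a look-alike name for a core Windows binary, or lack a valid Authenticode signature. The directory roots and the core-name list are this example's own assumptions, and a flag is a reason to look the file up, not proof of malware. It needs PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example (not the tutorial's batch file and not from this thread): list every
# service with the binary that really backs it and flag the signs discussed above.
# Assumptions: the directory roots and core-name list below are this example's own;
# PowerShell 3.0 or later, run from an elevated prompt so every ImagePath is readable.

# Where legitimate service binaries normally live (assumed roots for the location check).
$ExpectedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
                   $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# Core Windows binaries that belong only under the Windows directory; a service binary
# named almost like one of these (svchosts.exe, lsasss.exe) is a look-alike (assumed list).
$CoreNames = @('svchost', 'lsass', 'services', 'csrss', 'winlogon', 'wininit', 'smss', 'spoolsv')

# Pull the executable out of an ImagePath, which may be quoted and carry arguments:
#   "C:\Program Files\Foo\foo.exe" -service     or     C:\Windows\system32\svchost.exe -k netsvcs
function Get-ServiceExePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($p, '^(.+?\.(exe|sys))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

# svchost.exe is only a host: the code that actually runs is the DLL named in
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll, so check that instead.
function Get-ServiceDllPath {
    param([string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
    return $null
}

# Apply the checks to one file: does it exist, is it where such files live, is its name a
# look-alike for a core binary, and does it carry a valid Authenticode signature?
function Test-ServiceBinary {
    param([string]$Path)
    $flags = @()
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return @('file missing') }

    $inExpected = $ExpectedRoots | Where-Object { $Path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
    if (-not $inExpected) { $flags += 'unusual location' }

    $base = [IO.Path]::GetFileNameWithoutExtension($Path)
    foreach ($core in $CoreNames) {
        if ($base -ieq $core) {
            if (-not $Path.StartsWith("$env:SystemRoot\", [StringComparison]::OrdinalIgnoreCase)) {
                $flags += "core binary '$core' outside the Windows directory"
            }
        } elseif ($base -like "$core?*") {
            $flags += "look-alike name for '$core'"
        }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $flags += "signature $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        # Not suspicious by itself, but this is the name to look up (Louis's point a).
        $flags += "non-Microsoft signer: $($sig.SignerCertificate.Subject)"
    }
    return $flags
}

$Report = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $target = Get-ServiceExePath $svc.PathName
    if ($target -and ([IO.Path]::GetFileName($target) -ieq 'svchost.exe')) {
        $hostedDll = Get-ServiceDllPath $svc.Name
        if ($hostedDll) { $target = $hostedDll }
    }
    $flags = @(Test-ServiceBinary $target)
    [pscustomobject]@{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName
        State       = $svc.State
        Binary      = $target
        SizeBytes   = if ($target -and (Test-Path -LiteralPath $target)) { (Get-Item -LiteralPath $target).Length } else { $null }
        Flags       = ($flags -join '; ')
    }
}

# Only the services that tripped a check; drop the Where-Object to see every service.
$Report | Where-Object { $_.Flags } | Sort-Object Name |
    Format-Table Name, DisplayName, Binary, SizeBytes, Flags -AutoSize -Wrap
```

In the SSearch.biz case from the tutorial, a service called pnpsvc with a Plug and Play display name would show up here with its real binary path, its size and an unsigned or out-of-place flag, which is exactly the information Louis says to feed into a search engine. The size column is there so it can be compared against the known sizes he mentions; the script itself carries no list of them.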

#3 chepukha

chepukha
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:09:30 AM

Posted 19 July 2010 - 12:03 PM

Thanks Louis.
