
Why Do I Get Clean AV Reports When I'm Infected?

4 replies to this topic

#1 LittleGreenDots
  • Members
  • 449 posts
  • OFFLINE
  • Gender:Male
  • Location:Metro Detroit Area
  • Local time:01:23 PM

Posted 25 July 2013 - 07:45 AM

I'm going through a nasty infection right now and will be reformatting and reinstalling Windows this weekend. I had some great help on this here at BleepingComputer. I'm trying to understand how this malware can hide from scans. I scanned with AV software (MS Security Essentials) and MalwareBytes and both gave my computer a clean report. I'm not a technically minded person but want to understand HOW malware works and can hide from detection. Can the infection code hide from the scan? I'd like to learn more but frankly am fearful of looking online for information on how malware works, how it attaches itself to code and the sorts of things it changes to do the nasty. Looking for information about malware seems like a good way to attract it.

I'd prefer a paper book actually.

Any recommendations?

Thanks.




#2 Anshad Edavana
  • Members
  • 2,805 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:10:53 PM

Posted 25 July 2013 - 08:14 AM

Hi

If you are fairly good at programming, especially in Assembly language, the following books might help you.

http://www.amazon.com/Practical-Malware-Analysis-Dissecting-Malicious/dp/159327

http://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033/ref=pd_bxgy_b_text_y


Edited by Anshad Edavana, 25 July 2013 - 08:15 AM.


#3 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,927 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:23 PM

Posted 25 July 2013 - 09:32 AM

Can the infection code hide from the scan?

Yes...with the aid of a rootkit.


Rootkits are powerful stealth system-monitoring programs that are almost impossible to detect. Rootkits are not a malware infection in and of themselves but are used by backdoor Trojans, Botnets and IRCBots to conceal their presence in order to prevent detection of the attacker's software and make removal more difficult. Rootkits can effectively hide their presence by intercepting and modifying low-level application programming interface (API) functions and can hide the presence of processes, folders, files and registry keys.

Not all rootkits are malicious. Legitimate programs can use rootkits for legitimate reasons, so their presence is not always indicative of a malware infection. It is normal for a Firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx), CD Emulators, sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

When used for malicious reasons, a rootkit takes active measures to obscure its presence (hide itself from view) within the host system through subversion or evasion of standard operating system security tools and APIs used for diagnosis, scanning, and monitoring. Rootkits are able to do this by modifying the behavior of an operating system's core parts through loading code into other processes, the installation or modification of drivers, or kernel modules. Rootkits hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Some algorithms used by rootkit detectors, such as BlackLight, attempt to find what the rootkit is hiding instead of detecting the presence of the rootkit's hooks. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode. Most rootkits are classified as malware, because the payloads they are bundled with are malicious.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe, which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. Anti-rootkit (ARK) scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden components may be detected when performing a scan to check for the presence of rootkits, and you should not be alarmed if any hidden entries created by legitimate programs are detected. In most cases further investigation is required after the initial ARK scan by someone trained in rootkit detection or with advanced knowledge of the operating system. Report logs need to be analyzed and detected components identified in order to determine if they are benign, system critical or malevolent before attempted removal. Using an ARK scanner without knowing how to tell the difference between legitimate and malicious entries can be dangerous if a critical component is incorrectly removed.

Rootkits can be especially dangerous because they compromise system integrity by making changes that allow the system to be used by the attacker for malicious purposes. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords and personal and financial data, which is sent back to the hacker. Typically, a hacker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and other machines on the network. Rootkits can result in browser search redirects to malicious web pages, the downloading of additional malware, and the ability to receive commands from attackers. Some rootkits can disable anti-virus and security tools in order to prevent detection and even thwart attempts to terminate them.

To learn more about Rootkits, please refer to:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

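The post above describes two things a reader may want to see concretely: a rootkit hides files by redirecting the API function that enumerates them (the SSDT is one such dispatch table), and a detector such as BlackLight finds what is hidden by comparing the API's view with a lower-level view, while an ARK scanner only reports table entries that point outside the kernel and leaves the benign-or-malicious decision to an analyst. The following Python is an added illustration written for this thread, not code from the post or from any of the tools it names. Everything is simulated in memory: the "disk" is a constructed dictionary, the "hook" swaps one entry in a plain Python dict, and the service-table addresses and module ranges are made-up sample values, so it runs anywhere and touches no real kernel.

```python
"""Cross-view hidden-file detection and SSDT-style table check, simulated."""
from typing import Callable, Dict, List, Tuple

# Constructed sample "disk": every file that really exists. A rootkit's aim is
# to keep some of these out of the view that programs get through the OS API.
RAW_FS: Dict[str, List[str]] = {
    r"C:\Windows\System32": ["ntoskrnl.exe", "kernel32.dll", "rk_hidden.sys", "drivers"],
    r"C:\Windows\System32\drivers": ["tcpip.sys", "rk_driver.sys"],
    r"C:\Users\lgd": ["notes.txt"],
}


def raw_list(path: str) -> List[str]:
    """Low-level view: read the structure directly. Stands in for parsing the
    file system on disk instead of asking the operating system."""
    return list(RAW_FS.get(path, []))


# The high-level view goes through a dispatch table, the way Windows system
# calls go through the SSDT. Every caller, a scanner included, is routed via it.
API_TABLE: Dict[str, Callable[[str], List[str]]] = {"list_dir": raw_list}


def api_list(path: str) -> List[str]:
    """What an ordinary program (or a scanner that only uses the API) sees."""
    return API_TABLE["list_dir"](path)


def install_filter_hook(prefix: str = "rk_") -> None:
    """Simulated hook: replace the table entry with a wrapper that drops names
    starting with `prefix`. It exists only so the detector has something to
    find; a real hook patches a kernel table, this one patches a dict."""
    original = API_TABLE["list_dir"]

    def hooked(path: str) -> List[str]:
        return [n for n in original(path) if not n.startswith(prefix)]

    API_TABLE["list_dir"] = hooked


def cross_view_diff(paths) -> Dict[str, List[str]]:
    """BlackLight-style check: per directory, report names the raw view has
    but the API view lacks. A clean system yields an empty dict."""
    hidden: Dict[str, List[str]] = {}
    for p in paths:
        missing = set(raw_list(p)) - set(api_list(p))
        if missing:
            hidden[p] = sorted(missing)
    return hidden


def owner_of(addr: int, modules: Dict[str, Tuple[int, int]]):
    """Name of the loaded module whose [start, end) range contains addr."""
    for name, (lo, hi) in modules.items():
        if lo <= addr < hi:
            return name
    return None


def find_hooks(entries: Dict[str, int],
               modules: Dict[str, Tuple[int, int]]) -> Dict[str, str]:
    """Flag service entries whose handler is not inside ntoskrnl.exe. As the
    post says, an ARK reports what it finds; whether the owner is a HIPS
    driver or a rootkit is the analyst's call, so the owning module is
    returned rather than a verdict."""
    findings: Dict[str, str] = {}
    for svc, addr in entries.items():
        owner = owner_of(addr, modules)
        if owner != "ntoskrnl.exe":
            findings[svc] = owner or "unknown (no loaded module owns this address)"
    return findings


def sample_table():
    """Constructed table: two entries still point into the kernel image, one
    was redirected into a security driver, one into memory no module claims."""
    modules = {"ntoskrnl.exe": (0x80400000, 0x80600000),
               "hips.sys": (0xF7A00000, 0xF7A20000)}
    entries = {"NtCreateFile": 0x80412345,
               "NtQueryDirectoryFile": 0x80433210,
               "NtOpenProcess": 0xF7A01000,
               "NtEnumerateKey": 0xFEED0000}
    return entries, modules


if __name__ == "__main__":
    print("hidden before hook:", cross_view_diff(RAW_FS))
    install_filter_hook()
    print("hidden after hook: ", cross_view_diff(RAW_FS))
    print("table entries outside ntoskrnl:", find_hooks(*sample_table()))
```

Two points the toy makes visible: `cross_view_diff` never inspects the hook itself, it only notices that the two views disagree, which is why a detector built this way also catches hooks it has never seen before; and `find_hooks` reports the `hips.sys` entry alongside the unowned one, exactly the situation the post warns about where a legitimate security product and a rootkit look the same to the scanner and a human has to tell them apart.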

#4 LittleGreenDots
  • Topic Starter
  • Members
  • 449 posts
  • OFFLINE
  • Gender:Male
  • Location:Metro Detroit Area
  • Local time:01:23 PM

Posted 27 July 2013 - 02:58 PM

Thanks for all this information. It is exactly what I was looking for.



#5 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,927 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:23 PM

Posted 27 July 2013 - 04:53 PM

You're welcome.