Monday, January 2, 2012

Safe-Mode vs. Disabling in AV vs. AR vs. Removing

When disabling anti-virus applications, there are a few common misconceptions about what is actually required to completely disable the real-time protection that can prevent some virus removal tools from running.

Safe Mode loads only a basic set of drivers and devices, which often temporarily disables the AV. However, some removal tools reboot into Normal Mode during the removal process, at which point the AV is re-enabled and can prevent those tools from running. Likewise, Safe Mode limits other Windows functionality that may be required to remove particular infections.

Disabling the real-time scanning portions of the software from within the AV itself is the easiest way to ensure that the components which could interfere with surgical removal of infections stay out of the way. Some AV cannot be disabled once it has expired, however, and in that case it should be uninstalled using Add/Remove Programs or the official uninstaller for that particular AV.

AR (Autoruns) can be used to disable the services for an AV suite; however, with most AV packages, just disabling the services is not enough, as the package will generally install virtual devices that are used for various purposes in providing protection. Often, when the software's service is disabled, these devices are not, and this leaves the system in a partially broken state.

Removing the AV is a guaranteed way to ensure it does not interfere with the removal process. Most modern AV is not entirely removed by Add/Remove Programs, however, and the official removal tool from the AV manufacturer should be used to remove the product. A list of removal tools can be found here (ESET KB - Uninstallers for common AV Software). The list is slightly dated, but more or less provides a comprehensive index of common AV software and links to their respective removal tools or removal how-to guides.

In closing, in the event you can't or shouldn't remove the AV entirely, the preferred method for disabling it is to use the AV's own controls to disable the real-time scanning and/or firewall portions of its protection engine. AR and Safe Mode are simply incomplete or ineffective methods for disabling AV.
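To see for yourself why disabling services in Autoruns leaves the system "partially broken", the following PowerShell script (an added example, not part of the original post) lists every service, kernel driver and file-system minifilter that still belongs to a given AV vendor after its services have been stopped. The vendor name is a placeholder you substitute; the script only reads state and changes nothing.

```powershell
# Added example: audit what an AV product still has loaded after its services
# were disabled. $Vendor is a placeholder pattern matched against service and
# driver names/paths; replace it with the vendor or product name on the box.
param([string]$Vendor = 'ExampleAV')

# Service-level entries (what Autoruns / services.msc let you disable).
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match $Vendor -or $_.DisplayName -match $Vendor } |
    Select-Object Name, State, StartMode, PathName

# Kernel and file-system drivers: the "virtual devices" the post refers to.
# These are registered separately from the services and usually stay loaded.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match $Vendor -or $_.DisplayName -match $Vendor } |
    Select-Object Name, State, StartMode, PathName

# Minifilters attached to the file system right now (fltmc needs an elevated prompt).
$filters = & fltmc.exe filters 2>$null

'== Services matching vendor =='
$services | Format-Table -AutoSize
'== Drivers matching vendor =='
$drivers | Format-Table -AutoSize
'== Loaded file-system minifilters (all vendors) =='
$filters

# The check that matters: stopped services but running drivers means the
# product is neither fully active nor cleanly disabled.
$stoppedServices = @($services | Where-Object { $_.State -ne 'Running' })
$runningDrivers  = @($drivers  | Where-Object { $_.State -eq 'Running' })
if ($stoppedServices.Count -gt 0 -and $runningDrivers.Count -gt 0) {
    Write-Warning ("{0} service(s) stopped but {1} driver(s) still running: " +
                   "disabling services did not unload the vendor's kernel components." `
                   -f $stoppedServices.Count, $runningDrivers.Count)
}
```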

Tuesday, December 27, 2011

ZeroAccess (read: Whatever viruses we don't want to name specifically)

As of late, a large influx of 64-bit, and now 32-bit, variations of "ZeroAccess" have been appearing in the wild, which, of course, means they've been trickling into us and need to be classified one way or another for the sake of easily managing detection and removal on infected systems.

To shed a bit of light on what we're classifying as "ZeroAccess", "ZA64", or similar infections, let's break down the average infection into its core parts:

Multiple files appearing under 'C:\Windows\Assembly\tmp\U\' with 000000CF.@-style naming conventions (the last two characters, as well as the leading digit, are often interchangeable across the various variants of the infection).

This portion of the infection actually belongs to the Win64.Sirefef family, most commonly Sirefef.D or Sirefef.K.

On 32-bit systems, it is fairly common to see, in place of the Sirefef infection (which is 64-bit only), a Conedex.A infection, which is essentially implemented and functions in the same manner.

With this infection, it is also common to see 'Services32.exe' or 'Java.exe' located in the 'C:\Windows\' folder. This is the main dropper packaged with most of these infections. Generally speaking, it visually resembles, and is often mistaken for, an Adobe Flash updater/installer. In actuality it is installing most of the registry keys, legacy device drivers and services that allow the remote controller of the botnet to use a push-style delivery system on infected machines. This backdoor dropper belongs to the Bafruz family; most commonly, we see Bafruz.B and Bafruz.D.

Packaged with these is generally one of two DLL files: kwrd.dll or consrv.dll.

Starting with kwrd.dll, identified as Win32/Bitcoin.B by some AV brands, we see the first of many non-adware packages associated with this infection. Primarily, this DLL serves to transfer the wallet.dat and addr.dat files of Bitcoin installations to a remote host, thus stealing the Bitcoin* holdings of the infected user.

consrv.dll seems to function primarily as a DNS redirector, sometimes to adware and at other times to shopping sites or other revenue-generating mechanisms. Most often, infections that feature consrv.dll contain a Rogue.AV element ("You're infected with 9,435,234 infections! Send us money now to remove them!"), and revenue is clearly generated from that aspect of the infection.

Due to the dynamic assembly nature of the application, all of the 000000CF.@-style files are compiled at boot time into a 32- or 64-bit packed executable that then runs to keep the system infected. This allows the infection to download updated code from the host machines or the P2P network attached to it, allowing the infection to remain entirely dynamic and self-updating.

So, in closing, rarely, if ever, does the "ZeroAccess" infection actually contain any element of ZeroAccess. There are a few instances where a ZA package is included; however, outside of Windows XP systems with an infected TCP/IP stack, or Vista systems with an infected netbt.sys, this isn't seen very much.

* Bitcoin is a digital crypto-currency developed as an open-source project and released at Bitcoin.org. At the time of writing, a single Bitcoin (BTC) is worth roughly $4 USD on market exchanges.
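The on-disk artefacts described above (the Assembly\tmp\U\ components, the Services32.exe / Java.exe dropper in C:\Windows, and the kwrd.dll / consrv.dll companions) are easy to sweep for before deciding how to classify a machine. The PowerShell script below is an added example, not part of the original post; the post gives no location for the two DLLs, so searching the whole %SystemRoot% for them is an assumption, and a hit is a reason to look closer, not a verdict on its own.

```powershell
# Added example: triage check for the "ZeroAccess"-classified artefacts the post
# lists. Read-only; it reports findings and removes nothing.
$windir   = $env:SystemRoot
$findings = @()

# 1. Payload components under Assembly\tmp\U\ named like 000000CF.@
#    (eight hex characters followed by ".@"; leading digit and last two chars vary).
$uDir = Join-Path $windir 'Assembly\tmp\U'
if (Test-Path -LiteralPath $uDir) {
    Get-ChildItem -LiteralPath $uDir -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match '^[0-9A-F]{8}\.@$' } |
        ForEach-Object {
            $findings += "Sirefef/Conedex component: $($_.FullName) ($($_.Length) bytes)"
        }
}

# 2. Bafruz dropper posing as a Flash updater, dropped directly in %SystemRoot%.
#    A legitimate Java runtime does not place Java.exe here.
foreach ($name in 'Services32.exe', 'Java.exe') {
    $candidate = Join-Path $windir $name
    if (Test-Path -LiteralPath $candidate) {
        $findings += "Possible Bafruz dropper: $candidate"
    }
}

# 3. Companion DLLs: kwrd.dll (wallet.dat/addr.dat theft) and consrv.dll (DNS redirect).
#    Recursing the whole Windows directory is an assumption; the post gives no path.
Get-ChildItem -Path $windir -Recurse -Force -Include 'kwrd.dll', 'consrv.dll' `
              -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Companion DLL: $($_.FullName)" }

if ($findings.Count -eq 0) {
    'No ZeroAccess-classified artefacts found in the locations checked.'
} else {
    "$($findings.Count) finding(s):"
    $findings | ForEach-Object { "  $_" }
}
```

Run it from an elevated prompt in Normal Mode, since Safe Mode and a non-admin shell may not be able to read the Assembly\tmp\U\ directory.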

Java != JavaScript

A rather common misconception I've come across while working with techs is that Java, the object-oriented programming language developed by Sun Microsystems and presently maintained by Oracle, Inc., is the same language as JavaScript, the object-oriented scripting language developed by Netscape, Inc. and maintained by the W3C.

This is an easily explainable misunderstanding, since both languages contain the moniker "Java" in their name; however, aside from the object-oriented nature of both languages, there are very few remaining similarities.

Needless to say, re-registering jscript.dll will not resolve Java issues, and reinstalling Java will not resolve JavaScript issues.