Free Detection/Cleaning Tips and Techniques

1 Adware & Spyware: Free Detection/Cleaning Tips and Techniques
François Paget, McAfee AVERT, Senior Virus Research Engineer, November 2005

2 Adware & Spyware: Summary
Who are they and what are they
Preliminary definitions
Some dangers
Installation
Tools used for tracking them
Finding intruders
Cleaning intruders
20 September 2018 Confidential

3 Adware & Spyware: Etymology
Two coined words that cover two particular types of commercial software:
Adware = Ads + Ware: advertising software
Spyware = Spy + Ware: spying software
These two categories are sometimes linked with other groups of tools of various origins (malicious or not).

4 PUPs & Malware
PUP: Potentially Unwanted Program. Malware: malicious program.
Categories: Adware/Spyware, BHO (Browser Helper Object), Browser Hijacker, Dialer, Joke, Virus, Worms, Logic bombs, Trojan/Backdoors, Bots, Remote Administration Tools, Data Hijacking Tools, Resource Hijacking Tools, Network Attack Tools.
What makes a program unwanted: unwanted commercial programs, hijacked use, lack of consent...

5 Adware
The adware is a "profiler":
A program of commercial origin; does not replicate itself.
A binary file (EXE or DLL).
Installs itself after an initial agreement.
Watches browsing habits and carries out targeted advertising.
Makes offers matching a particular profile.
Does not intentionally collect any personal data.

6 Spyware
The spyware is a "spy":
A program of commercial origin; does not replicate itself.
A binary file (EXE or DLL).
Sometimes installs itself without an initial agreement.
Intentionally collects and transfers a large amount of personal data.
COMMERCE: can be used as a springboard by other commercial activities (marketing approach by e-mail, post or phone).
INFORMATION: provided for commendable purposes but diverted from its original intent.

7 Adware: main introduction vectors
Free or demo software: downloading utilities, browsing assistance, resource sharing software (peer to peer), screensavers, games.
Hazardous sites: pornography, the underground world.
Electronic mail: spam, discussion forums.
Online registration procedures: software licenses, access to private browsing zones.
Viruses and Trojans.

8 Example: before
A clean system is used for this test: a minimal VMware Windows 2000 temporary disk with 1 icon on the desktop, 6 applications listed in Add/Remove Programs and 30 processes in memory according to the Task Manager.

9 Example: during
A sniffer recorded connections to more than 100 distinct sites.

10 Example: after
8 new icons, 16 new applications, 10 new processes, 2 BHOs, 2 new favorites, 1177 keys added to the registry, 1579 values added or changed in the registry, 96 new directories in the folder tree and 649 new files.

11 Tools used in this tutorial
InCtrl5
LspFix
ProcExp
RegMon
StartupRun
Sporder.exe (from Microsoft)

12 Finding intruders
Applications launched automatically when Windows starts are visible with StartupRun.

13 Finding intruders
Applications launched automatically when Windows starts are visible in the registry Run and RunOnce keys.

14 Finding intruders
With InCtrl5 we can compare the registry between two distinct moments.

15 Finding intruders
Keep an eye on the ShellServiceObjectDelayLoad registry key. In many standard configurations this location contains only 3 entries: Network.ConnectionTray, Systray, WebCheck.

16 Finding intruders
Look at the Internet Explorer Start & Search registry keys.

17 Finding intruders
Look at the Internet Explorer Toolbar registry key for suspicious CLSIDs. Look at the HKCR\CLSID branch for the mapping information (which DLL serves each CLSID).

18 Finding intruders
Look at the Advanced tab of the Internet Explorer options. Also visible in the registry at HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions.

19 Finding intruders
Look for extra items in the Internet Explorer Tools menu.

20 Finding intruders
Search for possible style sheet hijacking in Internet Explorer.

21 Finding intruders
Search for a possible DLL injection.

22 Finding intruders
Look for sites that have been added to the Trusted Sites zone.

23 Finding intruders
Search for an Internet protocol hijack.

24 Finding intruders
Keep an eye on your Favorites.

25 Finding intruders
Confirm the suspicion.

26 Cleaning Adware
Cleaning the registry and removing the files requires booting in Safe Mode!
MAIN ENTRIES: Run & RunOnce, ShellServiceObjectDelayLoad, IE Start & Search, [...] etc.
CLSID ENTRIES: HKEY_CLASSES_ROOT, HKEY_LOCAL_MACHINE\Software\Classes, HKEY_CURRENT_USER\Software\Classes.
OTHER ENTRIES: restore the default values; delete the other offending values.
LINKED CLSID ENTRIES: HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad ({CLSID} value); HKEY_CLASSES_ROOT\PROTOCOLS\Filter (plugin entries).
FILES AND DIRECTORIES: the DLL and EXE files launched by the keys above; whole directories when there is no doubt.

27 Cleaning Adware
In order to delete the file we have to deal with the "file in use" problem: a loaded DLL or a running EXE cannot be deleted. (Figure: clean system vs. infected system.)

28 Cleaning Adware
In order to delete the file and get around the "file in use" problem, we need to eliminate the processes that keep it open, which is done by booting in Safe Mode. (Figure: Safe Mode.)

29 Cleaning Adware: example
Step 1) Identify the suspicious EXE and DLL files.

30 Cleaning Adware: example
Step 2) Search the registry (HKCR\CLSID) for the CLSID values linked to them and delete them. In this example, 4 CLSIDs must be deleted.

31 Cleaning Adware: example
Step 3) Search the registry for duplicated CLSID values linked to the previous ones and delete them. In this example, one key must be deleted.
Step 4) Delete the related files.
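The following script is an added example, not part of the presentation nor McAfee code. It reproduces offline what slides 12 to 17 (finding intruders) and the cleaning steps of slides 29 to 31 describe: it parses two `reg export` snapshots the way InCtrl5 compares the registry between two moments, flags new Run/RunOnce values, ShellServiceObjectDelayLoad entries beyond the three standard ones, a changed Internet Explorer start page, and toolbar/BHO CLSIDs resolved through HKCR\CLSID\{...}\InprocServer32 to the DLL that serves them; it then builds the removal plan for a suspect DLL (step 2: the CLSIDs it serves; step 3: duplicate CLSID keys under HKLM\SOFTWARE\Classes and every value that references those CLSIDs; step 4: the files and their directories). The two snapshots, the adware names (sa_bho.dll, sa_loader.exe, "Sample Adware Bar"), the CLSIDs and the search.sampleadware.invalid URL are constructed placeholders, and the list of IE value names treated as hijack targets is my assumption, not the talk's.

```python
"""Offline adware registry triage: an added example, not code from the talk.
Two constructed `reg export` snapshots stand in for InCtrl5's live comparison;
every path, product name, URL and CLSID below is a placeholder."""
import ntpath
import re

BEFORE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{00000000-0000-0000-0000-000000000001}"
"Systray"="{00000000-0000-0000-0000-000000000002}"
"WebCheck"="{00000000-0000-0000-0000-000000000003}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"""
# "After" = the clean snapshot plus what a hypothetical adware installer left behind.
AFTER = BEFORE.replace('"Start Page"="about:blank"',
                       '"Start Page"="http://search.sampleadware.invalid/"') + r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sa_loader"="C:\\Program Files\\SampleAdware\\sa_loader.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"sa_sso"="{AAAAAAAA-0000-0000-0000-000000000002}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{AAAAAAAA-0000-0000-0000-000000000001}"="Sample Adware Bar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]
[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\SampleAdware\\sa_bho.dll"
[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\SampleAdware\\sa_bho.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\SampleAdware\\sa_bho.dll"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
INPROC_RE = re.compile(r"\\CLSID\\(\{[^}]+\})\\InprocServer32$")
HKLM_CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
RUN_KEYS = {HKLM_CV + r"\Run", HKLM_CV + r"\RunOnce"}            # slide 13
SSODL = HKLM_CV + r"\ShellServiceObjectDelayLoad"                 # slide 15
SSODL_BASELINE = {"Network.ConnectionTray", "Systray", "WebCheck"}
BHO = HKLM_CV + r"\Explorer\Browser Helper Objects"
TOOLBAR = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar"  # slide 17
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"      # slide 16
IE_HIJACK_VALUES = {"Start Page", "Search Page", "Search Bar"}    # assumed list of targets


def _unquote(s):  # strip the quotes of a REG_SZ literal and undo .reg escaping
    return s[1:-1].replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}; REG_SZ is decoded."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        key_m, val_m = KEY_RE.match(line), VAL_RE.match(line)
        if key_m:
            key = key_m.group(1)
            reg.setdefault(key, {})  # a key with no values (the BHO one) still counts
        elif key and val_m:
            name, data = val_m.groups()
            name = "(Default)" if name == "@" else _unquote(name)
            reg[key][name] = _unquote(data) if data.startswith('"') else data
    return reg


def diff_reg(before, after):
    """InCtrl5-style comparison: keys added, values added or changed."""
    added_keys = sorted(set(after) - set(before))
    changed = sorted((k, n, d) for k, vals in after.items()
                     for n, d in vals.items() if before.get(k, {}).get(n) != d)
    return added_keys, changed


def clsid_to_dll(reg, clsid):
    """Slide 17: map a CLSID to its server DLL through CLSID\\{..}\\InprocServer32."""
    for root in ("HKEY_CLASSES_ROOT", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes"):
        server = reg.get(root + "\\CLSID\\" + clsid + "\\InprocServer32", {})
        if "(Default)" in server:
            return server["(Default)"]
    return None


def find_intruders(before, after):
    """Slides 12-17: triage what changed between the two snapshots."""
    added_keys, changed = diff_reg(before, after)
    findings = []
    for key, name, data in changed:
        if key in RUN_KEYS:
            findings.append(("autostart", name, data))
        elif key == SSODL and name not in SSODL_BASELINE:
            findings.append(("ssodl", name, clsid_to_dll(after, data) or data))
        elif key == IE_MAIN and name in IE_HIJACK_VALUES:
            findings.append(("ie-hijack", name, data))
        elif key == TOOLBAR and name.startswith("{"):    # toolbar values are named by CLSID
            findings.append(("toolbar", name, clsid_to_dll(after, name)))
    for key in added_keys:                                # BHOs are subkeys named by CLSID
        if key.startswith(BHO + "\\"):
            clsid = key[len(BHO) + 1:].split("\\")[0]
            findings.append(("bho", clsid, clsid_to_dll(after, clsid)))
    return findings


def removal_plan(reg, suspect_dll):
    """Slides 29-31: CLSIDs served by the suspect DLL, every key/value referencing them
    (duplicates under HKLM\\SOFTWARE\\Classes included), then files and directories."""
    clsids, files = set(), set()
    for key, vals in reg.items():
        m = INPROC_RE.search(key)
        if m and vals.get("(Default)", "").lower().endswith("\\" + suspect_dll.lower()):
            clsids.add(m.group(1))
            files.add(vals["(Default)"])
    keys, values = set(), set()
    for key, vals in reg.items():
        for c in clsids:
            if c in key:                                  # delete the whole {CLSID} subtree
                keys.add(key[:key.index(c) + len(c)])
            values.update((key, n) for n, d in vals.items() if c in (n, d))
    return {"clsids": sorted(clsids), "keys": sorted(keys), "values": sorted(values),
            "files": sorted(files), "directories": sorted({ntpath.dirname(f) for f in files})}


if __name__ == "__main__":
    before, after = parse_reg(BEFORE), parse_reg(AFTER)
    print(*find_intruders(before, after), sep="\n")
    print(*removal_plan(after, "sa_bho.dll").items(), sep="\n")
```

Run as a script it prints the five findings (the autostart EXE, the extra ShellServiceObjectDelayLoad entry, the hijacked start page, the toolbar and the BHO, the last three resolved to sa_bho.dll) and then the plan: two CLSIDs, four registry keys (including the duplicate under HKLM\SOFTWARE\Classes, slide 31's "one key"), two values (the Toolbar entry and the SSODL entry), one file and its directory. On a real machine the snapshots would come from `reg export` of HKLM, HKCU and HKCR taken before and after installing the suspect software, and the plan is a list to review and apply in Safe Mode, not something to execute blindly; note that the Run entry's EXE is reported by find_intruders rather than by removal_plan, since it is not linked through a CLSID.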

32 Cleaning Adware: LSP cleaning
Needed when the adware installation uses the Winsock 2 Layered Service Provider (LSP) and Namespace Provider (NSP) mechanism to redirect visits to specific sites. Sporder can be used as a diagnostic tool (figure: clean vs. infected provider chain).

33 Cleaning Adware: LSP cleaning
LspFix can be used as a cleaning tool (the "I know what I am doing" option must be ticked to remove entries).

34 Adware & Spyware: Conclusion
A few years ago it was very easy to clean most of the viruses and Trojans we encountered. Now some of the new Trojans are more complicated, and adware and spyware are incredibly complex. The new battle will be fought over cleaning.
