Removing Pests from Windows (Part 2)

If you missed the first part of this article, see “Removing Pests from Windows (Part 1)”.

Caution:
If you are going to try some of the changes suggested in this article, it is recommended that you back up your system and the registry before attempting them. The backups need to be tested for integrity to ensure that you can restore the data without any problems. Please note that the suggested changes work for some systems and need to be tested on your unique configuration. IT professionals will find that using technology to clamp down on computer usage will eventually result in higher efficiency and less resource utilization by malware and spyware.

Operating systems should be secured by disabling standard services that are not required or by filtering specific services at a firewall. The system administrator should keep abreast of weaknesses and install patches or workarounds as they are made available. Use of unencrypted protocols should be avoided and effective virus protection software installed, including on external perimeters such as mail servers. Default privileged user accounts and passwords and guest accounts should be changed. This can be done using group policies. Users should be allowed system access only to that which is required specifically for the performance of authorized tasks, and duties should be separated to reduce the risk. A warning message should appear when accessing the system remotely to deter hackers and for legal recourse against them. As well, routers, switches, firewalls, virtual private networks (VPNs) and intrusion detection systems (H-IDS or N-IDS) are security components that should be evaluated and applied.

Possible changes to a computer after installation

Some of the threats below can be reduced if the IT professional tests and restricts installation of unauthorized software. It is also vital to test all software that is installed on the organization's computers. Configuration management should also be followed to mitigate threats and minimize reliance on specialized skill.

  • Patches for applications and operating systems
  • Driver updates and reinstallation
  • Service packs: these are clustered hot fixes and patches that get bundled into one large fix
  • Cookies: these files store user data and website configurations and preferences
  • Applications that are installed can cause the machine to slow down if they are poorly coded
  • ActiveX controls: these controls can load and start processes on the computer without user intervention
  • Registry entries can be used to start up applications that may be malicious
  • Browser add-ins can be loaded and can hang running processes by starving them of resources
  • Dialers: these applications attempt to dial out to predefined numbers, and if more than one is initiated at the same time they can cause the system to halt
  • JavaScript: these scripts can run commands within the browser
  • Advertising software: this software is bundled with some shareware
  • Viruses: these applications replicate and sap resources
  • Key loggers log keystrokes and eventually the log files get full; some of these applications hang the computer if they conflict with security software
  • Hijackers: these applications redirect browsers and emulate popular search engines so that you click on the advertised results
  • Spybots: these applications spy on users
  • Trackers: these applications store the places that the user visits and report them to a central website
  • Trojans are applications that come bundled with some bait software like games and other useful executables

By now you should be thinking, “I need to find out what is running on my computer.” If you are running an NT-generation OS, you can press Ctrl + Shift + Esc to launch Task Manager. Within Task Manager you will be able to see some of the processes that are running on the computer. Some of them can be hidden from view. In XP a programmer can run an exe with a -b switch and hide the application from view in Task Manager. IT professionals can limit these applications from being installed by enabling a group policy that only allows administrators or authorized trusted professionals to install organizational software.

Threats normally stem from non-standard software that is used for file transfer from peer-based networks and file sharing sources. Some organizations actively bait exe files so that when they are downloaded they are corrupt and cause the CPU to red line. Cracked software can also sometimes be inferior. It can be incorrectly patched. Although this phenomenon is rare, it does occur and can cause problems for IT professionals.

The picture above displays a typical Task Manager screen, and the processes running on the computer are displayed here. Task Manager can be used to detect applications that are running on a computer but are not meant to run. Some tools can be used to limit the processes running on desktop machines. These types of tools stop foreign software from running and limit intruder risk. By implementing this solution, IT professionals can reduce risk and maintenance.

The above screen shot displays the running processes on the computer. To see this screen you can use a tool called Spybot Search and Destroy. Under Tools you can click on System Startup and view some of the applications that start up when Windows is initiated.

In Windows 98/XP one can use the Msconfig utility, initiated from the Run dialog box. In other operating systems a useful utility is Spybot Search and Destroy.

In Windows 98/ME/2000 you can also use System Information, found in Accessories under System Tools.

Please note that some applications may start up from the autoexec.bat file or win.ini file.

Below are steps that IT professionals can take to limit network infection and information theft. The steps below also help professionals to remove the offending malware/spyware.

Step one

Isolate the machine by removing it from the network or disconnecting it from the Internet. This will ensure that the machine cannot infect other machines and that it cannot infect itself with any bugs that may be Internet borne.

Step two

Check what services are starting up. This needs to be done in order to identify any services that may appear suspicious. You will also be able to identify the normal services that have to start up; this process will sensitize you and will help you identify a threat much more easily. Most sophisticated intruders hide the services that start up, or bundle the pests with other exe files that need to start when the operating system starts. IT professionals can also write group policies that allow only a specific list of services to start. This task can also be scripted, or tools can be used to monitor new services that are installed and activated on user machines. General periodic audits should be performed to report on service installation activities.

Step three

Use the Msconfig utility on Windows XP to identify what applications are starting up. The latest applications no longer use the startup folder, as the user can easily delete the shortcut from the startup folder. Authors keep finding new and creative ways to start up their resource-sapping applications. This is why professionals need to educate their users.

Step four

Prevention is better than cure. Keep your Operating System and application files updated and do not browse unscrupulous websites and file transfer services that can potentially cause a Trojan to slip onto your system.

Task scheduler

Some systems have a scheduler or startup application that enables the startup of specified applications.

Windows 2000 and above has a general startup folder. This folder affects all profiles and needs to be checked for startup applications.

c:\Documents and Settings\All Users\Start Menu\Programs\Startup

More specifically the user has a startup folder displayed below.

c:\Documents and Settings\username\Start Menu\Programs\Startup 

Windows also uses the registry to load up applications that need to run.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunEx]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunEx]

If an IT professional finds this task keeps taking up a large portion of support resource and time, it may be necessary to clamp down on user behavior using custom group policies that restrict unauthorized registry additions or edits. If you do not have tools to automatically remove the startup applications from your computer you can use regedit to edit the registry. Please ensure you make a backup before removing any registry entries.

Other possible registry entries for IT professionals to look out for:

[HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] ="\"%1\" %*"

If a key does not have the "\"%1\" %*" value as shown, and has been changed to something like "\"somefilename.exe %1\" %*", then it is automatically invoking the specified file.
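The Run-key review and the open-command check described above can be run against a registry export instead of a live system. This is an added example, not code from the original article; it assumes the keys were exported to .reg text with regedit and decoded to a string, and the function name audit_reg_export and the sample export are constructed for illustration.

```python
import re

# Default open command given in the article: "%1" %*
EXPECTED_OPEN = '"%1" %*'
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunOnceEx|RunEx)$", re.I)
OPEN_KEY = re.compile(r"\\(exe|com|bat|hta|pif)file\\shell\\open\\command$", re.I)
# name="data" lines; only string values are handled, hex(...) data is skipped
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg text escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def audit_reg_export(text):
    """Return (autostarts, hijacks) found in decoded regedit export text."""
    autostarts, hijacks, key = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        data = unescape(m.group(2))
        if RUN_KEY.search(key):
            autostarts.append((key, name, data))  # review every entry by hand
        elif OPEN_KEY.search(key) and name == "(Default)" and data != EXPECTED_OPEN:
            hijacks.append((key, data))  # open command no longer the default
    return autostarts, hijacks

# Constructed sample export, not taken from a real machine
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\WINDOWS\\system32\\svch0st.exe -s"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"somefilename.exe %1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    starts, bad = audit_reg_export(SAMPLE)
    for item in starts + bad:
        print(item)
```

Every Run entry is listed for manual review, while an open-command key is reported only when its default value differs from the one shown in the article.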

Batch files

Batch files can also start up applications on a system.

Other files, like the Win.ini file, can also start applications. You can open it by typing win.ini in the Run dialog box. Check for any command such as run=thisisabad.exe.

System.ini is another file that Windows parses to start up applications. Look inside the file for the [Boot] shell= command.

In some of the initialization files it is important to look through the file for any entry that has load= in front of the process or EXE that is going to run. Typically these processes and applications have been disguised to look like normal Windows processes or applications that would normally run in Task Manager or in memory.

It is important to know how the author of malicious code will hide his malicious applications within your system if you want to protect yourself or your organization. If you find a suspicious application running within Task Manager, try to locate it and then look around to see if you can find any other suspicious files in the same directory. If the files look malicious and they are the sort that you do not want on your computer, it is a good idea to delete them after backing up your system. Removing all traces of the file from the registry and from the computer's startup mechanisms is also a good idea.
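The win.ini and system.ini checks above (run=, load= and [Boot] shell=) can be scripted as follows. This is an added example, not code from the original article; the function name scan_ini and the sample files are constructed, and the baseline it assumes is that run= and load= are empty and shell= is Explorer.exe on a clean Windows 9x/ME system.

```python
# Assumed baseline: [windows] run= and load= are empty in win.ini and
# [boot] shell= is Explorer.exe in system.ini on a clean system.
WATCH = {("windows", "run"), ("windows", "load"), ("boot", "shell")}

def scan_ini(text):
    """Return [(section, key, value)] for startup lines that differ from the baseline."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep or (section, key) not in WATCH:
            continue
        if key == "shell":
            # anything other than a bare Explorer.exe deserves a look
            if value.lower() != "explorer.exe":
                findings.append((section, key, value))
        elif value:
            findings.append((section, key, value))
    return findings

# Constructed samples using the article's placeholder file name
WIN_INI = """[windows]
load=
run=thisisabad.exe
[Desktop]
Wallpaper=(None)
"""
SYSTEM_INI = """[boot]
shell=Explorer.exe thisisabad.exe
system.drv=system.drv
"""

if __name__ == "__main__":
    for name, text in (("win.ini", WIN_INI), ("system.ini", SYSTEM_INI)):
        for finding in scan_ini(text):
            print(name, finding)
```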

If you delete the files and your computer complains that it needs a file because it uses the file for some reason or other, at least you know that the computer can no longer do damage without the vital exe and DLL files that you deleted before the error messages started appearing. This is the safest way if the files are suspected. Please remember to make a backup before deleting any files!!!

Services

Some malicious authors may design applications that run as services within Windows, and these services may look like or mimic valid Windows services. This strategy is used to avoid detection.

Please note that removing the application may work temporarily; however, the application may copy itself back onto the computer or reinstall itself. Removal of spyware may break working applications. Some spyware removal tools are themselves spyware.

Keeping it clean

  • Service Pack 2 for Windows XP, personal firewalls and antivirus applications help somewhat.
  • Spybot Search and Destroy
  • Be careful where you submit your e-mail
  • Tighten up IE security
  • Cookie control: session cookies that expire are not too bad, unlike non-session-based permanent cookies
  • ActiveX controls
  • Pop ups! Kill them

Cookies installed on user computers can start to collect user data and build up a profile that periodically sends information to the central mother ship. The mother ship then analyses the data and formulates advertising material that will match the profile of the respective user. Cookie management is necessary, and some applications can control cookies. IT professionals can write logon scripts that erase cookie information at logon, or a group policy that does not allow cookies.

Solutions

  • Install a good antivirus and remove users' ability to uninstall antivirus software.
  • Install a good spyware and adware remover on user machines.
  • Install or enable users' personal firewalls; this can be forced using group policies in organizations.
  • Constantly update your machines' software, including hardware-related software, the operating system and applications.
  • If you do not want issues with performance, avoid applications that subscribe to these practices.

Summary

In this article I have highlighted some of the techniques and places that some intruders hide their malicious code. It is important to note and understand where these bugs may hide so that the IT professional will be able to protect his/her organization against the ever growing threat. Remember that new techniques are being invented in order to outsmart users. This means that the IT professional needs to keep informed and ahead of the malicious code writer. The battle continues…
