Adware Look2me

April 3, 2011 3:07 pm | Adware-Spyware

THE CHALLENGE OF DETECTING AND REMOVING INSTALLED THREATS

Abstract

The time when the competitiveness of an AV product was determined by its ability to detect a bucket of samples will soon be behind us. New tests, driven by the demand for AV products to protect against spyware, will measure the ability of an AV product to manage a given threat all the way from detection to removal.

Detecting and removing installed and active threats presents many challenges, especially when several files, processes and registry components are involved. The ability of these components to be updated from the Internet at any time, and with varying frequency, only complicates the issue.

This article discusses the challenges vendors face in moving their AV products away from blindly detecting and removing a given set of samples and towards detecting and removing the various components of an installed threat.

INTRODUCTION

When viruses began to infect files, the role of anti-virus at the time was to identify the infected files. In some cases the infected files still worked as expected, but they performed additional functions they were not designed for, which could ultimately have a detrimental effect on the whole system.

The solution for fixing an infected file was to replace it with a copy of the original, making absolutely certain that the files on the system were clean. This was acceptable in the days of small operating systems with a limited number of applications installed. As we moved into the 1990s, operating systems became increasingly complex, and improved technology meant that users could install more, and more complex, applications. The existing answer to a virus attack – replacing infected files – became less and less practical, especially for home users and small businesses, and so there was a growing demand for anti-virus solutions that could disinfect infected files.

Today, a similarly significant change in demand is taking place. Threats are becoming complex to the point where it is no longer possible to provide simple instructions to help clean them up. The explosion of spyware has increased the number of threats that install many components, such as files and registry entries. Whereas removing a Trojan horse was once a matter of killing a process, deleting a file and deleting a registry entry, we now have threats that require the removal of many of each of these components. In addition, there has been a significant increase in the number of threats using stealth and anti-removal technologies that further complicate removal procedures.

The complexity of removing threats with many components has led to a demanding customer base that expects security solutions to manage the threat for them. Microsoft would have you believe that there are cases where this is simply not possible [1]: "When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases there really is no way to recover without nuking the systems from orbit." But, as with the solution originally recommended for virus-infected files, this is not currently a practical solution, especially for home users and small businesses.

MULTI-COMPONENT THREATS

There are now many threats, especially those associated with potentially unwanted applications such as adware, that add and modify multiple processes, files and registry entries on the system. These multi-component threats pose a number of challenges for security products attempting to reverse the changes made to the system. Removing a multi-component threat with the intention of restoring the system to a stable and secure state may not require undoing every change that resulted from the installation of the threat. However, removing a threat to the satisfaction of a customer means detecting and removing all installed components and restoring modified settings to their original values.

Component classification

Installed threats can be considered as having two main categories of components: primary and secondary components.

Primary components

The primary components are the most important parts of the threat. They are the ones that actually provide the threat with its functionality, or that cause this functionality to be loaded when the operating system starts or a user logs in. Removing the primary components of a threat is, in most cases, sufficient to neutralize the threat, preventing it from causing further damage, loss of information or system instability.

There are two categories of primary component.

Simple primary components: these are usually the executable files that provide the functional characteristics of the threat, the processes associated with these files and the associated registry load points. Detection of these elements indicates that the system is affected by a particular threat, but simply removing them is not necessarily a sufficient solution to the infection.

Compound primary components: these are components of a threat that are implemented by modifying and adding several files and registry entries. Examples are services registered with the Service Control Manager, Layered Service Providers (LSPs) hooked into the Windows TCP/IP stack, Internet Explorer Browser Helper Objects (BHOs) and other registered COM objects. Effective removal of compound components requires the modification of all the relevant entries on the system. In some cases, failing to fully handle all the changes made by a component will have no adverse effect; in other cases damage can be caused. Deleting the file associated with an LSP, for example, will cause a loss of network connectivity if the Winsock registry entries are not modified to remove that particular LSP.

Secondary components

Secondary components generally consist of registry entries and auxiliary files such as data files, logs, configuration files and so on. If left on the system, many of these items remain benign, as they are useless without the primary components of the threat. However, for completeness they should ideally be removed or returned to their pre-infection state.

REMOVING INSTALLED THREATS

There are two important steps in removing an installed threat. First, the installed threat and all its components, both primary and secondary, must be identified. Once that is complete, analysis of the threat can be used to determine what actions are needed to remove the threat from the system and leave the system in a safe and usable state.

Detection phase

The objective of the detection phase is to produce a complete list of all installed components of any threat found on the computer being scanned. Once multi-component threats are taken into account, we find that two scanning techniques are needed to build these component lists effectively and efficiently.

Scanning techniques

Content scanning and context scanning are the two main static detection techniques typically used to detect the presence of an installed threat and to gather all the components of that threat.

Content scanning

Content scanning techniques, traditionally used by AV scanners, can be used to detect the primary file components of a threat, such as its executables. However, this technique is not necessarily the most suitable for detecting secondary file components, in particular data files, log files and the like, which are subject to frequent and unpredictable change. In addition, it is not always necessary to detect all components directly through content scanning, because once scanning has determined that a particular threat is installed there are more efficient methods, such as the context scanning technique described below, for detecting the rest of the threat.

Context scanning

Context scanning techniques, most often used by dedicated anti-spyware solutions, provide a method of detecting threats based on the known presence of a particular set of artefacts on the system being scanned. This method uses rules, such as combinations of file names and locations and registry settings, to determine whether a threat is installed on the system.

For example, consider the following set of entries on the system:

    File: <system>\taskmon.exe
    File: <system>\shimgapi.dll
    Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon = Taskmon.exe
    Registry: HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\Default = "shimgapi.dll"

Without content scanning any of the files, we can positively identify the system as being infected with W32/MyDoom-A.

Context scanning is not the most effective or practical technique when used on its own. For example, this scanning technique is not very effective at the gateway, where there is no installed context for rules to be applied to.

There is also the complication of making a positive identification of a specific threat where files or registry entries with common names are added or modified, leading to non-specific reports such as "this file and these registry entries are suspicious". There is also an increased risk of false positive reports, especially when individual components are identified on the basis of attributes such as file names or registry entry names.

For example, consider the following file and registry entry:

    File: <windows>\system.exe
    Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system = System.exe

At best, this combination of components can be labelled as suspicious, but without scanning the contents of the file system.exe it is not possible to link it to any particular threat, or even to any threat at all.

Context scanning is at its most effective when used in combination with content scanning on the desktop to help assemble all the components of an installed threat. Positive identification of one or more of the primary components of a threat, for example files or processes, by their content can be used to trigger context scanning rules. Context scanning then uses these rules to identify the threat's components installed on the computer without relying on a content scanner to positively identify every individual component.

Take the W32/MyDoom-A example above. If a scheduled system scan detects W32/MyDoom-A in taskmon.exe, this information can be used to trigger a context rule that looks for the other W32/MyDoom-A components.
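The two techniques just described, with a content-scan verdict triggering a context rule, as an added example that is not code from the Sophos article: a small scanner run over a constructed snapshot of files and registry values. Only the W32/MyDoom-A and system.exe file and registry names come from the article's examples; the file contents, the hash-based content identity, the rule format and the full paths are assumptions made for this example.

```python
# Added example (not from the Sophos article): a toy content + context scanner.
# The system snapshot, the sample bytes and the hash identity are all constructed;
# only the MyDoom-A and system.exe file and registry names come from the article.
import hashlib

# Constructed snapshot of the machine being scanned: file path -> contents,
# registry value path -> data.
SYSTEM_FILES = {
    r"C:\Windows\System32\taskmon.exe": b"constructed taskmon.exe sample bytes",
    r"C:\Windows\System32\shimgapi.dll": b"constructed shimgapi.dll bytes",
    r"C:\Windows\system.exe": b"unknown program with a common name",
}
REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon": "Taskmon.exe",
    r"HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\(Default)": "shimgapi.dll",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system": "System.exe",
}

# Content identities: sha256 of the constructed sample bytes -> threat name.
# A real scanner would use signatures or heuristics; a hash lookup stands in for that.
CONTENT_IDENTITIES = {
    hashlib.sha256(b"constructed taskmon.exe sample bytes").hexdigest(): "W32/MyDoom-A",
}

# Context rules: every listed component must be present for the rule to fire.
# "specific" marks whether a match positively identifies a threat or is only suspicious.
CONTEXT_RULES = [
    {"name": "W32/MyDoom-A", "specific": True, "requires": [
        ("file", r"C:\Windows\System32\taskmon.exe"),
        ("file", r"C:\Windows\System32\shimgapi.dll"),
        ("reg", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon", "Taskmon.exe"),
        ("reg", r"HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\(Default)", "shimgapi.dll"),
    ]},
    {"name": "Suspicious: system.exe with Run load point", "specific": False, "requires": [
        ("file", r"C:\Windows\system.exe"),
        ("reg", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system", "System.exe"),
    ]},
]


def content_scan(files):
    """Content scan: return {path: threat} for files whose contents match a known identity."""
    hits = {}
    for path, data in files.items():
        threat = CONTENT_IDENTITIES.get(hashlib.sha256(data).hexdigest())
        if threat:
            hits[path] = threat
    return hits


def rule_matches(rule, files, registry):
    """A context rule fires only when every required file and registry value is present."""
    for comp in rule["requires"]:
        if comp[0] == "file" and comp[1] not in files:
            return False
        if comp[0] == "reg" and registry.get(comp[1], "").lower() != comp[2].lower():
            return False
    return True


def context_scan(files, registry):
    """Context scan on its own: [(rule name, component paths, positive identification?)].
    Note that the generic system.exe rule fires here too, but only as 'suspicious'."""
    return [(r["name"], [c[1] for c in r["requires"]], r["specific"])
            for r in CONTEXT_RULES if rule_matches(r, files, registry)]


def combined_scan(files, registry):
    """Content scan first; each positive identification triggers only that threat's
    context rule, so the remaining components are collected without content-scanning
    each of them, and generic 'suspicious' rules never fire on their own."""
    found = {}
    for path, threat in content_scan(files).items():
        found.setdefault(threat, set()).add(path)
        for rule in CONTEXT_RULES:
            if rule["name"] == threat and rule_matches(rule, files, registry):
                found[threat].update(c[1] for c in rule["requires"])
    return {t: sorted(paths) for t, paths in found.items()}
```

Running context_scan on the snapshot yields both the positive W32/MyDoom-A identification and the non-specific system.exe report; combined_scan yields only the W32/MyDoom-A component list, because nothing in content scanning vouched for system.exe. Remove one of the MyDoom registry entries and the context rule no longer fires, leaving only the content-scanned taskmon.exe in the combined result.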

Scanning requirements

Most standard, non-malicious applications can be assumed to have a predictable, well-behaved installation. Knowing that the application is installed on a computer is sufficient to determine the names and locations of all its components, both primary and secondary. There are many cases where this is true of malicious applications as well. Many Trojans and worms are predictable from one infection to the next, which in turn can make them quick and easy to remove, as the detection of a single component provides enough information to clean the entire malicious application from the system without scanning the whole system to detect each component explicitly. This is true of the W32/MyDoom-A example in Figure 1.

This predictability does not hold for all malicious threats and potentially unwanted applications. There are several examples where in-depth scans of the system are needed to ensure that all components of the threat have been properly identified before the system can be cleaned up (Figure 2).

This is especially true for threats like the Look2Me adware application, which contains randomly named components.

A further complication is added when threats use sophisticated stealth techniques to hide elements of their installation. Depending on the techniques used, it may be possible to infer the presence of a hidden threat using standard user-mode content scanning, and then to use context scanning techniques to build a complete list of installed components.

Otherwise, more sophisticated rootkit detection techniques are necessary.

Removal phase

Collecting information on all installed components of a threat is the first step in removing a threat from a system. The second step is to complete the removal on the basis of the information gathered – but unfortunately this all too often becomes a much bigger task than simply terminating, deleting or modifying these elements.

The traditional line of attack is to remove the threat from memory, delete the infected files and registry entries, and finish by restoring any changed file and registry settings. Although this is still what we ultimately want to achieve, it is not always possible without additional steps along the way, involving actions ranging from renaming files and suspending processes to a complete restart of the operating system.

Establishing removal procedures for a specific threat is increasingly dependent on a detailed analysis of the threat to determine how it behaves when removal actions are carried out against it.

Anti-removal techniques

A full technical paper could be written about anti-removal techniques, which is not my intention here. Instead I refer you to Sergei Shevchenko's article [4] and Eric Chien's paper [5] for examples of the complications that may be involved. I will summarize the findings that security products must take into account when attempting to overcome a threat's efforts to prevent its own removal. Threats are increasingly employing techniques that complicate the removal of their software. Some of these techniques have been seen in malware for many years. One example is process monitoring, where one or more threads are set up to continuously monitor the running status of the threat and its various components, as implemented by W32/Chir-B as early as 2002.

Another example is injecting code into system processes that cannot be restarted without stopping the system, as used by W32/Lovgate the following year. The more complex techniques, however, have come from potentially unwanted applications such as adware. There is a lot of money to be made from these products, and their vendors often have teams of engineers implementing technology that prevents users from removing the applications.

The techniques used include installing drivers to implement rootkit-style protection mechanisms, regularly renaming the threat's components to subvert context detection, and changing privileges to the extent that even the administrator has no power to do anything about the threat.

In the simplest cases, these techniques can be circumvented by careful consideration of the order in which the components of the threat are removed from the system. In more complex cases it may not be possible to remove a threat in place; instead, it is necessary to implement removal strategies that involve restarting the operating system and completing the removal actions during or after the boot sequence.

Shared components

An important consideration when removing a threat from a system is to identify which of its components are shared or non-exclusive. These are components that may have been installed by the threat but are actually third-party applications or components used to provide additional functionality to the threat, not designed exclusively for it.

An example of a non-exclusive component is a language runtime library. A threat can install such a library to ensure that it runs on the target system, but it is not possible to say, without a reliable history of the system, whether the library file was on the system before the threat was installed. It is therefore dangerous to remove these components, but it should also be stressed that they pose no security risk.


Pre-infection settings

Removing a threat also involves restoring the legitimate file changes or registry entries that existed on the affected system. This is a challenge because it is usually the case that the security product carrying out the removal will not be aware of the state of the affected system immediately prior to infection. In cases where a threat-specific entry has been set, for example an Internet Explorer start page entry, the security problem can be resolved. However, if the changes are not threat-specific, such as Internet Explorer security zone settings, it is not even possible to determine whether the changes made by the threat actually differed from the original settings.

It would probably be the consensus in the industry to reset frequently modified entries to their defaults on a system where the pre-infection state is unlikely to be known.
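The points made in the removal phase, anti-removal, shared components and pre-infection settings sections can be put together in a removal planner. The following is an added example, not code from the Sophos article: the component inventory (an adware-style process, its load point, an LSP and its Winsock catalogue entry, a BHO, a log file, a shared runtime library and two Internet Explorer settings) is constructed for illustration, the dependency relationships and the action names are assumptions, and nothing in it is a real indicator.

```python
# Added example (not from the Sophos article): a removal planner that orders the
# clean-up of a multi-component threat. The inventory is constructed to mirror the
# article's cases; component names, dependencies and action names are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Component:
    name: str
    kind: str                      # "process" | "file" | "registry" | "setting"
    role: str                      # "primary" | "compound" | "secondary" | "shared"
    depends_on: List[str] = field(default_factory=list)  # components to handle first
    locked: bool = False           # file in use: cannot be deleted until reboot
    threat_specific: bool = True   # setting exists only because of the threat
    default: Optional[str] = None  # known safe default for a non-specific setting


def action_for(c):
    """Map a component to (action, phase). Phase is 'now' or 'reboot'."""
    if c.role == "shared":
        return "leave", "now"   # may predate the threat; removing it could break other software
    if c.kind == "process":
        return "terminate", "now"
    if c.kind == "file":
        return ("rename_and_delete_on_reboot", "reboot") if c.locked else ("delete", "now")
    if c.kind == "registry":
        return "delete", "now"
    if c.kind == "setting":
        if c.threat_specific:
            return "delete", "now"
        if c.default is not None:
            return "restore_default:" + c.default, "now"
        return "report_only", "now"   # pre-infection value unknown; do not guess
    raise ValueError("unknown component kind: " + c.kind)


def order_components(components):
    """Kahn's algorithm over depends_on so prerequisites come first; raises on a cycle."""
    by_name = {c.name: c for c in components}
    for c in components:
        for dep in c.depends_on:
            if dep not in by_name:
                raise KeyError("unknown dependency: " + dep)
    indeg = {c.name: len(c.depends_on) for c in components}
    ready = [n for n, d in indeg.items() if d == 0]
    ordered = []
    while ready:
        name = ready.pop(0)
        ordered.append(by_name[name])
        for c in components:
            if name in c.depends_on:
                indeg[c.name] -= 1
                if indeg[c.name] == 0:
                    ready.append(c.name)
    if len(ordered) != len(components):
        raise ValueError("dependency cycle in removal plan")
    return ordered


def build_plan(components):
    """Return [(component name, action, phase)] in a safe order. Anything that depends
    on a reboot-deferred step is itself deferred, so prerequisites still come first."""
    phase_of, plan = {}, []
    for c in order_components(components):
        action, phase = action_for(c)
        if any(phase_of[d] == "reboot" for d in c.depends_on):
            phase = "reboot"
        phase_of[c.name] = phase
        plan.append((c.name, action, phase))
    return [p for p in plan if p[2] == "now"] + [p for p in plan if p[2] == "reboot"]


def position(plan, name):
    """Index of a component in the plan, for checking ordering constraints."""
    return [p[0] for p in plan].index(name)


# Constructed inventory of an adware-style installation (not a real threat).
INVENTORY = [
    Component("adware.exe process", "process", "primary"),
    Component("Run load point", "registry", "primary"),
    Component("adware.exe", "file", "primary", depends_on=["adware.exe process"]),
    Component("Winsock catalog entry (LSP)", "registry", "compound"),
    Component("lsp.dll", "file", "compound",
              depends_on=["Winsock catalog entry (LSP)", "adware.exe process"], locked=True),
    Component("BHO CLSID registration", "registry", "compound"),
    Component("bho.dll", "file", "compound", depends_on=["BHO CLSID registration"]),
    Component("adware.log", "file", "secondary"),
    Component("runtime library", "file", "shared"),
    Component("IE start page", "setting", "compound", threat_specific=True),
    Component("IE security zone", "setting", "compound", threat_specific=False),
]

if __name__ == "__main__":
    for name, action, phase in build_plan(INVENTORY):
        print(f"{phase:6} {action:28} {name}")
```

The plan removes the Winsock catalogue entry before the LSP file is touched (the connectivity caveat from the compound components section), terminates the process before its file is deleted, defers the locked LSP file to reboot, leaves the shared runtime library in place and reports rather than guesses for the non-specific security zone setting.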

CONCLUSION

In this article I have described how security products such as anti-virus and anti-spyware programs typically use two main static scanning techniques to assist in the detection of installed threat components: content scanning, traditionally used by anti-virus solutions, and context scanning, often relied upon by dedicated anti-spyware solutions.

I have shown that neither scanning technique on its own is the answer to the problem of identifying the components of a threat that must be marked for removal. Instead, a combination of both techniques should be implemented to provide the most effective and efficient detection. Combining the two scanning techniques also provides an extra level of mitigation against the frequent updates we are seeing with today's threats.

Identifying all the components of an installed threat is not the only condition for removing that threat. The authors of malware and potentially unwanted applications are aware of the attempts by anti-virus and anti-spyware products to remove their applications. So, just as malware authors have sought to create viruses that subvert detection, the goal now is to implement techniques that prevent, or at least complicate, the removal of unwanted applications. There are strategies for overcoming these anti-removal techniques, but it means that, more and more often, we find that removal requires identities that are as threat-specific as those that detect the threat.

The varying effectiveness of different security solutions at removing installed threats has led to the requirement for specific tests to provide objective comparisons of how well security products perform this task. However, unlike traditional anti-virus scanning, where there are only two results, detected and not detected, there is a considerable grey area in tests that measure the effectiveness of removal. A system can be made stable and secure without necessarily removing or restoring every component of a threat.

About the Author

This article was provided by Sophos and is reproduced here with their full permission. Sophos provides full data protection services including: security software, encryption software, antivirus, and malware.

