Online Analysis Of Suspicious Files

Let’s say you run any one of my favourite problem analysis or detection tools, such as:

and you find one or more mysterious entries. What do you do now? Kill the processes, then delete the files? It may not be quite that easy, or that safe. Please research what you are deleting, and the possible consequences of deleting it, BEFORE you do so.

A lot of malware today installs itself as a package, creating two or more processes on your computer. Conversely, some badly designed but legitimate security software uses file names, or other identifying details, that give it the appearance of malware; delete it on sight and you have removed a protection you wanted.

It is relatively easy to identify a single, active process that steals your passwords, throws ads on the screen, or opens connections to distant, mysterious computers.

Some malware, though, packages itself in two or more components. It includes protective (watchdog) components that ensure the other process(es) keep running on your computer, even if you try to delete or kill them. When a protective process detects that an active process has been deleted or terminated, it writes a fresh copy of that process, frequently under a different name, and restarts it.

Delete or kill one program, and suddenly you have a second program (maybe with a different name) doing the work of the process you just killed. You have to kill the protective background processes first. When you find a suspicious file or process, examine it, and ensure that there is no other process referencing or protecting it: check which process started it, and which other processes hold it open or name it on their command line.

There are two web sites, Jotti and VirusTotal, where you can upload any suspicious file found on your computer; each submits your file to multiple scanning engines for analysis. Just go to either site and upload the file from the web page. Uploading takes maybe 30 seconds; then wait 5 to 10 minutes for a free analysis. One caveat: anything you upload is shared with the anti-virus vendors behind the service, so do not upload files that contain your own confidential data. Compute the file's hash and search for it first (VirusTotal supports hash search); if the file has already been seen, you get the report without uploading anything.

Examining the reports from Jotti and VirusTotal, do you see any malware identified? If so, don't panic; do some research. Note which scanning engines detected the malware, and what they called it, and cross-reference those to free, online system scanning services. A single engine's generic or heuristic hit may be a false positive; several engines agreeing on a named family is much stronger evidence.
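To make the "hash first, then read the report" step concrete, here is an added Python example (mine, not from the original post). It hashes a file the way Jotti and VirusTotal key their reports, builds a VirusTotal API v3 file-report request (the `/api/v3/files/{hash}` endpoint and `x-apikey` header are the public v3 API; an API key is assumed), and picks out which engines flagged the file. The report it parses is a constructed sample shaped like a v3 response; the engine names in it are invented.

```python
import hashlib
import json
import urllib.request

# VirusTotal API v3 file-report endpoint, keyed by MD5, SHA-1 or SHA-256.
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"


def hash_bytes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a file's contents.

    Both services identify files by these hashes, so a hash search tells
    you whether the file has been seen before without uploading it."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def hash_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())


def vt_lookup_request(sha256: str, api_key: str) -> urllib.request.Request:
    """Build (but do not send) a v3 report request for an already-hashed file."""
    return urllib.request.Request(
        VT_FILE_URL.format(sha256),
        headers={"x-apikey": api_key, "accept": "application/json"},
    )


def fetch_report(req: urllib.request.Request) -> dict:
    """Send the request and decode the JSON report (needs network and a key)."""
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def detecting_engines(report: dict) -> list:
    """(engine, detection name) for every engine that flagged the file.

    Engines reporting undetected / type-unsupported / timeout / failure are
    skipped. A lone 'suspicious' heuristic is kept, but it is weaker
    evidence than several engines naming the same family."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return sorted(
        (engine, r.get("result") or "")
        for engine, r in results.items()
        if r.get("category") in ("malicious", "suspicious")
    )


def detection_ratio(report: dict) -> tuple:
    """(flagged, engines that gave a verdict); unsupported/timeouts are not verdicts."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    verdicts = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    return flagged, verdicts


# Constructed sample, shaped like a v3 report. Engine names are invented.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "last_analysis_stats": {
                "malicious": 2, "suspicious": 0, "undetected": 1, "type-unsupported": 1,
            },
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Generic.Agent"},
                "EngineB": {"category": "malicious", "result": "Win32/Agent.XY"},
                "EngineC": {"category": "undetected", "result": None},
                "EngineD": {"category": "type-unsupported", "result": None},
            },
        }
    }
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(hash_file(sys.argv[1]))   # hash a real file to search for
    flagged, verdicts = detection_ratio(SAMPLE_REPORT)
    print(f"{flagged}/{verdicts} engines flagged the sample:")
    for engine, name in detecting_engines(SAMPLE_REPORT):
        print(f"  {engine}: {name}")
```

Run it with a file path to get the hashes to paste into the site's search box; to pull a report automatically, pass the result of `vt_lookup_request()` to `fetch_report()` with your own key. The engine names `detecting_engines()` returns are what you then search for in the help forums mentioned later in this post.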

For a protective bad process to restart a protected bad process (the one HijackThis flagged), the protective process has to contain either a copy of the active bad process or a reference to it: its file name, its path, or the registry entry that launches it. If the watchdog carries an embedded copy, any scanning engine (called by Jotti and/or VirusTotal) that detects the active process should detect the same malware in the watchdog, and in any other file on the computer that contains it; a whole-system scan with that engine turns up the additional bad files. If the watchdog only refers to the payload by name, that signature will not fire on it, so also search the disk for files that contain the flagged file's name.

Pick one or more of the scanning services that identified the malware, and do a complete system scan. A HijackFree or HijackThis log is a good starting point, but both HJF and HJT are limited: they enumerate known autostart locations and find malware using established patterns, so a component that persists somewhere they do not look will be missed. Make sure the malware you are experiencing is not in other places too. Use all possible analytic tools.
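The two paragraphs above describe a search: given the file the scanner flagged, find every other file that is a copy of it, embeds part of it, or names it. Here is an added Python example of that search (mine, not from the original post or from any of the tools named here). It derives three indicators from the suspect file, its SHA-256, its file name in ASCII and in UTF-16LE (how Windows binaries usually store strings), and a handful of 32-byte windows of its content, then walks a directory tree and tags every file that matches. `demo()` builds a constructed tree in a temporary directory: a payload, a watchdog that names it, a renamed copy, and a clean file.

```python
import hashlib
import os
import shutil
import tempfile

WINDOW = 32        # bytes of shared content needed to call two files related
STEP = 128         # sample one window every STEP bytes of the suspect file
MIN_DISTINCT = 12  # skip windows that are padding or near-constant


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def indicators_from(suspect: bytes, suspect_name: str) -> dict:
    """What a related component would have to contain.

    A watchdog that restarts the payload carries either a copy of it (so it
    shares byte sequences) or its name, in ASCII or UTF-16LE."""
    stem = os.path.splitext(suspect_name)[0]
    names = []
    for s in {suspect_name, stem}:
        if len(s) >= 4:                       # very short names match everything
            names.append(s.lower().encode("ascii", "ignore"))
            names.append(s.lower().encode("utf-16-le"))
    windows = [
        suspect[i:i + WINDOW]
        for i in range(0, len(suspect) - WINDOW + 1, STEP)
        if len(set(suspect[i:i + WINDOW])) >= MIN_DISTINCT
    ]
    return {"sha256": sha256_of(suspect), "names": names, "windows": windows}


def classify(data: bytes, ind: dict) -> list:
    """Tags describing how `data` relates to the suspect (empty = unrelated)."""
    tags = set()
    if sha256_of(data) == ind["sha256"]:
        tags.add("identical")                 # same file under another name
    low = data.lower()                        # bytes.lower() folds ASCII only,
    if any(n in low for n in ind["names"]):   # matching the lowercased names
        tags.add("references")                # names the suspect: candidate watchdog
    if any(w in data for w in ind["windows"]):
        tags.add("shares-code")               # embeds part of the suspect
    return sorted(tags)


def sweep(root: str, suspect_path: str) -> dict:
    """Map of relative path -> tags for every related file under root."""
    with open(suspect_path, "rb") as fh:
        ind = indicators_from(fh.read(), os.path.basename(suspect_path))
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.samefile(path, suspect_path):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable: itself worth a second look
            tags = classify(data, ind)
            if tags:
                hits[os.path.relpath(path, root)] = tags
    return hits


def demo() -> dict:
    """Constructed tree: payload, a watchdog naming it, a renamed copy, a clean file."""
    payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
    root = tempfile.mkdtemp()
    try:
        files = {
            "payload.exe": payload,
            "watchdog.exe": b"MZ" + b"\x00" * 64 + "payload.exe".encode("utf-16-le")
                            + b"\x00" * 64 + hashlib.sha256(b"watchdog").digest(),
            "svchosts.exe": payload,
            "notepad.exe": b"MZ" + b"\x90" * 200 + b"clean program",
        }
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return sweep(root, os.path.join(root, "payload.exe"))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, tags in sorted(demo().items()):
        print(f"{path}: {', '.join(tags)}")
```

Note what this does and does not catch: the renamed copy is found by hash and by shared windows, the watchdog only because it spells the payload's name in UTF-16LE. A watchdog that stores the name encrypted, or rebuilds the payload from an encoded blob, matches none of these indicators, which is exactly why the post tells you to run the scanners that already recognise this family rather than rely on one home-made check.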

In the case of very well written malware, it may be very difficult (if not impossible) for YOU to identify and delete all components of the malware simultaneously. Its protective processes may be written to detect your feeble human actions, and it can restart itself faster than you can kill or delete it.

But don't despair! Just identify all components of the malware first (without killing and/or deleting anything). Then use Pocket Killbox. You give ALL of the bad files to Pocket Killbox, and Pocket Killbox takes care of them for you, if need be by scheduling the deletions for the next reboot, before any of the components has had a chance to start. It's like having a team of well trained snipers, each aiming at a different bad guy, firing simultaneously, and taking out all of the bad guys without warning any of them.

If you have any doubts about this technique, or if even Killbox can't get rid of the bad stuff, remember the Expert Help Forums. Any time Jotti or VirusTotal identifies a bad file, spend some time searching through two or three of these forums, using the detection names the engines reported. Find out what techniques and tools are currently being used to remove the identified malware. Again, Strength Thru Diversity.

Just don’t guess at the problem. Use the power of the web, and work from the experience of those who have already dealt with your malware.

Now for the bad news. Some malware protects itself from being deleted or interrupted by hiding itself, using rootkit techniques that conceal its files, processes, or registry entries from the very tools described above. You cannot delete what you cannot see.
