My Malware-Related Resources
March 7, 2011 | Mark Russinovich
Given that Zero Day is a book about the threats posed by malware, I thought I’d post pointers to my other malware-related publications and presentations. Some show how to clean malware using the utilities I’ve written and others discuss operating system features designed to prevent malware infections or limit malware’s effect when an infection occurs.
One increasingly common tactic employed by the malware community is to promote “scareware”. Scareware software is malware disguised as antimalware that web sites trick you into installing by announcing that your computer has been – ironically – infested with malware. Many of these fake antimalware products create a doorway through which other malware authors can push their wares after purchasing access from the scareware creator. Scareware entered the scene in 2004-2005 and this blog post from early 2006 dissects a scareware product I ran across, showing how it installs itself and downloads additional malware. It even includes a video that uses my Sysinternals tools to show what’s going on under the hood as the infection occurs:
http://blogs.technet.com/b/markrussinovich/archive/2006/01/03/the-antispyware-conspiracy.aspx
Many of the Sysinternals utilities are heavily used by professional malware analysts. They often use the more advanced features of the tools, but even their basic functionality makes it possible for users with some computer proficiency to solve their own malware incidents – or those of their family and friends. Some malware has grown so sophisticated that only a professional can successfully analyze and clean it (or even detect its presence), but my Advanced Malware Cleaning presentation from the Microsoft TechEd conference in 2006 is still relevant today for most commonly encountered malware:
http://technet.microsoft.com/en-us/sysinternals/gg618529
Here's my own analysis of an email-delivered malware I received, intended to enlist the computer of whoever launches it into a botnet (to be safe, I launched it in a controlled configuration in a virtual machine with no access to my local network):
http://blogs.technet.com/b/markrussinovich/archive/2007/04/09/741440.aspx
This recent blog post on my technical blog shows how a Microsoft support engineer used some of the more sophisticated Sysinternals features to analyze and clean a new strain of malware, MarioForever, off the computers of a large hospital network:
http://blogs.technet.com/b/markrussinovich/archive/2011/02/27/3390475.aspx
That malware had gotten past the antimalware used by the hospital. Unfortunately, malware is evolving so quickly and at such large scale that antimalware only addresses a fraction of the malware in circulation and is out of date almost as soon as it is updated with new antivirus signatures. And antimalware, just like any commercial software, can have vulnerabilities that enable malware to gain access to a system or to gain administrative rights if it infects a system with limited rights. This blog post from 2007, The Case of the Insecure Security Software, demonstrates the use of Sysinternals tools to identify certain kinds of antimalware vulnerabilities and exposes some flaws that existed at the time in the antimalware product of a top security vendor:
http://blogs.technet.com/b/markrussinovich/archive/2007/06/19/1256677.aspx
Operating systems and most common commercial software have become more secure over time, largely because of cutting-edge defense-in-depth measures added both by the tools developers use to create software and to newer versions of operating systems. Here’s a Channel 9 interview (Channel 9 is a Microsoft web site that interviews Microsoft developers) where I talk about operating system security:
In this video interview, Mark Minasi and I discuss some of the security enhancements introduced in Windows 7:
http://www.msteched.com/2009/NorthAmerica/TTK12
I define the concept of “security boundaries”, which are operating system features designed with strong security guarantees, in this TechEd 2009 presentation. To highlight the difference between defense-in-depth features, which have no guarantees but can foil certain types of malware attacks, and security boundaries, I describe the design and implementation of a number of Windows features often considered security boundaries:
http://www.msteched.com/2009/Europe/SIA301
One of the features I covered in that presentation is User Account Control (UAC), a feature added in Windows Vista that drew ire because users initially ran into many of UAC’s “allow/deny” dialogs before software adapted to the more secure configuration UAC was designed to promote. This presentation, User Account Control Internals and Impact on Malware, goes deep inside UAC’s implementation to reveal how it works and why those dialogs are ultimately useful for everyone:
http://www.microsoft.com/showcase/en/us/details/10c81bb6-972b-4856-9a39-2cc0eb1352ae
Finally, my most famous blog post, Sony, Rootkits and Digital Rights Management Gone Too Far, is one I can’t leave out. It chronicles how I discovered a rootkit Sony was distributing on some of the audio CDs it sold in 2005, and the post eventually led to Sony’s recall of millions of CDs and a settlement with the FTC: