Botnets - The killer web applications

www.syngress.com
368
Chapter 10 • Using Sandbox Tools for Botnets
427_Botnet_10.qxd 1/9/07 3:06 PM Page 368


Evidence for all these pieces of information can be obtained from an analysis report created by CWSandbox. In the following sections, those items are examined in detail, and extracting the evidence for them from an analysis report is explained.
How Does the Bot Install?
If we want to check whether a given host is already infected with a particular malware, or if we want to clean that parasite from a host, we need information about the locations where the malware installs its files and about the mechanisms it uses to execute automatically at system startup. Answering the latter question normally also answers the first, since any autostart mechanism has to record where the process to start can be found. Windows offers many different ways to instruct the system to execute a specific application automatically on startup; the excellent tool AutoRuns [2] shows most of them. Though there are many ways, nearly all malware either uses one of the \run sections of the registry or installs a Windows Service application or a kernel driver. In every case, however, the malware has to modify a registry setting to set up its autostart mechanism. CWSandbox reports all accesses to the registry, so you can easily filter out those accesses. As we already saw, registry accesses are contained in the registry section of the report, and the relevant entries are the ones that create keys or set values. Here are some examples of malware that installs as an autostart process, using different registry sections:

    subkey_or_value="mirosoftware" data="C:\WINDOWS\MEDIA\microsoftware.exe"/>
    subkey_or_value="MS Domain Name Server Deamon" data="MSDNSD32.exe"/>
    subkey_or_value="AppInit_DLLs" data="bampklkf.dll"/>
    Notify\directut" subkey_or_value="DllName" data="directut.dll"/>
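As an added example (this is not code from the book and not part of CWSandbox), the following Python script automates the filtering described above: it parses a CWSandbox-style XML report, keeps only the registry writes that land in one of the autostart locations discussed here (the Run keys, the Services key used by services and kernel drivers, Winlogon Notify packages and AppInit_DLLs), and then lists the files those entries point at, which is exactly the information needed to check or clean an infected host. The element names registry_section, set_value and create_key and the key attribute are assumptions modelled on the attribute names visible in the fragments above (subkey_or_value, data); the sample report embedded in the script is constructed, and its service entries are invented to illustrate the service-installation case.

```python
"""Flag autostart registry writes in a CWSandbox-style XML analysis report.

Added example, not taken from the book or from CWSandbox. The element names
(registry_section, set_value, create_key) and the 'key' attribute are
assumptions modelled on the report fragments shown in the text; the sample
report below is constructed, including the invented service entries.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample report. The Run, AppInit_DLLs and Winlogon\Notify entries
# reuse the value names and data from the fragments in the text; the key paths
# and the two service entries are assumptions.
SAMPLE_REPORT = r"""<analysis>
  <registry_section>
    <set_value key="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
               subkey_or_value="mirosoftware" data="C:\WINDOWS\MEDIA\microsoftware.exe"/>
    <set_value key="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"
               subkey_or_value="MS Domain Name Server Deamon" data="MSDNSD32.exe"/>
    <set_value key="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows"
               subkey_or_value="AppInit_DLLs" data="bampklkf.dll"/>
    <create_key key="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\directut"/>
    <set_value key="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\directut"
               subkey_or_value="DllName" data="directut.dll"/>
    <create_key key="HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msdnsd"/>
    <set_value key="HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msdnsd"
               subkey_or_value="ImagePath" data="C:\WINDOWS\system32\msdnsd.exe"/>
    <set_value key="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer"
               subkey_or_value="ShellState" data="00 00 00 00"/>
  </registry_section>
</analysis>
"""

# Registry locations that make Windows start something automatically, as
# discussed in the text: the Run* keys, the Services key (services and kernel
# drivers live there) and Winlogon Notify packages. AppInit_DLLs is a value
# name rather than a key, so it is matched separately.
AUTOSTART_KEYS = [
    ("Run key", re.compile(r"\\CurrentVersion\\Run[A-Za-z]*$", re.I)),
    ("Service or driver", re.compile(r"\\(CurrentControlSet|ControlSet\d+)\\Services\\", re.I)),
    ("Winlogon Notify package", re.compile(r"\\Winlogon\\Notify\\", re.I)),
]
AUTOSTART_VALUES = {"appinit_dlls": "AppInit_DLLs"}


def classify_autostart(key, value_name):
    """Return the autostart mechanism a registry write belongs to, or None."""
    if value_name.lower() in AUTOSTART_VALUES:
        return AUTOSTART_VALUES[value_name.lower()]
    for label, pattern in AUTOSTART_KEYS:
        if pattern.search(key):
            return label
    return None


def find_autostart_entries(report_xml):
    """Walk the registry section of a report and keep only the writes
    (create_key / set_value) that touch an autostart location."""
    root = ET.fromstring(report_xml)
    hits = []
    for section in root.iter("registry_section"):
        for entry in section:
            if entry.tag not in ("create_key", "set_value"):
                continue  # reads (open/query) do not establish persistence
            key = entry.get("key", "")
            value_name = entry.get("subkey_or_value", "")
            mechanism = classify_autostart(key, value_name)
            if mechanism is not None:
                hits.append({
                    "mechanism": mechanism,
                    "operation": entry.tag,
                    "key": key,
                    "value": value_name,
                    "data": entry.get("data", ""),
                })
    return hits


# Simple file-name matcher: good enough for the unquoted, space-free paths in
# the sample; a quoted ImagePath containing spaces would need extra handling.
_FILE_RE = re.compile(r'[^\s"]+\.(exe|dll|sys)', re.I)


def installed_files(hits):
    """Extract the executables and DLLs named in the autostart data, i.e. the
    files to look for when checking or cleaning a host."""
    files = set()
    for hit in hits:
        for match in _FILE_RE.finditer(hit["data"]):
            files.add(match.group(0))
    return files


if __name__ == "__main__":
    found = find_autostart_entries(SAMPLE_REPORT)
    for hit in found:
        print(f'{hit["mechanism"]:24} {hit["operation"]:10} '
              f'{hit["key"]}\\{hit["value"]} = {hit["data"]}')
    print("files to check or remove:", sorted(installed_files(found)))
```

Run against a real report, the script prints one line per autostart write and a final list of files; the Explorer\ShellState write in the sample is deliberately left out of the hits to show that ordinary registry noise is filtered away.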
As mentioned, some bots do not install as normal programs but as Windows Service applications. In that case, besides the changes to the registry, the analysis report will contain lines like these:



