A Comprehensive Guide To Windows Malware

    The Purpose Of This Guide

    Among laypeople, including many people who are very experienced in general computer and internet usage, there is a lot of misinformation when it comes to malware. Much of this is spread through hearsay, by people who know just enough to be dangerous and sound knowledgeable, but in reality think they know far more than they really do.

    The purpose of this guide is to provide quick, comprehensive information regarding malware, and numerous high-quality resources that will address most of the everyday needs people have regarding malware.

    My Background

    I have run a small computer business for several years, and have trained in the malware training courses at the top online malware communities.

    Different Types Of Malware

    Malware is a general umbrella term, a portmanteau of "malicious software", that refers to all the different kinds of bad stuff out there. People who are less savvy regarding malware often use the term "virus" as a general term. Technically speaking, a virus is a specific kind of malware (and less common these days than most people would think). Using the term "virus" as a general, catch-all term will signal to people in the malware communities that you are less familiar with the topic. So use the right jargon, and sound knowledgeable. :D

    Viruses

    A virus refers to a specific category of malware. Like a biological virus, a computer virus is not a complete file in and of itself, but a chunk of malicious code that infects any type of executable file/code. When the executable code is run, the virus code is activated & replicates as well.

    Viruses come in all shapes, sizes, and flavors. They can range from somewhat harmless virii, to deadly polymorphic file infectors such as Virut or Sality. Some types of viruses, such as the aforementioned, are mostly immune to conventional scanners. With infections such as Virut, the experts in the malware field who have experience with it generally recommend reformatting ('wiping' your hard drive and reinstalling your operating system).

    So there are many different kinds of viruses.

    Trojans

    The full term is 'trojan horse', and for those who know their ancient Greek mythology, its function is analogous to the wooden horse of the legendary Trojan War. It is meant to appear harmless to your computer/security programs, but actually contains a malicious payload. This payload can be whatever the malware writer puts in it. This can range from things like rogue security programs, to dangerous backdoors/dialers or keyloggers.

    Rogue Security Programs

    This is a very common type of infection these days. It's also the one that gets the most attention from the average person, because it's meant to be noticed. These are those programs that run on your computer telling you that you have hundreds of infections, and telling you to buy their program. People who are more familiar with the internet generally know better, but many less experienced people do not. Malware is a big business, with some estimates putting it at $2 billion/year or more.

    A big function of rogues, depending on how virulent they are, is to disable your antivirus or other security programs, and also block certain programs from running, or all executables. If you've ever tried opening some program such as Task Manager, only to get a popup that says "cannot open tskmgr.exe. The file is infected", or something along those lines -- this is a rogue security program at work.

    There are various tricks to try and get around this, such as renaming the file you want to open, but any decent rogue program will block these tricks. Generally speaking, unless it's a specific scenario, don't even bother with these, and proceed to proper cleaning methods.

    Rootkits

    A rootkit is not technically malware, in and of itself. Rather, it is a type of technology, and can be used for legitimate or malicious purposes. Its purpose is basically to cloak whatever is put "inside" of it. There are several methods that rootkits use to cloak files, but the end goal is the same.

    This lecture by Mark Russinovich, creator of the Sysinternals suite, has a good basic description of rootkits and anti-rootkit technology.

    Advanced Malware Cleaning

    The lesson to take home here is that just because you don't have any symptoms and your computer seems to be fine, does not mean that you are not infected.

    And for filesharers like us, infection is always a risk. There is a lot to potentially gain by spreading a backdoor around among a popular download.

    Backdoors, Keyloggers

    These programs are often accompanied by rootkit technology in order to stay hidden. As its name implies, a backdoor program is designed to provide a hacker access to your computer without you realizing it. Typically, these programs are programmed to dial home as soon as they are installed, automatically download more malware, or notify the creator that it has successfully gained access to your system.

    A keylogger, as its name implies, logs the keys that you type.

    These types of programs can be very dangerous if you store sensitive information on your computer, or access sensitive stuff like online banking on the internet.

    This video here provides an enlightening, hands-on look at just how simple it is to create a backdoor program and distribute it around the web.

    Advanced Malware Cleaning

    Proactive Protection: Defense Before You Get Infected

    Antivirus Programs

    I'm constantly surprised at how many customers I get who do not even have an antivirus program. Contrary to what many people believe, having an antivirus -- even the best one -- does not provide you with complete protection, or anything close to it. Many of the most common infections are highly resistant to detection by general purpose scanners, or immune to it altogether. For example, Vundo, a common and problematic infection these days, deposits files with a random name. The code also constantly varies enough in a way that makes classic antivirus programs almost useless against it. The filenames come in a pattern that a trained human is able to recognize, though.

    However, many people do not even have an antivirus program. Bottom line -- get one.

    Don't take it on hearsay as to which scanners are good or bad. Base your decision on a combination of scientific information and experience from real experts. For independent tests, AV-Comparatives is looked to by many in the malware community.

    AV-Comparatives - Independent Tests of Anti-Virus Software - Main-Tests

    The Main Test --> On-Demand test measures the performance of a full system scan with the latest virus definitions. The proactive test measures performance with out-of-date definitions -- usually 2 or 4 weeks old. The dynamic test measures real-time protection.

    PC World often has test data that you can look up as well. Just use Google -- search for things like "PC World, antivirus 2008 reviews", or something like that.

    Several things are important to keep in mind when looking at test results:

    - Malware in the real world is often accompanied by cloaking, aka rootkit technology, which obviously reduces detection ability.

    - Thousands of new variations of malware come out each day. The malware writers have the edge, because they can make new malware, have it infect people, and it will be some time until these are found, analyzed, and definitions are updated. In the malware world, 24 hours is a long time.

    - Even a 99.9% detection rate means that there are thousands of malware samples that were not detected. And that's known malware samples. These ones that are not detected well are often the more common, and more problematic malware. Furthermore, the test scores in the lab have a margin of error, when compared to performance in the real world.

    - Nevertheless, the test scores are a good indicator of how antivirus programs stack up against EACH OTHER. Just keep in mind that the test scores should be used more as a relative comparison to other AV programs -- not as an absolute indicator of how well it will perform in the real world.

    - Some people say that proactive test scores don't matter as much, because you're not going to have 2 or 4 week old definitions in the first place. However, this is not correct. Remember that much malware is difficult for AV programs to detect. The proactive test score gives some idea of how "adaptive" the AV program is, i.e. how good it is at detecting based on behavior, patterns, etc., as opposed to just definitions. This is important, because definitions are next to useless against malware that is constantly varying, such as Vundo.

    - When you look at the test scores, you will see that AVG these days isn't all that great, contrary to the popular hearsay in many forums. You'll also see that Norton isn't bad at detecting, despite its bad reputation in many circles. Yet keep in mind that Norton's reputation is for other issues, besides detection. These include causing side-effect issues with people's systems. Whether that is still the case today -- I don't know -- I haven't seen any solid data on this. However, both Norton and McAfee are notorious for being a pain to uninstall -- requiring special removal utilities.

    You'll also see that Trend Micro, a common AV program, and one that the average "tech" at Geek Squad often recommends, is actually not very good at all. In fact, if you go back through the reviews at PC World, etc., over the years, you'll find that it consistently sucks.

    - Clamwin is absolutely horrible, so if you ever see it recommended, remember that.

    - CA is one of the worst as well. The last test data I saw for it was a 60-something percent detection rate. To give some idea of how bad this is, a 90% would be a D- or F, in my book. When it's not even included in tests like AV-Comparatives on a regular basis, you know that it sucks.

    - Avira free is the best, or second best free AV you can get, depending on who you talk to. Its main disadvantage is that it tends to have a higher rate of false positives.

    Avira AntiVir Personal - Free Antivirus - Free software downloads and software reviews - CNET

    Antivirus Myths and Tips

    - Free AVs are bad. False. Free AVs have the same core engine as paid versions. For example, in the AV-Comparatives test, note that Avast FREE consistently ranks near the top. The difference is generally in the features, not core antivirus capability. Usually the paid ones have extra features like "anti spyware", email protection, etc. Many of these aren't very useful, but the average person doesn't know this. Look at the actual test data for free AVs on AV-Comparatives and tech sites like PC World, and you will see that this isn't true.

    - Having a great AV will give you all the protection you need. Completely false. You need multiple layers and strategies, as discussed further below.

    - I ran a scan, and nothing turned up, so I must be clean. Completely false as well. The reasons for this should have already been covered by now.

    - Any time someone insists that so-and-so antivirus is the best, remember that if they don't have test data to back it up, their opinion is meaningless. Antivirus programs are one very big area for hearsay. Stick with hard data, not hearsay.

    Real-time Registry Monitor: A second important layer of protection

    In order for malware to be active, it needs to make changes to your registry. There are a few exceptions, but this is generally the case. Automated security programs can only detect what they are programmed to. Obviously they cannot recognize things the same way a person can.

    A program like Spybot Search & Destroy's Tea Timer monitors any changes to your registry, and notifies you when it detects something. It's not 100%, but is a very strong layer of defense. When it detects something, it notifies you saying something along the lines of "So-and-so process is trying to make changes: Allow or Deny".

    If you are browsing the internet and this randomly comes up, it's almost certainly malware. Tea Timer is a great program to use, even if Spybot itself is maybe a B- or C+ scanner. The pro is that it's a great layer of protection. The con is that when making legitimate changes to your computer, such as installing something, you'll probably get a lot of popups -- if the install is making 18 changes to the registry, you'll get 18 different pop-ups/prompts. For some people, this is annoying. The other disadvantage is that it can use up to around 120 MB of memory. For older computers, such as ones with 512 MB of RAM, this can really bog things down.

    Basically, if you don't recognize the program as legitimate, deny any changes to your registry. There should be no legitimate changes that simply pop up out of the blue.

    And yes, it's free.

    Spybot - Search & Destroy - Free software downloads and software reviews - CNET

    NOTE: Windows Vista and 7 have a built-in feature that serves the same function as this. This is the utility that asks if you want to allow a program to run/have access, etc. However, many people simply automatically click yes to everything, which of course negates the purpose.
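    As an added example (not part of the original post, and not Tea Timer's or Spybot's own code), the PowerShell script below shows the idea behind a registry monitor in its simplest form: take a baseline of the usual autostart keys on a known-clean system, then later diff the live registry against it and report what was added, changed or removed. The list of keys and the baseline file location are assumptions; it is written for Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the original post. Snapshot the common autostart
# registry locations and diff a later snapshot against the baseline. A real-time
# monitor such as Tea Timer does this continuously; this is the one-shot version.
# Assumed: Windows PowerShell 5.1 or later; key list and baseline path are arbitrary.

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AutostartSnapshot {
    # Returns a hashtable mapping "<key>\<valueName>" to the command line stored there.
    $snapshot = @{}
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $snapshot["$key\$name"] = [string]$item.GetValue($name)
        }
    }
    return $snapshot
}

function Save-AutostartBaseline {
    # Run this once on a system you trust; the JSON file is the baseline.
    param([string]$Path = "$env:USERPROFILE\autostart-baseline.json")
    Get-AutostartSnapshot | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Compare-AutostartBaseline {
    # Emits one object per difference between the baseline and the live registry.
    param([string]$Path = "$env:USERPROFILE\autostart-baseline.json")
    $baseline = @{}
    (Get-Content -Path $Path -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
    $current = Get-AutostartSnapshot

    foreach ($entry in $current.Keys) {
        if (-not $baseline.ContainsKey($entry)) {
            [pscustomobject]@{ Change = 'ADDED';   Entry = $entry; Command = $current[$entry] }
        } elseif ($baseline[$entry] -ne $current[$entry]) {
            [pscustomobject]@{ Change = 'CHANGED'; Entry = $entry; Command = $current[$entry] }
        }
    }
    foreach ($entry in $baseline.Keys) {
        if (-not $current.ContainsKey($entry)) {
            [pscustomobject]@{ Change = 'REMOVED'; Entry = $entry; Command = $baseline[$entry] }
        }
    }
}

# Usage: Save-AutostartBaseline on a clean system, then Compare-AutostartBaseline
# later. Every ADDED or CHANGED line is something to look up before trusting it.
Compare-AutostartBaseline | Format-Table -AutoSize
```

    The script only covers the Run/RunOnce keys, which is why it is a teaching example rather than a replacement for a monitor: services, scheduled tasks and browser helper objects are other autostart locations a full tool would watch, and a prompt at the moment of the change (as Tea Timer gives) is worth more than a diff after the fact.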

    Other Good Real-time protection

    - Don't run more than one antivirus program. They can conflict. Plus, if you have a good one, there isn't any advantage to having two in the first place.

    - Tea Timer can run in parallel with an AV real-time.

    Spybot - Search & Destroy - Free software downloads and software reviews - CNET

    - Win Patrol is another free, and very good security program, which has real-time features.

    WinPatrol - Free software downloads and software reviews - CNET

    - Some antispyware programs, such as SUPERAntiSpyware, have real-time features. You could use this as well, if you have enough RAM. If you are unsure of how much memory you are using up, just open Task Manager, and see how much memory your real-time protection is using up. I've never really used this, though.

    - Another real-time antispyware program that you can use is SpywareGuard, by JavaCool.


    Passive Protection Layer

    Passive protection measures preemptively block various exploits that malware uses to get onto your computer. As with all anti-malware measures, nothing is perfect, but the more layers you have, the better.

    - Spybot S&D's Immunize function is good to use.

    - SpywareBlaster, by JavaCool, is a useful passive protection means to apply to Internet Explorer.

    Software Firewalls

    These differ from router-based firewalls, which are found in most modern routers these days, in that their main strength is to monitor outgoing connections. Basically, a router-based firewall only allows an external computer to connect to yours, if your computer connects to it first. But as long as it was "authorized" by an outgoing connection from your computer, a standard firewall does not distinguish among anything. So this is protection against hackers. Malware infections, not so much.

    A backdoor program is meant to initiate an outgoing connection without you being aware of it. So any response to this outgoing connection is legitimate, as far as your router-integrated firewall is concerned.

    A software firewall is useful in that it monitors outgoing traffic, allowing you to get a better chance at stopping some keylogger from sending data back to a hacker, or a backdoor from dialing out and giving a hacker access to your system.

    - The Windows XP firewall sucks, especially as it's registry based, and more vulnerable to malware. I don't know about the Windows Vista/7 firewall. I believe it is not very good either, as it's based off the registry -- but don't quote me on that. Either way, with Microsoft's record in this department, getting a good software firewall is a good idea.

    - Two good free software firewalls are Comodo (their antivirus is horrible, though), and Sunbelt (formerly Kerio). There are other good ones as well, but these will do just fine. They have different features and user interfaces, so some people definitely prefer different firewalls over others.
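    An added example, not from the original post and not taken from any of the firewalls named above: a PowerShell function that lists every established outbound TCP connection together with the process that owns it, which is exactly the information a software firewall builds continuously to decide what to prompt you about. It assumes Windows 8 or later (for Get-NetTCPConnection), and the list of "usual" browser ports is an assumption you can adjust; run it from an elevated prompt to see the executable path for processes owned by other accounts.

```powershell
# Added example, not from the original post. One-shot view of which processes
# currently have outbound TCP connections open, with unusual ports listed first.
# Assumed: Windows 8 / Server 2012 or later; $CommonPorts is an arbitrary choice.

function Get-OutboundConnectionReport {
    param(
        # Ports a browser session is expected to use; anything else sorts to the top.
        [int[]]$CommonPorts = @(80, 443)
    )

    # Index running processes by PID so each connection can be mapped to a name and path.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
        ForEach-Object {
            $p = $procs[[int]$_.OwningProcess]
            $name = if ($p) { $p.ProcessName } else { '<unknown>' }
            $path = if ($p) { $p.Path } else { $null }   # null when not elevated or for protected processes
            [pscustomobject]@{
                Process    = $name
                PID        = $_.OwningProcess
                Path       = $path
                Remote     = "$($_.RemoteAddress):$($_.RemotePort)"
                CommonPort = ($_.RemotePort -in $CommonPorts)
            }
        } |
        Sort-Object CommonPort, Process
}

# Usage: anything at the top of the list (CommonPort = False) with a process name
# or path you do not recognise is what a software firewall would have prompted about.
Get-OutboundConnectionReport | Format-Table -AutoSize
```

    A snapshot like this only catches a backdoor while its connection is open, which is the limitation the post's point about software firewalls addresses: the firewall sees the connection attempt at the moment it happens and can block it, rather than leaving you to notice it afterwards.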

    Browsers & Browser Protection

    - Firefox is more secure.

    Secunia: Firefox most vulnerable browser

    The above article is a commentary on a heavily biased report from the generally good source of Secunia, saying that Firefox was the most vulnerable browser. There are several things wrong with the Secunia report. Many of them are outlined in the link above. The other thing is that the original article that claimed Firefox was the most vulnerable only showed half the picture. In the graph shown in the link above, it showed the red graph on the left, but conveniently omitted the blue graph on the right which shows the vulnerability of ActiveX.

    - Use an ad-blocking plugin. One of the biggest sources of malware is browser exploits such as drive-by exploits. Some of these exploits involve simply clicking on an object in the browser window that has malicious script attached to it. Oftentimes, you will not even notice this at all. A good all-around blocker for Firefox is Adblock Plus. The only thing to be aware of with this is that it can block many flash/interactive objects that you want. So if you go to a site, and some interactive feature isn't working, chances are the Adblock is blocking it. So you have to simply disable Adblock for that page.

    - Use passive protection, such as the Immunize function of Spybot S&D, as mentioned above, or JavaCool's SpywareBlaster.

    Strategies For Protecting Sensitive Information

    - Don't use the same password to your sensitive sites like online banking as you do for everything else.
    - Don't store passwords to sensitive sites in your browser.

    - If you must store things like passwords on your computer, don't do silly things like make a notepad document that is titled "passwords.txt". Remember that a malicious program can easily be programmed to scan for any sort of text string, document name, etc. Simply put yourself in the hacker's shoes, and think of the types of ways that many people would store their password on their computer.

    - Name the document with an ambiguous name that only you would recognize, like "Rover pics at the beach". Don't write it down using something like

    Wells Fargo Username & Password

    Login: Abc123
    Password: abc123

    I store passwords on my computer, but it is in a format that only I recognize. So any malicious program isn't going to be able to search for it, and even if a hacker did get it, it wouldn't be useful to them.

    Another way to immunize data from a malicious scan would be to use MS Paint and type the text & save it as a JPG. People can read it. Scanners can't.

    - It's important to realize just how simple & easy it is for a basic malicious program to search your computer for these things. I think the biggest thing is that many people don't realize just how common theft of sensitive information has become these days, and just how common these malicious programs are. The Microsoft video posted up above provides a good demonstration. (Just because their products can suck doesn't mean they don't have knowledgeable experts working there. :D )

    It's a very simple matter to do a search of filenames for strings such as 'password(s)', 'login', 'banking', or basically a long list of any potential terms. It's also simple to search the text within unencrypted documents.

    Use multiple partitions, or multiple OS installs

    - Creating a separate partition from the one your active OS is on and putting sensitive data on that will protect it to a fair degree. Worms and such can gain access, but if you have a data-only partition, this will provide a pretty strong layer of security if you make it read-only.

    - Install multiple instances of Windows, for example, and use one install for general use, including playing all your cracked games, or downloading keygens. Use another install on a different partition for sensitive stuff.

    PART 2 Coming Soon

    - Info on malware removal
    - Links to various resources and information

  • #2
    Hi! Thank you very much. I have always thought that antivirus and trojan are the same. After I lost all my files and documents due to the virus attack, I try to behave more accurately. I have downloaded a professional antivirus program and Antivirus for Chromebook as well. I hope that situation will never happen again!