
Replacing System File Virus


Presentation Transcript


  1. Replacing System File Virus

  2. Highlighted issue in 2008 • Year 2008 (particularly the last 6 months): in Vietnam there were more than 121,000 cases of computer breakdowns related to Windows crashes, typically the "Login - Logout" phenomenon.

  3. Highlighted issue in 2008

  4. Where does the problem come from? • Bkis assigned a team to deal with this problem. • Users often think it is caused by viruses, but the real cause is the antivirus software! • The antivirus software breaks Windows; it is not the virus's fault.

  5. What is the cause? • In our experiment we tested 4 antivirus products, and the results corroborate this. • Our test method: • Create the environment: infect the computer with the virus • Scan that computer with an antivirus product • Restart the computer to check the result. Experiment result

  6. What is the cause? (diagram) The virus takes a target system file in C:\windows\system32, copies it to another location, and replaces the system file with its own body, which calls back the original file so the system keeps running. The antivirus software then deletes the virus file, and the system is broken down!

  7. What is the cause? • The virus-removal method of the antivirus software is what corrupts Windows. • More than 5,800 viruses lead to this problem when scanned with those antivirus products. • (Most of them originate in the People's Republic of China.) What type of viruses are these?

  8. New trend • Common characteristic: they replace system files. • Viruses that modify system files have been in the wild for over 20 years, beginning with file infectors. • But from 2000 up to now the prevalent types have been worms and Trojans, because they spread very quickly and it is quite simple to create massive numbers of variants.

  9. New trend • Most antivirus software treats worms and Trojans simply by detecting and deleting all virus files. • The bad guys counter antivirus software by targeting specific system files: • keep the fast spreading speed and update variants continuously • defeat antivirus software. Antivirus software that merely deletes virus files becomes "Anti-Windows" software as well. Replacing system file virus (named by Bkis)

  10. New trend • When a system is infected with this type of virus, what happens when it is scanned by antivirus software? • If the antivirus software merely deletes the virus files... • => Windows will be broken down! • Unfortunately, the most popular antivirus programs have not solved this problem: BitDefender, Kaspersky, Norton Antivirus, McAfee

  11. Solution • Merely deleting the virus files is not enough. • To thoroughly remove the virus without corrupting the system, we need to restore the original code. • When attacking the system, the virus hides the original code somewhere, so the only way is to debug and decode the virus to find and restore the original code. We did it that way and got a perfect result.

  12. Recommendations • This trend has appeared over the last 6 months and is becoming more and more common. • 2009 is predicted to bring a lot more. • 2008 in Vietnam: 121,000 cases of computer breakdowns, 5,800 replacing-system-file viruses. • I don't have the statistics for your countries, but I believe your countries have the same problem, because most viruses of this type come from the People's Republic of China and spread all around the world, not only in Vietnam.

  13. Recommendations Has your CERT encountered this problem?

  14. Recommendations • If you encounter it a lot, users need to be cautioned. • We are willing to help.

  15. Thank you!

  16. Questions • Is it hard to kill this type of virus? Why can't other antivirus software treat these viruses well? • How can viruses overwrite Windows system files? • How can Bkav kill these viruses thoroughly (while still being able to update a large number of virus patterns)? • Prevention is better than cure • How do these viruses differ from file viruses? • Apart from the login-logout phenomenon, are there any other symptoms?

  17. Prevention is better than cure • New virus variants are born hourly. • Virus creators use many encryption and packing tools and test carefully against antivirus software before distributing the viruses. • There have always been cases where computers with antivirus software still get infected. We then have to cure instead of prevent.

  18. Login - Logout Phenomenon • Login - Logout problem • The virus overwrites the Windows file userinit.exe (winlogon.exe runs userinit.exe after a successful logon to start the user's shell). • The antivirus software deletes that infected file. • With userinit.exe gone the session ends immediately and returns to the logon screen: users encounter the "Login - Logout" problem.

  19. Other files replaced by viruses • Other targets of the viruses: • spoolsv.exe: the Print Spooler service cannot start, the printer cannot be used • rpcss.dll: the RPC service cannot start, the taskbar disappears, copy-paste does not work correctly

  20. Other files replaced by viruses • Other files that have been targeted by viruses: • explorer.exe • mswsock.dll • winlogon.exe • actxprxy.dll • dmserver.dll • termsrv.dll • comress.dll • many more...

  21. Why, in our experiment, did we let the computer get infected first and only then scan it with the AV? • As with biological viruses, the cure comes after the virus appears (bird flu). • Likewise, an AV must be able to remove the virus when the machine is already infected. • In practice, many users are infected before the AV update that can remove the virus is available.

  22. Where does the problem come from? (diagram) The virus copies the system file under another name and takes the system file's place; the antivirus program deletes the virus, the system is left missing the file, and Windows is broken down. More details
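Worked example, added by the editor and not Bkis/Bkav code, of the remediation that slides 6, 11, 18 and 22 argue for: instead of deleting the replacement sitting at the system path, locate the stashed original and put it back, and refuse to delete when the original cannot be found. It assumes the stashed copy survives as an exact byte-for-byte copy under another name somewhere below the scanned directory (slide 22's "system file with another name") and that a known-good SHA-256 baseline of the protected files was taken on a clean machine. The functions build_baseline, find_stashed_original, remediate and demo, the stash names usrinit.dat and temp_spools.tmp, and all file contents are constructed for the example.

```python
# Added example (editor's own, not Bkis/Bkav code). Restore a replaced system
# file from its stashed original instead of merely deleting the replacement.
# Assumptions: the original survives as an exact byte copy under another name
# somewhere below the scanned directory, and a known-good SHA-256 baseline was
# taken on a clean machine. All paths and contents below are constructed.
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Targets named on slides 18-20, relative to the Windows directory.
PROTECTED = [
    "system32/userinit.exe", "system32/spoolsv.exe", "system32/rpcss.dll",
    "explorer.exe", "system32/winlogon.exe",
]


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(windir: Path) -> Dict[str, str]:
    """Known-good hashes, taken before infection."""
    return {rel: sha256(windir / rel) for rel in PROTECTED if (windir / rel).is_file()}


def find_stashed_original(windir: Path, want: str, skip: Path) -> Optional[Path]:
    """Walk the tree for any file whose content hashes to the known-good value."""
    for p in windir.rglob("*"):
        if p.is_file() and p != skip and sha256(p) == want:
            return p
    return None


def remediate(windir: Path, baseline: Dict[str, str]) -> Dict[str, str]:
    """Return {file: action}. A protected path is never deliberately left empty."""
    report = {}
    for rel, good in baseline.items():
        target = windir / rel
        if target.is_file() and sha256(target) == good:
            report[rel] = "clean"
            continue
        stashed = find_stashed_original(windir, good, skip=target)
        if stashed is None:
            # No plain copy of the original on disk: per slide 11 the virus must be
            # debugged to recover the code by hand, so delete nothing here.
            report[rel] = ("replaced-original-not-found" if target.exists()
                           else "missing-original-not-found")
            continue
        if target.exists():
            quarantine = windir / "quarantine" / (target.name + ".vir")
            quarantine.parent.mkdir(exist_ok=True)
            shutil.move(str(target), str(quarantine))  # keep the sample, do not delete it
        shutil.move(str(stashed), str(target))  # original back at its real path
        report[rel] = "restored"
    return report


def demo() -> dict:
    """Constructed infection scenario covering the three cases remediate() handles."""
    windir = Path(tempfile.mkdtemp()) / "windows"
    for rel in PROTECTED:
        p = windir / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"MZ stand-in for " + rel.encode())
    baseline = build_baseline(windir)

    # Slide 6/22 mechanism: stash the original under another name, put the
    # virus body at the system path (the "Login - Logout" case).
    userinit = windir / "system32/userinit.exe"
    (windir / "system32/drivers").mkdir(exist_ok=True)
    shutil.copy(userinit, windir / "system32/drivers/usrinit.dat")
    userinit.write_bytes(b"MZ virus body that chains to usrinit.dat")

    # spoolsv.exe: stashed, then the replacement already deleted by a naive scanner.
    shutil.copy(windir / "system32/spoolsv.exe", windir / "temp_spools.tmp")
    (windir / "system32/spoolsv.exe").unlink()

    # explorer.exe: overwritten in place, no plain copy of the original on disk.
    (windir / "explorer.exe").write_bytes(b"MZ virus carrying the original encoded")

    report = remediate(windir, baseline)
    return {"report": report,
            "userinit_ok": sha256(userinit) == baseline["system32/userinit.exe"],
            "spoolsv_ok": (windir / "system32/spoolsv.exe").is_file()}


if __name__ == "__main__":
    print(demo())
```

The point of the third case is the one the slides make: when the scanner cannot prove it has the original, the replacement stays in place and is reported, because a missing userinit.exe or spoolsv.exe does more damage than a quarantined sample the analyst can still unpack.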
