Can malware replace legit Windows files?

Could someone tell me if upon infection, Windows files get replaced with infected versions, such that deleting or renaming the infected file would make Windows unable to boot or function properly?

Edit Aug 30th:

Most users that have malware would prefer their computers be "fixed". They don't want a fresh install of Windows, because it means having to reinstall everything, import everything, change settings on everything... I am looking for a way to avoid this. The following conversation attempts to find a better way.

Edited by mraeryceos

  • 4 weeks later...

Even more would change system files and / or networking related stuff, to log your keyboard and steal passwords and phone home, or even to interfere with your online banking.

Several also manipulate the system restore mechanics, to re-appear even after being removed by safety software.

And worst is, they often try to get auto-started extremely early after reboot, before any of your shields are up. And manipulate those then...

In most cases, damaging the system to not boot anymore would not be in the interest of a bad guy, as this would also stop his misuse of your machine.

This often includes spreading the malware even more over your machine, like to all of your contacts, or stealing even more critical data from you...

So killing your machine kills his worthy tool.

Keep in mind, after mistreating you, they may like to sell their access to other criminals who would like to continue with hurting you and others.

The first one may steal some of your internet accounts for gaming sites or e-mail, next may want to steal your bank account or attack your money transfers, third may want to spread <real dirt> or other illegal stuff over your machine. Then there are people attacking web servers they don't like.

Most of all would like your system still to be up and running, at least until all they want is done...

So it depends on the intention of the criminal.

No more, no less.

Edited by FishBowl

Thanks FishBowl! Now the real reason I brought this up.

(1) On an infected machine, if you replace the files that occur in every installation of Windows XP SP2, no matter what the hardware, will this eradicate the malware that may have leeched onto legit system files?

(2) Well, the registry would always be different, so you couldn't replace that. The registry may call out to drivers, DLLs, etc. that are malicious, and aren't part of the core system files in (1). But you can use your favorite boot CD to load up the registry and remove the offending startup entries. I can't remember if it is possible to use Sysinternals Autoruns to load the remote registry on the hard drive, while booting off a CD or USB device. Anyway, this is something you could do.

Does anyone know which files are present on every installation of Win XP SP2? What I'm getting at, is that this would be a quick fix without having to reinstall windows, and everything else. Boot off a cd, overwrite files, remove startup reg entries, and you are good to go. You may still have some malware left on the machine, but it won't be active (and I assume harmless unless someone double clicks on a malware executable).

Does anyone know which files are present on every installation of Win XP SP2? I've made some rough attempts at overwriting with the originals, but Windows would blue screen after I did it. Oops... killed the patient.

AHA! I should have been reading Wikipedia! :blushing:

http://en.wikipedia.org/wiki/Rootkit#Removal

While most Administrators prefer a clean reinstall, a skilled Administrator using a PE can often delete and clean a rooted system if a reinstall is not a viable option.
Edited by mraeryceos

I am not interested so much in what it does, but how to get rid of it. I can rewrite the boot sector, if that is what you mean by "deeper". What do you mean by deeper? Yes, exactly what do you mean by deeper?

Edited by mraeryceos

"Replaced" files that are malware can be overwritten with "legit" files by doing an "over-the-top reinstall" without loss of data, profiles, post-installed software, etc. Bear in mind that malware can have a module named the same as a good file in a different folder that will still cause damage (or whatever) because it gets executed before the good one (ref. the execution PATH).

Best bet is to use all recommended malware cleaners / scanners, check the registry (HijackThis is a good one), then maybe (if necessary) do an "over-the-top reinstall". There will more than likely be lots of stray malware hiding if you don't "clean" the system.

Can you describe any symptoms that leads you to believe you're "infected"? There are usually tell-tale signs. If so, post here...

HTH and Good Luck!


Bear in mind that malware can have a module named the same as a good file in a different folder that will still cause damage (or whatever) because it gets executed before the good one (ref. the execution PATH).
OK! Thanks!

I don't have an infected computer at the moment. I'm a tech. I usually just get data off and reinstall windows.

Best bet is to use all recommended malware cleaners / scanners, check the registry (HijackThis is a good one), then maybe (if necessary) do an "over-the-top reinstall". There will more than likely be lots of stray malware hiding if you don't "clean" the system.
Too much work. Also, running an antivirus scan is likely going to be ineffective in cleaning malware.

Reference http://av-test.org papers titled:

testing for rootkit detection and removal

Also of interest:

getting rid of malware from infected pcs

I was looking for a quicker method. For example, overwriting Windows files with a copy of files always existing on a standard Windows installation. Then perhaps rename or delete all files NOT on a standard Windows installation (can be automated). I like this method better than doing an "over the top" installation of windows, because, you don't know what the F*&& the "installation" does.

So I still have the question:

Does anyone know which files are present on every installation of Win XP SP2?

Edited by mraeryceos

Bear in mind that malware can have a module named the same as a good file in a different folder that will still cause damage (or whatever) because it gets executed before the good one (ref. the execution PATH).
QFT - in fact due to Windows File Protection and the fact that a lot of the system binaries have open handles which prevent overwriting while the system is running, it's more likely that malware masquerading as OS files will be running from another (often temp) folder.

Another trick that has been used is to have lookalike executable names - dllh0st.exe, for example.

If suspicious of a running process, use Task Manager or Process Explorer to view the command line rather than just the process name - that can often give clues as to what a process is.

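Added example (editor's addition, not code from any poster in this thread): a small triage script for the two tricks described in the post above, a system-binary name running from the wrong folder (often a temp directory) and a look-alike name such as dllh0st.exe. The process rows are a constructed listing in the shape Process Explorer shows (PID, image path, command line), not captured from a real machine. The table of legitimate locations assumes the default XP %SystemRoot% of C:\WINDOWS and only covers a handful of names; extend it for the machine you are examining.

```python
"""Triage a process listing for masquerading: system-binary names running
from the wrong folder, and look-alike names such as dllh0st.exe."""
import ntpath

# Where these XP system binaries legitimately live (lower-case). Assumes the
# default %SystemRoot% of C:\WINDOWS; adjust for the machine being examined.
KNOWN_SYSTEM = {
    "svchost.exe":  r"c:\windows\system32",
    "lsass.exe":    r"c:\windows\system32",
    "csrss.exe":    r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "dllhost.exe":  r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Digits and symbols commonly substituted for letters in look-alike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def normalize(name: str) -> str:
    return name.lower().translate(HOMOGLYPHS)


def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts an adjacent swap (scvhost) as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def triage(rows):
    """rows: (pid, image path, command line) as shown by Process Explorer.
    Returns {pid: [reason, ...]} for processes that deserve a closer look."""
    findings = {}
    for pid, path, cmdline in rows:
        name = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        reasons = []
        if name in KNOWN_SYSTEM:
            # Right name, wrong folder: the "copy in a temp directory" case.
            if folder != KNOWN_SYSTEM[name]:
                reasons.append(f"{name} running from {folder} instead of {KNOWN_SYSTEM[name]}")
        else:
            # Unknown name within one edit of a system binary after
            # homoglyph normalisation: dllh0st.exe, scvhost.exe, 1sass.exe ...
            for legit in KNOWN_SYSTEM:
                if osa_distance(normalize(name), legit) <= 1:
                    reasons.append(f"{name} looks like {legit} (command line: {cmdline})")
        if reasons:
            findings[pid] = reasons
    return findings


# Constructed sample listing (not captured from a real machine).
SAMPLE = [
    (1084, r"C:\WINDOWS\system32\svchost.exe", "svchost.exe -k netsvcs"),
    (1800, r"C:\WINDOWS\explorer.exe", "explorer.exe"),
    (2224, r"C:\DOCUME~1\USER\LOCALS~1\Temp\svchost.exe", "svchost.exe"),
    (2310, r"C:\WINDOWS\system32\dllh0st.exe", "dllh0st.exe /start"),
    (2400, r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe"),
    (2500, r"C:\WINDOWS\system32\scvhost.exe", "scvhost.exe"),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE).items():
        print(pid, *reasons, sep="\n  ")
```

The command line is carried into the finding rather than used for matching, because, as the post says, it is what you read next once a name looks odd; the script only narrows the list. A process named exactly like a system binary and sitting in the right folder is not caught here at all, which is why the thread's later point about checking the file's signature or hash still matters.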

On my machines at home, I am keeping system / applications and documents / downloads / recordings strictly separate, on different HDDs / partitions.

I am making image backups of the relatively small system partition(s) every couple of days, onto two big mobile HDDs, alternating those.

And I even have a spare machine, almost the same hardware. Just in case...

I am using Ghost 7.5 from inside of Win98SE (+NUSB), to write the images. Around five to ten minutes for an OS.

Worst case, I could take the mobile (IDE) disk out of its case and connect it directly to the board.

Then MS-DOS and Ghost are enough to write back.

Similar would also work with my old Knoppix LiveCD 3.4 and partimage, instead of '98, for example.

Anyway, taking care and having a nice HW firewall protected me pretty well during the past years, so system reconstruction never was required to remove malware but only to move to bigger disks or to repair human mishaps and failing experiments.

Edited by FishBowl

FishBowl, I follow a similar backup strategy. I also have separate data and system partitions :-) My challenge is for systems you get that haven't had that preparation.

Does anyone know which files are present on every installation of Win XP SP2? I may test if I find time. Instead I keep hoping someone has already done it!


Malware, such as rootkits, can patch actual Windows binaries so they cannot be detected by API calls. You would have to verify the digital signatures, probably mounted offline, on the files to ensure they are authentic. While the new KPP in Vista x64 helps prevent this, it's not impossible.

http://en.wikipedia.org/wiki/Kernel_Patch_Protection

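Added example (editor's addition, not from the post above or from Microsoft): what "verifying offline" has to work with. An Authenticode signature does not hash the whole file; it hashes the PE image with the CheckSum field, the Certificate Table data-directory entry and the appended certificate table skipped, so the same digest is valid before and after signing. The script below computes that digest following the steps in Microsoft's Authenticode PE specification (overlay handling simplified), and reports whether a file carries an embedded signature at all. The PE images it builds are constructed, minimal stand-ins for the demonstration, not real binaries, and the script does not parse or verify the PKCS#7 blob itself; that needs a library or Windows.

```python
"""Authenticode-style PE digest for offline checks of a mounted volume."""
import hashlib
import struct

SECURITY_DIR = 4  # index of IMAGE_DIRECTORY_ENTRY_SECURITY in the data directories


def _layout(data: bytes) -> dict:
    """Locate the header fields the Authenticode hash must skip."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                           # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)            # PE32+ vs PE32
    sec_dir = dirs + 8 * SECURITY_DIR
    cert_off, cert_len = struct.unpack_from("<II", data, sec_dir)
    sections = []
    sh = opt + opt_size                                     # first section header
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sh + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    return {
        "checksum": opt + 64,
        "sec_dir": sec_dir,
        "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
        "sections": sorted(sections),                       # by PointerToRawData
        "cert": (cert_off, cert_len),
    }


def authenticode_digest(data: bytes, algo: str = "sha256") -> str:
    """Hash the image the way a signature does: headers minus CheckSum and the
    security directory entry, then sections in file order, then any overlay
    that precedes the certificate table."""
    lay = _layout(data)
    h = hashlib.new(algo)
    h.update(data[:lay["checksum"]])
    h.update(data[lay["checksum"] + 4:lay["sec_dir"]])
    h.update(data[lay["sec_dir"] + 8:lay["size_of_headers"]])
    end = lay["size_of_headers"]
    for ptr, size in lay["sections"]:
        h.update(data[ptr:ptr + size])
        end = max(end, ptr + size)
    cert_off, cert_len = lay["cert"]
    tail_end = cert_off if cert_len else len(data)
    if tail_end > end:                                      # overlay, still covered
        h.update(data[end:tail_end])
    return h.hexdigest()


def has_embedded_signature(data: bytes) -> bool:
    off, length = _layout(data)["cert"]
    return off != 0 and length != 0


def build_demo_pe(payload: bytes, cert_blob: bytes = b"") -> bytes:
    """Constructed minimal PE32 image for the demonstration (not a real binary).
    With cert_blob set, it mimics what signing does: append a certificate
    table, point the security directory at it, and rewrite CheckSum."""
    pe_off, hdr_size, opt_size = 0x40, 0x200, 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 60, hdr_size)               # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    raw_size = (len(payload) + 0x1FF) & ~0x1FF              # 512-byte file alignment
    if cert_blob:
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, hdr_size + raw_size, len(cert_blob))
        struct.pack_into("<I", opt, 64, 0xDEADBEEF)         # CheckSum changes on signing
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(payload), 0x1000, raw_size,
                                        hdr_size, 0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + bytes(opt) + sect).ljust(hdr_size, b"\0")
    return headers + payload.ljust(raw_size, b"\0") + cert_blob


if __name__ == "__main__":
    plain = build_demo_pe(b"demo code")
    signed = build_demo_pe(b"demo code", b"\0" * 64 + b"fake-pkcs7")
    print("signed:", has_embedded_signature(plain), has_embedded_signature(signed))
    print("digests equal:", authenticode_digest(plain) == authenticode_digest(signed))
```

Two caveats for the offline check the post describes. First, on XP most system files carry no embedded signature at all; they are catalog-signed, with the digests listed in the .cat files under System32\CatRoot, so "no embedded signature" is the normal result for a legitimate kernel32.dll and this digest is the value you would look up there or compare against a known-good manifest. Second, computing the digest is not verification: trusting it requires checking the PKCS#7 blob and its chain, which Sysinternals sigcheck or Windows itself does on a running system, and a rootkit that hooks the running system is exactly why the post says to do it from a mounted offline volume.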

Malware, such as rootkits, can patch actual Windows binaries so they cannot be detected by API calls. You would have to verify the digital signatures, probably mounted offline, on the files to ensure they are authentic.
Do all files have digital signatures? Even driver files? Because even if all Windows XP SP2 files are the same, the driver files will be different for every computer, and the virus may have put itself in as a driver.

1. Overwrite all standard WinXP SP2 files with originals

2. Rename all extraneous files

3. What to do about driver files???

Can a standard set of driver files be used, that will allow the system to boot, so that you could reinstall drivers to non-infected versions?

You know... if you delete the boot.ini file and other root files, then rename the windows, "program files", and "documents and settings" folders, you can do a blank install of windows. This would ensure all the files that are needed for the computer are there...

Most people that have a virus would prefer their computers to be "fixed". They don't want a fresh install of Windows, because it means having to reinstall everything, import everything, change settings on everything... I am looking for a way to avoid this.

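Added example (editor's addition, not from any poster): the repeated question of "which files are present on every installation" is really a request for a manifest, and the three-step plan in the post above (overwrite standard files, rename extras, decide about drivers) falls out of comparing a manifest of a known-good installation against the mounted suspect volume. The script below builds such a manifest with plain SHA-256 (not the Authenticode digest), reports modified files as overwrite candidates and unknown files as rename candidates, and keeps unknown files under system32\drivers separate, because hardware-specific drivers will legitimately be absent from any baseline and renaming them blindly is how the patient gets killed. The demo trees and their contents are constructed placeholders, not real Windows files; for real use, point hash_tree at the mounted volume (for example /mnt/suspect from a Linux live CD) and at a clean install of the same language and service-pack level, since the file set differs between those.

```python
"""Compare a mounted suspect volume against a manifest built from a known-good
installation: modified files are candidates to overwrite, extras are candidates
to rename, and extra drivers need a per-machine decision."""
import hashlib
import os
import tempfile

DRIVER_DIR = "windows\\system32\\drivers\\"


def file_sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: str) -> dict:
    """Map each file's path (relative, lower-case, backslashes) to its SHA-256.
    Paths are normalised so a manifest built on a Linux live CD still lines up
    with the Windows layout."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "\\").lower()
            manifest[rel] = file_sha256(full)
    return manifest


def compare(baseline: dict, suspect: dict) -> dict:
    """Split the suspect volume into overwrite / rename / decide-per-machine lists."""
    modified = sorted(p for p in baseline if p in suspect and suspect[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in suspect)
    extra_all = [p for p in suspect if p not in baseline]
    return {
        "modified": modified,                      # overwrite from clean media
        "missing": missing,                        # restore from clean media
        "extra_drivers": sorted(p for p in extra_all if p.startswith(DRIVER_DIR)),
        "extra": sorted(p for p in extra_all if not p.startswith(DRIVER_DIR)),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, *rel.split("\\"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed two-tree scenario; file contents are placeholders, not binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = os.path.join(tmp, "clean"), os.path.join(tmp, "suspect")
        for root in (clean, suspect):
            _write(root, r"WINDOWS\system32\drivers\ntfs.sys", b"ntfs driver")
            _write(root, r"WINDOWS\system32\ntoskrnl.exe", b"kernel")
        _write(clean, r"WINDOWS\system32\kernel32.dll", b"kernel32 original")
        _write(suspect, r"WINDOWS\system32\kernel32.dll", b"kernel32 patched by rootkit")
        _write(suspect, r"WINDOWS\system32\dllh0st.exe", b"dropper")
        _write(suspect, r"WINDOWS\system32\drivers\nvata.sys", b"vendor storage driver")
        return compare(hash_tree(clean), hash_tree(suspect))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison says nothing about the registry, so the startup entries and service definitions that point at the renamed files still have to be cleaned from the offline hives, as discussed earlier in the thread; otherwise the next boot logs errors for every renamed driver and the malware's service entry is still there waiting for the file to come back.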
