Suggestion to defeat malware that deletes Spybot's files.



bizzybody
2007-09-03, 06:01
Suggestion first, followed by what made me think of this idea.

Recent malware has the nasty trick of generating random names for its files as it infests a PC. It also edits any internal references within its files to match the random names. Some malware will even recreate its files with all new random names if you find the files and delete them.

Combine that with a 'hunt and kill' list of executable filenames for popular anti-malware programs like Spybot and AVG, and it's an extremely nasty infection to find and kill when you can't get the cleaner software installed on the infected PC.

So how about using that same stealthing feature against the malware? How? By creating the installer on the fly when the download is requested. For example, rename teatimer.exe to gfwilpsd.exe, change all references in the other files from teatimer.exe to gfwilpsd.exe, and do the same for all the other .exe files. Then create the installer and a link to it. May as well randomize the name of the installer too, because it won't be long before a piece of malware comes along with a list of those names to look for and delete.

I know something like this is possible because GRC 'injects' a unique serial number into every paid download of SpinRite, then packs up the installer on the fly.

The random-named download of Spybot could be an option for when the standard version gets deleted by malware.

--------------------------------------------
Four days ago, one of my PCs caught a nasty bug that searches for and DELETES the .exe files for Spybot and AVG, and likely other anti-malware programs. (But not AdAware 6, though it didn't find anything bad.)

Both Spybot and AVG were fully updated the day before, yet this new bug sneaked past both of them.

Until it's eliminated, it's impossible to reinstall Spybot or AVG because the instant the installer puts the .exe files onto the drive, the malware deletes them.

This bug also causes the computer to reboot if I attempt to boot into safe mode. I also tried pulling the plug after booting so the bug couldn't make changes to the Registry on shutdown. The bug had a real nasty counter for that: the PC could no longer boot at all; it'd just reboot endlessly.

Next I tried a repair install of XP Pro (slipstreamed to SP2) and the bug survived that.

Yesterday (Sep. 01, 2007) I got the latest updates to AVG, connected the infested drive to another PC and it found several nasties, but not THE nasty because it's still there deleting Spybot and AVG and downloading all kinds of other crap whenever the computer's online. There's another small AVG update today, which has found 5 more bad files so far, still scanning as I type.
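The rename-and-rewrite step proposed above, as an added example that is not part of the original post and not Spybot's or Safer Networking's code. It treats an installer payload as a mapping of file name to content (a constructed sample; teatimer.exe and spybotsd.exe are used only as example names, and the .ini and .bat contents are made up), gives every .exe a fresh random name, rewrites whole-token references in the text files so they still point at the right binary, and then checks that no old name was left behind. Because the rewrite matches whole names only, a name that merely appears inside a longer name is left alone, which is the edge case that breaks naive search-and-replace.

```python
import re
import secrets
import string

# Constructed sample "installer payload": file name -> content. Binaries are
# bytes placeholders, text files are str. None of this is Spybot's real layout.
SAMPLE_PACKAGE = {
    "teatimer.exe": b"<binary placeholder>",
    "spybotsd.exe": b"<binary placeholder>",
    "settings.ini": "[startup]\nresident=teatimer.exe\nmain=spybotsd.exe\n",
    "uninstall.bat": "@echo off\ntaskkill /im teatimer.exe\ndel teatimer.exe spybotsd.exe\n",
}


def random_basename(length=8):
    """Cryptographically random lowercase basename, e.g. 'gfwilpsd'."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def build_rename_map(names, rng=random_basename):
    """Map every .exe in `names` to a fresh random .exe name, avoiding collisions
    with existing file names and with names already handed out."""
    mapping = {}
    used = {n.lower() for n in names}
    for name in names:
        if not name.lower().endswith(".exe"):
            continue
        while True:
            candidate = rng() + ".exe"
            if candidate.lower() not in used:
                used.add(candidate.lower())
                mapping[name] = candidate
                break
    return mapping


def rewrite_references(text, mapping):
    """Replace whole-token, case-insensitive occurrences of each old name.
    The lookarounds stop 'teatimer.exe' from matching inside 'xteatimer.exe'."""
    alternatives = "|".join(re.escape(k) for k in sorted(mapping, key=len, reverse=True))
    pattern = re.compile(r"(?<![\w.])(" + alternatives + r")(?![\w.])", re.IGNORECASE)
    lookup = {k.lower(): v for k, v in mapping.items()}
    return pattern.sub(lambda m: lookup[m.group(1).lower()], text)


def randomize_package(package, rng=random_basename):
    """Return (rename_map, new_package): .exe files renamed, text files rewritten."""
    mapping = build_rename_map(list(package.keys()), rng)
    out = {}
    for name, content in package.items():
        new_name = mapping.get(name, name)
        if isinstance(content, str):
            content = rewrite_references(content, mapping)
        out[new_name] = content
    return mapping, out


def leftover_references(package, old_names):
    """Old .exe names still mentioned in any text file, i.e. references the
    rewrite missed. An empty set means the package is internally consistent."""
    found = set()
    for content in package.values():
        if isinstance(content, str):
            for old in old_names:
                if old.lower() in content.lower():
                    found.add(old)
    return found


if __name__ == "__main__":
    rename_map, randomized = randomize_package(SAMPLE_PACKAGE)
    for old, new in rename_map.items():
        print(f"{old} -> {new}")
    print("files:", sorted(randomized))
    print("missed references:", leftover_references(randomized, rename_map))
```

Renaming only defeats a kill-list that keys on file names; a scanner that is itself deleted by hash or by behaviour gains nothing from it, so this addresses exactly the trick described in the post and no more. The `rng` parameter exists so the mapping can be made deterministic in tests while production use keeps the `secrets`-based default.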