3 Tips for Detecting Malware
- Written by: Dave Nelson
Detecting malware is becoming more difficult. The 2016 Verizon Data Breach Investigations Report (DBIR) details how hard it is for anti-malware tools to keep up with advances in malware evasion techniques. As such, you should expect that some systems within your environment will succumb to malware. The following tips will help you identify whether a system has been infected even when your anti-malware tools fail to detect the infection.
1. Check the following Windows registry keys for unknown executables.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Typically these unknown executables will have completely random names, such as IFAZZS.EXE or 9G8XRT43.BAT. They may also be near-misspellings of valid system file names with one or two extra characters, such as serverr.exe.
You can also use the Startup tab in Windows Task Manager for a quick view; however, it only shows applications set to run under the currently logged-in user account, and a startup entry can be suppressed from showing in Task Manager, so viewing the registry keys directly is the most reliable method.
2. Review the system services for unknown services
Currently registered services are each listed as sub-keys of the following Windows Registry key.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Any keys that are unfamiliar or appear to be randomly named should be investigated to determine whether they are legitimate or malicious.
3. Review system event logs
Windows Event IDs 7036 and 7040 will list any services that attempt to start. Details such as the command line used to execute the service, user names and the source workstation may be included in these or other events from the Service Control Manager. This information can pinpoint the source of malware, including cases where the source workstation is an IP address that is not on the local network.
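The three checks above combined into one triage script, as an added example that is not code from the original post: it enumerates the four Run/RunOnce keys, lists the sub-keys of the Services key, and pulls the Service Control Manager events, marking names that look machine-generated. The "random name" heuristic, the 200-event limit and the inclusion of event 7045 are this example's own assumptions.

```powershell
# Added example, not code from the original post. Enumerates the Run/RunOnce
# keys, the Services key and SCM events described in the post and marks names
# that look machine-generated. The heuristic and thresholds are assumptions.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Crude "random name" heuristic: no vowels, digits mixed into letters, or a long
# consonant run. Lookalike names such as serverr.exe are NOT caught; review by eye.
function Test-RandomName {
    param([string]$Name)
    $base = [System.IO.Path]::GetFileNameWithoutExtension($Name)
    if ($base.Length -lt 5) { return $false }
    $noVowels = $base -notmatch '[aeiouAEIOU]'
    $digitMix = ($base -match '[A-Za-z]') -and (($base -replace '[^0-9]').Length -ge 2)
    $consRun  = $base -match '[b-df-hj-np-tv-z]{4}'
    return [bool]($noVowels -or $digitMix -or $consRun)
}

# 1. Run / RunOnce values: value name, full command, and the executable it launches
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $MetaProps) { continue }   # skip provider metadata properties
        $exe  = [regex]::Match([string]$p.Value, '[^"\s]+\.(exe|bat|cmd|vbs|ps1)', 'IgnoreCase').Value
        $flag = if (Test-RandomName (($exe -split '[\\/]')[-1])) { 'SUSPECT' } else { '' }
        [pscustomobject]@{ Key = $key; Value = $p.Name; Command = $p.Value; Flag = $flag }
    }
}

# 2. Services: every sub-key under the Services key is a registered service
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $img = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and (Test-RandomName $_.PSChildName)) {
        [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $img; Flag = 'SUSPECT' }
    }
}

# 3. Service Control Manager events. 7036 = service entered the running/stopped
#    state, 7040 = start type changed. 7045 (a service was installed, with image
#    path and account) is included here beyond the post because it names the installer.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036, 7040, 7045 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
```

Run it from an elevated PowerShell prompt so the HKLM keys and the System log are fully readable; unflagged entries still deserve a look, since the heuristic only catches obviously random names.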
Finally, should you find files, URLs or other information you believe points to malware, you can use www.virustotal.com to check whether a hash, URL or IP address has been associated with malware. You can also search its database for service, file or user names, IP addresses, mutex names and other details found during malware analysis.
Fighting malware is no easy task. Hopefully you’ll find this list of detection techniques useful in identifying a system that may have been compromised by malware.