Saturday, June 19, 2010

Removing Malware Manually

The previous article (Understanding Cyber Threats: BOTNET) explained the danger of bots and botnets, which are one category of malware. Proactive, preventive measures were also described.

But what if your computer has already been infected and the malware detection software can only detect the malware without removing it? Some tools cannot detect it at all. This situation is common: the computer keeps suffering from slow processing and high memory usage that disrupt daily work, and the infection may then spread to the organisation's entire ICT network.


Malware comprises many different kinds of malicious software, such as adware, spyware, viruses, worms and, most recently, botnets. All share one objective: gaining access to the system, and from there causing operating-system problems and stealing information.

Signs of Infection

As noted earlier, malware slows down the operating system. There are, however, several other conditions that may indicate a computer is infected with malware, such as:

  • Unfamiliar files or programs appear;
  • The user cannot reach www.microsoft.com or anti-virus vendors' websites;
  • Certain directories appear in Windows Explorer but cannot be accessed or opened; and
  • The browser (Internet Explorer, Firefox) opens unwanted pop-up advertisements.

Removing Malware

Without experience, removal is fairly difficult, but this article explains the steps that can be taken to remove the malware.

Removal Steps

Before starting the detailed steps, first close all programs and Internet browsers. If necessary, back up important data.

First: Stop all malware processes, by first identifying them.

The methods for identifying malware are as follows:

Using Windows Explorer



With the folder-view configuration above selected (show hidden files and file attributes), all files are displayed together with their attributes. Next, look for an autorun.inf file on removable drives such as USB thumb drives. If the drive contains an autorun.inf, open it with notepad.exe to check whether the files it references belong to a legitimate program.

Using Process Explorer


Referring to the picture above, click Options and select 'Verify Image Signatures'. This option shows whether each program comes from a legitimate vendor. Next, in the Company column, look at the processes that are not from Microsoft Corporation. If a name is unfamiliar or looks odd, give it special attention because it may be malware. Finally, check for processes named csrss.exe, lsass.exe or services.exe that do not come from Microsoft; malware often uses these process names to mislead users.
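The same three checks (image signature, Company column, well-known system process names running from the wrong place or without a Microsoft signature) can be scripted. The block below is an added example, not code from the original article or from MAMPU; it assumes an elevated PowerShell session on Windows, and the list of system process names it watches is an assumption extended from the three the article names.

```powershell
# Added example: replicate Process Explorer's "Verify Image Signatures" and
# Company-column review from PowerShell. Assumes an elevated session; the
# paths of protected processes are not visible to a non-admin user.

# Names that malware commonly borrows (assumed list); genuine copies live in System32.
$systemNames = @('csrss.exe', 'lsass.exe', 'services.exe', 'svchost.exe', 'winlogon.exe')
$system32    = Join-Path $env:SystemRoot 'System32'

function Get-SuspiciousProcesses {
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.Path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $isMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')
        $imageName   = [System.IO.Path]::GetFileName($_.Path).ToLower()
        $flags = @()

        # Unsigned or invalidly signed image: the equivalent of a blank "Verified Signer" column.
        if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }

        # A system process name running outside System32, or not signed by Microsoft.
        if ($systemNames -contains $imageName) {
            if (-not $_.Path.StartsWith($system32, 'OrdinalIgnoreCase')) { $flags += 'system-name-outside-System32' }
            if (-not $isMicrosoft) { $flags += 'system-name-not-Microsoft-signed' }
        }

        # Company column check: empty vendor information deserves a second look.
        if (-not $_.Company) { $flags += 'no-company' }

        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                PID     = $_.Id
                Name    = $_.ProcessName
                Path    = $_.Path
                Company = $_.Company
                Signer  = $signer
                Flags   = ($flags -join ', ')
            }
        }
    }
}

Get-SuspiciousProcesses | Format-Table -AutoSize
```

A flagged row is a lead, not a verdict: on older Windows versions many Microsoft binaries are signed through security catalogs rather than an embedded signature, so Get-AuthenticodeSignature can report them as NotSigned while Process Explorer (which consults the catalogs) shows them as verified. Compare the Path and Signer columns before acting on a row.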

Using TCPView


Review the running processes and their active connections. If a connection looks out of place, terminate it.

Using Notepad

Open the file 'C:\WINDOWS\system32\drivers\etc\hosts' in Notepad.exe. The file should contain only one IP entry:

127.0.0.1 localhost

If there is any other information, malware may have modified the file. The hosts file can be used to redirect particular host names to arbitrary computers.
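Reading the hosts file by eye works on one machine; the function below does the same check in a repeatable way. It is an added example, not part of the original article; it assumes a default Windows install, and it treats the IPv6 loopback line ("::1 localhost") as expected as well, because newer Windows versions ship it alongside the IPv4 line the article shows.

```powershell
# Added example: list hosts-file entries other than the expected loopback
# mapping(s). Comment lines and blank lines are ignored; spacing is normalised
# so "127.0.0.1    localhost" still matches.

function Get-UnexpectedHostsEntries {
    param(
        [string]$HostsPath = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')
    )
    # Mappings considered normal (assumption: IPv4 and IPv6 loopback only).
    $expected = @('127.0.0.1 localhost', '::1 localhost')

    Get-Content -Path $HostsPath | ForEach-Object {
        # Strip trailing comments and surrounding whitespace.
        $line = ($_ -replace '#.*$', '').Trim()
        if ($line -eq '') { return }                     # blank or comment-only line
        $normalized = ($line -split '\s+') -join ' '     # collapse runs of spaces/tabs
        if ($expected -notcontains $normalized) {
            $parts = $normalized -split ' '
            [pscustomobject]@{
                Address   = $parts[0]
                Hostnames = if ($parts.Count -gt 1) { $parts[1..($parts.Count - 1)] -join ' ' } else { '' }
                Raw       = $_
            }
        }
    }
}

$unexpected = @(Get-UnexpectedHostsEntries)
if ($unexpected.Count -gt 0) {
    Write-Warning "hosts file contains $($unexpected.Count) unexpected entries:"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Output 'hosts file contains only the expected loopback entries.'
}
```

Pay particular attention to rows whose Hostnames column names an anti-virus vendor or update site mapped to 127.0.0.1 or to an unfamiliar address; that is the mechanism behind the "cannot reach www.microsoft.com or anti-virus websites" symptom listed earlier.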

Using Windows Task Manager

Click Start > Run and type taskmgr. The Processes tab lists the running processes. Find and stop the malware process, then remove all files associated with the malware. To decide whether a running process is malware, look for the following: a suspicious file name; a file or directory name that seems out of the ordinary; strange file properties, for example hidden files, no file version or vendor name, or an abnormal file date. To stop a process, click on it and choose 'End Task'.

Second: Once the malware process has been identified, the next step is to remove it from the computer. This involves four main steps:

  1. Stop all running malware processes.
  2. Remove the malware-infected files from the system.
  3. Using the registry editor (Start -> Run: regedit), search for and delete every entry that refers to the files or programs found.
  4. Change the configuration so that autostart/autorun is disabled. Refer to the diagram below: in the Run box, type gpedit.msc.
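Steps 3 and 4 above are done interactively with regedit and gpedit.msc. The block below is an added example, not from the original article: it lists the most common autostart registry locations so the entries can be reviewed before anything is deleted, and it applies the same AutoRun policy that the gpedit.msc "Turn off AutoPlay" setting writes (NoDriveTypeAutoRun = 0xFF under the Explorer policy key). It assumes an elevated PowerShell session; the "needs review" heuristic (commands not running from Program Files or the Windows directory) is an assumption, not a rule from the article.

```powershell
# Added example: review autostart (Run/RunOnce) registry entries and disable
# AutoRun for all drive types. Requires an elevated session for the HKLM writes.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # PS* members are bookkeeping added by the registry provider, not registry values.
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            [pscustomobject]@{
                Key         = $key
                Name        = $p.Name
                Command     = $p.Value
                # Heuristic (assumption): commands outside Program Files / Windows deserve a look.
                NeedsReview = -not ("$($p.Value)" -match '(?i)\\(Program Files( \(x86\))?|Windows)\\')
            }
        }
    }
}

function Disable-AutoRunPolicy {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    # 0xFF = disable AutoRun on every drive type, the value the gpedit policy sets.
    Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    Get-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun'
}

Get-AutostartEntries | Format-Table -AutoSize
Disable-AutoRunPolicy
```

Export the key first (regedit File > Export, or reg export) before removing an entry, so a mistaken deletion can be reverted; legitimate software such as updaters also registers itself under these keys, which is why the output is for review rather than automatic removal.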


Malware is usually hard to remove: it persists, or resists removal altogether, by spawning a second process that remains in the system. The four steps above, together with the steps for identifying the malware, are therefore very important and need careful attention before the malware can damage the computer.

Tools

The following is a list of tools that can be used; all are freeware and do not require a complicated installation.

______________________________________

Author:

ICT Compliance Division, MAMPU.


source and credit : http://www.ictsecurity.gov.my/

Friday, June 18, 2010

New cyber security threats facing the public sector

Thursday 17 June 2010 10:49

The US government is investing heavily in cyber security after the recent attacks on Google pushed the issue of targeted internet security breaches up the agenda.

Security experts say the attacks represent a new kind of security assault that can overcome the defences of even sophisticated companies such as Google.

They are carried out by very "motivated" and organised people and are targeted at a specific organisation, according to James Chappell, head of enterprise security services at Detica, who spoke at the recent conference on Modernising Justice Through IT.

The types of attacks Google experienced may still be infrequent, but Chappell predicts they are likely to increase as use of the internet continues to spread and business systems increasingly rely on cloud computing.

Some attacks might stem from the stereotypical "casual attacker" - a teenager in their bedroom - but cyber attacks are also increasingly becoming a way for hostile foreign states to attack other countries as the technology gets more sophisticated.

He said more people will get the skills needed to launch assaults on the systems of any organisation with the aim of getting hold of data, causing operational problems, or making a political point.

High-profile public sector organisations are perhaps more likely to have to cope with assaults like Google's, but Chappell said the approach in most departments or local authorities is wrong at the moment.

"A lot of protection today works on the basis of protecting against something that is already known about. If there is something that is not known about, and has not happened yet, how do you understand it and protect yourself?

"We are trying to explore what the threat is to civil government, and find out whether there is a level of awareness that they ought to be protecting themselves. Our impression is that the awareness is quite low."

The approach companies should be following is one based on monitoring and analysing data across the organisation carefully, to check for anomalies and anything unusual.

And seeing as most of the new kinds of attacks come through the internet, an excellent - albeit fairly drastic - way of protecting corporate networks is to separate them from the network the internet runs on.

Chappell admits this is costly, and said Detica has been looking at virtualisation as a way of separating machines virtually while cutting costs.

"How do organisations keep ahead of cyber security problems when there is no budget to invest in systems? The financial climate in the public sector is more austere than it has been for years, and the advice is to target specific vulnerabilities.

"It is about picking the areas you have vulnerabilities in to get the benefits. If you review existing operations and reduce costs there will be some budget to do something with," he said.


source and credit : http://www.computerweekly.com/Articles/2010/06/17/241633/New-cyber-security-threats-facing-the-public-sector.htm

85% infections contracted via web

18 June 2010

The first set of monthly research from IT security vendor Avast claims to show that, whilst surfing the internet is "statistically safer than, say surfing in Newquay" it's still a risk, as around 85% of computer infections are caused by accessing the web.

The research from Avast says that landing on an infected website is as simple as looking for something innocuous on the web such as the NHS, roofing supplies and fireworks.

Avast's research teams discovered a grand total of 396 679 hijacked and malicious webpages during May.

According to Avast, its research division uncovered an overwhelming small business theme during May for the most infected types of websites.

Drawing on the collective intelligence service collated by its CommunityIQ network, Avast says that, during May, its software prevented more than a million users every day from accessing infected websites.

The number of visits to individual infected sites, meanwhile, jumped by 52%, with each site receiving an average 89 visitors – up from the previous level of 59. At the same time, the number of reported infected domains dropped by over 30% to 396 679.

Ondrej Vlcek, Avast's chief technology officer, said that the results from the May analysis are bad news for the general public, as it means there are more infections at high-profile, legitimate sites with a high visit rate.

"Small businesses are easy targets as they often don't employ in-house IT staff and tend to use basic hosting services with limited threat prevention technology", he said.

Avast is advising internet users to avoid using peer-to-peer and warez sites and services – 'cracked' copies of your favourite movie or game might contain more than you think, says the firm.

"Watch where you click. Don't click on all search engine results or pop-ups that suddenly appear on your computer. You might get yourself infected with a fake security programme", he explained.

"Stay up to date. Keep your browser and related programmes up-to-date with the newest security updates. This will reduce the opportunity for hackers to take over your computer through a known vulnerability", he added.

source and credit to : http://www.infosecurity-magazine.com/view/10375/85-infections-contracted-via-web/

Thursday, June 17, 2010

Spammers gear up for Father’s Day

17 June 2010

Global spam exploiting Father's Day is increasing rapidly in the run up to the 20 June celebration in 52 countries, according to the Symantec Response team.

"Sadly, spammers don't forget to send out their holiday spam, although a couple of ongoing global events such as the FIFA World Cup and Shanghai World Expo might also draw their attention," Vivian Ho, senior security response lead at Symantec wrote in a blog post.

Father's Day spam messages are similar to Mother's Day spam, including hit-and-run spam, product promotion, and e-card services, said Ho.

"We have observed that spammers registered lots of domains with various 'From' aliases and subject lines in order to bypass spam filters in hit-and-run spam. These types of spam messages, with Father's Day headers, can attract readers' attention", he said.

Symantec is expecting to see more attacks in the coming days and advises users to ignore these messages.

Samples of messages to avoid

  • From: "Gifts for Dad by You"
  • From: "Father's Day Gifts"
  • From: "Gift Ideas for Fathers Day"
  • From: "Gifts for Dad by You"
  • From: "Personalized Fathers Day Gifts"
  • From: "Gifts by You for Dad"
  • From: "Unique Gifts for Dad"
  • From: "Create A Gift for Dad"
  • Subject: Memorable Fathers Day Gifts
  • Subject: Personalized Gifts for Dads, Grandpas, Uncles, Brothers, and Sons
  • Subject: Gifts for All the Dads in Your Life
  • Subject: Personalized Gifts Just for Dad
  • Subject: Give Dad what he really wants - 25 Premium Cigars w/ Free S&H!
  • Subject: - Father's Day -
  • Subject: RE: FATHERS DAY.
  • Subject: Father's Day Blowout! % OFF!
  • Subject: Personalized "My Daddy's Hand" Print for Father's Day

This article was first published by Computer Weekly


Credit to : http://www.infosecurity-magazine.com/view/10335/spammers-gear-up-for-fathers-day/

Trend Micro security expert warns on hidden javascript tweets

17 June 2010

Rik Ferguson, senior security advisor with Trend Micro, has uncovered a potentially serious security attack on users of the Twitter microblogging service.

The attack centres on a tweet-based link that routes to an obfuscated JavaScript routine, which delivers a variety of malicious payloads via the user's web browser.

The attack vector is essentially a rework of the phishing emails seen on regular email services for the last couple of years, Infosecurity notes, but this is one of the first times a JavaScript vector has been used with Twitter.

In his Countermeasures security blog posting, Ferguson said that Trend's research team has seen both malicious PDF documents and executable files from this attack scenario.

"These Trojans attempt to connect to additional locations to download further malware. TrendLabs are currently investigating the situation", he said.

According to Ferguson, this latest Twitter malspam attack follows hot on the heels of the Gaza and FIFA spam run of earlier in June. "Be careful where you click and make sure your security software is blocking those evil links", he said.

Trend Micro's warning has been picked up by fellow IT security researcher Chris Boyd over at Sunbelt Software, who noted that "there appears to be a bit of a mad dash to infect people by the boatload on Twitter, with a variety of different messages being sent to random targets."

One of the PDF exploits, says Boyd, has turned out to be exploit.PDF-JS.Gen (a well-known virus, Infosecurity notes).

"This isn't the first malicious spamrun on Twitter, and it certainly won't be the last. With that in mind, it might be best to avoid random links sent to you from strangers. You never quite know what's at the other end", he said.


Credit to : http://www.infosecurity-magazine.com/view/10340/trend-micro-security-expert-warns-on-hidden-javascript-tweets/