Topic: Protect Windows Safe Mode against malware....

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32688
  • malware fighter
Protect Windows Safe Mode against malware....
« on: January 02, 2010, 01:46:45 PM »
Hi malware fighters,

As nmb published this in the virus and worms sticky ( http://forum.avast.com/index.php?topic=37542.msg448961;topicseen#msg448961 ), I give it again with some additional precaution instructions.
More and more malware is found that prevents infected Windows computers from starting in Safe Mode, but the Belgian security researcher Didier Stevens has now come up with a solution. A program he developed will produce a registry key that cannot be removed. It is also possible to put back all registry keys that have been maliciously removed. Cyber criminals of course do not want this to happen, and they have now developed specific malware that actively scans the registry to prevent deleted keys from being put back. For this kind of malware users have to use a LiveCD to start the OS, according to Stevens a rather complicated procedure to perform. Well, it sees to it that malware won't run and that the Safe Mode registry key is restored.

The registry key that the researcher produced even ensures that system admins and the system account cannot remove that particular key. That means malware cannot do this either. These specific rights are only set when the registry key is not there. "You may think now that malcreants could circumvent this by adapting rights before they want to delete keys. That is a fact. But because there is no malware around that changes the Safe Mode registry key, there is no need yet to change the rights of system admins and system accounts. This issue will be solved when the software comes out."

Problem
According to Stevens it is a big problem. "I have been posting about malware that deletes the Safe Mode keys to prevent users from removing malware in Safe Mode. Later I found a solution to restore Safe Mode," as the researcher tells us. The .REG file has now been downloaded over 30,000 times. "And it is striking to me that this solution is gaining so much popularity during the recent couple of months; it makes me think that malware that disables the registry keys is on the increase."
Links: http://blog.didierstevens.com/2010/01/01/the-undeletable-safeboot-key/

https://www.didierstevens.com/files/software/UndeletableSafebootKey_V0_0_0_1.zip

http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/

polonus

P.S. Use secure downloading, that means whenever installing new software without knowing the source, perform an AV and anti-malware scan of the executable and the rest of the files.
If no malicious software is flagged or detected, it could still be a zero day, so be careful.
Before installing a proggie or a tool, always export your Registry first.
Should it turn out to be malcoded, then make another export of the Registry and compare both exports with a File Compare to see what malcoded crap has nested in the registry. Then perform an uninstall and search for the files that weren't removed (select *.* for the date of that specific day of install), and now as a final step put back the Registry - easy peasy...

Damian
« Last Edit: January 02, 2010, 06:20:46 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
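The two things polonus describes above, checking that the SafeBoot keys Windows needs for Safe Mode are still there (and who is allowed to delete them), and comparing a registry export taken before an install with one taken after, can be done from PowerShell. The script below is an added example for this thread; it is not Didier Stevens' tool and not from the forum post. It assumes an elevated PowerShell session on Windows, the standard SafeBoot key location `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot`, and export files produced by `reg export` (the file paths under `C:\temp` are placeholders).

```powershell
# Added example, not from the thread or from Didier Stevens' software.
# Read-only audit of the SafeBoot keys plus a diff of two registry exports.
# Assumes: elevated PowerShell 5.1+ on Windows; standard SafeBoot key path.

$SafeBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

function Test-SafeBootKeys {
    # Safe Mode needs the Minimal subkey, Safe Mode with Networking the Network
    # subkey. Malware that deletes either one makes that boot option fail.
    $result = [ordered]@{}
    foreach ($name in 'Minimal', 'Network') {
        $path   = Join-Path $SafeBootKey $name
        $exists = Test-Path -LiteralPath $path
        # A key that exists but has been emptied also breaks Safe Mode, because
        # Windows reads the driver/service class entries from inside it.
        $count  = if ($exists) { (Get-ChildItem -LiteralPath $path).Count } else { 0 }
        $result[$name] = [pscustomobject]@{ Path = $path; Exists = $exists; SubKeys = $count }
    }
    # AlternateShell names the shell used by "Safe Mode with Command Prompt".
    $props = Get-ItemProperty -LiteralPath $SafeBootKey -ErrorAction SilentlyContinue
    $result['AlternateShell'] = $props.AlternateShell
    return $result
}

function Get-SafeBootKeyAcl {
    # Lists who may do what on the SafeBoot key. Stevens' approach is a Deny
    # entry on this key; an audit only needs to read the rules, not change them.
    (Get-Acl -Path $SafeBootKey).Access |
        Select-Object IdentityReference, AccessControlType, RegistryRights, IsInherited
}

function Compare-RegistryExport {
    param(
        [Parameter(Mandatory)][string] $Before,   # reg export taken before the install
        [Parameter(Mandatory)][string] $After     # reg export taken after the install
    )
    # reg export writes UTF-16LE text with a BOM; Get-Content detects that.
    $a = Get-Content -LiteralPath $Before
    $b = Get-Content -LiteralPath $After
    # Lines present in only one file: '=>' appeared after the install, '<=' disappeared.
    Compare-Object -ReferenceObject $a -DifferenceObject $b |
        Where-Object { $_.InputObject -match '\S' } |
        Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'added' } else { 'removed' } } },
                      @{ n = 'Line';   e = { $_.InputObject } }
}

function Find-FilesCreatedOn {
    # The "select *.* for the date of install" step: files created on a given day.
    param(
        [Parameter(Mandatory)][datetime] $Day,
        [string] $Root = 'C:\'
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime.Date -eq $Day.Date } |
        Select-Object FullName, CreationTime, Length
}

# Usage (placeholder paths). Export the subtree you care about rather than the
# whole registry; a full HKLM export is very large and slow to compare.
#   reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot C:\temp\safeboot-before.reg /y
#   ... install the unknown program ...
#   reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot C:\temp\safeboot-after.reg /y
#   Compare-RegistryExport -Before C:\temp\safeboot-before.reg -After C:\temp\safeboot-after.reg
#   Test-SafeBootKeys
#   Get-SafeBootKeyAcl
#   Find-FilesCreatedOn -Day (Get-Date) -Root 'C:\Program Files'
```

If `Test-SafeBootKeys` reports a missing or empty `Minimal` or `Network` key, that is the symptom the thread describes, and restoring it from a known-good export (or Stevens' .REG file) is the fix; the ACL listing shows whether a Deny entry for key deletion is in place.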

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3060
Re: Protect Windows Safe Mode against malware....
« Reply #1 on: January 02, 2010, 05:42:58 PM »
Thanks for the detailed explanation sir pol.  :)

nmb

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9442
Re: Protect Windows Safe Mode against malware....
« Reply #2 on: January 02, 2010, 05:49:05 PM »
very useful once again, thanks guys  ;)
w7 - ais7

Offline CharleyO

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7085
  • Be alert for error code - ID 10T
Re: Protect Windows Safe Mode against malware....
« Reply #3 on: January 02, 2010, 08:18:04 PM »
***

Thanks for the information, Polonus.   :)


***
Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32688
  • malware fighter
Re: Protect Windows Safe Mode against malware....
« Reply #4 on: January 04, 2010, 03:15:52 PM »
Hi CharleyO,

I wrote about exporting the registry before and after downloading from unknown sources, but a VM snapshot would also do fine.

polonus