Hacking Book | Free Online Hacking Learning


malicious code removal practice

Posted by herskovits at 2020-03-21

Reading: 8760

What is malicious code, instruction set? Binary executable? Script language? Word processing macro language? Other instruction sets and so on Taking common types for example, if a server has malicious code, the malicious code of windows series machines generally refers to viruses, worms, Trojans and backdoors, and the malicious code of Linux system machines is generally rootkit.

Then, how to quickly determine whether there is malicious code in your web server, whether there is intranet penetration caused by web-based problems, or whether malicious code is implanted as a springboard machine, chicken, etc.; how to quickly clear malicious code by hand or tools, strengthen the system, and prevent the next intrusion.

Green League technology blog invites security engineers of security service team to start with a real case to explain how to manually remove malicious code. Now it is known that a server is not performing properly. We need to check the server for problems.

View system log

The precondition is that the log policy and audit policy of the server have been enabled.

system log

After querying the log, it can be found that the attacker has made multiple login attempts from the terminal service side, that is, the remote desktop, and a large number of the same status logs appear, that is, remote brute force guessing. Due to the limit of login failure times, the time for the attacker to guess the real password is delayed.

How to execute a malicious program

It can be found by checking the planned tasks of the system that the attacker uses the more conventional planned tasks to execute Trojan programs.

By checking the properties of the scheduled task, you can find the path of the Trojan horse file.

Implementation 1

Implementation 2

Implementation 3

The Trojan file is similar to the file name of svchost.exe, which is confusing to some extent, and belongs to the general hiding way. It can be seen from the query that svchsot.exe is the related program of troj / gwghost-o Trojan horse, which is the main component of the Trojan horse.

Continue to trace

In addition, slowly following the steps of the intruder, it can be seen that the attacker has moved more than one hand and foot.

Track down 1

In the prefetch folder, the prefetch directory is the pre read file started for the system. You can see Xiaoma and the broiler catching tool. When you check the creation time, you can see that you have taken the server as a broiler several days ago or even earlier, but you haven't found it yet.


In addition, it is found that there are some. Pf files. Obviously, the attacker wants to be a chicken when the system is running. According to the file name of the pre read file. PF, the system starts a reverse search to lure the enemy in.

PF file

It can be found that in the system directory, there is a link to the. Pf file. Obviously, this is also the way to boot and load, which makes the server go online as a tool when it is powered on. It's really a long-term fishing.

Attack by innuendo

View the process, you can find the problems in the system from the running process;

Task Manager

To sum up the cases, in the process of looking for malicious code, it is the purpose to view the system information according to various ways, judge the existence position and triggering mode of malicious code according to the collected information, delete the execution file of malicious code, and investigate whether the accessory products of malicious code affect the system startup items, system files, etc.; the execution files and services related to malicious code will be checked Services, links and so on are deleted. If possible, the most secure reinstallation of the operating system is excellent.

To troubleshoot the problems in the server system, we need to check the process, service, startup item, network connection, hook, etc., and focus on the log events and system information changes before and after the security event according to the time node when the security event occurs. If possible, we can use the time point as the clue for correlation analysis So as to find out the thinking and operation steps of the intruder. We also recommend some common gadgets, which can help us better to get different types of system information, so as to grasp the system traces and find problems.

Trace 1: process

Recommended widget: process explore

Process explore

View suspicious processes and their children. You can observe the following:

Process without signature verification information

Process without description information

Owner of process

Is the path of the process legal

A process that takes too much CPU or memory resources for a long time

Trace 2: Documents

Recommended method: sort by date and check the changes of sensitive directory files of the system.

Trace 3: start item

Recommended Gadget: AutoRuns


This gadget can view the system's startup key, and can explain most of the startup keys, and display the path to call the registry. At the same time, it can also check and detect some common Trojan running modes, BHO keys, planning tasks, image hijacking, etc. The standard of general judgment is whether the item is annotated, whether it is a suspicious common component, whether it is not an item added by the administrator, etc.

Trace 4: comprehensive analysis

Recommended Gadget: iceword


Iceword has powerful functions. It can detect hidden processes and mark them in red for our convenience. At the same time, it can detect and observe ports, services, registry, files, threads, etc., and manually detect suspicious option names that are not described or strange one by one.


The process of malicious code detection is a very interesting process. It goes against the intruder's ideas, like restoring the crime scene, time reversal, plus reasoning and analysis, and not letting go of any clues. I believe that you who like detective novels will like the process of malicious code detection and exploration.

English version: http://blog.nsfocus.net/case-study-removing-malicious-code/