SysInternals

Advanced Malware Cleaning with Mark Russinovich

Mark Russinovich has been one of my life heroes since I first found out about his SysInternals tools and the work he does. I make my best effort to follow his blog, read his Windows Internals book series and read other content by him, not because I have a homo-erotic obsession with the man, but because the tools he produces and his knowledge of the Windows kernel are truly amazing, and it's no wonder Microsoft bought his company back in the day, not to absorb the company but to absorb the man himself.

Paul Thurrott posted a link on his blog to a video from a Windows Spotlight session recorded by Mark about Advanced Malware Cleaning. I must confess I had never seen this video before. I have now watched it, and it's an excellent resource that even showed an old diagnosis dog like myself a few tricks; however, a lot of the steps in the session are not for the faint-hearted: interrupting the Windows kernel and reloading the kernel from disk to unload malware from memory.

You can get to the video at http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359. While on the site, I highly recommend that anyone of a security disposition watch the related video over on the right by Marcus Murray, entitled Knowing the Enemy: A Lightning Demonstration on How Hackers Attack Networks.

In less than 20 minutes, he demonstrates how to create a Trojan horse using applications you can freely download from the Internet, how to hide that Trojan inside a legitimate application like Word or PowerPoint, and then, once the Trojan is running, how it can be used to attack an entire network and collect the passwords of every user in a domain.