Malware vulnerability of Windows 7


Operating Systems & Security

Prof. M. Timmerman

Malware vulnerability of Windows 7

Stijn Doeraene

January 26, 2012

Version 3.1

Malware vulnerability of Windows 7 January 26, 2012

Abstract

Even on the most recent desktop operating systems, different types of malware still exist and form a threat to both the system and its user. In this paper we discuss the vulnerability of a modern operating system, Windows 7, to present-day malware. Our tests are done on virtualized systems and, because of the differences in architecture, on both the 32-bit and the 64-bit version.

After unleashing a multitude of malware samples, both basic and advanced ones, we find that some of them were indeed able to penetrate the system and even partially hide themselves. With the use of specialized software, however, a complete disinfection was possible for both test systems. So while malware forms a certain threat as long as it remains unnoticed, it is in most cases easily removable once its existence is revealed.



Change history

Project v.   Release Date        Author           Description
0.1          December 9, 2011    Stijn Doeraene   First Draft
0.5          December 16, 2011   Stijn Doeraene   Draft Infected System
1            December 21, 2011   Stijn Doeraene   Disinfection 32-bit
1.1          December 23, 2011   Stijn Doeraene   Disinfection 64-bit
1.2          December 23, 2011   Stijn Doeraene   Conclusions
1.3          December 27, 2011   Stijn Doeraene   Infected System
2.0          December 28, 2011   Stijn Doeraene   First report review
2.1          January 6, 2012     Stijn Doeraene   Abstract rewrite
3.0          January 7, 2012     Stijn Doeraene   Complete review
3.1          January 26, 2012    Stijn Doeraene   Final review

Table 1: Change History

Changes in this version:

• Final review


Contents

Abstract 1
Change history 2
1 Introduction 4
2 Different types of malware 4
  2.1 Virus 4
  2.2 Worm 4
  2.3 Rootkit 5
  2.4 Trojan 5
  2.5 Others 5
3 The infected system 5
  3.1 Secure environment 5
  3.2 The system itself 5
  3.3 Infection methods 6
    3.3.1 P2P-networks 6
    3.3.2 Infected files using browsers 6
    3.3.3 Surfing the internet 7
    3.3.4 Malware samples from online databases 7
  3.4 Influence of browser choice 7
  3.5 The actual malware 8
4 Removing strategies and tools 10
  4.1 32-bit 10
    4.1.1 Anti-virus 10
    4.1.2 Anti-malware software 14
    4.1.3 Boot Rescue CDs 15
    4.1.4 Anti-rootkit software 16
    4.1.5 Verification runs 20
  4.2 64-bit 20
    4.2.1 Anti-virus 20
    4.2.2 Anti-malware software 22
    4.2.3 Boot Rescue CDs 23
    4.2.4 Anti-rootkit software 24
    4.2.5 Verification runs 25
5 Conclusions 26

1 Introduction

Malware, short for malicious software, is a general term for basically all software that is hostile, intrusive or annoying. Malware has been a plague for computers since before the Internet was widely available, when it was distributed mostly on infected floppy disks. However, as personal computers became more and more popular and the Internet became widely available, the malware industry grew with them.

While older malware was often designed simply to destroy files or crash systems, current malware makers create it mostly for the simple reason of profit.

This profit making can come in many forms, whether it is the creation of a botnet, stealing online banking accounts or simply showing advertisement.

This paper will test what an impact current malware can have on current up-to-date systems. In our tests, we will use the most recent operating system from the popular Windows family, Windows 7, and load it with all sorts of malware ranging from pretty innocent and easy to remove ones up to highly invasive advanced stealth software. We will then test whether malware is still able to infect our systems and if so, whether our detection software is able to detect and remove it.

2 Different types of malware

This section will give a short overview of the most important malware classes as described by malware expert F-Secure [1]. This classification, however, stems from a rather theoretical point of view. In reality, classifying most current (especially advanced) malware can be very difficult. This is due to the simple fact that most current malware combines aspects of several malware classes to optimize system integration, distribution and local invisibility.

An example of this is the Alureon rootkit described in the next section. This malware combines both trojan and rootkit characteristics to be able to embed itself deep into the host system.

2.1 Virus

"A malicious program that secretly integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run" [1]. The term 'virus' is sometimes also used as a synonym for malware, but this is incorrect.

2.2 Worm

"A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network" [1]. This type has subcategories such as Net-Worms, Email-Worms, P2P-Worms, IM-Worms, IRC-Worms and Bluetooth-Worms, depending on the method of replication.


2.3 Rootkit

"A program or set of programs which hides itself by subverting or evading the computer's security mechanisms, then allows remote users to secretly control the computer's operating system" [1].

2.4 Trojan

"Also known as a trojan horse, this is a deceptive program that performs additional actions without the user's knowledge or permission. It does not replicate" [1]. This type has subcategories such as Trojan-Spy, Trojan-PSW, Trojan-Downloader, Trojan-Dropper, Trojan-Proxy and Trojan-Dialer (although this last type was mostly popular in the dial-up period).

2.5 Others

The abovementioned are generally considered the most significant malware types, however there are several other types that are also considered malware.

These include adware and spyware. The goal of these programs is either to show advertisements or to collect information about the user without their knowledge. Although usually not as invasive and harmful as the types above, they can cause slow systems and privacy invasions and thus definitely also belong in the malware category.

3 The infected system

In this section, we will elaborate on the initial acts that were performed before the actual malware removal. This includes setting up a secure environment separated from our actual system and getting malware on our systems. Additionally, a small subsection is dedicated to the influence of the browser choice on the chances of getting infected.

3.1 Secure environment

For our tests, we will use the free VMware Player virtualization software [13] to create two completely isolated virtualized Windows 7 systems, a 32-bit and a 64-bit version. The main reason we will test both is because some malware is specifically designed for one architecture. To ensure there is no link between our test system and other systems and hardware, shared network folders are disabled and all hard drives are disconnected.

3.2 The system itself

The systems installed using VMware are two Windows 7 installations (32-bit and 64-bit). These run with approximately 1.5 GB RAM and sufficient hard drive space. Before infecting these installations, all Windows updates are installed. This is done to ensure that our tests are not done on outdated systems with outdated security.


Besides the basic Windows programs, no other third-party software will be installed during the process, except for Internet browsers, for access to the Internet, and malware detection and removal software, for obvious reasons. The main reason is that we are interested in knowing to what extent current up-to-date Windows installations are vulnerable to malware infiltrations, not which third-party software is vulnerable.

There is simply a vast multitude of potentially vulnerable third-party software available which would greatly clutter our results. In this research, we will focus on the vulnerability of the operating system itself and how deep malware can integrate itself into it.

3.3 Infection methods

Once the test environment was created, the next step was to infect our system. To get the most diverse infections, we will use several different methods. Four different infection methods have been chosen for this purpose:

• Downloading infected files through P2P networks

• Downloading infected files through Internet sites

• Visiting infected sites on the Internet

• Downloading malware samples from existing databases

Because of the numerous warnings given to us by the installed anti-virus and anti-malware software (at this point AVG Anti-Virus and Malwarebytes Anti-Malware - for more info see the next section), these programs were closed during the infection process.

3.3.1 P2P-networks

Some famous (or notorious) P2P-networks such as Gnutella, Gnutella2 (G2) and eDonkey have always been known as possible ways to get malware on your system. For this method, we use the popular client Shareaza [5] to access these networks and download infected files.

As for the search terms, we tried several that are known to often return infected results. These include, but are not limited to: crack, keygen, movies. In the result list returned by the P2P client, we focused on the files most likely to be infected, these being all sorts of archives (.rar, .zip, .7zip, etc) and executables (.exe), generally with a suspiciously small size with regard to the claimed file type.

3.3.2 Infected files using browsers

The second way to receive malware is to visit certain download sites using an Internet browser and download infected files. For this method we searched for keygen and movie providing websites, as these are known to often include more than just keygens or movies. Several sites offering 'bad' files were found this way. To test whether some browsers provide additional security warnings, this method is executed using several browsers. More on this in the next subsection.

Again we downloaded several files to our hard drive. To get diverse results, we combined several different sites.

3.3.3 Surfing the internet

The third major possibility to get malware on your system is simply by going to infected websites. On these sites there usually is no need to download specific items; viewing images can be enough to get infected. To be sure we visit infected sites, we use the Norton Safe Web website [6] to get hold of the most infected sites of the moment. As with the previous infection method, we will use several browsers to test the different browser protection methods and to see how this affects our chances of getting infected. This method is worth using, as the malware received this way might differ from that resulting from the other methods.

3.3.4 Malware samples from online databases

After getting infections using the most usual ways, we also used some online databases [35] [36] [37] to extract malware samples. We focused on malware types that were not already present on our system and selected the most persistent and notorious ones. These include some recent rootkits and viruses.

3.4 Influence of browser choice

As mentioned before, we used several different browsers to test whether they have an influence on the chance of getting infected. We selected three of the most popular browsers currently available:

• Internet Explorer 9 (IE)

• Mozilla Firefox 8.0.1 (FF)

• Google Chrome 15.0

While surfing, these browsers offer to block access to malicious websites by maintaining a blacklist of known dangerous sites. During our tests, this was encountered mainly in IE, which uses the built-in SmartScreen Filter. Not only certain sites but also specific downloads were blocked using this technology. When sites are blocked, it is possible to ignore the message, but doing so requires explicitly disregarding the warning several times.

Although, according to the other browsers' own sites, both Firefox [7] and Chrome [8] have similar technologies, only a very small number of sites was reported unsafe by them during our tests, in sharp contrast with IE, where a rather large number of unsafe sites was correctly flagged as unsafe. A security report written by NSS Labs [9] confirms this by reporting that the IE9 browser highly outranks the other two when a comparison of malware blocking is made.


3.5 The actual malware

The number of malware samples retrieved using the methods mentioned earlier is quite large. Over 150 infected files were found after a quick anti-virus scan. The infections themselves range from highly outdated worms to some of the newest rootkits available.

However, as will be seen later, only a small part of these will in the end be able to successfully infect the system. Most of the malware will be stopped right at execution because some requirement was not met. These include the fact that the malware was built for a specific architecture or operating system, that the security flaw the malware was exploiting had already been patched, or that the necessary third-party software was not installed.
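The architecture mismatch mentioned above is the easiest of these preconditions to check before a sample is ever run. The following is an added example, not code from the paper: it reads the COFF file header of a PE executable (the Machine field and the optional-header magic, both defined in the PE/COFF specification) to tell a 32-bit image from a 64-bit one, so a sample set can be triaged per test system without executing anything. The sample bytes built by build_sample() are constructed minimal headers for the example only, not real executables, and the file names are placeholders.

```python
import struct

# Machine values from the PE/COFF specification (IMAGE_FILE_MACHINE_*).
MACHINE_NAMES = {
    0x014C: "x86 (32-bit)",
    0x8664: "x64 (64-bit)",
    0x01C4: "ARM Thumb-2 (32-bit)",
    0xAA64: "ARM64 (64-bit)",
}
# Optional header magic: PE32 (32-bit image) versus PE32+ (64-bit image).
MAGIC_NAMES = {0x10B: "PE32", 0x20B: "PE32+"}


def pe_architecture(data: bytes) -> dict:
    """Return the target architecture of a PE file given its raw bytes.

    Only the DOS header pointer (e_lfanew), the COFF file header and the
    first two bytes of the optional header are read; nothing is executed.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable (missing MZ signature)")
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_offset + 24 > len(data) or data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader,
    # Characteristics (20 bytes following the 4-byte signature).
    machine, _nsec, _ts, _psym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, pe_offset + 4)
    magic = None
    if opt_size >= 2 and pe_offset + 26 <= len(data):
        (magic,) = struct.unpack_from("<H", data, pe_offset + 24)
    return {
        "machine": MACHINE_NAMES.get(machine, f"unknown (0x{machine:04x})"),
        "format": MAGIC_NAMES.get(magic, "unknown"),
        "is_dll": bool(chars & 0x2000),  # IMAGE_FILE_DLL
        "is_64bit": magic == 0x20B,
    }


def build_sample(machine: int, magic: int, dll: bool = False) -> bytes:
    """Constructed minimal header, enough for pe_architecture() only.

    This is not a runnable executable; it is test input so the example
    runs offline without touching a real sample.
    """
    pe_offset = 0x40
    dos = bytearray(b"MZ" + b"\0" * (pe_offset - 2))
    struct.pack_into("<I", dos, 0x3C, pe_offset)
    chars = 0x0002 | (0x2000 if dll else 0)  # EXECUTABLE_IMAGE [| DLL]
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 2, chars)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", magic)


def triage(samples: dict) -> dict:
    """Map sample name -> architecture summary, flagging unparsable files."""
    out = {}
    for name, blob in samples.items():
        try:
            out[name] = pe_architecture(blob)
        except ValueError as exc:
            out[name] = {"error": str(exc)}
    return out


if __name__ == "__main__":
    # Constructed inputs: one 32-bit EXE, one 64-bit DLL, one non-PE blob.
    samples = {
        "sample32.exe": build_sample(0x014C, 0x10B),
        "sample64.dll": build_sample(0x8664, 0x20B, dll=True),
        "notes.txt": b"this is not an executable",
    }
    for name, info in triage(samples).items():
        print(f"{name:14} {info}")
```

A sample reported as x64/PE32+ cannot run on the 32-bit test system at all, which is one of the "requirements not met" cases above; a sample reported as x86 may still fail for the other reasons (patched flaw, missing third-party software), which header inspection cannot predict.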

Following is a short overview of the different malware samples that will be released on our test systems. Figure 1 shows a listing of the initial malware as detected by Microsoft Security Essentials (MSE) and AVG Anti-Virus 2012 (AVG).

The reader might notice that the two tools often use completely different names for exactly the same malware. This is possible since most malware has multiple aliases. Additionally, much malware consists of extensions or improvements of the same initial malware, meaning we can often speak of malware families. This family name is also sometimes used to identify infections. In the figure, the type (if mentioned) is usually an indication. Most advanced malware types combine different techniques to hinder detection and removal, as mentioned earlier in this report.


Figure 1: The malware that will be unleashed on our systems, as seen by MSE and AVG

We will provide a short elaboration on the different malware samples. Since MSE provides the most specific details, these names will be used. We will only discuss the most remarkable and unknown items. Other items, including most of the trojans, are supposed to do what they are known and built for.


• Alureon: Alureon [29] combines rootkit and trojan capabilities to embed itself deep into the targeted system. It installs its own filesystem, after which it tries to infect system drivers with the goal of installing a trojan. Alureon belongs to the infamous TDL malware family, of which the first version already appeared in 2006. The version infecting our test system is the latest one available (belonging to the TDL4 family) and is known as one of the most indestructible and persistent rootkits currently available. The most recent version targets both 32-bit and 64-bit systems. By doing this it is one of the first rootkits to successfully infect 64-bit systems [30] [31].

• Rugrat.A and Shruggle.A: Both updates of viruses that were among the first ever to target 64-bit systems (Rugrat being the very first 64-bit virus in 2004 [32]). Viruses currently available for 64-bit systems are still rare, which makes it interesting to see how effective these can be.

• Java/StrangeBrew.A, VBS/Internal.D: Two ancient viruses using either Java or VBS files to replicate themselves [33]. These ancient viruses (from around the year 2000) should normally be of no threat. They were added for the sake of completeness.

• Virtool: The different malware items tagged virtool are tools used by other malware (usually trojans). Tasks often include stopping security software from running or sniffing network information.

• TrojanDropper: These malware items are designed to infiltrate the system and drop other malware [34]. In our case, these will be used to drop Alureon.J and Sirefef.B.

Once the abovementioned malware has been downloaded to our hard drive, we run the different executables with any security software disabled (including firewalls). To replicate a worst case scenario, several of the executables are run using administrator rights to ensure they are able to do the most damage possible.

4 Removing strategies and tools

This section will elaborate on the disinfection process. It is split up in two parts. First our 32-bit Windows 7 OS is cleaned and secondly our 64-bit Windows 7 OS. The process will in both parts be very similar, however depending on the needs and/or availability, different tools may be used.

4.1 32-bit

4.1.1 Anti-virus

The first part of the disinfection process is the use of regular anti-virus software. For our 32-bit OS, we have chosen two popular free versions, namely AVG Anti-Virus Free Edition 2012 and Microsoft Security Essentials (MSE), selected both for their popularity and their good results. These programs will be run independently of each other, each in a separate clone of the infected system. This will allow us to make a comparison and to check whether one of them is more effective.


The results of these scans can be seen in figures 2 and 3. Although the names and number of detections at first sight do not match, both anti-virus programs in fact detected the same malware, but use different aliases for it. The difference in number results from the fact that Microsoft Security Essentials groups infected files together under the malware name. The only file that is detected by AVG but not by MSE is the serial.sys file. However, AVG was not able to remove it either.

Figure 2: AVG scan results


Figure 3: MSE scan results

After removal of the malware and the reboot requested by both programs, we run another scan to inspect how successful the programs were in their removal. This can be seen in figures 4 and 5. Note that both Trojan:DOS/Alureon.A (MSE) and Trojan Agent r.XJ (AVG) correspond to the same Alureon rootkit infection. Because of the rootkit and its deep integration in the system, these are not removable by our anti-virus programs. We will thus need to use other tools to remove them. Additionally, in figure 4 we also see the serial.sys file, which is infected with a trojan but which is too important to the system to be removed.


Figure 4: AVG second scan results

Figure 5: MSE second scan results

After the use of two anti-virus programs, we notice (at least) 2 more infections we need to remove. These are the rootkit infection Alureon and the Backdoor.Generic trojan that has infected the serial.sys file.


Since both anti-virus programs return almost the same results and AVG also seems to report on the status of the serial.sys file, we will use the corresponding AVG system clone for the further removal of the malware. This way we can also easily check on the Backdoor.Generic trojan. Using the other clone would of course also be possible and would very likely lead to the same results.

4.1.2 Anti-malware software

Once most viruses, trojans and other malware have been removed, we continue our test with Malwarebytes Anti-Malware (MBAM) [22], which specializes in the removal of malware and has a very good detection and removal reputation [23] [24] [25].

Surprisingly, MBAM was able to detect another 37 infections that were overlooked by our previous programs. Although these were probably not that harmful (being temporary files), removing them eliminates further infection risk. The Alureon rootkit infection and the trojan serial.sys infection were, however, neither reported nor removed by MBAM.

Figure 6: MBAM scan results

To be sure this is not just because of the tool, we also use another highly regarded tool, namely SUPERAntispyware [28]. The results of this can be seen in figure 7. It appears that removing the Alureon rootkit and the trojan serial.sys infection will require more specialized software, as these are not even detected. After the MBAM scan, SUPERAntispyware is only able to detect some (rather harmless) Adware Tracking Cookies. All of these are deleted by the program.

Figure 7: SUPERAntispyware scan results

4.1.3 Boot Rescue CDs

Bootable Rescue CDs are an excellent tool for deleting or disinfecting infected files that cannot be deleted while the main OS is active. For our test we chose the F-Secure Rescue CD. Other boot rescue CDs using the same principles should work equally well; examples of these are AVG Rescue CD [25], Kaspersky Rescue Disk [26] and UBCD [27].

The result of this bootable CD can be seen in figure 8. Although there are many files listed, the most interesting ones are listed in the middle, tagged Trojan.Generic. This is the trojan that is infecting the serial.sys file, which earlier couldn't be removed. All the other files are actually files located in the vault of the anti-malware programs used earlier, and which thus pose no risk anymore.

As can be seen in figure 8, F-Secure Rescue CD uses a minimalistic command-line OS to do the job, but it is very efficient. Using the built-in update mechanism it always uses the most recent malware definitions. This makes F-Secure Rescue CD a great tool for this job.


Figure 8: F-Secure Rescue CD scan results

4.1.4 Anti-rootkit software

Since the Alureon rootkit infection was not cured by our previous methods, we will now use some software specifically developed for this purpose. Several programs exist for this; among the most popular and successful are TDSSKiller (by Kaspersky), GMER and Sophos Anti-Rootkit. Since Alureon and TDSS both belong to the same TDL malware family, Kaspersky's TDSSKiller appears to be a good starting point for Alureon removal, and we will start with this.

TDSSKiller indeed proves to be an excellent program: besides being fast and easy to use, it also delivers results. After a single search, it locates the rootkit infection and eliminates it without any hassle. After the second search, it locates the Alureon File System and removes this as well. These runs can be seen in figures 9 and 10.


Figure 9: TDSSKiller scan results - removing the infection location


Figure 10: TDSSKiller scan results - removing the rootkit file system

Since rootkit scans are quite fast, we also run the other programs mentioned above, GMER and Sophos Anti-Rootkit, to get a second opinion.

The run of GMER can be seen in figure 11. Nothing suspicious can be seen in the results. Notice however the absence of a title in the program's main bar. GMER uses a randomizing name system as a security measure to avoid being blocked by malware, including a randomized process name. This makes GMER an excellent rootkit removal candidate when other programs cannot be run because their processes are continuously killed by malware.


Figure 11: GMER scan results

Secondly, the run of Sophos Anti-Rootkit, which can be seen in figure 12. Three hidden files are shown, but no indication is given that these are malicious. The tool also recommends leaving the files intact.

Figure 12: Sophos Anti-Rootkit scan results
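Sections 4.1.3 and 4.1.4 both rest on the same idea: a rootkit can filter what the running OS reports, so a view of the disk taken from outside that OS (a rescue CD, or an anti-rootkit tool reading raw structures) is compared against the view from inside it. The following is an added example, not code from the paper or from any of the tools it names, of that cross-view comparison: two directory snapshots, one "online" and one "offline", are diffed by path and by SHA-256 of content, and the result separates files hidden from the running OS, files visible in both views but with differing content (the serial.sys situation above, which the rescue CD could act on), and files that agree. Both snapshots and their contents are constructed placeholders.

```python
import hashlib

# Constructed snapshots: path -> file content as seen from each vantage point.
# ONLINE_VIEW is what a tool inside the running OS sees; OFFLINE_VIEW is the
# same volume read from a rescue CD. Contents are placeholder bytes.
ONLINE_VIEW = {
    "windows/system32/drivers/serial.sys": b"SERIAL DRIVER v1",
    "windows/system32/drivers/disk.sys": b"DISK DRIVER",
    "users/test/downloads/movie.exe": b"MOVIE.EXE CONTENT",
}
OFFLINE_VIEW = {
    "windows/system32/drivers/serial.sys": b"SERIAL DRIVER v1 + extra bytes",
    "windows/system32/drivers/disk.sys": b"DISK DRIVER",
    "users/test/downloads/movie.exe": b"MOVIE.EXE CONTENT",
    "programdata/xyz/hidden.dll": b"HIDDEN PAYLOAD",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def cross_view(online: dict, offline: dict) -> dict:
    """Compare two views of the same volume.

    Findings:
      hidden   - present offline but not reported by the running OS
      modified - present in both views, but with different content
      ghost    - reported online but absent from the offline view
      clean    - identical in both views
    """
    findings = {"hidden": [], "modified": [], "ghost": [], "clean": []}
    for path in sorted(set(online) | set(offline)):
        if path not in online:
            findings["hidden"].append(path)
        elif path not in offline:
            findings["ghost"].append(path)
        elif sha256(online[path]) != sha256(offline[path]):
            findings["modified"].append(path)
        else:
            findings["clean"].append(path)
    return findings


def needs_offline_remediation(findings: dict) -> bool:
    """True when something was hidden or modified: a scan run inside the
    OS cannot be trusted to see, let alone replace, those files."""
    return bool(findings["hidden"] or findings["modified"])


if __name__ == "__main__":
    result = cross_view(ONLINE_VIEW, OFFLINE_VIEW)
    for kind, paths in result.items():
        print(f"{kind:9} {paths}")
    print("offline remediation needed:", needs_offline_remediation(result))
```

The "modified" category is the one a plain hidden-file listing (as in figure 12) does not give: a file the OS shows but whose bytes differ from what is on disk is the case where an in-OS scanner reports the infection yet cannot safely replace the file, which is why the rescue CD was needed in 4.1.3.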


4.1.5 Verification runs

Now that all infections should be removed, we run our programs again to verify this. This can be seen in figure 13. And indeed, every single program that we run again confirms a threat-free system.

Figure 13: Results of the verification runs

4.2 64-bit

4.2.1 Anti-virus

Like before, the first part of the disinfection process is the use of regular anti-virus software. For our 64-bit OS, we have again chosen two popular and effective programs, AVG Anti-Virus Free Edition 2012 and avast! Free Antivirus 6. They will again be run independently of each other, each in a separate clone of the infected system.

The results of these scans can be seen in figures 14, 15 and 16. If we compare the results of the two scans, we can see that AVG seems to be a little less effective if we look at quantity; however, both programs find approximately the same groups of infections: a lot of JS.Redirectors, some Cryptors, some other WIN32 malware and the same Win64 infection in consrv.dll. Both programs are also able to remove all of the infections they found.


Figure 14: AVG scan results, all infections except spyware

Figure 15: AVG scan results, focusing on spyware


Figure 16: avast! scan results

4.2.2 Anti-malware software

Like before, we also run some tests with other anti-malware tools. We will use the known and effective tools Malwarebytes' Anti-Malware and SUPERAntispyware to scan for additional malware. These results can be seen in figures 17 and 18. Just as in the 32-bit version, the scans reveal some additional malware that was not found by regular anti-virus software. For MBAM this entails some FakeAlert trojans (designed to show fake security warnings), an adware file (Trojan.Cinmus) and a password stealer, while SUPERAntispyware only found some tracking cookies. All were successfully removed.


Figure 17: MBAM scan results

Figure 18: SUPERAntispyware scan results

4.2.3 Boot Rescue CDs

Since none of the previous scans revealed anything suspicious, there was no reason to use a bootable rescue CD.


4.2.4 Anti-rootkit software

Although there is also not a single indication that rootkits have infiltrated the system, some rootkit scans were still performed. The sole reason is that we released some rootkits onto the system ourselves. The results of these scans are shown below in figures 19 and 20. As with the 32-bit system, we again use the tools TDSSKiller and GMER first. Neither of these is able to find any infection. The rootkits that were used on this system thus seem to be ineffective. Whether this is because the OS has been successfully patched or whether there are other reasons could not be determined. Since these two scans already did not provide any results, Sophos Anti-Rootkit was not used in this test.

Figure 19: TDSSKiller scan results


Figure 20: GMER scan results

4.2.5 Verification runs

To confirm that all malware has been removed from the system, we run some verification scans. As these all come up clean, this can indeed be confirmed. The results of the performed scans can be seen in figure 21.

Figure 21: Results of the verification runs


5 Conclusions

As demonstrated above, both our test systems have been cleaned completely. For the 32-bit system, several specialized tools were needed, due to the deeper integration of malware in the system. These specialized tools include Boot Rescue CDs and rootkit removal programs. Boot Rescue CDs are mainly useful for eliminating malware that cannot be removed while the host OS itself is running. Rootkit removal programs are useful in case of rootkit infection, but rather useless against other malware types.

For the 64-bit system, less specialized tools were needed. Regular anti-virus and anti-malware programs were sufficient to clean the system. The anti-rootkit programs were only run for confirmation. This rather easy disinfection was caused by the absence of effective 64-bit malware. Most of the advanced malware currently spreading is still only effective against 32-bit systems.

Although the malware was not given a really long time to integrate into the system and we started with a fully updated system, the malware (especially on a 32-bit system) was still able to infiltrate quite deep into the system. It can be suspected that on outdated systems with more third-party software (and the corresponding glitches), malware might be able to infiltrate even deeper and do more damage.

However, to conclude this document, we can state that this risk can be greatly reduced by having an updated anti-virus and an additional anti-malware program running on an updated system. As mentioned before, these programs give numerous accurate warnings before the infection even takes place, thereby forming a first barrier and minimizing the risk of infection. The limited amount of malware that gets through can then in all probability be removed using one (or several) of the specialized tools discussed in this report. Malware prevention thus starts with an updated system and updated, running anti-malware programs.


References

[1] F-Secure threat types, http://www.f-secure.com/en/web/labs_global/threat-types

[2] Famous malware (1), http://www.ehow.com/list_6515813_famous-computer-viruses-worms.html

[3] Famous malware (2), http://us.norton.com/security_response/

[4] Latest malware, http://www.mcafee.com/threat-intelligence/malware/latest.aspx

[5] Shareaza P2P client, http://www.shareaza.com/

[6] Norton Safe Web, http://safeweb.norton.com/

[7] Firefox malware protection, http://www.mozilla.org/en-US/firefox/phishing-protection/

[8] Chrome malware protection (NL), http://support.google.com/chrome/bin/answer.py?hl=nl&answer=99020

[9] Browser malware protection, http://www.nsslabs.com/assets/noreg-reports/2011/nss%20labs_q2_2011_browsersem_FINAL.pdf

[10] Malware Distribution Project, http://frame4.net/home

[11] PCMag Antivirus software review, http://www.pcmag.com/article2/0,2817,2388652,00.asp

[12] PCWorld Antivirus software review, http://www.pcworld.com/reviews/collection/5928/2011_free_av.html

[13] VMware Player, http://www.vmware.com/products/player/overview.html

[14] AVG Anti-Virus Free Edition 2012, http://free.avg.com/ww-en/free-antivirus-download

[15] Microsoft Security Essentials, http://windows.microsoft.com/nl-BE/windows/products/security-essentials

[16] Ad-Aware Free Antivirus & Antispyware 9.6, http://www.lavasoft.com/products/ad_aware_free.php

[17] avast! Free Antivirus 6, http://www.avast.com/free-antivirus-download

[18] GMER, http://www.gmer.net/

[19] F-Secure BlackLight, http://www.f-secure.com/en/web/labs_global/removal/blacklight

[20] Sophos Anti-Rootkit, http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx

[21] F-Secure Rescue CD, http://www.f-secure.com/en/web/labs_global/removal/rescue-cd

[22] Malwarebytes Anti-Malware, http://www.malwarebytes.org/products/malwarebytes_pro

[23] CNET Malwarebytes Anti-Malware review, http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

[24] Tweakers Malwarebytes Anti-Malware review, http://tweakers.net/meuktracker/26547/malwarebytes-anti-malware-15121300.html

[25] AVG Rescue CD, http://www.avg.com/nl-nl/avg-rescue-cd-download

[26] Kaspersky Rescue Disk, http://support.kaspersky.com/viruses/rescuedisk

[27] UBCD4Win, http://www.ubcd4win.com/

[28] SUPERAntispyware, http://www.superantispyware.com/

[29] Alureon, http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus:Win32/Alureon.A

[30] Alureon information, http://www.kernelmode.info/forum/viewtopic.php?p=6097#p6097

[31] Alureon information (2), http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html

[32] Rugrat.A information, http://www.securelist.com/en/descriptions/old51237

[33] StrangeBrew information, http://www.securelist.com/en/descriptions/66836/Virus.Java.StrangeBrew

[34] Trojandropper information, http://www.trojandropper.net/

[35] Offensive Computing, http://www.offensivecomputing.net/?q=node/1654

[36] Kernelmode malware, http://www.kernelmode.info/forum/viewforum.php?f=16

[37] Contagiodump, http://contagiodump.blogspot.com
