Malware Hunting with Sysinternals Tools

Speaker: the illustrious Mark Russinovich

Today malware is everywhere. Sysinternals has been tackling malware detection and remediation for over a decade now. Good malware removal skills are essential for the IT professional, because the four major anti-virus engines detect less than 40% of threats. Source: CAMP: Content-Agnostic Malware Protection

An everyday example of malware is the fake antivirus. This is an example of "found threats" on a fresh Windows install:

...and the quick removal process with Sysinternals Autoruns:

Old (2005) techniques for malware detection and remediation

  • Disconnect from the network - stops the malware from downloading more malware or exfiltrating data
  • Identify malicious processes and drivers
  • Terminate identified processes
  • Identify and delete malware autostarts
  • Delete malware files
  • Reboot and repeat steps above

Be pragmatic about malware removal. If you can have confidence that you have identified and cleaned the malware, don't resort to wiping the system. 

Suspicious processes are those that:

  • have no name or icon
  • have no description or company name
  • are unsigned
  • live in the Windows directory or a user profile
  • are packed
  • include strange URLs in their strings
  • have open TCP/IP connections
  • host suspicious DLLs or services

Process Explorer is "Super Task Manager"

Process View color key:

  • Blue = your own processes, running in the same security context as Process Explorer
  • Pink = processes hosting Windows services
  • White = unfiltered (everything else)
  • Dark purple = packed/encrypted images (suspicious): malware uses obfuscation so that it loads itself into memory but stays packed on disk to dodge AV

Right-click > Search Online
Right-click > Properties shows the autostart path in the registry
rundll32.exe processes are created by Control Panel applets, and lots of malware hides itself in rundll32.exe


Almost all Microsoft and third-party code is digitally signed, and Process Explorer can verify this (Verified Signer column). A missing signature is a red flag. The CRL (Certificate Revocation List) is checked to see whether a certificate has been revoked because malware was signed with it.

sigcheck.exe -s -e -u *   (-s = recurse subdirectories, -e = scan executable images only, -u = show only unsigned files)

Expect GAC_32 to show up in such a scan: unsigned images legitimately live there, which also makes it a place where malware can hide.

Strings tab > Memory button shows the strings of the image as mapped into RAM (the unpacked code, not the packed file on disk). Look for suspicious URLs in the strings.

DLL view (Ctrl+D). listdlls -u * dumps all unsigned DLLs loaded in all processes.
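The Strings tab (and strings.exe) pull printable ASCII and Unicode runs out of an image; this added example, not from the talk or from Sysinternals, does the same offline over a constructed byte blob standing in for a dumped image and flags the URLs it finds:

```python
import re

# Constructed sample "image": ASCII and UTF-16LE strings separated by binary noise.
# Hostnames use the reserved .test TLD; nothing here is a real indicator.
SAMPLE_IMAGE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00\x01\x02"
    + b"http://update.example-malware.test/gate.php"
    + b"\x00\xff\xfe"
    + "C:\\Users\\victim\\AppData\\Roaming\\svc.exe".encode("utf-16-le")
    + b"\x00\x00"
    + "https://cc.example-malware.test:8080/".encode("utf-16-le")
    + b"\x00\x00\x7f"
)

URL = re.compile(r"(?:https?|ftp)://[^\s\"'<>]+", re.IGNORECASE)


def extract_strings(data, min_len=4):
    """Return printable ASCII runs, then UTF-16LE runs, of at least min_len characters."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_run.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_run.finditer(data)]
    return found


def find_urls(data):
    """URLs embedded in the image, in either encoding; the triage list to eyeball."""
    return [url for s in extract_strings(data) for url in URL.findall(s)]


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_IMAGE):
        print(repr(s))
    print("URLs:", find_urls(SAMPLE_IMAGE))
```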

Terminating Malicious Processes

Buddy system: if one malicious process is killed, its partner starts it again. The solution is to suspend them all first, so no process is awake to restart the others, and only then terminate them.

Stop the autostarts. Autoruns by Sysinternals scans everything configured to autostart or load on the system, and verifies code signatures:

  • Red = images without a valid digital signature
  • White = signed by a third party
  • Yellow = orphans (the entry points at a file that no longer exists)

Jump to Entry opens the registry autostart location; Jump to File Location opens the image on disk. Uncheck an autorun to disable it rather than deleting it: try not to do things you can't undo. The tool can also scan targeted remote systems, including from a boot environment, and shows the timestamp of each entry's last modification. autorunsc.exe is the command-line version; print its output in CSV format to scan a corporate network.
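The suspicious-process heuristics listed earlier and the autorunsc CSV scan come together in this added example (not from the talk or from Sysinternals): it triages autostart entries from CSV text in the column layout I assume autorunsc -c -t produces, over constructed sample rows, flagging unsigned, orphaned, description-less, user-profile and RunOnce entries.

```python
import csv
import io
import re

# Constructed sample rows; column layout assumed to match "autorunsc -c -t" output.
SAMPLE_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
20130101-120000,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VerifiedTool,enabled,Logon,System-wide,Example vendor tray app,(Verified) Example Vendor,Example Vendor,c:\windows\system32\vendortray.exe,1.0.0.0,c:\windows\system32\vendortray.exe
20130101-120000,HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce,hqzs,enabled,Logon,EXAMPLE\user,,,,c:\users\user\appdata\roaming\hqzs.exe,,c:\users\user\appdata\roaming\hqzs.exe
20130101-120000,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OldAgent,enabled,Logon,System-wide,,,,File not found: c:\program files\oldagent\agent.exe,,c:\program files\oldagent\agent.exe
"""

USER_PROFILE = re.compile(r"^c:\\users\\", re.IGNORECASE)
WINDOWS_DIR = re.compile(r"^c:\\windows\\", re.IGNORECASE)


def triage_entry(row):
    """Apply the talk's heuristics to one autostart entry; return why it looks suspicious."""
    reasons = []
    signer = row.get("Signer", "").strip()
    image = row.get("Image Path", "").strip()
    # Autoruns reports a missing image as "File not found: <path>" (an orphan entry).
    if image.lower().startswith("file not found"):
        return ["orphan: image file not found"]
    verified = signer.startswith("(Verified)")
    if not verified:
        reasons.append("unsigned or unverifiable signature")
    if not row.get("Description", "").strip() and not row.get("Company", "").strip():
        reasons.append("no description or company name")
    if USER_PROFILE.match(image):
        reasons.append("image lives in a user profile")
    elif WINDOWS_DIR.match(image) and not verified:
        reasons.append("unverified image in the Windows directory")
    if "runonce" in row.get("Entry Location", "").lower():
        reasons.append("RunOnce key (re-added at every shutdown is the scareware pattern)")
    return reasons


def triage_csv(text):
    """Parse autorunsc CSV text; return {entry name: reasons} for flagged entries only."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(text)):
        reasons = triage_entry(row)
        if reasons:
            flagged[row["Entry"]] = reasons
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage_csv(SAMPLE_CSV).items():
        print(entry, "->", "; ".join(reasons))
```

Feed it the real file with `triage_csv(open("autoruns.csv", encoding="utf-8-sig").read())`; a verified-signer whitelist is the obvious next refinement.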

Tracing malware activity

When in doubt, run Process Monitor!

Double Click on process > Process tab

Filtering is the key technique for focusing Procmon on only what you want. Right-click on a row > Include, Exclude, etc. Click the Filter icon for more complex filtering. Category = Write shows only modification activity, which is where malware is most likely to show up.

Procmon's Process Tree sees every process, including short-lived ones that start and exit between two refreshes of Process Explorer.

Real world analysis and cleaning

Winwebsec scareware - the same malware skinned under many different aliases

It keeps writing itself back into the RunOnce registry key whenever it is shut down. Enable boot logging in Procmon to capture what the malware does during system startup and shutdown and watch that happen.

Boot into Safe Mode to clean it (booting Windows 8 into Safe Mode is incredibly difficult; use a Windows 7 USB key, or a K2000!)

Law enforcement scareware (claims child porn was found on the system and law enforcement is after you; the "FBI" demands a MoneyPak payment)

Lockscreen.CT - hijacks the system until you pay for the key

Process Explorer and Autoruns show us what it's doing: no signature, all in Russian, sitting in the Run registry key.

Fix: To clean this you must boot into Safe Mode w/ Command Prompt (this version skips auto runs). Do not use vanilla Safe Mode or Safe Mode w/ Networking.

Case of the runaway GPU

Vicenor - family of trojans 

The GPU fan has been hijacked and the GPU is running at 99% activity. Process Explorer has a GPU column showing per-process GPU usage, so you can see which process is consuming that percentage.

Malware was a bitcoin miner using the victim's system GPU for mining. 

Fix: Use Process Explorer to see what the malware is doing and which bitcoin account it's uploading to

Case of unexplained FTP connection

An Exchange server was making unusual outbound FTP connections. A Process Monitor trace showed the FTP connections.

Fix: Filter the file system and registry events out of the trace to see just the network traffic
