How To Find Hidden Malware



#1 Cris (BitDefender Evangelist)

Posted 20 December 2007 - 08:14 PM

Most of the time, malware files don't stay where everybody can see them. They "install" themselves in system folders (C:\Windows, C:\Windows\System32, C:\Documents and Settings etc.).

Even more, they use some techniques to hide themselves from the eyes of the user, by setting their attributes to Hidden and/or System. By doing this, they become practically invisible in Windows Explorer. This happens because, by default, Windows is set not to show hidden files and folders. Why?
Because, in normal conditions, hidden files and folders and System files are the most important files of the Operating System and should be protected against accidental deletion and/or modification by inexperienced users.

Fortunately, you can always make Windows Explorer (or any other file manager that you use) show these files, by doing this:
  1. Open Windows Explorer
  2. Click Tools -> Folder options... -> View
  3. In the list of options, search for the category Hidden files and folders and enable Show hidden files and folders
  4. Also, disable the option Hide protected operating system files (Recommended). When you disable this option, Windows will show a confirmation message, asking if you are sure about this change. Confirm by pressing Yes
  5. Click OK to close the Folder Options dialog.
  6. Now you can view all hidden files and folders in Explorer
Warning! If you are not very experienced with Windows, I recommend that you leave these options at their default setting, to prevent accidental changes.


Another method used by malware is to add a double extension to their files, resulting in files named like .mp3.exe or .jpg.exe. By default, Windows is set to hide the extensions for known types of files, so these malware files won't appear with their double extension (you will only see them as .mp3 or .jpg).
This is not a method of hiding the files to prevent you from seeing them. On the contrary, it's more a method to invite you to listen to a good song or to view a cool picture when, in reality, you'll open an infected executable and infect the computer.
Also, there are malware applications (executables) that mask themselves as folders: they have the icon of a Windows folder and, when you try to see what that folder contains, you'll actually open an infected application.
Example:
[Attached image: Folder_executable.jpg]

To view the real extension of a file, and to see if, in reality, it is the file you want to open or some malware with a double extension, go to Folder Options -> View (the same way as above), disable the option Hide extensions for known file types and click OK. Now, the real identity of a file will be shown in Windows Explorer.
[Attached image: Folder_executable_2.jpg]
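As an added illustration (not part of Cris's post), a small Python triage script that applies the two checks described above mechanically: it reports executables that carry the Hidden or System attribute, and file names with a decoy double extension such as .jpg.exe. The extension lists and the sample entries are constructed for this example; scan_directory reads real attribute bits only on Windows, where os.stat exposes st_file_attributes.

```python
import stat
from pathlib import Path

# Extensions Windows runs as programs, and extensions users expect to be harmless (constructed lists).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}
DECOY_EXTS = {".mp3", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt"}

# Constructed sample of (path, st_file_attributes) pairs; bit 2 = Hidden, bit 4 = System.
SAMPLE_ENTRIES = [
    ("C:\\Windows\\System32\\kernel32.dll", 0),
    ("C:\\Windows\\System32\\update.exe", 6),          # hidden + system executable
    ("C:\\Users\\me\\Desktop\\Holiday.jpg.exe", 0),    # Explorer shows it as Holiday.jpg
    ("C:\\Users\\me\\notes.txt", 2),                   # hidden, but not runnable
]

def is_double_extension(name: str) -> bool:
    """'song.mp3.exe': a decoy extension directly in front of an executable one."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DECOY_EXTS

def attribute_flags(attrs: int) -> list[str]:
    """Name the Hidden and System bits of a Windows st_file_attributes value."""
    flags = []
    if attrs & stat.FILE_ATTRIBUTE_HIDDEN:
        flags.append("hidden")
    if attrs & stat.FILE_ATTRIBUTE_SYSTEM:
        flags.append("system")
    return flags

def triage(entries: list[tuple[str, int]]) -> dict[str, list[str]]:
    """Map each suspicious path to the reasons it was flagged; clean files are omitted."""
    report = {}
    for path, attrs in entries:
        reasons = ["double extension"] if is_double_extension(path) else []
        if Path(path).suffix.lower() in EXECUTABLE_EXTS:
            reasons += [f"{flag} executable" for flag in attribute_flags(attrs)]
        if reasons:
            report[path] = reasons
    return report

def scan_directory(root: str) -> dict[str, list[str]]:
    """Walk a real folder tree (e.g. C:\\Windows\\System32); attributes read as 0 off Windows."""
    entries = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            entries.append((str(p), getattr(p.lstat(), "st_file_attributes", 0)))
    return triage(entries)
```

On a Windows host, scan_directory(r"C:\Windows\System32") applies the same triage to a real folder; on other systems only the double-extension check has any effect.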
