Using mutexes to detect active infection
One of the mechanisms to prevent this phenomenon is the creation of specific mutexes, the presence of which makes a conclusion about the presence of active infection. At the same time, mutexes do not hide in any way, and therefore can be a reliable signal for the presence of a certain infection.
The execution of the list of handles for all mutexes open in the system can be done using the Handle utility from Mark Russinovich . This is done with a simple command:
handle.exe -a > log.txtBy parsing the list, you can not only get information about whether there is an infection in the system, but in some cases also get information about which file is potentially infected.
Considering that a complete collection of logs even on a very busy machine takes several seconds, it seems promising to create black-and-white lists of mutexes that allow for rapid assessment of infection. For example, it is well known that:
_AVIRA_ [letters] or __SYSTEM __ [letters] - marker ZBot
svchost_test_started - marker
TDL3 Flameddos - marker Bifrost
__b4ng__b4ng__38 - marker Tigger
Jo1ezdsl - marker Bankpatch.C
Op1mutx9 orAp1mutx7 - and necessarily complex with * exeM_ * - marker Sality
Jhdheddfffffhjk5trh - marker Allaple
1337bot - marker Spybot
Rootz - Sdbot marker
should be noted that the presence of specific mutexes can be detected and the complete memory dump infected system via plug mutantscan Andreas Schuster for Volatility .
Of course, this method does not provide 100% information about the full mechanism of subsequent treatment, in addition, the virmaker can remove the specified “detection” with just a few changes in the code, but on the other hand, the advantage is expressiveness and ease of maintaining the databases.