Detect and Defeat Malicious Processes Easily
At Phrozen Software™, we studied the ways that hackers use remote access trojans (RATs) and found that they almost always rely on a technique called RunPE, also known as process hollowing. The attacker starts a legitimate portable executable (PE) file, often the default browser or a Microsoft system process, in a suspended state, overwrites its code in memory with the malicious program, and then resumes it. The operating system keeps treating the process as the legitimate program it was launched from, so your antivirus has no idea that what looks like your default browser is now running the malware.
Our RunPE Detector is a security program designed to detect and defeat attacks that use the RunPE technique to infect your system. Attackers use RunPE in one of two ways:
Firewall Bypass
This technique bypasses the per-application rules of your firewall or application firewall. Because most malware needs to connect to a remote command and control (C&C) server, it must get through the firewall to reach the Internet. RunPE hijacks a legitimate process that is already authorized to access the Internet, so the connection to the C&C server appears to come from that trusted program and is not blocked by the firewall.
Malware Packer or Crypter
Inexperienced hackers, or "script kiddies", often use malware that is already known to most antivirus programs and try to disguise it to evade detection. To do this, they use tools such as malware packers or crypters, which compress or encrypt the malicious code so that the antivirus program fails to recognise it on disk. The RunPE technique is then used to unpack or decrypt the malware in memory and place it inside a legitimate process without ever writing the decoded code to disk, where it could be discovered and blocked.
What RunPE Detector Does
RunPE Detector reads the PE headers of each running process and compares the headers mapped in memory with the headers of the executable at the process image path. If a process has been hollowed, the headers in memory belong to the injected payload and no longer match the file on disk. This is a very simple method, but it is also very efficient. Many commercial antivirus programs are capable of performing this scan, but Phrozen Software offers RunPE Detector as a standalone tool for performing scans manually or for augmenting your own security toolkit.
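The comparison described above, written out as an added example in Python. This is illustrative code written for this page, not RunPE Detector's own implementation. It parses the DOS header, the COFF file header and the first fields of the optional header from two byte buffers, one representing the executable on disk and one representing the headers mapped at the module base in memory, and reports the fields that differ. Both buffers are constructed inline so the example runs offline; in a real scan the in-memory buffer would be read from the target process (for example with ReadProcessMemory at the main module's base address). ImageBase is deliberately left out of the comparison because the loader may relocate the image under ASLR, and a payload that copies the original headers over its own would not be caught by this check, so treat a clean result as evidence, not proof.

```python
"""Compare the PE headers of a process's on-disk image with those mapped in memory.

Added example for this page; not the RunPE Detector source. Field offsets are
taken from the PE/COFF specification (IMAGE_DOS_HEADER, IMAGE_FILE_HEADER,
IMAGE_OPTIONAL_HEADER).
"""
import struct
from dataclasses import dataclass, fields
from typing import List

IMAGE_DOS_SIGNATURE = 0x5A4D      # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550   # 'PE\0\0'


@dataclass(frozen=True)
class PeHeader:
    """The header fields a hollowed payload is unlikely to share with the original image."""
    machine: int
    number_of_sections: int
    time_date_stamp: int
    size_of_optional_header: int
    characteristics: int
    magic: int                    # 0x10B = PE32, 0x20B = PE32+
    size_of_code: int
    address_of_entry_point: int
    size_of_image: int
    checksum: int


def parse_pe_header(data: bytes) -> PeHeader:
    """Parse the DOS, file and optional headers from the start of a PE image."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    machine, nsec, stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20                                        # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, oh)[0]
    size_of_code = struct.unpack_from("<I", data, oh + 4)[0]
    entry = struct.unpack_from("<I", data, oh + 16)[0]
    # SizeOfImage (+56) and CheckSum (+64) sit at the same offsets in PE32 and PE32+.
    size_of_image = struct.unpack_from("<I", data, oh + 56)[0]
    checksum = struct.unpack_from("<I", data, oh + 64)[0]
    return PeHeader(machine, nsec, stamp, opt_size, chars, magic,
                    size_of_code, entry, size_of_image, checksum)


def header_mismatches(on_disk: bytes, in_memory: bytes) -> List[str]:
    """Return the names of header fields that differ between disk and memory."""
    disk, mem = parse_pe_header(on_disk), parse_pe_header(in_memory)
    return [f.name for f in fields(PeHeader) if getattr(disk, f.name) != getattr(mem, f.name)]


def looks_hollowed(on_disk: bytes, in_memory: bytes) -> bool:
    """A process whose mapped headers disagree with its image file is flagged."""
    return bool(header_mismatches(on_disk, in_memory))


def build_minimal_pe(*, entry_point: int, size_of_image: int, time_date_stamp: int,
                     number_of_sections: int = 2, machine: int = 0x014C) -> bytes:
    """Construct just enough of a PE32 header to exercise the parser (test data, not a real binary)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(0xE0)                               # PE32 optional header is 224 bytes
    struct.pack_into("<H", opt, 0, 0x10B)               # Magic: PE32
    struct.pack_into("<I", opt, 4, 0x1000)              # SizeOfCode
    struct.pack_into("<I", opt, 16, entry_point)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 56, size_of_image)      # SizeOfImage
    struct.pack_into("<I", opt, 64, 0x1234)             # CheckSum (placeholder)
    file_hdr = struct.pack("<HHIIIHH", machine, number_of_sections, time_date_stamp,
                           0, 0, len(opt), 0x0102)      # EXECUTABLE_IMAGE | 32BIT_MACHINE
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt)


# Constructed sample: the image file on disk, and what a hollowed process maps in its place.
LEGIT_IMAGE = build_minimal_pe(entry_point=0x1A2B0, size_of_image=0x2F000, time_date_stamp=0x5B3C1F00)
HOLLOWED_MEMORY = build_minimal_pe(entry_point=0x3000, size_of_image=0x8000,
                                   time_date_stamp=0x60A1B2C3, number_of_sections=3)

if __name__ == "__main__":
    print("clean process :", header_mismatches(LEGIT_IMAGE, LEGIT_IMAGE))
    print("hollowed process:", header_mismatches(LEGIT_IMAGE, HOLLOWED_MEMORY))
```

Running the block on a Windows host would mean replacing the constructed `HOLLOWED_MEMORY` buffer with the bytes read from the process at its main module base; the comparison logic itself does not change.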
We have tested RunPE Detector against several of the most commonly used types of malware, and its detection rate is highly accurate. Because the RunPE technique is so widely used by RATs, trojans, backdoors, crypters and packers, running RunPE Detector is a smart way to check that your system is free of the most destructive types of malware.
Can I Use RunPE Detector to Remove Malware?
You can remove malware with RunPE Detector, but removal is not what RunPE Detector does best. It identifies hijacked processes by scanning the executable files on the system (.exe, .com, .scr, .pif, .bat, etc.) and comparing the PE headers of those that are PE images against the running processes, which pinpoints the hijacked process. However, RunPE Detector does not identify the host location of the malware when the malicious code was loaded by a packer or crypter. For this reason, we recommend using a commercial antivirus solution to remove the malware itself:
- Use your existing antivirus program, or install a reputable trial version, and perform a deep scan of the system.
- Remove any detected viruses, then scan again with RunPE Detector to confirm that the malicious files were removed successfully.
- If the antivirus program does not detect an infection, use RunPE Detector to kill the hijacked process manually and try to identify the malware's host location (registry keys, paths, services, etc.) by scanning suspicious files with our Winja solution.
- If you still cannot remove the threat, back up your important data and perform a clean reinstall of the operating system.
Protect Yourself against Future Attacks
If RunPE Detector discovers malicious processes in your system, you should understand that it is possible that your credentials and personal information may have already been compromised or stolen. Even after removing all threats, you should change all passwords (bank accounts, websites, games, applications, etc.) immediately and contact your financial institutions to alert them to the potential of fraudulent activity.
To stay safe in the future, never download programs from unknown sources and never use cracks or key generators (keygens) except inside a virtual machine or sandbox (for example, Sandboxie). Purchase and maintain a strong antivirus program and use supplemental tools, like the ones produced by Phrozen Software™, to keep your system and accounts protected. We recommend Kaspersky or Bitdefender as commercial antivirus programs and COMODO Internet Security as a firewall.
As a final note, never allow an antivirus program to scan your personal files in the cloud (as opposed to scanning them locally on your machine). This approach can compromise your privacy and, in our opinion, should not even exist, so do not accept it!
A Note about 64-bit Process Scanning
RunPE Detector runs on 64-bit systems, but it cannot currently scan 64-bit processes; we plan to add this capability in the near future. At present most malware is compiled for the 32-bit architecture and most infections occur in 32-bit processes. Because 64-bit Windows can run 32-bit code, hackers have had little urgency to move to 64-bit code so far.