More along the lines of malware disinfection

I thought I would ask this considering the level of response I had on
the last thread I started, in the hope that someone might suggest a
technique for this problem.

When removing malware of one sort or another, I have had the situation
quite a few times where a dodgy dll/exe couldn't be removed/renamed in
normal or any safe mode, and attempts to remove its links from the
registry to stop it from starting result in the malware recreating those
links instantly (for example, a bit of malware inserts itself into the
winlogon notify list).  Normally I will boot off the XP CD to the
recovery console and rename the offending file(s) there, however, the
Windows XP recovery console does not allow you into the "Documents and
Settings" folder (access denied), and I have had it once or twice where
a bit of malware is stored inside that directory structure and has full
privs on the system.

On one occasion I tried inserting an extra command into the session
manager's BootExecute key, just telling it to delete the file in
question.  Admittedly I was hastily trying multiple strategies, so I
don't know whether this particular strategy worked, but I doubt it did
since the delete command is stored in cmd.exe.  Perhaps a batch file
could have done it but I doubt that the BootExecute system would allow
commands to spawn other processes.

Anyway, any ideas, as I probably will come up against this scenario again :)


--
Mike Moratz-Coppins
mike@...
http://www.mikeymike.org.uk/

Mike Moratz-Coppins wrote:
> When removing malware of one sort or another,

<SNIP>

Hi,

IMHO, anytime, repeat ANYTIME, you have an infected box, it is < 0%
trustworthy. You can remove the malware, but how do you know that
you found everything? You don't. Especially if the malware is some
sort of downloader or spyware.

Infected system? Back up the data, and ONLY the data, then (to quote
Microsoft from RSA a couple of years ago) "Nuke it from space!".

Bottom line: It is impossible to give any reasonable assurance that
a box that was infected has been cleaned. Best solution: Never store
use data on a client system (so you have nothing to back up) and
simply reimage any suspect system (ZenWorks, Ghost, etc.). I have
some clients that reimage every desktop every weekend just for good
measure.

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
m: 843-224-2494




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.

My experience is that if the malware has its hooks into the system that far, it's quicker and less painless to just wipe the system. I can never trust, from that point on, that I've gotten everything out of the system. With malware like that, it's like trying to rip blackberry bushes out of your garden -- make damn sure you've gotten every fragment of every root out of the ground, or you're going to be seeing it again soon.

--
Devin L. Ganger, Exchange MVP      Email: deving@...
3Sharp                             Phone: 425.882.1032
14700 NE 95th Suite 210             Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/

I have had the misfortune of having to remove several rootkits from Windows
2003 servers in the past. I know it isn't exactly what you are referring to,
but the concepts are generally the same.

Most likely you were dealing with onboot services that are hooking into the
Windows API to hide themselves from Windows all together. What you need to
do is get a listing of onboot services, and start looking at which ones are
not properly signed (most onboot services will be properly signed by a
reputable company i.e. MS, Adobe, etc). I recall that I used HiJackThis to
get me a list of the onboot services, and then looked at each of them to
verify that they were legit.

Armed with this list of "questionable" services you can boot into the
recovery console and run "disable <service>" to remove the services.

The problem with accessing the "Documents and Settings" folder is a tough
one to crack, as I didn't have to deal with it in my instance (the files
were located in a hidden directory in C:\Windows\). You might want to try
liveCD that supports reading and writing to NTFS (if they are using NTFS, or
if you are lucky, just access the drive via FAT32).

As a different avenue of approach, maybe you can accomplish something with
BartPE. That would allow you to boot into windows and run various apps
independent of the compromised OS.

Good luck,

Tom Walsh
Express Web Systems, Inc.
http://www.expresswebsystems.com/

Jon R. Kibler wrote:
Purely monetarily speaking, I love the idea of reinstalling every
machine that gets a virus.  I might have earnt about 4 times more money
than I have to date running my business, however I don't think customers
would appreciate their computer install being nuked every time they have
a malware issue.  I would say that so far I've done about 50 installs of
Windows (computer building aside) whereas I have attended about 200
appointments where I have removed some form of malware from a computer.

Sure, you can't be absolutely 100% sure that a machine is 100% clean,
but quite frankly you can't be 100% sure that a cleanly-installed,
patched up-to-date machine hasn't somehow been compromised by a 100%
undetectable rootkit.  When I go to an appointment, I check the usual
sources of 'programs being run on startup' registry entries that I'm
aware of, I check the process list, and I investigate further if I
observe any sign of a machine acting not 100% normal.

Computer fixing is rarely about 100% security (or anywhere near that),
as 100% security means "not usable".


--
Mike Moratz-Coppins
mike@...
http://www.mikeymike.org.uk/

Express Web Systems, Inc. wrote:
> The problem with accessing the "Documents and Settings" folder is a tough
> one to crack, as I didn't have to deal with it in my instance (the files
> were located in a hidden directory in C:\Windows\). You might want to try
> liveCD that supports reading and writing to NTFS (if they are using NTFS, or
> if you are lucky, just access the drive via FAT32).

AFAIK most live CDs just grant read-only access to NTFS.  Which one
would you recommend?

> As a different avenue of approach, maybe you can accomplish something with
> BartPE. That would allow you to boot into windows and run various apps
> independent of the compromised OS.

I haven't heard of that before, I'll read up about it.


--
Mike Moratz-Coppins
mike@...
http://www.mikeymike.org.uk/

On Tue, 2008-18-03 at 12:46 -0500, Jon R. Kibler wrote:
Why is this?  How can I trust my anti-<insert noun here) security
product;

A)  Discovered and Diagnosed the problem accurately?  I can't.
B)  Determine the exact nature of the discovery?  I can't.
C)  Find a method of removing the infection?  I can't.

So, I have to rely on:

1)  Knowledge of the OS.
2)  Knowledge of the filesystem.
3)  Knowledge that everything comes from a file, and if the source is
determined, then 'everything else it does, even if it morphs..' can be
discovered and repaired.  

Period.

If all these so called 'security' companies would publish more
information about malware, then I'd refute your argument 100%.  But they
do not, hence much information is misclassified, misdiagnosed, and
simply not available.

This is the REAL problem, not whether or not you can repair a system or
'trust' a PC.  Anyone who plugs a PC into the net and 'trusts' it is a
fool.  You have to protect your PC and be aware of what problems mean.
For instance 'anytime' a system crashes, this should be taken seriously
but thanks to vendors like Microsoft we laugh and joke about it and
forget about it.  However many crashes are results of bugs, and many
bugs are the exploits for malware.  

See how this comes full circle?  


>
> Infected system? Back up the data, and ONLY the data, then (to quote
> Microsoft from RSA a couple of years ago) "Nuke it from space!".

You go nukey boy...I for one would not agree.  Today's malware is
capable (heck more likely) to be infecting your data, or better hiding
DORMANT in your data.  Come on, you telling me the stegography has been
lost to malware developers?  I don't think so.  

Today I'm reading about cold-boot infections.  Wow, imagine a co-worker
infecting PC's.  It happens.  but we don't stop folks from using PC's.

>
> Bottom line: It is impossible to give any reasonable assurance that
> a box that was infected has been cleaned. Best solution: Never store
> use data on a client system (so you have nothing to back up) and
> simply reimage any suspect system (ZenWorks, Ghost, etc.). I have
> some clients that reimage every desktop every weekend just for good
> measure.

Bottom Line:  It is impossible to not be reinfected again.  By reimaging
you could be perpetuating dormant malware for years to come.

You know, I want to point out to folks on this list that this is NOT an
either/or situation.  Much like any time we engage in computer forensics,
there are processes we can institute as security professionals that allow
for the removal of untrusted components via a clean install without complete
loss of data.

1) Recognize that a system is compromised if it is infected with anything
more than an embedded 'exploit'.  (E.g. Email comes through that has HTML or
something which is temporarily copied to a local cache when the email loads
in the application.  This is easy to fix.  Any true "virus" which infects
the host system at deeper than an individual application level is taboo.
Toast.)  

2) Jon's point about reliability here is very key to the discussion.  It is
COMPLETELY irresponsible to warrant to a customer that you can certify a
system safe after it has been infected with any manner of
control-compromising code that has gone undetected/untreated for a period of
time.  As an individual consumer, I may choose to take that risk so there is
an important distinction for the environment that you are asking this
question on.  On an enterprise level it is hard to imagine a small or medium
business where this risk is acceptable.

3) Institute a process for incident response and correction.  Whether you're
a small business, a vendor, whatever, have a process which you use for these
kinds of events.  

        3A) In my case, I choose to first image a system.  Load the drive on
a live system which does not boot from hard drive and instead boots from a
live CD and invokes an imaging application.  If you find later that there is
reason to investigate the old drive / old environment, you need to have a
high quality copy of the data to do your investigation on.  Don't
investigate on the original source.  

        3B) Then if you are in a situation where investigation is not
warranted and there is no need for preserving the original environment (no
criminal or civil reporting or case involved), wipe the original hard drive
with, at the very least, a format operation.

        3C) Install a clean OS. Use the original media, the original OS if
you need to.  Patch the OS.  Protect the OS with antivirus or whatever
endpoint measures you/yourcustomer/yourorganization uses.

        3D) Use the appropriate application to access the saved disk image
and restore files as necessary to the reconstructed environment, ensuring
that they must each past muster in an antivirus application or other
scanning environment.

Realize that security is the intelligent application of principles and
experience to maintain a balance between confidentiality, integrity, and
accessibility for yourself, your customer, or your organization.  Security
doesn't have to be "wipe and restart" OR "remove the malware and continue
using", there are other solutions out there.  It is important to recognize
that there are multiple possible approaches and you need to examine the
risks and benefits of your (hopefully standardized) approach to regularly
determine if it can be improved.

-W

Wayne S. Anderson
http://www.linkedin.com/in/wayneanderson

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On
Behalf Of Jon R. Kibler
Sent: Tuesday, March 18, 2008 11:46 AM
To: Mike Moratz-Coppins
Cc: focus-ms@...
Subject: Re: More along the lines of malware disinfection

Mike Moratz-Coppins wrote:
> When removing malware of one sort or another,

<SNIP>

Hi,

IMHO, anytime, repeat ANYTIME, you have an infected box, it is < 0%
trustworthy. You can remove the malware, but how do you know that
you found everything? You don't. Especially if the malware is some
sort of downloader or spyware.

Infected system? Back up the data, and ONLY the data, then (to quote
Microsoft from RSA a couple of years ago) "Nuke it from space!".

Bottom line: It is impossible to give any reasonable assurance that
a box that was infected has been cleaned. Best solution: Never store
use data on a client system (so you have nothing to back up) and
simply reimage any suspect system (ZenWorks, Ghost, etc.). I have
some clients that reimage every desktop every weekend just for good
measure.

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
m: 843-224-2494




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.

I should point out one factor which I think makes a large difference in
the approach that one might take in encountering a security issue - the
vast majority of my customers are home users who just casually use their
machine.  In a hypothetical situation of me being called in to analyse a
security compromise of a medium-sized business's system(s), my strategy
definitely would not factor in "can I fix this in under 3 hours".

Wayne S. Anderson wrote:
I used the term 'malware' because I believe that the threats are
becoming more and more blended.

> 2) Jon's point about reliability here is very key to the discussion.  It is
> COMPLETELY irresponsible to warrant to a customer that you can certify a
> system safe after it has been infected with any manner of
> control-compromising code that has gone undetected/untreated for a period of
> time.

Do you see this as applying in a joe average home user scenario?

> As an individual consumer, I may choose to take that risk so there is
> an important distinction for the environment that you are asking this
> question on.  On an enterprise level it is hard to imagine a small or medium
> business where this risk is acceptable.

Agreed.

> Realize that security is the intelligent application of principles and
> experience to maintain a balance between confidentiality, integrity, and
> accessibility for yourself, your customer, or your organization.  Security
> doesn't have to be "wipe and restart" OR "remove the malware and continue
> using", there are other solutions out there.  It is important to recognize
> that there are multiple possible approaches and you need to examine the
> risks and benefits of your (hopefully standardized) approach to regularly
> determine if it can be improved.

I assume you mean, in my average scenario (eg. home casual user got
their machine compromised through installing something while browsing
for porn) that my advising the customer of common-sense approaches as
well as possibly suggesting alternative software to help avoid similar
problems in the future, for example?


--
Mike Moratz-Coppins
mike@...
http://www.mikeymike.org.uk/

This has been a really great thread, folks!

With regard to the question of not knowing whether or not you have any
modified files remaining on the system, you might be interested in the
following URLs, which have been following and dissecting a newer method
of getting malware on to a machine... simply embed it into a Flash "ad":

http://msmvps.com/blogs/spywaresucks/default.aspx

http://www.bluetack.co.uk/forums/index.php?s=ba964b70addd94e94cce765b5a6
9103b&showtopic=18064&st=0&p=86387&

And an excellent paper, written in 2001 by SANS senior faculty member
Lenny Zeltser, with a pretty thorough discussion and break down of what
just one piece of malware can do to a system.
http://www.zeltser.com/reverse-malware-paper/

And don't forget to:

fdisk /mbr

when you re-use the hard drive.
http://support.microsoft.com/kb/69013


Jim Monahan



===================================

P Please consider the environment before printing this e-mail

Cleveland Clinic is ranked one of the top hospitals
in America by U.S. News & World Report (2007).  
Visit us online at http://www.clevelandclinic.org for
a complete listing of our services, staff and
locations.


Confidentiality Note:  This message is intended for use
only by the individual or entity to which it is addressed
and may contain information that is privileged,
confidential, and exempt from disclosure under applicable
law.  If the reader of this message is not the intended
recipient or the employee or agent responsible for
delivering the message to the intended recipient, you are
hereby notified that any dissemination, distribution or
copying of this communication is strictly prohibited.  If
you have received this communication in error,  please
contact the sender immediately and destroy the material in
its entirety, whether electronic or hard copy.  Thank you.

Mike Moratz-Coppins wrote:
>Purely monetarily speaking, I love the idea of reinstalling every machine that gets a virus.  I
>might have earnt about 4 times more money than I have to date running my business, however I don't
>think customers would appreciate their computer install being nuked every time they have a malware
>issue.  I would say that so far I've done about 50 installs of Windows (computer building aside)
>whereas I have attended about 200 appointments where I have removed some form of malware from a
>computer.

Hello
Recently I was setting up wireless for a customer.  Found a piece of malware vb.cc I think. checked
hosts, registry, accounted for any processes I didn't know, ran anti-virus, rootkit revealer,
couldn't see any further signs of compromise, and the PC ran as well as I might have expected,
broadband running fine too.  I informed the customer anyway of the risks, feeling bad like I was
fishing for more work I told them they were probably perfectly safe but couldn't be 100% without
doing more work or a full service on the box.  And left it up to them.

As they used the machine for work and personal banking they preferred a full service (should always
work better after a clean rebuild anyway).

5430 infected files.

Kind Regards
Colin

This is a great point, Mike.

As with all things security related, you really have to examine the
environment and the value of the asset which you are securing.

In your particular example, you appear to focus largely on home users.  I
would actually offer them the choice, if it were me.  It has been me in the
past when I was getting started.  You do your initial investigation.  Ah
hah!  Malware!  You naughty user, you, stop going to those uh.... creative
body art.... sites.  At that point you can either offer them your arbitrary
toast-and-rehash service which loses all of the data OR you can say that
there are three choices and its up to you.

My first service is to remove the malware.  I don't warrant my work as
modern malware can be a real bugger to get rid of.  I will make my best
effort to get rid of the bad stuff and leave the good stuff intact but
realize there is a small chance something can go wrong and a small chance
that the creeping crud could still be there.

My second service is to pave over your system.  Its fast, its relatively
cheap if you still have your old CDs, but you lose your data.  I warrant
this service because your system is fresh and fully patched and will be
working but wont have your old data.  Most people don't do this because they
have pictures, games, etc, that they want me to grab from the old system.

My third service takes a little more time and involves a little more work
but I rebuild your system and try to bring over standard profile information
from your old computer and the information that you tell me you really need
from the old PC.  This is the image-rebuild-and-restore option.  I warrant
this work because its detailed work and I leave you a fully patched system
with as much information as I can reasonably recover from the old PC.  This
costs a little more but is the best option.

This way you offer yoru customers the choice, let them choose whether they
want to pay for the extra time.  You offer your customer options including
an upsell/premium option that makes a little more money for you.  Your user
gets to choose what level of risk they are taking on (even though they don't
see it as risk, they just see it as what work you are willing to do and how
you walk away from the job).

Wayne S. Anderson
http://www.linkedin.com/in/wayneanderson

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On
Behalf Of Mike Moratz-Coppins
Sent: Tuesday, March 18, 2008 2:57 PM
To: focus-ms@...
Subject: Re: More along the lines of malware disinfection

I should point out one factor which I think makes a large difference in
the approach that one might take in encountering a security issue - the
vast majority of my customers are home users who just casually use their
machine.  In a hypothetical situation of me being called in to analyse a
security compromise of a medium-sized business's system(s), my strategy
definitely would not factor in "can I fix this in under 3 hours".

Wayne S. Anderson wrote:
> You know, I want to point out to folks on this list that this is NOT an
> either/or situation.  Much like any time we engage in computer forensics,
> there are processes we can institute as security professionals that allow
> for the removal of untrusted components via a clean install without
complete
> loss of data.
>
> 1) Recognize that a system is compromised if it is infected with anything
> more than an embedded 'exploit'.  (E.g. Email comes through that has HTML
or
> something which is temporarily copied to a local cache when the email
loads
> in the application.  This is easy to fix.  Any true "virus" which infects
> the host system at deeper than an individual application level is taboo.
> Toast.)  

I used the term 'malware' because I believe that the threats are
becoming more and more blended.

> 2) Jon's point about reliability here is very key to the discussion.  It
is
> COMPLETELY irresponsible to warrant to a customer that you can certify a
> system safe after it has been infected with any manner of
> control-compromising code that has gone undetected/untreated for a period
of
> time.

Do you see this as applying in a joe average home user scenario?

> As an individual consumer, I may choose to take that risk so there is
> an important distinction for the environment that you are asking this
> question on.  On an enterprise level it is hard to imagine a small or
medium
> business where this risk is acceptable.

Agreed.

> Realize that security is the intelligent application of principles and
> experience to maintain a balance between confidentiality, integrity, and
> accessibility for yourself, your customer, or your organization.  Security
> doesn't have to be "wipe and restart" OR "remove the malware and continue
> using", there are other solutions out there.  It is important to recognize
> that there are multiple possible approaches and you need to examine the
> risks and benefits of your (hopefully standardized) approach to regularly
> determine if it can be improved.

I assume you mean, in my average scenario (eg. home casual user got
their machine compromised through installing something while browsing
for porn) that my advising the customer of common-sense approaches as
well as possibly suggesting alternative software to help avoid similar
problems in the future, for example?


--
Mike Moratz-Coppins
mike@...
http://www.mikeymike.org.uk/

> Mike Moratz-Coppins
>> Wayne S. Anderson

> > 2) Jon's point about reliability here is very key to the
> > discussion.  It is COMPLETELY irresponsible to warrant to a
> > customer that you can certify a system safe after it has been
> > infected with any manner of control-compromising code that has
> > gone undetected/untreated for a period of time.

> Do you see this as applying in a joe average home user scenario?

Absolutely it does. If you say, "I've fixed it," you've arguably agreed to assume liability (as one of the earlier bits of conversation brought out) for the further good operation. If you've missed some piece of malware that then goes on to capture sensitive personal data...

...not a position I'd want to be in. And most of the clients I had back when I was working on home systems understood that, once I explained it to them. After all, the name of the game is user education. If they're engaging in risky practices, they need both the negative feedback (the inconvenience of having the drive wiped) and the positive feedback (okay, here's where you probably picked that up, and here's ways to browse more safely) if they're going to learn something about using their computer more intelligently.

--
Devin L. Ganger, Exchange MVP      Email: deving@...
3Sharp                             Phone: 425.882.1032
14700 NE 95th Suite 210             Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/

You're right that I can't be 100% sure that a clean install is not compromised already -- but the chances are a LOT lower than trying to manually clean a known-compromised machine. By reinstalling, I'm certainly leaving the user in no *worse* position of risk; by not reinstalling, I am.

--
Devin L. Ganger, Exchange MVP      Email: deving@...
3Sharp                             Phone: 425.882.1032
14700 NE 95th Suite 210             Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/

On 2008-03-18 Mike Moratz-Coppins wrote:
> I should point out one factor which I think makes a large difference
> in the approach that one might take in encountering a security issue -
> the vast majority of my customers are home users who just casually use
> their machine.

You do realize that significant amounts of spam are deployed through
zombified computers of exactly these "home users who just casually use
their machine", don't you?

[...]
>> 2) Jon's point about reliability here is very key to the discussion.
>> It is COMPLETELY irresponsible to warrant to a customer that you can
>> certify a system safe after it has been infected with any manner of
>> control-compromising code that has gone undetected/untreated for a
>> period of time.
>
> Do you see this as applying in a joe average home user scenario?

Even if he doesn't, I do. Unless you can determine without any doubt
when and how the machine was compromised, and what exactly was altered
afterwards, the only resonable and responsible way to deal with the
problem is to backup the data and reinstall the machine. Period.

http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq