Michael Horowitz

Defensive Computing

Larry Dignan's antivirus nightmare

Over at ZDNet, the site's Editor in Chief, Larry Dignan, just blogged about his experiences trying to remove a malware infection from his Windows XP computer.
 
As a story from the trenches, I loved it, especially his experience calling McAfee on the phone for help.

But I was surprised at his approach to dealing with the problem. 

Malicious software has been infecting Windows computers for ages, yet his only line of defense was a single antivirus product. That's simply insufficient.

One obviously missing defensive tactic is running as a limited user, or, at the very least, using DropMyRights to run Internet-facing applications with reduced rights. This isn't perfect: malware can still execute, but at least it can't permanently install itself, so it won't autorun at the next boot.

Perhaps most surprising, coming from someone I assume is a techie, was this statement "... once Antivirus Pro is installed you’re screwed." Non-techies may be screwed, but nerds know to make disk image backups.

Perhaps my focus on Defensive Computing slants my perspective, but there is no excuse for not making image backups. Imaging software can be had for free, or very little money, and not only does an image backup protect you from any and all software problems, it also offers protection from hardware problems.

From the effort Dignan put into dealing with his malware infection, it seems the computer was important to him, making the lack of an image backup to fall back on all the more surprising.

And his malware removal efforts were all but doomed to fail.

For one thing, he fought the enemy on their territory. Once a Windows computer has been infected, it's no longer your computer. Bad guys do a great job of protecting their turf and the infected operating system is now their turf.

The best way to remove malware is from outside the infected system and the best way to do this is to boot the computer using the Ultimate Boot CD for Windows (UBCD4WIN).

Running an operating system off a CD treats the infected C disk as a data disk and thus prevents the malware from running.

Dignan wrote that he "... needed to manually remove the files. The problem: I couldn’t find them ..." Chances are that an operating system running off a CD would see the files he couldn't from within the infected system.

Booting to a Linux Live CD is great for this and for copying important files off the infected machine. But UBCD4WIN lets you run a whole host of anti-malware software directly from the CD. It can even self-update many of the programs from the Internet before using them to scan the infected drive.

If your favorite antimalware programs are not available from within UBCD4WIN, then you can simply use it to share the infected drive over a LAN and scan the infected C disk from a clean machine elsewhere on the network.

I wrote a trio of articles at eSecurityPlanet on this approach:

Still, there are limits to what can be done from the outside, because the infected registry is not mounted and scanned as a registry.

Thus, after scanning from the outside, you need to boot the suspect OS and run anti-malware software from within the system. The more products you run the better. If it were me, I'd run a half dozen applications, starting with Mark Russinovich and Bryce Cogswell's Autoruns (it's both free and portable).

This, however, raises the question of whether you can trust a machine at all after it's been infected. Can you be sure the malware has been totally removed? I don't think you can.

Which leads right back to my main point: image backups. Dogs may be man's best friend, but image backups are a nerd's best friend.

What People Are Saying

UAC - A Good Thing

The UAC of Vista and Windows 7 is a Good Thing.

(I use Vista.)

Do you REALLY want to install this Fake Antivirus Program? (grin)

I use Vista too ...

... and UAC is fine to the extent that it enables IE protected mode.

However, UAC is not a security boundary and the question "Do you REALLY want to install this Fake Antivirus Program?" won't actually be asked. Nor anything even close to this question.

For true least privilege in Vista/7, create a standard user account and use this account for day-to-day use. Enable application whitelisting in folders C:\Windows and C:\Program Files via Software Restriction Policy (SRP). Use the application control feature in Parental Controls for Vista/7 Home and gpedit.msc for Vista/7 Business/Professional/Ultimate. Use a search engine to find a tutorial for either Parental Controls or gpedit.msc.

With this setup, the user will not even get a prompt. This is true default deny.
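The default-deny setup this comment describes, as an added example rather than anything from the post or its commenters: a PowerShell script that writes the same Software Restriction Policy values gpedit.msc writes (DefaultLevel, TransparentEnabled, PolicyScope, ExecutableTypes and two allow-by-path rules) under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, and prints the weak Unrestricted state next to the Disallowed one. It assumes Vista/7, an elevated prompt, and that daily work is done from a standard user account; the rule GUIDs and descriptions are constructed, and %SystemRoot%/%ProgramFiles% are used in place of the registry-path rules the UI generates.

```powershell
# Added example (not from the original post or its comments): configures a
# default-deny Software Restriction Policy directly in the registry, the way
# the gpedit.msc UI does, so it can be reviewed on editions without that UI.
# Assumptions: Windows Vista/7, elevated prompt, daily work done from a
# standard (non-admin) account, which is what makes the two path rules
# meaningful, because a limited user cannot write to either folder.
#Requires -RunAsAdministrator

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Show-SrpState {
    # Reports the current default level: 262144 = Unrestricted (weak, the
    # out-of-the-box state), 4096 = Basic User, 0 = Disallowed (default deny).
    if (-not (Test-Path $base)) { return 'no SRP policy present (everything allowed)' }
    $level = (Get-ItemProperty -Path $base -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    if ($null -eq $level) { return 'DefaultLevel not set (behaves as Unrestricted)' }
    switch ($level) {
        262144  { 'DefaultLevel = Unrestricted (weak: anything runs)' }
        4096    { 'DefaultLevel = Basic User' }
        0       { 'DefaultLevel = Disallowed (default deny)' }
        default { "DefaultLevel = $level (unknown)" }
    }
}

function Add-SrpPathRule {
    # One allow rule under the Unrestricted level (262144). Layout mirrors what
    # gpedit writes: <level>\Paths\{GUID} with ItemData, SaferFlags, Description.
    param([string]$Path, [string]$Description)
    $guid = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'   # constructed rule id
    $key  = Join-Path $base "262144\Paths\$guid"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String -Value $Description -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
}

Write-Host "Before: $(Show-SrpState)"

New-Item -Path $base -Force | Out-Null
# Default deny: anything not matched by an allow rule is blocked ...
New-ItemProperty -Path $base -Name DefaultLevel       -PropertyType DWord -Value 0 -Force | Out-Null
# ... for every software file type including DLLs (2 = all; 1 = all except DLLs) ...
New-ItemProperty -Path $base -Name TransparentEnabled -PropertyType DWord -Value 2 -Force | Out-Null
# ... and for every user, local administrators included (1 would exempt admins).
New-ItemProperty -Path $base -Name PolicyScope        -PropertyType DWord -Value 0 -Force | Out-Null
# File extensions SRP treats as executable; this is the usual list the UI writes.
New-ItemProperty -Path $base -Name ExecutableTypes -PropertyType MultiString -Force -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
    'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC'
) | Out-Null

# Allow rules for the two folders the comment names; a limited user cannot write there.
Add-SrpPathRule -Path '%SystemRoot%'   -Description 'Windows folder (allow)'
Add-SrpPathRule -Path '%ProgramFiles%' -Description 'Program Files (allow)'

Write-Host "After:  $(Show-SrpState)"
Write-Host 'Log off and on again for the policy to apply to new processes.'
```

Log off and back on before trusting the result, then try launching an executable from the desktop of the standard account: it should fail silently, which is the "no prompt" behaviour the comment describes. TransparentEnabled = 2 also checks DLLs, which is stricter but slower and breaks programs that load libraries from user-writable folders; set it to 1 if that bites. Anything that installs into %AppData% or %Temp% is blocked by design, so check the standard account's everyday programs before rolling this out.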

No Problem So Far

So far I haven't had any problems with killing the Antivirus Pro processes in Task Manager (if you know what to look for), then downloading and cleaning off the infection with Malwarebytes Antimalware. (I also make sure to disable applicable Start Up items just in case.) You also need to make sure System Restore is turned off and not turned back on until cleaning is done. After dozens of cleanings, so far all have been successful with no evidence of any residuals.

Virus Defenses

One nice thing about Windows Vista Business and 7 Professional (I'm not sure about Home Premium for Win 7) is that the backup programs include the ability to create image backups - Win 7's is far better since the user can create the image across a network.

One other suggestion to safeguard data is to partition the HDD and place all data on a separate partition. Even the Outlook pst file can be re-located to another partition (and Windows Live Mail too). At least, if the O/S partition is destroyed, the data is still safe. This should not dissuade a user from backing up data files (it actually makes it easier since the entire drive can be backed up easily), but it does create an additional layer of security.

a data-only partition

I completely agree with the suggestion to segregate out data files from the operating system (and apps) into another partition. I have been doing this for years.

It makes the image backups smaller and, as you say, leaves your data untouched should an OS restore be needed.

Another idea

that might give you additional clues is to run RootkitRevealer, another tool written by the same people who developed Autoruns. All this tool does is to signal you if files and directories might be hidden from you at a very low level (by diverting Windows APIs). If this is the case, only offline scanning might save you, although I once had a surprisingly good result using Dr.Web CureIt!. As for mounting the registry when using a live CD, I usually use a plug-in for BartPE called Registry Editor PE but I don't know if it works with UBCD4WIN.
I agree with the author of the article that Larry Dignan panicked too soon.

mounting the registry from outside infected OS

When I wrote about this in July, both MalwareBytes and SuperAntiSpyware were working on being able to mount the registry as a registry when running outside the infected system. See

www.esecurityplanet.com/features/article.php/51671_3830676_2/The-Best-Way-to-Remove-Viruses-and-Malware-Part-3-The-Clean-Up.htm

I'm not sure where things currently stand.

WinPE

If you use a WinPE Boot CD you can use REG.EXE to load the registry from the infected system and then use whatever scanning tool to at least find the malicious items; in some cases you may have to manually remove them. The HKLM registry files are located in C:\Windows\System32\config under their respective names and the User Registry is located in the User profile folder in a file named NTUSER.DAT. Be extremely careful when manually deleting entries in these registry files. It may be a good idea to create backups of these files before loading and editing. Use REG /? to get the command line options for this utility.
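The WinPE approach in this comment, and the author's earlier point that scanners running from outside do not see the infected registry as a registry, as an added example (not code from the post, the commenters, or the UBCD4WIN project): a PowerShell script that loads the SOFTWARE, SYSTEM and NTUSER.DAT hives of the infected install with reg.exe under temporary HKLM keys, then lists the classic Run/RunOnce/Winlogon autostart values and any service whose binary lives outside the Windows folder, all without ever booting the infected OS. It assumes a WinPE build that includes PowerShell (stock BartPE/UBCD4WIN has only cmd.exe, where the same reg load/unload commands apply), that the infected install is visible at D:\Windows, and an XP-style profile path; both paths are constructed placeholders.

```powershell
# Added example, not code from the original post or its comments. Reads the
# autostart locations of an infected Windows install from the OUTSIDE by
# loading its hives under temporary keys, so nothing on the infected disk runs.
# Assumptions: WinPE with PowerShell available; infected system drive visible
# as D:; profile folder path known. Both paths below are placeholders.
param(
    [string]$InfectedRoot = 'D:\Windows',                       # assumption: infected install on D:
    [string]$UserProfile  = 'D:\Documents and Settings\owner'   # assumption: XP-style profile path
)

$hives = @{
    # temporary key name -> hive file on the infected disk (same files the comment names)
    'HKLM\OFF_SOFTWARE' = "$InfectedRoot\System32\config\SOFTWARE"
    'HKLM\OFF_SYSTEM'   = "$InfectedRoot\System32\config\SYSTEM"
    'HKLM\OFF_USER'     = "$UserProfile\NTUSER.DAT"
}

# Classic autostart keys; Autoruns covers many more, these are the usual suspects.
$autostart = @(
    'HKLM:\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\OFF_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',   # Shell / Userinit
    'HKLM:\OFF_USER\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\OFF_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-OfflineAutostarts {
    # One object per value so the output can be filtered, sorted or exported.
    $results = @()
    foreach ($key in $autostart) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata
            # For Winlogon only report the values that actually launch something.
            if ($key -like '*Winlogon' -and (@('Shell','Userinit','Taskman') -notcontains $p.Name)) { continue }
            $results += [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    return $results
}

function Get-OfflineServices {
    # Services and drivers whose binary is outside the Windows folder deserve a second look.
    $cur = (Get-ItemProperty 'HKLM:\OFF_SYSTEM\Select' -Name Current).Current   # which ControlSet boots
    $ccs = 'HKLM:\OFF_SYSTEM\ControlSet{0:D3}\Services' -f $cur
    Get-ChildItem $ccs -ErrorAction SilentlyContinue | ForEach-Object {
        $img = (Get-ItemProperty $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img -and ($img -notmatch '(?i)system32|\\windows\\|systemroot')) {
            [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $img }
        }
    }
}

# Back up the hive files first; edits to them later are unforgiving.
foreach ($file in $hives.Values) { Copy-Item $file "$file.bak" -ErrorAction SilentlyContinue }

try {
    foreach ($entry in $hives.GetEnumerator()) {
        & reg.exe load $entry.Key $entry.Value | Out-Null      # same command the comment's REG.EXE approach uses
    }
    Get-OfflineAutostarts | Format-Table -AutoSize
    Get-OfflineServices   | Format-Table -AutoSize
}
finally {
    # Always unload, even on error, so the infected hives are not left mounted.
    foreach ($name in $hives.Keys) { & reg.exe unload $name | Out-Null }
}
```

Compare the listed commands against Autoruns output from a known-good machine; unfamiliar entries pointing at user-writable folders are the ones to investigate. The script only reads. Removing an entry means editing the offline hive with reg.exe or regedit while it is loaded, with the .bak copies the script made as the fallback, and after the reboot the author's advice still applies: run the in-system scanners too, because the hives loaded this way are seen as files by most scanners, not as the registry.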

Prevention easier than cleanup

"One obviously missing defensive tactic is running as a limited user, or, at the very least, using DropMyRights to run Internet facing applications with reduced rights."

Agreed. Least privilege is a must.

Next is default deny. Since Windows XP Home does not come with Software Restriction Policy via gpedit.msc, the next best thing is TrustNoExe (it's free) from this link:

http://beyondlogic.org/solutions/trust-no-exe/trust-no-exe.htm

The default setting is to allow no executable to run if not in folders C:\Windows and C:\Program Files. And a limited user cannot write in either of these folders.

fallback to an image backup

I'm not familiar with that product, but the idea seems good. Along those lines, I often use Online Armor from Tall Emu. It pops up a warning any time a new or modified program runs.

But neither of these products negates the most important point I was trying to make, to have a disk image backup (or two) to fall back on.