Badware 2011

Published: 2011-12-26
Last Updated: 2011-12-26 00:44:40 UTC
by Deborah Hale (Version: 1)
12 comment(s)


As 2011 draws to a close I am reflecting on the "compromised" computers that I have dealt with in the last few months.  In April I went to work for a company that is the IT Department for a number of small businesses in our area.  One of the things that I do is deal with machines that "are not working correctly".  The majority of the complaints were first identified by "security popups".  These were pretty easy ones to identify - AntiMalware 2011, AntiVirus 2011, and the latest one, Security System (vclean.exe).  In all of these cases the users said that they were on a website and clicked on a link or an image file, and that the computer immediately started popping up various messages about computer instability.  I have found that most infections of this type are easy to clean up; most required nothing more than Malwarebytes and a good anti-virus program.

Others have not been so easy.  I have dealt with several infected machines on which some or all of the files on the hard drive had been hidden.  These are the difficult ones to deal with.  Tools like ComboFix are required to even identify the infected files.  I have found several "tools" that have helped with the identification and removal.

I have also had several machines that were unable to install Windows updates.  The customer had no recollection of any virus infection - the updates just stopped working with a pretty generic error.  On the first machine I worked with Microsoft to attempt to figure out what was going on.  After several back-and-forth emails and following procedures provided by Microsoft, I discovered that the directory used to write temporary install files and install logs was "missing".  It looked like the directory had been deleted; however, if I searched for the file I would find older versions of the log files.  Continuing to investigate, I found with the attrib command that the directories and files had been set to hidden and read-only.  Running the UNHIDE.EXE tool returned the file structure to normal.  I ran the Windows updates again and all was well.  A virus scan and a Malwarebytes scan then detected and removed several malicious files.
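The hidden and read-only attributes described above can be checked and cleared without a third-party tool.  The following PowerShell script is an added example and is not part of the diary or of UNHIDE.EXE; it reports every item under the given paths that carries the Hidden or ReadOnly attribute and, with -Fix, clears those two bits while leaving everything else (System, Directory, Archive) alone.  The default paths, SoftwareDistribution and Temp under the Windows directory, are an assumption about where the "temp install files and install logs" live; the diary does not name the directory, so adjust them to match what Windows Update complained about.  The equivalent one-liner for the built-in tool is `attrib -h -r C:\Windows\SoftwareDistribution /s /d`, which is what UNHIDE.EXE effectively does across the whole volume, minus the before/after report.

```powershell
# Added example, not code from the diary.  Run from an elevated PowerShell prompt.
# Usage:  .\Find-HiddenReadOnly.ps1            (report only)
#         .\Find-HiddenReadOnly.ps1 -Fix       (report and clear Hidden/ReadOnly)
#         .\Find-HiddenReadOnly.ps1 -Paths 'D:\Users\deb' -Fix
param(
    # Assumed locations of the Windows Update working files; change as needed.
    [string[]]$Paths = @("$env:SystemRoot\SoftwareDistribution", "$env:SystemRoot\Temp"),
    [switch]$Fix
)

# Only these two bits are touched.  System, Directory, Archive etc. are preserved,
# so legitimately hidden system files (desktop.ini, pagefile.sys) keep their System flag
# and stay out of Explorer's default view even after a -Fix run.
$mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::ReadOnly

foreach ($root in $Paths) {
    if (-not (Test-Path -LiteralPath $root)) {
        # A directory that is really gone (not merely hidden) is a different problem:
        # Test-Path sees hidden directories, so this branch means the tree was deleted.
        Write-Warning "$root does not exist at all; it was removed, not hidden"
        continue
    }

    # -Force is required: without it Get-ChildItem silently skips exactly the
    # hidden items this script is looking for.  The root itself is checked too,
    # since the diary case was the *directory* being hidden.
    $items = @(Get-Item -LiteralPath $root -Force) +
             @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        if (($item.Attributes -band $mask) -eq 0) { continue }

        $before = $item.Attributes
        if ($Fix) {
            # Clear only Hidden and ReadOnly; -bnot inverts the mask so every other bit survives.
            $item.Attributes = $item.Attributes -band (-bnot $mask)
        }

        # Emit an object per affected path so the output can be piped to
        # Export-Csv and kept as a record of what the infection changed.
        [pscustomobject]@{
            Path   = $item.FullName
            Before = $before
            After  = $item.Attributes
            Fixed  = [bool]$Fix
        }
    }
}
```

Run it once without -Fix and save the report (`| Export-Csv changed-attributes.csv`) before changing anything: the list of paths the malware chose to hide is useful evidence for the follow-up anti-virus and Malwarebytes scans, and a read-only pass costs nothing.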

Some of the machines have not been so easy.  Cases where operating system files, network files, and other critical files had been altered are best handled by a format and reload.  Formatting and reloading requires that the customer have the original install CDs.

My goal for 2012 is to educate all of our small business customers on the importance of Windows Updates and having a good anti-virus program.  Having these two items goes a long way toward minimizing the number of "compromised" computers the customer will have to deal with.

Deb Hale

Keywords: badware


Would like to see some more details on what tools you have found that work in these malware situations.
I find that the best tool is a known-good system binary image that includes all the user's application programs, but not his data. I also run a nightly backup program to capture the time history of all the files on the machine. When malware strikes, I format the disk after making sure with the user that we saved anything critical that changed since the last nightly backup. Then I restore the image, update it with Microsoft as well as all the other application providers, and finally I restore all the user's data files from the most recent known-clean nightly backup copy. MORAL: The best antidote to infection is timely backup!
Oh yes, I forgot. After updating the restored image, but before restoring the user's data files, I make a fresh backup image. That way, the next time this happens, I have fewer updates to apply.
I have one user that gets whacked about once a month. :-(

We have an agreement now. When I restore her laptop, she owes me some delicacy that she has cooked. She is a very good cook. I don't know whether to encourage her to be more careful, or *LESS* careful! ;-)
@ Ben

Deb mentioned MalwareBytes in the diary entry, great tool:

Won't get into "Who's Best" in the never-ending A/V debate, but you can get a good idea for your own decision by reviewing this chart:
If you have "problem users," consider setting a disallowed-by-default Software Restriction Policy. Very powerful against both user slip-ups and exploit payloads.

In a business with 10 computers or less, Windows Home Server makes a nice automated backup/recovery solution. I recently reimaged my Win7/Office2010 system over a gigabit network in about 30 minutes (new disk drive), very straightforward.
I completely support the idea of reimaging a machine, instead of trying to rip out the malware. It's been my experience that even when the malicious software is removed, sometimes the machine just doesn't behave like normal anymore. The same energy spent fighting the malware can be spent reimaging, and the end result is a nice, clean PC, no temp files, no fragmentation on the disk...

Patching and AV are still absolutely critical, but once the malware gets in, I suggest we follow Ellen Ripley's advice - nuke the site from orbit, it's the only way to be sure.
For eight years, I have been "fighting the good fight" against malware, since before the automated tools such as ComboFix or Spybot S&D.

In the past, an extensive system "cleaning" would begin with the initial assessment (obvious characteristics of the infection, altered system files) and end with proper mitigation: obtaining the necessary AV fixes and manual clean-up of the system registry. Tackling a myriad of download Trojans, Sasser worms, rootkits, and maybe a couple of BIOS infestations has led me to one conclusion:

It takes more time to clean up an infected machine than to reimage it, or reload from scratch. Once a machine is reimaged/clean installed, there is certainty regarding the state of the operating system. The cheap and easy repair will result in unknown code left on a "cleaned" machine, possibly subject to further compromise. Remember, it is the behavior of the client that caused the infection.

What about the preloaded programs? Like any journeyman tradesman, I have every Office disk and Windows installation disk in existence, as well as a Microsoft TechNet subscription, which allows you to legally download media. If the client is without the key and the system appears legit (key code on the box, and the office is not corporate), I will pull it, or extract it from the dead machine.

For cleaning data, I have created single-purpose virus-scanning machines that are reimaged per job, using removable caddies on a running machine, with an antivirus that is aware of removable devices.

The best solution to avoid the infection dilemma, is proper training of co-workers, clients, friends and family on the dangers of identity theft, and the “real world” implications of simply clicking on something before you think.

Btw, I envy the corporate IT guys, who can enforce strict software and firewall policies. Java, please clean up your act. Java exploits are the most common as of late; it doesn't help that one of our Citrix remote tools requires it :(
Along with Windows patch management and an AV client that updates at least daily, common 3rd party apps need to be updated. Even being one Java version behind is now too risky to allow. Unfortunately, Java doesn't consistently auto-detect when new versions are needed.
I agree fully with techspace. I've done fierce and pitched battle with some of the nastier malware out there over the years and remain undefeated.
That doesn't mean I called the system clean afterward; I did such battle just to ascertain what the malware was trying to do and defeat it, to better intercept it in the future (and submit the novel sample to the antivirus vendors).
In each and every case, it was re-image/reload the system.
As for systems for cleaning, a virtual machine works well: scan and clean the documents, then restore the snapshot (making sure that snapshot has the most current antivirus and all software patches).
THAT all said, it's only a matter of time before someone DOES put a BIOS-based virus or worm out there in the wild; a proof of concept was displayed years ago.
