Badware 2011


As 2011 draws to a close I am reflecting on the "compromised" computers that I have dealt with in the last few months.  In April I went to work for a company that is the IT department for a number of small businesses in our area.  One of the things that I do is deal with machines that "are not working correctly".  The majority of the complaints were first noticed as "security popups".  These were pretty easy ones to identify: AntiMalware 2011, AntiVirus 2011, and the latest one, Security System (vclean.exe).  In all of these cases the users said that they were on a website and clicked on a link or an image file.  They said that the computer immediately started popping up various messages about computer instability.  I have found that most of these types of infections are easy to clean up; most required only Malwarebytes and a good anti-virus program.

Others have not been so easy.  I have dealt with several infected machines where some or all of the files on the hard drive had been hidden.  These are the difficult ones to deal with.  Tools like ComboFix are required even to identify the infected files.  I have found several "tools" that have helped with the identification and removal.

I have also had several machines that were unable to install Windows updates.  The customer had no recollection of any virus infection; the updates just stopped working with a pretty generic error.  On the first machine I worked with Microsoft to attempt to figure out what was going on.  After several back-and-forth emails and following procedures provided by Microsoft, I discovered that the directory used to write temporary install files and install logs was "missing".  It looked like the directory had been deleted; however, if I searched for the file names I would find older versions of the log files.  Continuing to investigate with the attrib command, I discovered that the directories and files had been changed to hidden and read-only.  Running the UNHIDE.EXE tool returned the file structure to normal.  I ran the Windows updates again and all was well.  A virus scan and a Malwarebytes scan then detected and removed several malicious files.

Some of the machines have not been so easy.  Cases where operating system files, network files, and other critical files had been altered are best handled by a format and reload.  Formatting and reloading requires that the customer have the original install CDs.

My goal for 2012 is to educate all of our small business customers on the importance of Windows Updates and having a good anti-virus program.  Having these two items goes a long way toward minimizing the number of "compromised" computers the customer will have to deal with.

Deb Hale


279 Posts
ISC Handler
Dec 26th 2011
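The attribute tampering described in the diary (files and folders flipped to hidden and read-only so that Windows Update and the user can no longer see them) can be inventoried and reverted with a few lines of PowerShell. This is an added example, not code from the diary or from UNHIDE.EXE; the default roots to sweep and the exclusion of System-flagged objects are assumptions, so adjust them to the machine in front of you.

```powershell
# Added example (not from the diary or from UNHIDE.EXE): find files and folders whose
# attributes match what the diary describes (Hidden and ReadOnly set, System not set)
# under the given roots, list them, and clear only those two bits when -Fix is given.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: roots worth sweeping on an affected machine. When run elevated,
    # $env:USERPROFILE is the admin's profile, so pass the user's profile explicitly.
    [string[]]$Root = @("$env:SystemRoot\SoftwareDistribution", $env:USERPROFILE),
    [switch]$Fix
)

$hidden   = [System.IO.FileAttributes]::Hidden
$readOnly = [System.IO.FileAttributes]::ReadOnly
$system   = [System.IO.FileAttributes]::System

function Test-Tampered([System.IO.FileSystemInfo]$Item) {
    # Hidden+ReadOnly without System: desktop.ini, thumbs.db and similar OS objects
    # normally carry the System bit as well, so they are left alone.
    $a = $Item.Attributes
    (($a -band $hidden) -eq $hidden) -and
    (($a -band $readOnly) -eq $readOnly) -and
    (($a -band $system) -ne $system)
}

# -Force is required; without it Get-ChildItem silently omits hidden items.
$suspects = @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
              Where-Object { Test-Tampered $_ })

Write-Output ("{0} hidden+read-only object(s) found under: {1}" -f $suspects.Count, ($Root -join ', '))
$suspects | Select-Object FullName, Attributes, LastWriteTime | Format-Table -AutoSize

if ($Fix) {
    foreach ($item in $suspects) {
        if ($PSCmdlet.ShouldProcess($item.FullName, 'Clear Hidden and ReadOnly')) {
            # Mask off the two bits and keep everything else (Archive, Directory, ...) as it was.
            $mask = -bnot [int]($hidden -bor $readOnly)
            $item.Attributes = [System.IO.FileAttributes]([int]$item.Attributes -band $mask)
        }
    }
}
```

Run it from an elevated prompt; `-Fix -WhatIf` previews what would be changed without touching anything. If a particular sample also sets the System bit, drop the System test in Test-Tampered.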
Would like to see some more details on what tools you have found that work in these malware situations.
I find that the best tool is a known-good system binary image that includes all the user's application programs, but not his data. I also run a nightly backup program to capture the time history of all the files on the machine. When malware strikes, I format the disk after making sure with the user that we saved anything critical that changed since the last nightly backup. Then I restore the image, update it with Microsoft as well as all the other application providers, and finally I restore all the user's data files from the most recent known-clean nightly backup copy. MORAL: The best antidote to infection is timely backup!

133 Posts
Oh yes, I forgot. After updating the restored image, but before restoring the user's data files, I make a fresh backup image. That way, the next time this happens, I have fewer updates to apply.

133 Posts
I have one user that gets whacked about once a month. :-(

We have an agreement now. When I restore her laptop, she owes me some delicacy that she has cooked. She is a very good cook. I don't know whether to encourage her to be more careful, or *LESS* careful! ;-)

133 Posts
@ Ben

Deb mentioned MalwareBytes in the diary entry, great tool:

Won't get into "Who's Best" in the never-ending A/V debate, but you can get a good idea for your own decision by reviewing this chart:

160 Posts
If you have "problem users," consider setting a disallowed-by-default Software Restriction Policy. Very powerful against both user slip-ups and exploit payloads.

In a business with 10 computers or less, Windows Home Server makes a nice automated backup/recovery solution. I recently reimaged my Win7/Office2010 system over a gigabit network in about 30 minutes (new disk drive), very straightforward.
12 Posts
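To confirm that a disallowed-by-default Software Restriction Policy is actually in force on a machine (rather than just set in a GPO that never applied), the following PowerShell reads the machine-wide Safer policy from the registry. It is an added example, not the commenter's own code; the key layout and level values are given from memory as an assumption, and the script reports the policy as not configured when the key is absent.

```powershell
# Added example (not from the comment's author): audit the machine-wide Software
# Restriction Policy and report whether its default level is Disallowed.
# Assumption: the Safer policy keys are laid out as Group Policy writes them
# (CodeIdentifiers with DefaultLevel/PolicyScope, per-level Paths\{GUID} rules with ItemData).
$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as stored in DefaultLevel; the same numbers name the per-level subkeys.
$levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpSummary {
    if (-not (Test-Path $srpKey)) {
        return [pscustomobject]@{ Configured = $false; DefaultLevel = 'none'
                                  DefaultIsDisallowed = $false; AppliesToAdmins = $false; Rules = @() }
    }
    $cfg   = Get-ItemProperty -Path $srpKey
    $level = [int]$cfg.DefaultLevel
    $name  = if ($levels.ContainsKey($level)) { $levels[$level] } else { "unknown ($level)" }

    # Path rules under each level show where the default is overridden (e.g. allowed program dirs).
    $rules = @(foreach ($lvl in $levels.Keys) {
        $pathsKey = Join-Path $srpKey "$lvl\Paths"
        if (Test-Path $pathsKey) {
            foreach ($rule in Get-ChildItem -Path $pathsKey) {
                $p = Get-ItemProperty -Path $rule.PSPath
                [pscustomobject]@{ Level = $levels[$lvl]; Path = $p.ItemData }
            }
        }
    })

    [pscustomobject]@{
        Configured          = $true
        DefaultLevel        = $name
        DefaultIsDisallowed = ($level -eq 0)
        # PolicyScope 0 applies to everyone including administrators; 1 exempts local admins.
        AppliesToAdmins     = ([int]$cfg.PolicyScope -eq 0)
        Rules               = $rules
    }
}

$summary = Get-SrpSummary
$summary | Select-Object Configured, DefaultLevel, DefaultIsDisallowed, AppliesToAdmins | Format-List
$summary.Rules | Format-Table -AutoSize
```

A healthy "problem user" setup shows DefaultIsDisallowed true with only the Windows and Program Files directories listed as Unrestricted path rules; anything broader (a user-writable folder at Unrestricted) is a gap worth closing.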
I completely support the idea of reimaging a machine, instead of trying to rip out the malware. It's been my experience that even when the malicious software is removed, sometimes the machine just doesn't behave like normal anymore. The same energy spent fighting the malware can be spent reimaging, and the end result is a nice, clean PC, no temp files, no fragmentation on the disk...

Patching and AV are still absolutely critical, but once the malware gets in, I suggest we follow Ellen Ripley's advice - nuke the site from orbit, it's the only way to be sure.

9 Posts
For eight years, I have been “fighting the good fight” against malware, since before automated tools such as ComboFix or Spybot S&D.

In the past, an extensive system “cleaning” would begin with the initial assessment (obvious characteristics of the infection, altered system files) and end with proper mitigation: obtaining the necessary AV fixes and manual clean-up of the system registry. Tackling a myriad of download Trojans, Sasser worms, rootkits, and maybe a couple of BIOS infestations has led me to one conclusion:

It takes more time to clean up an infected machine than to reimage it, or reload from scratch. Once a machine is reimaged /clean installed, there is certainty regarding the state of the operating system. The cheap and easy repair will result in unknown code left on a “cleaned” machine, possibly subject to further compromise. Remember, it is the behavior of the client that caused the infection.

What about the preloaded programs? As any journeyman tradesman, I have every Office disk and Windows installation disk in existence, as well as a Microsoft TechNet subscription, which allows you to legally download media. If the client is without the key, and the system appears legit (key code on the box, and the Office is not corporate), I will pull it, or extract it from the dead machine.

For cleaning data, I have created single purpose virus scanning machines that are reimaged per job; using removable caddies on a running machine, with an antivirus that is aware of removable devices.

The best solution to avoid the infection dilemma, is proper training of co-workers, clients, friends and family on the dangers of identity theft, and the “real world” implications of simply clicking on something before you think.

Btw, I envy the corporate IT guys, who can enforce strict software and firewall policies. Java, please clean up your act. Java exploits are the most common as of late; it doesn’t help that one of our Citrix remote tools requires it :(
1 Posts
Along with Windows patch management and an AV client that updates at least daily, common 3rd-party apps need to be updated. Even being one Java version behind is now too risky to allow. Unfortunately, Java doesn't consistently auto-detect when new versions are needed.

5 Posts
I agree fully with techspace. I've done fierce and pitched battle with some of the nastier malware out there over the years and remain undefeated.
That doesn't mean I called the system clean after, I did such battle just to ascertain what the malware was trying to do and defeated it, to better intercept it in the future (and submit that novel sample to the antivirus vendors).
In each and every case, it was re-image/reload the system.
As for systems for cleaning, a virtual machine works well: scan and clean the documents, then restore the snapshot (making sure that snapshot has the most current antivirus and all software patches).
THAT all said, it's only a matter of time before someone DOES put a BIOS-based virus or worm out there in the wild; a proof of concept was displayed years ago.

8 Posts
Multi-layer protection is the best way.
Two tools I am so glad that the SANS Analyst in the Family told me about are: one I already had, which is Xmarks, and the one he told me about after Sunday dinner in October 2010 by asking me, "Uncle Bud? Are you saving your passwords in Firefox?"
And I said, "Yes, Stephen."
He replied, "I want you to try LastPass."
I asked him if it was available at SourceForge. He said it might be.
And that was the end of it until I got home and searched for it.
Best tip I ever got!
I had already got him some anti-malware tools for his machine and his dad's and sisters' machines, plus an introduction to Acronis.
He was a bit giddy after he saw Acronis restore an image backup.

Looking forward to the next generation of hardware-based anti-malware in a CPU or on a motherboard itself. That would be great.

I like that my Current A/V scans all downloads for bugs upon completion of the download.

64 years old and retired !

If your problem users do not need to run an Administrator account, then putting them on a Limited account would prevent them from running and installing executables without admin approval.
20 Posts
I work in a large environment with many, many types of images. In addition, we don't have enough desktop staff to re-image infected PCs unless I can't get them going reliably. We have good AV, filtering, and firewalls. I've been cleaning up PCs for seven years, and I'm always looking for vectors or compromised websites. When I find them, I can usually put them in our HOSTS file or sometimes just have it blocked on our firewall or even on our filter. That's three ways to make sure it stays clean--because it's the user, not the machine. It's wearying to have something re-imaged and then it gets infected again in a week. Argh. My basic theory is to use a lot of notifications, prevention and blocking. We also occasionally use MalwareBytes to check to see if I got enough of it. It takes me an average of 20 min now where it used to take 5-10 min, and things are harder to clean sometimes. Progress in malware, I guess.
1 Posts
