As 2011 draws to a close I am reflecting on the "compromised" computers that I have dealt with in the last few months. In April I went to work for a company that is the IT Department for a number of small businesses in our area. One of the things that I do is deal with machines that "are not working correctly". The majority of the complaints were first identified with "Security Popups". These were pretty easy ones to identify - AntiMalware 2011, AntiVirus 2011, and the latest one Security System (vclean.exe). In all of these cases the users said that they were on a website and clicked on a link or an image file. They said that the computer immediately started popping up with various messages about computer instability. I have found that most of these types of infections are easy to clean up, and most required only Malwarebytes and a good anti-virus program to clean them up. Some of the machines have not been so easy. Cases where operating system files, network files, and other critical files have been altered are best handled by a format and reload. Formatting and reloading requires that the customer have the original install CDs. My goal for 2012 is to educate all of our small business customers on the importance of Windows Updates and having a good anti-virus program. Having these two items goes a long way in minimizing the number of "compromised" computers the customer will have to deal with. Deb Hale
Deborah 279 Posts ISC Handler Dec 26th 2011
Would like to see some more details on what tools you have found that work in these malware situations.
Thanks, Ben
Anonymous
Dec 26th 2011
I find that the best tool is a known-good system binary image that includes all the user's application programs, but not his data. I also run a nightly backup program to capture the time history of all the files on the machine. When malware strikes, I format the disk after making sure with the user that we saved anything critical that changed since the last nightly backup. Then I restore the image, update it with Microsoft as well as all the other application providers, and finally I restore all the user's data files from the most recent known-clean nightly backup copy. MORAL: The best antidote to infection is timely backup!
Moriah 133 Posts
Dec 26th 2011
Oh yes, I forgot. After updating the restored image, but before restoring the user's data files, I make a fresh backup image. That way, the next time this happens, I have fewer updates to apply.
Moriah 133 Posts
Dec 26th 2011
I have one user that gets whacked about once a month.
We have an agreement now. When I restore her laptop, she owes me some delicacy that she has cooked. She is a very good cook. I don't know whether to encourage her to be more careful, or *LESS* careful!
Moriah 133 Posts
Dec 26th 2011
@ Ben
Deb mentioned Malwarebytes in the diary entry, great tool:
- https://malwarebytes.org/products/malwarebytes_free
Won't get into "Who's Best" in the never-ending A/V debate, but you can get a good idea for your own decision by reviewing this chart:
- http://www.virusbtn.com/vb100/latest_comparative/index
Jack 160 Posts
Dec 26th 2011
If you have "problem users," consider setting a disallowed-by-default Software Restriction Policy. Very powerful against both user slip-ups and exploit payloads.
In a business with 10 computers or less, Windows Home Server makes a nice automated backup/recovery solution. I recently reimaged my Win7/Office2010 system over a gigabit network in about 30 minutes (new disk drive), very straightforward.
Jack 12 Posts
Dec 26th 2011
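Jack's disallowed-by-default Software Restriction Policy, as an added example that is not from the thread: it writes the local-policy registry values that the Group Policy SRP editor uses (the Safer\CodeIdentifiers layout is quoted from memory, so check it on a test VM before rolling it out) and assumes an elevated Windows PowerShell on the client. User-writable folders are deliberately left out of the allow list, which is what stops the "clicked on a link" payloads.

```powershell
# Added example, not from the thread. Assumes an elevated Windows PowerShell
# on a test VM; the key layout is the one the SRP Group Policy editor writes.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $base -Force | Out-Null

# DefaultLevel 0 = Disallowed: anything not matched by an Unrestricted rule
# (below) is refused at process creation.
Set-ItemProperty -Path $base -Name DefaultLevel -Value 0 -Type DWord
# TransparentEnabled 1 = enforce on executables but not DLLs. Raising it to 2
# covers DLLs too, but breaks many applications; test before using it.
Set-ItemProperty -Path $base -Name TransparentEnabled -Value 1 -Type DWord
# PolicyScope 1 = all users except local administrators, so the person doing
# the cleanup can still run tools while the policy is active.
Set-ItemProperty -Path $base -Name PolicyScope -Value 1 -Type DWord

# Unrestricted path rules live under the 262144 (0x40000) subkey. Only the
# locations where installed, trusted code lives are listed; %TEMP%, the
# browser download folder and the user profile are intentionally absent.
$allowed = @(
    '%SystemRoot%',
    '%ProgramFiles%',
    '%ProgramFiles(x86)%'
)
foreach ($path in $allowed) {
    # Each rule is a GUID-named subkey with the path in ItemData.
    $rule = Join-Path $base "262144\Paths\$([guid]::NewGuid().ToString('B'))"
    New-Item -Path $rule -Force | Out-Null
    Set-ItemProperty -Path $rule -Name ItemData    -Value $path -Type ExpandString
    Set-ItemProperty -Path $rule -Name SaferFlags  -Value 0     -Type DWord
    Set-ItemProperty -Path $rule -Name Description -Value "Allow $path" -Type String
}

# Read back what was written so the policy can be reviewed before a reboot.
Get-ItemProperty -Path $base | Select-Object DefaultLevel, TransparentEnabled, PolicyScope
Get-ChildItem -Path "$base\262144\Paths" |
    ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
```

Log off or reboot before testing, and keep an administrator session open until the policy is confirmed, since PolicyScope=1 is the only thing exempting local administrators from the default-deny.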
I completely support the idea of reimaging a machine, instead of trying to rip out the malware. It's been my experience that even when the malicious software is removed, sometimes the machine just doesn't behave like normal anymore. The same energy spent fighting the malware can be spent reimaging, and the end result is a nice, clean PC, no temp files, no fragmentation on the disk...
Patching and AV are still absolutely critical, but once the malware gets in, I suggest we follow Ellen Ripley's advice - nuke the site from orbit, it's the only way to be sure.
Eli 9 Posts
Dec 27th 2011
For eight years, I have been “fighting the good fight” against malware, since before automated tools such as ComboFix or Spybot S&D.
In the past, an extensive system “cleaning” would begin with the initial assessment (obvious characteristics of the infection, altered system files) and end with proper mitigation: obtaining the necessary AV fixes and manual cleanup of the system registry. Tackling a myriad of download Trojans, Sasser worms, rootkits, and maybe a couple of BIOS infestations has led to one conclusion: it takes more time to clean up an infected machine than to reimage it, or reload from scratch. Once a machine is reimaged or clean-installed, there is certainty regarding the state of the operating system. The cheap and easy repair will result in unknown code left on a “cleaned” machine, possibly subject to further compromise. Remember, it is the behavior of the client that caused the infection. What about the preloaded programs? Like any journeyman tradesman, I have every Office and Windows installation disk in existence, as well as a Microsoft TechNet subscription, which allows you to legally download media. If the client is without the key and the system appears legit (key code on the box, and the office is not corporate), I will pull it, or extract it from the dead machine. For cleaning data, I have created single-purpose virus-scanning machines that are reimaged per job, using removable caddies on a running machine with an antivirus that is aware of removable devices. The best solution to avoid the infection dilemma is proper training of co-workers, clients, friends and family on the dangers of identity theft, and the “real world” implications of simply clicking on something before you think. Btw, I envy the corporate IT guys, who can enforce strict software and firewall policies. Java, please clean up your act. Java exploits are the most common as of late; it doesn’t help that one of our Citrix remote tools requires it :(
Eli 1 Posts
Dec 27th 2011
Along with Windows patch management and an AV client that updates at least daily, common 3rd party apps need to be updated. Even being one Java version behind is now too risky to allow. Unfortunately, Java doesn't consistently auto-detect when new versions are needed.
Gary 5 Posts
Dec 27th 2011
I agree fully with techspace. I've done fierce and pitched battle with some of the nastier malware out there over the years and remain undefeated.
That doesn't mean I called the system clean after; I did such battle just to ascertain what the malware was trying to do and defeated it, to better intercept it in the future (and submit that novel sample to the antivirus vendors). In each and every case, it was re-image/reload the system. As for systems for cleaning, a virtual machine works well: scan and clean the documents, then restore the snapshot (making sure that snapshot is with the most current antivirus and all software patches). THAT all said, it's only a matter of time before someone DOES put a BIOS-based virus or worm out there in the wild; it was a proof of concept displayed years ago.
Wzrd1 8 Posts
Dec 27th 2011
Multi-layer protection is the best way.
Two tools I am so glad that the SANS Analyst in the Family told me about are: one I already had, which is Xmarks, and the one he told me about after Sunday dinner in October 2010 by asking me, “Uncle Bud? Are you saving your passwords in Firefox?” And I said, “Yes, Stephen.” He replied, “I want you to try LastPass.” I asked him if it was available at SourceForge; he said it might be. And that was the end of it until I got home and searched for it. Best tip I ever got! I had already got him some anti-malware tools for his machine and his dad's and sister's machines, plus an introduction to Acronis. He was a bit giddy after he saw Acronis restore an image backup. Looking forward to the next generation of hardware-based anti-malware in a CPU or on a motherboard itself; that would be great. I like that my current A/V scans all downloads for bugs upon completion of the download. 64 years old and retired!
Ol'Bud
PS. If your problem users do not need to run an Administrator account, then putting them on a Limited Account would prevent them from running and installing executables without admin approval.
Wzrd1 20 Posts
Dec 28th 2011
I work in a large environment with many, many types of images. In addition, we don't have enough desktop staff to re-image infected PCs unless I can't get them going reliably. We have good AV, filtering, and firewalls. I've been cleaning up PCs for seven years, and I'm always looking for vectors or compromised websites. When I find them, I can usually put them in our HOSTS file, or sometimes just have them blocked on our firewall or even on our filter. That's three ways to make sure it stays clean, because it's the user, not the machine. It's wearying to have something re-imaged and then it gets infected again in a week. Argh. My basic theory is to use a lot of notifications, prevention and blocking. We also occasionally use Malwarebytes to check to see if I got enough of it. It takes me an average of 20 min now where it used to take 5-10 min, and things are harder to clean sometimes. Progress in malware, I guess.
Wzrd1 1 Posts
Dec 28th 2011