Bleepin' malware...

Monopoly money comes in many flavors: 7, Vista, XP, 2K, ME, 98, etc.

Moderators: Flying Fox, Ryu Connor

Bleepin' malware...

Postposted on Sat Apr 23, 2011 10:09 am

So I just got done cleaning off my father's PC. He had one of those "fake anti-virus" things (Internet Protection Firewall), and a couple of other questionable ones as well (Paretologic PC Health Advisor, and Advanced Registry Optimizer). System was totally bogged down, and he was getting nag messages from IPF telling him he was infected with all sorts of other crap, to try and get him to pay their "protection" money.

Nuked 'em all, ran Malwarebytes, got him up-to-date on patches, and installed MSE.

Guess we need to have another talk about installing random crap off the Internet...
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37737
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Bleepin' malware...

Postposted on Sat Apr 23, 2011 10:36 am

But it scans the links and says internet is secure :confused:

Funny thing is that if you don't do silly stuff you can live without AV software just fine.
Core 2 Duo E6300, MSI P45 NEO-F, Club 3D GTX 260, 4Gb DDR2-800Mhz, Audigy X-Fi Fatal1ty Champ1on ed., 0.5Tb+1Tb Seagate Barracuda 7200.12, 630W AXP, Samsung SyncMaster BX2450, ViewSonic VP171b
Madman
Minister of Gerbil Affairs
 
Posts: 2317
Joined: Tue Apr 01, 2003 4:55 am
Location: Latvia

Re: Bleepin' malware...

Postposted on Sat Apr 23, 2011 10:39 am

I'm a bit surprised you did a "clean up" rather than a total wipe. In these situations I usually format the hard drive and start fresh; safer and (potentially) less irritating.
Suspenders
Gerbil
 
Posts: 29
Joined: Wed Jun 18, 2008 3:30 pm

Re: Bleepin' malware...

Postposted on Sat Apr 23, 2011 11:02 am

Yeah, wipe and reinstall was an option. But since Malwarebytes seemed to have no trouble getting things cleaned up I figured it was worth it to not have to reinstall all his other stuff. Not sure he even knows where the install media is for all his other software...
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37737
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Bleepin' malware...

Postposted on Sat Apr 23, 2011 12:06 pm

Suspenders wrote: I'm a bit surprised you did a "clean up" rather than a total wipe. In these situations I usually format the hard drive and start fresh; safer and (potentially) less irritating.

Actually, it's safer, but the approach most applications choose to save their data makes sure you can't just reformat the HDD.

There is application data in C:\AppData\, C:\Program Files\, My Documents, c:\%userprofiles%\appdata, registry, C:\program files\common files\, c:\windows etc.

For the last few formats I've found that the only way you can be sure you have all your previous data intact is to uninstall everything, clone the HDD to a VHD, and then back it up, so that one month later you can get, say, your Outlook folder that wasn't copied properly out of their Program Files directory or something.

Reformatting is a nightmare nowadays if you care for the data.
Madman
Minister of Gerbil Affairs
 
Posts: 2317
Joined: Tue Apr 01, 2003 4:55 am
Location: Latvia

Re: Bleepin' malware...

Postposted on Sat Apr 23, 2011 12:15 pm

I would use another RootKit scanner in safe mode just to be sure. Or it may really be NFO time.
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
Flying Fox
Gerbil God
 
Posts: 24440
Joined: Mon May 24, 2004 2:19 am

Re: Bleepin' malware...

Postposted on Sat Apr 23, 2011 12:23 pm

Madman wrote: Reformatting is a nightmare nowadays if you care for the data.

IMO it is actually *less* of a nightmare than it used to be, since most newer apps tend to store their data in the "Documents and Settings" area by default. This is more like how *NIX does things (all user files in the /home area).

Flying Fox wrote: I would use another RootKit scanner in safe mode just to be sure. Or it may really be NFO time.

Yeah, I plan to do a rootkit scan as well. But it looks like most of the alleged malware was actually fake stuff that IPF was reporting just to try and get the user to pay for their "product". :roll:

I find the name "Internet Protection Firewall" somewhat amusing, given that the product's only purpose is to get people to pay "protection" money. Maybe the scammers actually had a sense of humor...
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37737
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Bleepin' malware...

Postposted on Sat Apr 23, 2011 12:49 pm

re Madman,
I agree, it can certainly be quite a nightmare because of where application data gets saved, but there's little choice if you want to use your computer afterwards for, e.g., doing your banking online.

For myself this problem is greatly mitigated by using mostly portable apps and saving files and things I'm working on in one location to make backups easier. Still, things like user configurations, game save files and the like get obliterated unless I make a point of looking for those files and backing them up before any reformat.
Suspenders
Gerbil
 
Posts: 29
Joined: Wed Jun 18, 2008 3:30 pm

Re: Bleepin' malware...

Postposted on Sat Apr 23, 2011 2:44 pm

Most of the scam security products I encounter are really easy to remove as they're just using local user privs and running an app from the HKCU standard startup key. Sometimes they're even more simple to remove as they allow Task Manager to kill them :)

I do plenty of checks afterwards, and on XP you've got to tread more carefully as sometimes the malware detects XP and uses the almost-standard-admin privs to wreak havoc (commonly in the boot sector), but I haven't seen a piece of malware get more than just user privs on Vista/7 in quite a while.

The odd thing is, the first scam security product I encountered (on XP) was a real bugger to remove, and instead of the usual arms race I would expect between the good and bad guys resulting in more complex techniques being used, the malware designers IMO have just gotten sloppy. Having said that, I think the anti-virus companies have gotten sloppy as well, because if all it takes is safe mode (sometimes not even that), an executable rename and a registry key deletion to stop it, then why the hell haven't the AV companies caught up? I've seen every popular AV scanner / Internet security product get taken out by the scam security product. I just don't get it. Surely malware before the era of scam security products was trying the same tactics.

There's a scam security product doing the rounds on XP at the moment that deletes the Automatic Updates service, but forcing the windows update agent install on it fixes that.

I advise customers that since I can't prove that malware isn't still on the machine and is just being extra-sneaky, that a data backup and clean install is the only way to be sure, but I think (at least in my line of work) it's important to "keep my hand in" and get some practice in detecting and removing these threats.
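The removal pattern described in the post above (a scam "security product" running as the logged-on user from the standard HKCU startup key) is also the easiest one to spot on a machine you are triaging. The following PowerShell script is an added example, not code from the thread or from any product named in it: it lists the per-user and machine-wide Run/RunOnce entries and flags any whose executable lives in a location a standard user can write to, or whose executable no longer exists (a leftover from an earlier cleanup or rename). It assumes Windows PowerShell 5.1 or later on Windows, run as the affected user so that HKCU is the right hive, and ideally from an elevated prompt so HKLM reads completely.

```powershell
# Added example (not from the thread): inspect Run/RunOnce autostart entries and flag
# the "runs from a user-writable path" pattern typical of scam security products.
# Assumes Windows PowerShell 5.1+ on Windows; run as the affected user (HKCU is per-user).

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Locations a standard user can write to without admin rights. A properly installed
# application rarely autostarts from here; user-privilege malware almost always does.
$userWritableRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:USERPROFILE) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-ExecutablePath {
    param([string]$Command)
    # Strip arguments: take the quoted first token, or the text up to the first space.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-UserWritableLocation {
    param([string]$Path)
    $p = [Environment]::ExpandEnvironmentVariables($Path).ToLowerInvariant()
    foreach ($root in $userWritableRoots) {
        if ($p.StartsWith($root)) { return $true }
    }
    return $false
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $command  = [string]$item.GetValue($name)
        $exe      = Get-ExecutablePath $command
        $expanded = [Environment]::ExpandEnvironmentVariables($exe)
        [pscustomobject]@{
            Key          = $key
            Name         = $name
            Command      = $command
            Executable   = $expanded
            Exists       = (Test-Path -LiteralPath $expanded -PathType Leaf)
            UserWritable = (Test-UserWritableLocation $expanded)
        }
    }
}

# Full listing first, then only the entries worth a closer look.
$findings | Sort-Object UserWritable -Descending | Format-Table -AutoSize
"--- Entries launched from a user-writable path, or pointing at a missing file ---"
$findings | Where-Object { $_.UserWritable -or -not $_.Exists } | Format-List
```

The heuristic is deliberately narrow: it does not touch anything, it only reports. A flagged entry is a starting point for the checks the post describes (kill the process, rename the executable, delete the value, then rescan), and an entry that points at a missing file is worth removing anyway so the next logon does not try to run it.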
mikeymike
Gerbil Elite
 
Posts: 635
Joined: Wed Jan 27, 2010 6:09 am

Re: Bleepin' malware...

Postposted on Sat Apr 23, 2011 4:46 pm

Speaking of rootkits... what do people generally use to scan for them these days? The original RootkitRevealer is getting a bit long in the tooth; do newer rootkits have countermeasures that prevent it from detecting them?
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37737
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Bleepin' malware...

Postposted on Sat Apr 23, 2011 5:32 pm

just brew it! wrote: Speaking of rootkits... what do people generally use to scan for them these days? The original RootkitRevealer is getting a bit long in the tooth; do newer rootkits have countermeasures that prevent it from detecting them?

Stuxnet.
Life is hard; but it's harder if you're stupid. Big Al.
Captain Ned
Global Moderator
Gold subscriber
 
 
Posts: 20311
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Bleepin' malware...

Postposted on Sat Apr 23, 2011 5:50 pm

This blog has a few very interesting investigations:
http://blogs.technet.com/b/markrussinovich/

But the general rule is:
If malware had admin access any time during its lifetime
If malware uses any sort of zero day vulnerability

The system might be toast.

This is probably also the reason why I absolutely despise the current practice of software phoning home. The systems are super complex, work with admin privileges a lot of the time, and generate gigs of background traffic. Computing has gone so far that you can't trust your PC anymore.

Have any of you run security audit tools on your systems recently? I tried once, and the conclusion was, oh F* it, there is no way one person can understand how safe their PC is in a lifetime. There are millions of registry entries under HKLM that are guest writable, that do millions of different things; you just can't protect your PC anymore.

And yea, I think I read somewhere that a few rootkits are not picked up with RootkitRevealer.

One thing you might do to verify if the spyware is safe to just delete is to find what it is, disassemble it, see what it does, and clean what it did. That will take a year or so. So.... Meh...
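The point about writable HKLM entries can be narrowed down to something one person can actually check: the handful of machine-wide autostart keys where a write by a low-privilege principal would let code persist without ever holding admin rights. The script below is an added example, not code from the thread or from any tool it mentions. It reads the ACL of each listed key and reports any Allow entry that grants a modifying right (set value, create subkey, delete, change permissions, take ownership) to Everyone, Users, Authenticated Users, INTERACTIVE or Guests. It assumes Windows PowerShell 5.1 or later on Windows and an elevated prompt so every key's security descriptor is readable; the list of keys and principals is an assumption you can extend.

```powershell
# Added example (not from the thread): report machine-wide autostart keys whose ACL lets a
# low-privilege principal change them. Assumes Windows PowerShell 5.1+ on Windows, run elevated.

$keysToAudit = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
)

# Principals that should never be able to modify a machine-wide autostart key.
$lowPrivilegePrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'BUILTIN\Guests',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that amount to "can change what runs at logon". ReadKey-style bits are left out
# on purpose so that a plain read-only ACE is not reported.
$modifyRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                [System.Security.AccessControl.RegistryRights]::Delete -bor
                [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Get-WeakRegistryAce {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return }
    $acl = Get-Acl -Path $Key
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivilegePrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.RegistryRights -band [int]$modifyRights) -eq 0) { continue }
        [pscustomobject]@{
            Key       = $Key
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

$weak = foreach ($k in $keysToAudit) { Get-WeakRegistryAce -Key $k }
if ($weak) {
    "Low-privilege principals with modify rights on autostart keys:"
    $weak | Format-Table -AutoSize
} else {
    "No low-privilege principal holds modify rights on the audited keys."
}
```

On a default installation this should print the "no weak ACE" line; a hit usually means an installer or a previous "fix" loosened the key, and the remedy is to restore the inherited permissions rather than to hunt for what used the opening. The same function can be pointed at any other key you consider security-relevant (service configuration, Image File Execution Options) by adding it to the list.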
Madman
Minister of Gerbil Affairs
 
Posts: 2317
Joined: Tue Apr 01, 2003 4:55 am
Location: Latvia

Re: Bleepin' malware...

Postposted on Sun Apr 24, 2011 2:12 am

RootKitRevealer hasn't picked up anything in ages for me.

I top off any malware disinfection routine with a full MLB, assuming that I found and disabled the original symptom and any other typical symptoms I look for. If a malware infection has managed to evade my usual tactics, as well as taking the machine home, disconnecting the disk and scanning it on my own machine with anti-virus and MLB and I've had zero or only partial success in removing it, I tend to recommend a reinstall to any customer at that point. My logic being, if it has exhausted most of my usual tactics and I've spent quite a while on it already, then how much longer do I need to spend to be confident that it is then malware-free, or whether I can actually be confident in my work at that point.

Madman wrote: But the general rule is:
If malware had admin access any time during its lifetime
If malware uses any sort of zero day vulnerability

The system might be toast.


I don't know about your experiences of dealing with malware*, but IMO a lot of customers refuse to admit that they realise they did something wrong**. Based on that, it's very difficult to answer either of those questions, and I think my customers would look elsewhere if I started handing out reinstalls like expensive parking tickets with the added annoyance of losing settings and "how things worked". I think my reinstall price is quite reasonable (£60), which includes bringing the computer back and setting it up on-site, and IMO it's a subsidised service. There's also the fact that I would have to spend some time attempting to remove the malware before going for the 'nuke it from orbit' strategy, either I have to give that attempted service away for free or it becomes an expensive malware removal job.

* - I'm not meaning to devalue your experience with this comment btw.

** - Yes, I realise that a lot of malware gets through purely via software vulnerabilities, and I've seen demonstrations where there isn't any outward sign that a malware infection just took place.
mikeymike
Gerbil Elite
 
Posts: 635
Joined: Wed Jan 27, 2010 6:09 am
