Saturday, May 9, 2009

WoT primer #1: easy no-nonsense malware removal.

The first of an anticipated motley of Wall of Text™ primers concerning anything that might interest me that also might interest you (because face it, there's a glut of so-called "obscurities" on blogs such as this, and being the industrious off-the-internet bastard that I am, I cannot be possibly searching all the time for interesting stuff that other people haven't shared much) - and today, it's about -you guessed it- manual malware removal.

I am of the opinion that antiviruses are much more trouble than they're worth, because half (or most) of the time they're fairly ineffective at detecting halfway decent headaches spread commonly through infected USB drives and/or idiotic internet surfing. Resource hogs, the lot of them, too - even on today's phenomenally powerful computers, orders of magnitude faster than my aging ones. Long first-hand experience with other people's cases made me write this guide for myself (and for other interested people) should I somehow forget wtf I am doing in the middle of a job. This guide is primarily for infested XP systems, but the concepts should apply to virtually any other desktop environment.

Firstly, the ingredients of a perfect meal.
1.) A working brain. If you haven't any, GTFO my page; I can't help but profit from your glaring stupidity if you refuse to. There's the greater internet for terms I'm using that you may not understand at first; if you know not how to use it, I can't help you.
2.) Some software that shows you in detail the running processes of your system and their loaded libraries (Process Explorer is the easiest to obtain, get it here).
3.) Some software that lets you kill individual aspects of running processes (even hidden ones). Process Explorer can terminate processes but not their constituent DLLs - this will be problematic - so for alternatives I got myself IceSword (a Chinese antirootkit tool. Information here or here, author's blog in Chinese here and additional download page here).
4.) HijackThis does "nothing", but it sure is helpful to know what it purportedly detects. Good for error-checking. And removing malevolent registry entries.
5.) The default task manager (for ANY windows OS at least) is useless for almost every infestation and besides most malware hide themselves from this and/or disable it entirely along with other administrative functions. Needed only if the system is almost or already clean.
6.) The command prompt for your system, however, might be of some use provided it's not disabled as well.
7.) Internets. For information gathering ("is this file spyware? or this? or this?"). To be disconnected when attempting to cleanse the system.


Now malware removal isn't a cut-and-dried science even if most antivirus products would have you believing otherwise.

I. Some of those are fairly easy to recognize:
-- a suspiciously named executable or library that may or may not take after a legitimate system process (scvhost.exe instead of svchost.exe),
-- an executable or library that appears to be legitimate yet loaded from some other directory where it shouldn't be (an svchost.exe file from c:\ instead of the usual system32 directory)
-- a bunch of files and folders exhibiting the same filesize apparently 'overwritten' by some worm (most of the time what you've seen is just the worm; the real files and folders were simply hidden by it)
-- one or more of the types above (and below) set with 'read-only', 'hidden' and/or 'system' attributes. Especially these, because why would a legitimate file disguise itself? Rule of thumb: No file from the system folders can be both hidden and read-only and/or system. Exceptions exist of course, but discerning those exceptions is what the internet is for. Deviations otherwise most certainly are malware of some sort (unless you hid your porn in there). Getting rid of these is merely a matter of clearing those attributes, usually by delving into your command prompt and invoking
attrib -h -s -r [filename]
or the suitable equivalent in other systems. There might be some considerable snags if it so happens that you cannot bring up the command prompt, which a follow-up passage below will discuss.
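The four indicators in section I can be checked mechanically against a directory listing. The script below is an added example, not from the original post: a Python triage pass (chosen over a batch file so the heuristics are readable) over a constructed listing of (path, size, attribute bits). The whitelist of process names and their home folders is a short illustrative assumption, not a complete one.

```python
HIDDEN, SYSTEM, READONLY = 0x2, 0x4, 0x1          # Win32 file attribute bits
EXEC = (".exe", ".scr", ".com", ".pif")           # extensions to size-cluster
# Illustrative whitelist (assumption): process name -> the folder XP keeps it in
KNOWN = {"svchost.exe": r"c:\windows\system32", "winlogon.exe": r"c:\windows\system32",
         "lsass.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows"}

def osa_distance(a, b):
    """Edit distance that counts one adjacent swap as a single edit, so that
    'scvhost.exe' is distance 1 from 'svchost.exe'."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def triage(entries):
    """entries: (full path, size in bytes, attribute bits). Returns [(path, reason)]."""
    findings, by_size = [], {}
    for path, size, attrs in entries:
        folder, name = path.lower().rsplit("\\", 1)
        if name in KNOWN and folder != KNOWN[name]:            # legit name, wrong place
            findings.append((path, f"{name} found in {folder}, not {KNOWN[name]}"))
        elif name not in KNOWN:                                 # near-miss of a legit name
            for good in KNOWN:
                if osa_distance(name, good) == 1:
                    findings.append((path, f"name imitates {good}"))
        if folder.startswith(r"c:\windows") and attrs & HIDDEN and attrs & (SYSTEM | READONLY):
            findings.append((path, "hidden plus system/read-only inside a system folder"))
        if name.endswith(EXEC):
            by_size.setdefault(size, []).append(path)
    for size, paths in by_size.items():                        # worm 'overwrites' share a size
        if len(paths) >= 3:
            findings += [(p, f"one of {len(paths)} executables of {size} bytes") for p in paths]
    return findings

SAMPLE = [  # constructed listing, not taken from any real machine
    (r"c:\windows\system32\svchost.exe", 14336, 0),
    (r"c:\windows\system32\lsass.exe", 13312, 0),
    (r"c:\windows\system32\scvhost.exe", 40960, HIDDEN | SYSTEM | READONLY),
    (r"c:\svchost.exe", 40960, HIDDEN),
    (r"e:\photos.exe", 40960, HIDDEN | SYSTEM),
    (r"e:\music.exe", 40960, HIDDEN | SYSTEM),
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE):
        print(f"{path}: {reason}")
```

Every hit is a lead to look up, not a verdict; the two clean system32 files produce nothing, while the lookalike, the misplaced copy and the four same-size executables are each flagged.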

II. Then there are those that bury themselves a bit deeper:
-- libraries work by being loaded into applications. For this reason malware DLLs cannot simply be killed with the usual means (you have to unload them first from their parent applications, else you get the 'access denied' or 'file in use' error), especially when they latch onto some critical part of the software hierarchy (e.g. winlogon.exe) - this is where the module-unloading functions of IceSword come in handy. The native taskkill function can do the same thing, only with the added hassle of extensive command prompt handling.

III. Then there are the real pains in the ass when they manage to screw you over. Suppose the malware makers aren't the usual dullards this time:
-- for every file you manage to delete another pops up in its place or somewhere else on your hard disk. This is most likely caused by two or more instances of the malware infecting different files and operating at the same time.

The way to deal with this, naturally, is to somehow stop all copies from executing simultaneously. Process Explorer has a 'suspend' function you can use on malware apps (found at right-click) and/or on individual threads of an infected application (found on said app's properties page, under the threads tab) - provided you can decipher which threads belong to the malware and which are legit - and you can use it to suspend all threads you deem suspicious. Deleting them should be a breeze afterwards, but always make sure all copies were accounted for, lest there be reinfection once again.

-- the 'disabler' type of malware that revokes access to certain tools when you try to remove it. The first sign of a malware infection is usually the disabling of your OS's task manager, command prompt and/or other administrative privileges. It is therefore imperative that you maintain access to at least the tools required to cleanse them.

On systems that shut down and/or reboot while you attempt to access native administrative tools, a batch file that aborts the shutdown command can be run as soon as the shutdown is triggered. A clearer example would be to make a .bat file on Windows OSs spamming the
shutdown -a
command two or more times within the file and then running it. Inelegant, but usually effective: no more pesky shutdowns for the session.

I haven't had much experience with those types that really screw around with permissions (your user privileges downgraded entirely to guest-level or something like it); it seems to me their coders would think it too much work to be thorough with end-user computers instead of going after the big guys: system administrators and the like who know their stuff. tl;dr I won't be discussing the matter further until I know more.

-- a combination of the preceding characteristics of malware as described above. Rule of thumb: no single piece of malware has everything. Mainly because of differing philosophies concerning detection: you hide your stuff either by appealing to common ignorance or by programming skill. You either assume your target won't notice or won't be able to take action. The former is the focus of most virii and worms while the latter's the realm of both trojans and rootkits (more so on rootkits). You should be able to tailor your responses to such threats as they arise: It may mean the difference between a clean reinstall and preserving the status quo.

After those huge walls of text you should probably have some idea by now of how to deal with various types of infestation. The steps depend upon the nature of the infection, but all of them have simple common sense as grounding. Disconnect from the net when cleansing; the chance of immediate reinfection drops considerably. Check the registry before and after cleansing for aberrances; clean computers don't have unfamiliar registry keys reinstated after you erase them. Check startup folders for unfamiliar faces. And of course, prevention is always better than cure.
-- get a firewall instead of an antivirus. An analogy would be walling up your lot instead of relying on guns and knives and table forks when burglars are already looting inside. Windows firewall is like the wooden palisade even your neighbor's tykes can run over so choose something more substantial.
-- disable autoplay altogether. When opening removable drives ALWAYS rightclick (and NEVER doubleclick) to be sure you're opening a folder instead of a nuisance.
-- set your file explorer to show all files and folders, even hidden and system ones (and all extensions), at all times. In UNIX and UNIX-like systems extensions aren't much of a bother, but on Windows doctoralthesis.doc and doctoralthesis.doc.vbs are two very disparate things. Be wary of those aforementioned executables masquerading as folders and files, and you might yet find the real objects they replaced simply hidden alongside the fakes thanks to this simple precaution. Not to mention that any sudden inability to see hidden files after explicitly setting otherwise is indeed a fine indicator of an infection afoot.
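The before-and-after registry check recommended above can be done by exporting the autostart keys with regedit (or `reg export`) before cleansing and again after the reboot, then diffing the two text files. The script below is an added example, not from the original post; it assumes the standard .reg text format and uses two constructed exports in which the erased 'scvhost' entry comes back under a new path.

```python
import re

VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')   # "name"=data  or  @=data

def parse_reg(text):
    """Parse a regedit / 'reg export' .reg file into {key: {value_name: data}}.
    Assumes the 5.00 or REGEDIT4 text format; hex continuation lines are joined."""
    text = re.sub(r"\\\r?\n\s+", "", text)               # join 'hex:..,\' continuations
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE.match(line)):
            name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = m.group(2)
    return keys

def compare(before, after):
    """Sets of (key, value_name) added, removed and changed between two exports."""
    a, b = parse_reg(before), parse_reg(after)
    added = {(k, n) for k in b for n in b[k] if n not in a.get(k, {})}
    removed = {(k, n) for k in a for n in a[k] if n not in b.get(k, {})}
    changed = {(k, n) for k in a for n in a[k] if n in b.get(k, {}) and a[k][n] != b[k][n]}
    return added, removed, changed

def reinstated(deleted, after):
    """Entries you erased before the reboot that the 'after' export still contains."""
    b = parse_reg(after)
    return {(k, n) for k, n in deleted if n in b.get(k, {})}

RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUNONCE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
# Constructed exports: before cleansing, and after erasing 'scvhost' and rebooting.
BEFORE = rf"""Windows Registry Editor Version 5.00

[{RUN}]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"scvhost"="C:\\WINDOWS\\system32\\scvhost.exe"

[{RUNONCE}]
"""
AFTER = BEFORE.replace(r"system32\\scvhost", "scvhost") + '"update"="C:\\\\update.exe"\n'

if __name__ == "__main__":
    print("came back:", reinstated({(RUN, "scvhost")}, AFTER))
    print("added/removed/changed:", compare(BEFORE, AFTER))
```

An empty 'removed' set after you know you deleted something is the tell: the entry was rewritten by a copy you missed, so go back to the process list.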

And lastly, if you can't even be bothered to go through the instructions above (but still want a squeaky-clean computer) you might as well get Deep Freeze in here. It 'washes' the system clean after every reboot, at the expense of discarding everything written to disk after a mandatory snapshot of the system's state. Imagine a System Restore every reboot - only enforced, all-encompassing and a big patching hassle for MMORPGs.
