11

I have seen some sites offering 'Malware University', training classes on getting rid of malware. Do you think that updating your malware removal skills (or arsenal) is necessary from time to time? How do you become more effective at dealing with this growing, very complicated, threat?

Terry

4 Answers

32

You don't "clean malware". You level the machines and start over. Anything less is a disservice to your Customer and asking for trouble.

As far as dealing with the "threat", you don't allow users to run with Administrator-level accounts (on Windows), and you don't install untrusted software (inasmuch as is possible). It seems fairly simple to me. My Customers and I do not have a problem with malicious software.

Evan Anderson
  • 11
    Downvotes, eh? Go ahead-- downvote me. I'm still right. *smile* "Cleaning malware" is bush league. After a malicious third-party has attacked your computer, keeping an untrustable operating system and application software around is a bad idea. – Evan Anderson Jun 17 '09 at 23:57
  • 4
    +1 for telling it straight. I do think it's good to understand how malware works, though -- so some reliable training from the likes of Mark Russinovich or SANS might be worth doing. – Ben Dunlap Jun 18 '09 at 00:15
  • 1
    So how do you define malware? Are you really advocating reinstalling the OS because you got something as innocuous as this? http://www.viruslist.com/en/viruses/encyclopedia?virusid=18321 I can understand reinstalling if you contracted some of the more nefarious malware..... – Josh Brower Jun 18 '09 at 00:23
  • 2
    I'm advocating leveling the OS and restoring only data files from backup if you care about the confidentiality, integrity, and availability of the data handled by a computer that has run malicious third-party code. If a malware author needs only to make their software have the outward appearance of being simplistic to cause you to trust that the machine is "clean" after you've tinkered with it, that's what the malware authors will do. – Evan Anderson Jun 18 '09 at 00:28
  • Hypothetically, if you could verify the integrity of every executable on a system by way of booting from a trusted source operating system (say, off of an optical disc), I'd be fine not leveling the OS. As it happens, systems like the old "Tripwire" for *nix operating systems did just that-- created cryptographic signatures to allow you to take a system offline, boot from a trusted OS, and verify the integrity. Perhaps we should be getting to that point in the Windows world. (That, or we should start using the TPMs that are in our computers... *shudder*) – Evan Anderson Jun 18 '09 at 00:31
  • So what it comes down to is the business decision of your risk appetite for CIA for the compromised box... – Josh Brower Jun 18 '09 at 00:32
  • When you really think about all the risks, I don't see how anyone using a computer for business can have much of an appetite. Given how much all of us are spending on "identity theft" w/ the related costs being "passed on" by banks and businesses to consumers I think it's hard, from a home user standpoint, to have much of an appetite either. Malware infected computers are screwing up the Internet for everybody, and we "IT people" need to collectively get off our asses and do something about it before some idiot legislator tries to (which is going to be bad for all of us). – Evan Anderson Jun 18 '09 at 00:38
  • 1
    +1 for learned the hard way. – cop1152 Jun 18 '09 at 01:08
  • Je suis d'accord (I agree) completely. This is what imaging deployment programs like Altiris are for. Provided anything can be retrieved from the hard drive for the user, re-image, perform post-build and move on to more critical things. – Greg Meehan Jun 18 '09 at 01:41
  • I'd say it depends on the OS and nature of the intrusion. I recently cleaned up a minor intrusion on a disused Linux account. One issue with the descent of Windows from a single-user system and Linux and MacOSX from multi-user is that Windows tends to blur the difference between user and administrator. – David Thornley Jun 18 '09 at 14:20
  • Not to mention that locking down Windows machines only works so far. Some people need admin access on their computers (Visual Studio 2008 expects it, for example), and some people higher in the company may well demand admin access and get their machines infected. At least that should keep you in practice for wiping and re-imaging. – David Thornley Jun 18 '09 at 14:23
  • +1 - Nuke and pave is the way to go these days. And definitely +infinity for taking away Admin rights from those who don't need it. – romandas Aug 06 '09 at 22:52
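A minimal version of the Tripwire-style check Evan describes in the comments, added here as an illustration (it is not code from the answer, from Tripwire, or from any Sysinternals tool): snapshot SHA-256 digests of the watched binaries while booted from trusted media, keep that snapshot somewhere the suspect disk cannot reach, and later diff the tree against it. The watched extensions, the JSON store and the function names are my assumptions.

```python
"""Tripwire-style file integrity baseline (added illustration).

Assumptions: the suspect volume is mounted read-only from a trusted boot,
the baseline JSON lives on separate trusted media, and only files with
the watched extensions matter. Store the baseline off-box: a baseline
kept on the suspect disk can be rewritten along with the binaries.
"""
import hashlib
import json
import os

WATCHED = (".exe", ".dll", ".sys")  # assumed set of binaries to track


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of one file, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, extensions=WATCHED):
    """Map each watched file (path relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def verify(root, baseline, extensions=WATCHED):
    """Diff the current tree against the trusted snapshot.

    Returns lists of modified, added and removed watched files; all three
    empty means every tracked binary still matches the baseline.
    """
    current = build_baseline(root, extensions)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }
```

Note that this only tells you whether tracked files changed; an attacker who planted something under an extension you do not watch, or who altered the baseline itself, is invisible to it, which is why the snapshot must live off the suspect machine.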
6

Beyond the sysadmin practices of not letting users run administrator level accounts and such, a lot of the responsibility falls on you to remain up to date on threats in the wild. Read the warnings that pop up when a new threat is found. Have an update policy for your software.

Nothing can destroy security faster than a determined user, so educate them about the dangers of clicking on random links in e-mail or installing applications unless they are sure of the source (etc), making sure to tell them that this is for the safety of the network and their home computers.

If you stay on top of news, and keep your users in the know, then you drastically reduce your exposure.

RascalKing
5

As far as "malware training" goes, the name alone is a bit too marketing-buzzword to inspire much faith. Perhaps I'm too much of a skeptic, but I feel that any specific "malware topics" are going to be obsolete before the class is in session.

Sure, some basic skills apply, but if an admin (or support tech) doesn't already know those things, I'd rather they format the machine (for the reasons Evan Anderson pointed out) instead of taking a chance on their cleaning skills.

Kara Marfia
4

Autoruns and Process Explorer from Sysinternals (now owned by MS) are your best friends. The 1-2 infections I see a week where a user has opened an attachment or visited a page they shouldn't have, and the (up-to-date!) AV hasn't completely blocked it, can generally be cleaned up in 30m-1h of effort with just these two utilities. They are pretty straightforward, and after your first few clean-ups you'll get a knack for knowing what needs to be killed/removed to get rid of the malware.

That said, every once in a while you'll run across a piece of malware that isn't written by an idiot, so if you can't make any headway after 30 minutes, it's time for a complete wipe/reload.

Keep in mind, this is more appropriate for SMBs where hardware isn't standardized. If you've got a system image and the user's files are backed up, it will be quicker to wipe/reload at the first sign of infection.

Skawt
  • I consider myself fairly proficient with procexp and autoruns. Last time I used these tools to remove a virus everything looked squeaky clean, but it turned out that the computer was still transmitting spam messages - enough to get our IP put on several SMTP blacklists. The only way to be sure of a clean box is to rebuild. – Nic Mar 23 '10 at 05:55