Dealing With Infected Computers: Prevention and Remediation

Brad Curtis    |    June 23, 2011

There has been a recent spike in viruses, malware, and other infections, arriving through several different attack vectors and affecting both Windows and Mac operating systems. This is a common problem for all users: it is not just the serial browser and social media user picking up these infections, it is techies too. You should not be embarrassed to notify your IT staff of a potential infection. If it is not addressed in a timely manner, data and information loss can cost an organization far more in damage, reputation, legal exposure, and expense than the cost of replacing a hard drive or the time spent remediating the issue or wiping and reimaging the drive.


Google Images search results appear to be a widely used channel for malicious users to plant fake antivirus offerings, which claim to find a virus or other problem on your computer and offer to clean it off if you subscribe to their service. These fake antivirus or antimalware scams typically appear as a pop-up that mimics real antivirus or operating-system messages. Other known vectors include e-mail, links on both legitimate and questionable Web sites, Excel formulas, and social media Web sites.

If your antivirus, antispyware, or antimalware application identifies and quarantines an infection or threat, you may be (and probably are) still at risk. Through Solutionary’s research and testing of many recent infections, we have come to the conclusion that there is simply no single tool that catches everything. We ran several well-known security tools against many different infections, and not a single tool caught all the infected files. Most of them caught the file responsible for the initial attack, but this new breed of infections has gotten smarter and digs deep into the boot sector, system, and registry, so it is difficult to identify and completely eradicate. Therefore, the best option to ensure complete removal of all infections on an affected computer is to wipe the drive completely and start over from scratch. That is the only sure-fire method to eradicate many of these threats.

Here are a few tips for users to avoid these issues and protect company information:

* Do NOT click links or visit questionable Web sites
* Do NOT allow browsers to save passwords or form data
* Do NOT save files locally to your machine as a rule; by doing so you are putting any information on your computer at risk
* Do NOT try to fix (remove) an infection yourself
* Save files to a network resource (a personal network drive, etc.)
* Use ALT+F4 to quickly close a browser when you access questionable content or see a pop-up offering security tools

Here are some bare-bones guidelines for users who believe they have an infection:

1. Unplug the computer from the network
2. Follow your organization’s Incident Response Plan

If your organization already has procedures for how users should deal with infections, you may want to review your current procedures and policies to ensure some of these tips are included:

* Capture running system information (i.e., memory, services, etc.)
* Power off the computer (hold the power button; do NOT use a regular shutdown)
* Create a copy of the affected drive using a forensic copier (if available) to keep the current state intact, and label it as infected
* Use the copy to do your research
* Save the results (logs or reports) from each tool and review them
* Do not plug the affected computer into your internal network (or the drive into another machine on the network)
* Gather all relevant information (i.e., firewall, antivirus, IDS, VPN, proxy logs, etc.)
* Certified staff should investigate the scope of the infection to determine the extent of the incident (i.e., data and information loss, access, etc.)

If infections are validated, perform the following steps:

1. Update your security defenses (IDS, IPS, host-based signatures, etc.) with what was identified in the investigation, then scan and monitor the affected environment for further infections
2. Require all users in the affected scope to reset passwords (both company and personal)
3. Fully wipe or erase the drive(s) before reusing them (or destroy them and buy a new drive)
4. Alternatively, you can engage a third party for your forensic investigation if you do not have the appropriate staff or tools to perform the analysis

There is no clear-cut way to prevent or fix these issues today, but following the steps above may help you defend against these threats. To assist clients with detecting them, Solutionary creates custom signatures to detect known bad Web sites and to recognize the network traffic associated with new threats. As recently as last week, hundreds of fake antivirus Web sites surfaced, and Solutionary’s SERT created new signatures with nearly 400 new entries.
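The "known bad Web site" signatures described above can be approximated on a much smaller scale with a proxy-log check, which also produces the "affected scope" needed for the password-reset step. The Python script below is an added example, not Solutionary's tooling or code from this post. The blocklist hosts and the proxy log lines are constructed placeholders (`.invalid` domains), and the log format is an assumed simple one: timestamp, client IP, method, URL, status.

```python
import re
from dataclasses import dataclass

# Constructed blocklist of fake-antivirus hosts. These are placeholders, not
# indicators from the post; a real list would come from a signature feed.
FAKE_AV_HOSTS = {
    "fakeav-scanner.invalid",
    "free-pc-cleanup.invalid",
    "securityscan-alert.invalid",
}

# Assumed proxy log layout: "<date> <time> <client-ip> <METHOD> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<client>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3})$"
)
HOST_RE = re.compile(r"^https?://([^/:]+)")

# Constructed sample proxy log (not captured from a real system).
SAMPLE_PROXY_LOG = """\
2011-06-20 09:14:02 10.1.4.22 GET http://images.example.com/search?q=kittens 200
2011-06-20 09:14:05 10.1.4.22 GET http://fakeav-scanner.invalid/scan.php?id=7 200
2011-06-20 09:14:09 10.1.4.22 GET http://fakeav-scanner.invalid/setup.exe 200
2011-06-20 09:15:31 10.1.7.88 POST http://intranet.example.com/login 302
2011-06-20 09:16:00 10.1.9.14 GET http://free-pc-cleanup.invalid/alert.html 200
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    host: str
    url: str


def parse_line(line):
    """Return (timestamp, client, host, url) or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    h = HOST_RE.match(m.group("url"))
    if not h:
        return None
    return m.group("ts"), m.group("client"), h.group(1).lower(), m.group("url")


def find_fake_av_hits(log_text, blocklist=FAKE_AV_HOSTS):
    """Flag requests to a blocklisted host or any of its subdomains."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, host, url = parsed
        if host in blocklist or any(host.endswith("." + b) for b in blocklist):
            hits.append(Hit(ts, client, host, url))
    return hits


def affected_clients(hits):
    """Distinct client addresses that touched a blocklisted host."""
    return sorted({h.client for h in hits})


def executable_downloads(hits):
    """Hits that fetched an installer, i.e. the likely actual infections."""
    return [h for h in hits if h.url.lower().endswith((".exe", ".msi", ".scr"))]


if __name__ == "__main__":
    found = find_fake_av_hits(SAMPLE_PROXY_LOG)
    for h in found:
        print(h.timestamp, h.client, h.url)
    print("affected clients:", affected_clients(found))
    print("executable downloads:", [h.url for h in executable_downloads(found)])
```

The subdomain check matters because fake antivirus pages rotate hostnames under one registered domain; a responder would feed the `affected_clients` list into the password-reset and host-scan steps rather than trusting a single quarantine event.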

For the techies, here’s a list of examples of recent infections (name and path):

* Virus: Rootkit.Win32.TDSS – Master Boot Record
* Trojan: DOS\Alureon.A – Master Boot Record
* Adware: AdWare.Win32.WhiteSmoke.axh - C:\WINDOWS\Temp\bdwp\setup.exe (multiple variants)
* Adware: AdWare.Win32.WhiteSmoke.heur - C:\Windows\Temp\explorer.exe
* Gen: Trojan.Heur.FU.huW@auviNBe - C:\Program Files\servername\crashreporter.exe
* Gen: Variant.Kazy.20660 - C:\WINDOWS\system32\calcsn32.dller
* Trojan: Trojan.Win32.Jorik.Skor.vn - C:\WINDOWS\Temp\Mgd.exe
* Trojan: Win32\FakeSysdef - C:\Documents and Settings\All Users\Application Data\OoyECuNcnEni.exe-(UPX)
* Exploit: Win32\MS04028!jpeg - C:\Documents and Settings\user\Desktop\Desktop Stuff\2008-12-09\20080905.cap\20080905.cap.gz-(GZip)-(part0878:)
* Virus: Win32\Patchload.O - C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP638\A0146822.exe (37 variants)
* TrojanDropper: Win32\Sirefef.B - C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP637\A0144809.SYS
* TrojanDownloader: Win32\Karagany.A - C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\23\15b67017-412e5f18
* Exploit: Java\CVE-2010-0094.x - C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\34\c669a2-5ca1bd02.vir\\*.class

Let’s look at the last exploit listed above in more detail. This particular exploit is related to the Java Runtime Environment and has multiple attack vectors. Unlike the ActiveX exploits that attacked Internet Explorer, it is not browser dependent, so it can affect any browser that utilizes Java. It can allow certain system-level functions to be run with administrator privileges via the ClassLoader, which can ultimately lead to data and information loss. The following are only a few of the variant classes used by this Java runtime exploit:

* vmain.class
* vload.class
* CusBen.class
* Trollllllle.class
* Cload.class
* huiak.class
* Applet.class

Another Java exploit with multiple Class variants: CVE-2008-5353 - C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\26\35ed065a-15e6fb14->*.class

* Jk7q1f0dza.class
* L3odckyq39.class
* U7ikaeo37.class

And another - CVE-2010-0840 - C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\30\3b7a5a1e-4a6b5da6->glass/mumux$vrkr.class

* glass/mumux$vrkr.class
* buba/main.class
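To turn the infection list and the three Java cache entries above into something a responder can run against a file inventory taken from the forensic copy, here is an added Python example (not code from the post or from Solutionary). It generalises the reported locations into path patterns (executables in Windows Temp, files dropped directly under All Users\Application Data, `.class` files in the Java deployment cache, binaries inside System Restore points, and the malformed `.dller` extension) and also checks for the class names listed in the Java exploit entries. The inventory paths, cache directory names and restore-point GUID are constructed samples.

```python
import re

# Path patterns derived from the locations reported in the post. The patterns
# are this example's own generalisation and are matched case-insensitively.
SUSPECT_LOCATIONS = [
    ("executable in Windows Temp",
     r"^C:\\WINDOWS\\Temp\\.*\.(exe|dll|sys)$"),
    ("executable directly under All Users\\Application Data",
     r"^C:\\Documents and Settings\\All Users\\Application Data\\[^\\]+\.exe$"),
    ("class file in the Java deployment cache",
     r"^C:\\Documents and Settings\\[^\\]+\\Application Data\\Sun\\Java"
     r"\\Deployment\\cache\\.*\.class$"),
    ("binary inside a System Restore point",
     r"^C:\\System Volume Information\\_restore\{[^}]+\}\\RP\d+\\A\d+\.(exe|sys)$"),
    ("system32 file with a malformed executable extension",
     r"^C:\\WINDOWS\\system32\\[^\\]+\.(dll|exe|sys)[a-z]+$"),
]
COMPILED = [(label, re.compile(rx, re.IGNORECASE)) for label, rx in SUSPECT_LOCATIONS]

# Class names taken from the post's three Java exploit entries (package paths
# kept as directory components so "main.class" alone does not match).
KNOWN_EXPLOIT_CLASSES = {
    "vmain.class", "vload.class", "CusBen.class", "Trollllllle.class",
    "Cload.class", "huiak.class", "Applet.class",
    "Jk7q1f0dza.class", "L3odckyq39.class", "U7ikaeo37.class",
    r"glass\mumux$vrkr.class", r"buba\main.class",
}

# Constructed file inventory (sample input, not from a real system).
SAMPLE_INVENTORY = [
    r"C:\WINDOWS\system32\calc.exe",
    r"C:\WINDOWS\Temp\Mgd.exe",
    r"C:\WINDOWS\Temp\bdwp\setup.exe",
    r"C:\WINDOWS\system32\calcsn32.dller",
    r"C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\34\abcdef12-3456789a\vload.class",
    r"C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\12\00000000-00000000\Report.class",
    r"C:\Documents and Settings\All Users\Application Data\OoyECuNcnEni.exe",
    r"C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP638\A0146822.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]


def _normalise(path):
    # Inventory tools sometimes emit forward slashes; compare on backslashes.
    return path.replace("/", "\\")


def reasons_for(path):
    """Return the list of reasons a path is suspect (empty if none)."""
    p = _normalise(path)
    reasons = [label for label, rx in COMPILED if rx.match(p)]
    low = p.lower()
    if any(low.endswith("\\" + name.lower()) for name in KNOWN_EXPLOIT_CLASSES):
        reasons.append("class name reported in the post's Java exploit entries")
    return reasons


def triage(paths):
    """Map each suspect path to its reasons; clean paths are omitted."""
    result = {}
    for path in paths:
        reasons = reasons_for(path)
        if reasons:
            result[path] = reasons
    return result


if __name__ == "__main__":
    for path, why in triage(SAMPLE_INVENTORY).items():
        print(path)
        for reason in why:
            print("   -", reason)
```

A hit here is a lead for the investigation, not proof of infection: the Java deployment cache legitimately holds `.class` files, and the post's own advice stands that a validated infection ends in a wiped drive rather than in deleting the flagged files.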

In closing, keep your users informed by communicating tips to them regularly without making them feel bad if they get infected. If you belittle them, they will be reluctant to report issues, or may try to fix the issues themselves, which will only create more issues for you and your organization in the end.
