Quick and Dirty Malware Removal

The following is a quick and dirty guide to virus/malware removal. These are simple, proven steps to clean out malware and get a PC back up and running as quickly as possible. No attempt is made to do any sort of forensics, nor are there any techniques included for measuring or controlling the propagation to other machines or networks. The assumption is that the damage has already been done and you are just cleaning up the mess.

Arming Yourself

The following is a list of tools you will need to have handy. It is highly recommended that you download these on an uninfected machine beforehand! There are many types of malware out there that are known to detect the file names/signatures of popular cleaning tools and infect them. You have been warned!

Kill Everything That Moves

  • Alt-F4 any obvious pop-ups; don’t take the risk of clicking on the window even if the border “looks like a window”, it could easily be an imagemap.

  • Launch Process Explorer and look through all of the running processes. Look very closely: do any of the names look out of place? Eating up too much memory? Pay special attention to the “Company Name”.

  • Once you have killed any running processes, double check for open ports. Go to the command prompt and run netstat -an | find /i "listening" and it will show you all ports that are being listened on.

Stop It From Spawning

  • Launch Autoruns and look through all of the start-up items. There is a feature in the latest version to hide Microsoft-signed entries; this will make your life much easier. Save the current settings in Autoruns before removing any items, so that if you remove something you shouldn’t have, you can put it back. Check all start-up items, and also pay attention to drivers and services. Again, there are many obvious telltale signs of malware: misspellings, invalid directories, etc.

  • Check Start->Program Files->Startup

Destroy the Source

Run Combofix. This can take up to 40 minutes to complete. For part of the run it will need to be connected to the network to update. During its run Combofix launches many small utilities that clean various malware. For part of its network cleaning/repair the machine will lose its network connection for up to 10 minutes. If you are running Combofix remotely, don’t panic. Seriously, even when you think “God what have I done, I’ve killed the network connection!”, it will come back.

Clean Up the Mess

  • Run Malwarebytes quick scan

  • Visit Add/Remove Programs and remove any “junk” programs. Use Revo Uninstaller for stubborn ones.

Sanity Check

  • Launch IE and verify functionality by going to a few websites.  Also do a search on Yahoo, Bing and Google.  Verify that the search result links actually take you to the correct site (not redirected).

  • Review c:\windows\system32\drivers\etc\hosts
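As an added example (not part of the original guide), a small Python script that audits a hosts file the way the sanity check above suggests: it flags any mapping that is not a stock loopback entry, catching both search engines redirected to a remote address and security vendor sites blackholed to 127.0.0.1. The hosts file content below is constructed for the example, not captured from a real machine.

```python
"""Audit a Windows hosts file for entries that could redirect browsing.

Malware commonly edits c:\\windows\\system32\\drivers\\etc\\hosts so that
search engines, banks or AV update servers resolve somewhere else.
Anything other than the stock loopback entries deserves a look.
"""
import ipaddress

# Constructed sample, not a real machine's hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# Entries below are the kind malware adds: search engines pointed at a
# remote host, and an AV vendor site pointed at loopback.
203.0.113.7     www.google.com google.com
203.0.113.7     www.bing.com
127.0.0.1       www.malwarebytes.org
"""

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, ignoring comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:               # one line may list several names
            yield fields[0], name.lower(), line_no

def suspicious_entries(text):
    """Return (line_no, hostname, ip, reason) for every non-stock mapping."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, name, ip, "unparseable address"))
            continue
        if addr.is_loopback and name in LOOPBACK_NAMES:
            continue                          # the only entries a stock file needs
        reason = "blackholed to loopback" if addr.is_loopback else "redirected"
        findings.append((line_no, name, ip, reason))
    return findings

if __name__ == "__main__":
    for line_no, name, ip, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({reason})")
```

To run it against a real machine, read the hosts file into a string and pass it to suspicious_entries in place of SAMPLE_HOSTS.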

Share your tips

Do you have any tips or tricks, or any handy software that you use to defeat the ever-growing scourge that is malware?

Jarlsberg Means Hacker Fun

At some point this was renamed to “Google Gruyere” https://google-gruyere.appspot.com/

This is just a quickie post, but I just heard about a new Google Code Lab project called Jarlsberg. Jarlsberg is part tutorial and part toy web app; its goal is to teach web developers common web vulnerabilities and how to defend against them.

I’m just digging in to this so I don’t have much to report yet, but it looks like a blast!

Have fun and happy hacking.

Phishing and Spam IQ Quiz - Will You Pass?

I just took the Sonicwall Phishing and Spam IQ Quiz and I’m proud to say I passed with flying colors.  All told, it probably took under 5 minutes to complete, while I was getting ready to leave for work. 

It’s doubtful that Sonicwall will ever release any data from this quiz, but I would hazard a guess that the results wouldn’t surprise anyone. Those who would describe themselves as “technical” probably got near 100% in all cases, while those who could be described as non-technical probably scored similarly to random chance. If you consider yourself technical and still missed a few, consider this. These emails are deliberately designed to be deceptive. Any of us scoring 100% probably applied much more care and reasoning to the quiz than we normally do to our email. If everyone went at their typical scanning speed, I’m sure there would have been no perfects!

So, why is it that to some of us these phishing scams are blindingly obvious?  I think the answer lies in what we look for.  For most of the technical audience taking the test, I would suspect they scanned the emails the same way I did.  Look only at the urls, if they “look” legitimate they probably are, if they “look” fake they are probably a scam.

My thought is that a less sophisticated user would probably read through the email, trying to weigh the tone of authority, the context and various other clues to determine if it was legitimate or not. And therein lies the problem. By even reading the email they have started to buy into the “false context” trick of the social engineer. People will do seemingly careless things (give away social security numbers, passwords, etc.) if the context is crafted in a way to make them believe “this is okay”.

How can we defend against this, both for the people we may be educating, but also for ourselves? My personal plan is to develop “shortcuts”: logical rules that will immediately tell me whether something is probably a scam or not. That way I don’t allow myself to get caught up in the narrative and buy into the context offered. For instance, in the quiz above, my personal “rule” or shortcut was to look at the URL; if it looked odd I would assume that it was fake. There is little to lose by doing this, because if it turns out to be a legitimate request, someone will contact you another way.

Anyone out there brave enough to admit they have fallen for a scam? What were the telltale signs, now obvious, that you didn’t pick up on? Do you have any personal “shortcuts” that you use when evaluating emails, phone calls or other requests for your personal information?

If you are a system administrator I implore you to create a similar test for your users and report back with the results!