Tutorials

February 20, 2006

Curing Malware Infections

By Laurie Rowell and Dan Bacon

Page 1 of 3

When panic-stricken customers or users call for help with systems that have gone kablooey, the culprit is probably a malware infection.

Common complaints from malware infections include dying audio, blinking video, even a system that mysteriously turns itself on and off. The reasons for infection can vary, too. Maybe the customers simply lowered their security settings...or failed to update the security software you already installed... or just had a spate of bad luck.

Whatever the scenario, have no fear. In this TechBuilder Recipe, we'll offer several simple steps you can take to diagnose the most common malware- related problems. Then we'll show you how to get infected systems back in working order, quickly and efficiently. We'll also provide quick and easy preventive measures you can take to keep your systems battle-hardened against future malware mutations. Finally, we'll show you how to use freeware utilities that will help you and your clients limit your security spending.

Malware has become a serious business. While some malware is still created as a kind of competitive game, today most attacks are driven by the profit motive. In other words, most of the bad guys are in it for the money. This means your clients have much more at risk than just their data. Their passwords, credit-card accounts, and other payment data are now up for grabs, too.

When it comes to malware, spyware tops the list of offenders. Unlike viruses and worms, spyware is not self-replicating. Instead, spyware enters a system via a software download or Web site. As the term suggests, Web browsing done from an infected system can be spied on by a third party. While the spying may be done for relatively harmless marketing, spyware can actually participate by shoving in nasty pop-up ads, re-routing browsers to ad sites, and -- far more insidiously -- stealing user IDs, credit-card numbers, and other valuable information. (For more information on the differences between spyware and viruses -- and their prevention -- see this earlier TechBuilder Recipe, Fight Spyware Like You Mean It!)

The good news is that, by cleaning up malware from a system, you may also help fix other system problems users did not even know they had.

Ingredients

Here's what you'll need to start healing a malware-infected system:

The user's system: This is the system that you suspect is malware-infected. For the purposes of this Recipe, we're assuming the system runs on Windows and has an Internet connection.
Virus-removal software: We recommend McAfee Stinger, which is freeware.
Anti-spyware software: We like SpyBot Search & Destroy, also a freeware package.
Anti-virus software: We recommend Grisoft AVG (free edition), Symantec Norton AntiVirus, or Trend Micro PC-cillin Internet Security.

Note: McAfee's Stinger is mainly deployed for removing viruses, while Spybot Search and Destroy is used for tracking down and removing spyware. There's very little overlap in what they do, which is why we recommend you install and use both. If you deploy only one of these programs, the system could still end up infected, despite your most noble efforts. So to be safe, use both.

Page 2: Six Steps to Taking on Malware

Page 1 | 2 | 3

February 20, 2006

Curing Malware Infections

By Laurie Rowell and Dan Bacon

Courtesy of TechBuilder.org

Page 2 of 3

Six Steps To Taking On Malware

Begin by getting rid of the nasty malware. Then you can get the system back up and running. It takes just a few simple steps:

1. Disable system restore: Perform this step only if the infected computer runs Windows XP or ME. If the infected machine runs Windows 2000, then don't disable System Restore; instead, skip ahead and start with Step 2.

For Windows XP and ME systems, you want to disable System Restore because malware can reside in one or more of the restore points created by the OS. If System Restore is left on, a restore might well re-infect the system from its stored backup.

Here's how to disable System Restore:

First, right-click My Computer. Click on Properties.
Next, click the System Restore tab.
Finally, select the appropriate checkbox to turn off System Restore on all drives. Click OK. Click Yes to confirm.

2. Download and run Stinger: McAfee Stinger is a quick, lightweight freeware utility that scans for and removes the most common malware. The application is frequently updated, but unfortunately, it’s a one-time use utility, not a suite that you can keep running on the system. So you'll need to download the entire application every time you need to use it. While that's a pain, the software's frequent updates ensure that you're covered for whatever new malware mutations emerge in the wild.

Here's how to get Stinger:

Download McAfee Stinger and save it to the local hard drive of the user's infected system.
Run Stinger.exe from the location where you saved it.
Start the scan by clicking Scan Now.

3. Install Spybot Search & Destroy and scan the system: Spybot Search & Destroy is a freeware spyware detection and removal tool that will scan the entire hard drive. You can’t be sure that it will get absolutely everything, but it’s free, it’s thorough, and it will catch what ails the system most every time.

First, download Spybot Search & Destroy and save it to the local hard drive of the infected system. As of this writing, the latest version is 1.6.2
Next, install Spybot Search and Destroy from the location where you saved it. Double-click the setup file, and during the installation, select the default installation options.
Start up Spybot with the icon on the desktop.
The configuration wizard will start up; click Next through each step.
Click on Search for Updates to find the latest definitions for the product. Note: If you receive a “bad checksum” message, this means the server was overloaded, so simply select a different server from the pull-down list and try again.
Select all the updates that were found and click on Download Updates.
Click on Search & Destroy. Then click on Check for Problems. This will scan the machine.
If anything is found, select all the malware that was found and click on Fix Now. This will clean the system.

Remember, Spybot Search and Destroy is a solution for triage, not prevention. To prevent re-infection, advise your client to purchase a spyware-blocking application and to leave it running on their systems at all times. One example is Spy Sweeper, a $29 package from Webroot that not only covers triage, but also acts as a spyware deterrent.

4. Install an anti-virus suite, and scan the system: Any solid anti-virus program will suit your needs here. The goal is to stop the most common virus or worm infections before they can get in to damage the machine. If you're on a budget, the free edition of AVG Anti-Virus from Grisoft will do the job handily. If you're willing to pay, Symantec’s Norton Anti-Virus ($39) or Trend Micro’s PC-cillin Internet Security ($49) enjoy the best reputation on the market. The fee versions may have a quicker response on updating their definitions against new outbreaks, but otherwise, the functionality of the products is similar.

5. Test to ensure the problem is resolved: If all goes well, after you run the anti-virus and anti-spyware, the system's problems will have been solved. If so, skip this step and move on to Step 6. But if the machine is still not working properly, you'll need to do further testing.

To do so, reboot the machine, this time in Safe Mode. Then run both Stinger and Search and Destroy again. Both products are already up-to-date, so there is no need to check for any updates; just run them as is. But don't worry about running an anti-virus program at this point. Most, if not all, cannot run in Safe Mode.

Running Stinger and Search and Destroy in Safe Mode should effectively locate and remove any malingering malware that may be lurking in the system. Why? Well, in Safe Mode, the computer doesn’t start all the system's services (such as the registry), and it doesn’t load all the drivers. Spyware hiding in such places can intercept signals from the OS and say “all is safe here” when it's really not.

After you’ve finished running these utilities, boot Windows normally. If the system is still not working properly, a more thorough examination will have to take place, or a compete reinstall of the system.

6. Turn System Restore back on: System Restore is a useful tool to facilitate recovery from failed software or driver installations. So you’ll want to leave it on under normal operating conditions. Here's how to switch it back on:

First, right-click My Computer. Click on Properties.
Next, click the System Restore tab.
Finally, select the appropriate checkbox to turn on System Restore on all drives. Click OK.

If you've completed all six steps as detailed above, congratulations! You will have a clean system up and running.

Page 3: Preventative Measures

Page 1| 2 |3

February 20, 2006

Preventative Measures

By Laurie Rowell and Dan Bacon

Courtesy of TechBuilder.org

Page 3 of 3

Preventative Measures

Once you've gotten the system clean and working, there are several steps you can take to protect the system and save your customer future grief.

One key fix is to ensure that Windows patches are current. These should be downloaded from Microsoft Windows Update. Using the Express download on the site is fine, but you also should ensure that automatic updates are turned on.

Missing an update to Windows can trigger big problems, like the debacle last summer when the Zotob worm caused havoc at several media outlets, even forcing the producers at ABC News to resort to electric typewriters for their World News Tonight program. This particular worm grew nastier over a period of days The ironic part was that a fix was actually released by Microsoft in plenty of time to prevent the worst of these problems happening to these companies!

Large companies can’t employ the option to turn on automatic updates for their individual users. That's because systems inside the firewall have to integrate with legacy software. Instead, to ensure compatibility with all their internal systems, IT departments must test patches before they can roll them out. Fortunately, if you work with small and medium businesses, or with individual users, that's rarely an issue.

Also, consider installing a firewall on your customers' systems. Switching on the Windows Firewall in XP is a good start. For those on other Windows systems, running BlackIce or ZoneAlarm can prevent security headaches down the road.

One you have the system up and running again, make sure your users and customers understand the risk of opening e-mail attachments. Since new viruses can hijack the address book, even attachments from trusted sources can infect their systems. The short version: Be careful, and be sure to run anti-virus software at all times.

Many users are also unaware of the risks associated with drive-by downloads from Web sites. WinXP Service Pack 2 (available with the Windows Update site mentioned above) alerts users when a risky download is in the offing. But SP2's fixes and alerts appear only when the user is browsing with Microsoft's Internet Explorer. If users go online with Firefox or some other non-Microsoft browser, they won't get any warning at all. Even if your clients ultimately decide to continue using Firefox et. al., they should at least understand the risks.

So now you have a recipe for satisfied customers. Their malware-infected computer is fixed. And they have the tools and knowledge to protect their systems in the weeks and months ahead.

Page 1| 2 |3