
Malware Fighting – Best Practices


Sub-Titled: “My Way” (with apologies to Francis Albert Sinatra)


Let me start by stating emphatically that I am one of those Experts who prefer doing things “My Way”.

It’s kind of a no-brainer. “The following procedure works for me, so here is what I recommend that you do…”.

I believe that recommending methods that work for you (me) is exactly what Experts-Exchange is all about and it is the rule that I follow when posting advice.

When attempting to help one of our Members with a malware problem we need to be extremely cautious that any “My Way” advice is also consistent with the known best practices.

As Malware Experts, our first goal should be to identify which variant we are dealing with, and then provide the best known “safe” fixes to get the system cleaned and running properly.

The purpose of this Article is to discuss the procedures listed below. As in many areas of IT, there is often wide disagreement about “Best Practices” and I am hopeful that all reading this will join in a robust discussion of the topic.

This Article is the result of a lot of work by a lot of people. Unfortunately, the EE Articles process does not allow for "Multiple Authors", but this would have been impossible for me to put together without the extended technical advice of rpggamergirl and thermoduric.

Anyone even casually familiar with the Virus & Spyware Zones will know of "rpg" and her long history of providing superb advice to our members. "thermoduric" is less well-known but his work at the highest levels of creating malware fighting tools made his contributions invaluable.

Their contributions to the Article are shown in italics to allow credit where credit is due.

The main discussion points are:

1.  CURRENT TOOLS and SCANNERS
2.  SAFE MODE SCANS
3.  SLAVED DRIVE SCANS
4.  BootCD SCANS
5.  MANUAL REMOVAL OF INFECTIONS

ONLY USING CURRENT TOOLS and SCANNERS


Many of us have developed a “Bag of Tricks” through the years with our favorite Tools, Scanners, and other Applications. I think that all of us should be very careful to ensure that anything we recommend will first do no harm.

Outdated tools and scanners can be very harmful to current systems. A scanner developed for older Operating Systems might improperly modify a Windows 7 system file with the same name as an XP system file, with devastating (read BSOD) results.

A great example is “SDFix” (one of the greatest tools ever developed), that hasn’t been updated since XP SP2 was current. Although there are still limited uses for SDFix, improper use could possibly result in a non-bootable system.

If any tool in your “Bag of Tricks” hasn’t been updated in the past few days (not weeks or months), you need to give serious consideration to dropping it until it is updated.

In a recent discussion, two of the top Malware Experts (rpggamergirl and phototropic) put together some lists of outdated tools:

SDFix -- last update 6 November 2009
Smitrem -- last update 11/12/2006
SmitfraudFix -- last update 11 June 2009
RogueScanFix -- last update 22 March 2008
FixWareout -- last update September 2005; the author has withdrawn FixWareout
VundoFix v7 -- last update 22 June 2008
CWSShredder -- since changing hands it is no longer effective against CWS
About:Buster -- last update 21 May 2006; was an excellent removal tool for all variants of CWS. The tool is gone; its author is now developing Malwarebytes

If you are still using (or recommending the use of) any of the tools above, you need to reconsider doing so.

Similarly, it is important to keep legitimate links to the tools you are recommending in your "Bag of Tricks".  With questionable sites having legitimate sounding names, there is some confusion over where to download certain tools.  It is therefore important to not only suggest the tool, but also to provide a good link.  By providing only known legitimate links you ensure that readers will get the most current version of the recommended tools with downloads they can trust.

Currently the most commonly used malware scanners are Malwarebytes (MBAM) and ComboFix (CF). These are developed and updated frequently (often several times a day) by very well known MS MVPs and have been tested/vetted by many millions of users from all over the world.

As of the publishing date of this Article the sources below are known legitimate download links for these programs.

Malwarebytes:
Go here: http://www.malwarebytes.org

ComboFix:
Go here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix and read the instructions for the proper use of ComboFix. There are two links provided for legitimate download sites.

Please note the caution message posted at the download link for ComboFix:

"You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer."

Using ComboFix

If you need help with malware removal, then please create a question in one of our "Virus & Spyware" Zones.

You should always post the log generated by ComboFix as a reply in the question where you were asked to run it. Your helper will analyze this log and let you know what they would like you to do next.

SAFE MODE SCANS


If your computer will boot to “Normal Mode”, then in all cases that is how you should attempt to make the repair.
(The following comments in italics are courtesy of rpggamergirl):

During a Safe Mode boot, most malware processes are not running and Malwarebytes' heuristic detection can't detect them.

Malware processes must be active while doing the scan so scanning in Safe Mode is not going to be as effective.

Malwarebytes’ Direct Disk Access (DDA) is not running so the detection of rootkits and other stealth hidden nasties in this mode is not optimized.

While malware processes are not active in Safe Mode, most rootkits are - so MBAM is disadvantaged and will miss detecting them.

Windows File Protection is not on in Safe Mode in Windows 2000/XP/2003 Server so any patched system files e.g. explorer.exe, winlogon.exe, userinit.exe that are deleted by the scanner will not be replaced.

Naturally, if the system will only boot to "Safe Mode", then you will have to run your scans that way. You should warn people of the inherent problems when doing so and let them know that they need to run a full scan in "Normal Mode" ASAP.


SLAVED DRIVE SCANS


When scanning an inactive drive, the scanner often misses the loading points in the registry, which can cause "error loading" pop-ups when the drive is put back in its original host. Worst case scenario, it may render the system unbootable if a bad file is removed while the registry value is still intact.
 
For example, a particular infection hijacks the "Windows" value in this key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems
"Windows"="basekwgb32.dll"
 
If the scanner deletes the bad "basekwgb32.dll" but does not restore the default value, when you put the PC back together it is guaranteed not to boot.

ComboFix is written so that it will not touch that file unless Recovery Console (RC) is installed for that same reason.
 
Windows File Protection is not used when scanning a non-active drive (as mentioned above), so if a crucial system file like userinit.exe or explorer.exe is infected the scanner will delete the file (no questions asked) as opposed to just pointing out that the file is infected. Since WFP is not used, the deleted system files are not replaced and when you put the drive back, the user won't be able to log in. If it is explorer.exe that was deleted then explorer won't load, leaving the user with no desktop icons/taskbar.

Malwarebytes is designed to be a disinfection tool for active malware on a running system and it is in normal mode where it is most potent.
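The loading-point problem described above, and the Windows File Protection caveat from the Safe Mode section, can be checked before a slaved-drive scan deletes anything. The PowerShell script below is an added example for this Article; it is not a tool from rpggamergirl, Malwarebytes or ComboFix. It assumes the slaved disk's Windows folder is at D:\Windows (change the parameter otherwise), that it is run from an elevated prompt on a Vista-or-later host, and that the known-good ServerDll list (basesrv, winsrv, sxssrv) reflects a stock XP/Windows 7 install; all three are assumptions, not facts from the Article.

```powershell
# Added example, not from the Article: inspect an OFFLINE Windows install on a
# slaved drive for the loading points a scanner can break.
# Assumptions: slaved Windows folder is D:\Windows; host is Vista or later and
# the prompt is elevated; stock ServerDll modules are basesrv/winsrv/sxssrv.
param(
    [string]$OffWinDir = 'D:\Windows'
)
$ErrorActionPreference = 'Stop'

$sysHive = Join-Path $OffWinDir 'System32\config\SYSTEM'
$swHive  = Join-Path $OffWinDir 'System32\config\SOFTWARE'
$knownServerDlls = @('basesrv', 'winsrv', 'sxssrv')   # assumption: stock values

# Mount the slaved drive's hives under temporary keys. reg.exe is used because
# the PowerShell registry provider cannot load a hive by itself.
reg.exe load HKLM\OffSYS $sysHive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load $sysHive (elevated? hive not in use?)" }
reg.exe load HKLM\OffSW $swHive | Out-Null
if ($LASTEXITCODE -ne 0) { reg.exe unload HKLM\OffSYS | Out-Null; throw "Could not load $swHive" }

try {
    # An offline hive has no CurrentControlSet; Select\Current names the
    # ControlSet00N that the machine last booted with.
    $cur = (Get-ItemProperty 'HKLM:\OffSYS\Select' -Name Current).Current
    $cs  = 'HKLM:\OffSYS\ControlSet{0:D3}' -f $cur

    # 1. Session Manager\SubSystems "Windows" (the basekwgb32.dll case above).
    $subsys = (Get-ItemProperty "$cs\Control\Session Manager\SubSystems" -Name Windows).Windows
    Write-Host "SubSystems\Windows = $subsys"
    foreach ($m in [regex]::Matches($subsys, 'ServerDll=([^,:\s]+)')) {
        $dll = $m.Groups[1].Value
        if ($knownServerDlls -notcontains $dll.ToLower()) {
            Write-Warning "Unexpected ServerDll '$dll' - restore this value BEFORE deleting the DLL it names"
        }
    }

    # 2. Winlogon Userinit / Shell, the loading points for userinit.exe and explorer.exe.
    $wl = Get-ItemProperty 'HKLM:\OffSW\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Write-Host "Userinit = $($wl.Userinit)"
    Write-Host "Shell    = $($wl.Shell)"
    # Userinit carries the drive letter the OS had when it was the boot drive,
    # not the slaved letter, so only the shape of the path is checked here.
    if ($wl.Userinit -notmatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?$') {
        Write-Warning "Userinit is not the stock value"
    }
    if ($wl.Shell -ne 'explorer.exe') { Write-Warning "Shell is not explorer.exe" }

    # 3. Are the files those loading points refer to still present and intact?
    foreach ($f in 'System32\userinit.exe', 'System32\winlogon.exe', 'explorer.exe') {
        $p = Join-Path $OffWinDir $f
        if (-not (Test-Path $p)) {
            Write-Warning "$p is MISSING - WFP cannot restore it offline"
            continue
        }
        # Catalog-signed files may report NotSigned when checked from another
        # OS; HashMismatch is the status that actually indicates tampering.
        $sig = Get-AuthenticodeSignature $p
        Write-Host ('{0,-40} {1}' -f $p, $sig.Status)
    }
}
finally {
    [GC]::Collect()   # release provider handles before unloading the hives
    reg.exe unload HKLM\OffSYS | Out-Null
    reg.exe unload HKLM\OffSW  | Out-Null
}
```

Run it before the scanner and fix any flagged registry value before (or instead of) deleting the file it names. If userinit.exe or explorer.exe have already been deleted from a slaved Vista/7 drive, `sfc /scannow /offbootdir=D:\ /offwindir=D:\Windows` run from the host can put them back; XP's sfc.exe has no offline mode, so on an XP drive the file has to be copied from that drive's own %SystemRoot%\system32\dllcache or from the install CD.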

BootCD SCANS


This is similar to slaving a drive (the drive is inactive):

The virus scanner's database on the BootCD is most likely outdated.
It can't create restore points (the system restore service is not running)
System File Protection is not on so the system could wind up with missing system files and broken configurations.
You get errors because registry values are not removed, so you still need to scan again within windows to remove redundant registry entries.


MANUAL REMOVAL OF INFECTIONS


That might work if the virus only has one file and one loading point and you don't reboot while you remove its loading point.

It is harder when dealing with an infection since it has multiple files and may have more than one loading point. Without knowing what the infection is and without knowing which files need to be deleted and which registry entries need to come off it can be complicated to the point of impossibility.

With random filenames it is difficult to know exactly which files to target unless you incorporate some diagnostic tools to find the exact files.

Some infections patch system files or create files to camouflage a system file or even create folders that are hard to differentiate from legitimate folders, e.g. the ZeroAccess rootkit creates c:\windows\$NtUninstallKB6522$ among other files.
***********************************
 
In a recent discussion, one of our top EE Members (thermoduric) with many years working for one of the largest AV companies had this to say about “Manual Removal”:

I see there is also a propensity to recommend manual removal of malware. As someone who has worked in the AV industry as a Subject Matter Expert for many years, allow me to explain why doing so is both dangerous and flawed:

1. You cannot be sure you've removed the infection. Malware writers are also not stupid (unfortunately) and they nearly always include fail-safe features in their code to prevent manual removal. Such features include having stealth processes (processes that hook so deep into the OS they are able to be invisible) or injecting code into other running (often system) processes to act as watchdogs that will re-infect a machine that is cleaned incorrectly. Such infections often need removal in a very specific way; often the steps must be performed in a very specific order and often require the cleaning of processes that are running. Using its ability to hook into the OS, an AV engine can prevent any infected running processes restarting until they have been cleaned on a system reboot.

2. Most malware comes in many variants and each has a subtle difference either in terms of how they infect or the payload they deliver. How do you know this isn't a variant you are dealing with? If it is there is a good chance you will not remove all the infection.

3. If a machine has one infection it likely has many. Your manual process may very well remove the specific infection you are targeting, but how do you know there are not more infections that are running in stealth?

AV Engines use a blended approach to detect infection and are able to detect a vaster range of infection than you could hope to manually deal with. Yes, it is true that no AV engine can detect 100% of malware (there is always the chance of a zero day virus) but I can tell you this... if you know of a virus and think you know how to remove it I can guarantee 100% that so will all of the reputable AV engines. What's more, they will also know all the variants (save for zero day ones) and also know how to successfully remove and (often) repair.

The rules used by AV engines are created by very clever researchers who disassemble malware to discover exactly what it does and how to remove it. Unless you know how to do that and have first hand experience in this field I strongly suggest you heed the words of the Subject Matter Experts and avoid suggesting manual removal techniques.
***********************************

The above excerpt was copied with permission and I concur with his advice entirely.

SUMMATION


We’re here as Experts to provide the best advice possible to other Experts-Exchange members. With the help of each other we can ensure that we do the following:

1.      Stay current with our knowledge levels;
2.      “Do no harm”; and
3.      Stick with “Best Practices”.

As mentioned above, I encourage anyone reading this to offer their thoughts on any part of the discussion. I’ve said many times that I learn a lot more on EE than I teach and I am looking forward to learning more in the discussions with you about this Article.

NOTE:
Other EE Articles focused on fighting malware are listed below:


Mine:
MALWARE - "An Ounce of Prevention..."
Basic Malware Troubleshooting
Stop-the-Bleeding-First-Aid-for-Malware
Rogue-Killer-What-a-great-name
Windows-Stability-Center
2012-Malware-Variants

rpg:
"Virut" - Malware continues to evolve
Viruses in System Volume Information (System Restore)
THINGS YOU NEED TO DO WHEN YOUR PC IS INFECTED
IF YOU CAN'T RUN .EXES IN AN INFECTED SYSTEM
Can't Install an Antivirus - Windows Security Center still detects previous AV
HijackThis - Some Tips & Tricks
HijackThis reports missing files on 64-bit Systems
"Google Hijack" - Google Search Gets Redirected
Infected Router - Google Search Redirects Even on a Clean System
Author:younghv