Category Archives: Malware Removal

Ransomware! – How A Layered Security Approach Can Defeat It

My Australian mate, Mal Cowan, steps into the breach when his good friend gets infected with one of the most difficult to remove pieces of malware currently ripping up the Internet – ransomware. Follow Mal, in this guest writer article, as he spins up his skill set and puts the hammer to a ransomware infection.

Recently, I received a frantic call from a good friend. He informed me that when he booted his computer, there was a message supposedly from Australian Law Enforcement, stating that his PC had been involved in illegal activity and distributing pornographic material.

Freak-out time – The malware had taken a photo of him via his webcam and placed it in the top middle of the Law Enforcement notice.

Note: This scam is not restricted to Australia. The graphic below provides ample evidence that this type of ransomware is a global issue.

Graphic courtesy of F-Secure.

Immediately, I knew what this program was – Ransomware.  Tech and blog sites have been full of news of this scourge in the past few months.

At first look, there was a full screen message – complete with an official-looking logo from the Australian Federal Police.  The computer’s IP address had been logged, and there was indeed a photo of my friend, along with the messages outlined above.

The clincher? The message stated that he had to pay a fine to unlock his computer.

First, I tried to start Task Manager to stop the malware process.  That did not work – it simply would not load.  The computer was well and truly locked.

Next, I tried to restart the computer in Safe Mode.  No luck.  The message appeared again.  Still frozen.

Then, I inserted Kaspersky Rescue Disk (a fantastic Linux-based recovery disk made for just this type of situation), and restarted the computer.

Selecting boot options before Windows started, I loaded Kaspersky and updated the malware database via the Internet.  The wonderful thing about Kaspersky is that it scans the infected machine without Windows running, so anything nasty cannot hide.

After a three hour scan, Kaspersky came up with 50 Trojan detections (one of the biggest I have ever seen).  It was able to eliminate all but one of them.

I crossed my fingers and restarted Windows.  Instead of the message, there was just a big white screen – still locked.  Kaspersky had obviously made a dent, but I needed something more.

Before leaving for my friend’s house, I had loaded up a USB stick with Hitman Pro Kickstart.  Hitman Pro is a wonderful true cloud antivirus scanner using multiple AV engines, with an excellent detection rate.

Recently, it also added a feature in which one can create a bootable USB stick that can bypass the infected boot process.  The catch is – this must be done on an uninfected machine (which is why I used my personal computer to create it).

I inserted the USB stick into the slot, restarted the machine, and went to boot options (the F12 key on the infected machine) and selected “Boot from USB”.

Hitman Pro Kickstart came through.  It booted straight into the Windows environment without a hitch, and then proceeded to run a scan (an Internet connection is required).  I was a bit dismayed when the scan came back clean, as I knew Kaspersky had not been able to eliminate one threat.

But now, I was past the ransomware Trojan and able to start other antimalware applications.  Malwarebytes was next.  I updated it and proceeded to run a full scan.  Bingo.  It nailed a few more Trojans that had got past Kaspersky and Hitman Pro, and after deleting these nasties and rebooting the computer normally, a further scan with Hitman Pro, Malwarebytes and AVG came up clean.

The point of my story really is quite simple.  NOBODY can rely on one antivirus/antimalware application to catch all malware.  The ransomware obviously got past the onboard, real-time antivirus (which was not AVG, I installed that afterwards).  Kaspersky detected most of the infections, Hitman Pro helped me boot into the Windows environment, and Malwarebytes cleaned up the rest.  AVG came up with a clean scan after I uninstalled the old antivirus.

How did my friend get infected?  Who knows.  There are so many exploits that this Trojan could have used that I don’t have a clue.  The computer is a family machine, used mostly by children for online games and such.

Just visiting a family-friendly site can get your computer infected these days. It could have been worse.  It might have been an infection that actually encrypted the contents of the whole computer.  That’s a nightmare I am glad I didn’t have to deal with.

Thanks, Mal.

Filed under Anti-Malware Tools, Free Security Programs, Guest Writers, Malware Removal

Malware Hunting? Checkout These 20 + Free Tools Designed To Destroy Tough Malware

Choosing and using the right tool, which has been designed specifically for the job at hand, is obviously a levelheaded approach. Still, I’ll wager that you can conjure up more than one occasion when you’ve encountered the “one tool for all purposes” mindset – the so-called “Birmingham Screwdriver” effect – “If it doesn’t work – hit it. If it still doesn’t work, use a bigger hammer.”

The Birmingham Screwdriver approach, taken by many AV solutions, may not always be the most appropriate approach to eradicating a tough malware problem – a specially designed application which targets specific classes of malware may be a better solution.

The following tools have been specifically designed to help skilled users better identify malware infections and then eradicate (hopefully) those specific infections. These tools require advanced computer knowledge – unless you feel confident in your diagnostic skills, you should avoid them.

Just to be clear – not all of these tools are “one-click simple” to decipher, and users need to be particularly mindful of false positives.

Should you choose to add these applications to your antimalware toolbox, be aware that you will need the latest updated version for maximum impact.

Note: Many of the following tools have been tested and reviewed here previously.

Emsisoft HiJackFree

The program operates as a detailed system analysis tool that can help you in the detection and removal of Hijackers, Spyware, Adware, Trojans, Worms, and other malware. It doesn’t offer live protection but instead, it examines your system, determines if it’s been infected, and then allows you to wipe out the malware.

Runscanner

If you’re a malware hunter, and you’re in the market for a free system utility which will scan your system for running programs, autostart locations, drivers, services and hijack points, then Runscanner should make your shortlist. The developers of Runscanner describe this freeware utility as having been designed to “detect changes and misconfigurations in your system caused by spyware, viruses, or human error.”

HijackThis

HijackThis is a free utility which heuristically scans your computer to find settings that may have been changed by homepage hijackers, spyware, other malware, or even unwanted programs. In addition to this scan-and-remove capability, HijackThis comes with several tools useful in manually removing malware from a computer. The program doesn’t target specific programs, but instead it analyses registry and file settings, and then targets the methods used by cyber-crooks. After you scan your computer, HijackThis creates a report, and a log file (if you choose to do so), with the results of the scan.

RKill

RKill is a program developed at BleepingComputer.com – “It was created so that we could have an easy to use tool that kills known processes that stop the use of our normal anti-malware applications. Simple as that. Nothing fancy. Just kill known malware processes so that anti-malware programs can do their job.”

Emsisoft BlitzBlank

BlitzBlank is a tool for experienced users and all those who must deal with Malware on a daily basis. Malware infections are not always easy to clean up. In more and more cases it is almost impossible to delete a Malware file while Windows is running. BlitzBlank deletes files, Registry entries and drivers at boot time before Windows and all other programs are loaded.

McAfee Labs Stinger

Stinger is a stand-alone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but rather a tool to assist administrators and users when dealing with an infected system. Stinger utilizes next generation scan engine technology, including process scanning, digitally signed DAT files, and scan performance optimizations.

Specialty Removal Tools From BitDefender

28 special removal tools from Bitdefender. On the page – click on “Removal Tools”.

Microsoft Malicious Software Removal Tool

This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month.

NoVirusThanks

NoVirusThanks Malware Remover is an application designed to detect and remove specific malware, Trojans, worms and other malicious threats that can damage your computer. It can also detect and remove rogue security software, spyware and adware. This program is not an Antivirus and does not protect you in real time, but it can help you to detect and remove Trojans, spyware and rogue security software installed on your computer.

Norton Power Eraser

Symantec describes Norton Power Eraser in part, as a tool that “takes on difficult to detect crimeware known as scareware or rogueware. The Norton Power Eraser is specially designed to aggressively target and eliminate this type of crimeware and restore your PC back to health.”

FreeFixer

FreeFixer is a general purpose removal tool which will help you to delete potentially unwanted software, such as adware, spyware, Trojans, viruses and worms. FreeFixer works by scanning a large number of locations where unwanted software has a known record of appearing or leaving traces. FreeFixer does not know what is good or bad so the scan result will contain both files and settings that you want to keep and perhaps some that you want to remove.

Rootkit Tools:

If you think you might have hidden malware on your system, I recommend that you run multiple rootkit detectors. Much like anti-spyware programs, no one program catches everything.

IceSword

IceSword is a very powerful software application that will scan your computer for rootkits. It also displays hidden processes and resources on your system that you would be unlikely to find in any other Windows Explorer like program. Because of the amount of information presented in the application, please note that IceSword was designed for more advanced users.

GMER

This freeware tool is essentially a combination of Sysinternals’ Rootkit Revealer and Process Explorer. The program can list running processes, modules and Windows services, in addition to scanning for the presence of rootkits.

Special mention 1:

In addition to its superb free AV application, MalwareBytes offers a basket full of specialty tools. The following application descriptions have been taken from the site.

Chameleon

Malwarebytes Chameleon technology gets Malwarebytes running when blocked by malicious programs.

Malwarebytes Anti-Rootkit BETA

Malwarebytes Anti-Rootkit removes the latest rootkits.

FileASSASSIN

FileASSASSIN can eradicate any type of locked files from your computer.

RegASSASSIN

RegASSASSIN removes malware-placed registry keys in two simple steps – just reset permissions and delete! This powerful and portable application makes hard-to-remove registry keys a thing of the past.

Special mention 2:

A Rescue Disk (Live CD), which I like to think of as the “SWAT Team” of antimalware solutions – is an important addition to your malware toolbox. More often than not, a Live CD can help you kill malware DEAD!

Avira AntiVir Rescue System – The Avira AntiVir Rescue System is a Linux-based application that allows access to computers that cannot be booted anymore. Thus it is possible to repair a damaged system, to rescue data or to scan the system for virus infections.

Kaspersky Rescue Disk – Boot from the Kaspersky Rescue Disk to scan and remove threats from an infected computer without the risk of infecting other files or computers.

Filed under Anti-Malware Tools, downloads, Freeware, Geek Software and Tools, Malware Removal, Rootkit Revealers, System Recovery Tools

Tweaking.com Windows Repair 1.7.5 – A One Click Simple Free Repair Utility

While freeware maintenance applications are readily available for download (and, many of them are very capable), finding a good, solid, freeware system repair application, suitable for less technically inclined computer users, is always a challenge.

One of my favorites in this application genre is Tweaking.com’s Windows Repair – a super all-in-one repair tool which has undergone 30 revisions since I last reviewed it. This small tool has plenty of functionality, including the ability to fix registry errors and file permissions – as well as issues with Internet Explorer, Windows Update, Windows Firewall, and more.

Windows Repair can even restore Windows original settings which have been changed by malware – a common occurrence.

Fast facts – Windows Repair can do the following:

Reset Registry Permissions
Reset File Permissions
Register System Files
Repair WMI
Repair Windows Firewall
Repair Internet Explorer
Repair MDAC & MS Jet
Repair Hosts File
Remove Policies Set By Infections
Repair Icons
Repair Winsock & DNS Cache
Remove Temp Files
Repair Proxy Settings
Unhide Non System Files
Repair Windows Updates
and more…

As the following screen captures show – Windows Repair is not only simple to operate but also “holds the user’s hand” while working through the repair process.

For those users dealing with a malware infected system, the application directs the user to a number of anti-malware freebies so that the repair process can begin on the right footing.

Previous users will note that both Avast and ComboFix (a specialty antimalware tool), have been added to Step One.

As the application points out in the following screen shot, there’s nothing to be gained by completing a repair sequence if there are errors in the file system.

While the system file check is optional, it makes good sense to run this tool.

Likewise, with the file version checking tool.

Prior to starting the repair process, both a System Restore Point and a Registry backup option are available.

A quick piece of advice: Never allow an application to make system changes without creating a System Restore Point first. It takes only a minute or two.

The updated application dispenses with the old three level system of repairs. Instead, all repairs have been combined into a single window – as illustrated in the following screen capture.

In the above screen capture, I’ve highlighted a single repair – Repair Winsock and DNS Cache. For the Geek crowd this is a simple repair.

The Geek way:

Go to “Run” in the Start menu (“Search” for “Run” if you can’t see it).

In the Run box, type CMD (doesn’t need to be capitalized).

At the command prompt (not in the Run box), type ipconfig /flushdns.

Hit “Enter”, and that’s it. The DNS cache has just been flushed.

Looks pretty simple – if you are a Geek. With Windows Repair, there’s no need to have all the esoteric system info that geeks carry around in their heads – one click and the job is done.

Let’s take a quick look at repairing a problem I have on this machine – Windows Update is acting a little wonky.

I’ve selected the Repair Windows Update checkbox.

The following screen capture illustrates Windows Repair running the routine.

Time to complete the repair – 14 seconds – not including the required restart. How’s that for speed?

Here’s what regular readers have to say about this super application – based on a previous review.

Steve

September 1, 2011 at 10:49 pm

Excellent program. Just featured it twice in a week because it really saved us. I’m so used to re-registering files or doing fixes that it is second nature. We just ran into a computer where the answers and suggestions on the web just didn’t work. The program re-registered over 1000 files and the PC was fixed. Ironically I had worked with it for two hours and remembered your review! SFC and every solution became fruitless.

TeXaCo

September 7, 2011 at 10:34 pm

I just wanted to let you know that my brother talked to me about problems on his computer where registry entries were apparently messed up. He could not open any Word documents at all because they were all garbled with numbers and letters.

I didn’t know exactly what to tell him how to fix it and then I remembered you posting this so I told him to download this and try it out. Sure enough, after using the registry repair at tweaking.com his computer is back to normal... without a reformat.

I just figured you would like to know. It saved me some headaches.

Thanks for posting this.

Video: Using Tweaking.com – Windows Repair, by MajorGeeks.com.

System requirements: Windows XP, 2003, 2008, Vista, Win 7.

Download at: MajorGeeks

For those users who prefer to carry their utilities on a Flash drive – a portable version is available here.

Windows Repair makes it easy to repair common Windows problems, and its ease of operation should make it ideal for less experienced users.

Filed under Computer Tools, downloads, Freeware, Malware Removal, System Utilities

Comodo Cleaning Essentials – An Aggressive On-Demand Malware Scanner

This past week, Neil J. Rubenking, PC Magazine’s lead analyst for security, in his article – The Best Free Antivirus for 2012 – included Comodo Cleaning Essentials.  Earlier this year, I took this freebie application for a test run and wrote up my impressions. Curiously, this post had both Twitter and Facebook referrals but limited response from regular readers.

Comodo Cleaning Essentials is a tough application when used in the fight against malware, and in the event you missed this post, I’ve republished it here.

Comodo Cleaning Essentials

Comodo’s recently released portable Comodo Cleaning Essentials (freeware) is an interesting breed of applications within applications – an aggressive on-demand malware scanner (the core application), combined with several system tools – a variation of Windows Task Manager (KillSwitch), and an Autorun Analyzer.

Users who are familiar with Sysinternals Process Explorer will have little difficulty getting down to work with Comodo’s Autorun Analyzer. Or, for that matter, KillSwitch – an impressive Windows Task Manager replacement.

For now, I’ll focus on the on-demand malware scanner.

Simple, straightforward, and easy to understand GUIs are the standard – and, Comodo Cleaning Essentials meets that standard.

For my initial test run, I did not hold back in terms of the volume of information the application had to deal with – as illustrated in the following graphic. I should add – I set the selectable heuristics at “low level”. Users may choose to bump up this setting.

Updating of the database is an automatic process, as illustrated.

Following application launch, my first reaction was – Get It Done! Thirty-six minutes in, and memory scanning had not yet been completed. SLOW!

Three hours plus. Yawn – I’M WAITING!!!!!!!!

Waiting still – at the four hour plus mark. At this point I exited the application (2 million objects scanned), since drive E: is malware free. As well, the 49 threats found by the scanner were all false positives – not a bad thing necessarily. More on this to follow.

Comodo Cleaning Essentials is no slouch at eating up the clock cycles – as illustrated in the following screen shot.

I jumped ahead a little bit here, and ran a comparable scan with Microsoft Security Essentials which, as you can see in the following graphic, is not a system resource hog.

MSE test run – using the same test parameters.

The MSE scan completed in just under three hours. Keep in mind however – MSE is not portable, and is designed to act as a first line of defense against malware penetration.

Comodo Cleaning Essentials on the other hand, has been crafted as a “real world – everything is messed up” solution. Especially valuable in circumstances where malware has blocked access to onboard AVs.

The false positive issue.

No doubt, warnings and cautions generated by antimalware scanners can often be a major frustration – time consuming and just a pain in the butt. On the other hand, scanning a hard drive which has been overrun by malware demands the use of an aggressive tool – and, Comodo Cleaning Essentials certainly qualifies as “aggressive”. Simply put – you can’t have your cake and eat it too.

Autorun Analyzer:

As mentioned earlier, this component is a Process Explorer takeoff – with a number of worthwhile additional features.

The following screen capture (showing all entries) indicates 3 possibly unsafe entries which, on investigation, proved to be benign. Still, better safe than sorry. So, I take no issue with warnings which prove to be a “false alarm”. I’m all in favor of a “give me the bad news” philosophy – I’ll determine the relevancy of the information provided.

KillSwitch:

As a Windows Task Manager Replacement, KillSwitch has it in spades. The following screen shots illustrate just a few of the enhancements.

Over the years, I’ve happily been able to convince more than a few readers to occasionally spot check their network connections, using stand-alone applications such as CurrPorts.  KillSwitch includes this capability – a very good move in my estimation.

Finally (at least for this report), KillSwitch includes a “Quick Repair” tool which, in the right circumstance, could be invaluable. Sorry, for this review I couldn’t find any items on this test platform to repair.

Fast facts:

Classifies the threat level of all objects and processes currently loaded into memory and highlights those that are not trusted

Allows the admin to terminate, delete or suspend every untrusted item with a single click.

On-demand malware scanner quickly finds viruses, rootkits and hidden services

Extremely efficient malware removal routines thoroughly disinfect virus stricken endpoints

Detailed statistics and graphs allow admins to analyze and fine tune system activity to almost infinite levels of detail

Leverages Comodo’s huge whitelist database to accurately identify the trust status of every running process with minimal false positives

Integration with Comodo cloud scanning technology delivers instant behavioral analysis of unknown processes

Powerful system tools provide control over even the most obscure system settings

Simple interface for admins to manage trusted vendors list

Comprehensive event logs provide detailed overview of system activity on endpoint machines

Quick repair feature allows fast restoration of important Windows settings

Can replace the standard Windows Task Manager if required

Another indispensable addition to admin’s security toolkit to complement software such as Comodo Internet Security

Lightweight – requires no installation and can be run right from a USB stick

System Requirements: Windows 7 – 32 and 64 bit, Windows Vista – 32 and 64 bit, Windows XP – 32 and 64 bit

Download at: Comodo

I’m not suggesting that Comodo Cleaning Essentials is the perfect tool (if you find such a tool, please let me know), but if you’re on the hunt for a lightweight, standalone security application – that doesn’t require installation – Comodo Cleaning Essentials deserves a close look.

A caveat: This application is not designed to be used by anyone other than highly knowledgeable, and well experienced users.

Filed under Anti-Malware Tools, Comodo, downloads, Freeware, Malware Removal, System Utilities, Windows Task Manager Replacement

Comodo Cleaning Essentials – Fast It’s Not – Powerful It Is

Filed under Anti-Malware Tools, Comodo, downloads, Freeware, Malware Removal, System Utilities, Windows Task Manager Replacement

Microsoft’s Malicious Software Removal Tool Focuses On Families – Malware Families, That Is

Like it or not, (what’s not to like), you get scanned once a month – provided that is, you update your Windows OS on the second Tuesday of each month (fondly known as Patch Tuesday).

Malware comes, and malware goes. Not all malware of course, but the majority of malware doesn’t stick around very long – just a few days in many cases. Still, with upwards of 300,000 new malware samples every day (according to some estimates), AV solutions could soon be overrun in the race to keep pace with this onslaught. Luckily, malware can often be grouped by families (malware with inherited characteristics), and that’s where Microsoft’s Malicious Software Removal Tool, specifically, comes into play.

The Malicious Software Removal Tool, which is updated monthly, is included with Patch Tuesday’s Windows Update and once activated – runs in the background targeting specific, prevalent malware families. If an infection is found, the tool will remove the malware (hopefully), and provide a report on any actions taken.

A list of malicious software detected and cleaned by the Malicious Software Removal Tool is available here.

If you wish, you can download and then run this tool manually, as required. The latest edition of the tool is always available at the Microsoft Download Center.

System requirements: Windows 7, Windows Server 2003, Windows Vista, Windows XP

You might wonder why Microsoft would make a point of including this AV scanner as part of Windows Update. Here’s why (in my view) – an astonishingly large number of users don’t have any security applications installed or, where an AV solution is installed, its database is rarely (if ever) updated.

If you take issue with this statement (and that’s fair), then test it by asking a few typical-user friends to name their AV application, tell you the last time they updated the database, and say whether they recall the last time they ran a malware scan. I think you’ll be disappointed with the response.

A website worth taking note of: Microsoft Consumer Security Support Center.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.


Filed under 64 Bit Software, Anti-Malware Tools, Freeware, Malware Removal, Microsoft, Microsoft Patch Tuesday, Software, Windows Tips and Tools, Windows Update

With Kaspersky’s Free TDSSKiller You’ll Have A Fighting Chance To Kill Rootkits

There’s malware, and then – there’s MALWARE. In other words, all malware is not created equal. For example, Rootkits are not your common everyday piece of malware.

The nastiest variety, the bootkit, overwrites the hard drive’s MBR (master boot record) – the first sector, sector 0, which holds the partition table and the code that runs after the BIOS hands off – so the rootkit is loaded before Windows, and before any security software, gets a chance to run.

However it gets loaded, a rootkit’s job is to hide: its files and processes will not appear in Explorer, Task Manager, and other standard tools. It’s easy to see then, that if a threat uses rootkit technology to hide, it is going to be difficult to find.

And yes, I’m aware that major AV application developers are fond of pointing out that their products will flag and remove Rootkits. Users are expected to believe those claims – DON’T!

From a previous article (June 2011) –

Microsoft is telling Windows users that they’ll have to reinstall the operating system if they get infected with a new rootkit that hides in the machine’s boot sector. A new variant of a Trojan Microsoft calls “Popureb” digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration.

Scanning for Rootkits occasionally is good practice and, by scanning with the right tools, Rootkits can be hunted down and eradicated (maybe) – but personally, I would never trust that any detection/removal application has successfully removed a Rootkit.

If you have detected that your system has become infected by a Rootkit, I recommend that you first wipe the drive – using a free tool such as Darik’s Boot And Nuke – reformat, and only then reinstall the operating system. The wipe is not optional: reformatting the Windows partition alone leaves sector 0 untouched, so a bootkit sitting in the MBR can survive a reformat and reinstall.

Rootkit detectors can be difficult to work with and consequently, my good buddy Michael C., following the last post on Rootkit detection – Got A Rootkit Infection? – Find Out With These Four Free Rootkit Detectors – posed the following question: “Just wondering if there is a rootkit detector for us “average users” that doesn’t require a MIT degree.”

And, there is.

Kaspersky Labs has developed the free TDSSKiller utility which is designed to detect and remove common Rootkits. Specifically, Rootkits in the Rootkit.Win32.TDSS family (TDSS, Sinowal, Whistler, Phanta, Trup, Stoned) – in addition to regular Rootkits (now, there’s a misnomer), as well as Bootkits.

Usage instructions:

Download the TDSSKiller.zip archive and extract it into a folder on the infected (or possibly infected) computer with an archiver (free 7-Zip, for example).

Run the TDSSKiller.exe file.

The utility can detect the following suspicious objects:

Hidden service – a registry key that is hidden from standard listing.

Blocked service – a registry key that cannot be opened by standard means.

Hidden file – a file on the disk that is hidden from standard listing.

Blocked file – a file on the disk that cannot be opened by standard means.

Forged file – when read by standard means, the original content is returned instead of the actual one.

BackBoot.gen – a suspected MBR infection with an unknown bootkit.
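The MBR check behind the “BackBoot.gen” verdict above, and the reason sector 0 matters, can be shown in a few lines. Here is an added example (my code, not Kaspersky’s) that decodes a 512-byte MBR and compares its bootstrap code against a baseline hash taken when the machine was known clean: a bootkit replaces that code but keeps the partition table intact so the PC still boots, which is exactly the pattern this flags. The sectors built below are constructed test data – the boot code is filler and the partition entry is invented – and the read_sector0 helper is the only part that touches a real disk.

```python
"""Inspect sector 0 (the MBR) and compare its bootstrap code with a baseline.

Added example, not Kaspersky's code. The test sectors are constructed: the
"clean" code opens like a standard PC MBR and is then filler, the "tampered"
code is arbitrary filler (not any real bootkit), and the partition entry is invented.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0-439: bootstrap code; 440-443 disk signature; 444-445 reserved
PART_TABLE_OFF = 446          # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510-511


@dataclass
class Partition:
    bootable: bool
    type_id: int      # 0x07 NTFS, 0xEE GPT protective MBR, ...
    lba_start: int
    sectors: int


@dataclass
class Mbr:
    boot_code_sha256: str
    disk_signature: int
    partitions: List[Partition]
    signature_ok: bool


def parse_mbr(sector: bytes) -> Mbr:
    """Decode the fixed layout of a classic MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, type_id = sector[off], sector[off + 4]          # CHS fields at +1..+3 and +5..+7 are ignored
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if type_id != 0:                                         # type 0 marks an unused entry
            parts.append(Partition(bool(status & 0x80), type_id, lba_start, sectors))
    return Mbr(
        boot_code_sha256=hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        disk_signature=struct.unpack_from("<I", sector, 440)[0],
        partitions=parts,
        signature_ok=sector[510:512] == BOOT_SIGNATURE,
    )


def assess(mbr: Mbr, baseline_code_sha256: Optional[str]) -> List[str]:
    """Human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    if not mbr.signature_ok:
        findings.append("boot signature 55 AA missing: not a valid MBR")
    if baseline_code_sha256 and mbr.boot_code_sha256 != baseline_code_sha256:
        findings.append("bootstrap code differs from baseline: possible bootkit "
                        "(or a legitimately installed boot manager: find out which)")
    bootable = [p for p in mbr.partitions if p.bootable]
    # On a GPT disk the protective MBR (type 0xEE) need not carry a boot flag; UEFI ignores it.
    if len(bootable) != 1 and not any(p.type_id == 0xEE for p in mbr.partitions):
        findings.append(f"{len(bootable)} partitions flagged bootable, expected exactly one")
    return findings


def build_sector(boot_code: bytes, partitions: List[Partition], disk_signature: int = 0x1234ABCD) -> bytes:
    """Assemble a test MBR from its parts (constructed data for exercising the parser)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if p.bootable else 0, b"\0\0\0", p.type_id, b"\0\0\0", p.lba_start, p.sectors)
        for p in partitions
    ).ljust(64, b"\x00")
    return code + struct.pack("<IH", disk_signature, 0) + table + BOOT_SIGNATURE


def read_sector0(device: str) -> bytes:
    r"""Read the real MBR. Needs administrator/root: \\.\PhysicalDrive0 on Windows, /dev/sda on Linux."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


# Constructed sectors. CLEAN_CODE opens with xor ax,ax / mov ss,ax / mov sp,7C00h like a
# standard PC MBR, then NOP filler; TAMPERED_CODE is filler, not any real bootkit's code.
CLEAN_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 32
TAMPERED_CODE = b"\xEB\xFE" + b"\xCC" * 32
SYSTEM_PARTITION = [Partition(bootable=True, type_id=0x07, lba_start=2048, sectors=204800)]
CLEAN_SECTOR = build_sector(CLEAN_CODE, SYSTEM_PARTITION)
TAMPERED_SECTOR = build_sector(TAMPERED_CODE, SYSTEM_PARTITION)   # same table, different code

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_SECTOR).boot_code_sha256      # record this while the machine is known clean
    for label, sector in (("clean", CLEAN_SECTOR), ("tampered", TAMPERED_SECTOR)):
        print(label, assess(parse_mbr(sector), baseline) or ["no findings"])
```

Keep the baseline hash per machine rather than trusting a single “golden” value: Windows, GRUB and third-party boot managers each write different bootstrap code, and a GPT disk’s protective MBR may carry no code at all. What you are looking for is the code changing when nobody installed anything.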

The interface is clean and simple. On my test system the completed scan showed the machine clean and free of Rootkit infections, and the scan finished in 10 seconds. Following the scan, you will have access to a full report – if you choose.

System requirements: Win 7, Vista, XP (both 32 and 64 bit systems).

Download at: Kaspersky

Since false positives are always a major consideration with tools of this type, be aware that tools like this are designed for advanced users, and above.

If you need help in identifying a suspicious file/s, you can send the file/s to VirusTotal.com so that the suspicious file/s can be analyzed.

To read a blow-by-blow description of just how difficult it can be to identify and remove a Rootkit, you can check out this Malwarebytes malware removal forum posting.



Filed under 64 Bit Software, Anti-Malware Tools, downloads, Free Anti-malware Software, Freeware, Kaspersky, Malware Removal, Malwarebytes’ Anti-Malware, Recommended Web Sites, Rootkit Revealers, rootkits, Software, System Security, Utilities, Windows Tips and Tools

Norman Malware Cleaner –Another Free Tool To Remove Tough Malware

Just like the 14 free specialty malware removal tools I wrote about earlier this year, Norman Malware Cleaner has been designed to identify tough malware infections, including specific malware, and then help you eradicate those infections.

Since this particular application is a stand-alone executable, it does not require installation (perfect for a flash drive). Because scanning with the most recent definition database is a must, you will need to download a fresh copy of the application each time you use it.

On execution, you will be presented with the end user agreement – quite possibly the shortest end user agreement I’ve ever seen.

Despite the fact that this is a powerful application, setting the options is fairly straightforward.

For the first test, I ran a simple Quick scan. It completed in less than four minutes, and indicated that no infections were present.

I then changed two registry policies that duplicate common malware behaviour – denying access to Task Manager (the policy lives under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System), and crippling Windows Explorer’s “show hidden files” option. Norman Malware Cleaner had no difficulty picking up, and cleaning, these registry changes on a scan rerun.

A scan results log file is saved to the desktop.
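The two changes I made for that test are worth knowing how to check by hand, because rogue AV and ransomware families set exactly these values. Here is an added example (my code, not Norman’s) that audits the registry locations involved and emits the reg.exe commands to undo whatever it finds. The key paths are the real Windows locations; the two “observed” dictionaries are constructed to stand in for a clean and a tampered machine so the audit runs anywhere, while read_live() reads the actual registry and works only on Windows.

```python
"""Audit the registry values malware flips to disable Task Manager and hide its files.

Added example, not Norman's code. The key paths are real Windows locations; the
CLEAN_MACHINE and TAMPERED_MACHINE observations are constructed test data.
"""
from typing import Dict, List, Optional, Tuple

HKCU, HKLM = "HKCU", "HKLM"
POLICIES_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICIES_EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SHOWALL = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"

# (hive, key, value name, expected, meaning). expected None means "must be absent or 0".
CHECKS = [
    (HKCU, POLICIES_SYSTEM, "DisableTaskMgr", None, "Task Manager disabled by policy"),
    (HKCU, POLICIES_SYSTEM, "DisableRegistryTools", None, "Registry Editor disabled by policy"),
    (HKCU, POLICIES_EXPLORER, "NoFolderOptions", None, "Folder Options removed from Explorer"),
    # Explorer's "Show hidden files" radio button writes CheckedValue into the Hidden key;
    # malware sets it to 0 so ticking the button silently does nothing.
    (HKLM, SHOWALL, "CheckedValue", 1, "'Show hidden files' option neutered"),
]

Observed = Dict[Tuple[str, str, str], Optional[int]]   # (hive, key, name) -> DWORD, or None if absent


def _violations(observed: Observed):
    """Yield the CHECKS entries whose observed value is out of line, with the value seen."""
    for hive, key, name, expected, meaning in CHECKS:
        value = observed.get((hive, key, name))
        if expected is None and value not in (None, 0):
            yield hive, key, name, expected, meaning, value
        elif expected is not None and value != expected:
            yield hive, key, name, expected, meaning, value


def audit(observed: Observed) -> List[str]:
    """Human-readable findings; an empty list means no tampering seen."""
    findings = []
    for hive, key, name, expected, meaning, value in _violations(observed):
        tail = f", expected {expected}" if expected is not None else ""
        findings.append(f"{meaning}: {hive}\\{key}\\{name} = {value!r}{tail}")
    return findings


def fix_commands(observed: Observed) -> List[str]:
    """reg.exe commands that undo each finding (run from an elevated prompt)."""
    cmds = []
    for hive, key, name, expected, _meaning, _value in _violations(observed):
        if expected is None:
            cmds.append(f'reg delete "{hive}\\{key}" /v {name} /f')
        else:
            cmds.append(f'reg add "{hive}\\{key}" /v {name} /t REG_DWORD /d {expected} /f')
    return cmds


def read_live() -> Observed:
    """Read the checked values from the live registry (Windows only)."""
    import winreg  # Windows-only module, imported here so the rest of the file runs elsewhere
    roots = {HKCU: winreg.HKEY_CURRENT_USER, HKLM: winreg.HKEY_LOCAL_MACHINE}
    observed: Observed = {}
    for hive, key, name, _expected, _meaning in CHECKS:
        try:
            with winreg.OpenKey(roots[hive], key) as handle:
                value, _kind = winreg.QueryValueEx(handle, name)
        except OSError:            # key or value does not exist
            value = None
        observed[(hive, key, name)] = value
    return observed


# Constructed observations. A clean machine has none of the policy values and CheckedValue = 1.
CLEAN_MACHINE: Observed = {(HKLM, SHOWALL, "CheckedValue"): 1}
# A FakeAV-style infection: Task Manager policy set, CheckedValue zeroed.
TAMPERED_MACHINE: Observed = {
    (HKCU, POLICIES_SYSTEM, "DisableTaskMgr"): 1,
    (HKLM, SHOWALL, "CheckedValue"): 0,
}

if __name__ == "__main__":
    import sys
    observed = read_live() if sys.platform == "win32" else TAMPERED_MACHINE
    for line in audit(observed) or ["no tampering detected"]:
        print(line)
    for cmd in fix_commands(observed):
        print("fix:", cmd)
```

Two caveats a cleaner like Norman’s handles for you but a manual fix does not: reverting the values while the malware process is still running is pointless, because it will set them straight back, and a machine that is domain-joined may have DisableTaskMgr set deliberately by Group Policy, so confirm with the administrator before deleting it.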

Fast facts:

Detect and remove malware (viruses, rootkits, FakeAV, worms and more)

Utilize advanced Anti-Rootkit technology

Quarantine module

Scanning and cleaning including Norman patented Norman SandBox technology

Supports Quick- Normal- Full- Custom Scan mode

Command line options for tailoring scans across several machines (businesses)

Daily signature updates available

System requirements: Windows 2000, XP, 2003, Vista, 2008 and Win 7.

Download at: Norman

Registration is required.

Note: This application is for use when you are dealing with a machine you know is infected. It is not a replacement for a real-time AV.

As with most tools in this class, advanced computer knowledge is required. Unless you feel confident in your diagnostic skills, you would be better off avoiding this application.



Filed under Anti-Malware Tools, downloads, flash drive, Free Anti-malware Software, Freeware, Geek Software and Tools, Malware Removal, Portable Applications, Rogue Software Removal Tips, rootkits, Software, USB, Windows Tips and Tools, worms

Got A Rootkit Infection? – Find Out With These Four Free Rootkit Detectors

Earlier this week, in my Daily Net News column, I posted the following –

Microsoft is telling Windows users that they’ll have to reinstall the operating system if they get infected with a new rootkit that hides in the machine’s boot sector. A new variant of a Trojan Microsoft calls “Popureb” digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration.

That’s truly scary stuff – rootkits are not your common everyday piece of malware. As a reminder to regular readers that rootkits can be hunted down and eradicated, I’m reposting an edited version of an article first published in December of last year.

Rootkits use any number of techniques to hide, including concealing running processes from monitoring programs, and hiding files, and system data, from the operating system.

In other words, the rootkit files and processes will be hidden in Explorer, Task Manager, and other detection tools. It’s easy to see then, that if a threat uses rootkit technology to hide, it is going to be difficult to find.

So, scanning for Rootkits occasionally is good practice, and if you have the necessary skills to interpret the results of a Rootkit scan, Tizer Rootkit Razor appears to be a good choice to help you do this. I should be clear however, this tool is not “one-click simple” to decipher, and users need to be particularly mindful of false positives.

Since false positives are always a major consideration with tools of this type, be aware that tools like this are designed for advanced users, and above.

Here’s a reasonable test to determine if you have the skills necessary to use this application effectively. If you’re not capable of using, and interpreting, an application such as HiJackThis for example, it is unlikely that using this program would prove to be beneficial. On the other hand, if you can interpret the results of a  HiJackThis scan, you’re probably “good to go”.

The user interface is dead simple – functional and efficient, as the screens from my test system showed. BTW, no Rootkits were found during this test, or after scanning with the additional tools listed below.

Fast facts:

Main Screen: This page displays information related to your operating system and memory usage.

Smart Scan: This feature automatically scans all the critical areas in the system and displays hidden objects, making things easier for the user.

NOTE: The user is provided with a feature to fix the hidden object (if any).

Process Scan: This module scans processes currently running on the machine. A process entry will be highlighted in red if it is a hidden rootkit. The user can click on an individual process to display any hidden modules loaded by the process.

NOTE: The user is provided with the option to terminate processes and delete modules.

Registry Scan: This module scans for hidden registry objects.

Smart Scan: A smart scan will scan the critical areas of the registry.

Custom View: This module provides a virtual registry editor view, which lets the user navigate through the registry and check for hidden keys or values. (Hidden keys/values will be highlighted.)

Kernel Module Scan: This module scans for loaded drivers in the memory. A module entry will be highlighted in red if it is hidden.

NOTE: The user is provided with a feature to unload and delete a driver module from memory.

Services Scan: This module scans all installed services on the local machine. A particular service entry will be highlighted if it is hidden.

NOTE: The user is provided with start, stop, pause, and resume features. They may also change the startup type of service.

SPI Scan: This module lists all the LSPs (Layered Service Providers, which sit in the Winsock stack and see all network traffic) installed in the system. This is read-only information.

NOTE: The user can check for any unauthorized LSP installed.

SSDT Scan: This module scans for any altered value in the System Service Descriptor Table (SSDT), the kernel’s table of system call handlers. Altering an entry so it points at the rootkit’s own code is termed “hooking”.

NOTE: The user can restore the altered value to its original value.

Ports Scan: This module will scan all open TCP and UDP ports. A particular port entry will be highlighted if it is hidden.

NOTE: The user is provided with the option to terminate the connection.

Thread Scan: This module will enumerate all running processes. The user can click on a particular process to view and scan all threads running in context of that process. Any hidden threads will be highlighted in red.

NOTE: The user is provided with the option to terminate a thread.

File/Object Scan: This module will scan for any hidden files in the system. The user selects a location on the computer to scan.

Click here to read about Tizer Rootkit Razor’s features, in comparison with other anti-rootkit applications.

System requirements: Windows XP, Vista, Win 7

Download at: Tizer Secure

Note: registration required.

If you think you might have hidden malware on your system, I recommend that you run multiple rootkit detectors. Much like anti-spyware programs, no one program catches everything. To be safe, I occasionally use each of the rootkit detectors listed below, on my machines.

Microsoft Rootkit Revealer

RootkitRevealer, from Microsoft’s Sysinternals group, is an advanced rootkit detection utility. Its output lists Registry and file system API discrepancies – differences between what the high-level Windows APIs report and what a raw scan of the registry hives and disk finds – that may indicate the presence of a user-mode or kernel-mode rootkit. According to Microsoft, Rootkit Revealer successfully detects all persistent rootkits published at http://www.rootkit.com, including AFX, Vanquish and Hacker Defender.

IceSword

IceSword is a very powerful software application that will scan your computer for rootkits. It also displays hidden processes and resources on your system that you would be unlikely to find in any other Windows Explorer like program. Because of the amount of information presented in the application, please note that IceSword was designed for more advanced users.

GMER

This freeware tool is essentially a combination of Sysinternals’ Rootkit Revealer and Process Explorer. The program can list running processes, modules and Windows services, in addition to scanning for the presence of rootkits.



Filed under Anti-Malware Tools, Cyber Crime, Cyber Criminals, downloads, Free Anti-malware Software, Freeware, Geek Software and Tools, Malware Removal, Rootkit Revealers, rootkits, Software, Utilities, Windows Tips and Tools

Runscanner – Aggressively Queries Your System And Applications For Unauthorized Changes


The developers of Runscanner describe this freeware utility as having been designed to “detect changes and misconfigurations in your system caused by spyware, viruses, or human error.”

Sounds a bit like HijackThis, the free utility from Trend Micro, which has a well deserved reputation for being aggressive in tracking down unauthorized changes that have been made to your system/applications.

Runscanner though, takes this process miles beyond HijackThis, and does so by  using an intuitive approach that casual users*, and experienced users alike, should find easy to work with.

*The only difficulty I see, that casual users might have a problem with is – the enormous volume of information this application is capable of producing. This could make it difficult for a casual user to interpret results.

Runscanner is a simple executable, and no installation is required. Just run the file, and then choose your mode – beginner or expert.

The full scan I ran on a Win 7 (32 bit) machine turned up only one entry I was unfamiliar with – Staropen.sys. Runscanner was right on the job though, with the right-click context menu providing access to “lookup” services.

I took a look at Staropen.sys using a Google link to the Prevx file investigation site, and found the following: The filename Staropen.sys is used by objects that are classified as safe. It has not yet been seen to be associated with malicious software.

I then uploaded the file to VirusTotal (another context menu option) for a second opinion.

I suspected that this system driver was a component of CDBurnerXP, and opening the file location (another context menu option), then looking at the readable strings when the driver is opened in Notepad, indicated this was correct.

The next part of the test involved generating an online malware analysis report – a massive report covering every item considered safe, unsafe or whitelisted, along with verification of each file’s digital signature. The report is the most comprehensive I’ve ever seen produced by this type of utility.

In my test I queried the Nitro PDF Spool Service entry. Rather than go directly to the site, I used COOL Previews to gather the relevant information. If you’re not yet familiar with COOL Previews, you can read a review of this outstanding time saver here – Surf Smarter – Take A Sneak Peek At Links With CoolPreviews Firefox Add-on.

Fast facts:

100+ start/hijack locations

Online malware analysis

Import and export of .run files

Powerful process killer

Save to text log file

Powerful file filtering

Hosts file editor

History backup / restore

Explorer jump

Analysis of file certificates

Beginner, Expert mode

Bit9 FileAdvisor MD5 lookup

Systemlookup.com lookup

Upload file to VirusTotal

Analyze loaded modules

Google lookup

Runscanner database lookup

Regedit jump

If you are a casual user, one caveat from the developer you should be aware of: Runscanner requires advanced Windows knowledge. If you delete an item, without knowing what it is, it can lead to major Windows problems. If you are not sure what to delete, post your Run file to a helper forum.

A list of helper forums is available directly from within the application, or here.

System requirements: Windows 2003, Windows 2000, Windows Vista, Windows XP, Windows 7 (according to the developers, the application is x64 compatible).

Download at: Download.com

Public process list is an additional service provided by the developers. In this list you will be able to browse all processes and files found by Runscanner. Extra information for top processes is added to the database and optional security info is provided by research.

Runscanner has additional capabilities not reviewed here, so I recommend that you take a close look at this freebie. I think you’ll find that it’s worth the effort.



Filed under 64 Bit Software, downloads, Freeware, Geek Software and Tools, Malware Removal, Manual Malware Removal, Software, System Process Scanners, System Utilities, Utilities, Windows Tips and Tools