Never miss an update! Get PC Plus in your RSS reader and follow us on Twitter

Cobbett: Malware Wars

Had I not been busy daydreaming of dragging its creator through fields of salt-tipped broken glass, I might have been impressed by the bit of malware that squirmed its way onto my games machine this month. As a bit of software engineering, it’s right up there with the systems that launched the space shuttle, or the robot that squirts all those little holes into the Wispa bars. Only slightly less friendly...

Before you ask, no. My games machine doesn’t have any anti-virus software on it, or any other defensive layers. My regular machines do, but they have files and applications I care about. This one exists to get clogged up with everything under the sun, and routinely wiped when the boot-up process gets longer than the complete works of Dostoyevsky. Every couple of months, to be exact. The only surprising thing about it getting infected with the techno-lurgy is that it doesn’t happen more often.

I’m not sure where this particular strain came from. A quick Google suggested it usually hangs out on the kind of website I’m fairly sure I don’t take my computer on a romantic date to, so either it’s getting revenge for the time I’ve been spending around that shameless Netbook hussy I picked up for Christmas, or it’s decided to see other geeks on the side.

It would explain where all the Coke cans came from...

The malware introduced itself politely, early on Saturday afternoon, with a fake Windows Firewall message. A good one, too. If you don’t know that Microsoft isn’t in the habit of apologising for not being able to fix things, and doesn’t typically send you off to buy some other company’s software, you’re going to be impressed. Here though, the battle lines were drawn. How tricky could one little bit of malware be?

Famous last words.

It quickly became obvious that the slippery little bugger had its tentacles buried in everywhere. Firefox and IE loaded with another fake warning about a fake virus alert and the same desperate plea to go buy some crapware. It reminded me of Windows XP back in its first couple of weeks on the shelves, when users were constantly inundated with annoying little pop-up messages advertising overpriced programs to kill annoying little pop-up messages. Trying to navigate to any of the standard malware killer sites was a non-starter. Typing in the usual URLs to malware-busting software meant an instantly closed browser. No error message. No ceremony. No finger wagging. Boom. Gone.

"Your move," my nemesis chortled.

Not a problem, I thought. I have five PCs. And yes, they helped. A bit. I managed to get an anti-malware tool across, but the fake firewall promptly defanged it by wiping its collection of definitions and killing the update process whenever it went out to get new ones. Even when everything was manually smuggled onto the system and camouflaged as ‘notmalwarekillerhonest.zip’ (just to be safe), three separate programs cheerfully gave the system a clean bill of health, marred only by the fake Windows Firewall message obscuring their triumphant thumbs-up.

In the end, I admitted defeat, and ran System Restore. It survived that too. Even now, one complete reformatting and reinstall later, I keep half-expecting to see the mocking message spring back up onto the screen and resume its taunting ways. I hope not, but I’m keeping a bell, book and candle nearby just in case. If the impromptu exorcism fails, the whole thing’s going to have to be buried in consecrated ground. Apparently this is a one-click process in the new versions of McAfee and Norton.

It’s no wonder that malware and spyware and viruses are such a problem. Even if you know what you’re doing, the original creators know your battleplan and are always ready to update theirs with a new wave of more advanced evil. When only a tiny fraction of a percent of victims is needed to draw a profit, what hope do the rest of us have? One thing's for sure. If they ever catch the guy who wrote it, I'll bring the salt...

Interesting story, and a good view of why malware these days is so nasty, not to mention the fact that exploits in the browser which still haven't been discovered or plugged seem to be out there - just visiting a site can get one infected (NoScript in Firefox seems a good preventive measure - keep the JavaScript away!)

The problem with antivirus and antimalware software is that, for all their good intentions, they're rubbish. The sort of things you're likely to get infected with are the sort of things they can't protect you against. When you are infected, they're not much help in getting definitions, and even with definitions, they're too far behind the malware writers.

My recommended approach for killing off malware is to make use of 4 main tools (none of which require definitions, and which rely on the human mind rather than a company, a definite plus).

1: Gmer ( http://www.gmer.net/index.php ) - Rootkits are nasty, they can hide deep away and avoid detection through a number of means, but Gmer can pull them out quite nicely. It can highlight suspicious entries which you can investigate, giving you a lead if you might be malwared. Bear in mind however, you need to do a bit of reading up on what you're doing before trying to solve it alone.

2: Autoruns ( http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx ) - From SysInternals, AutoRuns is a fantastic piece of software. It lets you see all the places where a nasty piece of malware might be hiding, and lets you remove it. This is particularly useful these days when malware try to register themselves as drivers and blend in, avoiding detection by almost all tools. Autoruns can hide all Signed Microsoft files, making it easy to see anything suspicious (either pretending to be Microsoft made or just dodgy drivers).

3: Process explorer ( http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx ) - Another SysInternals tool, but very useful, if the malware is playing hard to get. If Firefox or IE are behaving badly, or if odd stuff is happening, Process Explorer is great at finding the problem. You can see what DLLs are loaded by different processes, as well as giving you a nice view of processes running on your system (why wasn't task manager like this?). You can then kill (or suspend) anything suspicious, to give you a better fighting chance.

4: HijackThis ( http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis ) - It's a classic, but it's good. If you've been able to detect any rootkit parts and remove any nasty drivers (as these don't show up in HijackThis), this will help you reverse the rest of the damage. Remove annoying startups, changed registry keys, annoying policies the malware writers decided you might enjoy and so forth.

Together, you can beat almost all of the malware out there. For the remaining malware, the incredibly nasty rootkits which hook in deeply, this should at least let you find it. Then you may need to use a specialist tool to delete the files on next boot, or just use a Linux boot CD or BartPE (bootable lightweight Windows on a CD, very handy: http://www.nu2.nu/pebuilder/ ) and you can have a clean system.

Detecting and removing nasties is a lot easier if you keep your system clean anyway. Get rid of all those stupid startup programs and bloat that try and get there. As a bonus, your system will run a lot better and it will be a lot easier to detect bad things too. iTunesHelper, QuickTimeTask... ick.

Fighting malware is good fun though.
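The Autoruns step of the procedure above, as an added example that is not code from the post, its commenters, or the Sysinternals tools: a PowerShell sweep that enumerates the Run/RunOnce keys plus services and kernel drivers, hides entries whose file carries a valid Microsoft Authenticode signature, and reports the rest as leads to look into. The function names (Resolve-ImagePath, Get-AutostartEntries, Show-SuspiciousAutostarts) are my own, and the "valid chain plus Microsoft subject" filter is a heuristic stand-in for Autoruns' own check.

```powershell
# Added example (not from the post or the tools it names): the Autoruns check
# from the comment done in PowerShell. Enumerate autostarts (Run/RunOnce keys,
# services, kernel drivers), hide files with a valid Microsoft signature, and
# report the rest as leads to investigate. Run from an elevated prompt.
function Resolve-ImagePath {
    param([string]$CommandLine)
    # Autostart values are command lines, not clean paths: strip quotes and
    # arguments, expand %SystemRoot%, and convert the NT-style prefixes that
    # driver entries use (\SystemRoot\..., \??\C:\..., bare system32\...).
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { $cmd = $matches[1] }
    elseif ($cmd -match '^(\S+\.(exe|dll|sys))') { $cmd = $matches[1] }
    $cmd = ($cmd -replace '^\\\?\?\\', '') -replace '^\\SystemRoot', $env:SystemRoot
    if ($cmd -notmatch '^[A-Za-z]:\\') { $cmd = Join-Path $env:SystemRoot $cmd }
    return $cmd
}
function Get-AutostartEntries {
    $runKeys = 'HKLM:', 'HKCU:' | ForEach-Object {
        "$_\Software\Microsoft\Windows\CurrentVersion\Run"
        "$_\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    }
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
            New-Object PSObject -Property @{ Source = $key; Name = $p.Name; Image = (Resolve-ImagePath $p.Value) }
        }
    }
    # Services and kernel drivers: where the comment says malware likes to blend in.
    foreach ($svc in Get-ChildItem 'HKLM:\System\CurrentControlSet\Services') {
        $ip = (Get-ItemProperty -Path $svc.PSPath).ImagePath
        if ($ip) { New-Object PSObject -Property @{ Source = 'Services'; Name = $svc.PSChildName; Image = (Resolve-ImagePath $ip) } }
    }
}
function Show-SuspiciousAutostarts {
    foreach ($e in Get-AutostartEntries) {
        if (-not (Test-Path -LiteralPath $e.Image)) { $status = 'file missing' }
        else {
            $sig = Get-AuthenticodeSignature -FilePath $e.Image -ErrorAction SilentlyContinue
            $pub = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Rough equivalent of Autoruns' "Hide Signed Microsoft Entries": a valid
            # chain plus a Microsoft subject (a heuristic, not Autoruns' own check).
            if ($sig.Status -eq 'Valid' -and $pub -like '*Microsoft Corporation*') { continue }
            $status = "$($sig.Status) $pub"
        }
        $e | Add-Member -MemberType NoteProperty -Name Status -Value $status -PassThru
    }
}
Show-SuspiciousAutostarts | Format-Table Source, Name, Image, Status -AutoSize
```

Before PowerShell 5.1, Get-AuthenticodeSignature does not read catalog signatures, so many genuine Windows binaries (catalog-signed rather than embedded-signed) will show as NotSigned; treat the output as leads to check, as the comment says, not as a verdict.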

Oli's picture

Thanks for the links - useful stuff. The main tool I use at the moment is MalwareBytes, which seems pretty effective as well. Although it relies on being able to get it onto your system in the first place, which can be tricky.

Richard Cobbett's picture
