Sunday, June 26, 2011

Anti-Malware Tools of Note

As promised, here is a resource-dump of some anti-virus/anti-malware tools I either use for came across in my recently documented battles that I thought would be helpful for reference.

As with many things in life, having the right tool for the particular job at hand can save much time and aggravation.   Hopefully most of these will already be well known to the GSD faithful readers. But I also hope that maybe one or two of these may be new finds as well to go into your toolbox.

Obviously this isn’t a complete list.  However they nicely supplement those I’ve already recommended. Check the side-bar to the left for many more that have been previously shared here.

While I do sometimes favor a direct frontal attack against malware while the system is running “live”, I typically find it much more productive to first whack-away at the infected system “off-line” having booted the system first in a WinPE environment.  I prefer to use my own custom Sexy USB Boots tools on a write-protected USB stick.  There are lots of flavors of WinPE including WinFE and WinRE and each bring their own benefits/drawbacks to the fight.

One important lesson I’ve learned is that the more scratch-space you can spare on your WinPE build, the better your apps will run in the WinPE operating environment.  Check out this WinPE and DISM/PEimg to boost Scratch Space (Ram Disk) post to option things out.  If you want to carry the option to boot from several different “boot.wim” files with different scratch-space settings, or maybe WinPE, WinRE, and WinFE boot options all on the same stick check out this WinPE Multi-boot a Bootable USB Storage device post for some thoughts.

Of course there are lots of different options for building your WinPE as well.  You can go “old-school” and use the Microsoft WAIK, there is WinBuilder, or you can check out TinyApps cool find to build a WinPE without any of those extra bits.  AgniPulse sets out a great tool and method to in his Beginners Guide to Creating Custom Windows PE.

My own preferred first-strike team is to boot the system with WinPE then toss the free tool VIPRE Rescue at the system.  There are two things that I think really make this anti-malware tool exceptional.  First it is easy to use and very thorough. But secondly, it creates some incredible logs and quarantines the files.  Both the logs and quarantined files helps me understand what was going on with the infection and possibly what vector it used.  That might help me secure the fixed system and submit the files for additional analysis.

Once the system is running “live” again, I also like to toss Malwarebytes Anti-Malware Free at the system.  It is a pretty aggressive anti-malware scanner with lots of options.

I also like SurfRight’s Hitman Pro 3 and have found it seems to do an exceptional job addressing issues that are missed by many other tools I have used. The plus is that you can use their product to get unlimited free scanning + 30 day removal.

Norton Power Eraser is a very powerful tool to root-out deeply embedded malware from a system Read their page carefully first.  I’ve had good experience with it myself.

I also keep handy and request a third-scan opinion from the still fairly new Microsoft Safety Scanner.  Being a “standalone” tool of sorts, it can be run in the WinPE environment or on the “live” system.  The trick in WinPE is to make sure your WinPE build has a large scratch-space value.  Check out this 4sysops post Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0 for more details.

I do understand that for some folks, the thought of making a custom-spun WinPE boot tool could be quite intimidating.  With that in mind, you will want to keep a copy of the Microsoft Standalone System Sweeper Beta handy.  Of course you will need an uninfected “host” system to create the tool. Download the “builder” utility in either x32 or x64 flavor depending on your hardware and choose a blank CD, DVD, or USB drive with at least 250 MB of space. Execute the tool and build-away.

Of course, you may want to do more with this plain-Jane WinPE build that it lets you.  And you can if you know the tricks our dear TinyApps bloggist posts in his Extending Microsoft Standalone System Sweeper tips.

Maybe all you want is just to download and burn an ISO file to CD and use it to try to disinfect a system without all those extra bells-and-whistles that I love so much in WinPE.

Well, many reputable security product vendors offer their own tools as well in that same line.

Calendar of Updates has a page that is kept pretty updated Free Anti-Virus Rescue boot CDs including direct links to Avira Rescue CD & BitDefender Rescue CD.

F-Secure keeps their own Rescue CD resource updated. They also offer some fantastic Easy Clean, Online Scanner, and Blacklight rootkit tool.

Likewise, Kaspersky has their own Rescue Disk 10 tool as well as an Online Scanner, an incredibilly extensive toolbox of free Virus-fighting utilities to address specialized malware threats, a tool to remove banner from desktop, unlock Windows.  Kaspersky also offers valuable documentation on common malware information, viruses and solutions, as well as Rogue security software response guidance.

Dr.Web CureIt!! is another LiveCD solution worth knowing.  See also their Sysadmin First aid kit page for some additional resources.

Not “free” for everyone but a good LiveCD resource for Norton product users, check out the Norton Bootable Recovery Tool.  As explained on the page, “You will need your product key or PIN in order to use the Norton Bootable Recovery Tool.”

Likewise, if you are a Sophos customer, they also offer their customers the Sophos Bootable Anti-Virus tool. However, they do offer some Free Tools as well, including some specialized tools as well as Free Security Scan tools and their Sophos Anti-Rootkit tool.

Need more? Check out this GSD USB based AV/AM Tools post for many more options.

I have an extensive collection of highly-specialized sysadmin tools at my disposal. However the following tools are always the ones I keep coming back to over and over again. All free.

As malware (and particularly scareware/rogue-security “products”) gets more and more sophisticated, it seems even more highly-specialized tools are needed to fight and restore the damage done by them.

Broken EXE Association is a how to and REG files for fixing issues launching applications after an infection.

The Updated Combofix (5-23-11) is a highly specialized tool offered by the fine folks at bleepingcomputer.com forums.  It is not recommended to run on your own without guidance from their community unless you are already an advanced/professional Windows system specialist. Seriously.  Read their ComboFix usage, Questions, Help? page well and carefully before embarking on its usage.

See also their RKill utility. From that page:

RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. When RKill runs it will kill malware processes and then import a Registry file that removes incorrect file associations and fixes policies that stop us from using certain tools. When finished it will display a log file that shows the processes that were terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again. Instead, after running RKill you should immediately scan your computer using some sort of anti-malware or anti-virus program so that the infections can be properly remove

And for any Mac users/caretakers who are still reading this post, they also have a BleepingComputer Mac Rogue Remover Tool. Check out that page for more info.

This Google redirect virus forum thread has a lot of great tips and steps to follow in addressing malware in general.

As I last posted, I feel remiss to not re-mention this guide Remove Windows Recovery (Uninstall Guide) over at BleepingComputer.com for a good review and walkthrough of a semi-automated recovery process.

Included in there are two noteworthy tools: RKill (Download Link) and Unhide.exe (Download Link). Rkill is a rouge-process killer of sorts and unhide.exe attempts to restore malware-relocated user files back to their original/rightful locations. See this Bleeping Computer Downloads: RKill page for more information as well as this one Question on 'unhide.exe' for more background information on them both.

You can also take the manual restoration approach offered by “colsearle”

Try navigating to the following path: (make sure you have the hidden files and folders visible)
C:\Documents and Settings\your user name goes here \Local Settings\Temp\smtmp
Inside the smtmp folder you will see three folders named 1, 2, 4
1 = Start Menu Program shortcuts
2 = Current User Quick Start shortcuts
4 = All Users Desktop folders and shortcuts
Simply copy the shortcuts back to the original path.

I also found this guide over at SmartestComputing written by “Broni” to be very helpful as well and full of specialized remediation tools and links How to restore files hidden/deleted by Windows Recovery virus.

Although most of what I see now-a-days is Windows 7 and Vista systems for most of my home/family/friends systems. More than a few still have XP systems. One trick still in my bag from days ago is when a system is cleaned of a internet-browsing redirector infection the internet doesn’t work anymore is that in many cases it requires the network sockets to be “reset” by running a tool like LSP-Fix or WinSock XP Fix 1.2 (via MajorGeeks mirror site).  This only should be run on XP systems.

Coming full-circle again in this post, some of these tools and techniques require working on a live running system and others can be done “off-line” using a LiveCD/WinPE/otherOS approach.

If you do go with a “off-line” boot method such as WinPE from a bootable USB flash or HDD, you want to be very careful you avoid potential cross-infection in your response/rescue efforts. Yes a bootable CD/DVD does offer greater protection but at the same time, it can severely reduce the number of options or other tools you can bring to bear on assessing and cleansing the system.

If you have a LOT of bootable ISO files (as I do for specialized situations), then I seriously recommend the awesome iodd device for sysadmins and incident responders as well as you semi-pro malware busters.  It allows you to carry many, many, many different bootable ISO files on a portable HDD and pick between them on the fly for off-line system booting.  Couple that with a physical write-block switch and the ability to partition the hard disk drive you cram into it, and you can carry many portable apps on there as well to access if you are booting in, say, a WinPE environment.

If that seems like way too much (and it never could be) firepower, then at least consider a USB flash drive with a write-block switch.  My personal preference is the Kanguru Flashblu II (NewEgg product link).  It is a great value for a reasonably sized USB drive with a write-block switch.  Sony also offers write-block switches on some of their USB flash drives (Alvis has one in fact) but they are getting harder and harder to find.

If you don’t have the option or resources to pick up either one, but do have a bootable USB flash drive that you have already loaded up with all your scanners, tools, and other response files, consider this simple and free tool usbdummyprotect. The trick to using it is to download the tool and unzip, then copy it directly onto your USB drive.  There, run it.  It creates a “dummy” file to fill up all the remaining free-space on your flash-drive.  In theory, this should prevent malware from copying any files to your drive.  When you want your free-space back, just delete the clearly identified dummy file.

Not quite the same thing, but noteworthy is Document Solutions free DSi USB Write-Blocker. You need to download and install this on your own clean-system first. Then run the tool BEFORE connecting a USB flash device.  Basically it keeps your own running system from writing TO the USB device once you plug the device onto your PC.  This should preserve time/date stamps and other file modifications.  It doesn’t necessarily protect your host system from anything bad on the device itself if you choose to either run anything directly or copy off the device and run locally. So understand how it works first then use it when the situation calls.

Finally, in some cases, the malware might have actually damaged or modified the Windows bootloader itself. If this is the case and any of the specialized tools already mentioned didn’t work to restore the Windows boot loader, then you may need to do it yourself.

See this GSD post Partition and Disk Management: Part II – Free and Useful Tools for a rich roundup of resources.

For a really nice and trusted freeware GUI tool check out EasyBCD 2.1 from NeoSmart Technologies.

I also recently discovered MBRWizard which is not a free product (but it is offered dirt-cheap) and has a great GUI as well.  However, for your value-expecting fans not afraid of a little command-line ninja work, they do offer a CLI Freeware version! Check out the Command line reference page for more information.

Effectively responding to a malware/rogue-ware infection is never an easy task. It takes careful assessment, planning, research, tool/utility/scanner gathering, off-line booting in many cases, and lots and lots of tedious, patience-requiring work.  It takes time, experience, and for the non-technical, lots and lots of help from a devoted community.

Obviously, this post can’t even really begin to scratch the surface of the tools and techniques out there. However, I hope it is a good starting point or comes to be a return-to resource source to collect valuable materials as you go forth and battle.

Cheers.

--Claus V.

2 comments:

Dave Nelson said...

That is seriously cool. But the source of the hardware leaves me wanting something made in the US. Sigh. Maybe I'm just paranoid.

Ken Pryor said...

Claus,

Thank you so much for this fantastic post! I learned a great deal that will help me in my own battles with malware. I've bookmarked this page so I can come back to it again and again.

Thanks!
Ken