Saturday, June 25, 2011

Skirmish 1: A Rogue Security Software battle

Note: while some may find this a helpful guide, it is not a “cure-all” malware cleaning process. Every infection is somewhat different.  What I hope to offer is a process I have used to successfully clean a specific infection from a home-user’s system. Your mileage may vary.

More than many weeks ago, my video-desk buddy at the church asked me for advice about what virus-cleaning product I recommended.

In my experience that means two things: someone actually has a compromised system, and any singular answer I provide will be inadequate to solve their problem if attempted.  So I probed further so I could provide a better (more detailed) answer.

Turns out the user was reacting to a report that popped up on their computer warning them they had a whole bunch of infected system files and that their PC was going to perform worse unless they purchased the offered program.

He then proceeded to show me a long list of “infected files” all with crazy names and locations.  He had done some Google work on the files listed but hadn’t made any progress.

Well, I agreed he did have a serious issue, but likely those “files” were just a sham and in fact the security warning/program was the problem.

I told him I’d prefer to have him haul his system up to the church early so I could (off the network) hook it up to a spare monitor/keyboard and take a quick-peek.  He readily agreed.

That afternoon we met up and after what seemed like a ten-minute bootup I agreed his system was running super-slow.  This was a Windows XP system and after I launched the task-manager and it eventually appeared, a number of suspicious running processes were visible.  On top of things, the CPU fan was roaring like a jet taking off. Yes…my friend reported…this behavior had been happening recently also.

I was able to identify and disable the main rogue security app “loader” but significant problems remained and I suspected other stuff was lurking unseen at first glance.

Attempts to run any .exe application executable failed.  Attempts to run CMD failed as well.  The Control Panel was MIA. Bad things were afoot.

This quick-peek told me enough to confirm that my friend had indeed been hit by a scareware/rogue-security “product” infection and was in some serious hurt.

He trusted me to bring his system home and throw it on my workbench to attempt a full cleaning.

So is set the stage.

The battle begins

First thing I did was to off-line boot the system.  This was a bit more challenging than one would expect.

Although it was a nice mini-case IBM ThinkCentre unit, alas, it did not appear to support USB flash drive booting.

So I used one of my WinPE ISO files loaded on my iodd device (with the write-block switch thrown) to get the system up and running with me in control.  I then plugged in my 2GB USB stick that I had preloaded with various utilities and malware-busting tools. (note: because I didn’t yet have my Kanguru Flashblu II drive, I used usbdummyprotect to fill the remaining free space on the drive to avoid a potential write-back infection).

I then ran VIPRE Rescue overnight against the system.  When done it had located and isolated the following infections (and associated bits) in multiple locations:

  • Trojan.Boot.Alureon.Gen (v)
  • Trojan-Dropper.Win32.TDSS.cfvs (v)
  • FraudTool.Win32.FakeRean.e (v)

After rebooting I had a lot of work to do.

Next, since the System Properties and Control Panel weren’t working, I discovered that rundll32.exe had been renamed to rundll.exe.  An examination of that file convinced me it was the original file, so I renamed it back and those items worked again.

Since any attempt to launch an application failed, I had to repair that.  This was made pretty easy by using the correct REG file fix found in this Broken EXE Association page.  Fixed.
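The post does not reproduce the REG fix it links to. As an added illustration (not the author's code or the linked page's), this Python check compares a text export of the relevant keys against the stock Windows XP values; the sample export and the `xyzfile` ProgID are constructed, and treating any per-user copy of these keys as an override is an assumption.

```python
import re

# Stock Windows XP defaults; key paths are compared case-insensitively.
EXPECTED = {
    r"hkey_classes_root\.exe": "exefile",
    r"hkey_classes_root\exefile\shell\open\command": '"%1" %*',
}
# Assumption: a clean XP install has no per-user copies of these keys.
PER_USER = (
    r"hkey_current_user\software\classes\.exe",
    r"hkey_current_user\software\classes\exefile\shell\open\command",
)

def parse_reg(text):
    """Return {lowercased key path: default value} from decoded .reg text."""
    defaults, key = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            key = header.group(1).lower()
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg string values escape backslashes and double quotes
            defaults[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return defaults

def check_exe_association(text):
    """List deviations that break or hijack the .exe association."""
    defaults, findings = parse_reg(text), []
    for key, want in EXPECTED.items():
        got = defaults.get(key)
        if got != want:
            findings.append(f"{key}: default is {got!r}, expected {want!r}")
    for key in PER_USER:
        if key in defaults:
            findings.append(f"{key}: per-user override {defaults[key]!r}")
    return findings

# Constructed sample export; "xyzfile" is a made-up ProgID.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="xyzfile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Classes\.exe]
@="xyzfile"
'''

if __name__ == "__main__":
    print("\n".join(check_exe_association(SAMPLE)))
```

Regedit writes its exports as UTF-16, so decode the file before passing its text to `check_exe_association`.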

Because the system was still crawling in terms of performance, I had to start addressing that or else it might take a month to get it running better.

The system was running on 1GB of RAM (2 512MB mismatched speed sticks) with a 40 GB (5400 RPM) HDD at almost 90% filled. Yikes!

The virtual memory settings had a very large custom value set, so I rolled that back to let the system manage it instead.  I turned off start-menu animations.

Next, I ensured that all the user’s documents and other files were present and the start-menu lists appeared normal and unaffected by this malware version. Only after that had been established and I had collected some web-browsing log files to see if I could learn the infection point, I ran both CCleaner and CleanAfterMe to neaten things up and gain some additional free hard-drive space.

Disk fragmentation was horrible (although my friend appears to have been dutifully defragging his registry based on a desktop program that I found installed).  So I used JkDefrag Portable to clean that up.

Now that things were running (a bit) snappier, I returned to the infection cleaning.

I used the installed (but apparently overwhelmed) Microsoft Security Essentials tool to re-scan the system.  It didn’t find anything, but now that it was running again, the history showed its battle at the time of the infection to keep the system clean.

  • Exploit: Java/CVE-2010-4452
  • Trojan: DOS/Alureon.A
  • Trojan: Java/Clagent.B

Still not convinced, I next ran Malwarebytes Anti-Malware Free, which found 15 more bits and pieces.

I then sought-out and installed all the most current Browser Plugin Updates as the installed ones were woefully outdated…hence the vector for the infection in the first place.

Next?  I downloaded and ran Hitman Pro 3 from SurfRight.  It revealed some more stuff remaining that indicated a boot-loader infection. Bad-stuff man.  Hitman Pro did its thing and cleaned up that mess.

I recovered both the admin password and OS key as the user had lost those and documented those for him.

Windows Updates had also been borked.  As this was a Windows XP system, I found that running the following command in a (now working again) CMD window got them flowing again.  More info and methods in this Microsoft KB883821 bulletin.

To register the Wuaueng.dll file, follow these steps:

  1. Click Start, click Run, type regsvr32 Wuaueng.dll, and then click OK.
  2. When you receive the following message, click OK:

    DllRegisterServer in Wuaueng.dll succeeded.

Now that the Windows updates were all on successfully, I upgraded the browser to IE8 from IE6. Also found installed (and so updated) were Safari for Windows and Firefox.

I removed the registry defragger and installed Defraggler to provide this user a more friendly tool.  The outdated version of Adobe Reader got removed and replaced with Adobe Reader X instead. Apple Quicktime was updated.

From here I took the system outside and opened up the case.

Loads of dust-bunnies and the foam-intake filter was completely obstructed with dust buildup.  Much cleaning later, the system now was purring quietly along.  All the dust was restricting the cool-air intake over the CPU heatsink (also caked in dust), causing the CPU to run hotter, causing the fans to go into overdrive, causing the system fan-noise to require ear-protection.

I turned off System Restore so it would dump all the restore-points, some of which had copies of the infected files. This also added a bit more free-disk space.

I ran both Process Explorer (making sure no other rogue processes were found) as well as Autoruns for Windows (which I used to disable/remove some non-necessary helper services).

I then searched out and updated all the device drivers from the IBM/Intel sites I could find that applied to this particular system. For this particular IBM system, I located this ThinkVantage System Update utility that was a really big help in the process.

A full scan with MS Security Essentials and MalwareBytes AntiMalware both came back 100% clean.

For extra measure I also ran both Kaspersky’s Anti-rootkit utility TDSSKiller and Norton’s Power Eraser. Both also reported no issues found.

I flushed the DNS cache and cleared the Java cache.  HOSTS file looked normal.

Things were looking up.

I dug around on the spec page for this system and found it could support up to 2 GB of system RAM on the mainboard.  It just so happened that I had a pair of matched 1 GB PC2700 333MHz DDR sticks lying around.  I pulled the original ones and dropped these in.  I think I could hear the system actually taking a deep breath and shudder with relief once again.  Performance was much more nimble now!

Alas, I didn’t have a spare drive, but did pass on a note for my recommendation to upgrade to a larger capacity/faster RPM PATA hard-drive as well.


Time invested? Approximately 10 hours (not counting unattended overnight scanning) spread over a week.

Return on investment from gratefully shining face of owner? Priceless.

Lessons learned

Reviewing all the logs, it seemed clear that the user had browsed across a maliciously-coded web-page in an unpatched browser running unpatched/outdated browser plug-ins.  I suspect the Java exploit got the ball started and once the actual malware installer app had been dropped/executed on the system, all bets were off despite MSSE’s attempts to protect the system.  For additional information on these things these references might be helpful.

I guess in some ways since the system was in the state it was, the slowness of the performance may have kept things from getting worse or the user being able to continue to work with the infection running in the background. In this case, the scareware/malware only helped cause the system to grind down even slower.

No one single anti-malware app fixed the problem.  Because the malware compromised/changed some key Windows filenames and settings, additional manual remediation work had to be performed.

There are a lot of great cleaning tools out there; the challenge is being familiar with the best of them and knowing which ones are the most effective to apply.

The whole process is quite involved and must be taken through logically, building on each success.

Next post -- same thing but with a twist -- Dad’s PC infection.

I’ll also do a standalone post linkfest listing these and other tools/resources I found helpful or came across in these skirmishes.


--Claus V.

1 comment:

FF Extension Guru said...

I'll give credit to Mozilla for implementing a system that when you upgrade to a newer version of Firefox will check your plugins. In the upcoming Firefox 6, there will be a link from the add-on managers. Nice, but as I have seen (and sure you have too) most users don't click on the plugins tab on the add-ons manager. Heck I am sure most users don't even go into the add-ons manager unless they are disabling or removing an add-on.