Monday, July 4, 2011

Malware scanner

Worms and trojans and viruses – Oh my! But beware the insidious rootkit, my child, because it is invisible. If you get a rootkit, it burrows deep into your system and disappears. Only a program specially designed to look for it will find it.

Microsoft has recently introduced the Microsoft Standalone System Sweeper (MSSS) that will, among other things, find and kill those pesky rootkits. Get the program at http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline.

MSSS is used a little differently than other one-time scans you’re familiar with such as MalwareBytes. It creates it’s own bootable CD or USB drive and you run it outside of Windows. It does this so it can find rootkits which, by definition, are hidden when Windows is running. If you actually bought your antivirus program on CD, it probably can do this; except MSSS is a little different (at least since I last had an AV CD). It doesn’t offer, but requires, that you update your definitions before running a scan.

Go to the download page and choose whether you want 32-bit or 64-bit. This button runs a downloader that gives you the option to create a bootable CD, bootable USB thumb drive, or download an ISO (Fig. 1). I’ll tell you what to do with an ISO next month; but until then, save yourself a lot of trouble and choose one of the other options.
Fig. 1 MSSS downloader
Fig. 1. The MSSS downloader menu (this image may have changed).

I decided to try MSSS out on my file server. When it runs a full scan – the default your first time – it alerts you the scan could take hours. Sure enough, after 4:52:42, it reported the number of “resources scanned” was 3,520,572!

Admittedly, my single C: drive runs about 350 GB (there’s a lot of client files I really should throw away). The program looked inside compressed files, naturally. It also looked inside downloaded .ISO CD images. To my surprise, it looked inside some Outlook .PST files to find a virus in the attachment of a piece of spam.

Creative Commons License
This
work by Bill Barnes is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.
Permissions beyond the scope of this license may be available at http://zaitech.com/satellite/contacts.htm.

Thursday, June 23, 2011

Book Review

Review - Zero Day

Sex. Murder. Corrupt, bumbling bureaucrats. The Russian Mafia. The fate of the Western world. Hunky nerds and beautiful geeks.

Zero Day by Mark Russinovich has them all. It also has worms and viruses and rootkits – but you don’t have to know any more about them than that if your computer has them, it’s going to be a pain. This book is a can’t-put-it-down thriller until you start thinking about it. Then it will give you nightmares.

Zero Day starts with a company that is having computer problems. They call in a specialist who discovers that their servers have been infected with a particularly pernicious piece of malware. While he’s trying to get the company back in business a call from a colleague at the Department of Homeland Security lets them realize they both are vexed by someone known as “Super Phreak.” Could this be the harbinger of cyberwar? And one with an auspicious starting date.

Mark Russinovich is a Microsoft Technical Fellow. That is a position for a person who is so accomplished that he has no assignment beyond thinking up new ideas. Computer professionals will recognize him as the creator of the Sysinternals utilities. With names like LDMDump and PsGetSid, these programs allow you to learn things about your computer that you didn’t know existed; including that you have an infection down where your antivirus can’t get it.

Here, in Russinovich’s first novel, he uses his knowledge of what is and what could be to weave a story of what we hope never happens. Without referencing any specific real-life situations (see “Stuxnet”[1]), this is a story one could imagine was pieced together from page 4 of the daily newspaper. An airliner has a rough ride over the Atlantic. A ship runs aground in Japan. A hospital has a medication mixup. A worker dies in an industrial accident. Are these unconnected stories? Only our heroes have the insight to know that they are linked by Super Phreak’s zero day rootkit (you only need to know that’s a computer nasty no one has ever seen before). Since a political appointee is too inept, corrupt, or both to sound the alarm; our heroes have to chase, against the clock, across two continents on their own to save the world.

The first edition I had was marred by some editing errors. (The first chapter opens “Saturday, August 11” and on the next page in bold it refers to “Friday, August 11.” [This was corrected in the online excerpt.] In a faux pas as bad as calling your spouse with your lover’s name; another place refers to the heroine with a villain’s name.)

That said, the story maintains its credulity: travel takes real time, coincidences are fortuitous but not magical, heroes are strong and clever but not supermen. Worst of all, the technology is very real and is installed in any business or is available to any teenage hacker anywhere in the world where the internet is available. The story implies a single set of malware could damage a multitude of systems which, in fact, would have to be programmed individually. However, any of the attacks mentioned could happen any time in the near future – or be happening now.

If you like international political thrillers or if you like technology; you’ll like Zero Day. A pair of PhDs become unexpected agents sufficiently focused on what needs to be done to brush off an assassin’s bullets and to convince an uninvolved Russian to assist them in the course of a taxi ride. Russinovich has set himself up to have created the next Jack Ryan. Let’s hope we can look forward to more cybercrises to befall us. [Zero Day the book has no familial or topical relation to the 2003 or 2007 movies with a similar title.]
------- 

REFERENCES:

The book's homepage

http://www.zerodaythebook.com/
Mark Russinovich
http://en.wikipedia.org/wiki/Mark_Russinovich

Stuxnet
http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html
http://en.wikipedia.org/wiki/Stuxnet
Thanks to my source: Steve Gibson
http://twitter.com/sggrc
http://www.grc.com/securitynow.htm

Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 3.0 US License. Permissions beyond the scope of this license may be available at http://zaitech.com/satellite/contacts.htm.
(c) 2011 Bill Barnes - Disclaimer - Home Page - Blogs Home

Monday, January 3, 2011

Malware Alert !

Ransomware. It’s not a new form of malware (ie: viruses, trojans, worms, phishing, spyware, even spam), but neither has it faded into the background over time. Many of my clients needed my assistance after encountering it sometime during 2010. It first came to my attention 3-4 years ago in the form of “AntiVirus 2008.”

The vector is that, after visiting an infected website, a notice pops up on your screen that there is “a problem with your computer.” The “problem” it refers to may be a virus infection, update due, or disc defrag needed. The popup could vary from a poor imitation of a Windows information box to a dead ringer for the Windows Update shield and dialog or a Microsoft Security Essentials notice. Typically it uses spyware tricks to reload even after you’ve left the website or rebooted the computer. Usual Windows close window buttons in or on the window are often ineffective and you can only get it off your screen by right-clicking its icon on the taskbar. The window advises “click here” to resolve the problem – but beware! – clicking anywhere in the window could run the program. Then you’re in trouble!

You asked the website to install a program. It doesn’t need a rootkit or worm to run the malware. You asked it to install. Check out a full discussion of the process at http://windowssecrets.com/top-story/lizamoon-infection-a-blow-by-blow-account/.

Once the ransomware is installed, it locks up your computer only allowing you to go to their website to undo the damage. Of course, the “repair program” costs $20-$150. If you don’t shell out, it may have already encrypted your hard drive or it may corrupt your data before you can stop it.

Luckily, most of my clients contacted me and did not actually install the program. While they couldn’t get rid of the popup, I could log on as an unaffected administrator and squash it with a System Restore and multiple malware scans from different sources such as antivirus vendors, Malwarebytes, and Microsoft Malicious Software Removal Tool. Between alert refusal to install the program, antivirus scans, storing data on a server – not an active client computer – and backups; only one home user lost significant data. Everyone lost significant time and incurred the expense of my services.

Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 3.0 US License. Permissions beyond the scope of this license may be available at http://zaitech.com/satellite/contacts.htm.
(c) 2011 Bill Barnes - Disclaimer - Home Page - Blogs Home

Pages