Jun 18 2011

This is a series of notes on dealing with PC malware (viruses, worms and the like) gathered because I’m looking into it and published as a way of reminding myself about this stuff. Bear in mind that I’m not an expert but neither am I a complete dunce – I’m normally a Unix or Linux person but I’ve been keeping half an eye on Windows infections for years.

Some links to tools are contained within. However you should be aware that tool recommendations change over time; you will need to check how outdated this document is before following any recommendations blindly.

At present this blog entry is a work in progress … lots of testing needs to be done before being confident this is right.

Cleanup Process

This is not :-

  1. How to approach this forensically – if you’re dealing with an investigation, it’s a whole other ball game and you probably need professional assistance to avoid corrupting evidence.
  2. A technical guide as to which tools to use.

1. For The Ultra Cautious Or When Handling Real Important Data

The process of removal can be destructive, and in the worst cases you can end up cleaning the malware and ending up with a brick. So make an image of the hard disk as it is. Two basic ways this can be done :-

  1. Removing the hard disk from the infected machine, attaching to an appropriate machine (USB->SATA, USB->IDE converters are handy here), and making an image of the disk.
  2. Booting off a “rescue” CD on the infected machine, and imaging the hard disk to a network share of some kind. This is the preferred option.

This will be slow. So be it. Cleaning an infected PC is not going to be a quick job whatever you do. The best you can hope for is that there are many periods where you can leave it churning away and get on with something else.
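The imaging step above, as an added example that is not part of the original post: a small set of shell functions for a Linux rescue CD that copies the whole disk to an already-mounted network share, records a SHA-256 hash beside the image, and checks that the image really matches the disk before any cleaning is attempted. It assumes GNU coreutils (dd, sha256sum) on the rescue CD; the device name /dev/sdX and the share path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): image a disk from a rescue
# environment before any cleanup, then verify the copy.
# Assumes: Linux rescue CD with GNU coreutils; network share already
# mounted at the destination directory; /dev/sdX is a placeholder.

# image_disk SOURCE IMAGE [strict|tolerant]
# Copies the whole block device (or, for testing, a file) to IMAGE and
# writes IMAGE.sha256 next to it so later corruption or tampering of the
# image can be detected.
image_disk() {
    src="$1"
    img="$2"
    mode="${3:-strict}"
    if [ "$mode" = "tolerant" ]; then
        # For a disk with unreadable sectors: keep going past read errors
        # and pad each failed block with zeros. bs=512 is deliberate: with
        # conv=sync a larger block size would both lose more data around a
        # bad sector and pad the end of the image.
        dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    else
        # Healthy disk: stop on the first read error so a short or silently
        # damaged image is never mistaken for a good one.
        dd if="$src" of="$img" bs=4M 2>/dev/null || return 1
    fi
    # Record the image hash (path as given, so check from the same cwd or
    # use an absolute path).
    sha256sum "$img" > "$img.sha256" || return 1
}

# same_content A B: succeeds only if both have identical SHA-256 hashes.
# Run this once against the source disk before touching it: if the image
# does not match, a failed cleanup cannot be undone from it.
same_content() {
    a=$(sha256sum "$1" | cut -d' ' -f1)
    b=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$a" = "$b" ]
}

# verify_image IMAGE: re-check the image against the hash recorded at
# imaging time (for use later, e.g. before restoring from it).
verify_image() {
    sha256sum -c --status "$1.sha256"
}

# Usage on the rescue CD, after mounting the share (placeholders):
#   mount -t cifs //fileserver/images /mnt/images -o user=backup
#   image_disk /dev/sdX /mnt/images/infected-pc.img
#   same_content /dev/sdX /mnt/images/infected-pc.img && echo "image verified"
```

Imaging in "strict" mode fails fast on a read error; "tolerant" mode is for disks that are already failing, and in that case the hash of the image will not match the source disk because the unreadable blocks are zero-filled, so only verify_image (not same_content) is meaningful afterwards.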

2. Boot A Rescue CD

There are those who tell you that there is no need to boot off a known uninfected disk to clean an infected machine; their anti-malware/virus product can clean an infected machine “live”. There are others who claim that the only way to be sure is to boot off that disk and clean the machine that way. Both are wrong.

If you are paranoid (and in the presence of malware paranoia is fully justifiable), you will do both.

3. Boot Infected Machine and Clean

As suggested previously, after booting off a rescue disk and cleaning, boot the infected machine and clean again.

Tools

The following is a list of rescue CD’s that have been suggested :-

  • UBCD4Win. Has to be “built” with the assistance of an XP installation; somewhat tedious but it isn’t the end of the world. However it does need preparing in advance – building a rescue CD with the assistance of an infected machine isn’t the most sensible idea!
  • Knoppix. Graphical, pretty, feature packed, but seems to be lacking in anti-malware tools (for instance the only AV tool included is Clam).
  • Trinity Rescue Disk. Menu interface. Virus definitions update over the net; choice of Clam, F-Prot, Bitdefender, Vexira, Avast (a licence key has to be obtained). Various other utilities.
  • F-Secure Rescue CD.

Some of the above are Windows based; some are Linux based. The choice of which to use should be based on results not whether they tickle your prejudices (or mine!).

The following is a list of “live” tools to be installed that have been suggested :-

Asides

Nothing to do with the main subject. Merely some notes worth mentioning.

It seems that at least some malware can detect that it is running within a virtual environment. In some cases it ceases to do anything, and in others it may try to “break out”. This indicates that analysing malware within a virtual environment may not give sensible results, and in some cases may be dangerous! That is not to say that using a virtual environment is no longer of any use, but you may need to take special care, such as running the virtual environment under Linux and/or ESX rather than Windows. And be careful about negative results.

Jun 15 2011

… or to give them the more popular name, tablets.

What is the one thing all slates (whatever the usual choice of operating system) are missing? Support for multiple users.

Whilst there have been and are slates based on desktop operating systems, the only ones that have gained any level of popularity are based around operating systems for mobile phones – principally iOS and Android. And for some reason, these do not have support for multiple users, which is sort of understandable for mobile phones but is definitely a weakness for slates.

Imagine if you will, that you have bought a slate and set up the details for your work email, and are busily exchanging emails with someone who insists on being called “Bubbles” and you are engaged in a bit of harmless flirtation. Now you plonk your slate down on the coffee table, and your partner picks it up to play with; of course they end up looking at your latest email from “Bubbles”.

Or in the morning, you rescue your slate from the resident teenager wandering around the house under an angry cloud. You’re in a hurry and don’t check the slate until you wire it up to a projector to show those figures you were working on last night. And this is when you discover (to the amusement of the collective senior managers) that your pet teenager has replaced the default background image with an image of their favourite teenage idol in a scantily clad pose.

Now both of those examples were extreme and intentionally a bit humorous, but the problem is genuine. Even if you are single and excessively possessive about your slate, having a user called “work” and another called “play” allows you to hide one activity from the other. Not a bad idea to keep the games hidden from your boss!

Add a “demo” user and you can hand your slate to a fellow worker or friend to let them have a look at your slate without the risk of them discovering something they shouldn’t.

The mistake the manufacturers have made is assuming that a slate is a single user device. In practice, everyone wants a go and unless you have really big pockets and carry it around everywhere with you, people will pick it up and use it. The ‘net is full of stories about geeks who bought a slate, and wound up with their partner using it more than they do. And not always through choice!

It appears that I’m not the only one who thinks this would be a really good feature.

Jun 14 2011

The following were made over a week ago around the village of Finchdean :-

#1: Church In The Valley

Valley Church

Interesting church this one – an ancient hunting lodge chapel.

#2: Follow The Path

Follow The Path

It’s hard to stop walking along this path.

#3: Cloud Path

Cloud Path

Jun 10 2011

No, there are no pictures here.

Today Portsmouth had its very first World Naked Bike ride to demonstrate against the car culture. I’m not a cyclist so didn’t take part (perhaps we should have a World Naked Walker day!), but thought it was a worthy protest done in a fun way. The organisers were troubled by the activities of a certain group of fundamentalist Christians who were upset that anybody would dare to bare.

I happened to catch them riding past as I was walking back into work. And the reaction of the onlookers? From what I could see from the reactions of the “crowd”, pretty much everyone thought it was fun – nobody seemed upset and nobody seemed overly “excited”. It brightened up an otherwise somewhat gloomy day – it certainly wasn’t the best weather for naked anything!

Those fundamentalists who were more concerned with what others might be doing, than their own “issues” should learn that it was just fun. There was no widespread wailing and gnashing of teeth at the horrendous sight of a bunch of pervy old exhibitionists. Yes it was a bit exhibitionist – in the same way that any protest is because people won’t pay any attention to your statement if you don’t attract attention. And frankly a naked protest is a good deal more peaceful and fun than any other kind.

Any “perversion” is solely within the mind of anyone who thought that there was anything perverted about it. Nudity can be sexual, but only in the right context – and someone cycling isn’t being sexual.

Most of us have grown up enough to realise this was just good clean fun. It’s about time that the others grew up and minded their own business (at least).

One of the specific points that the fundamentalists made was that children might be upset by the nakedness – either seeing naked people, or being naked themselves after the ride when it was claimed that one of the riders had a naked child in a seat behind her. Taking that last point first … I saw the relevant rider, and there’s no way you could know that the child was naked unless you saw him or her being put into the seat.

Whilst I have no children, I do have some experience with them, and in my experience children are likely to find naked adults to be funny and be curious as to why they’re naked. And many of us have seen toddlers who whilst being changed think it’s funny to run around naked. Older children may react differently, and of course sexual exhibitionism is an entirely different matter. But this wasn’t sexual exhibitionism!

To those who took part, I raise my glass. And hope it takes place next year.