Extra strain caused by malware

By apexwm, 3 June, 2011 13:56

It seems like outbreaks of malware over the past year have increased significantly on Windows platforms. And, so far, there seems to be no end in sight. If anything, these outbreaks will continue and become even more complex. Currently, I've been seeing malware get through several layers of security, which include Symantec Endpoint Protection 11.6, Websense 7, and up-to-date Flash, Java, Adobe Reader, etc.

First, malware (and viruses) put a huge strain on IT resources. It takes only a few seconds for malware to corrupt a Windows user's profile folder or PC, but it can take hours to clean up, as well as research to find the source. Locating the source is nearly impossible without careful inspection of the user's activity and the resources accessed around the time that the malware seemed to appear. Sometimes the malware will reside on the PC far in advance of the time that it begins to actively show signs.

Not only does it take a good amount of IT resources to try to find the source of the malware, but also to prevent it on other PCs. Keeping Flash, Java, Adobe Reader, and Windows all up to date is nearly a full-time job. New versions of each product come out within weeks of each other, and they should be thoroughly tested for compatibility and then rolled out to PCs. This can take hours per week.

The top two malware forms that we've seen recently either hose the Windows profile, which prevents the user from running any programs, or fill the C drive with junk files, causing it to fill up and slow to a complete crawl. Both are able to bypass all Windows XP and 7 security features, even though all users are running with limited (non-administrator) access.

I've talked with colleagues in IT and they too are seeing the same activity and the same strain on IT resources. It's becoming more of a problem and a challenge for IT administrators. Locating a product to help eliminate this malware is also difficult, as no single product seems to work alone. A combination of products is more effective, but that too needs to be tested, because these products can conflict with each other.


Talkback

> The top two malware forms that we've seen recently either hose
> the Windows profile which disables the user from running any programs,
> or fills the C drive with junk files causing it to fill up and slow to a
> complete crawl.

Have you got names to identify these, please? Since I've had virus-free Windows machines on the net 24/7 for many years, I'm a little surprised that I've never run into them, or even heard of them....
Jack Schofield 3 June, 2011 16:14


"Have you got names to identify these, please?"

Here's one of the earlier ones that started getting through, called "Antivirus soft". Here's a good article that explains more of what it does:
http://www.2-spyware.com/remove-antivirus-soft.html. This one has bypassed Symantec Endpoint Protection as well as Websense. This one has mutated into other similar ones that we've seen more currently, which cause a bunch of popups and eventually modify the registry so that executables no longer work for the profile logged in at the time that the malware ran. I do not have the names of the latest variants, especially the one that keeps filling the C drive. We've started looking at Malwarebytes Anti-Malware, which has so far proven to be more effective than top names like Symantec.

On my personal machines, I get few viruses as well, especially since I use Linux. :) But in corporate environments with thousands of machines, your chances are quite a bit higher that you will see this type of activity. In the cases described, there are about 1300 machines, and these malware variants show up about 2-3 times per week. So far it's been quite a challenge trying to keep up with the ever changing variants of these, combing through user history to see how they got through. So far it seems to be partially from Java vulnerabilities but we haven't placed a solid finger on it.
apexwm 4 June, 2011 03:04


I have encountered three instances of malware which disabled executable files after the malware loaded. I was unable to determine the startup mechanism. All the instances were ransomware, and potentially more insidious, although I couldn't establish that.

In two cases, I was able to remove the malware in Safe Mode using System Restore and then various tools to clean up; in the third case I had to remove the user entirely and create a new user, having first recovered the data using a live Linux distro before deleting the affected user.

Either way was quite time consuming. I don't remember the names, nothing very memorable.
Moley 4 June, 2011 16:28


It's getting to the point where one wrong typo of a website address and these rogue antivirus tools are finding methods to bypass an out-of-date Java or a web browser vulnerability. Once installed, it's easier/quicker just to write off the current installation (assuming you have a good backup).

I've got to the point where I wouldn't recommend using Windows XP SP3 (wouldn't recommend it full stop if you're under 20!) unless you complement it with either Acronis True Image or Paragon Hard Disk Manager 2011, and make a regular hard disk image. There are just far too many security updates to keep track of, from both Windows Update and third parties (Adobe, Sun Java, etc.).

I'd also recommend storing files on Dropbox, so your data is 'skinned' on top of your Windows system, so it's just a fairly easy case of restoring the image, and maybe a few bookmarks, assuming emails are in the cloud.

Once infected, it's best to write off the Windows installation and use a restore image.

It's 20 minutes to restore from an image backup using either Acronis or Paragon; that's about how long it takes to download and install Malwarebytes. Removal can be several hours (days) more, and you rarely get the system you had originally.

I think we're reaching a point where it's pretty much impossible to state you actually have a 'virus free' Windows machine (depending on someone's surfing habits); there are so many methods of infection and places in the filing system for files to hide. Most antivirus programs only scan files below a certain size. It takes an impossible amount of time to keep everything 'current'.

The best free solution I've found currently is Comodo Internet Security (free version). Version 5.4.18 has a new Auto Sandbox facility, which isolates any file it doesn't recognise, and prevents interaction with any of the system files.

The program has really improved greatly over previous versions. It's much more user friendly (far fewer cryptic messages to answer) and much of the bloatware has been removed. Best, though, to install it without Geekbuddy (one of the options), and also watch out as it tries to install the Ask toolbar as part of the installation setup. Otherwise, it's a great firewall/antivirus/sandbox combination, and not too heavy on resources.

Simply: Prevention is the best cure.

(I have no connection with Dropbox, Comodo, Acronis, Paragon)
SoapyTablet 4 June, 2011 17:45


@apexwm
> We've started looking at Malwarebytes Anti-malware which has so far
> proven to be more effective than top names like Symantec.

I often recommend that, and while I use MSE, I run it to double-check my PCs. Happily it comes up all zeros here.

> But in corporate environments with thousands of machines, your chances
> are quite a bit higher that you will see this type of activity.

But if your PC software is kept up to date, then there's unlikely to be any that isn't attributable to user error, and even that should be rare. All the common attacks exploit holes that were patched months or even years ago. Secunia's PSI is a simple way to check that Adobe software, Java etc are up to date.

> So far it seems to be partially from Java vulnerabilities but we haven't
> placed a solid finger on it.

Java is widely exploited but it's easy to uninstall. Do your users actually need it? If so, it's best to uninstall *all* versions of Java before doing a clean install. Here's something I quoted earlier:

"Malware written in Java has existed for many years, but attackers had not focused significant attention on exploiting Java vulnerabilities until somewhat recently. In 3Q10, the number of Java attacks increased to fourteen times the number of attacks recorded in 2Q10, driven mostly by the exploitation of a pair of vulnerabilities in versions of the Sun (now Oracle) JVM, CVE-2008-5353 and CVE-2009-3867. Together, these two vulnerabilities accounted for 85 percent of the Java exploits detected in the second half of 2010."

http://www.zdnet.co.uk/blogs/jacks-blog-10017212/microsofts-security-report-shows-windows-7-is-safer-10022480/

@SoapyTablet

> these Rogue Antivirus tools, are finding methods to bypass an out of date
> Java, or a web browser vunerability.

Well, yes, if people leave gaping security holes unpatched then malware writers will be happy to exploit them ;-)

> there are so many methods of infection and places in the filing system for files to hide.
> It takes an impossible amount of time to keep everything 'current'

Almost all Windows malware exploits easily fixable holes in extremely obvious ways. Basically, there are enough mugs around that malware writers don't need to do anything particularly sophisticated (if they even know how). And as mentioned, it's easy to keep non-Microsoft software up to date using PSI.

> Simply: Prevention is the best cure.

Absolutely!
Jack Schofield 7 June, 2011 16:00


I've seen the one that filled up your disk, but that was quite some time ago. It's hard to detect, as I believe back then it inflates in the user's temp directory. Basically it creates small chunks of files, and since each of these files actually takes up a whole sector, it could fill the disk quite fast.
Mazli Alias via Facebook 15 June, 2011 10:22


@Mazli Alias via Facebook

A couple of years ago there was a minor fashion for Decompression Bombs. Basically you had a small file and created many levels of nested copies inside a single archive, so it became huge when uncompressed. I suspect not many people have seen one, and I've never seen one in the wild. The technique works just as well on Linux as it does on PCs.

Unlike apexwm's viruses, compression bombs may not be just a basic "Incompetence tax". It's not unknown for smart people to uncompress files without checking to see what's in them.
Jack Schofield 15 June, 2011 19:11


Just saw another case recently, this time being "Internet Security 2010" that made it through several layers of security, including a web filter and Symantec Endpoint protection, on a Windows XP machine with current Windows updates but outdated Flash & Java. There is currently a team here investigating Flash & Java as possible avenues of attack.

http://www.2-spyware.com/remove-internet-security-2010.html

The problem faced here, and at a lot of companies that have hundreds or even thousands of PCs, is keeping Flash & Java up to date when security holes are found about every 2 weeks or so. Update packages are being deployed, but just about when they are finished, a new version is out with further security fixes, creating a perpetual update cycle. One other issue faced is Flash and Java are very aggressive at running auto updates, which on Windows 7 will prompt the user due to UAC being enabled by default. Adobe and Oracle have very little documentation on disabling auto updates, and documentation provided by Adobe and in forums simply doesn't work in some versions. This has increased the level of help desk calls.
apexwm 22 June, 2011 19:41


See, part of it is that when you boot up a Windows machine for the first time, it's not adamant enough about making you run as a user instead of as admin. It suggests it, but that's simply not strong enough to make the importance of it clear to users. Then you couple that with the fact that malware is getting increasingly sophisticated as time goes by, and rogue security software ever more creative, and the average user could easily be looking at a very difficult time.
burningwreckage 23 July, 2011 09:48