Wednesday, April 15, 2009

Combating Malware

Every day we're reading about new viruses, trojans, spyware and other malware on the internet. I was recently asked about the need to reinstall the operating system from scratch on a virus-infected machine. Here is the answer from the Security Officer at BIDMC:

Is there a valid technical reason for requiring a rebuild? The answer to this is yes. The thing to focus on here is the "Anti" in the title of Anti-Virus. These applications are intended to stop an infection. Most of them also include a cleaning component, and there are many products marketed solely as cleaning products; Spybot-S&D is a good example. The problem with these products is that malware is constantly morphing. You see this often in the names of the malware: they will contain .a, .b, .c, etc. The longer the malware is out, the more variants. This means that the cleaning tools need to keep up as well. The fact of the matter is that they cannot. If a system has critical content on it and it appears to be compromised, the only way to ensure it is clean is to completely rebuild the system. The more sophisticated viruses will hide in the boot sector of a drive; others will replace O/S files with variants that contain the virus. The former will load on system startup and leave no tracks for the AV or file-cleaning applications to locate and clean. The latter will look like standard files and be skipped over. We also take the precaution of a system rebuild here at BIDMC when we have a system with clinical or privacy content on it that is believed to have been compromised.

On the discovery component: we are also seeing an uptick in Torpig and Mebroot. Torpig and Mebroot are of the same family, Sinowal. These trojans are high-risk trojans, as their objective is to steal identity information, and they are good at it. These are of the type that embed themselves in the boot sector of the system. As I mentioned above, it is very difficult both to detect and to clean this type of trojan. I had a family member with this. As an exercise I attempted to clean the boot sector rather than rebuild. I logged over 40 hours of labor on this effort with a wide range of tools, even down to using a disk sector editor to attempt to clean it, with no success.

There is no way to determine the original source of the infection without detailed examination of the system. But this system is used to browse the web, it has Google Desktop loaded and it is running MS Office. The infection could be sourced from a web site that is believed to be good. We saw this not too long ago. These pages link to active advertising sites that are not in their control. Those advertising sites can and often do have malware in them. Google Desktop in itself is not an issue, but the actions/benefits it provides automatically link the system to sites in a more automated fashion that increases the exposure of a system. Lastly is Windows itself. During the time between the discovery of a vulnerability and the release of a patch, all systems are vulnerable. In many cases the exposure time is lengthy. Keeping up with patches is critical but in itself does not ensure protection.

There are companies that offer system analysis. In general you can look to pay $350 - $400 per hour from a quality service. For an 80 Gig drive you are looking at about 4 hours of time for a basic pass over the system. A more detailed analysis will take in excess of 10 hours. As an example, we are performing an analysis now on a system. The forensic copy of the disk to perform the analysis took 2 hours. The first pass analysis took an additional 6 hours. We are now starting the second pass, and that will be 10 to 12 hours. Our times are about 30% more than a commercial provider's due to the equipment we use. This is not a cheap process in money or time.

Due to the high risk that the Torpig and Mebroot trojans present, I would highly recommend completely rebuilding the system, ensuring that the boot sector is wiped and re-written. I would then ensure, before the system goes back into usage, that all Windows, Internet Explorer, and Office patches are applied.


Ahier said...

We use Norton Ghost and keep current images for standard desktop configurations so that we can more easily reimage machines when malware strikes. We have noticed a rise in malware/virus infections this year of about 19% over the first quarter of last year.
This does make a more compelling argument for VDI.

Frank Bresz said...

I don't personally know about the specifically mentioned trojans, although I did have a particularly nasty malware incident with a family member's computer. I threw up my hands and called in some expert advice. Not sure what they spent on the cleanup. On a broader note, my opinion regarding malware is along the lines of white-listing, although not using those specific words. I have been a long-time fan of strict controls for servers: anything that is not expressly authorized is malware. Typically this is just a program installed incorrectly or without proper authorization. File integrity monitoring systems, à la Tripwire, handle this very well.

Then again - I am perhaps more draconian than needed.
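The two points raised above, boot-sector malware that leaves no file for AV to scan and Tripwire-style integrity monitoring of O/S files, can be combined into one defensive check. The following is an added example, not code from the post or its commenters: it hashes the first sector of a disk image (verifying the 0x55AA MBR signature) and builds a baseline of file hashes, then reports what changed. The disk image, directory, file names and contents are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

SECTOR_SIZE = 512


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def boot_sector_record(image_path, sector_size=SECTOR_SIZE):
    """Hash the first sector of a disk image and check the MBR signature 0x55AA."""
    with open(image_path, "rb") as f:
        sector = f.read(sector_size)
    signature_ok = len(sector) == sector_size and sector[-2:] == b"\x55\xAA"
    return {"sha256": sha256_bytes(sector), "signature_ok": signature_ok}


def build_baseline(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_bytes(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Return (modified, added, removed) file lists relative to the baseline."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed


def demo():
    """Constructed scenario: a tiny 'system' whose boot sector and one O/S file change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        image = root / "disk.img"                       # constructed disk image
        mbr = b"\x33\xC0" + bytes(508) + b"\x55\xAA"    # 512-byte MBR, valid signature
        image.write_bytes(mbr + bytes(SECTOR_SIZE * 3))
        sysdir = root / "system"                        # constructed O/S directory
        sysdir.mkdir()
        (sysdir / "kernel32.dll").write_bytes(b"placeholder dll bytes")
        (sysdir / "explorer.exe").write_bytes(b"placeholder exe bytes")
        boot_before, baseline = boot_sector_record(image), build_baseline(sysdir)
        # Simulate what the post describes: rewritten boot code (signature kept
        # intact, so the disk still boots) plus a replaced O/S file and a dropped one.
        image.write_bytes(b"\xEB\xFE" + mbr[2:])
        (sysdir / "explorer.exe").write_bytes(b"replaced exe bytes")
        (sysdir / "dropped.sys").write_bytes(b"new driver bytes")
        boot_after = boot_sector_record(image)
        modified, added, removed = compare(baseline, build_baseline(sysdir))
        return {"boot_changed": boot_before["sha256"] != boot_after["sha256"],
                "signature_ok": boot_after["signature_ok"],
                "modified": modified, "added": added, "removed": removed}
```

A real deployment would store the baseline hashes off-box (a signed copy or a read-only share), since a baseline kept on the compromised system can be altered along with the files it describes.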