Re: Help as a "system cleaner"!
From: cquirke (MVP Win9x) (cquirkenews_at_nospam.mvps.org)
Date: 02/19/05
- Next message: RipperT: "Re: Help!!"
- Previous message: David H. Lipman: "Re: spyware."
- In reply to: Matt Gregory: "Help as a "system cleaner"!"
Date: Sat, 19 Feb 2005 22:30:50 +0200
On Wed, 16 Feb 2005 15:12:27 GMT, Matt Gregory wrote:
>I can't really call it systems administration anymore, since it's
>nothing but a maid's job. What is the best way to approach going
>to people's houses and offices and cleaning malware and viruses
>out of their computers?
You are right; it's NOT system administration!
As a sysadmin, you are there to represent the owner's interests at the
costs of the users'; typically, you constrain the users' rights to do
unapproved things on the PCs they have to use.
That is an utterly alien mindset to what you are now being called to
do. Now, you are there to represent the users' interests, so
facilitate whatever it is that they want to do, and defend them
against all the other creeps in the world (including businesses).
In my experience, 80% or more of everything you see, in terms of
vendor documentation, certification, training, etc. is going to serve
the "sysadmin" requirement, and is thus generally not applicable. You
may well find that what works for your new world will fly in the face
of standard IT advice, but press on; you have to find your own clue.
The first decision to make, especially when you get busy, is what jobs
to tackle on site and what jobs to take home. For anything that's
open-ended, and for most first-contact as you describe, I take home.
General approach:
- verify hardware and file systems
- formally exclude/clean traditional malware
- clean up commercial malware
- purge temp, TIF, SR and set new SR baseline
- defrag
- patch
- manage risk, data stores, and backup
- apply defensive software
- test and troubleshoot user's listed failure patterns
I've written about these things in various ways:
http://cquirke.mvps.org/9x/badpc.htm
http://cquirke.mvps.org/9x/bthink.htm
http://cquirke.mvps.org/pccrisis.htm
http://cquirke.mvps.org/whatmos.htm
Zooming in only on steps 2 and 3 in the first un-numbered list, I do:
DOS mode diskette boot, F-Prot for DOS scan all (can't scan NTFS)
Bart's PE CDR boot, and from there:
- Trend SysClean
- Avast scanner
- McAfee Stinger
- ADSSpy (if NTFS)
- install, update and scan AdAware
- install, update and scan Spybot
HD boot Safe Command Only:
- may repeat above scans
- HiJackThis
- manual tools to taste
HD boot, each user accounts:
- repeat anti-cm scans (AdAware, Spybot)
- repeat HiJackThis
General approach is:
- detect only, log results
- research unfamiliar malware for caveats
- clean, log results
When scanning formally, you'd typically be using an environment and
tools that can knock out malware files, but can't resolve integration
references to them. That can create a DoS situation, or worse - which
is why you may want to preserve an undo trail (e.g. rename-away rather
than delete stand-alone malware files, log all that you do).
Also, when working outside the OS as above, SR can't maintain that
undo trail for you. You have to assume responsibility for that.
>I had this one computer, it had Windows XP with no patches,
>no firewall, nothing but a really old version of Norton that's never
>been updated. They had Kazaa, several chat programs, and
>Internet Explorer and that was about it.
That is the usual starting point. It represents a tremendous
opportunity to add value and establish your reputation! Ideally, you
want the PCs you work on, to:
- be clean
- *stay* clean
- lose no data at all
- be faster and nicer to work with
A "big-bang" first-contact session can mean a lot of changes,
especially where you assess their risk profile and strongly recommend
changes that are not transparent to the user - e.g. changing email
apps, switching from Kazaa to safer alternatives or (at least) Kazaa
Lite, that sort of thing. Be prepared for a long user session on
re-entry, and possible follow-up sessions.
By the same token, you may decide not to make too many changes at
once. In order to establish a clean baseline, I import email into
Eudora so that all hidden attachments are exposed and can be scanned
and cleaned - and thereafter, I strongly discourage going back to
original email apps that still hide malware. I may make several other
changes too, and the more I change, the more I may have to follow up.
So I generally do NOT gratuitously upgrade BIOS, device drivers or
apply Service packs at this stage. I'd rather wait until things
settle before doing that (if I ever do). But some things HAVE to be
fixed, e.g. IE has to be made safe against MIME-spoofing attacks,
RPC/DCOM (Lovesan) and LSASS (Sasser) holes have to be fixed, etc.
>thing must have had at least fifty viruses on it. It would not run
>at all when I first got it. I tried David Lipman's procedure, which
>got rid of a lot of it, but it still had this one called ckey.exe
>on it, which, when hooked itself into the operating system to receive
>WinLogon notifications, it installed a BHO into Internet Explorer,
>and I don't know what else it did, but every time you tried to kill
>it, it would respawn attached to another process on the system, which
>would usually crash that process. All I could really do was suspend
>it. Anyway, I worked on the thing for probably 8 hours and when I
>finally got rid of it, the registry was damaged. The Add/Remove
>Programs applet was just no longer operational, so I wound up
>reformatting the whole thing from scratch anyway. It was a complete
>waste of time trying to clean it.
Not really; you found out what was there, figured how it got in, and
could tackle that, and you learned some stuff. The last is value to
your account rather than the users', but it's value nonetheless.
If necessary, be brutal. If the client goes "why must I change
{anything}?" or "I can't be infected; I use NORTON", then explain
bluntly that whatever they have been doing to stay safe has FAILED,
and therefore some changes are obviously necessary.
>So how do you deal with this? When you sit down in front of an
>infected machine that you've never seen before, do you just reformat
>the whole thing every time or what?
Never. That's a luxury only sysadmins can afford, and is the reason
why they have little of value they can offer you. Remember, losing an
installation is to stand-alone users what losing the server plus all
backups is to a sysadmin. Different folks need different strokes.
>I usually try not to do that and save the user's data, but have
>things gotten so bad that it's just not practical anymore?
Consider what you are implying, by that assertion. If this is indeed
the case, then Windows is no longer fit for consumerland use.
>Are there any tools anyone could recommend for this job?
Your cleanup tools are...
1) Mugshot-recognition scanners for traditional malware
2) Mugshot-recognition scanners for commercial malware
3) Non-editorializing visualization and management tools
...plus the OSs that host these.
Category (3) includes HiJackThis, which is a great overall starting
point, but it doesn't maintain an Undo trail. In addition to that, I
use several niche tools for particular purposes:
- ADSSpy, to list and manage Alternate Data Streams (NTFS)
- Shell Extension Viewer, for shell integrations (reversible)
- LSPFix, to clean up Layered Socket Provider damage
- BHOList, to list and manage Browser Helper Objects
- Eudora, to import mail and thus expose attachments
The big thing to remember about category (3) tools, is that they don't
give you answers on a plate, and you WILL screw up if you just "fix"
everything <g> ...approach with the same care as Regedit.
Finally, watch out for MS's new anti-spyware tool; it's still in beta,
but it's a good combination category (2) and (3) tool.
After cleanup, your defensive approaches include these tools...
a) Firewall
b) Antivirus resident scanner
c) Other hardenings, e.g. Spyware Blaster
d) On-demand scanners, e.g. AdAware and Spybot
...but should go beyond, to address every point in the risk stack:
Intention: Educate users
- "think before you click"
Safety: Counteract bad software design
- avoid crappy apps
- risk-manage to block clickless (autorun) attacks
- risk-manage to show risk-relevant information
Sanity: Fix or amputate defective code
- OS and IE patches
- Sun Java versions (kill old vulnerable ones)
- application versions/patches; Mozilla, Winamp etc.
Risks are not only from malicious software, but natural data
corruption and hardware failure too. Prepare for these, and mitigate
them as far as possible, e.g.
- keep data off C: (usually practical only for rebuilds)
- avoid deeply-nested data paths
- separate data, risky material, code and bloat
- set up data backups, automated if possible
- avoid "data deathtrap" applications
This is the worst sort of "data deathtrap":
- proprietary data format
- mixture of data plus risk (incoming) material
- huge often-updated files
- deeply-nested locations, esp if mixed with infectable code
- known and non-changeable data locations that ease attack
- data is bound to application version
- application is bound to OS or office suite version
If that sounds like "avoid MSware for email", then duh; yes!
HTH
--
Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
----------------------- ------ ---- --- -- - - - -
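Added example, not code from cquirke's post: the "rename-away rather than delete, log all that you do" advice above, as a small Python quarantine routine with a replayable undo log. When you clean from a boot disk or Bart's PE, System Restore is not watching, so the script keeps the undo trail itself: every suspect file is renamed aside with a suffix, each action is appended as one JSON line to a log, and undo() replays that log newest-first to put files back (the DoS case where the OS still references a file it can no longer find). The suffix, the log format, the helper names and the sample file names in demo() are this example's own assumptions; ckey.exe is taken from the thread, the file contents are constructed and harmless.

```python
"""Rename-away quarantine with a replayable undo log (added example).

Assumptions of this example, not taken from the post: the ".quarantined"
suffix, the one-JSON-object-per-line log format, and the helper names.
"""
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

QUARANTINE_SUFFIX = ".quarantined"  # assumed convention; any non-executable suffix works


def _now():
    return datetime.now(timezone.utc).isoformat()


def quarantine(paths, log_path):
    """Rename each suspect file aside and append one JSON line per action to log_path.

    Nothing is deleted: a false positive, or a file the OS still has an
    integration reference to, can be put back with undo(). Files that are
    missing, not regular files, or already have a quarantine copy are
    logged as skipped rather than touched.
    """
    entries = []
    for p in map(Path, paths):
        if not p.is_file():
            entries.append({"action": "skip", "path": str(p),
                            "reason": "not a regular file", "time": _now()})
            continue
        target = p.with_name(p.name + QUARANTINE_SUFFIX)
        if target.exists():
            # never overwrite an earlier quarantine copy; log it and move on
            entries.append({"action": "skip", "path": str(p),
                            "reason": "quarantine target exists", "time": _now()})
            continue
        os.rename(p, target)
        entries.append({"action": "rename", "from": str(p), "to": str(target),
                        "time": _now()})
    with Path(log_path).open("a", encoding="utf-8") as fh:
        for e in entries:
            fh.write(json.dumps(e) + "\n")
    return entries


def undo(log_path):
    """Replay the log newest-first, restoring every rename whose quarantined file still exists."""
    restored = []
    for line in reversed(Path(log_path).read_text(encoding="utf-8").splitlines()):
        e = json.loads(line)
        if e.get("action") != "rename":
            continue
        src, dst = Path(e["to"]), Path(e["from"])
        if src.is_file() and not dst.exists():   # don't clobber a reinstalled clean copy
            os.rename(src, dst)
            restored.append(str(dst))
    return restored


def demo():
    """Run quarantine then undo on constructed files in a temp directory; return what happened."""
    root = Path(tempfile.mkdtemp())
    suspects = [root / "ckey.exe", root / "helper.dll"]   # constructed sample names
    for p in suspects:
        p.write_bytes(b"MZ-not-really-malware")            # constructed, harmless contents
    log = root / "cleanup.log"

    entries = quarantine([*suspects, root / "missing.exe"], log)
    after_quarantine = sorted(p.name for p in root.iterdir() if p != log)
    restored = undo(log)
    after_undo = sorted(p.name for p in root.iterdir() if p != log)
    return {
        "renamed": [e["from"] for e in entries if e["action"] == "rename"],
        "skipped": [e["path"] for e in entries if e["action"] == "skip"],
        "after_quarantine": after_quarantine,
        "restored": restored,
        "after_undo": after_undo,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In real use you would feed quarantine() the paths your detect-only pass logged, keep cleanup.log with the job notes, and only delete the .quarantined copies once the user has run each account for a while without a DoS showing up.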