Re: Virus? - Disable .EXE, .COM, .LNK and group policy.
From: cquirke (MVP Windows shell/user) (cquirkenews_at_nospam.mvps.org)
Date: 05/27/05
- Next message: cquirke (MVP Windows shell/user): "Re: MS AntiSypware bug?"
- Previous message: cquirke (MVP Windows shell/user): "Re: Virus? - Disable .EXE, .COM, .LNK and group policy."
- In reply to: Zvi Netiv: "Re: Virus? - Disable .EXE, .COM, .LNK and group policy."
- Next in thread: cquirke (MVP Windows shell/user): "Re: Virus? - Disable .EXE, .COM, .LNK and group policy."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 27 May 2005 11:22:47 +0200
On Thu, 26 May 2005 18:24:08 +0300, Zvi Netiv
>"Brian Hoyt" <hoyty@hoyty.com> wrote:
>> First I want to say I am not interested in removing the problem as I can
>> reimage machines, I am more interested in figuring out the cause and
>> prevention methods.
>Figuring out the cause and preventing reinfection requires that you find out how
>what stung these computers entered the system.
Yep. A common myth is "I don't need to scan for active malware
because I just wipe and rebuild instead". Two problems:
1) Every general troubleshoot needs malware exclusion
Do you "just" wipe and rebuild whenever anything fails to work as
expected, in anything other than a clearly-defined way?
2) Rebuild just reproduces the original infectable state
The fact that your system was infected indicates that your defences
failed. Blindly rebuilding the same system that failed is not a
winning strategy, especially if your system is now spotlighted by
external entities that may re-assert the infection.
The worst-case version of (2) is where that entity is human. They see
the PC vanish off radar, and come back clean, so they know they screwed
up. They know what they did, and look back on that to see what might
have tipped you off, and they don't do that next time. They are
learning how to own you more effectively. You are learning nothing.
>> We have recently started seeing behavior on laptops that appears to be a
>> virus, I am however having great problem tracking it down. The symptoms
>> include but are limited to:
>> Disable in registry .EXE, .LNK and .COM
>Run www.invircible.com/download/fix_exe.reg. It's a registry merge file that
>fixes the "shell open" command associations that are stolen by many malware.
Something like this?
<paste>
<...to be pasted when found...>
</paste>
>stubborn cases, you will have to run the merge file in safe mode *with command
>prompt* to regain control on your utilities, that will let you find out how that
>malware initializes. Which is what you are after.
Stubborn cases may need more than Safe Mode, because where malware is
concerned, Safe Mode isn't. MS offer blow-all for that, if you are
on NTFS, but fortunately others do, e.g. Bart's PE.
>The apparent disabling of the LNK association is the byproduct of stealing the
>shell-open command from COM/EXE. There is none for LNK.
.LNK does have entries in the registry that are conjoined to your HKCR
view, but they don't take as simple a form as .exe -> exefile
.LNK are not as exploitable as .PIF, as the OS is clueful enough not
to run raw code in what is supposed to be a .LNK, as it does for .PIF;
.PIF is just another indication as to why generic "open" is a menace.
>This is why I offered the REG version of the fix file. The executable version
>is www.invircible.com/download/fixregex.com
You may have to do some more dancing, such as renaming REGEDIT.EXE to
something else, if .EXE is mis-associated and/or the name is blocked.
If Regedit.exe is blocked at a deeper level, you may have to operate
from outside the infected OS altogether. It just depends on how
serious the malware is about retaining ownership of your system, and
how skilled and diligent the malware coders are.
Now that malware coders are salaried by commercial malware vendors,
who are in turn bankrolled by vulture capital, you can expect more
proficient malware. Organised crime has similar budgets, but less
need to pose as legitimate business; malicious behavior may be harder.
>Something that isn't always understood well enough: Real-time AV and
>anti-spyware cannot stop malware that is being installed across the network,
>*even* if the malware is know to the protection SW, and the definitions file is
>the latest available. The reason is inherent to how AV work.
More on that, please?
>Seems that whatever that is, it enters through weakly protected shares, like
>admin$. The random characters displayed at the login screen could be the
>password guessing routine at work.
If you don't need hidden admin shares, kill them. Writeable access to
the startup axis is insanely unsafe hex practice, and "hidden" shares
with known names is another sick joke.
>The following page and white paper could be worth reading:
>www.invircible.com/item/53 describes general methods to deal with malware
Nice. It's always hard to know how complete such documents should be,
without feeding the kiddies, and as foreseeable exploits get discovered
and used ITW, what is "complete" in terms of "in use In The Wild" is a
moving target too. Prudence may also be why this paper doesn't
elaborate on which integration methods remain active in "Safe" mode.
It shakes down to this:
- intra-file infection or code replacement
- explicit (by design) integration
- implicit (by exploit) integration
To regain ownership of a system, you need to:
1) Formally scan for altered or replaced code files
2) Enumerate and manage all integrations
3) Scan for internal surface exploiters
Each of these requires a minimum level of formality:
1) No code off the infected system may be run, i.e. non-HD OS
2) No explicit integrations may be run, i.e. a true Safe Mode
3) No exploitable internal surfaces must be exposed
A mOS (maintenance OS) should be able to meet all three criteria,
though many candidate mOS may fail on (3). Simply not running HD code
during boot, and not processing the HD's integration settings, is no
longer enough to be properly formal.
A true "Safe Mode" should be able to meet (2) and (3). The advice to
use Safe Mode Command Only is an attempt to address (3), but Cmd.exe
offers its own exploit opportunities (always stipulate path and .ext).
Currently, XP on NTFS is like a car with no service tools and the
engine compartment welded shut. Runs great, until it goes wrong and
you find yourself locked inside a blazing wreck.
MS offers no mOS for (1), and no properly Safe Mode for (2) or (3).
There are no tools that comprehensively enumerate and manage all
explicit integration points. So we are left to flail around with a
Safe mode that is not safe, and 3rd-party tools such as Bart's,
HiJackThis and ShellExView to help the OS wipe its own butt.
Let's hope LH is continent and toilet-trained. Not holding my breath.
>---------- ----- ---- --- -- - - - -
Gone to bloggery: http://cquirke.blogspot.com
>---------- ----- ---- --- -- - - - -
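An added example, not part of this thread and not InVircible's fix_exe.reg, of the check that merge file implies: parse a registry export, report exefile/comfile shell\open\command values that deviate from the Windows default `"%1" %*` (and flag any lnkfile one, which the post says should not exist), then emit a merge file restoring the defaults. The SAMPLE_REG text and the sample_hijack.exe path are constructed.

```python
import re
# Windows defaults for the classes the thread discusses; a hijack typically
# puts a loader path in front of "%1". .LNK has no such command by design.
EXPECTED = {"exefile": '"%1" %*', "comfile": '"%1" %*'}
NO_COMMAND = {"lnkfile"}
KEY_RE = re.compile(r'^\[(?:HKEY_CLASSES_ROOT|HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes)'
                    r'\\(\w+)\\shell\\open\\command\]$', re.IGNORECASE)
DEFAULT_RE = re.compile(r'^@="(.*)"$')   # the key's (Default) string value

def unescape_reg(v):   # .reg string escaping: \\ -> \ and \" -> "
    return re.sub(r'\\(.)', r'\1', v)

def parse_open_commands(reg_text):   # file class -> its shell\open\command
    cmds, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = m.group(1).lower()
        elif line.startswith('['):
            current = None   # entered some other key: stop collecting
        elif current and (d := DEFAULT_RE.match(line)):
            cmds[current] = unescape_reg(d.group(1))
    return cmds

def audit(reg_text):   # (class, problem, actual) for each deviating association
    cmds, findings = parse_open_commands(reg_text), []
    for cls, expected in EXPECTED.items():
        actual = cmds.get(cls)
        if actual is None:
            findings.append((cls, "missing", None))
        elif actual != expected:
            findings.append((cls, "hijacked", actual))
    return findings + [(c, "unexpected", cmds[c]) for c in NO_COMMAND if c in cmds]

def fix_reg(findings):   # merge file restoring defaults for hijacked/missing classes
    out = ["Windows Registry Editor Version 5.00", ""]
    for cls, problem, _ in findings:
        if problem in ("hijacked", "missing"):
            out += ["[HKEY_CLASSES_ROOT\\%s\\shell\\open\\command]" % cls,
                    '@="%s"' % EXPECTED[cls].replace('"', '\\"'), ""]
    return "\n".join(out)

# Constructed sample export: exefile hijacked, comfile intact.
SAMPLE_REG = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\sample_hijack.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''
```

Feed it the output of `reg export HKCR\exefile` (and comfile/lnkfile) taken from outside the suspect OS if .EXE itself is mis-associated, as the post advises.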