Hello! I'm Defron and this is my blog.

Thursday, June 20, 2013

Proper Computer Infection Triage

It's been a long time since I last cleaned up an infection. I do my best to keep it from happening on my computers that run Windows as well as those I manage. Of course, eventually something gets through. Yesterday (my day off, since I work Saturdays), I got a call from the office about a computer acting weird. It turned out to be the System Care Antivirus rogue software. According to file timestamps, infection occurred around 1:34 PM. I was notified approximately 10 minutes later.

Like a stroke, I believe that fast action is important, and the mnemonic FAST still applies, albeit a bit differently, since here it relates to triage instead of identification:
  • F[ull stop]: Once you think you're infected, don't do anything with the computer.
  • A[lert (me)]: I need to know ASAP.
  • S[hutdown]: I'll do it if I'm there. Otherwise, get that computer turned off ASAP (usually a hard power-off; I'd rather have a single PC damaged than risk malware spreading over the LAN).
  • T[ime]: This one stays the same. Time is important. The longer a virus has to act, the more extensive the damage, and the less likely infection removal will be the right course of action. Files may be irreversibly damaged without a reinstall, and you just never know.
As hinted in that last one: I'm a strong believer in disk imaging. Clonezilla is awesome; RedoBackup is great for those who want a GUI. I haven't gotten around to messing with FOG, but it's definitely a project that interests me (and of course Windows 7 and 8 can create an image natively, as can Windows Server through its own server-side tools). I don't usually deal with viruses, because it takes more time to clean up the mess than it does to restore an image. This time was an exception. The EHR software we use at work had been upgraded, along with some other programs on that particular computer. I hadn't imaged it since these upgrades (my bad). Since triage had been followed, reinstalling those programs (some of them require every other client to be exited before a new client can be added) would have taken longer than cleaning the infection. Had triage not been followed, I probably wouldn't have tried. Triage really makes that big of a difference, in my opinion.

So now to explain FAST.

F -- Full Stop

Many infections start out as a simple file that was able to execute itself in the %AppData% area of your computer. It doesn't have many permissions yet, and the damage is usually not that bad. It will then try to trick you into giving it more power by clicking on something. By stopping everything and not touching anything, you can in many cases stop the virus in its tracks. This wasn't the case this time. It looks like the virus used an exploit in Adobe Flash Player to get a deeper foothold -- more on this later.

A -- Alert (me)

If you aren't computer savvy, now is the time to get help. In the case of my office, I'm the one alerted. The sooner the problem is brought to the attention of others, the more easily it will be resolved. If you are at work, please note this: you will not be able to keep an infection a secret. Eventually it will come out. All you are doing is putting your coworkers' computers, and the business, at risk. Tell someone, and tell them fast. I am quite proud of how well it was handled. The person whose computer was infected told the office manager, who promptly instructed her to call me, just as it should have been done. It was beautifully handled.

S -- Shutdown

This one goes along with Full Stop. If the computer has been truly compromised (which the alerted person should be able to tell), then it's time to power that bad boy off. Some malware will try to stop this. Solution: hit the switch on the power cord. A hard power-off is much better than other computers getting infected. I instructed the coworker to turn off the PC, and it stayed off until I got there. She was given a laptop to work on in the meantime.

T -- Time

Time is of the essence in an infection. Just like in a real medical emergency, triage is designed to quickly ascertain the severity of the problem. The longer it takes to triage, the more at risk the bad cases are. In the case of a computer infection, the longer it takes to get a PC squared away, the worse it is going to be and the less likely cleanup will succeed at restoring the PC to its former glory.

I have two time counters. The first one is time from infection until the end of triage. I give this 30 minutes. If more than 30 minutes have passed and the PC is still being actively used, most likely that infection is going to be in every nook and cranny of the PC, maybe even jumping across the network. The second is cleanup time. This one is 60 minutes. If no progress on cleaning up the infection has been made in one hour, it's probably time to wipe and start from scratch. Infection cleaning is a race against the clock in every aspect. The longer you spend cleaning, the more appealing the wipe-and-reinstall method will be. I find one hour to be a good compromise. If I've made good progress and everything seems in order by then, I'll continue cleaning up the infection. If I haven't even come close to getting it under control, then it's time to wipe and reinstall.

My Case

As mentioned, this was my first cleanup in a long time. My first cleanup in years, in fact. It was quite pleasant, or at least as pleasant as a cleanup can be. I attribute most of this to the triage method described above. None of the network shares were infected, and the PC is back up and running.

The infection appears to have been due to an outdated Flash Player install. I don't know how that happened. It should have been updated, but wasn't. The user had visited a website (the website in question seems to have been compromised rather than being a malware site itself), and then wham, the System Care popup started screaming its alerts at her. She made the best next move by telling the office manager. The office manager then told her to call me. I got the call. I told her to shut down, and she got a laptop. I arrived the next day and started cracking.

First, the PC was taken out and brought back to my office room. It was disconnected from the network and booted into safe mode. I had done my research beforehand and quickly deleted the files and removed the registry entry related to the malware via the command prompt. Total time? A few minutes (I spent more time getting the PC to my room than deleting these files). All was looking good so far, so I booted into Windows normally, expecting the worst. It wasn't bad. I was able to launch things without a problem. First I launched the antivirus software (Vipre Business). Lookie there! It had caught two files. It may not have been a full success, but it did catch part of the malware, which was probably why it was so easy for me to delete the rest manually (along with the blitzkrieg tactics in my removal methods). So now it was time to get some better malware scanning software and get the AV up to date.

Before I did that, I noticed that there was an Action Center alert. Apparently the malware had disabled the Windows Security Center service. I went into Services to try and re-enable it, only to see that it didn't exist. Uh-oh. Looks like the malware did more than I initially thought. Most likely it deleted a few registry values, causing the service to disappear. Knowing that, I decided to gamble on a System Restore. I consider System Restore a gamble because many malware programs infect the restore points, so when you restore, you just end up restoring the malware too. I figured that if it didn't work I'd just wipe and reinstall, so little time would be lost either way. I chose a somewhat older restore point, hoping that would lower the odds of restoring the malware, since it had only had about 20 minutes before I deleted its core files and registry entries.

It was successful! Security Center and firewall and everything were all back after the system restore, and still no traces of the malware! So now I needed Internet access.

Even though I had done some cleanup and everything was looking good, I'm far too paranoid to just plug this computer into the LAN after it's been infected. It won't get LAN access until I've given it a clean bill of health. So what to do? I don't have a secondary Internet connection to use. This is where my Quarantine LAN comes into play. Using a DD-WRT router and some iptables rules, I made it so the desktop could connect to the Internet, but not to any computer on the LAN. By using a different subnet for the quarantine router and blocking the DHCP pool of the servers outside of it, I guaranteed that this computer couldn't infect my LAN even if it was filled with the nastiest of nasty malware (which it wasn't at this point). So then I went on and installed some more antimalware tools and updated all the cleanup tools to the latest definitions and versions. CCleaner took care of any temporary files, with me manually cleaning up some it missed. The antimalware software was humming along, removing traces in cached and temporary files every now and then. It was the Vipre log that told me the infection seemed to be Adobe Flash Player related. The computer showed no signs of infection this entire time: everything was running fine and nothing weird was going on. After a few runs with the various scanners, things were coming up clean. HijackThis logs were clean of anything worrying too. I put the PC back and that was it.
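
The quarantine-router setup described above, written out as an added example rather than the post's own script: a DD-WRT firewall script (the "Save Firewall" box under Administration > Commands) for a second router whose WAN port plugs into the office LAN and whose own LAN holds only the suspect PC. The office subnet, its DHCP pool and the quarantine subnet are assumed values, not taken from the post.

```shell
#!/bin/sh
# Added example of the quarantine-LAN idea: a DD-WRT "Save Firewall" script for
# a second router whose WAN port plugs into the office LAN and whose own LAN
# holds only the suspect PC. All addresses below are assumptions, not from the post.
MAIN_LAN="192.168.1.0/24"                     # office LAN on the quarantine router's WAN side
MAIN_DHCP_POOL="192.168.1.100-192.168.1.200"  # pool the office DHCP server hands out
QUARANTINE_LAN="192.168.50.0/24"              # separate subnet served by the quarantine router

# Default is a dry run that only prints the rules so they can be reviewed off the
# router; on the DD-WRT box run the script with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

quarantine_rules() {
    # -I puts each rule at the top of FORWARD so it wins over DD-WRT's default
    # accept rules. FORWARD is evaluated before NAT, so the source is still the
    # suspect PC's private 192.168.50.x address here.
    $IPT -I FORWARD -s "$QUARANTINE_LAN" -d "$MAIN_LAN" -j DROP
    # Belt and braces for the office DHCP pool: if someone later narrows the
    # subnet rule, every address a workstation can pick up is still unreachable.
    $IPT -I FORWARD -s "$QUARANTINE_LAN" -m iprange --dst-range "$MAIN_DHCP_POOL" -j DROP
    # Log (non-terminating, so it sits above the DROPs) what the suspect PC tried
    # to reach on the office LAN: evidence for the "did it spread?" question.
    $IPT -I FORWARD -s "$QUARANTINE_LAN" -d "$MAIN_LAN" -j LOG --log-prefix "QUARANTINE: "
}

quarantine_rules
```

Internet traffic is unaffected because only destinations inside the office subnet are dropped; the quarantine router's own DNS forwarding goes through its OUTPUT chain, not FORWARD, so the suspect PC still resolves names through the router.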

I ended up spending a few hours due to me being cautious. Rebooting, rescanning, scanning with all sorts of things. It eats a lot of time, but I wanted to be confident in my clean bill of health before I put it back in place. During the time I was also running scans on the network shares and other computers just to be safe.

In the end, it was a pretty successful cleanup story. And for the future? Well, I might implement Click-to-Play for Flash content now.