Your Windows PC is infected with a new virus. I mean, really infected, the virus was executed and installed itself permanently. You update your antivirus product (AV) and start a scan. It detects the virus and cleans your machine: it kills the process, it deletes the files and removes the startup registry keys (like the Run keys). But is your PC really cleaned? Is everything the virus did undone? Who knows?
Malware can carry a very destructive payload that no AV can undo.
Take the W32/Bagle.fb virus. It deletes the SafeBoot key, only a couple of assembly lines are needed to wipe your Safe Mode configuration:
PUSH raehtvlv.00415AE8 ; ASCII "SYSTEMCurrentControlSetControlSafeBoot"
CALL raehtvlv.00409024 ; JMP to shlwapi.SHDeleteKeyA
But this is not easy to correct. No AV product will do this for you. It will delete the files (this bagle doesn’t only install itself, but also a rootkit, m_hook.sys, to hide itself) and remove the startup entries from the registry, but it will not reconstruct your SafeBoot key.
This Bagle also disables an enormous amount of security related Windows services, like the AV your running. It uses this subroutine to disable a service:
00404583 /$ 55 PUSH EBP
00404584 |. 8BEC MOV EBP,ESP
00404586 |. 81C4 4CFFFFFF ADD ESP,-0B4
0040458C |. C785 4CFFFFFF >MOV DWORD PTR SS:[EBP-B4],94
00404596 |. 8D85 4CFFFFFF LEA EAX,DWORD PTR SS:[EBP-B4]
0040459C |. 50 PUSH EAX
0040459D |. E8 7A490000 CALL raehtvlv.00408F1C ; JMP to kernel32.GetVersionExA
004045A2 |. 83BD 50FFFFFF >CMP DWORD PTR SS:[EBP-B0],5
004045A9 |. 72 62 JB SHORT raehtvlv.0040460D
004045AB |. 68 3F000F00 PUSH 0F003F
004045B0 |. 6A 00 PUSH 0
004045B2 |. 6A 00 PUSH 0
004045B4 |. FF15 5DF64100 CALL DWORD PTR DS:[41F65D] ; advapi32.OpenSCManagerA
004045BA |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004045BD |. 0BC0 OR EAX,EAX
004045BF |. 75 04 JNZ SHORT raehtvlv.004045C5
004045C1 |. C9 LEAVE
004045C2 |. C2 0400 RETN 4
004045C5 |> 6A 22 PUSH 22
004045C7 |. FF75 08 PUSH DWORD PTR SS:[EBP+8]
004045CA |. FF75 FC PUSH DWORD PTR SS:[EBP-4]
004045CD |. FF15 61F64100 CALL DWORD PTR DS:[41F661] ; advapi32.OpenServiceA
004045D3 |. 0BC0 OR EAX,EAX
004045D5 |. 74 2D JE SHORT raehtvlv.00404604
004045D7 |. 50 PUSH EAX
004045D8 |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
004045DB |. 52 PUSH EDX
004045DC |. 6A 01 PUSH 1
004045DE |. 50 PUSH EAX
004045DF |. FF15 65F64100 CALL DWORD PTR DS:[41F665] ; advapi32.ControlService
004045E5 |. 8B1424 MOV EDX,DWORD PTR SS:[ESP]
004045E8 |. B9 07000000 MOV ECX,7
004045ED |> 6A 00 /PUSH 0
004045EF |.^E2 FC LOOPD SHORT raehtvlv.004045ED
004045F1 |. 6A FF PUSH -1
004045F3 |. 6A 04 PUSH 4
004045F5 |. 6A FF PUSH -1
004045F7 |. 52 PUSH EDX
004045F8 |. FF15 69F64100 CALL DWORD PTR DS:[41F669] ; advapi32.ChangeServiceConfigA
004045FE |. FF15 6DF64100 CALL DWORD PTR DS:[41F66D] ; advapi32.CloseServiceHandle
00404604 |> FF75 FC PUSH DWORD PTR SS:[EBP-4]
00404607 |. FF15 6DF64100 CALL DWORD PTR DS:[41F66D] ; advapi32.CloseServiceHandle
0040460D |> C9 LEAVE
0040460E . C2 0400 RETN 4
In a nutshell:
1. this subroutine is called with the name of the service to disable on the stack
2. it checks if it’s running on Windows XP, and returns if not
3. it opens the service manager, and returns if this fails
4. it opens the service to disable, and returns if the service doesn’t exist
5. it disables the services (sets the start parameter to disabled)
6. it closes the service
7. it closes the service manager
This subroutine is called for each entry in a long table of security products:
Ahnlab task Scheduler
BTW, wuauserv is the Windows Update service.
As a developer, I’m not impressed with the quality of this code:
- testing for Windows XP: do this only once, no for each service
- the service manager: open the service manager, process all the services, and then close the service manager. Opening and closing the service manager for each service is too much overhead.
And if I were a malware developer, my routine would be more destructive. The ChangeServiceConfig system call is called with mostly null arguments:
hService = 0015D840
ServiceType = SERVICE_KERNEL_DRIVER|SERVICE_FILE_SYSTEM_DRIVER|SERVICE_ADAPTER|SERVICE_RECOGNIZER_DRIVER|SERVICE_WIN32_OWN_PROCESS|SERVICE_WIN32_SHARE_PROCESS|SERVICE_INTERACTIVE_PROCESS|FFFFFEC0
StartType = SERVICE_DISABLED
ErrorControl = SERVICE_NO_CHANGE
BinaryPathName = NULL
LoadOrderGroup = NULL
pTagId = NULL
pDependencies = NULL
ServiceStartName = NULL
Password = NULL
DisplayName = NULL
This means that those parameters remain unchanged. Take the BinaryPathName argument, it sets the service parameter that points to the executable and often contains command line arguments. Without this information, the service manager doesn’t know which program to start. Setting BinaryPathName to a string, e.g. “wiped”, will overwrite this information and you’ll have a very hard time correcting this…
By now you should be convinced that this Bagle is nasty, that it could easily be made nastier, and that your AV will not restore your OS to its former glory and that you’ll have a hard time fixing everything. And this is “just” a mass mailer virus. Spyware is notoriously harder to clean.
Removing the infection is one step, and your AV should do this, but restoring your computing environment is another essential step, and your AV doesn’t help you with this.
That’s why I advise to rebuild an infected machine: format the disks and reinstall the OS, the applications and the data.
But I only advise this in case of a “real” infection (the malware was executed) and when it ran with local admin privileges.
If you’re sure the malware wasn’t executed (e.g. it was in a ZIP file and the AV detected and deleted the ZIP file when it was downloaded), there’s no damage done.
If it was executed with the authority of a normal user (not a power user or local admin), it will be easier to clean up, because it cannot modify the OS or the security products (privilege escalation aside and provided your security products are protected). Scanning the user’s profile and data, and checking the user’s startup entries is enough to remove the infection, and the computing environment doesn’t need restoring.
But if the malware ran with local admin privileges, all bets are off. It can do anything to your system, you can never be 100% sure what it did. Do you trust the malware descriptions of your AV product for 100%? Do they list everything in detail? If they omit something, you will not know about it and cannot fix it. For example, not all AV vendors did mention the deletion of the SafeBoot key for this Bagle virus.
And if the infection was a downloader (a program that downloads several other malwares from the Internet and installs them), not even the AV company can tell you what the malware did. Because nobody can tell you what was downloaded and executed. Even if you obtain the URL, download the malware and analyze it, you cannot be sure you downloaded the same malware.
Reinstalling a machine can be costly, especially if you’re not organized and prepared for it. You can decide that reinstalling is more costly than cleaning, and accept the risk of using a corrupted machine. It all depends on the risks you’re running, i.e. what you use your computer for.
Let’s assume you can wipe out the infection completely. Then you still need to ask yourself if your OS and security applications have not been tampered with and if you’re willing to trust them.
- Rootkit techniques to subvert your OS become more prevalent in malware.
- Tampering with security applications is still limited to disabling/crippling them, but I’m sure these attacks will become more complex. For example, I was able to “patch” my AV. It’s completely functional, but it doesn’t alert anymore when a virus is detected. And if I can do it, …
I’m prepared for an infection:
- First of all, I don’t trust unknown programs and attachments
- I use an antivirus and a Host Intrusion Prevention System
- I use a normal user account
- My data has its own directory and is encrypted (Truecrypt)
- I make regular backups
o Monthly Full image backups on a USB hard disk (on-site and off-site)
o Weekly data backups
o Daily online backups of essential data
- I patch diligently
- I maintain an unattended, slipstreamed Windows installation image (nlite), mainly for building virtual machines, but I can use it to rebuild a real machine
- I maintain a list and backup of the applications I install
- My banking applications run in a dedicated, virtual environment
You’re probably thinking that the cost of these mitigating actions is higher than the cost of dealing with a real infection, and you’re probably right. Except that these actions also mitigate other risks that I run, like data loss, disasters …
And cost is not only expressed in money and time, but there’s also the “sentimental” cost a person can incur. I’ve taken more than 10,000 digital pictures over a decade, and they’re priceless.