A laymans guide to malicious files and why you shouldn’t always trust the software.

It was an interesting week at work with several malware infections making it through the various av protections that we have in place which proves that end user education should be your primary line of defense in the fight against virus’. It is amazing how often people will click on random emails that have been sent to them with random filenames just because the email arrived in their inbox (or in another mailbox that they happen to have access to), even if it was not addressed to them.

I was lucky enough to get one of these emails through to my corporate mailbox on Tuesday this week, evading detection by McAfee email protection and Forefront on the desktop. (Using another av solution would not have prevented this as you will see later)

Fake looking email
Would you trust this email?

This was obviously some scam with the description of the user not even matching the email address of the user. Being curious, I naturally saved the file to my hard drive and then uploaded it to virustotal. On Tuesday, only 1 of 58 av engines recognised this as a virus – kudos goes to Quihoo-360 for being the sole detector. I must admit that I’ve never even heard of this software and I was very surprised to see that only 1 av vendor recognised the file.

Tuesday morning's virustotal result - only one av picking it up from Quihoo-360

I submitted the file to McAfee for scanning by zipping the file up with 7-zip and password protecting it with the phrase infected and sending it to their response team at [email protected] Incidentally, McAfee’s instructions for doing this are very outdated as Windows10 no longer has the option to password protect a zip file. McAfee immediately came back saying that their analysis was inconclusive and the file had been submitted for further research.  This was an improvement on the previous sample I had submitted on Friday for a cryptolocker variant that came back as no virus found!

Wednesday morning I uploaded the file to virustotal again to see what the state of detection was.

This time the detection rate was slightly better – 9 products including Sophos that I use at home, but neither of the products in use at the office.

Wednesday morning detection rate

Thursday morning, two days after receiving the virus I received a response back from McAfee that confirmed the file was malicious. They included an extra.dat that would detect the file.

By this time, virustotal was showing 25 out of 53 products detecting the virus so it is getting better. Microsoft’s product was listed as detecting the file, yet Forefront was still passing it through as clean. Although virustotal has the definition date of 7/28, my computer was showing “defs of 7/26, update on 7/27”. Not sure why there is this discrepancy of the definition dates.

Yesterday, my laptop at home still had old definitions as it was not connected to the corporate lan and was still showing the file as clean which is pretty scary.

This morning I downloaded the file to my personal laptop, saving the file with a .txt extension so I would not accidentally open it – something that is easier to do on a touch screen tablet. Interestingly Sophos did not detect anything wrong with the file. Launching the file in notepad, it starts with the letters PK which implies the file is actually a zip file and there are several strings referring to HP printers and Adobe Photoshop.Snipped notepad view of infected file

At this point I’m not going to risk my machine further by opening it with 7zip to see what happens.

However when I copied the file to .zip or to .rtf Sophos did spring into action and quarantine the file. This is really handy as it protects the file from being saved to the machine in an executable form, but also allows you to save the file to the hard drive for further analysis in your debugger of choice.  Other applications will quarantine the file no matter what the extension is, making it harder to retrieve. On the other hand, you now have an infected file on the machine that av is not discovering.

This Sunday morning, I uploaded the file to virustotal again. This time we’re slightly better at 29/54 detections. However, Comodo, Malwarebytes, Panda, SuperAntiSpyware,Symantec, TrendMicro and Vipre (among others) do not detect the file as malicious.

Malware bytes is an interesting discovery as it’s not usually regarded as an av product as it typically protects you from software being installed into suspicious locations such as autorun, startup, browser toolbars etc as opposed to traditional av that scans every file being written or read to the hard drive. However in this case and my recent cryptolocker, MalwareBytes failed to find anything malicious although HitManPro did find the Cryptolocker exe file on the machine (but MalwareBytes and McAfee did not).

The best av is the human kind that recognises a file is suspicious or unexpected and does not open it – although even this kind of av can fail (and some are more prone than others!)

Incidentally, one of my favourite solutions for the Cryptolocker variant, in theory at least, is pretty drastic and requires the permissions of file shares to be changed so that files can be created but they can’t be edited. Users (and software) would be able to write new files to the file share, but any edits to the file would not be allowed unless the changes are written to a new file. This forces users to do Save-As all the time, may break Office documents that insist on modifying the original file, but would stop Cryptolocker from overwriting files on the drive. Obviously this takes up a lot more disk space and would not be suitable for shares holding Autocad documents.

*Please note that this post is not meant to denigrate any one particular av product in particular as I understand that definitions take time to produce but av software that does not detect infections 5 days later should probably be evaluated to see if it is safe for continued use.  I do reserve the right to moderate comments on this post if they are not helpful and just say “Product XYZ is useless”

Latest malware removals.

I had two pc’s given to me last weekend to fix various speed issues. Thankfully I had downloaded the AntiMalwareToolkit from Lunarsoft recently so I did a quick update which meant I had a lot of antivirus and antispyware tools with up to date definitions ready on a cd.
The first machine was pretty straightforward and just needed ad-aware removing and reinstalling to fix ad-aware crashing on bootup. At the same time I scanned for virus and was pleasantly surprised to see none on the machine. The combination of Norton 360, adaware and malwarebytes had done a good job. Norton was crippling the speed of the machine though and I had to disable Norton whilst I ran other diagnostics on the machine as it was just painfully slow whilst running.

The other machine was a whole other story. Norton AV2004 does not do a good job of keeping machines protected when the definitions were last updated in 2005, although I think you’d all agree that no other product would either! Running MalwareBytes detected 400 antivirus files ranging from vundo,trojans, spyware2009 and other infestations. My initial scan was run after booting the machine into safe mode – normal mode was unusable, taking 6 minutes to launch regedit after eventually managing to hit start/run and type in regedit.
The initial scan took over 8 hours to run. Unfortunately I had not cleaned out the temporary internet files on the machine – all 18gb of them! After the first scan completed I selected all the temporary internet files and deleted them. It took about 20 minutes for windows to finish the “preparing to delete” stage. I’m not sure what exactly it is doing, but it is incredibly annoying to hit delete, walk away from the computer and come back 20 minutes later to see it then popup and say “are you sure you want to delete these files?”. I could have deleted the files from a dos prompt but it was taking forever to do anything, so opening a dos prompt and then navigating would have been very painful.
So after 3 hours of deleting files, a reboot I did another scan. This time it took 2 hours. So the moral of the story is to delete temporary internet files first. Interestingly I later ran AdAware and that actually asked me if I wanted to delete these files before it did the scan.
The machine was now fairly responsive…..in safe mode, but still took forever to do anything in normal mode. Scans were coming up clean so the configuration was obviously still screwed up somewhere. I tried to uninstall symantec using their uninstall package but that just hung using no cpu usage so it was a hard reboot and I tried the Norton Removal Tool. The first time it would unpack the self extracting exe but do nothing after that.
At this point I came across a thread in software tips and tricks with the same symptoms of the machine running slowly and the start button being unavailable. This thread was started in 2004 so I was a bit pessimistic about the solution of running a reg cleaner (as most of them are not really worth bothering with). However several people had responded saying that the solution worked, with a couple of posts from Jan 2009 so I figured it was worth a try. I had never heard of the registry cleaner, but I had heard of Jv16 Powertools, so I downloaded RegSupreme and let it do it’s registry cleanup. I looked briefly through the results and could see nothing really unusual so I rebooted and was really surprised that the machine started to respond normally. I was then able to run the Norton Removal Tool and remove Norton from the machine completely.
I haven’t completely finished with the machine yet, but I’m nearly there. You may be wondering why I took so long on this machine. To be truthful, if it was mine I’d have wiped it straight away, but as the issues got harder to fix, my stubbornness and curiosity got the better and I needed to know how to fix the problem and retain the data on the machine. After all, formatting is the easy way out and one day I’ll have a machine that I MUST repair in order to get data and this experience will have given me some helpful experience and preparation for that day.