So the last lab session I attended during HITB was Ching Tim Meng’s presentation on malware detection and removal with antivirus.

- VIRUS! DIE!
In his presentation, he asserts that malware requires the stability of the system to survive, and defines malware as “software designed to infiltrate or damage a system without the owner’s informed consent”. He goes on to list types of malware, including trojan horses, viruses, worms, logic bombs, etc.
I feel that he made one big mistake in that assumption. Let’s take for example -

I’m sure everyone remembers this little dialog box here. The Blaster Worm certainly did not require the stability of the system to survive. In fact, making the system unstable and unusable (a forced shutdown after a minute, unless you typed shutdown -a in time) was its primary and only goal.

Witty Worm
Not too far back, in 2004, Witty was discovered. And yes, it destroyed the system as well. In fact, it corrupted the system to such an extent that at some point the worm itself would cease to exist.
I’m sure there are more of these malware out there that aren’t as well known, but one way or another they do infect and corrupt your system.
However, while his methods of removing malware are not always foolproof and his assumption isn’t exactly accurate either, I would say that his effort was commendable and his method was easy enough for most to understand.
Tags: anti-virus, hitb, malware, tim meng, worm
Hi, I remembered who you are, and I will just clarify about what you mention in your thoughts on my talk.
Funny you mention Blaster, Witty or even Code Red. These are worms that caused wide-spread disruption, which I did not deny happened, as mentioned in one of my slides, “Malware: In the past”. The problem with such malware is that it is TOO OBVIOUS to users that their systems are compromised, and it does the malware writer no good when their malicious code is too rapidly cleared (reinstall, remove, etc). Thus they were almost eradicated by most organisations as fast as they spread.
Today, if the malware is to survive, it has to be quiet, stable, and inconspicuous. Think Sinowal, which existed for 3 years and was mentioned everywhere recently when RSA took it apart to understand how it works. It is on that previously mentioned assumption that most stable malware never corrupts system files, and thus it actually becomes easier to remove.
So in short, widespread damage + loud == detected faster by people and removed faster; targeted attack + silent == lasts longer in systems to fulfil its role.
As I mentioned before in my talk, my method is certainly not foolproof, though I can safely say that till now I have yet to encounter a malware (over 40 real-world infections, plus 1 from a classified government organisation that claimed it could not be removed using my technique) that cannot be easily removed via my method. It was through helping so many people that I noticed that most malware can be removed via this method, and so I quickly spread the word so that people do not have to reinstall or send for professional help.
There were professional malware writers present at my talk who challenged me off the record, saying they have wares that definitely cannot be removed (like what you mentioned in the last 2 paragraphs). I am not surprised, and I am working with them now on how foolproof their wares really are. If I have a chance I will share the findings at a later date.
Meanwhile I hope the above clarifies my position. Based on your thoughts, I think I did not explain clearly the applicability of my techniques to the various malware out there (e.g. my methods may not cover OS X and Linux either). Will take this into consideration in my subsequent talks with other attendees.
Anyway hope to see you again in Singapore (or HitB) in the future. Good day!
Hi Tim Meng! It’s great to see you respond!
You are right in saying that worms like Blaster and Sasser are quickly removed by organizations. However, the point I was trying to bring across was that while the trend of malware characteristics is moving towards what you have said, it does not mean that worms with only an intent to disrupt services and usage are not created and released. Furthermore, many malware in the wild these days also hog CPU usage to a very high level - also a very obvious sign of infection. I feel that they are as much of the present as they are of the past and should be encompassed in the definition of “malware”, even in today’s context.
Take for example, I was looking at my cousin’s desktop last year when he mentioned that there was a virus in his computer. He did not have any AV installed, so I had to manually check and clean it myself. The worm self-replicated in every possible folder within every existing drive, disguised with a folder icon. Its file size was the same but its file name was randomly generated.
Another point I should bring up based on the above example is that sometimes, using the generic method may not always be the best way to remove the malware completely.
A last point I forgot to mention in my post - one should exercise caution while ending processes and deleting files. The lack of a company/version signature does not necessarily mean that the file / process is illegitimate.
Do leave me a website or something which I can refer to for finding your latest research. I’d definitely be interested in reading it, especially the irremovable malware.
If possible, I’d even like to get my hands on them to try out!
Ciao!
Hi,
Heh, no problem, Google was telling me you were talking about my talk. Heh heh.
Err, what you said is generally right. Again, the context of my talk wasn’t made too clear, meaning: if you are stuck with absolutely nothing on hand except Process Explorer, how far can you go? The surprising answer, even to myself, is that one can go very far with almost no help. Of course, the ideal situation is that one has all the necessary tools (Live CD, external hard disk kit, etc) to clean malware in a more convenient manner. Then again, I was too lazy to bring so many things, so I thought about what one could do with just one simple tool.
I have encountered the malware which you mentioned in your reply, about the worm replicating in different folders. That one is hard to clear, but it still can be done!
You mention that “One should exercise caution while ending processes and deleting files.” I agree, and I always emphasised to everyone that the lack of a signature does not mean it is bad, and the presence of a signature does not mean it is good. The point I want to make is that one needs to have that information first before making an informed decision, and thus I recommend everyone to have Process Explorer on hand.
As for a website, I don’t really keep a blog/website or anything. If I do find anything I usually just request a conference to give me an opportunity to speak and demo. If I have anything new to share, maybe I will just contact you directly. Heh heh.
OK, thanks for your feedback. Hope to see you again.
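The comments above agree on one practical point: before ending a process or deleting its file, collect the path, company/version information and signature status, and treat that as input to a decision rather than as a verdict. The script below is an added example, not code from the post, the talk or Process Explorer; it gathers the same information from the command line. It assumes a Windows host with PowerShell 5 or later, and an elevated session so that the image paths of SYSTEM processes are readable (otherwise those rows show no path). The function name `Get-ProcessSignatureReport` is the example’s own.

```powershell
# Added example (not from the post or talk): collect the "information first" that the
# discussion recommends before touching a running process. Assumes Windows PowerShell 5+
# run elevated; MainModule access is denied for some processes in a non-elevated shell.
function Get-ProcessSignatureReport {
    [CmdletBinding()]
    param()

    Get-Process | ForEach-Object {
        $proc = $_
        $path = $null
        try { $path = $proc.MainModule.FileName } catch { }   # access denied -> leave $null

        $status  = 'NoPath'
        $signer  = ''
        $company = ''
        $sizeKB  = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $file    = Get-Item -LiteralPath $path
            $sig     = Get-AuthenticodeSignature -FilePath $path
            $status  = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            $company = $file.VersionInfo.CompanyName    # the "company/version" field discussed above
            $sizeKB  = [math]::Round($file.Length / 1KB)
        }

        [pscustomobject]@{
            Name    = $proc.ProcessName
            PID     = $proc.Id
            Signed  = $status
            Company = $company
            Signer  = $signer
            SizeKB  = $sizeKB
            Path    = $path
        }
    }
}

# Unsigned or company-less rows are the ones to look at first, but as the comments note,
# NotSigned is not proof of malice and Valid is not proof of safety; the table is context
# for an informed decision, not the decision itself.
Get-ProcessSignatureReport |
    Sort-Object Signed, Name |
    Format-Table Name, PID, Signed, Company, SizeKB, Path -AutoSize
```

Pipe the output to `Export-Csv` when cleaning someone else’s machine so that the pre-cleanup state is recorded before any process is ended; the `Path` column also gives the on-disk location to check for the duplicated, randomly named copies described in the thread.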