Recently I’ve gotten a burst of traffic from stumbleupon so I would like to thank you for checking the site out and taking the time to recommend it to others. If you enjoy what you’ve been reading, I would implore you to do two things:

Subscribe to the RSS feed

If you are using a spiffy browser it’s already up in the URL bar, just waiting for your click. It’s quick, it’s easy, all the cool kids are doing it.

Feedback

If you like the content let me know. If it sucks eggs, let me know that as well. One thing I’ve learned in my short time on this planet – conversations are more fun when they are read/write.

Thanks guys, stumble on.

The following is a quick and dirty guide to virus/malware removal. These are simple, proven steps to clean out malware and get a PC back and running as quick as possible.  No attempt is made to do any sort of forensics nor are there any techniques included for measuring or controlling the propagation to other machines or networks.  The assumption is that the damage has already been done and you are just cleaning up the mess.

Arming Yourself

The following is a list of tools you will need to have handy.  It is highly recommended that you download these on uninfected machine before hand! There are many types of malware out there that are known to detect file names/ signatures of popular cleaning tools and infect them.  You have been warned!

• Autoruns – http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
• Combofix – http://www.bleepingcomputer.com/combofix/how-to-use-combofix
• Malwarebytes – http://www.malwarebytes.org/
• Process Explorer – http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
• Revo Uninstaller – http://www.revouninstaller.com/

Kill Everything That Moves

• Alt-F4 any obvious pop-ups, don’t take the risk of click on the window even if the border “looks like a window”, it could easily be an imagemap
• Launch process explorer and look through all of the running processes. Look very closely, do any of the names look out of place?  Eating up too much memory?  Pay special attention to the “Company Name”
• Once you have killed any running processes, double check for open ports. Got to the command prompt and run netstat -an | find /i "listening" This will show you all ports that are being listened on.

Stop It From Spawning

• Launch Autoruns and look through all of the start-up items.  There is a feature in the latest version to hide Microsoft signed entries, this will make your life much easier. Save the current settings in Autoruns before removing any items. That way if you remove something you shouldn’t you can replace it, Check all start-up items, also pay attention to drivers and service. Again there are many obvious telltale signs of malware – misspellings, invalid directories, etc.
• Check Start->Program Files->Startup

Destroy the Source

Run Combofix. This can talk up 40 minutes to completely run.  For part it will need to be connected to the network to update.  During its run Combofix launches many small utilities that clean various malware. For part of its network cleaning/repair the machine will lose network connection for up to 10 mins.  If you are running Combofix remotely, don’t panic. Seriously, even when you think “God what have I done, I’ve killed the network connection!”, it will come back.

Clean Up the Mess

• Run Malwarebytes quick scan
• Visit Add/Remove programs and remove any “junk” programs.  Use Revouninstaller for stubborn ones

Sanity Check

• Launch IE and verify functionality by going to a few websites.  Also do a search on Yahoo, Bing and Google.  Verify that the search result links actually take you to the correct site (not redirected).
• Review c:\windows\system32\drivers\etc\hosts

Share your tips

Do you have any tips or tricks, any hand software that you use to defeat the ever growing scourge that is malware?

I just took the Sonicwall Phishing and Spam IQ Quiz and I’m proud to say I passed with flying colors.  All told, it probably took under 5 minutes to complete, while I was getting ready to leave for work. 

It’s doubtful if Sonicwallwill ever release any data from this quiz, but I would hazard a guess that the results wouldn’t surprise anyone.  Those who would describe themselves as “technical” probably got near to 100% in all cases, while those who could be described as non-technical probably scored similarly to random chance.  If you consider yourself techincal and still missed a few, consider this.  These emails are deliberately designed to be deceptive.  Any of us scoring 100% probably applied my more care and reasoning to the quiz then we normally do to our email.  If everyone went at their typical scanning speed, I’m sure there would have been no perfects!

So, why is it that to some of us these phishing scams are blindingly obvious?  I think the answer lies in what we look for.  For most of the technical audience taking the test, I would suspect they scanned the emails the same way I did.  Look only at the urls, if they “look” legitimate they probably are, if they “look” fake they are probably a scam.

My thought is that a less sophisticated user would probably read through the email, trying to weigh the tone of authority, the context and various other clues to determine if it was legitimate or not.  And therein lies the problem.  By even reading the email they have started to sell themselves into the “false context” trick of the social engineer.  People will do seemingly careless things (give away social security numbers, passwords, etc) if the context is crafted in a way to make them believe “this is okay”.

How can we defend against this, both for the people we may be educating , but also to ourselves?  My personal plan is to develop “shortcuts”.  Logical rules that will immediately tell me whether something is probably a scam or not.  That way I don’t allow myself to get caught up in the narrative and buy into the context offered.  For instance, in the quiz above, my personal “rule” or shortcut was to look at the url, if it looked odd I would assume that it was fake.  There is little to lose by doing this because if it turns out to be a legitimate request, someone will contact you another way.

Anyone out there brave enough to admit they have fallen for a scam?  What were the telltale signs, that are now obvious, that you didn’t pick up on?  Do you have any personal “shortcuts” that you use when evaluating emails, phonecalls or other requests for your personal information.

If you are a system administrator I implore you to create a similar test for your users and report back with the results!

How do I get data off this thing?

Here’s the situation.  I’m trying to recover data for a client.  Their laptop will not boot into Windows and they need to get data off of it.  To add to the fun, I don’t have an IDE adaptor handy for the laptop harddrive and the laptop is a little crashy (motherboard shorting out?)

I could wait around until I can get my hands on an adaptor, but what fun would that be?

First things first, we need to get the data off of the drive.  Being a minimalist, I first thought of just doing a file copy.  Not knowing whether the file-system is any good, this probably isn’t a good idea.  In any forensics situation you always want to clone your source and then work with it.  i will be taking the same approach, treating the source as “read only” and only modifying the copies I make.  If it turns out the file-system is corrupt I can always clone to a known-good drive and use tools like “chkdsk” (for file-system corruption) or “partimage” (if things are really nasty).

So I have the “donor” machine booted up on a recent cd of Knoppix, connected via crossover cable to our tech station.  I have set ip addressed and tested connectivity between the machines.  Now it’s time for the magic to start.

Using the instructions found here I set my tech station as a netcat “server” and the dead laptop as a netcat “client”.  Score one for the simplicity of pipes, because dd will happily pipe bit for bit data across our netcat tunnel!

“Server”

nc -l -p 9000 | dd of=HarddriveImage.img

“Client”

dd if=/dev/sda | nc 192.168.1.220 9000

I also setup a terminal on the tech station running “watch” to keep an eye on the disk image size

watch -n 1 "du -hca *.img"

Now we wait…in my case 19 gigs…about one hour

We have the image, now what?

Next, I found a handy guide here on what to actually do with the image once I got it.  I am familiar with loopback mounting of iso images, but never before have I tried to loopback mount an entire hard drive image.

So first things first, we need one more important piece of information off the dying computer.  We need to know how many cylinders the hard drive has.  This will come into play, later, in our calculations.

fdisk -l /dev/sda

Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00050229

Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          12       96358+  83  Linux
/dev/sda2              13         136      996030    5  Extended
/dev/sda3             137        1109     7815622+  83  Linux
/dev/sda4            1110       19457   147380310   83  Linux
/dev/sda5              13         136      995998+  82  Linux swap / Solaris

This is a different hard drive, so the cylinder count will vary from below.  The cylinder count for the disk we are using is 2432

Now that we know the cylinders we can try to get fdisk to read the image we cloned to see if it is intact

tech@tech-desktop:~/tmp$ fdisk -C 2432 DiskImage.img

The number of cylinders for this disk is set to 2432.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): p

Disk DiskImage.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 2432 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x9dc96e9e

Device Boot      Start         End      Blocks   Id  System
DiskImage.img1               1           5       40131   de  Dell Utility
DiskImage.img2   *           6        2431    19486845    7  HPFS/NTFS

Well, everything looks good!  If you have trouble at this point, keep in mind that the disk may be beyond saving.  Try something like Spinrite and attempt this again.

We know that we want to mount partition 2 “DiskImage.img2″ but we need to get the correct start and end blocks.

tech@tech-desktop:~/tmp$ fdisk -l -u -C 2432 DiskImage.img

Disk DiskImage.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 2432 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x9dc96e9e

Device Boot      Start         End      Blocks   Id  System
DiskImage.img1              63       80324       40131   de  Dell Utility
DiskImage.img2   *       80325    39054014    19486845    7  HPFS/NTFS

Now all that is left is to calculate the offset so we can tell mount where to start mounting the loopback image.

Offset = StartNumber * 512

So we have 80325 * 512 = 41126400

No we issue the mount command as follows:

tech@tech-desktop:~/tmp$ sudo mount -o loop,offset=41126400 -t ntfs DiskImage.img /mnt/

That’s all she wrote

Well, we’ve been on a whirlwind tale of data recovery, but I am sure we have just scratched the surface of the different techniques that are out there.  So, what tricks have you used for data recovery before?  Any tips or tools you care to share?