Imran's personal blog

September 22, 2009

More virus info

Filed under: Uncategorized — ipeerbhai @ 11:08 pm

So I spent some time analyzing the infection I got recently.

Here’s what I think:

So it was a drive by install that exploited Adobe Acrobat.  The site hosting it is a common commercial site, which I’ll leave anonymous to protect me from lawsuits…  I managed to capture a copy of the malformed PDF.  I noticed that the exploit probably also works on the Mac version of Acrobat — the malformed PDF starts Acrobat trying to run code — that does nothing but chew up memory until the kernel “Access Violates” Acrobat, since the payload is a Windows executable.  This means the exact same exploit could work on the Mac, which stays safe only because the Virus targets PCs.  I know for sure my Mac version of Acrobat is up to date, though I don’t know for sure about the PC version( since I can’t use that PC right now…).  This means it’s likely a new exploit…  There but for the Market share of Windows go I…  I’d probably have been equally hosed had the exploit targeted the Mac.

OneCare can’t fix it — and it’s hidden well enough that my expertise isn’t enough.  There’s some exploited ASEP left over someplace, but Windows has so many ASEPs that I can’t go through them all with a fine tooth comb…so I’m co-nstalling a secondary OS.  Luckily I break my PC into OS and Data partitions — so I shouldn’t lose any data.   Unfortunately, I can’t find my OEM CDs.  This means Vista will be my “clean” OS 😦

It also means I’ll be ditching OneCare and any MS virus protection.  I’ll be switching to Eset Nod32.  Why?

1. Eset has advanced instructions and I can build an offline scan/clean CD with them.  Their implementation is difficult to use, probably due to licensing issues with WAIK– but at least they have this feature.  This feature is critical, and absolutely should be in any AV product.  A good rootkit can defeat any AV.  But a good rootkit can’t win if it can’t run… Who knows when MS will have sigs that can detect all components and fully clean this virus?  A day?  A week?  A month?  A year?  With Eset, I can try more cleaning options.  Isn’t that what AV is supposed to do?

2. Eset has good advanced UI for cleaning an infection.  It saves me from manually hacking the registry and Filesystem.  That saves me time.  I like that.

3. Eset has good detection — probably better than any other Av company.  This is arguable — but OC is missing a component of the Virus.  I had actually gotten “clean”( aka full scan detected nothing ), then got another “infection” when I went online, before I even started up a browser — behind a hardware firewall — and with OC Firewall turned on.  This is not acceptable.

I’m almost tempted to buy Nod32 on Physical Media rather than download it, and then install it with the network disabled, then go online just long enough to update signatures, and see if they can clean it.  If that works, then I wouldn’t have to co-install Vista or re-install any software.  I think Physical Media is important for AV software — at least be able to make it on the fly from a download site or something.  Many of us have access to multiple computers…

For those in the Av industry who may one day read this blog:  AV software that can’t detect, can’t clean, and is missing recovery options isn’t AV software.  If the product can’t do the core work — if it’s only good at collection scans — then it’s no good.  Some core features that absolutely must be in any AV software:

1. Make sure to have a full offline mode.  This means your software should allow me to burn a bootable CD that can then be used for cleaning malware.  Burning a CD from a website is fine — you can then check and use the locally downloaded sigs, or you can make sure I’m a “registered user” — or whatever.  Without this feature, it’s not AV software — it’s just a collection scanner.

2. Make sure to have a recovery UX.  This is essentially UI that speeds up the recovery/clean up process.  It’s just good user experience.  For example, allow advanced users the ability to check ASEPS in an “ASEP View”, list the drivers that are booting and in what oder, etc…  Yes, we can do this by hand — but a faster way makes us love you.

3. Have a “hosed mode” that disables all inbound and outbound connections from your firewall except the bare minimum to get new signatures.  Allow the user to set that at any time.

4. Track multiple re-detections — if you redetect the same Virus 3 or more times, then display a “You’re hosed” UI and stop force cleaning the machine.  Instead, tell the user, ask if they want to go to “hosed mode”, then keep checking updates and rescanning daily.  Some users have multiple PCs.  I’d be OK waiting a few days to get sigs that could clean me — it’s less work than an OS install…

5. Make sure you can run as a stand-alone executable in a safe boot scenario.  I Booted from my Vista CDs, but couldn’t run the command-line scanner in that case.  This is different than the Recovery CD scenario I first mentioned — in this scenario, the user boots off their own CD/DVD, and runs the “installed” product sitting on their hard drive.  Like My Vista DVD.  Make sure there’s a single, discoverable command line that will run in that scenario.

These kinds of features are critical — AV software without these features is hamstrung — and being great at collection scans means nothing if it doesn’t work against real malware.

Well, those were my thoughts and experiences.  Hope they help you out!




  1. First we hit it with a scan from Malwarebytes Anti-Malware, a free scanner you can download here: []

    Then, on the infected computer, we download and run (in safe mode) a somewhat obscure free program called Combofix, which is available here: []

    After that, we run one more follow-up scan with Malwarebytes to ensure that the computer is clean.

    original URL:

    Comment by ipeerbhai — October 3, 2009 @ 12:00 am | Reply

  2. Final update — this process mostly worked. I used a mixture of Malware bytes and Sophos, since ComboFix was under rewrite at the time. Both were able to remove the final component that OC/MSAV missed, and the PC scans clean with multiple products. I can never be sure it’s 100% clean, but it scans clean, acts clean, and I see no strange activity in netmon or taskman. I won’t use it for banking or other activity — I do have my mac, so I can use that for things I want to be secure on. It’s so nice to have this PC back online and working, as it’s far more comfortable to write code on a full size screen/keyboard.

    Comment by ipeerbhai — February 17, 2010 @ 12:14 am | Reply

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at

%d bloggers like this: