Anything related to viruses, Trojans and backdoors.

CyberSec Tips: Malware – advice for the sysadmin

This is possibly a little out of line with what I’m trying to do with the series.  This advice is aimed a little higher than the home user, or small business operator with little computer experience.  Today I got these questions from someone with an advanced computer background, and solid security background, but no malware or antivirus experience.  I figured that this might apply to a number of people out there, so here was my advice:


> Question 1: What is the best way to obtain some good virus samples to
> experiment with in a clean-room environment?

Just look for anything large in your spam filters  :-)

> What I see doing is setting up a VM that is connected to an isolated
> network (with no connection to any other computer or the internet except
> for a computer running wireshark to monitor any traffic generated by the
> virus/malware).

VMs are handy when you are running a wholesale sample gathering and analysis operation, but for a small operation I tend not to trust them.  You might try running Windows under a Mac or Linux box, etc.  Even then, some of the stuff is getting pretty sneaky, and some specifically target VMs.  (I wonder how hard it would be to run Windows in a VM under iOS on ARM?)

> Also, any other particular recommendations as to how to set up the
> clean-room environment?

I’m particularly paranoid, especially if you haven’t had a lot of background in malware, so I’d tend to recommend a complete airgap, with floppies.  (You can still get USB 3 1/2″ floppy drives.)  CDs might be OK, but USB drives are just getting too complex to be sure.

> Question 2: What products are recommended for removing viruses and malware
> (i.e. is there a generic disinfector program that you recommend)?

I wouldn’t recommend a generic for disinfection.  For Windows, after the disaster of MSAV, MSE is surprisingly good, and careful–unlikely to create more problems than it solves.  I like Avast these days: even the free version gives you a lot of control, although it seems to be drifting into the “we know what’s best for you” camp.  And Sophos, of course, is solid stuff, and has been close to the top of the AV heap for over two decades.  F-Secure is good, although they may be distracted by the expansion they are doing of late.  Kaspersky is fine, though opinionated.  Eset has long had an advantage in scanning speed, but it does chew up machine cycles when operating.

Symantec/Norton, McAfee, and Trend have always had a far larger share of the market than was justified by their actual products.

As always, I recommend using multiple products for detection.

> I assume the preferred approach is to boot the suspect computer from USB
> and to run the analysis/disinfection software from the USB key (i.e. not to boot
> the infected computer until it has been disinfected).

A good plan.  Again, I might recommend CD/DVD over USB keys, but, as long as you are careful that the USB drive is clean …

> Question 3: How/when does one make the decision to wipe the hard drive and
> restore from backup rather than attempt to remove the malware?

If you have an up-to-date backup, that is always preferred when absolute security is the issue.  However, the most common malware is going to be cleanable fairly easily.  (Unless you run into some of the more nasty ransomware.)

Pushing backup, and multiple forms of backup, on all users and systems, is a great idea for all kinds of problems.  I’ve got a “set and forget” backup running to a USB drive that automatically updates any changes about every fifteen minutes.  And every couple of days I make a separate backup (and I have different USB drives I do it to) of all data files–which I then copy on to one of the laptops.  I just use an old batch file I created, which replaces any files with newer versions.  (Since it doesn’t delete anything I don’t change, it also means I have recovery possibilities if I make a mistake with deleting anything, and, by using multiple drives, I can rotate them for offsite storage, and even have possibilities of recovering old versions.)

> Question 4: Any recommended books or other guides to this subject matter?

Haven’t seen anything terrifically useful recently, unfortunately.  David Harley and I released “Viruses Revealed” as public domain a few years back, but it’s over ten years old.  (We released it about the time a vxer decided to upload it to  He probably thought he was hurting our sales, but we figured he was doing us a favour  :-)


In recent days there has been much interest in the “BadBIOS” infection being reported by Dragos Ruiu.  (The best overview I’ve seen has been from Naked Security.)  But to someone who has lived through several viral myths and legends, parts of it sound strange.

  • It is said to infect the low-level system firmware of your computer, so it can’t be removed or disabled simply by rebooting.

These things, of course, have been around for a while, so that isn’t necessarily wrong.  However, BIOS infectors never became a major vector.

  • It is said to include components that work at the operating system level, so it affects the high-level operation of your computer, too.
  • It is said to be multi-platform, affecting at least Windows, OS X, and OpenBSD systems.

This sounds bit odd, but we’ve had cross-platform stuff before.  But they never became major problems either.

  • It is said to prevent infected systems being booted from CD drives.

Possible: we’ve seen similar effects over the years, both intentionally and un.

  • It is said to spread itself to new victim computers using Software Defined Radio (SDR) program code, even with all wireless hardware removed.

OK, it’s dangerous to go out on a limb when you haven’t seen details and say something can’t happen, but I’m calling bullshit on this one.  Not that I don’t think someone couldn’t create a communications channel without the hardware: anything the hardware guys can do the software guys can emulate, and vice versa.  However, I can’t see getting an infection channel this way, at least without some kind of minimal infection first.  (It is, of course, possible that the person doing the analysis may have made a mistake in what they observed, or in the reporting of it.)

  • It is said to spread itself to new victim computers using the speakers on an infected device to talk to the microphone on an uninfected one.

As above.

  • It is said to infect simply by plugging in a USB key, with no other action required.

We’ve seen that before.

  • It is said to infect the firmware on USB sticks.

Well, a friend has built a device to blow off dangerous firmware on USB sticks, so I don’t see that this would present any problem.

  • It is said to render USB sticks unusable if they aren’t ejected cleanly; these sticks work properly again if inserted into an infected computer.

Reminds me somewhat of the old “fast infectors” of the early 90s.  They had unintended effects that actually made the infections easy to remove.

  • It is said to use TTF (font) files, apparently in large numbers, as a vector when spreading.

Don’t know details of the internals of TTF files, but they should certainly have enough space.

  • It is said to block access to Russian websites that deal with reflashing software.

Possible, and irrelevant unless we find out what is actually true.

  • It is said to render any hardware used in researching the threat useless for further testing.

Well, anything that gets reflashed is likely to become unreliable and untrustworthy …

  • It is said to have first been seen more than three years ago on a Macbook.

And it’s taken three years to get these details?  Or get a sample to competent researchers?  Or ask for help?  This I find most unbelievable.

In sum, then, I think this might be possible, but I strongly suspect that it is either a promotion for PacSec, or a promo for some presentation on social engineering.


A virus too big to fail?

Once upon a time, many years ago, a school refused to take my advice (mediated through my brother) as to what to do about a very simple computer virus infection.  The infection in question was Stoned, which was a boot sector infector.   BSIs generally do not affect data, and (and this is the important point) are not eliminated by deleting files on the computer, and often not even by reformatting the hard disk.  (At the time there were at least a dozen simple utilities for removing Stoned, most of them free.)

The school decided to cleanse it’s entire computer network by boxing it up, shipping it back to the store, and having the store reformat everything.  Which the store did.  The school lost it’s entire database of student records, and all databases for the library.  Everything had to be re-entered.  By hand.

I’ve always thought this was the height of computer virus stupidity, and that the days when anyone would be so foolish were long gone.

I was wrong.  On both counts.

“In December 2011 the Economic Development Administration (an agency under the US Department of Commerce) was notified by the Department of Homeland Security that it had a malware infection spreading around its network.

“They isolated their department’s hardware from other government networks, cut off employee email, hired an outside security contractor, and started systematically destroying $170,000 worth of computers, cameras, mice, etc.”

The only reason they *stopped* destroying computer equipment and devices was because they ran out of money.  For the destruction process.

Malware is my field, and so I often sound like a bit of a nut, pointing out issues that most people consider minor.  However, malware, while now recognized as a threat, is a field that extremely few people, even in the information security field, study in any depth.  Most general security texts (and, believe me, I know almost all of them) touch on it only tangentially, and often provide advice that is long out of date.

With that sort of background, I can, unfortunately, see this sort of thing happening again.


Lest you think I exaggerate any of this, you can read the actual report.

The death of AV. Yet again.

And in other news, Gunter Ollman joins in the debate as to whether Imperva’s quasi-testing is worth citing (just about) and, with more enthusiasm, whether AV is worth paying for or even still breathing. If you haven’t come across Ollman’s writings on the topic before, it won’t surprise you that the answer is no. If you haven’t, he’s thoughtfully included several other links to articles where he’s given us the benefit of his opinions.

If it’s free, never ever bothers me with popups, and I never need to know it’s there, then it’s not worth the effort uninstalling it and I guess it can stay…

Ollman notes:

In particular there was great annoyance that a security vendor (representing an alternative technology) used VirusTotal coverage as their basis for whether or not new malware could be detected – claiming that initial detection was only 5%.

However, he doesn’t trouble himself to explain why the anti-malware industry (and VirusTotal itself) are so annoyed, or to comment on Imperva’s squirming following those criticisms. Nor does he risk exposing any methodology of his own to similar criticism, when he claims that:

desktop antivirus detection typically hovers at 1-2% … For newly minted malware that is designed to target corporate victims, the rate is pretty much 0% and can remain that way for hundreds of days after the malware has been released in to the wild.

Apparently he knows this from his own experience, so there’s no need to justify the percentages. And by way of distraction from this sleight of hand, he introduces ‘a hunchbacked Igor’ whom he visualizes ‘bolting on an iron plate for reinforcement to the Frankenstein corpse of each antivirus product as he tries to keep it alive for just a little bit longer…’ Amusing enough, I suppose, at any rate if you don’t know how hard those non-stereotypes in real anti-malware labs work at generating proactive detections for malware we haven’t seen yet and multi-layered protection. But this is about cheap laughs at the expense of an entire industry sector that Ollman regards as reaping profits that should be going to IOActive. Consider this little exchange on Twitter.

Imperva’s research on desktop anti-virus has stirred a fierce debate. @gollmann: @dharleyatESET:

@virusbtn @dharleyatESET I don’t know about “fierce”. It’s like prodding roadkill with a stick.

What are we, 12 years old? Fortunately, other tweeters seem to be seeing through this juvenilia.

@gollmann @virusbtn @dharleyatESET Again just methaphors and no data. This conversation is like trainwreck in slow motion :)

The comments to the blog are also notable for taking a more balanced view: Jarno succinctly points to VirusTotal’s own view on whether its service is a realistic guide to detection performance, Kurt Wismer puts his finger unerringly on the likely bias of Ollman”s nebulous methodology, and Jay suggests that Ollman lives in a slightly different (ideal) world (though he puts a little more politely than that). But no doubt the usual crop of AV haters, Microsoft haters, Mac and Linux advocates, scammers, spammers and downright barmpots will turn up sooner or later.

There is, in fact, a rational debate to be held on whether AV – certainly raw AV with no multi-layering bells and whistles – should be on the point of extinction. The rate of detection for specialized, targeted malware like Stuxnet is indeed very low, with all-too-well-known instances of low-distribution but high-profile malware lying around undetected for years. (It helps if such malware is aimed at parts of the world where most commercial AV cannot legally reach.) And Gunter Ollman is quite capable of contributing a great deal of expertise and experience to it. But right now, it seems to me that he and Imperva’s Tal Be’ery are, for all their glee at the presumed death of anti-virus, a pair of petulantly twittering budgies trying to pass themselves off as vultures.

David Harley
AVIEN/Small Blue-Green World/Mac Virus/Anti-Malware Testing
ESET Senior Research Fellow

Comparison Review: AVAST! antiviral

PCAVAST7.RVW   20120727
Comparison Review

Company and product:

Company: ALWIL Software
Address: Trianon Office Bldg, Budejovicka 1518/13a, 140 00, Prague 4
Phone:   00 420 274 005 777
Fax:     00 420 274 005 888
Sales:   +42-2-782-25-47
Contact: Kristyna Maz nkov /Pavel Baudis/Michal Kovacic
Product: AVAST! antiviral

Summary: Multilayered Windows package

Cost: unknown

Rating (1-4, 1 = poor, 4 = very good)
Installation      3
Ease of use       4
Help systems      1
Compatibility           3
Stability         3
Support           2
Documentation           1
Hardware required       3
Performance             3
Availability            3
Local Support           1

General Description:

Multilayered scanning, activity-monitoring, and change-detection software.  Network protection including Web and email monitoring.

Comparison of features and specifications

User Friendliness


The product is available as a commercial package, but also as a free download for home or non-commerecial use.  As previously noted in other reviews, this is highly desirable not simply as a marketing and promotional effort by the company, but because making malware protection available to the general public reduces the malware threat for the entire computing and network environment.  One important
aspect is that the free version, unlike some antivirus products which reduce available functions, appears to be complete.  Scanning, disinfection, network protection, reporting, and management functions all seem to be included in the free version, making Avast a highly recommended product among free downloads.

I downloaded the free version, and installed it with no problem.  It was compatible with Windows 7, as well as previous versions.  The basic installation and configuration provides realistic protection, even for completely naive users.

Ease of use

With ten basic, and a larger number of minor, functions now included in the program, the interface is no longer very easy to figure out.  For example, one of the first things I (as a specialist) need to do is to turn off scanning of my “zoo” directory.  I initially thought this might be under the large “Maintenance” button.  No, “maintenance” is reserved for upgrading and buying additional features.  I did finally find the function I wanted under a much smaller “Settings” tab.  However, as noted, most users will not require any additional functions, and need not worry about the operation of the program.  The default settings provide decent protection, and updating of signatures, and even the basic program, is almost automatic.  (The updates for the free version do push the user to “upgrade” to the commercial version, but it is not necessary.)

I located (eventually) some great functions in the program which I found very helpful.  Admittedly, I’m a very special case, since I research malware.  But I really appreciated the fact that not only could I turn scanning off for a particular directory (my “zoo”), and that I could pull programs out of the quarantine easily, but that I could also turn off individual network protection functions, very easily.  Not only could I turn them off, but I was presented with options to stop for 10 minutes, 1 hour, until the next reboot, or permanently.  Therefore, I could turn off the protection for a quick check, and not have to remember to turn it on again for regular work and browsing.

However, I cannot commend Avast for some of the reporting and logging functions.  Late in the review period it reported an “infected” page, but refused to tell me where/what it is.  In addition, recently Avast has been blocking some of my email, and the message that an email has been blocked is the only available information.

Help systems

Help is available onscreen, but it is not easy to find.  There is no help button on the main screen: you have to choose “? Support,” and then, from a list of six items choose the last one, “Program Help.”  (The standard Windows F1 key does bring up the help function.)  Most other help is only available online via the Web, although there is a downloadable PDF manual.


The system scores well in malware detection ratings from independent tests.  I have been running Avast for over a year, and have not seen a false positive in a scan of the computer system.  I have observed only one false positive blockage of “known good” Websites or email, although this is of some concern since it involved the updating of another malware package under test.

Company Stability

Avast has been operating (previously as Alwil Software) for over twenty years.  The program structure is thoughtful and shows mature development.

Company Support

As noted, most is via the Web.  Unfortunately, in the recent case of a false positive the company, even though I had alerted them to the details of both the review and the warning I had noted, there was no useful response.  I received email stating that someone would review the situation and get back to me, but there was no further response.


The documentation available for download is primarily for installation and marketing.

System Requirements

The system should run on most extent Windows machines.


The antivirus system has minimal impact on the computer system.  When performing a full scan, there are other programs that run faster, but Avast runs very well unattended.

As noted above, the free version has complete and very useful functionality.

Local Support

None provided.

Support Requirements

Basic operation and scanning should be accessible to the novice or average user.

copyright Robert M. Slade, 1995, 2012   PCAVAST7.RVW   20120727

Beware! The “Metavirus”!

In the spirit of many infosec and antivirus company “announcements” of “new threats” in the past year:

A leading (if unemployed) information security and malware researcher, today noted startling developments (which were first mentioned in 1988, but we’ll leave out that bit) in cross-platform malware.

Dubbed the “metavirus,” this threat could completely swamp the Internet, and render literally billions of computers useless.  The chief researcher at the Vancouver Institute for Research into User Security has found that these entities can be created by almost anyone, even without programming knowledge or skills.  “This doesn’t even require a malware kit,” said Rob Slade, who has “discovered” this unregarded vulnerability.

Although the number of metavirus “families” are very small, in comparison to the millions of viruses, worms, and trojans discovered yearly, they are remarkably resistant to disinfection.  Infections tend to be clustered, and can affect almost all machines in an infected company, network or group.

“This is definitely cross-platform,” said Slade.  “It doesn’t rely on a specific operating system, program, or even virtual machine, like Java.”  Infections have jumped between Windows, Mac, Linux, iPhones, Android, and even CP/M and VMS machines.  Transmission can occur via email, sneakernet, wireless, and even phone and fax.  In all cases productivity is affected as time is lost.  In one class of the threat machines can be rendered inoperable.

Rob Slade can be made available for presentations on how to deal with this enormous threat.  Anyone wanting to protect themselves can send first class airfare, proof of prepaid hotel accommodation, and a bank draft for $15,000 deposit.  (US or Canadian dollars, whichever is higher at the time  :-)

Anti-Virus, now with added Michelangelo

Apparently it’s all our fault. Again. Not only is anti-virus useless, but we’re responsible for the evolution and dramatic increased volume of malware. According to something I read today “If it wasn’t for the security industry the malware that was written back in the 90’s might still be working today.”

I guess that’s not as dumb as it sounds: we have forced the malware industry to evolve (and vice versa). But you could just as easily say:

“The medical profession is responsible for the evolution and propagation of disease. If it wasn’t for the pharmaceutical industry illnesses that killed people X years ago might still be killing people today.”

And to an extent, it would be true. Some conditions have all but disappeared, at any rate in regions where advanced medical technology is commonplace, but other harder-to-treat conditions have appeared, or at least have achieved recognition.

I can think of plenty of reasons for being less than enthusiastic about the static-signature/malcode-blacklisting approach to malware deterrence, though I get tired of pointing out that commercial AV has moved a long way on from that in the last couple of decades. Even so, if pharmaceutical companies had to generate vaccines at the rate that AV labs have to generate detections (even highly generic detections) we’d all have arms like pincushions.

However, there are clear differences between ‘people’ healthcare and PC therapeutics. Most of us can’t trust ourselves as computer users (or the companies that sell and maintain operating systems and applications) to maintain a sufficiently hygienic environment to eliminate the need to ‘vaccinate’. It’s not that we’re all equally vulnerable to every one of the tens or hundreds of thousands of malicious samples that are seen by AV labs every day. Rather, it’s the fact that a tailored assessment of which malware is a likely problem for each individual system, regardless of provenance, region, and the age of the malware, is just too difficult. It’s kind of like living at the North Pole and taking prophylactic measures in case of Dengue fever, trypanosomiasis and malaria.

Fortunately, new or variant diseases tend not to proliferate at the same rate that malware variants do, and vaccines are not the only way of improving health. In fact, lots of conditions are mitigated by better hygiene, a better standard of living, health-conscious lifestyles and all sorts of more-or-less generic factors. There’s probably a moral there: commonsense computing practices and vitamin supplements – I mean, patches and updates – do reduce exposure to malicious code. It’s worth remembering, though, that even if AV had never caught on, evolving OS and application technologies would probably have reduced our susceptibility to antique boot sector viruses, macro viruses, and DOS .EXE infectors. Is it really likely that they wouldn’t have been replaced by a whole load of alternative malicious technologies?

ESET Senior Research Fellow

Not the bad news you thought you were reporting …

“The 2012 Norton Cybercrime Report, released Wednesday, says more than 46 per cent of Canadians have reported attempts by hackers to try to obtain personal data over the past 12 months,” according to the Vancouver Sun.

Well, since I see phishing every single day, and malware a few times times per week, what this survey is *really* saying is that 54% of Canadians don’t know what phishing and malware looks like.

(And you others don’t need to gloat: apparently the same figure holds globally …)

Kinda depressing …