All that is wrong with the world…

June 23, 2011

OS X – Safe, yet horribly insecure

Filed under: Security, Tech — allthatiswrong @ 2:48 am

Introduction

I have had this article planned since the end of 2009 and have had it as a skeleton since then. I wanted to point out the many problems with OS X security and debunk the baseless myth that OS X is somehow more secure. Despite 18 months passing by before I managed to finish it, not much seems to have changed. I think I am publishing at an interesting time however, just as malware for OS X is increasing and Apple are starting to put effort into securing OS X with the soon to be released Lion. There is no FUD in this article, just an analysis of the available evidence and some speculation. My motivation to write this article was the hordes of OS X users who are either blind or have been misled by false advertising into believing OS X is somehow immune to malware and attacks.

It is one of the most prevalent myths among the computer purchasing public, and to a lesser extent those who work in IT, that Apple computers are far more secure than their Windows and perhaps Linux counterparts. The word myth is precisely accurate, as OS X and other Apple software is among the most vulnerable software on consumer devices today. Apple have an appalling attitude towards security which often leaves their users highly vulnerable while hyping their products as secure, simply because they are rarely targeted. It is important before going further to note the difference between a distributed attack and a targeted attack. A distributed attack is one not specific to any one machine or network, but one that will exploit as many machines as it can that are affected by a particular set of vulnerabilities, of which OS X has had many. An example of a distributed attack is a drive-by download, where the target is unknown, but if the target is vulnerable the exploit should work. Distributed attacks are used to infect large numbers of machines easily, which are then generally joined into a botnet to earn cash.

A targeted attack is more specific, where a single machine or network is attacked. A targeted attack is not blind and is specific to the machine being attacked. Distributed attacks such as drive-by downloads are impersonal by nature because they must compromise thousands of machines, while the motivation behind a targeted attack tends to be more personal, perhaps to steal confidential files or install some sort of backdoor. The argument always seems limited to distributed attacks, which admittedly are nowhere near the problem they are for Windows. This is more than likely because Apple has a very low market share of PCs, simply making it less than worthwhile to invest in writing software to attack as many machines as possible when money is the motivation. I go into this in further detail in a later section.

Using a Mac may certainly be a safer choice for a lot of people as, despite being vulnerable, they are not targeted. However this is not the same as Macs being secure, something Eric Schmidt erroneously advised recently. I may be able to browse impervious to malware on a Mac at the moment, however I personally would not be comfortable using a platform so easily compromised if someone had the motivation to do so. In this article I address just why OS X is so insecure, including the technical shortcomings of OS X as well as Apple's policies as a company that contribute to the situation.

A trivial approach to security

One of the most annoying claims made by OS X (and Linux) users is that the UNIX heritage results in a far more secure design, making it more immune to malware. Nothing could be further from the truth. The UNIX design is significantly less granular than that of Windows, not even having a basic ACL. The UNIX design came from a time when security was less of an issue and not taken as seriously as it is now, and so it does the job only adequately. Windows NT (and later OSes) were actually designed with security in mind and this shows. Windows was not such a target for malware because of a poor security design; it was because the security functionality was never used. When everybody runs as Administrator with no password then the included security features lose almost all meaning. Point for point Windows has a more secure design than OS X, and if used properly the damage can be minimized significantly more on a Windows machine than on an OS X machine, UNIX heritage or not.

A lot of OS X users seem to have this idea that Apple hired only the best of the best when it came to programmers while Microsoft hired the cheapest and barely adequately skilled, which supposedly resulted in OS X being a well designed piece of software completely free of vulnerabilities. In reality OS X machines have always been easily exploited and are among the first to be compromised at various security conferences and competitions. The vast majority of exploits that have been publicly demonstrated could have been used to write a successful virus or worm. Given how lax Apple is with security updates and any kind of proactive protection, any prospective attacker would have quite a field day. The only reason this has not happened yet is not because Apple is magically more secure, it's because no one has bothered to take the opportunity. It isn't like no OS X viruses exist. Even without the poor approach Apple takes to security, there would be no basis for claiming the design of OS X is more secure than that of other platforms.

Apple is generally months behind fixing publicly disclosed vulnerabilities, often only doing so before some conference to avoid media reporting. They often share vulnerabilities with core libraries in other UNIX-like systems, with Samba and Java being two examples. They are extremely difficult to deal with when trying to report a vulnerability, seemingly not having qualified people to accept such reports. Even if they do manage to accept a report and acknowledge the importance of an issue, they can take anywhere from months to a year to actually fix it properly.

People always get caught up in the hype surrounding viruses and how OS X is seemingly impervious, while forgetting that that is not the only type of threat. Personally for me, malware is a minor threat with the impact being negligible as long as you follow basic security practices and can recognize when something looks out of place. The idea of someone targeting me specifically on a network, either because it is so vulnerable that it is child's play or because they want something from my machine, is far more worrying. This is significantly harder to protect against on OS X when you can't rely on the manufacturer to issue patches in anything resembling a prompt timeframe, or even to acknowledge that vulnerabilities exist. Given that this is the Apple philosophy, it is hard to pretend to be safe on an Apple machine.

Examples and details

Every OS except OS X has a full implementation of ASLR, stack canaries, executable space prevention, sandboxing and more recently mandatory access controls. OS X doesn't even try to implement most of these basic protections, and the ones it does, it does poorly. I don't understand why security folk use OS X at all, given its plethora of problems. Yes, they are pretty and yes it is UNIX and yes you are very safe using it, but given security folks tend to be working on various exploits and research that they would want to keep private, using a platform so vulnerable to targeted attacks would not seem to be the smartest move.

Apple to date do not have a proper DEP or ASLR implementation, two well known technologies that have been implemented in other OSes for the last five years. Apple did not bother to implement DEP properly except for 64-bit binaries, and even then there was no protection on the heap even if it was marked as non-executable. Apple technically implements ASLR, but in such a limited way that they might as well not have bothered. The OS X ASLR implementation is limited to library load locations. The dynamic loader, heap, stack and application binaries are not randomized at all. Without bothering to randomize anything except library load locations their implementation is useless aside from perhaps preventing some return-to-libc attacks. We can see using the paxtest program from the PaX team (the same team who initiated ASLR protections on PCs) that OS X fails most of these tests (Baccas P, Finisterre K, H. L, Harley D, Porteus G, Hurley C, Long J. 2008). Apple's decision not to randomize the base address of the dynamic linker DYLD is a major failing from a security point of view. Charlie Miller has demonstrated how a ROP payload can be constructed using only parts of the non-randomized DYLD binary. Snow Leopard unfortunately did not improve on things much except to add DEP protection to the heap, still only for 64-bit applications. This means that most of the applications that ship with OS X (including browser plugins) are far easier to attack than applications on pretty much any other platform.
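The library-only randomization described above can be measured on any machine with the same idea paxtest uses: run a probe several times and see which address regions actually move. The script below is an added example, not code from the post or from paxtest; the C probe embedded in it, its region names and the sample output (constructed to mirror the 32-bit Snow Leopard behaviour the text describes, with only the library address changing) are all assumptions of this example.

```python
import os
import re
import shutil
import subprocess
import tempfile
from collections import defaultdict

# Constructed probe (an assumption of this example, not paxtest itself): it
# prints one "region=0xADDRESS" line for a stack variable, a heap block, the
# program's own main() and a libc function, so repeated runs show which of
# those regions the loader actually randomizes.
PROBE_C = r"""
#include <stdio.h>
#include <stdlib.h>
int main(void) {
    int local = 0;
    void *heap = malloc(64);
    printf("stack=%p\n", (void *)&local);
    printf("heap=%p\n", heap);
    printf("main=%p\n", (void *)&main);
    printf("libc=%p\n", (void *)&printf);
    free(heap);
    return 0;
}
"""

LINE_RE = re.compile(r"^(\w+)=0x([0-9a-fA-F]+)$")


def parse_run(output):
    """Map region name -> integer address for the output of one probe run."""
    regions = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            regions[m.group(1)] = int(m.group(2), 16)
    return regions


def varying_bits(addresses):
    """Count the address bits that differ across the samples.  This is a lower
    bound on the randomization entropy of a region; 0 means it never moved."""
    addrs = list(addresses)
    if len(addrs) < 2:
        return 0
    diff = 0
    for a in addrs[1:]:
        diff |= addrs[0] ^ a
    return bin(diff).count("1")


def analyse(runs):
    """Summarise several runs' output strings per region."""
    samples = defaultdict(list)
    for out in runs:
        for name, addr in parse_run(out).items():
            samples[name].append(addr)
    report = {}
    for name, addrs in samples.items():
        bits = varying_bits(addrs)
        report[name] = {"distinct": len(set(addrs)), "bits": bits,
                        "randomized": bits > 0}
    return report


def run_probe(times=8):
    """Compile and execute the probe `times` times; None if no C compiler."""
    cc = shutil.which("cc")
    if cc is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "probe.c")
        exe = os.path.join(tmp, "probe")
        with open(src, "w") as fh:
            fh.write(PROBE_C)
        subprocess.run([cc, "-o", exe, src], check=True)
        return [subprocess.run([exe], capture_output=True, text=True,
                               check=True).stdout for _ in range(times)]


# Constructed sample output modelling the 32-bit Snow Leopard behaviour the
# text describes: only the library load address changes between runs.
SAMPLE_RUNS = [
    "stack=0xbffff8a4\nheap=0x100100\nmain=0x1f3e\nlibc=0x9312ee3a\n",
    "stack=0xbffff8a4\nheap=0x100100\nmain=0x1f3e\nlibc=0x92e1ee3a\n",
    "stack=0xbffff8a4\nheap=0x100100\nmain=0x1f3e\nlibc=0x930aee3a\n",
]

if __name__ == "__main__":
    runs = run_probe() or SAMPLE_RUNS
    for name, info in analyse(runs).items():
        state = "randomized" if info["randomized"] else "FIXED"
        print(f"{name:6s} {state:11s} distinct={info['distinct']} "
              f"bits={info['bits']}")
```

A region reported as FIXED is one an attacker can address without a leak, which is exactly why the unrandomized DYLD and program binary matter for ROP; on a system with full ASLR every row should move.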

The firewall functionality in OS X is impressive, but hardly utilized. The underlying technology, ipfw, is powerful and more than capable of protecting OS X from a wide variety of threats, however Apple barely utilizes it. The OS X firewall is disabled by default and application-based, meaning it is still vulnerable to low level attacks. Even if the option to block all incoming connections was set it didn't do this, still allowing incoming connections for anything running as the root user, with none of the listening services being shown in the user interface.

Apple introduced rudimentary blacklisting of malware in Snow Leopard via XProtect.plist, which works so that when files are downloaded via certain applications they set an extended attribute which indirectly triggers scanning of the file. However many applications such as IM or torrent applications do not set the extended attribute, thus never triggering the XProtect functionality. A fine example of this is the iWorks trojan, which was distributed through torrents and never triggered XProtect. At the moment it can only detect very few malware items, although as a response to the MacDefender issue this is now updated daily. Only hours after Apple's update to deal with MacDefender was released a new version that bypasses the protection was discovered, highlighting the shortcomings of the XProtect approach. Since it relies on an extended attribute being set in order to trigger scanning, any malware writer will target avenues of attack where this attribute will not be set, and for drive-by download attacks it is completely useless. Still, it is a good first step for Apple acknowledging the growing malware problem on OS X and starting to protect their users.
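The extended attribute in question is com.apple.quarantine, whose value (as printed by `xattr -p com.apple.quarantine <file>`) has the form flags;timestamp;agent;uuid with the first two fields in hex. The script below is an added example, not code from the post: it decodes that value and audits a download folder for files that carry no attribute at all, i.e. files XProtect never had a reason to look at. The file names, the attribute values and the folder layout in the sample are constructed.

```python
import datetime
import os
import subprocess

QUARANTINE_ATTR = "com.apple.quarantine"


def decode_quarantine(value):
    """Split a quarantine value of the form flags;timestamp;agent;uuid into
    its fields.  flags and timestamp are hex; the timestamp is seconds since
    the epoch, recorded when the downloading application set the attribute."""
    fields = value.strip().split(";")
    if len(fields) < 3:
        raise ValueError("not a quarantine attribute: %r" % value)
    ts = int(fields[1], 16)
    return {
        "flags": int(fields[0], 16),
        "timestamp": ts,
        "downloaded_at": datetime.datetime.fromtimestamp(
            ts, datetime.timezone.utc),
        "agent": fields[2],
        "uuid": fields[3] if len(fields) > 3 else "",
    }


def read_quarantine(path):
    """Return the raw attribute value for `path`, or None when it is absent.
    Uses os.getxattr where Python provides it (Linux) and otherwise falls back
    to the xattr command line tool that ships with OS X."""
    getxattr = getattr(os, "getxattr", None)
    if getxattr is not None:
        try:
            return getxattr(path, QUARANTINE_ATTR).decode()
        except OSError:
            return None
    proc = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def audit(entries):
    """entries: iterable of (path, raw_attribute_or_None).  Returns
    (scanned, unscanned): files with a decoded attribute, and files that
    never received one and so were never passed to XProtect."""
    scanned, unscanned = {}, []
    for path, raw in entries:
        if raw is None:
            unscanned.append(path)
        else:
            scanned[path] = decode_quarantine(raw)
    return scanned, unscanned


def audit_directory(directory):
    """Audit every regular file directly inside a download folder."""
    entries = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            entries.append((path, read_quarantine(path)))
    return audit(entries)


# Constructed sample: one file saved by a browser (attribute set) and one
# fetched by a torrent client that never set it.
SAMPLE_ENTRIES = [
    ("Downloads/report.pdf",
     "0083;4e01a2b3;Safari;11111111-2222-3333-4444-555555555555"),
    ("Downloads/torrent-download.dmg", None),
]

if __name__ == "__main__":
    scanned, unscanned = audit(SAMPLE_ENTRIES)
    for path, info in scanned.items():
        print(f"{path}: downloaded by {info['agent']} at "
              f"{info['downloaded_at']:%Y-%m-%d %H:%M}Z")
    for path in unscanned:
        print(f"{path}: no {QUARANTINE_ATTR} attribute; XProtect never "
              f"scanned it")
```

Running audit_directory on a real ~/Downloads gives a quick picture of how much of what lands on a machine bypasses the XProtect trigger entirely; anything in the unscanned list should be checked by other means before it is opened.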

It has been a shame to see the sandboxing functionality introduced in Leopard not being utilized to anywhere near its full capacity. Apple are in a unique position where, by controlling the hardware and the operating system, they have created a truly homogeneous base environment. It would be very easy to have carefully crafted policies for every application that ships with the base system, severely limiting the damage that could be caused in the event of an attack. They could go even further and import some of the work done by the SEDarwin team, allowing for even greater control over applications. They would not have to present this to the user and would probably prefer not to, yet doing so would put them far ahead of all the other operating systems in terms of security at this point.

Security wise Apple is at the same level as Microsoft was in the 1990s and early 2000s: continuing to ignore and dismiss the problems without understanding the risks, and not even bothering to implement basic security features in their OS. With an irresponsible number of setuid binaries, unnecessary services listening on the network with no default firewall, useless implementations of DEP and ASLR and a very poor level of code quality with many programs crashing under a trivial amount of fuzzing, Apple are truly inadequate at implementing security. This still doesn't matter much as far as distributed attacks go, at least not until Apple climbs higher in market share, but I really dislike the idea of someone being able to own my system just because I happened to click on a link. At least with Apple giving regular updates via XProtect and including a Malware help page in Snow Leopard we have evidence that they are starting to care.

An appalling record

A great example of Apple's typical approach to security is the Java vulnerability that, despite allowing for remote code execution simply by visiting a webpage, Apple left unpatched for more than six months, only releasing a fix when media pressure necessitated that they do so. When OS X was first introduced the system didn't even implement shadow file functionality, using the same password hashing AT&T used in 1979 and simply relying on obscuring the password via a pretty interface. This is indicative of the attitude Apple continues to have to this very day: a horribly insecure design for the sake of convenience and aesthetics, only changing when pressure necessitates it. One of the most interesting examples of this is that regularly before the pwn2own contests, where Apple's insecurity is put on display, they release a ton of patches. Not when they are informed of the problem and users are at risk, but when there is a competition that gets media attention and may result in them looking bad.

Being notoriously hard to report vulnerabilities to does not help either. If a company does not want to hear about problems that put their machines, and thus customers, at risk it is hard to say that they are taking security seriously. As is the case at the moment, if you try to report a vulnerability to Apple it will likely get rejected with a denial, and after retrying several times it may be accepted, where a patch may be released any number of weeks or months later. Apple still have a long way to go before demonstrating they are committed to securing OS X rather than maintaining an image that OS X is secure. Having a firewall enabled by default would be a start, something Windows has had since XP. Given the homogeneous nature of OS X this should be very easy to get off the ground, and it may well be the case with Lion.

The constant misleading commercials are another point against Apple, constantly telling users that OS X is secure and does not get viruses (implying that it cannot) or have any security problems whatsoever. Not only do they exaggerate the problem on Windows machines, they completely ignore the vulnerabilities OS X has. The most recent evidence of Apple's aforementioned attitude can be seen in their initial response to the MacDefender malware. Rather than address the issue and admit that a problem exists they kept their heads in the sand, even going so far as to instruct employees not to acknowledge the problem. To their credit Apple did change their approach a few days later, issuing a patch and initiating a regularly updated blacklist of malware. Their blacklist implementation has flaws, but it is a start.

As much as users and fans of Apple may advocate the security of OS X it is very important to note that OS X has never implemented particularly strong security, has never had security as a priority and is produced by a company that has demonstrated over and over that security is a pain which they would rather ignore, leaving their users at risk rather than acknowledge a problem.

Malware for OS X increasing

It's true that doomsday for OS X has long been predicted, although the predictions have always lacked a precise time reference. An article by Adam O'Donnell has used game theory to speculate that market share is the main cause for malware starting to target a platform, the result of a tradeoff between a lack of protection and a high enough percentage of users to take advantage of to make the investment worthwhile. The article made the assumption that all PCs were using AV software and assumed an optimistic 80% detection success rate. If the PC defense rate were higher, then OS X would become an attractive target at a much lower market share. According to the article, if PC defenses were at around 90% accuracy, then OS X would be a target at around 6% market share. The estimated percentage from the article is just under 17%, and just as some countries have reached around that number we are starting to see an increase in malware for OS X. It may be a coincidence but I will not be surprised if the trend continues. Given Apple's horrid security practices and insecurity it's going to increase quite noticeably unless Apple changes their act. Aside from market share another important factor is the homogeneity of the platform, making OS X an extremely ideal target once the market share is high enough.

A lot of people are saying they will believe the time for OS X has come when they see an equivalent to a Code Red type of worm, except that this is never going to happen. Worms shifted from being motivated by fame to having a financial motivation, with the most recent OS X malware being linked to crime syndicates. With the security protections available in most OSes these days (aside from OS X) being more advanced, it takes more skill to write a virus to infect at the scale of something like Code Red, and the people who do have that skill are not motivated to draw attention to themselves. These days malware is purely about money, with botnets going out of their way to hide themselves from users. Botnets on OS X have been spotted since 2009 and OS X is going to be an increasing target for these types of attacks without ever making the headlines as Windows did in the 90s.

Another contributing factor that should not be overlooked is the generally complacent attitude of OS X users towards securing their machines. Never faced with malware as a serious threat and being shoveled propaganda convincing them that OS X is secure, most OS X users have no idea how to secure their own machines, with many unable to grasp the concept that they may be a target for attack. The MacDefender issue already showed how easy it is to infect a large number of OS X users. Windows users are at least aware of the risk and will know to take their computer in to get fixed or to run an appropriate program, whereas it seems OS X users simply deny the very possibility. As Apple's market share increases, the ratio of secure users to vulnerable users continues to slide further apart. With more and more people buying Apple machines and not having any idea how to secure them, or that they even should, there are that many more easy targets. Given the insecurity of OS X and the naivety of the users, I do think it is only a matter of time before OS X malware becomes prevalent, although not necessarily in a way that will make the news. This means the problem is going to get worse as users are going to keep getting infected and not realize it, while believing their machines are clean and impervious to risk.

People also have to get over the idea that root access is needed for malware to be effective. Root access is only needed if you want to modify the system in some way so as to avoid detection. Doing so is by no means necessary however, and a lot of malware is more than happy to operate as a standard user, never once raising an elevation prompt and silently infecting or copying files, sending out data, doing processing, or whatever malicious thing it may do.

Macs do get malware, even if it is a significantly smaller amount than what exists for Windows. Given the emergence of exploit creation kits for OS X, malware is inevitably going to increase for OS X. Even if it never gets as bad as it was for Windows in the 90s, it is important not to underestimate the threat of a targeted attack. Rather than encouraging a false sense of security Apple should be warning users that it is a potential risk and teaching users how to look for signs and deal with it. The Malware entry in the Snow Leopard help is a small step in the right direction. There isn't much Apple can do to prevent targeted attacks, except maybe fixing their OS and being proactive about security in the first place.

Much room for improvement

One thing OS X did get right was making it harder for key loggers to work. As of 10.5 only the root user can intercept keyboards, so any app making use of EnableSecureEventInput should theoretically be immune to key logging. Of course, if remote code execution is possible then that is a very minor concern. This requires the developer to specifically make use of that function, which is automatic for Cocoa apps using an NSSecureTextField. Of course this does not completely prevent keyloggers from working, as applications not making use of that functionality will be vulnerable to keylogging, such as was the case with Firefox and anything not using a secure text field. Of course, given the propensity of privilege escalation attacks on OS X it would not be hard to install a keylogger as root. However this is a great innovation and something that I would like to see implemented in other operating systems.

Apple asked security experts to review Lion which is a good sign, as long as they actually take advice and implement protections from the ground up. Security is a process which needs to be implemented from the lowest level, not just slapped on as an afterthought as Apple have tended to do in the past. I think the app store in Lion will be interesting. If Apple can manage to control the distribution channels for software, then they will greatly reduce the risk of malware spreading. At the moment most software is not obtained via the app store and I don’t ever expect it to be, still the idea of desktop users being in a walled garden would be one solution to solving the malware problem.

Lion is set to have a full ASLR implementation (finally), including all 32-bit applications and the heap. Along with more extensive use of sandboxing, it looks like Apple is starting to actually lock down their OS, which means they understand the threat is growing. It will be interesting to see if Apple follows through on the claims made for Lion, or if they fall short much like what happened with Snow Leopard. Personally I think Lion is going to fall short while the malware problem for OS X will get serious, but it won't be until 10.8 that Apple takes security seriously.

Update 1 – June 28th 2011

Updated minor grammatical mistakes.

It is amazing the knee jerk response I have seen to this article where people start saying how there are no viruses for OS X, which is something I acknowledge above. I guess people don’t care if they are vulnerable as long as there are no viruses? Then people start attacking the claim that OS X has no ACL, which is a claim I never made. I guess the truth hurts and attacking men made of straw helps to ease the pain.

References

  1. http://secunia.com/advisories/product/96/?task=statistics – A list of OS X vulnerabilities.
  2. http://www.telegraph.co.uk/technology/apple/8550005/Eric-Schmidt-get-a-Mac-if-you-want-to-be-secure.html – Eric Schmidt on OS X.
  3. http://www.sophos.com/en-us/Search-Results.aspx?search=OSX&refine=1a1e9ea6979a493dba64e1b2ced03044 – A list of OS X viruses from Sophos.
  4. Baccas P, Finisterre K, H. L, Harley D, Porteus G, Hurley C, Long J, 2008. OS X Exploits and Defense, pp. 269-271.
  5. http://securityevaluators.com/files/papers/SnowLeopard.pdf – Charlie Miller's talk on Snow Leopard security.
  6. http://www.computerworld.com/s/article/9217163/Mac_OS_update_detects_deletes_MacDefender_scareware_ – Apple releases an update to deal with MacDefender.
  7. http://news.yahoo.com/s/livescience/20110601/sc_livescience/newmacdefenderdefeatsapplesecurityupdate – A variant of MacDefender appeared hours after Apple's update was released.
  8. http://news.cnet.com/8301-10784_3-9759132-7.html – Charlie Miller talking about setuid programs in OS X.
  9. http://www.zdnet.com/blog/security/mac-os-x-vulnerable-to-6-month-old-java-flaw/3433 – Apple taking 6 months to patch a serious Java vulnerability.
  10. http://www.dribin.org/dave/blog/archives/2006/04/28/os_x_passwords_2/ – Apple using password hashing from 1979 in lieu of a shadow file.
  11. http://www.youtube.com/watch?v=CHFy6egYcUg – Misleading commercial 1.
  12. http://www.youtube.com/watch?v=iPc0NCIZz8s – Misleading commercial 2.
  13. http://www.youtube.com/watch?v=cLVS3QVxhDg – Misleading commercial 3.
  14. http://www.zdnet.com/blog/bott/an-applecare-support-rep-talks-mac-malware-is-getting-worse/3342 – Apple representatives told not to acknowledge or help with OS X malware 1.
  15. http://www.msnbc.msn.com/id/43101276/ns/technology_and_science-security/ – Apple representatives told not to acknowledge or help with OS X malware 2.
  16. http://www.securitymetrics.org/content/attach/Metricon2.0/j3attAO.pdf – Adam O'Donnell's article, When Malware Attacks (Anything but Windows).
  17. http://royal.pingdom.com/2011/03/16/the-10-most-mac-friendly-countries-on-the-planet/ – OS X market share by region.
  18. http://www.pcworld.com/article/228961/beware_of_malware_apple_users_even_as_mac_defender_details_emerge.html – MacDefender linked to crime syndicates.
  19. http://www.zdnet.com/blog/bott/crying-wolf-apple-support-forums-confirm-malware-explosion/3351 – Many users hit by MacDefender.
  20. https://threatpost.com/en_us/blogs/crimeware-kit-emerges-mac-os-x-050211 – The first exploit creation kits for OS X have started appearing.
  21. http://www.networkworld.com/news/2009/041709-first-mac-os-x-botnet.html – First OS X botnet discovered.
  22. http://www.apple.com/macosx/whats-new/features.html#security – Apple's overview of what is new in Lion, security section.
  23. https://bugzilla.mozilla.org/show_bug.cgi?id=394107 – A Firefox bug report about a vulnerability to keylogging.
  24. http://www.computerworld.com/s/article/9211599/Apple_invites_bug_researchers_to_scrutinize_Lion_OS?taxonomyId=85 – Apple letting security researchers review Lion.

Update 1 – August 17 2011

A delayed update, but it is worth pointing out that this article is basically out of date. Apple has indeed fixed most of the problems with security with their release of Lion. At least this article is an interesting look back, and shows why mac users should upgrade to Lion and not trust anything before it. Despite Lion being technically secure, it is interesting to note that Apple’s security philosophy is still lackluster. Here is an interesting article on the lessons Apple could learn from Microsoft and an article showing just how insecure Apple’s DHX protocol is, and why the fact it is deprecated doesn’t matter.

November 17, 2009

A short comparison of AntiVirus products

Filed under: Security, Tech — allthatiswrong @ 8:10 am

The following summaries of AV software are based purely on my experiences with said software. I've been working in the field for about 15 years, and I've set up most AV products at one time or another, and seen them in action. I also keep track of reviews and tests, of which two are independent and recognized as somewhat authoritative: AV Comparatives and Virus Bulletin. If you disagree with my opinions, please do leave a comment, and let me know why.

  • AVG is recommended by people who don’t know any better, or had it recommended to them and recommend it in turn. It has poor detection rates, invasive behavior and can have a large impact on performance. While it may be easy to use, it is not reliable, and the company uses stupid techniques like flooding the internet to try and save a dying product. The free version has especially limited functionality in some ways, such as being unable to set exceptions. The product is not overly configurable, is not secure or reliable, and should not be trusted or recommended. There is absolutely no reason to use it in light of the other products available.
  • Avast is a popular choice, and quite decent: easy to use, negligible impact on performance, excellent scanning speed, very configurable, and decent detection rates. Avast is free for home use. I would recommend Avast as second to Avira, as within the last year the development team has been paying less attention to reported viruses, which is a shame.
  • Avira currently has the best detection rates, is free for home use, easy to understand, and relatively configurable. It does not have all of the features of Avast such as a web and IM protection, but this should not be a problem for most people. It tends to rely on ads, however this can be easily disabled after searching to find out how. There is a negligible, if any, impact on performance.
  • Microsoft Security Essentials is the newest product in this list, but it is also among the highest rating. It is released completely free to licensed Windows users, with no limitations. It is unobtrusive, has near to no impact on performance, and has a high detection and low false positive rate. It lacks some of the configurability of Avira and Avast, but is more intuitive and easy to use than both of them.
  • Nod32 tends to be recommended by people who are familiar with it. In reality, it is less effective and has less features than Avira, Avast or MSE. It has lower detection rates, slower performance, is not as easy to use and often does not clean up infections effectively. It also has a high false positive rate, which is just annoying. Considering that it is not free and has no technical advantage over the free products, there is very little reason to suggest this.
  • Norton 360 deserves a mention here. Norton has a well deserved reputation for being a resource hog and requiring an obscene amount of effort to properly remove, while not being a terribly great virus scanner to begin with. This reputation however, is no longer deserved. Symantec have given the Norton product a complete rewrite, and it is now incredibly fast and efficient, and simple to remove. It has several innovative features that make scanning and threat detection fast and efficient, with detection rates close to or equal to Avira. However, the main drawback here is the price. There is simply no advantage that justifies paying for Norton over one of the excellent free products.

The well known products such as Symantec, McAfee, CA, Sophos and the like tend to be tailored more for a corporate environment, having features that are meant to make large scale administration and configuration simpler. For home use, they are expensive, slow and out of place.

The best choice is currently Avira. It has the right mix of ease of use and flexibility, while having high detection rates and being free. Microsoft Security Essentials is the next best choice, and may be more suitable for less savvy users. You should also use software such as Spybot S&D and Malwarebytes to scan for malware, which can be more of a risk these days. The very best advice is just to employ common sense when downloading and using the internet, and you may not even need a virus scanner in the first place. Stay up to date with security fixes, don't download dodgy executables, etc.

If you do decide not to use an AntiVirus product (a choice I intend to justify in an upcoming article), then two sites which may be of use are VirusTotal and Jotti's Malware Scan. Both of these sites will allow you to upload a file, where it will be matched against several AntiVirus products (around 30 or more) to identify whether a file is suspicious or not. These sites may also be used to verify whether a suspected false positive is clean or not.

Warning: There are many fake AntiVirus products, which are actually malware of some kind pretending to be a virus scanner. They may even go so far as to pretend to find viruses and clean files. They tend to have dubious names such as "AntiVirus 2009". Make sure to thoroughly investigate the software you plan to install on your machine if it is not listed here, or you are not familiar with it. If you think you may have been infected with malware, then my guide to removing malware may help you to restore your system to a clean and working state.

Disclaimer: This is accurate as of Nov 2009…things may well change.

October 19, 2009

Guide to detecting and removing malware

Introduction

Many people make posts wondering if they are infected with a virus or some kind of malware, or if they have some unauthorized software running without their permission, and how to get rid of it and regain control over their PC. It is my goal with this text to list many of the basic techniques, and places to obtain software, to help people work out if they are infected and have a go at removing malicious software themselves. Failing that, when they post in a forum, the people trying to help them will know they may have tried the techniques in this text, or can direct them to it. Additionally, tools and instructions to collect relevant information when posting a question are provided. I will try to keep this entry updated as techniques change and tools become replaced or updated. The techniques and tools listed should be valid for any version of Windows after and including XP.

Overview

Malware can be one of the most frustrating, confusing and dangerous things to plague less experienced computer users. Quite often they may not realize that they are infected, may wonder why their computer is suddenly acting a lot slower, or may simply want to have peace of mind. The first thing to remember is that if any malware is detected, DON’T PANIC. All malware can be removed and contained, without risk to your data or to other computer users. You will likely never have to resort to a format and reinstall to restore your PC, and in some cases this would not be effective anyway.

The first steps are to use the tools and instructions contained in the guide to identify the malware, and then go about removing it and repairing any collateral damage. More often than not, either one of the listed AVs or one of the listed anti-malware tools will be able to safely remove the malware. The AVs I have recommended are both completely free for home use, have very high detection rates, and a very low performance impact. I understand AVG is popular with a lot of people, however this should be removed immediately. It is inefficient and somewhat untrustworthy, and will only lead to a false sense of security.

The anti-malware tools I have suggested will scan for and detect malware that most AV software will generally not detect, nor is designed to. This includes software such as browser toolbars, adware programs, updaters for certain browsers, etc.

Tools to assist in detection and removal

Each of the following is completely free, and valuable to have. If I refer to a tool below, then you can obtain it from the direct link in this list. Alternatively, you may wish to keep some software, such as an AV, permanently installed.

Malwarebytes Anti-Malware

Sysinternals Utilities

Spybot Search & Destroy

Avira AntiVir Free Version

avast! antivirus Home Edition

Microsoft Security Essentials

HijackThis

Restore Safe Mode

First steps

Step 1: The very first step you can try is to use System Restore. If you have System Restore enabled, Windows will be restored to a known good point, before you were infected. You can then use the following steps to verify that your install is clean, and follow the instructions in the Good Practices section to make sure you stay clean.

Step 2: The next step is to install and run an AV scan, if you have not done so already. If you don’t already have an AV installed, I recommend Avira, for the reasons mentioned above. You can set Avira to do a boottime scan, which will be able to scan certain files that the malware may block access to when Windows is running. If anything is found, you can safely delete and/or quarantine the file, which should keep malware under control.

Step 3: You can then download and install Malwarebytes Anti-Malware, which is linked above. You can run the scan, which is a bit lengthy, and if you have anything Malwarebytes will likely detect it. If it does not, and you are still sure that you are infected, you can install and run Spybot S&D, which may detect some things Malwarebytes missed.

Step 4: If nothing is detected, and you are still certain you have malware on your machine, then one of the best things to do is to look for some telltale signs. You should look for any processes running that should not normally be running. Google each process if you are unsure or don’t recognise it. Many malware executables like to take the name of something that seems official, such as update.exe, so make sure you verify that a file with an official name is running from the right path. To check processes, I recommend using Process Explorer from the Sysinternals tools linked above, which may detect some processes hidden from Task Manager.

Step 5: Another basic step you can take is to inspect the Windows Hosts file. The Windows hosts file is used to resolve hostnames to IP addresses without using the DNS system, and it overrides any DNS queries. This means malware can add an entry that makes a trusted hostname, say microsoft.com, resolve to a malicious IP. The Windows hosts file is located in \Windows\system32\drivers\etc\, and is called Hosts, without a file extension. The only content by default should be an entry for 127.0.0.1, the local interface, or two entries if you are using Vista or later. If you have used anti-malware software, there may be additional entries added as a countermeasure to prevent malicious sites from being contacted. If there are entries for well known or good sites such as microsoft.com, mcafee.com or similar, then this may be a sign of infection. You can delete these and similar entries from this file, aside from the entry for 127.0.0.1, if you have not used an anti-malware program to manage your hosts file. If you are unsure, you can ask for clarification in this forum.

Step 6: If you are using Internet Explorer 7 or above, you can run Internet Explorer in protected mode (right click, and Start in Protected mode), which will prevent any addons from loading. This will then allow you to see if the problem is isolated to Internet Explorer or not. If the problem is isolated to Internet Explorer, you can go into the addons section, and disable or remove any addons that are unknown to you, or that are unnecessary. Re-enable any you want to keep one at a time to isolate which is causing the problem.

Step 7: If you have a particular file that you think may be malware, or you have an infection but are not able to reliably detect what it is, then you can submit the file to either VirusTotal or Jotti’s Malware Scan, which will give a reliable identification by scanning the file with several (30 or more) AV products. Once you have identified your malware, or if one of the anti-malware programs identified but was unable to remove the malware, a quick search on Google should produce detailed instructions or a tool for removing the specific malware.

Step 8: You can also prevent unknown software from loading at startup. To do this, I recommend the Autoruns tool from the Sysinternals tools linked above. This tool will allow you to disable any processes, registry entries, DLLs etc. that run at startup, so you will be able to isolate the issue. Once you have isolated a troublesome entry, you can take appropriate action, such as submitting it to VirusTotal, or simply deleting the file.

Step 9: If some of the techniques listed above are not working, then you should attempt to do them in safe mode. Safe mode should prevent the malware from loading, and will give you a better chance to remove it. Some malware will disable the option to boot into safe mode, in which case you can use the registry fix linked above (Restore Safe Mode) to restore the option to enter safe mode.

Step 10: If you have trouble ending a process or deleting a file that you suspect is malicious, then you can use the Handle tool from the Sysinternals utilities linked above. The Handle tool will allow you to list and close the file handles a particular process has open, allowing you to then close the process. Alternatively, if you have found a suspicious file, you can see the name of the process that has a handle to that file and end it.
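The hosts-file check from Step 5, as an added Python example that is not part of the original post: it parses a constructed hosts file and separates the default loopback entries from block-list entries (the kind anti-malware tools add, pointing bad sites at loopback) and hijack-style entries that point a well-known domain somewhere else. The sample file contents and the short list of well-known domains are assumptions made for the example.

```python
import ipaddress

# Constructed sample of a Windows hosts file; not taken from any real machine.
# 203.0.113.0/24 is a documentation range standing in for an attacker's IP.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries an anti-malware tool adds: known-bad sites sent to loopback
127.0.0.1       ads.badsite.example
0.0.0.0         tracker.badsite.example
# entries typical of a hijack: trusted sites redirected to a remote address
203.0.113.45    www.microsoft.com
203.0.113.45    update.microsoft.com   # inline comment is ignored
203.0.113.45    mcafee.com
"""

# Assumed list of vendor domains that should never appear in a hosts file
# (Step 5 names microsoft.com and mcafee.com; the rest are illustrative).
WELL_KNOWN = ("microsoft.com", "windowsupdate.com", "mcafee.com",
              "symantec.com", "avira.com", "malwarebytes.org")

def is_loopback_or_null(addr):
    """True for 127.x.x.x, ::1 and 0.0.0.0, the addresses block-lists use."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # malformed address: treat as not loopback
        return False
    return ip.is_loopback or ip.is_unspecified

def is_well_known(host):
    """Match a domain or any of its subdomains, not 'notmicrosoft.com'."""
    return any(host == d or host.endswith("." + d) for d in WELL_KNOWN)

def parse_hosts(text):
    """Yield (ip, hostname) pairs, dropping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for host in fields[1:]:             # one IP may list several names
            yield fields[0], host.lower()

def classify_hosts(text):
    """Bucket entries as 'default', 'blocklist' or 'suspicious' (hijack)."""
    result = {"default": [], "blocklist": [], "suspicious": []}
    for ip, host in parse_hosts(text):
        if host == "localhost" and is_loopback_or_null(ip):
            result["default"].append((ip, host))
        elif is_loopback_or_null(ip) and not is_well_known(host):
            result["blocklist"].append((ip, host))    # harmless blocking entry
        else:
            result["suspicious"].append((ip, host))   # remote IP or vendor domain
    return result
```

To run it against a live machine, read the real file (the path from Step 5) in place of SAMPLE_HOSTS and review the "suspicious" bucket before deleting anything.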

Good practices

There are several good practices you can follow, which are quite simple, require minimum effort, and will greatly reduce the risk of reinfection. The first is to use a secure browser. This basically means Firefox with latest updates, or Internet Explorer 7 or 8. Any plugins you have installed should also be updated.

You can also do things like turn on file extensions and hidden files. This will allow you to recognize suspicious files a lot quicker.

Stay Updated

Vulnerabilities in software are one of, if not the, main avenue of attack for malware to install. This can include placing files on your computer after visiting a website with an insecure browser, by exploiting a browser plugin such as Flash, or by exploiting a vulnerability in Windows itself. Indeed, web browsers and Adobe products are the major avenue of attack these days. Generally, as a home user, there is no reason you should not be updated at all times. This is the best approach to prevent infection/installation of malware, and in some cases will fix an existing problem. It will certainly prevent the same problem from reoccurring. Most programs have a facility to update automatically. If you don’t want to enable this, then you should check the manufacturer’s website semi-regularly to keep a lookout for new versions.

Use Antivirus

If you have any doubts about your ability to detect malware at all, then you should definitely be running an AV. AVs have come a very long way, are lightweight and non-intrusive, and can detect many types of known malware and remove it. The best AV for consumers is currently either Avira AntiVir or Microsoft Security Essentials, both of which will run unobtrusively in the system tray. Avira is more configurable although it has ad popups, but a quick Google for “avira disable ads” will show how to remove these. Second to Avira/MSE is avast!, which has a slightly lower detection rate, but is more configurable, and just as fast. avast! requires registration, but is then free to use at home. Running an AV is an important step, because aside from protecting yourself from unknown risks, you help to protect other users by being prevented from forwarding malicious files.

Backup any important files

This goes without saying. You should always regularly back up your files, so in the event you are infected, you can be sure that nothing valuable is lost. Personally, I just organise my files into directories and copy them to a hard drive or DVD disc. If this does not work for you, then there are many other approaches, and many other Atomicans will be able to recommend you a suitable backup program and/or approach.

Posting a question

If you were unsuccessful after following the above steps, or need help at any point along the way, then feel free to make a post asking for help. To make it easier for people to answer your question and provide the help you seek, a few basic steps can be followed to make this process as painless as possible. Some of the things that you should include when asking for help are:

  • The version of Windows you are using, including any service packs
  • Any recent changes or software that has been installed
  • Whether or not you are up to date with security patches
  • What, if any of the above steps you have tried.

After this, you should post the complete log produced by running HijackThis within code tags. You can select the text within the post box, and click the rightmost icon that looks like a scroll, to enclose text in code tags. This will then preserve the formatting, and make the log easier to read. Above all else, it is important to be courteous in your post, and to indicate that you have made some effort, even if you don’t completely understand the problem.

I hope that this has been a helpful and informative post. If you liked it, or have some suggestions or feedback, please feel free to leave a comment. I plan on expanding it at a later point, or perhaps following up with a subsequent post to explain how to use System File Checking in Windows, and how to check for and remove rootkits.
