Some malware is smart enough to recognize its enemies. I ran across one of these this week cleaning up an infected PC. The PC had a recent version of the Spybot anti-spyware tool (www.safer-networking.org/en/index.html) on it so I started that up to run a scan. Nothing happened. I tried again but still nothing.
So then I downloaded Autoruns from Sysinternals (technet.microsoft.com/en-us/sysinternals/default.aspx). I started that up and again nothing happened. So what can you do when you can't even open your tools to try to get rid of some malware?
In this case, I renamed my tool and ran it under the new name and it worked. The executable at the core of the Spybot version I was using is a file called "spybotSD.exe". I renamed it to some arbitrarily chosen name. I called it "bobo.exe". Then when I double-clicked on that file I just renamed, it opened the Spybot program. I ran my scan. It found the malware and removed it.
So if it seems like one of your scanning tools isn't working, this is one thing to try. Be careful out there.
Thursday, September 18, 2008
Thursday, June 12, 2008
Are You A Spammer?
A number of folks had indicated they would appreciate a tip or two to help them determine whether they spam or not. So here I go.
Caveat 1: There is no button you can click that will tell you yes or no about this. What I will describe here will be a series of techniques to help you get clues to answer this question.
Historical preface: During my past 5 years as an MPL employee, I have had to deal with two infections. Both were during the past year. I think this means the bad guys are winning. It could be that I’m just getting more stupid. Folks here suggest as much occasionally.
One infection was only on a single user notebook. The user was looking at their email, knew they should not click on a link presented in an unsolicited email, but they did anyway. A Trojan was downloaded and that user’s notebook became a zombie, which is a PC that does what some remote site tells it to do. It was told to spam. It did and that user’s mailbox was full of “Undeliverable” messages.
The other infection was on my mail server which I have recently described in previous posts. That issue seems to be resolved but it did get worse before it got better.
For both of these issues, the antivirus software initially failed to discern the infection. These were both popular vendors, Symantec on one and Trend Micro on the other. Both were installed so that they were running in the background whenever the PC or server was on. Both had the latest signature files. Both initially failed to catch the infection when a manual scan was run. Do you wonder why you spend so much on antivirus software? I do.
In the first case, I used a nifty product called Autoruns (http://www.sysinternals.com/) to find the offending executable. I then googled the name of the file and found out that, at that point, only one AV company (Pharos) had identified a signature for the Trojan. I then downloaded a trial of their AV software and the Trojan was found and removed.
I have already described what I went through with my mail server but the bottom line is that I probably had the infection for at least a couple weeks before my AV vendor provided a signature file that identified it. So finally a manual scan did turn up an infection.
In both these cases the first symptom was that a user’s mailbox was filling up with garbage. See example below. I can’t tell you how much I wanted to open up the Mexican Wrestling Squirrels message. Alas, it remains a mystery.

Hundreds of these messages would arrive in a short period of time. So it wasn’t hard to think that we had a problem. It was more like a slap in the face.
So technique #1: If you get a lot of messages with “Undeliverable” in the subject line, you may be a spammer. This will not be hard to discern. It may be hard to clean up the mess though.
#2 Ask your ISP. One of the indicators I had was a friendly call from my ISP saying they had noticed somewhat elevated outgoing traffic on port 25, which means sending a lot of mail out. Your ISP may be so small that they don’t watch things so closely or so large that they don’t care to bother with you.
#3 Check to see if you have gotten yourself on a spammer blocklist. First go to http://www.whatismyip.com/ to see what your outside IP address is. Then go to cbl.abuseat.org and use the IP address lookup to see if you are listed on the Composite Block List, or CBL. Some email vendors filter incoming email traffic based on a block list like this.
#4 Make sure your antivirus program and antispyware programs have the latest signatures and run full scans. When the response comes back clean, still be suspicious.
#5 Run the Autoruns utility mentioned above. This is a great tool but I think a person needs quite a bit of experience at working with Windows under the hood to be able to use it effectively.
That’s all. Excuse my droning. I will make the next post short and possibly sweet.
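Technique #3 can be scripted rather than done by hand in a browser. The following is an added example, not from the original post: it builds the standard DNSBL query name (the IPv4 octets reversed under the list's zone, so 203.0.113.5 becomes 5.113.0.203.cbl.abuseat.org) and treats an answer inside 127.0.0.0/8 as "listed". The resolver is injectable, and the answer table below is constructed so the check runs offline; against a live DNS the default `socket` resolver is used.

```python
"""Check whether a public IP address is listed on the CBL (cbl.abuseat.org)
using the DNSBL convention: reversed octets under the list zone, and an
A-record answer in 127.0.0.0/8 means "listed"."""
import ipaddress
import socket
from typing import Callable, Optional

CBL_ZONE = "cbl.abuseat.org"

# Addresses that can never be your "outside" IP; querying them is a mistake.
_NON_PUBLIC = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def dnsbl_query_name(ip: str, zone: str = CBL_ZONE) -> str:
    """Build the reversed-octet lookup name for an IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    if any(addr in net for net in _NON_PUBLIC):
        raise ValueError(f"{ip} is a LAN/loopback address; look up the outside IP instead")
    return ".".join(reversed(ip.split("."))) + "." + zone

def _system_resolver(name: str) -> Optional[str]:
    """Resolve with the OS resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(ip: str, zone: str = CBL_ZONE,
              resolve: Callable[[str], Optional[str]] = _system_resolver) -> bool:
    """True only when the list answers with a 127.x.x.x address."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    # Some ISP resolvers answer NXDOMAIN with a search-page IP; only a
    # 127.0.0.0/8 answer is a genuine listing.
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")

# Constructed answer table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "5.113.0.203.cbl.abuseat.org": "127.0.0.2",    # constructed: listed
    "9.0.2.192.cbl.abuseat.org": "198.51.100.1",   # constructed: hijacked NXDOMAIN
}

def fake_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)

if __name__ == "__main__":
    for ip in ("203.0.113.5", "192.0.2.9", "198.51.100.77"):
        print(ip, "LISTED" if is_listed(ip, resolve=fake_resolver) else "not listed")
```

A listing is a symptom, not the cause: after removing the infection (technique #5), a delisting request still has to be made through the list's own lookup page.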