Comparing malware removal methods and results of different OS.

Comparing malware removal methods and results of
different OS.
Nick Van den Steen1
1
Vrije Universiteit Brussel, Brussels, Belgium
[email protected]
September 3, 2012
Abstract
Firstly we will discuss the different threats for each Operating System. After the threats are defined, we will make a comparison between
the methods used to deal with the threat on the different OS by testing these tools on the known threats. This will include the ease of use,
availability, number of tries, the results etc... In general we concluded
that the combined use of manual, real-time protection and bootable
scanning software offers the best protection against malware.
1
Introduction
There is a lot of Malware threatening our operating systems, but which OS
has the best tools available to deal with the threat once it is infected? In
this work we will study and test different methods to remove Malware on a
Windows 7 and Ubuntu 12.04 LTS platform.
2
Malware
In this section we will discuss what Malware is, what programs are considered as Malware and why.
2.1
What is it?
Malware is a shorthand for malicious software. This includes all software,
code and scripts designed to perform malicious actions. Malware is categorized into different subclasses based on their behavior. In the next section
1
we will give an overview of the different subclasses of malware and give a
brief introduction on how they work.
2.2
Types of Malware
We categorize malware in different types based on their behavoir. This
overview is based on “Modern Operating Systems” by Tanenbaum [Tanenbaum (2009)] and “Malware: Fighting Malicious Code” by Ed Skoudis and
Lenny Zeltser [Skoudis and Zeltser (2003)].
2.2.1
Trojan Horses
This type of malware is usually embedded in some useful program. When
the user installs the genuine software, the trojan horse will also be installed.
It tricks the user to allow the malware inside the protected area (computer)
and is therefore named after the trojan horse used to end the conflict between
Greece and the Turks.
Unlike other types of malware (.e.g. worms) the trojan horse cannot
infect other computers by itself and usually does not cause damage to files.
Usually the trojan grants access to a remote user (in this case the hacker
or someone with knowledge about the trojan) by attaching itself to an IP
port.[Tanenbaum (2009)]
2.2.2
Viruses
Viruses work similarly to biological viruses, that is, they both need a host in
order to reproduce. They do so by attaching themselves to other programs.
Viruses ( in contrast with worms) are not self-reproducing1 , they need the
interaction of a human to replicate. When the host program - and in that
way the virus itself - is activated by a human, the virus can infect other
files, disks etc... We will take a look at the different categories of viruses.
They are categorized according to their infection mechanism and the target
of their infection.Tanenbaum (2009) [Skoudis and Zeltser (2003)]
Companion Viruses Companion Viruses will not modify the actual target file. They will in some way trick the user in believing they are the target
file or exploit the chain of execution in the system. We will take a look at
1
The definitions of self-replicating or self-reproducing is not uniform. In this paper we
talk about self-replication or self-reproduction when no interaction from outside is needed
when reproducing or replicating.
2
some examples: When users want to start a program, they sometimes use
the command line or the run option. If the virus is given the same name
as a popular program to be run via command line or run prompt, but with
a different extension, (e.g.: .com instead of .exe) the user may trigger the
virus instead of the intended program (.com files are triggered before .exe
files). When the virus has done it’s job it can still execute the correct program so the user won’t notice that something went wrong. The virus file
itself is often hidden so it won’t be detected that easily. Other ways to trick
the user are to redirect a shortcut to the malicious program instead of the
advertised program or to move the intended program to another directory
and name the virus in the same way as the intended program etc...
Executable Program viruses These are viruses that infect an executable
program. The infection can be achieved in different ways, which are listed
below.
Overwriting Viruses In order to infect an executable, these viruses
will overwrite a part or all of the host code. This will most of the time make
the host program useless. When the program gets executed the user will
notice that something went wrong, but by then it will be too late.
Prepending Viruses Both prepending and appending (see next paragraph) viruses are called parasitic viruses. They attach themselves to a host,
but let the host function normally. As the name implies, prepending viruses
will attach themselves to the beginning of the file. They do this by copying
the original program to RAM, adding themselves to the beginning of the
program and copy it back. Note that the virus will also need to change the
starting address in the header, which indicates where the program begins,
when it infects an exe-file. In this case, it will need to point to the beginning
of the virus. When the virus is executed, the original program code is generally executed to hide the fact that something out of the ordinary happened.
Since the original content of the program is still intact, it is more likely that
we can recover from these viruses.
Appending Viruses Instead of adding itself tot he front of a host,
the virus can also add itself to the end of the file. Depending on the type of
file it infects, it has to take certain measures. A COM file has no header, so
it will need to add a reference to itself in the beginning of the host file, to
have the malicious code executed first. At the end of the malicious code is
3
another jump to the beginning of the original host code. When appending
to an exe-file, the virus needs to change the starting address in the header
to refer to the address on which the virus code starts instead of the host.
Cavity Viruses Some program formats can consist out of multiple
text and data segment. In some systems and for some formats, these segments have a fixed size (e.g. in windows they are multiples of 512 bytes).
When there is some space left in a segment it is filled up by zero’s. A cavity
virus tries to place itself in these “cavities.” A plus is that when the virus is
totally contained within these cavities, the size of the host file remains the
same. This decreases the chance of detection.
Memory-Resident Viruses These viruses reside in memory after the
host program has been executed. They can stay on top of the memory, but
they can also hide in the interrupt vector. They can reside in an unused part
of the interrupt vector or they can copy the interrupt vector and change it to
make it execute the malicious code.This way the infection of other files can
continue after the initial host program has terminated.[Tanenbaum (2009)
& Skoudis and Zeltser (2003)] Spaffor (1990)
Boot Sector Viruses We first look at an extremely simplified and partial
description of what happens before an OS is loaded on an IBM pc. When
you start up a computer, the OS needs to be loaded. The BIOS will load the
MBR in memory. The MBR indicates the location of the boot sectors of the
partitions. Next the boot sector of the active partition is loaded which will
load different sys -and batch-files. When the virus copies the MBR to a safe
place and writes himself over the MBR, the virus has complete control over
the pc since none of the anti-virus systems have been loaded yet. The virus
can after his malicious deeds, refer to the real MBR (which was copied in
the beginning to a safe place). If the virus wants to remain active, it can use
concrete information of how the system loads its interrupt vectors or drivers
to stay in memory when the OS boots.[Tanenbaum (2009) & Skoudis and
Zeltser (2003) & Spaffor (1990)]
Device Driver Viruses Wouldn’t it be easier if we could trick the OS to
load and execute the virus for us, so it is viewed as a legit program? This
can be achieved by infecting a device driver. These drives are loaded every
time the OS boots. These drivers are loaded in kernel mode, so they have
full access to the system!
4
Macro Viruses (Document infection) Many document types now include the ability to make and execute macro’s. These are groupings of commands that can include scripts or VB code. These macro’s can be attached
to subroutines of the editor, like the “open file command”. Most editors
give warnings and the ability to disable macro’s, when opening a document
that contains them. However, not everyone knows what macro’s are and
what they can do, so that makes them easy targets.
Source Code Viruses Instead of infecting exe files, viruses can also infect
source code directly. By including a few lines in for example a header file
and C file, one can make the program execute the virus. We just need
to add an include statement in the header file and an execute line at the
appropriate location (syntactically correct and the execute statement must
be reachable) in the source file.
2.2.3
Worms
The main differences between viruses and worms are that a worm spreads via
the local network or the internet and does this without necessity of human
interaction. Worms are self-propagating via a network. Sometimes however, they need little human interaction, like viewing a e-mail.[Tanenbaum
(2009)] According to Tanenbaum in Modern Operating Systems [Tanenbaum
(2009)], there are 3 main reasons why worms are used:
• To take over a large number of systems.
You can use the exponential infection rate of a worm to take over a
large amount of systems.
• Increase difficulty to perform traceback.
When one system scans another system, a lot of traffic is noted between
the two. But if a large amount of systems can another system, the work
is divided and not easily traced back to the perpetrator.
• To increase damage.
A large number of systems can do a lot more damage than 1 system.
2.2.4
Rootkits
Rootkits are a set of programs that hide malicious programs or code persistently on your computer or let malicious hackers gain access to your computer without being detected. Rootkits can be classified by different criteria.
5
The classification can be on where they hide or were they perform modifications. Since the program needs to perform modifications to hide in a certain
place, these criteria will partly overlap. We choose to present a classification based on hiding location like in “Modern Operating Systems 3E” by
Tanenbaum[Tanenbaum (2009)].
• Application rootkits
Rootkits are able to hide in applications, this can be in a new file or
in an existing file. Large applications consist of many files, so adding
a new file is not suspicious.
• Library rootkits
Hiding in the system library gives extra pluspoints. You can inspect
the return and argument values of system calls and modify them if
needed.
• Kernel rootkits
By hiding in a driver or kernel module (adding yourself to it but keeping the old one functional) you have a good way to hide and alter the
system.
• Hypervisor rootkits
If the rootkit is able to start the entire operating system in a virtual
machine, we talk about a Hypervisor rootkit. This rootkit controlls
every aspect of the OS. The beauty of it is that it is very hard for
a detection program that runs in the OS inside the VM to find the
rootkit since no files were altered in the OS.
• Firmware rootkits
By replacing the BIOS with it’s own version a rootkit would gain
control every time the system booted and each time a BIOS function
was called. To be able to hide properly it would need to encrypt and
decrypt itself.
2.2.5
Spyware
Spyware consists of a large group of malicious software. It is not easy to
define, since it overlaps with certain policies that have no malicious content,
like the auto updating of certain programs (e.g.: an antivirus). We therefore
follow the definition given by Barwinksi et al. in the paper ‘ ‘Empirical Study
of Drive-by-Download Spyware (2006)”. which relies on the behavior of the
6
software, to determine whether it is considered spyware or not.[Barwinski
et al. (2006)]
• It hides.
Spyware tries to remain hidden for its own benefit (instead of for the
user, by not bothering him). The more it hides, the more likely it
can continue its activities. Therefore it tries to hide the location of its
installation as well as the fact that it is installed, furthermore it will
hide communication by encrypting the messages.
• It collects data.
The program collects all kinds of data, depending on the specific target of the malware. This includes personal information like medical
information as well corporate secrets as well as general user statistics
like search engine preferences.
• It communicates with third party.
It will try to communicate with third party, to deliver the collected
data, without asking permission from the user or notifying him or
her. Communication can go by any network possible, like Ethernet or
Bluetooth.
• It tries to survive as long as possible.
Even when it is detected, it will try to overcome the attempts at
removal by for example using redundancy.
Possible ways to get infected by spyware are:
• Trojan horse in some free software” and on some websites.
If you want to spread spyware you can create free software that is
desirable and infest it with spyware. People who install the program
will also install the spyware. Banners on some websites direct you to
sites that will try to infect your computer with sypware.
• Drive-by download.
Some sites try to infect your computer with spyware by proposing you
to install some program. They will do everything to convince you that
the program is decent and very helpful (e.g. certified by a Certification
Authority and will help speed up your computer). If you refuse to
install, they can try to install it anyway by using a vulnerability of the
browser or system.
7
• Exploit activeX controls.
By exploiting activeX controls (these are binary plug-ins for Internet
Explorer(IE) ), one can install spyware on a computer. The ease by
which this is done depends on the security settings of IE.
2.2.6
Adware
Advertising-supported software, better known as adware, is any software
that displays advertisements. The displaying can be done in different ways,
for example by the use of pop-ups or displaying banners on the application’s
main screen etc. Adware can be, but is not always considered spyware.
When a user downloads a free application, from a trusted source, it is possible that the free application contains adware to support the vendors. Usually
a paying alternative without adware is available.[Schwabach (2006)]
2.2.7
Backdoor
A backdoor is a way for a person to access a system by getting around all
security protocols. These backdoors used to be quite commonly installed
by system administrators, but are now more frowned upon. When a malicious person installs a backdoor on your system, he can access your system
with ease, making your system a zombie.[Tanenbaum (2009) & Skoudis and
Zeltser (2003)]
3
Closer look
3.1
3.1.1
Malware designed for Windows 7
Malware retrieval
A large part of the malware tested in this paper is taken from http://www.offensivecomputing.net/.
We also use http://www.malwaredomainlist.com to obtain malicious websites where we could be infected with malware.
3.2
3.2.1
Malware designed for Ubuntu 12.04 LTS
Malware retrieval
Most samples were acquired via https://www.offensivecomputing.net/, a
few samples were taken from http://www.kernelmode.info. The list from
https://help.ubuntu.com/community/Linuxvirus with know malware for Linux
was used to search viruses able to infect Ubuntu.
8
4
Remove options and tools
4.1
For Windows 7
We distinguish two kinds of malware removal methods: the manual and the
automated approach. Manual removal does not mean we cannot use any
tools, just that we have to interpret the output of the tools ourselves and
respond to it in an appropriate way. In case of the automated removal most
of the work is done for us. The automated program tries to find the malware
and depending on the settings will deal with it appropriately or request the
user to make a decision on what to do next.
4.1.1
Manual removal
In this section we discuss possible ways to remove malware manually with
the help of some useful tools based on “Manual Removal of Malware - Is
It Still Relevant?” by S. N. Alsagoff Nasir (2011). This paper states that
there are 3 sequential steps needed to get rid of malware:
1. Terminate the process that is performing the malicious acts.
Before we can try to delete the malware files, we first have to stop
the malware process to be able to modify (i.e. delete) the files. We
can try to do this using the Windows Task Manager, but this is often disabled by the malware. A convenient tools is the CurrProcess
Process viewer utility ( http://www.nirsoft.net/utils/cprocess.html).
It does not however guarantee success, since the malicious process can
run as a system process which can not be terminated so easily. An
alternative is to startup in safe mode and hope that the malware is
not started. If however the malware process is active, we need another
approach. We can boot an OS from disk or USB (like BART PE) and
delete the malware via the other OS or we can remove the drive and
add it to another pc as a slave drive. Alsagoff recommends FileMon
& RegMon as monitoring tools to check for walware activities, these
tools have been replaced by Process Monitor. The TCPView tool is
still available. We will use these tools to attempt manual malware
removal in the “Practical tests” section.
2. Disable the startup of the malware.
To prevent the malware from becoming active again, we have to interfere with the startup of the malicious program.
9
3. Delete all the malware files.
The last step is to delete all the files connected with the malicious
software.
4.1.2
Automated removal
There are a variety of anti-malware and anti-virus software, both free and
commercially available. In our tests, we use both free and limited trial
editions of commercial software.
4.2
Ubuntu 12.04 LTS
4.2.1
Manual detection
In Ubuntu 12.04 we use tools to detect whether the system is compromised
or not. These tools however, do not propose a way to take care of the threat.
4.2.2
Automated removal
We use opensource and free or limited trail editions of commercial software.
5
5.1
Practical tests
Windows 7
The tests for windows 7 are performed on Windows 7 Professional with
service pack 1. Before the test avast! Free Antivirus 7.0.1456 (with all
updates available at the moment installed) is disabled as well as Windows
Defender.
In the next test we run a number of programs (see figures 1 & 2 for a
scan of the files before the infection), which are infested with malware.
10
Figure 1: Scan of the infected files before they are run
Figure 2: Scan of the infected files before they are run
5.1.1
Automated removal
After the test we activate avast Free! Antivirus again. Upon opening of the
userinterface, after the protective shield were activated, we get a read error
(see figure 3). The UI of the antivirus however does start. When we try
to perform a full scan, we again get an error (see figure 4). It seems that
one or more of the malicious programs messed with the antivirus. In case of
the second error, it seems that avast creates a file when trying to perform
a scan, when the file already exists it creates problems. We continue by
confirming we read the error and the scanning does seem to start. However
on termination of the scan, no infections were discovered. We know this
cannot be correct since the exe-files which we ran, are still in the desktop
map. Our scanning software seems to be corrupt.
11
Figure 3: Read error when trying to open the avast UI
Figure 4: avast scan error
We deal with this by uninstalling avast Free! antivirus and installing
another antivirus: Panda Cloud Antivirus (Free version). We again perform
a full scan. This time 5 dangers where neutralized: 2 adware programs, 2
trojans and one cookie.
5.1.2
Manual removal
We now execute a different set of examples (seen in figures 5, 6 & 7).
12
Figure 5: avast scan of malicious files before they are run
Figure 6: Ad-Aware scan of malicious files before they are run
Figure 7: Real-time protection of Ad-Aware before the malicious files are
run
This time we try a manual removal of the malware. We can still access
the Task Manager (see figure 8), which contains 2 questionable processes,
i.e. AntiVirusPro2009.exe and dwdsregt.exe*32. We can terminate AntiVirusPro2009.exe without a problem, but when selecting dwdsregt.exe, it
13
gets unselected after around a second or two. At some point there are two
dwdsregt.exe processes, one with description and one without, but they get
quickly reduced to one. The process seems to constantly restart itself, which
makes it harder to terminate the process. This method is not fast enough,
since we were still able to terminate it by reacting fast enough. We open
CurrProcess next, to check if our Task manager was not compromised (e.g.
not showing the whole list of active processes). CurrProcess only shows itself and the avast UI (see figure 9), which still runs (cannot be terminated
via Task Manager, but avast protection is disabled).
Figure 8: Task Manager
14
Figure 9: CurrProcess
Next, a HiJackThis scan is performed, which indicates a startup entry
for dwdsregt.exe (see figure 10). We remember the location of the .exe file
(which is C:\Windows\SysWow64\) and delete this entry via HiJackThis.
Next, we delete the exe file by going to the previously obtained directory
(see figure 11).
15
Figure 10: HiJackThis
16
Figure 11: Deleting Dwdsregt
results of manual removal & comparison of anti-malware software
In the next paragraph, we test how well are manual removal preformed.
We use different virus and malware removal software, this allows us to evaluate the results of the manual removal attempt, but also to compare the
different anti-virus and anti-malware software
We download and install Malwarebytes (http://www.malwarebytes.org/),
which by default enabled the free pro trail. We perform a full scan, which
reports 14 threats (see figure 12). The kind of malware found is not really
displayed, it can however sometimes be determined via the name of the vendor. We choose to remove the threats, which was successful. After the logfile
display (every action is logged and available under the log tab), a request
for a restart to finish the removal is prompted, in the log file however, every
removal was already marked as successful. During the restart, the screen
remains black for a while, until the desktop loads and no extra message or
prompt is shown.
17
Figure 12: Malwarebytes full scan
We perform an avast Free! antivirus scan on the same case, with the
version that was already installed but disabled at the moment of infection.
After a full scan, 17 threats were reported (see figure 13). The default
action to move the threat to the vault succeeded in all but two cases, a file
not found error was given for BestAntivirus2011.exe and malware.exe due to
duplicates in the threat list. So only 15 unique threats were found. Of those
15 unique cases, 10 alerts about the files we uncompressed to the desktop,
which we then used to install the malware.
18
Figure 13: Avast full scan
Again on the same case, we run the Microsoft Safety Scanner and get 5
reported threats: 3 rogue malware threats, one trojan and one backdoor. 2
Rogue malware and 1 backdoor could be completely removed, the remaining
trojan and rogue malware could only be partially removed (see figure 14).
The program recommended to perform a scan with an anti-virus program,
since the Safety Scanner is no alternative to an anti-virus program.
19
Figure 14: Microsoft Safety Scanner
The next scan is performed by the Ad-Aware Free Antivirus+ (from
LavaSoft). When installing the software, a quick scan is performed (which
can be aborted when it runs). One threat consisting of 12 cookies was discovered and quarantined. After a reboot, we open the UI of Ad-Aware. We
notice that the real-time protection detects 10 threats. The systems detects
two processes (8 instances of SearchProtocolHost.exe and 2 of Explorer.exe),
which are ran by the malware (see figure 15).
20
Figure 15: Ad-aware real-time protection
Next we perform a full scan,in which 8 threats and 39 traces were detected. The program also scanned the compressed files which were not password protected, so a few compressed malware files are also scanned. Of the
8 threats, 6 were classified as trojans, one as worm and the last as rogue
security program. All threats were quarantined. A summary is kept of every
scan, but no detailed version with list of infected files is kept. The files previous location can be retrieved from the quarantine section, when examining
the details of a threat (see figure 16). In total 14 trojans, 2 rogue agents, 1
worm and 12 cookies were detected and quarantined by the quick scan, full
scan and real-time protection combined (see figure 17).
21
Figure 16: Ad-Aware quarantine
Figure 17: Ad-Aware report
We again perform a scan on the same case, but this time performed by
F-Secure Online Scanner 4.2. We first have ton intall JRE, after which we
can run the online scanner. We choose for a full scan, which reports 30
22
infected files. Of these threats, 21 can be cleaned, but 9 remain infected.
No opions to remove the files are available ( see figure 18). The only option
is to restart the scan. A full report is available as a html file. This report
lists 19 successfully cleaned spyware infections, 9 viruses that were cleaned
and 2 viruses that were renamed and submitted to F-Secure.
Figure 18: F-Secure Online scanner4.2 results
For the next two scans, we create a bootable UBCD4Win recovery cd
(http://www.ubcd4win.com/) using an XP Professional cd with service pack
2. We boot via the newly created disc. We get a working desktop with a
lot of anti-malware, recovery and other tools pre-installed. We use Avira
AntiVir Personal to perform a scan of the entire system. We tried to update
it first, but that failed. It seem the license is not valid anymore. The full
scan reports 9 detections, which are all successfully moved (see figure 19).
Next we perform a Spybot: Seach & Destroy scan (without reverting the
system). The scan detects and removes 11 cookies and 2 registry changes
(see figure 20).
23
Figure 19: Avira AntiVir Personal
24
25
Figure 20: Spybot: Search & Destroy
The last scan is performed by the F-Secure Rescue CD. We boot via the
CD and select to scan the MBR and all the discs ( only one disc in the VM
is present). The scan discoveres 42 malware threats (see figure 21). The
discovered threats can be viewed, but not much information is available. It
only states that files that could not be removed, would be renamed. When
we restart the pc, we see that some files (both rar and exe files) got the
extension .virus and one file has no more extention.
Figure 21: F-Secure Rescue Cd scan results
Summary We provide a comparison summary of the automated tools used
in this section.
Rogue software In this paragraph we specifically install rogue malware
and try to remove it, first manually, next by using an anti-malware program.
We install Intelinet Smart Security 3.1.0. We run the software and it
performs a fake scan, which detects all kinds of problems (see figure 22).
When we try to fix these “problems”, we are redirected to a website which
offers us the full version + extended download service for 49.96 EUR (see
figure 23). We try to remove the program via the remove installed program
from the Control Panel, but the rogue software is not listed there! There
is however an uninstaller in the programs folder. We run HiJackThis and
26
discover two Intelinet entries, which we delete and are required to restart
the OS.
Figure 22: Intelinet
27
Figure 23: Rogue security software website
We run Ad-Aware and discover that there are still 11 traces left of the
Rogue Security Program (see figure 24).
28
Figure 24: Ad-Aware scan after installation of rogue security software and
manual removal attempt
5.1.3
real-life infection
The next case is a real-life infection on a Windows 7 Professional machine
with service pack 1. When entering a string in the URL filed that is not a
URL, the page redirects to mywebsearch. We first try a manual removal approach of the malware. We uninstall the toolbar “TelevisionFanatic”, which
we claim is responsible for the malware infection, via the control panel, remove software option. Not surprisingly this only removes the toolbar in the
browser and not the redirect to mywebsearch which occurs in both Microsoft
Internet Explorer and Mozilla Firefox. We install an run HiJackThis and
perform a scan. The first line looks suspicious (see figure 25), which sets
the internet explorer start page to mywebsearch, we remove this line with
some other office plugins that are not necessary. We open regedit next and
search for “mywebsearch”, we find two register entry folders connected to
the mywebsearch malware (see figures 26 & 27). We delete these two folders,
after which we open Internet Explorer and Firefox to test the efficiency our
approach thus far. Internet Explorer seems to be malware free, but the problem still persists in Firefox. Finding no “shady” entries in the HiJackThis
scan anymore, we opt to reinstall firefox, deleting all personal date (having exported the bookmarks beforehand). After the reinstall, Firefox does
not show any signs of infection anymore. We next search the registry for
29
“TelevisionFanatic” and find again two folders with register entries, which
we also delete (see figures 28 & 29).
Figure 25: HiJackThis
30
Figure 26: mywebsearch
31
Figure 27: mywebsearch
32
Figure 28: TelevisionFanatic
Figure 29: TelevisionFanatic
33
5.2
Ubuntu 12.04 LTS
We run the malware we retrieved previously ( see section 3.2.1) by executing
a script ( see figure 30). We get a lot of errors, and it seems that one of the
malicious files keeps running, so we abort it and run all the malware except
for that flie again.
Figure 30: The script for the uncompressing and execution of the malicious
software
5.2.1
Manual detection
We install and run chkrookit to determine if a rootkit was installed (see figure
31). We get one infection warning ( about inetdconf) and one warning about
the possibility that an LPD worm is installed. The inetd.conf file is created
and contains the following line: ”666 stream tcp nowait root /bin/sh” which
adds a shell prompt to port 666. When we run chkrookit on a clean system,
no warnings are issued.
34
Figure 31: Chkrootkit alerts that a LPD worm was possibly installed
We install and run rkhunter to look for rootkits, backdoors and exploits.
During the run we have to conform to continue if one part of the scan is
completed. The scan results in 8 warnings, the reason for these warnings
needs to be checked in the logfile (see figure 32 for a list of the warnings and
a check summary).
35
Figure 32: rkhunter log warnings for an infected system
When we run rkhunter on a clean system, we get 4 types of the warnings
we also saw on the infected system (see figure 33, but sometimes with less
entries, like for the hidden file warning.
36
Figure 33: rkhunter log warnings for a clean system
While these are great tools for detecting if your systems is compromised,
no solution is provided to get rid of the malware.
5.2.2
Automated removal
We install Avast for Linux. Before the installation we get a warning that
the package of avast is of bad quality because it does not provide a valid
installed-size control field, which is part of the Debian Policy. We ignore
the warning and finish the installation. We however have to change the
maximum size of a SHM memory block, before we can run Avast (see figure
34). The first time we run, we enable the “test archives” option and the
trash with malware exe files is not emptied. Viruses were found and were
moved to chest. We scan again, but this time disable the scanning of archives
and empty the trash beforehand. No infected files were found.
37
Figure 34: Change size of shm block
We install ClamTk and check for updates. Only the GUI is out of date,
but no automatic update is offered. We check the preferences and check off
all boxes, for maximum detection (see figure 35). We perform a recursive
scan on the whole file system which reports 6 threats. These threats seem
to be present in the cache of the browser. We successfully quarantine all
threats (see figure 36) and remove them afterwards.
38
Figure 35: ClamTk preferences
Figure 36: ClamTk quarantine
We install another anti-malwar program named BitDefender Antivirus
Scanner for Unices, which is freely available for home users after requesting
a free license. We update the key to switch from trail version to the free
version for Unices. After a full scan, BitDefender reports 564 infected items,
which are all the malware installation files (the ones in the linux malware
directory and the ones in the trash. These are all quarantined. BitDifender
39
does however report 845 I/O erros.
Figure 37: BitDefender
When we restart Ubuntu, we see that there is an extra user account,
named “kork” available that does not require a password. However when
trying to log in, it reverts to the login screen. We revert back to a state
where the malware is installed, but no anti-malware program has run yet.
We restart the system and try to log in on the “kork” account, but with the
same result, no login via that account is possible.
40
6
6.1
Troubleshooting
Finding malware
With most people trying to get rid of malware, a big industry has grown
around the removal of malware. When searching for malware on the internet,
numerous anti-malware programs are proposed. Although not all of them
are trustworthy ( think of rogue anti-malware software), it seemed not so
easy to find malware samples. Who would want to voluntarily download
malware? In our opnion only people who do research on how to get rid of
them and people with the intent to create or spread malware. Since the
sources to find malware to test are scarce, the ones that do exist have to
limit their network traffic and often require the exact name or MD5 hash
of the virus in order to download it. An easier way for a windows machine
is to find a listing of malicious websites and visit them to get infected with
malware. For Linux however, these listings are scarce.
6.2
VM problems
To be able to repeatedly test the same case with different software, we used
snapshot function in VMware Workstation, this creates however large files,
varying from 200MB to 12 GB, depending on what was changed. This
created problems on the quite small logic partition on the disc, that was
created to host the VM files. An entry to save the files in a different place
was added to the configuration file of the VM and a Symbolic link was
created to be able to host some of the files on a different partition. However,
not all files were saved on the new disk and a manual move of the files was
required.
7
Comparison
We now compare the different tools available for malware removal and detecting in windows 7 and Ubuntu 12.04
7.1
Manual removal
For Windows 7 a lot of tools are available which can aid in the detection
and removal of malware. One example of this is HiJackThis which we used
a lot. It is however not always very clear which entries need fixing. Other
tools like, Process Monitor flood you with a lot of date, which you can filter
ofcourse, but you need to know what to look for.
41
For Linux ( in our case Ubuntu 12.04) the chkrootkit and rkhunter specifically tell you if something is wrong and they only take about a minute to
run. You are exactly told what the problem is (e.g.: file is overwritten). It
is however not clear how one should react on this, the tools itself do not
provide solutions, they just analyze.
7.2
Automated removal
Since only a small number of (known) malware is available for Ubuntu, it
is not easy to compare the tools to remove the malware. Some of the antimalware software was harder to install then on a Windows 7 machine, but
that is probabely due to our limited experience with Linux. Due to the fact
that Windows machines have to cope with a large malware threat, more
anti-malware software is available (or at least marketed). The anti-malware
software does not really seem to focus on the properties of a Linux OS. The
extra user accounts were never erased while password free user accounts are
not allowed in Ubuntu.
Automated removal tools seem to be more reliable than manual removal
methods in the hands of a novice user (concerning malware removal). They
are however not prefect. We would recommend to use manual removal methods in combination with automated removal tools. We also give preference
to a bootable anti-malware program (like a rescue cd) in combination with
real-time protection.
8
Conclusion
Both for Windows 7 and Ubuntu 12.04 numerous anti-malware software is
available. Some of these programs focus on detection and manual removal
while others are automated. Due to the limited amount of known malware
for Linux, the anti-malware programs for Linux seem in our opinion less specialized for Linux itself. The rise in malware targeting Linux could become
a real problem in the future, even more because not a lot of users realize
that they might need to install some anti-malware software.
Manual removal tools can most certainly aid in the removal of malware,
but unless you are an expert, we would recommend to always use them
in combination with automated removal tools. We would recommend a
bootable anti-malware program in combination with a program that offers
scanning and real-time protection.
42
References
Barwinski, M., cynthia Irvine, and Levin, T. (2006). Empirical study of drive-by-download
spyware.
Nasir, A. S. (2011). Manual removal of malware - is it still relevant? International Journal
of Research and Reviews in Information Security and Privacy, 1:6–10.
Schwabach, A. (2006). Internet and the law: technology, society, and compromises. ABCCLIO.
Skoudis, E. and Zeltser, L. (2003). Malware: Fighting Malicious code. Prentice Hall PTR.
Spaffor, H., E. (1990). Computer viruses - a form of artificial life?
Purdue University.
Technical report,
Tanenbaum, S., A. (2009). Modern Operating Systems. Pearson Prentice Hall, 3rd, edition.
43