Removing malware from an infected PC - battling antivirus programs

As a consultant, I'm occasionally called on to remove malicious software (malware) from infected Windows computers. A recent case offered a stark example of something well known to techies: no anti-malware software is perfect.

VirusTotal.com has previously provided examples of just how imperfect antivirus software is. VirusTotal is a great website that lets you upload a suspicious file for scanning with over 30 anti-malware programs. A few times, just for the heck of it, I had VirusTotal test some malicious email attachments. The detection rate was always low. Anyone who ran these malicious EXE files, the day I got them, could have been infected even if they were running up-to-date antivirus software.  

AutoRuns

Much of today's malicious software defends itself well, so my first step in cleaning up an infected copy of Windows is to try to prevent the malware from running in the first place. To this end, I'm a big fan of the free, portable AutoRuns program from Microsoft (see below).

(Screenshot: AutoRuns program from Microsoft)

The good news is that AutoRuns displays a huge, comprehensive list of auto-started programs and lets you prevent a program from automatically starting by simply unchecking a box. The bad news is that you have to be well schooled in the internal architecture of Windows to know which programs are legitimate. Still, some programs give themselves away as being malicious, either by their name, their location or their lack of self-identifying information. 

This machine had some well defended malware. Even after using AutoRuns to prevent the obvious malware from auto-starting and then rebooting, it remained infected. Specifically, it had suspicious BHOs. A Browser Helper Object is a type of program that lives inside Internet Explorer and Windows Explorer. Even if it doesn't run automatically at system startup, it will run the first time either of these two programs runs.
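The article's rule of thumb for reading an AutoRuns listing (a program gives itself away by its name, its location, or its lack of self-identifying information) can be turned into a repeatable triage pass over a saved export. The following is an added example, not code from the article or from Sysinternals. It assumes the listing was exported to CSV with the command-line autorunsc tool and that the column names used here ('Entry Location', 'Entry', 'Category', 'Description', 'Signer', 'Image Path') and the "(Verified) ..." signer convention match the AutoRuns version in use; the sample rows, paths and the BHO CLSID are constructed placeholders. Unsigned Browser Helper Objects get an extra point because, as the text notes, they run as soon as Internet Explorer or Windows Explorer starts.

```python
"""Triage an AutoRuns CSV export for entries worth a closer look.

Added example: not from the original article and not Sysinternals code.
Assumptions (labelled here and in the lead-in): the CSV header names below
and the "(Verified) <publisher>" convention in the Signer column match the
AutoRuns build used to produce the export.  SAMPLE_CSV is constructed.
"""
import csv
import io
import re

# Constructed sample shaped like an autorunsc CSV export (subset of columns).
# Placeholder paths and CLSIDs; none of these rows come from a real machine.
SAMPLE_CSV = r"""Entry Location,Entry,Category,Description,Signer,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SynTPEnh,Logon,Synaptics TouchPad Enhancements,(Verified) Synaptics Incorporated,c:\program files\synaptics\syntp\syntpenh.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,wcfxsvc,Logon,,,c:\documents and settings\user\local settings\temp\wcfxsvc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects,{AAAAAAAA-0000-0000-0000-000000000001},Explorer,,,c:\windows\system32\example_bho.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects,{AAAAAAAA-0000-0000-0000-000000000002},Explorer,Example PDF Link Helper,(Verified) Example Vendor Inc.,c:\program files\example vendor\pdfhelper.dll
HKLM\System\CurrentControlSet\Services,Dhcp,Services,DHCP Client,(Verified) Microsoft Windows,c:\windows\system32\dhcpcsvc.dll
"""

# Directories where legitimate auto-started software rarely lives.
_SUSPECT_DIRS = re.compile(
    r"\\(temp|tmp|local settings|application data|appdata|recycler|\$recycle\.bin)\\",
    re.IGNORECASE,
)


def _signed(signer: str) -> bool:
    """True when AutoRuns verified the image's Authenticode signature (assumed convention)."""
    return signer.strip().lower().startswith("(verified)")


def score_entry(row: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one AutoRuns row; higher means more suspicious."""
    score, reasons = 0, []
    signer = row.get("Signer") or ""
    description = (row.get("Description") or "").strip()
    path = row.get("Image Path") or ""
    location = row.get("Entry Location") or ""

    if not _signed(signer):
        score += 2
        reasons.append("image is not signed by a verified publisher")
    if not description:
        score += 1
        reasons.append("image carries no description (no self-identifying version info)")
    if _SUSPECT_DIRS.search(path):
        score += 2
        reasons.append("image lives in a temp or user-profile directory")
    if "Browser Helper Objects" in location and not _signed(signer):
        score += 1
        reasons.append("unsigned BHO: loads inside Internet Explorer / Windows Explorer")
    return score, reasons


def triage(csv_text: str) -> list[dict]:
    """Parse an AutoRuns CSV export and rank entries, most suspicious first."""
    reader = csv.DictReader(io.StringIO(csv_text))
    results = []
    for row in reader:
        score, reasons = score_entry(row)
        results.append({
            "entry": row.get("Entry", ""),
            "location": row.get("Entry Location", ""),
            "image": row.get("Image Path", ""),
            "score": score,
            "reasons": reasons,
        })
    return sorted(results, key=lambda r: r["score"], reverse=True)


def suspicious(csv_text: str, threshold: int = 2) -> list[dict]:
    """Entries scoring at or above the threshold: the ones to research before unchecking."""
    return [r for r in triage(csv_text) if r["score"] >= threshold]


if __name__ == "__main__":
    for r in triage(SAMPLE_CSV):
        flag = "SUSPECT" if r["score"] >= 2 else "ok     "
        print(f"{flag} [{r['score']}] {r['entry']:<45} {r['image']}")
        for reason in r["reasons"]:
            print(f"            - {reason}")
```

A high score is a prompt to research the entry (publisher, file properties, known-good lists), not proof of malice: plenty of legitimate but sloppy vendors ship unsigned binaries with no version resource, which is exactly why the article says you need to know Windows internals before unchecking boxes. To run it against a real export, replace SAMPLE_CSV with the contents of the file autorunsc wrote.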

Rootkits

Before using standard anti-malware software I like to first scan an infected machine with anti-rootkit software. Rootkit malware is the hardest to detect because it does a great job of hiding. Normal anti-malware software can't detect or remove something it can't see.

The rootkit detection programs that I used were both portable. That is, they are totally self-contained and don't need to be installed. Thus, they can be downloaded on a clean machine and run on the infected machine using a USB flash drive.

In this case I started with Blacklight from F-Secure, which said the machine was not infected with a rootkit.

But then, I ran the GMER rootkit detector, which warned of hidden files and a hidden service. I had GMER remove these, rebooted and scanned with it again. This time too, it found a hidden file and service. Again I had it remove things, rebooted and re-scanned. Finally, it came up clean.

For more on free rootkit scanners see Top free tools for rooting out rootkit spies by Scott Spanbauer.

Malwarebytes' Anti-Malware   

The first normal anti-malware program that I scanned the machine with was Malwarebytes' Anti-Malware (MBAM) which has become my favorite anti-spyware program.  The free version of MBAM detects and removes malware, but has to be run and updated manually. The paid version runs constantly in the background and prevents malware infections.

(Screenshot: Malwarebytes' Anti-Malware)

I started using MBAM only recently and, not being a lab, had no way to judge its effectiveness. But I ran across an obviously malicious file while working on another infected computer recently, and sent the file to VirusTotal where not one of the antivirus programs flagged it as bad. But, MBAM knew it was malicious.  

Back to the computer in question, I downloaded the latest version of MBAM on another machine and then installed it on the infected machine using a USB flash drive. The reason for the flash drive was that I was afraid to connect the infected computer to my LAN until it had been, at least, somewhat cleaned up.

Often, when you download anti-malware software, it includes ancient signatures/definitions/patterns. Thus, until the first update, the software is very limited in what it can detect and remove. Not so with MBAM. On January 5, 2009 the newly downloaded version of the software shipped with "fingerprints" from December 3, 2008.

These month-old malware fingerprints were good enough for MBAM to detect and remove over 100 infections. After it removed what it could, I re-booted the machine and ran a second full scan with MBAM just to be sure. Nothing had returned.

At this point, I connected the suspect computer to my LAN and downloaded the latest MBAM updates which included an update to the software itself, from version 1.31 to 1.32. A full scan with the latest and greatest copy of MBAM found about 40 or so additional infections.  

But this was just the beginning.

Malwarebytes' Anti-Malware is not an all-inclusive anti-malware program. It is intended to be run in conjunction with classic antivirus software. Marcin Kleczynski, the man behind the product, commented on this by email:

Our biggest priority is always to detect what common anti-virus software fails miserably to detect -- these are usually the polymorphic Trojans that are a pain to pick apart. We then focus on samples that are less of a priority because of their large detection rates ... 
Multiple Antivirus Programs

Thus, I next ran four antivirus programs and this is where things got interesting.

I started with the free online NOD32 scanner from Eset. While some online antivirus scanners only detect malicious software, and use that as a selling point, the NOD32 scanner will remove anything it finds. In this case it found a handful of infections and removed them.

Next, I ran the BitDefender online scanner which also removes the malicious software it finds. It found and removed about 20 infections.

The last online scanner that I used was from Kaspersky. It gave the machine a clean bill of health, so I thought I was done.

But, the machine had no antivirus software installed. So, with the owner's consent, I installed Avira's AntiVir, my favorite among the free antivirus programs.

A full scan with AntiVir turned up another dozen "detections".

In old restore points, it found multiple instances of the Drop.Softomat.AN Trojan and a single copy of the Trash.Gen Trojan. This was my fault; I should have removed the old restore points earlier in the process (in Windows XP you do this by turning off the System Restore feature on all drives and then re-enabling it). AntiVir also found the Dldr.Monkif.B.1 Trojan living in the C:\Windows\system32 folder (file mst120.dll).

Conclusions

Despite knowing up-front about the fallibility of anti-malware software, it still hits home to see it so starkly. This is not meant as a knock on any particular product; I'm sure that if I had run the four antivirus programs in a different sequence, each one would have found something the previous ones had missed.

The only conclusion that I think is fair to draw is that, among the free antivirus programs, Avira's AntiVir is a good choice. It found a dozen infections after three competitors had their crack at it.

Then again, this may have all been a waste of time. Although the owner of the computer reported afterwards that it was again working normally, the operating system may still be infected. Had I thrown another antivirus program or two at it, additional malware might have turned up.

Malware can be so hard to remove that walking away from an infected copy of Windows and, instead, restoring a known clean copy (such as the factory fresh state) will often be the right approach.

To that end, this blog will cover disk imaging in the near future.

Copyright © 2009 IDG Communications, Inc.
