Tuesday, November 6, 2012

Is your anti-virus completely cleaning?

The question that was posed to me was whether or not to re-image an infected system. Anti-virus was reporting that the system's infected files had been cleaned and/or deleted. Why should I have to re-image the system if my anti-virus is telling me that the system is clean?

This sparks the debate “re-image or not to re-image” after infection. Re-imaging a system is time consuming and costly, and it means lost revenue and work product. The positive side of re-imaging is that it removes the chance that your anti-virus product did not fully clean the system after infection.

The question might boil down to: how lucky do you feel?

The recommendations of leading industry organizations have not completely sided one way or the other. The US-CERT document (http://www.us-cert.gov/reading_room/trojan-recovery.pdf) indicates in paragraph 5 “If the previous step failed to clean your computer, the most effective option is to wipe or format the hard drive and reinstall the operating system.” The previous steps are to run an anti-virus program on the infected system using a live compact disc. This is far from coming out and recommending re-imaging all the time after an infection.

The open source ClamWin Free Antivirus software (http://www.clamwin.com/content/view/146/27/) does go as far as to say, in one of the steps that should be taken after an infection, “Perform a clean install of Windows – a format of the drive *should* be completed.”

The National Institute of Standards and Technology (NIST) Special Publication 800-83 (http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf) Guide to Malware Incident Prevention and Handling states “Because rebuilding a host is typically more resource-intensive than other eradication methods, it should be performed only when no other eradication method or combination of methods is sufficient.”

I recently came across a virus on a system, and by using time and date analysis from log entries I was able to narrow down the virus to a file, specifically a compressed file with no extension. It turned out the file was from a Java drive-by download. The system had a current anti-virus solution, McAfee. After hashing the file I wanted to find out why McAfee didn’t catch it. Virustotal.com has McAfee within its depository of anti-virus scanning programs. I hashed the suspicious compressed file and searched the Virustotal.com database to see if it had been scanned previously. The following were the results:




It turns out that McAfee doesn’t catch it. I also noted the submission date and it was quite recent. I wasn’t shocked so much to learn that McAfee didn’t catch it as by the question of how much more McAfee misses, or for that matter the rest of the anti-virus solutions available to the public.

In searching for documentation about anti-virus solutions’ success rates I discovered Mandiant’s report called M-Trends the Advanced Persistent Threat (APT) (http://www.mandiant.com/products/services/m-trends). In it Mandiant states “When MANDIANT discovers new APT malware, we scan it with the anti-virus and antimalware programs that most organizations use. Of the samples we discovered and examined, only 24% of all the APT malware was detected by security software.” It was enlightening, to say the least, that 76% of malicious software gets past anti-virus solutions.

I then decided to test this claim. While surfing the internet for anti-virus solutions I came across a pretty convincing Fake Anti-Virus (FakeAV) ad. Now the image is clearly from the web browser Firefox but the window appears to be from a Windows Explorer environment. This obviously is to confuse the less sinister minds that are not in the know as to malware coders’ intentions. The screen starts out appearing to scan my computer for viruses, when it really is not, and conveniently discovers numerous infections denoted by the fake Windows Security Alert.






If the user clicks “remove all” a download window appears, and if the user clicks on the “X” to close the window the download window also appears. This is with the Firefox web browser; with Windows Internet Explorer, the option to run the program appears in the download window.




So I decided to hash the executable and see if Virustotal.com had any info on this file.  Turns out there was no information in their database.




So the next course of action was to upload the executable to see if other anti-virus solutions catch it. Come to find out, 23 out of 40 anti-virus solutions recognize this executable as FakeAV malicious software. Some particular vendors I would have thought should have picked this up, but didn’t, were ClamAV, McAfee and Microsoft. Norton Anti-virus is not a part of the listed software tools within Virustotal.com but it too did not recognize this as malicious.



We’ve established that anti-virus solutions detect only a fraction of the malicious software that is out in the wild.

Now back to the question: of the malicious software that it does detect, will it clean, delete, and/or remove all of the malicious software installed or registry changes that the software makes? So I conveniently have my own personally built trojan. Prior to installing the malicious program, InCtrl5 was run on the malicious software to record all the changes made without the anti-virus product installed and the report saved for comparison. I then made sure McAfee was up-to-date on its virus definitions and launched the malicious program within VMWare. First the McAfee firewall asked if it could access the internet and I authorized it to do so. After being infected I started a full scan.

It’s not my purpose to just pick on McAfee’s anti-virus solution. I also picked on Norton. That being said, is it the anti-virus solution’s fault for not finding all malicious software? The answer is emphatically no. Anti-virus solutions are only as good as you and I make them. This is evident from Mandiant’s test, in which they only caught 24% of malicious software. As with the FakeAV I received in my example above, it’s your responsibility to help your anti-virus solution out by submitting the executable sample for testing. The anti-virus vendors will write new code into their virus signatures to catch those malicious programs. Remember, anti-virus programs are tools, and you don’t have just one tool in your toolbox.

The scan detected 57 issues and 8 were already quarantined.






After manually removing all the items, two appear as not removed: slimftpd and radmin.




After a reboot McAfee discovered that we had told it to remove slimftpd and it again confirmed its removal.




Let’s see what wasn’t removed. Since I made the trojan I conveniently know the backdoors created. My trojan installed RAdmin but McAfee reported that it was not able to remove it. I set the RAdmin port as 136, which appears operational. The point here is that its removal wasn’t automatic.










Additional unseen issues actually deal with the Windows operating system default programs. It’s difficult to determine what else was added or removed, to include registry changes. Here we see additional accounts were created. Which ones are legitimate? “_” is the default created administrator account with the name changed. “Guest” is default. “HelpDesk” is not default. “HelpAssistant” is default. Further detailed inspection reveals the HelpDesk account was given admin privileges. Checking the default account HelpAssistant, lo and behold, that account was also changed to have admin privileges.







I also noticed that port 3389 was open on the system. What program uses that port? Remote Desktop. These accounts could be used to access the system with admin privileges. Additionally, port 25 appears open and is an open SPAM relay. There are numerous registry changes that were made, to include delayed starting actions. Now McAfee caught a majority of the items and removed them, but not all.
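One way to repeat this check after any "cleaned" report is to diff the host's listening ports and Administrators membership against a known-good baseline. This is an added example, not part of the original post: the `netstat -ano` and `net localgroup Administrators` text is constructed sample output (PIDs, addresses and baseline ports are assumptions), and the function names are hypothetical.

```python
import re

# Constructed sample command output modelled on the findings in this post.
# BASELINE_* = known-good image; AFTER_* = same host after AV reported "cleaned".
BASELINE_NETSTAT = """\
  TCP    0.0.0.0:135     0.0.0.0:0     LISTENING    904
  TCP    0.0.0.0:445     0.0.0.0:0     LISTENING    4
"""
AFTER_NETSTAT = """\
  TCP    0.0.0.0:25      0.0.0.0:0     LISTENING    1820
  TCP    0.0.0.0:135     0.0.0.0:0     LISTENING    904
  TCP    0.0.0.0:136     0.0.0.0:0     LISTENING    1764
  TCP    0.0.0.0:445     0.0.0.0:0     LISTENING    4
  TCP    0.0.0.0:3389    0.0.0.0:0     LISTENING    1012
  TCP    10.0.0.5:1045   10.0.0.9:80   ESTABLISHED  2100
"""
ADMINS_HEADER = "Alias name     Administrators\nMembers\n\n" + "-" * 79 + "\n"
ADMINS_FOOTER = "The command completed successfully.\n"
BASELINE_ADMINS = ADMINS_HEADER + "_\n" + ADMINS_FOOTER
AFTER_ADMINS = ADMINS_HEADER + "_\nHelpAssistant\nHelpDesk\n" + ADMINS_FOOTER

def listening_ports(netstat_text):
    """TCP ports in LISTENING state, parsed from `netstat -ano` output."""
    pattern = re.compile(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\b")
    return {int(m.group(1)) for m in map(pattern.match, netstat_text.splitlines()) if m}

def group_members(net_localgroup_text):
    """Member names listed below the dashed rule in `net localgroup <group>` output."""
    lines = [line.strip() for line in net_localgroup_text.splitlines()]
    rule = next((i for i, line in enumerate(lines) if line.startswith("-----")), None)
    if rule is None:
        return set()  # unexpected format: report nothing rather than header text
    return {line for line in lines[rule + 1:]
            if line and not line.startswith("The command completed")}

def residue(baseline, after):
    """Items present after cleaning that the known-good baseline never had."""
    return sorted(after - baseline)

def audit():
    """Compare the constructed post-clean state with the constructed baseline."""
    ports = residue(listening_ports(BASELINE_NETSTAT), listening_ports(AFTER_NETSTAT))
    admins = residue(group_members(BASELINE_ADMINS), group_members(AFTER_ADMINS))
    return {"new_listeners": ports, "new_admins": admins}

if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {items}")
```

Anything the diff reports is a change the scan left behind, regardless of what the scan summary said.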



So the point is made: when an anti-virus solution says it has cleaned the system of a malicious program, that is probably true, minus the items that were missed. The program hopefully does not go as far as to say that the system is free of malicious programs, because this is probably not true.

The above point is to emphasize that if a system does become infected with any virus it is imperative that the system be re-imaged to ensure the system is cleaned with a known good operational load, patched, and returned to service.



Update 12 Nov 2010
Received a response back from Symantec.  Note the Developer Notes at the bottom.

Update 19 Nov 2010
Additional regulation findings of interest.  Thanks Dave Baker, Mitre.org

SANS.org Incident Handling Small to Medium Enterprise (http://www.sans.org/reading_room/whitepapers/incident/incident-handling-smes-small-medium-enterprises_32764)

para 2.4 Eradication “Once the cause has been determined, the system can be rebuilt from a known good backup copy of the system. If no backup can be found, then the system must be reinstalled from scratch (including the OS!).”

para 2.5 Recovery “In the recovery phase, operations return to normal. The system has either been rebuilt from scratch or rebuilt from a backup, and it is ready to be validated for production. This includes verifying the system is secure and will not fall prey to the same or similar attacks once it has been put online.”