Do we depend too much on antivirus and antispyware software when attacking malware?
I spent a fair few hours this weekend helping out a fellow MVP by using VNC to remotely clean up his client's laptop which was showing signs of being infected with malware/adware - our primary concern was trying to assess what was on the PC, and whether the system may have been infected with a rootkit. Depending on our findings, we also had to look seriously at whether the client's corporate network may have been compromised.
We approached this task from a perspective of the MVP and his team having run Trend Antivirus and Microsoft Antispyware to see if anything was detected. The primary symptom they were trying to fix was Internet Explorer starting up at random with the page pre-populated by a porn site.
Trend and Microsoft Antispyware both came up clean, therefore the guys assumed that they needed to call in somebody more experienced (me) to have a look-see on the basis the malware may be new/sneaky/a rootkit. Thankfully this does not seem to have been the case.
Compared to some machines I have worked on this proved to be quite an easy cleanup - no sign of rootkits, no self-aware malware services, pretty old-fashioned stuff.
So, as per my standard clean-up instructions at http://inetexplorer.mvps.org/tshoot.html, the first thing I do is go to Add/Remove Programs to check for malware. I immediately spot "sexy_blondes_au" which, I think, we can blame for the porn popups.
I also found a downloader trojan (Downloader.Win32.Dluca.b) listed as dxvid, an autosearch hijacker listed as ms1src, and a few other bits and pieces.
I'll be honest; I was very surprised that something as 'in-your-face' as a sexy_blondes_au entry in Add/Remove Programs had not been spotted. As part of our debriefing, my friend made the comment that he hadn't thought to check Add/Remove Programs. He had come to depend on the accuracy of Trend and Microsoft Antispyware and was very concerned that his software did not detect the malware that I found via old-fashioned eyeballing, research and diagnosis. He was also concerned that perhaps he and his team were depending too much on software when checking for malware. I have to agree with both sentiments.
What are the lessons that can be learned from this weekend's events? First, no antivirus or antispyware product is perfect. They can only detect *known* infections, and there is a window of opportunity between a new virus or piece of malware being released and the detection libraries being updated. The chances of an infection going undetected are increased because, for example, random file names are in common use, services and files can be hidden, and rootkits are becoming more common. Also, there have been cases where malware detection has been *removed* from an antispyware product after lawyers became involved - check out the list of lawsuits described on benedelman.org:
As my friend's experience illustrates only too well, we cannot depend on detection software alone. There is no substitute for an in-depth familiarity with what is 'normal' in a Windows PC. At the very least, anybody who wants to succeed in the fight against malware needs to get to know the standard services that run on a PC by getting up close and personal with services.msc or msconfig. They need to become familiar with the Windows registry and learn about all the autoload locations that may be used by malware. They need to learn what to eyeball, and when, and how to take advantage of non-spyware specific reporting and analytical software such as Rootkit Revealer, Silent Runners, Autostart Revealer and Advanced Process Manipulation. And most importantly they must ensure that they don't forget the basics (like add/remove programs) ;o)
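The post's point is that Add/Remove Programs, the Run keys and the services list are things a responder should eyeball by hand rather than trust a scanner to flag. As an added example (this is not the author's script or any of the tools named above), the PowerShell below reads the same registry locations that Add/Remove Programs and the Run/RunOnce autostarts are built from, lists services whose binary lives outside the Windows directory, and prints whatever is not on a hand-maintained allowlist. The allowlist patterns are constructed placeholders; populate them from a known-clean build of your own standard image. The usual caveat applies: a rootkit that hides registry keys or services from the Windows API hides them from this script too, which is exactly why the post also points at Rootkit Revealer.

```powershell
# Added example, not from the original post: enumerate the places the post says
# to check by hand (Add/Remove Programs, Run/RunOnce autostarts, services) and
# surface entries that are not on a known-good allowlist.

# Constructed placeholder allowlist; replace with names from a clean reference build.
$Allowlist = @(
    'Microsoft .NET Framework*',
    'Trend Micro*',
    'Microsoft AntiSpyware*'
)

# Add/Remove Programs is simply a rendering of these Uninstall keys.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# The most common per-machine and per-user autoload locations.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-Allowed {
    param([string]$Name)
    foreach ($pattern in $Allowlist) {
        if ($Name -like $pattern) { return $true }
    }
    return $false
}

# One object per installed-program entry, keyed on DisplayName (or the key name if absent).
$installed = foreach ($key in $UninstallKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Source    = 'AddRemove'
                Name      = if ($p.DisplayName) { $p.DisplayName } else { $_.PSChildName }
                Command   = $p.UninstallString
                Installed = $p.InstallDate
            }
        }
    }
}

# One object per Run/RunOnce value: value name is the entry, value data the command line.
$autostarts = foreach ($key in $RunKeys) {
    if (Test-Path $key) {
        $p = Get-ItemProperty $key
        $p.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |   # drop the provider's own PSPath etc.
            ForEach-Object {
                [pscustomobject]@{
                    Source    = $key
                    Name      = $_.Name
                    Command   = $_.Value
                    Installed = $null
                }
            }
    }
}

# Services whose executable is not under the Windows directory deserve a second look.
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notlike '*\Windows\*' } |
    ForEach-Object {
        [pscustomobject]@{
            Source    = "Service ($($_.StartMode)/$($_.State))"
            Name      = $_.Name
            Command   = $_.PathName
            Installed = $null
        }
    }

$suspects = @($installed) + @($autostarts) + @($services) |
    Where-Object { -not (Test-Allowed $_.Name) }

# Newest installs first: on a freshly infected box the malware is usually the most recent entry.
$suspects | Sort-Object Installed -Descending | Format-Table Source, Name, Command -AutoSize
```

Run it from an elevated prompt so the HKLM hives and every service are readable, and treat the output as a worklist for research rather than a verdict: the script does no detection of its own, it only removes the known-good noise so that an entry like the one the post describes cannot hide in a long list.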