
Re: [LUG] Windows help - recovery disk recommendations

 


From: tom <tompotts@xxxxxxxxxxxxxxxxxxxxxx>
To: list@xxxxxxxxxxxxx
Sent: Thursday, 10 November 2011, 16:11
Subject: Re: [LUG] Windows help - recovery disk recommendations

On 10/11/11 12:21, Keith Abraham wrote:
> On 10/11/11 10:55, tom wrote:
>> Friend with XP thinks he has something deleting files on his system.
>> He's turned it off but where do we go from here?
>> Any advice welcome...
>> Tom te tom te tom
>>
>>
>
> I've done all of the following at one time or another.
>
> Easiest method is to hope the user has set a System Restore Point and go back to that. i.e. Start/All Programs/Accessories/System Tools/System Restore.
>
> Failing that reinstall.
>
> OR
>
> Boot into SystemRescueCD (google for it) or any linux livecd with clamav on it.
>
> run clamd and then freshclam (ensures clam database is up to date)
>
> run fdisk -l and note the boot partition marked with an asterisk (e.g. /dev/sda1)
>
> as root type:
>
> cd
> mkdir -p /mnt/windows
> mount /dev/sda1 /mnt/windows
> (/dev/sda1 is the partition labelled with the asterisk and it's now mounted as /mnt/windows)
>
> cd /mnt/windows
>
> now run clamscan -irv --remove /mnt/windows
> (this will scan all files and show a summary) This step is where the expertise comes in. If an infected file is found you'll be prompted to remove it, yes or no. If the file is a system file then it's probably easier to go into Safe Mode, back up user data, format and reinstall; else just remove the file.
>
>
> And
>  Educate the user about security.
>
> Keith
>
>
Thanks for that - the user is normally ok with security but was talking to BT on the phone about something yesterday and omitted to turn his firewall back on after accidentally turning it off and got hacked almost immediately.
Tom te tom te tom

-- The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq


This is good advice, but clamav and system restore aren't going to help much if he's been unlucky enough to catch any of the more recent APT/rootkits that are floating around the internet these days - the only way to be sure is to remove user files, scan them on another machine and nuke the box. Restore them to a fresh install afterwards. System Restore points are a favourite place to stash respawning rootkit files and unless you're a very confident registry hacker, they're just going to come back again.

If nuking/reinstalling isn't an option, the only way is to follow forensics procedure: create a blank VM in the tool of your choice (vmware, virtualbox or preferably kvm - use libguestfs to manipulate the VM) and boot both the fresh VM and the target machine with a live distro - Keith's recommendation of SystemRescueCD is a good one. Attaching the removed disk via write-blocker works too, and is quicker. Use dd to clone the infected disk(s) through a ssh/netcat/whatever tunnel and now you have a sandboxed virtualized copy of the compromised system to analyse and disinfect with whatever tools you are comfortable with. On the virtual network segment you can then analyse the malware's traffic with wireshark, tcpdump, ratproxy and friends and fingerprint it so you know what you are dealing with and manually clean up. Snapshot the VM frequently so you can step through all the stages of your work. When done, dd the image back to the target and have sysprep at the ready because Windows will need some drivers restored and will potentially require reactivating.

This is the *only* way to be sure. If this is just too much time/effort, the 99% effective slacker method is to just run combofix.exe in safe mode on the victim machine and be done with it but then the user will have to live with the fact that he may still be screwed because it won't catch the worst and newest infections, and they're the ones you really have to worry about...

Cheers,

Mat
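The imaging step Mat describes (dd the suspect disk to a clean machine, then work only on the copy) and the offline clamscan step Keith describes are easy to get subtly wrong: an image that was never hashed against its source proves nothing, and dd's usual conv=noerror,sync advice silently pads the image unless the input block size matches the sector size. The following is an added example, written for this thread and not code posted by either of them, showing the imaging done with a recorded source hash and a verification step; device paths, hostnames and mount points are placeholders, and the root-only mount and scan commands at the end are shown as comments rather than run.

```shell
#!/bin/sh
# Added example (not from the original thread): image a suspect disk with dd,
# record a SHA-256 of the source, and refuse to trust the image until it
# hashes to the same value. Paths and hostnames are placeholders.

# image_disk SRC DEST
#   Copy SRC (normally a block device such as /dev/sda, read from a live CD
#   or behind a write-blocker) to the file DEST and store the SHA-256 of SRC
#   beside it. conv=noerror,sync carries on past unreadable sectors and
#   zero-fills them instead of aborting; the padding is done per *input*
#   block, so ibs stays at the 512-byte sector size (a healthy disk then
#   images byte-for-byte) while obs=4M keeps the writes large and fast.
#   dd's own record counts and any read errors go to DEST.dd.log.
image_disk() {
    src=$1
    dest=$2
    dd if="$src" of="$dest" ibs=512 obs=4M conv=noerror,sync 2>"$dest.dd.log" || return 1
    sha256sum "$src" | cut -d' ' -f1 > "$dest.sha256"
}

# image_disk_over_ssh SRC USER@HOST DEST
#   The same copy streamed to the analysis box (the ssh/netcat tunnel in the
#   text). The hash is still taken from the source on the victim side so the
#   receiving end can be checked independently. Needs a reachable host, so it
#   is not exercised offline.
image_disk_over_ssh() {
    src=$1
    remote=$2
    dest=$3
    dd if="$src" ibs=512 obs=4M conv=noerror,sync 2>"/tmp/$(basename "$dest").dd.log" \
        | ssh "$remote" "dd of='$dest' obs=4M 2>/dev/null" || return 1
    sha256sum "$src" | cut -d' ' -f1 | ssh "$remote" "cat > '$dest.sha256'"
}

# verify_image DEST
#   Succeed only if DEST hashes to the value recorded from the source. Run it
#   before touching the image, and again after any work on a copy of it, so
#   you can show the evidence copy was never altered.
verify_image() {
    dest=$1
    recorded=$(cat "$dest.sha256")
    actual=$(sha256sum "$dest" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$actual" ]
}

# Once the image verifies, work on the copy, never on the victim's disk.
# Everything below needs root on the analysis host and is shown as comments
# rather than run here:
#
#   fdisk -l victim.raw      # note the start sector of the Windows partition
#   mount -o ro,noexec,loop,offset=$((START_SECTOR * 512)) victim.raw /mnt/windows
#   clamscan -ir --log=/root/victim-clamscan.log /mnt/windows
#
# Scanning without --remove keeps the copy read-only: at this stage the aim is
# to identify what is on the disk, not to change it. For the VM route,
# qemu-img convert -f raw -O qcow2 victim.raw victim.qcow2 gives a disk you
# can snapshot between steps, while verify_image on the untouched raw image
# still shows the evidence copy is intact.
```

The point of keeping the hash on the victim side is that a mismatch then tells you which hop corrupted the copy; if the dd.log shows read errors, the mismatch is expected and the log is your record of which sectors were unreadable.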


