Threat Level: green Handler on Duty: Renato Marinho

SANS ISC: "My Computer is Acting Strangely" SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
"My Computer is Acting Strangely"

I'm certain that something like this has happened to you.  You're at work/home/shopping and a friend/coworker/family-member asks/phones/sends-a-telegram to you basically stating: "My computer is acting strangely, do you think I have a virus?"

I had this happen this week so I asked: "describe strange."

So they listed off some symptoms:

  • slow to boot
  • takes a while for the computer to catch up to what you're typing
  • can't get rid of this silly toolbar
  • password to (some service) is no longer working

"Stop right there.  I know what the problem is, you've got (fill-in-the-blank-banking/keylogging trojan,) so you need to rebuild you system."

"Now's not a good time to do that.  Is there anything else you can do?"

"Yes, but I don't recommend it."

What You Should Do

The correct response when suspecting a compromise like this on a non-enterprise device is to simply buy a new hardrive and an external enclosure for you old drive.  Then install fresh, and migrate what you need from the old drive.  It's time-consuming and a hassle (because people invariably install a bunch of things on their systems and forget passwords and license keys, etc.)  But it's the only way to be sure, and it's non-enterprise equivalent to nuking-from-orbit.

What I Did

Becuase I'm sensitive to the realities of life and the solution above does not fit all cases.  I started off with a quick assessment of the device.  Using Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) the slow boot problem was pretty obvious-- there were at least 3 different anti-virus programs running on the system and competing for resources.

Since we agreed that we weren't going to seek prosecution on this incident, "just clean it up and get it working again," I just dove into ripping out all of free/demo AV programs, and some of the other bloatware introduced by the manufacturer.

That fixed the performance issues on the next reboot.  But how do we keep the machine safe?  We picked one AV solution.  I'm a fan of defense-in-depth, but multiple AV programs is no defense-in-depth, it's width... or something... anyway it's not good.  I also recommend an up-to-date browser and if you use Firefox I really, really recommend NoScript(http://noscript.net/), and healthy dose of paranoia when it comes to clicking on things.

Was the System Compromised or Just Over-protected?

So I'm still left wondering if the system had an undetected infection, so I dropped a Redline collection agent (http://www.mandiant.com/resources/download/redline/) on the box  to pull a comprehensive memory analysis.  Before I run the capture, I open the browser and go to my bank's website and I put in bad username/password pair, and then run the capture. 

Golly that takes a while to run (about 2 hours on a 4Gb system, creating 6.5Gb of data.)

After plodding through with Redline and Volatility I haven't uncovered anything yet... yet.

Kevin Liston

292 Posts
ISC Handler
IMO ur describing most typical private customer problem...

My solution to that kind of "problem" is quite straight forward...

1) Registry clean (CCleaner or similar sofware) (fixes quite a lot of slowing problems)...
2) Hijack This (similar tools are found from SysInternals pkg, shows browser hijacks & autoruns)...
3) run cmd (on windows machines services.msc) and if Windows Management Instrumentation Service is running [wmiprvse.exe], just stop the the service and disable it from running [at least on Celeron processors that service is the main cause for slow running]... (All private systems works just fine without that process, I'm not so sure abt corporate OSs... [All knowledge abt that process and its "necessarity" is appreciated...
4) Now those SysInternal tools come handy... Some AV softwares used with certain SW Firewalls cause memoryleak (or are not working properly with each other)... Checking those, [formerly filemon.exe & regmon.exe; nowadays combined tool <some1 might know that tool's name, I haven't used that for ages>..:
5) Next step for me is to run regedit (or similar) and I manually go through the registry (most vulnerable parts of it; HKLM/HKCU all microsoft / windows -related keys...
6) Plug the HDD in question on Linux machine and do AV/Malware scans with every software available over network [Not booting HDD in question with any OS]...

Those are basic performances I do (same things may be done easier / more cost-efficient, I know)...

Toolbars are quite a different thing.... [I just hope that mainly ppl use other browser than IE for their customers]...

At this point (if everything checks clear on possibly compromised system), I just connect it to my SIEM -system -- Networking allowed but questionable system not accessing my LAN, only my SIEM-controlled LAN and Internet... If all shows clear, then I have (little) trust that that system is trully clear...



Teemu

9 Posts
When someone confronts me with those symptoms, I usually perform a similar set of steps to Teemu. I've never heard of Redline, but I'll have to check it out.

CCleaner + winapp2 will clean out a lot of temp files and old data no longer needed, but it also has a set of tools for disabling autoruns, browser plugins, & scheduled tasks. I find it's registry cleaning a little weak, so I use Wise's Registry Cleaner. Then, I download Process Explorer by Sysinternals/MS and go through and look for anything abnormal. I'll also run Malwarebytes to check for anything unusual. I'll also run Secunia PSI and FileHippo's update checker to make sure all their software is up to date.

A good defrag always helps too, since most people never do it. Here's a bitly bundle of most of the software I've mentioned: http://bit.ly/VcLIw4

Depending on what OS they are running, you might have to do more in depth stuff. Win7 is really good with automatically running their own updates, and with Adobe Flash, Chrome, and Firefox now updating w/o user intervention that helps a lot too. I also usually switch their DNS over to OpenDNS and might install McAfee Siteadvisor to prevent phishing & drive by downloads. One other tweaking tool I like a lot is Outertech's Cacheman. It's really meant for XP and older systems, but it still works well. It has a lot of system tweaks that can help speed up the system. I recently read about a tool called xpy that is a tweaking tool, but haven't had a chance to play around with it yet http://whyeye.org/projects/xpy/

Of course, if a system is really fubar'd, I might have to load up a copy of Hiren's BootCD, or run memtest86 or Spinrite depending on the circumstances. From my past work in end user tech support though, I find most people just have way too many things running in the background & have never once run a scandisk or defrag.
pogue

17 Posts
I'm a systems and network administrator by profession and I loath being called by friends to go fix problems caused by their bad clicking habits or just bad-browsing-habits!

One 'friend' in particular was constantly calling on me until it got to the point of becoming irritating! He prompted me to dig deep to find a lasting solution! What I stumbled on was sandboxie. This tool was a **** send as I no longer have to visit his house! In fact, a call to him after a few silent months revealed that he has evangelized sandboxie to his bad-browsing-habits buddies and they are all now practising safe browsing!

As the saying goes:
A sandbox is to browsing what a condom is to **** - **** good protection. Once done with it, you can safely trash it!


Cheers,
ak.
ak2766

1 Posts
I would recommend setting them up to use a non-privileged account whenever/wherever possible. True, it won't stop everything but it will stop a lot of the crud from spreading and doing any real damage.
rand0m

8 Posts
I'm only a believer in the scorched earth approach. With the right tools, and the needed media, it's the surest path to success. 0 day goodies make cleaning tools irrelevant (IMO of course), in terms of being able to ensure that all unwanted software has been removed. If it is a personal request: Pull old drive, install new one. Use external enclosure to migrate critical files. At some point the old drive could be wiped and used for additional storage. Drives are cheap, untying your credit from identity theft is not.

Configure new system with at least two accounts (admin and user). Don't install Java, don't install flash. Turn on the host firewall. Configure updates to run automagically, never leave it up to the user. I do usually install security essentials or Malware bytes or another solution. The folks who come back again and again are the ones who insist in having admin rights for daily use.

I hold virus scanning in very low regard. As long as a user is operating with administrative privileges, there will be very little you can do to protect them at the client level.

At work, we would wipe and re-image. Files stored locally are (by policy and practice) considered disposable.
rand0m
1 Posts
This may be a bit over the top, but I have two friends that were constantly asking me to fix their Windows laptops. After the 3rd time, I asked them what they used their computer for and the response was basically surfing the internet. They only used web based emails, only looked at a few documents (word and pdf) and didn’t play any types of games. With this, I set them up with Ubuntu and Windows dual boot. Told them to use Ubunut for all internet surfing and only use Windows if they truly needed it. Crossing my fingers, but after over a year, I have not had any complaints.
Every month or so while we are hanging out, I’ll do an update and a clamav check. I’m not saying this is a malware free solution but it has certainly reduced the amount of work I’ve had to do to keep them up and running.
rand0m
2 Posts

Sign Up for Free or Log In to start participating in the conversation!