
I see a number of companies offering "malware removal" services. I see some software that claims to be able to remove malware from an infected machine.

Is using a removal software tool to 'clean' an infected machine acceptable practice, or is the only safe method to reformat the machine and then carefully restore data after that data has been thoroughly checked?

DanBeale
  • One point to note: a lot of the ads you might see for anti-malware are actually a "clever" phishing technique to get you to install *their* piece of malware. – AviD Sep 14 '11 at 10:52

4 Answers


It actually depends a lot on the malware in question as to whether a removal tool is in fact a really feasible option. Whether said tool works or not depends on how much the author of the tool knew about the original malware and what it did.

To illustrate my point, take a look at something like Autoruns. There are a whole slew of ways to get your chosen executable to run on Windows startup, which Autoruns mostly displays, but only two of those are standard choices for the average software engineer. Malware authors can easily use many of the other areas, or even multiple areas, to become much more persistent across reboots.

Next up is the damage you can do to the Windows registry. For example, the handling of .exe files is in fact denoted by a registry entry, so there's an attack point with which I could damage your system if you undid it naively. Likewise for other common extensions such as Word documents. The question becomes, does the removal tool author know what these values were prior to the viral infection? Does the tool even detect these changes? I could easily hide a re-install malware executable in such a route, triggered by, say, a plugin load into Internet Explorer, or such like.

Next up is the most difficult to recover from - what if said virus starts trampling all over various files you own? It's entirely possible it could patch parts of Windows this way, or your user data and programs, storing copies of itself, which means you'd have to know it did this and search for the damaged files, or else scan all files for the payload. Which gets even harder if it is self-modifying. If any of these payloads are triggered, a re-install is a likely behaviour.

The final case is the old rootkit, which could hide the infection from the cleaning program. You can go some way to detecting rootkits if you try hard, but it is significantly non-trivial.

I should also point out at this stage that websites offering to clean/disinfect your computer are a great attack vector for any malware author. Emails introducing yourself as Mr So and So with £850,000 USD they just happen to want to give away are pretty obviously frauds to most people, but the computer says "alert, you have a virus" in a way that looks legitimate to your average home user and before you know it, they've installed said "product". They don't necessarily have the technical expertise to realise the scam here.

I do not trust said cleaning tools or services unless they come from reputable vendors.

The insurance industry employs the term "write-off" when the cost of repairing or fixing something is greater than the cost of replacing it. In my mind, undoing the damage to an operating system a "good" (as in, highly effective) piece of malware can do is probably not worth the time and effort it takes unless you are (very) determined to learn about the infection and the behaviour of the malware. So I would write off the install in all likeliness.

That said, some malware is fairly simple and does not impact the system as badly as it could. In which case, a removal tool might well be all it takes to clean it. The problem is knowing that it is in fact just a simple piece of malware.

Further update: Based on this.josh's comment - a lot of malware I personally have seen has not been so advanced as to be incredibly difficult to remove. However, a common trend I have seen on infected PCs is for the PC to be infected with multiple pieces of malware, all doing different things. Often, a single initial infection seems to be built entirely to do this. Tracking all of those pieces down and deducing whether they're part of a whole or separate entities, and what variant they are, is a time-consuming process which keeps full-time malware analysts employed at varying reputable vendors. I personally therefore have two questions of "malware removal" tools you find:

  • Do their authors have the same level of experience in removing malware as the likes of Symantec, McAfee etc?
  • Have their authors had the same amount of time to analyse the malware? I know how to use disassembler tools, but I can tell you the process of working out what something does from disassembly is one that takes a lot of time to learn and time to do even if you're an expert. I know because I'm not that great at it.

I have a hard time believing what appear to be "silver bullet" solutions.

Obviously there is a caveat to this - reputable companies offering virus cleaners (which happens sometimes) are likely to work and unlikely to be malicious. It's about making a judgement call as to how much you trust the author of the tool and how sure you are they are who they say they are. I would say, however, that it is known that some malware is capable of disabling reputable anti-malware products (although it isn't common) and that prevention is pretty much always preferable to cure.

Compare it to being burgled, if you've ever had the misfortune to have that happen. Some things are obviously missing, like the TV. However, to give a full list of what is missing and out of place is very hard to do - did they take X, or did you just leave it at someone else's house? Or in the car? Where's Y? The same applies to malware - a full account of the damage done is hard, especially as, just like thieves, each piece of malware is different. Like thieves, malware has some common traits, like targeting autorun methods so that is what makes it obvious there's been an intrusion, but as I say, fully accounting for everything is hard.

  • Excellent point that not all malware removers are benign. Even if they do clean your machine they may look through your personal data. I understand that the OP left the scope very open, but how common is sophisticated malware infection? If the rate of embedding, self-modifying, and rootkit infection is low, I think you should point that out in your answer. – this.josh Aug 23 '11 at 02:02
  • @this.josh Really sophisticated malware doesn't attack people daily, although the last two pieces of really-hard-to-remove malware I've had to (try to) remove were both false antivirus products. What is more common in what I've seen on infected machines is to have multiple infections of a whole pile of different malware. Whilst not so deeply embedded, there's often still a whole lot of stuff and removing "the infection" as in becoming malware free is quite difficult. –  Aug 23 '11 at 10:42
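As an added example (not code from the original answer), here is the kind of check the answer implies for two of the places it names, the Run keys and the .exe file handler: take a snapshot of those registry values on a known-clean build of the machine, then diff a later snapshot against it, so that "what was this value before the infection?" has an answer. The key paths are the standard Run/RunOnce keys and HKEY_CLASSES_ROOT\exefile\shell\open\command; the baseline file location is an assumption.

```powershell
# Added example, not from the original answer. Snapshots a handful of the
# persistence locations the answer mentions and diffs them against a
# baseline taken from a known-clean build of the same machine.
# Run as administrator so the HKLM reads succeed. Baseline path is assumed.
$BaselinePath = 'C:\baseline\persistence-baseline.json'

$Locations = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
)

function Get-PersistenceSnapshot {
    # Returns a hashtable of "<key path>::<value name>" -> value data.
    $snapshot = @{}
    foreach ($path in $Locations) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-ItemProperty -LiteralPath $path
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip it.
            if ($prop.Name -like 'PS*') { continue }
            $snapshot["$path::$($prop.Name)"] = [string]$prop.Value
        }
    }
    return $snapshot
}

function Compare-PersistenceSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $findings = @()
    foreach ($key in $Current.Keys) {
        if (-not $Baseline.ContainsKey($key)) {
            $findings += "ADDED   $key = $($Current[$key])"
        } elseif ($Baseline[$key] -ne $Current[$key]) {
            $findings += "CHANGED $key`n   baseline: $($Baseline[$key])`n   current:  $($Current[$key])"
        }
    }
    foreach ($key in $Baseline.Keys) {
        if (-not $Current.ContainsKey($key)) { $findings += "REMOVED $key" }
    }
    # The .exe handler has a well-known stock value; anything else deserves a
    # look even if the baseline itself was taken from an already-suspect box.
    $exeKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command::(default)'
    if ($Current.ContainsKey($exeKey) -and $Current[$exeKey] -ne '"%1" %*') {
        $findings += "SUSPECT .exe handler is '$($Current[$exeKey])', expected '`"%1`" %*'"
    }
    return $findings
}

$current = Get-PersistenceSnapshot
if (Test-Path -LiteralPath $BaselinePath) {
    # JSON round-trips as a PSCustomObject; turn it back into a hashtable.
    $baseline = @{}
    $saved = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    foreach ($p in $saved.PSObject.Properties) { $baseline[$p.Name] = [string]$p.Value }
    $findings = @(Compare-PersistenceSnapshot -Baseline $baseline -Current $current)
    if ($findings.Count -eq 0) { 'No differences from baseline.' } else { $findings }
} else {
    # First run, on the clean build: record the baseline.
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
    "Baseline written to $BaselinePath"
}
```

The first run writes the baseline; every later run reports values that were added, removed or changed. Note that this covers only five locations, whereas Autoruns enumerates dozens, which is precisely the answer's point: a removal tool only catches what its author thought to look at, and a baseline taken after the infection tells you nothing about what the values should be.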

It depends on how important the machine is. I know others say differently, but for my own machines, I always reinstall from scratch when I think something funny is going on. Given that AV scanners pick up only about 50% of malware on any given day (your stat may vary, but it's bad in any case), I'd be at least a little bit suspicious of removal tools too.

It also could be said to depend on the malware, if you believe that there are degrees of "owned" - although, given how easy it seems to be for determined attackers to escalate from a nonprivileged account, I'm not sure I believe in that concept myself.

Incidentally, you might consider reinstalling any VM guests that the malware would have had access to. I'd change passwords that have been typed into infected computers as well, including guests of infected hosts.

As I said, there are other reasonable answers to this question, but unless the box is pretty low-sensitivity, and is never used to access high-sensitivity resources, I'd probably just reinstall.

Steve Dispensa
  • "reinstalling VM guests" - Why not just revert to a known good snapshot (even better if it's from a backup)? Changing a snapshot of a VM sounds like a very targeted virus – TheLQ Aug 23 '11 at 19:29
  • @TheLQ - It's not about a targeted virus. It's about cloudburst style attacks where the malware is intentionally built to escape the VM and propagate to the host...I mean most of the time they have unadulterated access to the system (have to be at root/administrator level for frame injection). It's not what he said or meant, but it's where the real danger lies – RobotHumans Sep 16 '11 at 21:52

My opinion, bare metal is it. I don't trust removal tools to get it all. This can be easily demonstrated. Even the US DoD now uses read only media for secure remote operations. Their theory, reboot before every secure transaction. I completely agree and have advocated this for years.

RobotHumans
  • Agreed, I deal with hundreds of malware infections daily. The only way to remain truly safe is to DBAN the sucker. – detro Aug 23 '11 at 19:25

Both aren't safe options.

We don't need to talk about the removal tools, which might work sometimes, or work under special conditions (when run from a clean device).

But you will restore a system which got infected, so there is at least one main vulnerability left: your system and its applications or your behavior - maybe both.

user unknown
  • Your answer is confusing. Are you saying that there is no way to make a system secure after it has been compromised? – this.josh Aug 23 '11 at 01:56
  • @user Yes, one has to keep in mind that some "reputable" software packages have been both intentional and unintentionally shipped with malware included in them. (See, for example, this story: http://news.cnet.com/2100-1001-935994.html .) **If one of your favorite apps has something in it, there's a 0% chance formatting will work**. On top of that, if you are the target of an attacker and format your computer without changing your IP (or if you allow him to see the new one,) he's just going to put his stuff right back on your machine. Formatting is an option, but definitely not 100% safe. – Michael Aug 23 '11 at 02:15
  • @this.josh: Not exactly. If it was your misbehaviour (you downloaded cracked software, fishy porn-apps, executed programs which you should not trust), then you have to stop this misbehaviour, or it will happen again. If it wasn't your misbehaviour, but an error in the system you're using, then restoring this vulnerable system will put you in an exposed position again. You might have more luck the next time. Or even less. – user unknown Aug 23 '11 at 08:00
  • @Michael: Not just malware - vulnerabilities which are exploited by malware are enough. And not only fav. apps, but the OS too, and apps which you don't know, which are working in the background, or which you know, but wouldn't call `favourite`; for example AV-software, which stumbled over malicious archives. But your idea of `visible IP` is completely wrong. – user unknown Aug 23 '11 at 08:04
  • @user-unknown I don't think the Question requires you to re-install software with known vulnerabilities. – this.josh Aug 23 '11 at 08:38
  • If you assume that you know which software had the vulnerability, but how would you know? – user unknown Aug 23 '11 at 08:53
  • There are several methods for finding vulnerability points. On top of that there are forensic techniques to find the entry point for malware. Most malware does not have sophisticated covert capabilities. While a system may be compromised by malware with sophisticated covert capabilities, the occurrence is rare. It is not impossible to operate a secure system, nor is it impossible to recover from a compromise. – this.josh Aug 23 '11 at 17:07
  • @user If someone, for example, was determined to root your computer, and you formatted and reinstalled the same software with the same vulnerabilities that he has already exploited, then his first course of action would be to repeat what he had previously done, and if he has a way to communicate with your computer (same IP,) he can do so. The only way to avoid him reinstalling the root would be to 1) cleanse your system + patch the vuln, or 2) format/reinstall and disappear from his view (i.e. change your IP.) I don't understand how one could disagree with this??? Please explain. – Michael Aug 24 '11 at 00:02
  • @this.josh You are assuming that the person running the computer is an expert that can diagnose the entry point. This does not describe 99.9% of people. Also, in regards to running a "secure" system, it depends on the definition of "secure." Of course, it is not impossible to run a *relatively* secure system, but a relatively secure system is not a 100% secure one. Even OpenBSD, regarded as one of the most secure OS', has had a few vulnerabilities; we need not even mention Windows or Mac. You seem a bit too optimistic. – Michael Aug 24 '11 at 00:10
  • @this.josh: `There are several methods for finding vulnerability points.` There is no known method to find all vulnerabilities (not even a reasonable amount) else it would be easy for software vendors to only ship vulnerability free software. `On top of that there are forensic techniques to find the entry point for malware.` What? How? Where? Costs? As Michael mentioned: Most people can't do it themselves, and can't pay for such service, which isn't even guaranteed to succeed (see point 1 and 2). – user unknown Aug 24 '11 at 01:16
  • @Michael: How did he find the IP the first time? Why shouldn't it happen again? Maybe another person with the same toolkit. – user unknown Aug 24 '11 at 01:25
  • @user Presumably, if he has rooted, etc. your computer, he has your IP. If you are surfing without a proxy, then he will know your IP just prior to infection (i.e. when you visited his site) Even if it was distributed without him knowing your IP prior to infection, then the rootkit, etc. might still send a message to his computer/server that his efforts to infect your computer have been successful. Seems to me that it would be more likely for him to have your IP than to not have it. – Michael Aug 24 '11 at 02:34
  • `If` and `when`. And if not? I thought we `can NOT diagnose the entry point`. If you have a fresh install, without his rootkit, but he has your IP - what does it serve him? And if you visit his site again, where you got the malicious code, you will get it again, and now he has your new IP. If your security depends on other people not to know your IP, you're already ... – user unknown Aug 24 '11 at 03:15
  • @user I think entry-point diagnosis should be considered possible, but not taken for granted. Anyways, if you got it from going to a site, downloading an email attachment, etc., sure, changing your IP won't help if you do it again; that's true. But, on the other hand, we both agree that vuln's exist in software, even if it is fully patched, and if he got into your system through an OS/driver/app vuln, and he knows your IP, patching the initial entry point is only going to be a speed bump until he finds/tries another vuln. (Worse still, maybe he has a dozen ways into your system, and... – Michael Aug 24 '11 at 19:20
  • they are replenished faster than you can patch them... meaning that you're in a situation where it would be impossible to keep him out for any significant period of time.) If that is the case, then something drastic would be mandatory (e.g. a massive security audit, which is going to cost a lot of money) or, if the guy is so good that even that doesn't help, simply going into hiding (changing your IP.) Obviously changing the IP of a web site server wouldn't work at all, but when it comes to a personal computer, it seems like an easy way to disappear. – Michael Aug 24 '11 at 19:27
  • At any rate, we both agree that neither using an A/V nor formatting/reinstalling guarantees security. At this point, I think we are getting into situations where we are making different assumptions (web site server, personal computer, whether or not the operator is competent, etc.) and these different assumptions have brought us to different conclusions. It would be futile to attempt to discuss all possible situations, so I think we should just leave it at "neither will guarantee safety" -- something that is definitely true, even if, surprisingly, others here disagree. – Michael Aug 24 '11 at 19:32