Possible vs Paranoid - Malware

GreenLantern

Senior member
Jun 21, 2000
596
0
0
Trying to separate what is possible and what is paranoid here.

What is malware capable of? Can it go undetected even in Windows explorer (i.e. completely invisible to the file system yet be a threat)? Can it jump from pc to pc just by a usb stick?

My hd at work got infected by a clickjacking virus a couple of weeks ago.

Our tech guy in charge at work is a jack of all pc skills, master of none.

I have a degree in CompSci but it's been a while.

He spent an entire week scouring my hd and claimed it cautiously clean afterwards. (I know, fresh install - especially at a business!)

It worked for two weeks until one day I was looking for Tools/Folder Options... and it was gone! So I rebooted. Upon reboot, explorer.exe wouldn't kick in. Wallpaper (from my domain profile) showed but no start menu, nothing. Win-key did nothing, but ctrl-alt-del rendered Task Manager and we were able to see almost no CPU and explorer.exe using about 70k.

Reboot again, same thing but NO response, ctrl-alt-del gone.

Pulled the drive and he took it home to scour. Nothing found. Later that wknd, the pc he used to scour it freezes at WinXP's "progress bar" of boot process.

Now I want to pull a few files off of it using an external drive but he is convinced that we can't even hook the drive up without it corrupting the host pc.

Is that reasonable?

I agree we risk pulling off an infected file but without launching it aren't we safe? (I want my vbscripts for Excel stored in personal.xls). Open it on disposable win install, do screen shots or copy text, save to usb stick.

He is afraid that just the act alone of plugging the usb stick into the infected machine will pass it to the usb stick - thereby infecting any subsequent machines that the usb stick touches. - without ever being seen by the file system or malware detector???

Sounds paranoid to me. I took the drive home myself, external drive to my xandros eee pc, pulled the file, eee is fine, AVG doesn't detect virus, nor Yahoo email that uses Norton.

Can I get some thoughts on what is prudent and what is paranoid here?

I've used my usb stick since, the eee since (10d ago) with no problem.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Well, to start with, you can disable AutoPlay. Yes, malware can auto-infect USB and Firewire devices, as well as burned CDs and DVDs, and spread from PC to PC that way. But it's like you said... they're not magic, they need to be executed by something or someone. AutoPlay is the main "something."

If you are handling possibly-infected files (or if you just want a safer user account, period), make a separate non-Administrator user account and do it from there. If your version of Windows can do Software Restriction Policy, that's another arbitrary safeguard.
 

RebateMonger

Elite Member
Dec 24, 2005
11,588
0
0
Several years ago, a friend was browsing the Internet and she SWEARS that the computer spoke to her. I don't remember the exact message, but it scared her to death that she'd been hit by malware.

I scanned it with several AV packages, along with a couple of rootkit scanners and found NOTHING.

She's very careful when browsing the Internet, and I couldn't find anything wrong, but I was always leery of what'd happened. Who knows, it might have been an early form of those web pages that say things when you display them. Such things were very uncommon at that time.
 

stevf

Senior member
Jan 26, 2005
290
0
0
have you tried booting that machine from a linux live CD and see if you can get your files that way?
 

Lemon law

Lifer
Nov 6, 2005
20,984
3
0
First of all, GreenLantern has described what a rootkit does. To properly reinstall windows, use something like Dban to completely wipe the drive, and then overwrite it with random X's and O's

The MechBgon advice is excellent.

Then go to spywarewarriors.com, and post a hijack this logfile for review by their really expert readers. In general, to infect, it must install somewhere in the registry. A good process control program like process guard may give you a clue. But Malware can also hide by overwriting Dll's, find something that calls on that Dll, and you are in trobs.

And also realize that failing PC memory, hard drives, CPU, or mobo's can give you exactly the same set of symptoms as it rewrites a corrupt version of your OS over the good. And one by one, your OS functions quit working.
 

nordloewelabs

Senior member
Mar 18, 2005
542
0
0
Originally posted by: RebateMonger
She's very careful when browsing the Internet, and I couldn't find anything wrong, but I was always leery of what'd happened. Who knows, it might have been an early form of those web pages that say things when you display them. Such things were very uncommon at that time.

not really. i've seen several pages that play embedded WAVs or MP3s and they don't show on the browser at all.

i remember one time when i was reading a creepy page about spontaneous human combustion with a friend. all of a sudden, after reading a couple of paragraphs, the main theme from "Blade Runner" started playing really loud.

turns out that, because we were on dial-up, it took a while for the audio file to fully download and then playback in the background (the page had no signs that had audio). that scared the bejesus out of us! :-D

back to the topic.... i was called to fix a virus infection last week in which, according to the client, the computer was speaking to him in different languages... (!) i started his system and waited for the "voices" to come out but they didn't. the PC was indeed infected (Antivirus 2009), but the PC remained silent in my presence.

the client, however, *swore* that the machine was talkative and polyglot before my arrival.
 

TheStu

Moderator, Mobile Devices & Gadgets
Moderator
Sep 15, 2004
12,089
45
91
Originally posted by: Lemon law
First of all, GreenLantern has described what a rootkit does. To properly reinstall windows, use something like Dban to completely wipe the drive, and then overwrite it with random X's and O's

The MechBgon advice is excellent.

Then go to spywarewarriors.com, and post a hijack this logfile for review by their really expert readers. In general, to infect, it must install somewhere in the registry. A good process control program like process guard may give you a clue. But Malware can also hide by overwriting Dll's, find something that calls on that Dll, and you are in trobs.

And also realize that failing PC memory, hard drives, CPU, or mobo's can give you exactly the same set of symptoms as it rewrites a corrupt version of your OS over the good. And one by one, your OS functions quit working.

And after playing that game of TicTacToe it then realizes that the only winning move is to not play. And by that I mean that it lights your hard drive on fire
 

GreenLantern

Senior member
Jun 21, 2000
596
0
0
I didn't see any autorun files at the hd root to imply that something would auto run.

what of the question of invisible files? can there be an autorun file hidden to the user but visible to the OS?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: GreenLantern
I didn't see any autorun files at the hd root to imply that something would auto run.

what of the question of invisible files? can there be an autorun file hidden to the user but visible to the OS?

As Lemon law said, a rootkit can hide stuff in that fashion, but first the rootkit has to get onto the system to begin hiding stuff.

If there were an autorun.ini file, it would probably be set as a hidden, system file, so make sure your Folder Options are set to show both hidden and system files.
 

GreenLantern

Senior member
Jun 21, 2000
596
0
0
Right.
Showing hidden files is one of the first things I'll do after an install

So it can be said that if no autorun.ini is found with hidden files shown and the hosting pc is healthy, barring a user executing something

a) there is nothing to initiate anything on the USB stick.
b) what you see on the stick is what's there, nothing can be hidden from a healthy machine

correct?

I'm trying to establish that there are, with few exceptions, a finite amount of bases to cover when assessing the safety of plugging a dubious usb stick into a healthy pc
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: GreenLantern
Right.
Showing hidden files is one of the first things I'll do after an install

So it can be said that if no autorun.ini is found with hidden files shown and the hosting pc is healthy, barring a user executing something

a) there is nothing to initiate anything on the USB stick.
b) what you see on the stick is what's there, nothing can be hidden from a healthy machine

correct?

I'm trying to establish that there are, with few exceptions, a finite amount of bases to cover when assessing the safety of plugging a dubious usb stick into a healthy pc

That looks correct to me. The only exception I was able to think of, is a file designed to exploit software you already have. A classic example: the .WMF vulnerability patched in January 2006. If you were to preview or view a picture file (.jpg, .gif, .wmf) designed to exploit that vulnerability, it could execute code at the privilege level of the currently-logged-on user. There's exploits of that nature for Zip software such as WinZip, media players such as QuickTime and WMP, and so forth.

In those cases, you can see the file, you just don't expect it to be malicious.

 