Last Updated: 2013-02-23 19:02:06 UTC
by Kevin Liston (Version: 1)
I'm certain that something like this has happened to you. You're at work/home/shopping and a friend/coworker/family-member asks/phones/sends-a-telegram to you basically stating: "My computer is acting strangely, do you think I have a virus?"
I had this happen this week so I asked: "describe strange."
So they listed off some symptoms:
- slow to boot
- takes a while for the computer to catch up to what you're typing
- can't get rid of this silly toolbar
- password to (some service) is no longer working
"Stop right there. I know what the problem is, you've got (fill-in-the-blank banking/keylogging trojan), so you need to rebuild your system."
"Now's not a good time to do that. Is there anything else you can do?"
"Yes, but I don't recommend it."
What You Should Do
The correct response when suspecting a compromise like this on a non-enterprise device is to simply buy a new hard drive and an external enclosure for your old drive. Then install fresh, and migrate what you need from the old drive. It's time-consuming and a hassle (because people invariably install a bunch of things on their systems and forget passwords and license keys, etc.), but it's the only way to be sure, and it's the non-enterprise equivalent of nuking it from orbit.
What I Did
Because I'm sensitive to the realities of life, and the solution above does not fit all cases, I started off with a quick assessment of the device. Using Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) the cause of the slow boot problem was pretty obvious: there were at least 3 different anti-virus programs running on the system and competing for resources.
Since we agreed that we weren't going to seek prosecution on this incident ("just clean it up and get it working again"), I just dove into ripping out all of the free/demo AV programs, and some of the other bloatware introduced by the manufacturer.
That fixed the performance issues on the next reboot. But how do we keep the machine safe? We picked one AV solution. I'm a fan of defense-in-depth, but multiple AV programs are no defense-in-depth, it's width... or something... anyway it's not good. I also recommend an up-to-date browser, and if you use Firefox I really, really recommend NoScript (http://noscript.net/), and a healthy dose of paranoia when it comes to clicking on things.
Was the System Compromised or Just Over-protected?
So I'm still left wondering if the system had an undetected infection, so I dropped a Redline collection agent (http://www.mandiant.com/resources/download/redline/) on the box to pull a comprehensive memory analysis. Before running the capture, I opened the browser, went to my bank's website, entered a deliberately bad username/password pair (so the capture would contain a known string to search for), and then ran the capture.
Golly that takes a while to run (about 2 hours on a 4Gb system, creating 6.5Gb of data.)
After plodding through with Redline and Volatility I haven't uncovered anything yet... yet.
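One way to check the capture for the seeded credential, as an added example that is not part of the diary or of Redline/Volatility: it scans a raw memory image for the bogus password in both ASCII and UTF-16LE, handles a hit that straddles two read chunks, and returns the bytes around each hit so you can see what else sits next to it. The image, the canary strings and the chunk size are assumptions; the sample image is constructed here.

```python
import io
import re
from typing import BinaryIO, List, Tuple

# Canary credentials typed into the bank login page before the capture.
# These are constructed placeholders, not values from the diary.
CANARY_USER = "canary-user-7f3a"
CANARY_PASS = "Wr0ng-Passw0rd-7f3a"


def encoded_forms(text: str) -> List[Tuple[str, bytes]]:
    """Windows keeps strings as ANSI or UTF-16LE in memory; search for both."""
    return [("ascii", text.encode("ascii")), ("utf-16le", text.encode("utf-16-le"))]


def scan_stream(fobj: BinaryIO, text: str, chunk_size: int = 4 * 1024 * 1024) -> List[Tuple[int, str]]:
    """Return (file_offset, encoding) for every occurrence of `text` in the image.
    Reads in chunks and keeps an overlap so a hit straddling two chunks is not lost."""
    patterns = encoded_forms(text)
    overlap = max(len(p) for _, p in patterns) - 1
    hits, tail, base = [], b"", 0            # base = file offset of tail[0]
    while True:
        chunk = fobj.read(chunk_size)
        if not chunk:
            return hits
        buf = tail + chunk
        for name, pat in patterns:
            # lookahead so overlapping occurrences are all seen
            for m in re.finditer(b"(?=" + re.escape(pat) + b")", buf):
                if m.start() + len(pat) > len(tail):   # hits wholly in the tail were reported last round
                    hits.append((base + m.start(), name))
        tail = buf[-overlap:] if overlap else b""
        base += len(buf) - len(tail)


def context(fobj: BinaryIO, offset: int, width: int = 32) -> bytes:
    """Bytes around a hit: a keylogger buffer would also hold the keystrokes
    typed before and after the canary, which is what to look at next."""
    fobj.seek(max(0, offset - width))
    return fobj.read(2 * width)


def build_sample_image() -> bytes:
    """Constructed stand-in for a memory dump: filler with the canary planted twice."""
    filler = bytes(range(256)) * 8
    return (filler + CANARY_PASS.encode("ascii") + filler
            + CANARY_PASS.encode("utf-16-le") + filler)


if __name__ == "__main__":
    image = io.BytesIO(build_sample_image())     # real use: open("memory.img", "rb")
    for off, enc in scan_stream(image, CANARY_PASS, chunk_size=1030):
        print(f"canary at offset {off:#x} ({enc}): {context(image, off)!r}")
```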