Is it safe to perform the following tasks?

Discussion in 'other software & services' started by Masterton, Jul 6, 2009.

Thread Status:
Not open for further replies.
  1. Masterton

    Masterton Registered Member

    Joined:
    Jul 6, 2009
    Posts:
    101
    I'm troubleshooting problems present on our computers. The problems seem to do with the faulty USB external drive. But some suggest it may be malware too.

    So I would like to ask if it's possible for a computer to get infected under the following circumstances:
    1. Simply plug in the infected USB drive / discs / USB stick and do absolutely nothing!
    2. Simply copy and paste the infected file, or move the infected file. We will be infected even if we haven't run/executed it!!
    3. Just extracting files from an infected archive (e.g. zip or rar)
    4. Simply double click to open an infected archive without extracting anything
    5. All computers would get infected automatically if one computer in the same local network is infected. It doesn't require any user interaction!!

    What should we do to help minimize the risks of infection if we are handling people with infected PCs, drives or files?

    Please help and confirm. Thanks.
     
    Last edited: Jul 6, 2009
  2. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519

    1. Minimum -
    You need to prevent the autorun function on your PC.

    2.
    Probably ok.
    In a proof of concept I saw how a single click on a file can run an executable.
    However I don't think this has ever been seen in the wild.

    3.
    Not sure. Probably same as 2)

    4.
    Defo no. The file may show as a zip file but could have a false extension on it, i.e. could be bad.exe.zip.

    5.
    No idea. My guess would be prob yes, all would be infected,
    if they are on the same network.

    If you need to test for malware, I'd defo switch off the wireless network and unplug any network cables.
     
  3. LenC

    LenC Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    846
    Location:
    CT, USA
    I'd install Returnil (or a program like it) and lock down the system before doing anything.
     
  4. axial

    axial Registered Member

    Joined:
    Jun 27, 2007
    Posts:
    477
    See here for a fix for the autorun bug. Just save this as a .reg file and double-click it:

    Code:
    REGEDIT4

    ; Points the INI-file mapping for Autorun.inf at a registry key that does not exist,
    ; so Windows ignores every autorun.inf it reads, on any drive type.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"
     
  6. axial

    axial Registered Member

    Joined:
    Jun 27, 2007
    Posts:
    477
    Re 5: it can happen. If computers on the network have certain services running or ports open, it may be possible for a worm to send them packets that exploit bugs in said services to execute a payload... such as a copy of the worm. IIRC this is how Conficker spread. Having a software firewall obviously helps, although there have even been examples of worms that spread using exploits in firewalls (e.g. Witty).
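The registry fix above stops Windows from acting on autorun.inf at all, but when you are handed a drive you still want to know what it would have launched. The following is an added example, not code from the thread: it reads an autorun.inf as plain text and lists the triggers (open, shellexecute, shell\<verb>\command) and the file each one points at, so the dropped executable can be hashed and scanned rather than run. The autorun.inf in the block is constructed for the example; the key names and semantics are the documented Windows ones.

```python
"""Added example (not from the thread): triage an autorun.inf from a removable
drive as plain text and report what AutoRun/AutoPlay would have executed,
without letting Windows act on the file."""
import re

# Constructed sample, modelled on the layout USB-spreading malware uses:
# every trigger points at the same dropped executable, and icon/action/label
# make the drive look like an ordinary folder of photos.
SAMPLE_AUTORUN_INF = """\
; constructed sample
[AutoRun]
open=recycled\\update.exe
shellexecute=recycled\\update.exe
shell=explore
shell\\open\\command=recycled\\update.exe
shell\\explore\\command=recycled\\update.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
label=Photos
"""


def parse_autorun_inf(text):
    """Tolerant INI parser: section and key names are lower-cased (Windows
    treats them case-insensitively), ';' comments and blank lines are skipped,
    and a repeated key keeps its last value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_vectors(sections):
    """(trigger, command) pairs an AutoRun-enabled Windows box could run."""
    autorun = sections.get("autorun", {})
    vectors = []
    if "open" in autorun:
        vectors.append(("open: run on insertion when AutoRun is enabled", autorun["open"]))
    if "shellexecute" in autorun:
        vectors.append(("shellexecute: ShellExecute on insertion", autorun["shellexecute"]))
    # 'shell=' names the default verb, i.e. what a double-click on the drive runs
    default_verb = autorun.get("shell", "open").lower()
    for key, value in sorted(autorun.items()):
        m = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if m:
            verb = m.group(1).lower()
            note = " (default verb: runs on double-click of the drive)" if verb == default_verb else ""
            vectors.append((f"shell\\{verb}\\command: context-menu verb{note}", value))
    return vectors


def disguise(sections):
    """Keys that only shape how the drive looks in Explorer."""
    autorun = sections.get("autorun", {})
    return {k: autorun[k] for k in ("icon", "label", "action") if k in autorun}


def triage(text):
    sections = parse_autorun_inf(text)
    vectors = launch_vectors(sections)
    return {
        "vectors": vectors,
        "disguise": disguise(sections),
        # distinct files the drive would try to start: hash and scan these, never run them
        "targets": sorted({cmd for _, cmd in vectors}),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_AUTORUN_INF)
    for trigger, cmd in result["vectors"]:
        print(f"{trigger:<70} -> {cmd}")
    print("disguise:", result["disguise"])
    print("targets to hash/scan:", result["targets"])
```

Run it against the autorun.inf copied off the suspect drive (open the file with a text editor or this script, not by double-clicking the drive). Every path in "targets" is relative to the drive root; if the file is there, that is the sample to submit to a scanner.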
  7. Masterton

    Masterton Registered Member

    Joined:
    Jul 6, 2009
    Posts:
    101
    Oh! That's horrible. Many proofs of concept were turned into practice by malware writers in the past, rootkits being one of them. It's enough to get alert when a working proof of concept is presented.

    Do you have a link to that proof of concept (or page which explains this)?

    I wonder if it's also dangerous to click on the folder which has the malware inside too. :gack:

    What do you mean when the malware has false extension?
    Windows will run it as if it's a zip archive.
    Do I still get infected even if I just open it as if it's an "archive"?
     
  8. Masterton

    Masterton Registered Member

    Joined:
    Jul 6, 2009
    Posts:
    101
    Lockdown programs don't seem to be absolutely safe either:
    MBR Rootkit Malware vs Security Software
    Malwaretestlab 9 Killdisk Virus vs 25 Security Software

    The following programs failed to pass all tests:
    • Shadow User Pro
    • Windows SteadyState
    • Virtual Sandbox
    • Disk Write Copy Pro
    • Hdguard
    • COMODO DiskShield
    • Returnil Virtual System Premium
    • RollBack Rx
    :'(

    So it's safer to know more about what malware can do and to prevent getting infected by doing potentially dangerous operations.
     
  9. Masterton

    Masterton Registered Member

    Joined:
    Jul 6, 2009
    Posts:
    101
    Thanks for the links, axial. :)

    The Witty worm: http://news.zdnet.com/2100-1009_22-135008.html

    It doesn't require any user interaction to get infected from what I understand, correct?

    I wonder if the situation can be prevented if I have a router too even if the software firewall has exploits.

    This story should imply Windows firewall alone doesn't guarantee safety from outside attacks (it can have its own exploits too). Even scarier, malware can still infect even without any user interaction. :doubt: A sophisticated firewall is required to keep our computer safer. Is that what those examples imply? :doubt:
     
    Last edited: Jul 7, 2009
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hi there,

    Questions:
    1. Simply plug in the infected USB drive / discs / USB stick and do absolutely nothing!
    2. Simply copy and paste the infected file, or move the infected file. We will be infected even if we haven't run/executed it!!
    3. Just extracting files from an infected archive (e.g. zip or rar)
    4. Simply double click to open an infected archive without extracting anything
    5. All computers would get infected automatically if one computer in the same local network is infected. It doesn't require any user interaction!!

    Answers:
    1. Maybe, depends on the configuration.
    2. Maybe, depends what precedes the copy; if you plugged in an infected USB device and copied the file, you may think the infection comes from the copy, when it comes from previous step. Furthermore, if certain files have all sorts of shell handler thingies, interacting with the file could potentially trigger an infection.
    3. No, but see 2.
    4. Not likely.
    5. Maybe, if the malware is network aware, hosts have no firewall or permit LAN traffic and are vulnerable to the same infection as the one problematic host.

    Best solution:
    Disable USB autorun/autoplay as suggested.
    Use alternative apps to popular mainstream thingies.
    Do not install malware or fiddle with suspected files. If in doubt, no doubt.
    If you must fiddle, use command line (cmd) to perform actions and not GUI.

    Cheers,
    Mrk
     
  11. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    --
    I'd have a different attitude to POCs than you; they would not worry me at all. I was reading through one poster here, and basically the threats that occurred in the wild,
    and had lots of publicity, were all basically the same.
    They all tried to download an executable file to your PC.
    So POCs don't really bother me.
    --
    Sadly I can't find the link to it.
    It involved Adobe I think. The idea was, when you're in Explorer, one of the tabs, like size etc., is description.
    Now Windows will ask the file for its description.
    When it does so, a bug in Adobe will allow it to run a different command.
    This command could be anything.

    So by just by clicking on the infected Adobe file , it could run something in the background.

    ---

    Regarding the other thing, the bad.exe.zip, I think Windows will run this as bad.exe, not bad.zip.

    So the malware runs , your zip application doesn't.
    90% sure on that.
     
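Whether a double-extension name runs or opens in the archive tool is something you can check rather than guess, and the check is cheap: look at the file's first bytes and compare them with what the name claims. Windows picks the handler from the final extension and, by default, hides that extension for known types, so bad.zip.exe shows as "bad.zip" and runs as a program, while bad.exe.zip opens in the archive tool. The block below is an added example, not code from the thread; the sample files it writes to a temporary directory are constructed, and the magic-byte table covers only the few formats mentioned in this thread.

```python
"""Added example (not from the thread): check what a file really is before
trusting the name and icon Explorer shows for it."""
import os
import tempfile

# (leading bytes, description); first match wins
MAGIC = [
    (b"MZ", "PE executable"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"Rar!\x1a\x07", "RAR archive"),
    (b"%PDF", "PDF document"),
    (b"\xff\xd8\xff", "JPEG image"),
]
# What the content should be for a given final extension
EXPECTED = {
    ".exe": "PE executable", ".scr": "PE executable", ".dll": "PE executable",
    ".zip": "ZIP archive", ".rar": "RAR archive", ".pdf": "PDF document",
    ".jpg": "JPEG image", ".jpeg": "JPEG image",
}
# Final extensions Windows hands to a program loader or script host on double-click
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".msi"}


def sniff(path):
    """Content type from the first bytes, independent of the file name."""
    with open(path, "rb") as f:
        head = f.read(16)
    for sig, desc in MAGIC:
        if head.startswith(sig):
            return desc
    return "unknown"


def classify(path):
    """Return (content type, list of findings) for one file."""
    name = os.path.basename(path).lower()
    exts = ["." + p for p in name.split(".")[1:]]
    last = exts[-1] if exts else ""
    kind = sniff(path)
    findings = []
    if last in EXEC_EXTS:
        findings.append(f"runs as a program: final extension {last}")
    if len(exts) >= 2:
        shown = name[: -len(last)]
        findings.append(f"double extension: Explorer shows it as '{shown}' with extensions hidden")
    if last in EXPECTED and kind != EXPECTED[last]:
        findings.append(f"content ({kind}) does not match extension {last}")
    return kind, findings


# Constructed sample files: name -> leading bytes (padded; not real programs or archives)
SAMPLES = {
    "bad.zip.exe": b"MZ\x90\x00" + b"\x00" * 60,      # an .exe that Explorer shows as 'bad.zip'
    "holiday.jpg.scr": b"MZ\x90\x00" + b"\x00" * 60,  # a screensaver is a PE executable
    "report.pdf": b"MZ\x90\x00" + b"\x00" * 60,       # an .exe renamed to .pdf
    "bad.exe.zip": b"PK\x03\x04" + b"\x00" * 26,       # a real zip; opens in the archive tool
    "archive.zip": b"PK\x03\x04" + b"\x00" * 26,
    "notes.txt": b"just text\n",
}


def demo():
    """Write the constructed samples to a temp dir and classify each of them."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in SAMPLES.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            results[name] = classify(path)
    return results


if __name__ == "__main__":
    for name, (kind, findings) in demo().items():
        print(f"{name:<18} {kind:<14} {'; '.join(findings) or 'ok'}")
```

To use it on a real directory, call classify() on each file; nothing in the check opens the file with its associated program, so it is safe to run on a drive you do not trust.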
  12. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Yep, I'd agree. I'd split those viruses into very different groups though.

    The MBR one is about the most sophisticated malware around: going the MBR route, waiting 30 mins to run, and lots of other stuff. So basically I think a virus of that type of sophistication will get past most defences.
    So put it in the 1% of risk that will always be there.

    The killdisk is a different one. If all it does is wreck a PC, it's not going to make its owners any money. So I think those viruses are becoming less common. So while probably detectable, I also wouldn't consider it a big problem.
     
  13. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I'd look at it a little differently.
    Again it's quite an unusual case.
    A piece of security software was exploited to spread viruses.

    So the lesson I'd take from it.
    Don't rely on one piece of security software.

    However I'd say its very unlikely a piece of security software will be exploited again.
    As it would kill their business I'm sure they take this risk much more seriously after the 2004 exploit.
     
  14. Masterton

    Masterton Registered Member

    Joined:
    Jul 6, 2009
    Posts:
    101
    Would you explain the second part (shell handler) more? How does it actually work? It would be preferable if you know a page which explains this kind of infection.

    And I have another question. If file copy/movement can trigger infection, what if I download the file? Will I get infected when I'm downloading the malware via a link?

    It appears we can still get infected even we have a software firewall installed as long as the hacker can find exploits on that software firewall. The true problem is it doesn't require any user interaction.

    Is it better if I move, or copy (possibly infected) files via command line? Can I be sure I won't get infected during the process?
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hi,

    Explanations:

    Shell handlers, check out the PDF vulnerability thread and pay attention to Rmus' posts (use the search function to find them).

    Copy itself won't do anything. The question is, what else does Windows do in the background. Example, email preview. While you're not opening the email per se, the mail client is parsing the code in the email, effectively executing it, without you doing the actual open.

    Another example is malicious PDF files + Acrobat Reader (vulnerable version). Again, check for threads talking about scanning and neutering these files. Do not use Acrobat Reader - this goes under alternative apps. Use cross-platform open-source solutions instead of the popular and populistic things and you'll remove 99% of vulnerabilities.

    Use OpenOffice instead of MS Office, Pidgin instead of MSN or Yahoo IM, VLC instead of Windows Media player and so forth.

    Hacker won't hack your firewall.

    If your machine is infected and the malware is network aware, the attempts to infect other machines will be purely automated, simply sending packets to possibly listening services and trying to exploit possible holes in them. That simple. Use even Windows firewall that does not permit LAN traffic and all is good.

    This is why you never introduce untrusted things into trusted network.

    Command line, you exclude Windows GUI shenanigans from the picture and avoid a million GUI related problems, including this or that shell handler, this or that image, animation, cursor problem and so forth. Just you and plain text.

    Mrk
     
  16. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Yes, if autorun is enabled.
    Yes, depending on where you extract the file to. For certain functions, Windows and some programs will by design automatically load files located in certain folders.
    Depends on where you extract the files to. See above.
    No.
    Yes, some worms will automatically probe the LAN for vulnerable machines. Correctly-configured software firewalls on each LAN machine will stop the majority of these.
     
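The two answers above say the same thing in different words: a network-aware worm can only reach services that are listening on an interface other hosts can see. Which services those are is something you can read straight off `netstat -ano` on each machine before deciding what the host firewall must block for LAN traffic. The block below is an added example, not code from the thread: it parses constructed netstat output and lists the listeners bound to every interface or to the LAN address, skipping loopback-only sockets and outbound connections. The port notes are well-known worm targets (445/SMB for Conficker via MS08-067, 135/RPC for Blaster) and are the only facts it assumes beyond the netstat column layout.

```python
"""Added example (not from the thread): find the listening services on a
Windows host that a LAN worm could reach, from `netstat -ano` output."""

# Constructed sample of `netstat -ano` on a Windows host with LAN address 192.168.1.10
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1504
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49160     93.184.216.34:443      ESTABLISHED     2212
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:137            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1288
"""

# Ports historically used by self-propagating worms on Windows LANs
WORM_TARGETS = {
    135: "MS-RPC endpoint mapper (DCOM; Blaster)",
    137: "NetBIOS name service",
    139: "NetBIOS session / SMB over NetBIOS",
    445: "SMB (MS08-067; Conficker)",
}


def split_addr(addr):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '[::]:445' -> ('::', 445); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """One dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""   # UDP rows have no State column
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(parts[-1])})
    return rows


def lan_exposed(text):
    """Listeners reachable from other hosts on the LAN."""
    exposed = []
    for r in parse_netstat(text):
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue                      # established/time-wait sockets accept no new connections
        host, port = split_addr(r["local"])
        if host in ("127.0.0.1", "::1"):
            continue                      # loopback only: not reachable from the LAN
        exposed.append({"proto": r["proto"], "port": port, "bind": host,
                        "pid": r["pid"], "note": WORM_TARGETS.get(port, "")})
    return exposed


if __name__ == "__main__":
    for e in lan_exposed(SAMPLE_NETSTAT):
        flag = f"  <-- {e['note']}" if e["note"] else ""
        print(f"{e['proto']} {e['bind']}:{e['port']} pid {e['pid']}{flag}")
```

Every line the script prints is a service the infected host's worm code can send packets to; the fix the thread recommends is a host firewall rule that drops inbound traffic to those ports from the local subnet on machines that do not need to serve it (a workstation rarely needs to accept 135, 139 or 445 from its neighbours).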
  17. Masterton

    Masterton Registered Member

    Joined:
    Jul 6, 2009
    Posts:
    101
    Let us sum it up.
    1. No extension is safe. You may get infected by a PDF file, an image file, or whatever.
    2. You may get infected even if you just select the file without actually running/executing it manually.
    3. You may get infected if you just browse the folder which has the malware inside.
    4. You may get infected even if you just copy/move the files without actually running/executing them manually.
    5. You may get infected even if you just download the malicious file without actually running/executing it.
    6. Plugging in any removable device is unsafe unless you completely turn off Autorun/Autoplay.
    7. Your computer may still get infected without user intervention if the malware makes use of the exploits on your software firewall.
    I know select/cut/copy/paste itself is safe, but the environment, the GUI and the software which handles it may have exploitable bugs.

    Does it mean there is really no way to prevent from infection if you try to handle some possibly infected files or drives? :cautious:

    I don't know how high or widespread the risk is, but we want to minimize it, as much as practically possible, since it exists.

    Command-line only operation is interesting but it's much more difficult to do things in DOS only. You may not have the necessary knowledge to do it either. :ouch:

    I'm thinking about LiveCD. Will the chance of infection be much lower if I boot the computer via LiveCD to handle the possibly infected drive or files? o_O
     
  18. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Just in terms of % risk, this would be useful to keep in mind (all IMO) :)

    One thing I would say is that actually executing a malware file is by far the most common means of infecting a PC.
    so don't execute the maybebad.exe

    The Adobe exploits are fairly specific; usually the infected file itself only opens an internet connection to download the really damaging malware from the internet.

    The other problems mentioned again would be quite rare.
    I mentioned one which was only a POC , so its very unlikely its live malware looking at you.

    Finally, PCs have loads of glitches (as you know). IMO it's more sensible to assume a glitch on your PC is a software or driver bug first, and then go down the anti-virus route.
    I would isolate the PC in question first though.

    I think best solution would be
    1) take an image of the PC.
    2) install Returnil on that PC.
    3) detach the PC from any networks.
    4) connect the PC to the malware USB drive.

    It's not 100% secure, but it's a way forward.
    Returnil will probably take care of everything, but if not you have the backup image.
     
    Last edited: Jul 8, 2009
  19. Masterton

    Masterton Registered Member

    Joined:
    Jul 6, 2009
    Posts:
    101
    I have a slightly different stance than you.

    Sometimes a risk which was rare in the past can become common nowadays. Rootkits are one of them. They have become one of the serious, common threats to Windows users now. There is a time gap between a hacker using the technique to infect computers and when the public realise the seriousness of the problem.

    The majority of the malware is marked as "low risk" in the virus encyclopedia. You are going to encounter a few of the "low risk" malware some day although you are not going to meet so many of them.

    I wouldn't lose sleep about them but I would become more alert and try to implement more security measures to prevent them, if at all feasible. I don't want to fall into the next victim.

    Unfortunately the hacker won't give its malware a name like this. ;)
    It would be a nice image file or pdf file which the hacker lures you to open it. You don't suspect those files because you think they are perfectly safe.

    There are millions of malware samples now, and the number keeps rising. It's very hard to know if a malware author has already used the same or similar technique present in the POC to infect people. There is so much malware which doesn't have news coverage. Just like there are many accidents happening each day but only a small portion is reported by the media.

    I did see a POC coming into real usage so I won't say we shouldn't care since it's still POC.

    If you are interested this is the problem (explained in depth) that we are currently facing. The post is very long (you have been warned ;)).

    Autorun was off before plugging in the USB drive.
    File transfers to and from that USB drive caused HDD random crashes and BSOD. Either the USB drive or malware is at fault but the computers are acting really funny as if they get infected. Then how come we could get infected if what we did was plugged in and copy/move files?
     
  20. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    My guess is that the files on the USB drive, or the drive itself, are severely corrupted.

    Then when you copy files to a PC, the files on the PC are so corrupted that it causes a BSOD.
     