September 8, 2010

I wanted to write about a bit of spyware history and evolution here, but I think we all know a lot about the problem already. Spyware is annoying, widespread and dangerous.

And hard to get rid of. Today spyware writers are becoming quite good at hiding spyware activity and making sure that an infected computer remains infected. A common approach is to change the winlogon notify registry key so that the malware code runs on every single user login. Yes, even if you start Windows in safe mode you have to log in, and once a program is loaded you cannot easily remove it from the computer.

This is an everyday problem for most IT professionals. Cleaning a system that’s already running is almost impossible.

So Linux to the rescue:

My solution for the problem is a Linux live CD with an antivirus removal tool.

The easy part was the live CD. Ubuntu has a nice live system which is easy to customize, supports almost all available hardware, and also has mature NTFS support.

I got rid of openoffice.org packages because they took up a lot of space, which I needed for the antivirus software.

The harder part was finding the ideal virus removal tool for the job. I really like clamav (we use it to scan our email traffic for obvious viruses); however, as of today it knows 472153 viruses. Don’t get me wrong, it IS a great tool for slowly evolving or fixed viruses, like mass mailing viruses and older ones, but currently it is not fast enough for the spyware war. On my first attempts with the live antivirus solution it missed a lot of newer threats and variants.

So I started to look for another solution. Well, “linux and viruses” wasn’t the best search term, but in the end I found a very promising site: Viruspool.net. This site is exactly what I’ve been looking for. It lists unix command line scanners with a percentage of accuracy, ease of install, price and similar information. Although it is a bit outdated, it is still a good reference point.

Obviously I aimed at the highest accuracy, but because I only wanted to test-drive the products, simple availability was important too.

To make a long story short, I ended up with the BitDefender product (an evaluation version is available after filling in a simple form), and they currently run a beta test program for the unix version. They sent me an email about it, so I think I can include the link here: http://download.bitdefender.com/SMB/Workstation_Security_and_Management/BitDefender_Antivirus_Scanner_for_Unices/Unix/Beta/

Today it has 2 336 009 signatures, and a lot of them are malware related.

So after creating the live CD I booted the machine with it and simply did this:

# Update the definitions
bdscan --update
# Mount the Windows partition (read-only at first, so nothing on it can change)
mount -o ro /dev/sda1 /mnt
cd /mnt
# Report infections only; --no-list suppresses the listing of clean files
bdscan --no-list path/to/check

This gave me the list of infected files, but did not change anything on the machine in question.
(On this particular machine: a lot of expected DLLs and .tmp files, and an unexpected trojan infection in userinit.exe [this caused the owner to ask for help, because it made the desktop disappear on boot... badly written trojan...].)

This was enough for me. I remounted the drive in rw mode, removed the infections by hand and replaced userinit.exe with a clean copy.
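A check I would add to the read-only pass, as an added example that is not part of the original post: compare the logon executables on the mounted Windows partition with copies taken from a known-clean install of the same Windows version and patch level, so a replaced userinit.exe stands out even when the signature database misses it. The mount point /mnt, the reference directory /media/clean and the file list are assumptions.

```python
import hashlib
import os

# Executables Windows loads during logon; a trojanised userinit.exe is the case
# described in the post. Extend the tuple with whatever else you want watched.
LOGON_FILES = ("userinit.exe", "winlogon.exe", "explorer.exe")


def sha256_of(path):
    """SHA-256 hex digest of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def resolve_ci(root, *parts):
    """Resolve root/parts with case-insensitive matching of each component.
    NTFS names are case-insensitive, but the Linux driver shows them as stored
    (WINDOWS/system32 on XP, Windows/System32 on later versions)."""
    path = root
    for part in parts:
        if not os.path.isdir(path):
            return None
        match = next((e for e in os.listdir(path) if e.lower() == part.lower()), None)
        if match is None:
            return None
        path = os.path.join(path, match)
    return path


def compare_logon_files(mount_root, reference_root, names=LOGON_FILES):
    """Compare each logon file on the offline partition with the clean reference.
    Returns {name: 'match' | 'differs' | 'missing' | 'no-reference'}.
    Hashes only agree when the reference comes from the same Windows build."""
    results = {}
    for name in names:
        ref = resolve_ci(reference_root, "Windows", "System32", name)
        tgt = resolve_ci(mount_root, "Windows", "System32", name)
        if ref is None:
            results[name] = "no-reference"
        elif tgt is None:
            results[name] = "missing"
        else:
            results[name] = "match" if sha256_of(ref) == sha256_of(tgt) else "differs"
    return results


if __name__ == "__main__":
    # Assumed paths: partition mounted read-only at /mnt, clean copies at /media/clean
    for name, status in compare_logon_files("/mnt", "/media/clean").items():
        print(f"{name}: {status}")
```

Run it while the partition is still mounted read-only; a "differs" result tells you which file to replace once you remount in rw mode.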

But bdscan can also remove/quarantine/repair(!) infections automatically. See bdscan --help for details.

Now I’m quite satisfied with the result.

If I have a bit of free time I’ll check more of the products, even if they are a bit harder to get.
The more engines I try, the more spyware I’ll catch, and I currently have quite a few machines to check for malware…

After creating the live CD you can remove /opt/BitDefender-scanner/var/bddt.dat; this keeps the software in trial mode, but bdscan must then be run as root so that it can recreate the file.

I hope this helps a bit, and of course every comment is welcome :)
