On the sense and senselessness of Malware cleaning

Whether it even makes sense to clean infected computers is a topic of repeated heated discussion in the IT security world. Questions such as “Can I ever really trust a computer again once it has been infected?” or “Is it technically possible to completely clean a system?” always come to the forefront of these discussions.

How do Malware infections work?

To answer this question, a number of different types of Malware must be individually analyzed:

• Viruses

  Until recently, most of the known damaging programs were viral in nature. One property of Viruses is that they use other host applications in order to be able to run. A Virus always attaches itself to a benign program by inserting its own Virus program code into the executable file of another program (e.g. an .EXE file). Once the benign program is loaded the Virus can begin its damaging routines and use other programs to reproduce itself. These days, Viruses play a much smaller and less important role in the Malware sector.

• Trojans, Backdoors, Bots, Worms

  Most of the new damaging programs these days are Trojans and Bots. They do not require a host program to run because they are independent programs. Bots attempt to remain as inconspicuous as possible and usually hide well camouflaged in the depths of the operating system. Their activities include opening the PC for attackers who thereby gain full control of the PC, mass-mailing of illegal Spam mails, or the coordinated overloading of individual websites through too many manipulated queries at once (DoS). The PC can only be regarded as infected when this type of software is actually active. Files that are not running do not represent a danger. However, Trojans and Bots usually have numerous features to ensure that they are automatically started every time the system is booted. Autostart entries are created in a wide variety of system Registry locations, file suffix assignments are redirected, or other new tricks are used that most security tools are not yet aware of.

• Spyware, Adware, Bogus Security Software

  A new Malware trend is to manipulate important system components so that the Malware file can no longer simply be deleted. Some types of Spyware start multiple processes (program instances) in parallel that monitor each other. When one process is terminated the other process starts it again, etc. Bogus security software, so-called rogue Anti-virus and Anti-spyware tools, inject themselves into essential system processes such as (e.g.) winlogon.exe. If you attempt to terminate the Malware, by terminating the host process and deleting the damaging file, the action ends with the dreaded bluescreen and the system comes to a standstill.

• Rootkits

  Rootkits go one step further. They manipulate the operating system so that the Rootkit files are no longer visible and can no longer be detected by Anti-virus programs. Registry entries, open ports, and active processes can also be made invisible, thus leaving no traces of the presence of a Rootkit.

The infection types described above represent the most common Malware segments. Of course, various combinations of these techniques also exist.

Is it even possible and sensible to clean a system?

Malware constructed in a simple manner can usually be completely removed from a system with a high level of reliability. With more complex types a number of problems can occur:

• Virus Disinfection

  Since Viruses attach themselves to other programs, cleaning just requires removal of the appended code. This sounds easy but can be tricky. When a Virus not only appends itself but also manipulates the original program file in other ways, e.g. through compression or encryption, then disinfection is almost impossible. As a result of the evolutionary development of Viruses, years ago the Anti-virus manufacturers began completely deleting infected files or placing them in quarantine. This also prevents a failed disinfection from destroying a program file. Virus disinfection can also be extremely technically complicated and is usually only provided for the most common Viruses.

• Cleaning a Trojan Infection

  To free a PC of Trojans or Bots it is usually sufficient to kill the active damaging process and then delete the executable Trojan file(s). Almost all Anti-virus and Anti-malware scanners do this. Some scanners also then search the system for Autostart entries or additional Malware modules and destroy these as well (even if they no longer represent a direct threat).

• Removing Spyware and Adware

  The term Spyware now covers a relatively wide spectrum of programs. Some are regarded as undesirable software because they gather data and violate user privacy. Apart from this, these programs do not attempt to prevent their deletion. In an ideal case you can simply de-install them via “Control Panel / Add or Remove Programs” or using the uninstall feature of the program itself. Adware or bogus Anti-virus programs are a completely different case. These use every possible means to force the user to spend money. The creativity shown by the programmers seems to be unlimited. Often, the only way to remove some of these programs is to use special tools that allow files to be deleted before the system actually boots. Very few security programs are currently capable of removing such infections.

• Removing Rootkits, the Premiere League

  Rootkits have almost perfect camouflage properties. To remove them you must first know that a Rootkit even exists. This brings us to the main problem in this topic: All current Rootkit scanner technology is unable to provide a guarantee that an active Rootkit has not fooled the scanner and hidden its own existence. This is the same old cat and mouse game: Hackers find new ways of hiding – Anti-rootkit manufacturers discover these and extend their detection methods, until the Hackers once more find new ways…

Once the PC is infected – Install from scratch!

The more complex the Malware, the more difficult the cleaning process. The main problem is that you can never be really sure that the cleaning was completely successful. In many cases the cleaning functions of security products function as placebos that disguise the true facts: The logical conclusion that the PC can no longer be trusted once it has already been infected by Malware.

Why?

• Even after cleaning, a hidden Rootkit may still exist on the computer that is not yet detectable by current Anti-rootkit technology.
• It is much more likely that an infection has manipulated important operating system components. For example, file shares may have been created that open the PC to attacks, or programs may have been changed so that they embed damaging code in created files.

The ONLY way of making the PC usable again is therefore to format the hard drive and reload the operating system!

A better solution: avoid infections

Do not trust cleaning alone. Protecting the PC against Malware infection in the first place is always better than subsequently attempting to clean up the chaos created by an infection. This means using a multi-layer protection system consisting of:

• Keeping software up to dateA significant number of damaging programs gain access to the PC through security holes. Always keep your operating system up to date. The automatic Windows Update should always be activated because often only a few days pass between the publication of a security hole and the massive exploitation of this hole by Worms. It is also necessary to keep all programs accessing data via the Internet up to date. These include Browsers, PDF Readers, MP3 Players, Image Viewers, etc. because these process data that can contain damaging code.
• Web Protection Avoid navigating to dubious websites where you can catch Malware. This can be easily implemented by using Host Blockers or Firewalls with appropriate functions.
• First Major Hurdle: Signature ScanIf you still download and start a dangerous file, there is a 99% probability that this will be detected and prevented from starting by a signature-based Malware Guard.
• Second Major Hurdle: Behavior AnalysisNew Malware, and programs designed for specific individual attacks can only be detected and prevented from starting by behavior analysis based Malware Blockers.

Emsisoft Anti-Malware
cannot ensure that your operating system and programs are kept up to date but it provides all the other protection components listed above.

Have a Great (Malware-Free) Day!