[ale] [OT] Databases of viruses/malware
Ron Frazier
atllinuxenthinfo at c3energy.com
Wed Mar 2 15:12:08 EST 2011
Hi Mike,
I'm not a virus expert, but here are some resources I've come across in
my reading and listening to virus related news over the years.
Modern viruses can be very devious by design. They dig their hooks into
a system so deep and are so crafty about coming back that many people in
the tech industry do not recommend trying to disinfect a computer. The
preferred approach is to boot from a rescue CD, etc., back up the data,
format the hard drive, then restore from backups (if known to be good)
or reinstall the system then restore the data. That's the only way you
can truly trust the hard drive again. Questionable backups should be
destroyed.
I've never had a confirmed virus on my Windows system. One time, I was
getting some suspicious results from a virus scanner, and did, in fact,
reformat and reinstall. I operate with my defenses at a paranoid
level. To the extent that it is possible for end users, that's one way
to protect them. For example, I use the NoScript plugin with Firefox to
disallow all scripting unless I trust a site explicitly. This almost
completely closes off one virus vector. Even if I click on a bad link,
unless I've trusted the site, no script can run. I also have javascript
turned off in the Adobe PDF reader. Of course, this won't protect from
things like malformed JPG files, or phishing attacks where the user
actually allows an installation program to start.
In your case, I would boot something like an Acronis TrueImage or
Clonezilla CD and clone the infected computer's hard drive twice, once
for restoring data if needed, and once for playing with in a sandbox. I
would mark both external drives physically as tainted.
Then, you may wish to boot a Linux CD on the infected computer and use
one of the online scanners below to scan the machine to try to identify
the virus. You could attempt to remove it, but that may or may not
work. Another option is to download and build one of the recovery CDs
from the AV makers and scan from that. Once the virus is identified,
you can go about doing research on what it is and what it does. It's
not a good idea to rely on scanning for the virus from the infected
system's installed AV software, as the virus may be able to mask its
presence if the infected OS is running.
These are some old bookmarks I dug up. Some of the info may be a bit
dated. I haven't used any of these recently. However, I seem to
remember having luck with the ESET online scanner and the AVG recovery
CD. If using an online scanner, it is preferable that it doesn't depend
on any system binary files to run, or depend on Internet Explorer if
you're booting from a Linux CD. I don't know if the ESET scanner will
run from a Linux boot CD or not.
Here are some links to AV recovery CDs:
http://www.avg.com/us-en/avg-rescue-cd
http://techblog.avira.com/2010/12/07/improved-avira-antivir-rescue-system/en/
http://kb.bitdefender.com/site/article/627/
http://download.bitdefender.com/rescue_cd/
http://www.f-secure.com/en_EMEA-Labs/security-threats/tools/rescue-cd/
Here are some links to online scanners you could try:
http://www.f-secure.com/en_US/security/security-lab/tools-and-services/online-scanner/index.html
http://www.bitdefender.com/scanner/online/free.html
http://www.eset.com/us/online-scanner
Once the virus is identified, you can try these databases to find out
more about it. Most AV vendors keep a database, and sometimes the
viruses are named differently in each. If one of the online scanners or
rescue CDs identifies the virus, you may wish to go to their website.
http://www.avg.com/us-en/virbase
http://home.mcafee.com/virusinfo/
http://www.microsoft.com/security/portal/Threat/Threats.aspx?id=1
http://us.norton.com/security_response/threatexplorer/index.jsp
For general security and threat research, try these. If you contact
them, they may be able to help you research specific threats.
http://www.us-cert.gov/current/
http://www.cert.org/cert/
http://www.sans.org/
I would recommend running Microsoft Security Essentials on all Windows
systems.
http://www.microsoft.com/security_essentials/
Finally, I used to work at a technical college in GA. They used a
product called DeepFreeze on every computer. Basically, it freezes the
system's main boot partition so that any changes made to it are
completely reversed when the system is rebooted. So, if you get a
virus, or if a user vandalizes the system, just reboot, and it's gone.
You have to set up separate partitions or shares for data storage. You
also have to jump through some hoops to allow system updates, etc.
However, if you have control over the client's computers, this might be
a good option.
http://www.faronics.com/en/Products/DeepFreeze/DeepFreezeCorporate.aspx
That's all I can think of at the moment. Hope this information is helpful.
Sincerely,
Ron
On 03/02/2011 01:16 PM, Michael B. Trausch wrote:
> Well, alright, so I'm not technically sure if this would be considered
> off-topic or not. I'm going to err on the side of safety and say that
> it most likely is, though this is something that has to be dealt with on
> Linux servers that handle Windows clients.
>
> In any event, I'm looking into a problem, and one of the things that I
> need to do is find (good, useful) information on the particular item
> that is being problematic. How it works and so forth. I'd assume that
> there is a database of viruses and malware somewhere that provides such
> useful information, but I'm missing it if there is.
>
> In lieu of that, is there a place somewhere out there that makes these
> sorts of things available? Obviously, I can see the abuse potential for
> something like that, but it would also be useful for finding things and
> obtaining them to run them in isolated sandboxes in order to assess
> their total impact to a system. It seems that even with all the
> well-known problems that exist in the Windows world, it's difficult for
> legitimate AV/AM solutions to clean up after cruft that manages to land
> in a system.
>
> In particular, the baddie that I'm looking at has managed to get around
> the permissions setup in the system (we're talking about a completely
> restricted user account environment) and infect the system proper. I
> want to know just how it did that.
>
> --- Mike
--
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new messages very quickly.)
Ron Frazier
770-205-9422 (O) Leave a message.
linuxdude AT c3energy.com
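The "clone it twice, verify, mark as tainted" step from Ron's reply, written up as a script. This is an added example and not part of the original post; the device and directory paths in the usage comment are placeholders, and the test input is a constructed file standing in for a disk.

```shell
#!/bin/sh
# Added example, not part of Ron's post: take two dd images of a suspect
# drive (one to restore from, one to examine in a sandbox), verify each
# copy against the source by SHA-256 and label the output as tainted.
# Usage: sh clone_twice.sh /dev/sdX /mnt/evidence   (paths are placeholders)
set -eu

# Print the SHA-256 digest of a file (sha256sum on coreutils, shasum elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# clone_twice SRC OUTDIR
# Reads SRC (never writes to it) into OUTDIR/restore.img and OUTDIR/sandbox.img,
# refuses to continue if either image's digest differs from the source, then
# writes OUTDIR/TAINTED recording what was imaged and when. Prints the digest
# so it can be kept with the notes about the incident.
clone_twice() {
    src=$1; out=$2
    mkdir -p "$out"
    src_hash=$(hash_file "$src")
    for name in restore sandbox; do
        dd if="$src" of="$out/$name.img" bs=1M 2>/dev/null
        copy_hash=$(hash_file "$out/$name.img")
        if [ "$copy_hash" != "$src_hash" ]; then
            echo "digest mismatch on $name.img; do not trust this copy" >&2
            return 1
        fi
    done
    printf 'TAINTED: dd images of %s taken %s\nsha256 %s\n' \
        "$src" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src_hash" > "$out/TAINTED"
    echo "$src_hash"
}

# Stand-alone use: source device and output directory as the two arguments.
if [ "$#" -eq 2 ]; then
    clone_twice "$1" "$2"
fi
```

Run it from the rescue CD's shell against the raw device, not a mounted filesystem, so the copy captures the boot sector and any unallocated space the scanners may want to look at.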