Dealing with Drive-by Downloads
End users and customers may call support requesting assistance with removing malware from their PC after being infected by a Drive-By Download. This article provides information on the scope of Symantec's role in assisting the affected customer. Note that this information should be considered general advice and guidance, not strict rules for the customer to follow. The following points are the main things to consider when dealing with a Drive-by Download victim.
If malware infects someone’s PC, they are at risk of:
- Data theft - This includes any passwords that are stored on the PC (within password managers, browsers and so on), authentication credentials, crypto certificates and private keys, credit card numbers, sensitive documentation, files and so on.
- Keystroke capturing - Any passwords or credit card numbers that have been entered since malware infected the system could be compromised.
At an administrative level, mitigation would include:
- Changing all online passwords from a different, known-clean PC (changing them from the infected machine only hands the new passwords to the keylogger).
- Monitoring credit card and bank accounts for unusual activity.
From an operating system perspective, integrity is completely compromised. Most commonly, some sort of "backdoor" is installed at the OS level. There might be kernel-level backdoors, or cases where OS binaries are modified and malicious code appended to them. While a tech-savvy user with a high level of expertise may be able to clean the system up without a full OS reinstall, there is no guarantee that the system is fully clean. The general consensus is that the only 100% surefire path is to reinstall the operating system.
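The "modified OS binaries with code appended" case can be checked mechanically. The following is an added example (not Symantec's tooling or anything referenced by this article) that does two things a cleanup technician would want: compare each file's SHA-256 against a baseline taken from trusted media, and parse the PE headers to see whether bytes trail the last section (an "overlay", which is where appended code lands). The sample executable is a constructed, minimal PE32 image built in the script so it runs offline; it is not a real program and the file name is an assumption.

```python
import hashlib
import struct
from typing import Optional


def pe_overlay_size(data: bytes) -> Optional[int]:
    """Return the number of bytes trailing the last section of a PE file (the
    overlay), or None if the bytes are not a parsable PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    sect_off = pe_off + 24 + opt_size                           # first section header
    end_of_sections = 0
    for i in range(num_sections):
        hdr = sect_off + i * 40
        if hdr + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return max(0, len(data) - end_of_sections)


def baseline(files: dict) -> dict:
    """SHA-256 of every file in the trusted set (name -> hex digest)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def check_binaries(known_good: dict, current: dict) -> dict:
    """Compare live files against the baseline; return {name: [reasons]}."""
    findings = {}
    for name, data in current.items():
        reasons = []
        if known_good.get(name) != hashlib.sha256(data).hexdigest():
            reasons.append("hash differs from baseline")
        overlay = pe_overlay_size(data)
        if overlay:
            reasons.append(f"{overlay} bytes appended after last section")
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (NOT a runnable executable) used as the
    known-good baseline: one .text section, 0x200 bytes at file offset 0x200."""
    pe_off, opt_size = 0x40, 224                      # 224 = PE32 optional header size
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", 0x200, 0x1000,
                          0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + coff + bytes(opt) + section
    return headers.ljust(0x200, b"\0") + b"\xC3" + b"\x90" * 0x1FF   # ret + filler


if __name__ == "__main__":
    clean = build_sample_pe()
    infected = clean + b"\x90" * 32 + b"EVIL"          # constructed: payload glued on the end
    trusted = baseline({"sample.exe": clean})          # file name is an assumption
    print(check_binaries(trusted, {"sample.exe": infected}))
```

Two caveats apply in practice: an overlay is a signal, not proof, because signed installers and Authenticode-signed binaries legitimately carry data after the last section, so the baseline hash is the decisive check; and a kernel-level rootkit can hide or filter file reads on the running system, so hashes should be taken from a boot disk rather than from the infected OS.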
In some cases, the malware has the ability to write to the BIOS or other system firmware, such as the firmware on the Ethernet card. The CIH virus (aka Chernobyl), which overwrote the flash BIOS on susceptible boards, is one example of malware with this capability; an OS reinstall does not touch firmware.
Also, any removable media that was in use when the system was infected by malware (USB disks, phones, cameras, etc.) may also have been infected and should be checked before being plugged into a clean machine.
From a network perspective, there is also the possibility that a compromised system becomes a conduit for attacks on other network-attached computers. So even if the system is cleaned up, other computers in the same network environment may already have been infected and could consequently re-infect the system. Proper analysis of the other computers should therefore also be carried out.
In addition, a lot of malware resides in the Master Boot Record (MBR), so if doing a reinstall it may be necessary to wipe the MBR and repartition the disk (for example with diskpart's clean command) rather than simply formatting the existing partition, because formatting a partition does not rewrite the MBR.
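To make "malware residing in the MBR" concrete, here is an added example (not part of this article and not a Symantec tool) that parses a 512-byte master boot record, checks the 0x55AA boot signature, lists the partition table, and compares the 446-byte boot code against a hash taken from a trusted install. The two MBR images are constructed in the script: the "clean" boot code is a stand-in beginning with the familiar xor/mov prologue, and the "tampered" one is an arbitrary far jump standing in for bootkit code; neither is real boot code.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold boot code, then 4 x 16-byte partition entries
SIGNATURE = b"\x55\xAA"        # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Decode one MBR sector into signature status, boot-code hash and partitions."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[BOOT_CODE_LEN + i * 16:BOOT_CODE_LEN + (i + 1) * 16]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def mbr_findings(sector: bytes, trusted_boot_code_sha256: str) -> list:
    """Return a list of reasons this MBR should be treated as suspect."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != trusted_boot_code_sha256:
        findings.append("boot code differs from the trusted baseline")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given boot code padded to 446 bytes, one active NTFS
    partition (type 0x07) starting at LBA 2048, and the 0x55AA signature."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    table = entry + b"\0" * 48                       # remaining three entries empty
    return boot_code.ljust(BOOT_CODE_LEN, b"\0") + table + SIGNATURE


# Constructed stand-ins, not real boot sectors.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C"    # xor ax,ax / mov ss,ax / mov sp,7C00h
TAMPERED_BOOT_CODE = b"\xEA\x00\x7C\xC0\x07"         # a far jump to somewhere else

if __name__ == "__main__":
    trusted = parse_mbr(build_sample_mbr(CLEAN_BOOT_CODE))["boot_code_sha256"]
    # On a live system the sector would be read from r"\\.\PhysicalDrive0" (Windows,
    # as administrator) or /dev/sda (Linux), ideally from boot media so a rootkit
    # cannot filter the read.
    print(mbr_findings(build_sample_mbr(TAMPERED_BOOT_CODE), trusted))
```

The trusted hash has to come from a copy of the disk's original boot code (the same Windows version and bootloader), not from the infected machine; and because an active bootkit can intercept sector reads, the comparison is only meaningful when the sector is read from a boot disk such as the DART media described below.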
Well-crafted malware may not set off any AV alerts, making detection difficult. Armorize has a product called Archon scanner which does pure behavioral analysis on potentially compromised systems. Other rootkit analysis tools include Sophos Anti-Rootkit and Rootkit Unhooker from antirootkit.com. MalwareBytes is another possible solution. These are not tested or supported by Symantec; they are only offered as a suggestion to the customer.
Mitigation is difficult without a full OS reinstall. General recommendations would be to scan the system with at least 2 different anti-virus programs and then run a separate malware scanning program, such as MalwareBytes.
Beyond these steps, forensic analysis is required to identify system entry points, logs and potential replaced binaries. Symantec does not offer these solutions. The customer should consult a local IT professional for obtaining forensic analysis.
Microsoft Diagnostics and Recovery Toolkit (DART) includes an anti malware tool that allows you to make bootable sweeper disks. DART can be obtained from this link: http://www.microsoft.com/windows/enterprise/products/mdop/dart.aspx
This link has additional information about DART: http://www.ditii.com/2009/09/01/microsoft-diagnostics-and-recovery-toolset-dart-anti-malware-tool/
Once the system is cleaned up (or reinstalled), it should also be properly hardened to ensure that those vulnerabilities which were exploited to plant malware in the first place are mitigated. Without this hardening process, the computer will likely be infected again at some point.
National Institute of Standards and Technology (NIST) has produced PC hardening guides such as this one:
Hardening XP Home: http://www.itl.nist.gov/lab/bulletns/bltnnov06.pdf
In general, to protect the PC against re-infection:
- Keep the computer system up-to-date and patched. This includes OS, browsers, and all installed software applications.
- Using an OS other than Windows is a great idea, as injected malware overwhelmingly targets Windows. However, this is generally not a practical piece of advice for the average user.
- If using Internet Explorer, then upgrade to IE 8, which offers more security than earlier versions. It may be a better idea to move to another browser completely. Remember that the less popular a piece of software is, the less likely it is to be targeted by mass exploit kits.
- Where possible, replace popular software/browser extensions such as IE, Adobe Reader and WinRAR with alternatives such as Firefox with NoScript (browser), Foxit (PDF) and 7-Zip (file compression).
- Current malware trends indicate most attacks target 32-bit platforms. Moving to a 64-bit platform might provide more security for the end user.
- When reading email, set your default to plain-text mode as opposed to HTML. This makes all embedded links clearly visible and stops embedded HTML content, scripts and remote images from being rendered automatically.
- Personal firewalls are not a bad idea, but in general they will not offer protection against a download in the HTTP response stream, because the browser itself initiated the outbound connection and the malicious payload arrives as a normal reply to it.
- It is also worth installing (and updating) anti-virus and anti-malware software programs. However, the user should not rely on these alone.