Scanning for Malware Should Be an Outside Job
A few days ago, at WashingtonPost.com Brian Krebs blogged about businesses that had money stolen from them courtesy of malware on their computers.
One of the companies was Slack Auto Parts in Gainesville, Ga., which lost nearly $75,000 when "cyber intruders used malware planted on the controller's Windows PC .. [to] ... break into the company's bank accounts, create new user accounts at the bank, and then wire payments to money mules around the country."
What makes this particularly interesting is that, after the fact, the anti-virus software used by the company (which Krebs did not identify) failed to find any malware. A "hired cyber security expert" likewise gave the infected machine a clean bill of health. It wasn't until the company sought a second opinion that the keystroke-logging "Clampi" Trojan horse program was detected.
The failure of an anti-malware application to detect a particular piece of malware is not news. Many malicious programs do a great job of hiding themselves.
What to do?
Scan a suspect system from the outside, without the suspect operating system running.
This ensures that the malicious software does not get a chance to defend itself.
My preferred software for scanning from the outside is the free Ultimate Boot CD for Windows (UBCD4WIN). It includes a handful of free anti-malware programs that run from the CD and can even update themselves before scanning. Among the free software included with UBCD4WIN are Avira's AntiVir, SUPERAntiSpyware, McAfee's Stinger, Spybot Search & Destroy and AVG Free. A full list is available here.
In addition to running software off the CD, UBCD4WIN can also share the infected C disk over a network, allowing it to be safely scanned by your favorite anti-malware program residing on another (presumably clean) computer.
Scanning from the outside is a great first crack at detection, but, by itself, it's not sufficient. You still need to scan for malware from inside the infected operating system after scanning from the outside. The main reason: the registry, which an outside scan does not load.
Interestingly, both MalwareBytes and SUPERAntiSpyware are working on mounting the infected registry even when they scan a system from the outside. This should be a big step forward in malware detection and removal.
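As an added illustration of the registry gap described above (this is not code from the post or from UBCD4WIN), here is a minimal pure-Python reader for the REGF hive format that pulls the Run autostart entries out of a SOFTWARE hive copied from the offline disk, so an outside scan can still see registry-based persistence without booting the suspect OS. The hive it parses is a constructed stand-in built in the block; the two Run entries in it and the hive path in the usage note are assumptions, and the reader assumes the usual compressed (8-bit) key and value names.

```python
import struct
def cell(h, off):  # payload of the cell at an hbin-relative offset; offsets count from the first hbin at 0x1000
    size = struct.unpack_from("<i", h, 0x1000 + off)[0]  # the size field is negative while the cell is in use
    return h[0x1004 + off:0x1000 + off + abs(size)]
def subkeys(h, list_off):  # lf/lh lists hold (offset, hash) pairs, li holds bare offsets, ri is a list of lists
    lst = cell(h, list_off)
    sig, count = lst[:2], struct.unpack_from("<H", lst, 2)[0]
    offs = [struct.unpack_from("<I", lst, 4 + i * (8 if sig in (b"lf", b"lh") else 4))[0] for i in range(count)]
    return [o for sub in offs for o in subkeys(h, sub)] if sig == b"ri" else offs
def find_key(h, nk_off, path):  # walk the names in `path` down from the nk cell at nk_off; None if absent
    if not path:
        return cell(h, nk_off)
    n_sub, list_off = struct.unpack_from("<I4xI", cell(h, nk_off), 0x14)  # subkey count at 0x14, list at 0x1C
    for off in subkeys(h, list_off) if n_sub else ():
        child = cell(h, off)
        name_len = struct.unpack_from("<H", child, 0x48)[0]
        if child[0x4C:0x4C + name_len].decode("latin-1").lower() == path[0].lower():  # names are case-insensitive
            return find_key(h, off, path[1:])
def values(h, nk):  # {value name: data}; REG_SZ / REG_EXPAND_SZ are decoded, other types are left as bytes
    n_val, list_off = struct.unpack_from("<II", nk, 0x24)
    out = {}
    for i in range(n_val):
        vk = cell(h, struct.unpack_from("<I", cell(h, list_off), 4 * i)[0])
        name_len, data_len, data_off, dtype = struct.unpack_from("<HIII", vk, 2)
        small = data_len & 0x80000000  # data of 4 bytes or less is stored in the offset field itself
        data = vk[8:8 + (data_len & 0x7FFFFFFF)] if small else cell(h, data_off)[:data_len]
        name = vk[0x14:0x14 + name_len].decode("latin-1") or "(Default)"
        out[name] = data.decode("utf-16-le").rstrip("\0") if dtype in (1, 2) else data
    return out
def run_entries(h):  # {name: command} for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in an offline SOFTWARE hive
    nk = find_key(h, struct.unpack_from("<I", h, 0x24)[0], ["Microsoft", "Windows", "CurrentVersion", "Run"])
    return values(h, nk) if nk is not None else {}

def build_sample_hive():  # CONSTRUCTED stand-in for a SOFTWARE hive holding only the path down to Run (not a real hive)
    buf = bytearray(b"hbin" + b"\0" * 28)  # first hbin header; cells follow it
    def add(payload):  # append one 8-byte-aligned cell, return its hbin-relative offset
        payload += b"\0" * (-(len(payload) + 4) % 8)
        buf.extend(struct.pack("<i", -(len(payload) + 4)) + payload)
        return len(buf) - len(payload) - 4
    def nk(name, sub=(), vals=()):  # key cell; 0xFFFFFFFF marks a missing subkey or value list
        sl = add(b"lf" + struct.pack("<H", len(sub)) + b"".join(struct.pack("<II", o, 0) for o in sub)) if sub else 0xFFFFFFFF
        vl = add(b"".join(struct.pack("<I", o) for o in vals)) if vals else 0xFFFFFFFF
        return add(b"nk" + b"\0" * 0x12 + struct.pack("<6I", len(sub), 0, sl, 0xFFFFFFFF, len(vals), vl) + b"\0" * 0x1C + struct.pack("<HH", len(name), 0) + name.encode())
    def sz(name, text):  # REG_SZ value cell whose data cell holds NUL-terminated UTF-16LE text
        return add(b"vk" + struct.pack("<HIIIHH", len(name), 2 * len(text) + 2, add((text + "\0").encode("utf-16-le")), 1, 0, 0) + name.encode())
    run = nk("Run", vals=[sz("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"), sz("Updater", r"C:\Users\Public\updater.exe")])  # two constructed entries
    root = nk("ROOT", sub=[nk("Microsoft", sub=[nk("Windows", sub=[nk("CurrentVersion", sub=[run])])])])
    return b"regf" + b"\0" * 0x20 + struct.pack("<I", root) + b"\0" * (0x1000 - 0x28) + bytes(buf)  # root key offset lives at 0x24
```

Against a real suspect disk, mount it read-only from the boot CD and call run_entries(open(r"<mount point>\Windows\System32\config\SOFTWARE", "rb").read()) (the path is the usual location, assumed here); any entry pointing into a user-writable directory is worth a closer look.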
Date of publication:
Author: Keylogger.Org Team