spyware removal guide

Document Sample
spyware removal guide Powered By Docstoc
					TechTarget Windows Media WinStorage

TechTarget Guide to Spyware, Data Leakage, and Spyware Recovery
The real problem with malware is that sensitive data can be lost or worse, leave your organization and fall into the hands of criminals. This E-Guide from on a single desktop, a handful of machines on a home or small office network authenticated, but remotely connected computers is explored. Finally, dealing with malware when an infection is detected is covered. TechTarget and Websense explains how to deal with spyware and adware, be it or at the enterprise level. Then, the topic of preventing malware infections from


Sponsored By:

TechTarget Guide to Spyware, Data Leakage, and Spyware Recovery

Table of Contents

TechTarget Guide to Spyware, Data Leakage, and Spyware Recovery
Table of Contents:
Spyware responsibilities: From user to admin Malware removal handbook Expert Q & A Resources From Websense


Guarding against malware infection from remote users

Sponsored by:

Page 2 of 14

TechTarget Guide to Spyware, Data Leakage, and Spyware Recovery Spyware responsibilities: From user to admin

Spyware responsibilities: From user to admin
Ed Tittel This tip is about understanding and applying best practices when it comes to dealing with spyware and adware, be expressed as a series of admonitions on ways to make sure your computers (and users) are wise to the ways of spyware and know how to protect themselves against it. it on a single desktop, a handful of machines on a home or small office network or at the enterprise level. It's best

Preventing spyware is a process that has many layers. Some roles are performed by users and some by the administrator. These bits of advice begin with the basics and move on to more advanced practices.

"Protect Your PC"
This is actually the title of an informative and useful Web page on the Microsoft Web site. When it first appeared it advised everybody who visited to (a) keep Windows up to date, (b) use a personal firewall, and (c) use current antivirus software.

These days it exhorts its visitors to "Use Microsoft Windows Security Center" (which covers all of the aforemenspyware pages as well, much to my amazement).

tioned bases), and to "Get antispyware software," which includes the excellent Microsoft AntiSpyware beta software

package (still available for free; Microsoft links to Lavasoft Ad-Aware SE and to Spybot Search & Destroy in its anti-

Use a spyware scanner/screener
You won't be protected against spyware and adware unless you install an appropriate antispyware package. The first such package you install on your machine generally also works just like antivirus software. It will not only run at regular intervals and scan your machine, but it will also check all incoming files, messages, Web pages and so tion by malicious software. forth to look for and block spyware, adware and other malware from taking up residence on your machine. For that reason, the screening function is very important because it provides real-time protection against potential infesta-

Run one or more back-up scans weekly
Recent studies show that, unlike antivirus packages (many of which routinely achieve 100% effectiveness ratings in the virus handling department, as demonstrated by the Virus Bulletin 100% award), no single antispyware package can correctly identify or block all known spyware (not to mention new, unknown spyware). Thus, best practices dictate that you install at least two antispyware packages on all machines. Use one for realtime screening and regular scans; use the other once a week as a backup scanner to catch spyware and adware from allowing spyware to go undiscovered. that the other may miss. And, of course, it's essential to keep both (or more) such packages up-to-date to make sure they're scanning for what's really out there. It's also best to automate this activity to prevent human fallibility

Sponsored by:

Page 3 of 14

TechTarget Guide to Spyware, Data Leakage, and Spyware Recovery Spyware responsibilities: From user to admin

Understand clean-up: process and tools
What antivirus software can do for viruses, antispyware tools can detect and clean up after most known forms of tutorial that explains the general tasks and processes involved. The "official" Hijack This! tutorial also references other great sources of information and instruction on how to use it for detection and to help guide clean-up. exploring as well. MajorGeeks' Spyware Tools page is also a compendium of the most useful such tools. It's worth spending time spyware infestation. Nevertheless, it pays to get to know powerful, general-purpose clean-up tools such as Hijack

This!. You can download it from, where you'll also find a great spyware, adware and virus removal

Use a rootkit detector
There's another kind of malware making the Internet rounds these days. It's a special, extremely stealthy form of software that's designed to install and run itself as undetectably as possible. Rootkits are special-purpose software toolkits that target specific operating systems (or families of systems, like all account names and passwords to facilitate further intrusion and compromise.

Rootkits usually install on one or more systems and operate silently and stealthily in the background collecting user Although these tools often work and run by themselves (and are no less dangerous in that mode), they are increas-

32-bit versions of Windows) designed to mask intrusion and make administrator-level access available to intruders.

ingly incorporated into spyware and viruses by clever hackers. They may even be combined with Trojans to enable ture account info, passwords and other sensitive data.

what they learn to be reported to remote locations across a network or the Internet. They allow keyloggers to cap-

The real problem with rootkits is that most antivirus or antispyware tools can't detect them. A special class of tool, called a rootkit detector, is required to ferret out such malware. What's worse is that no automated clean-up tools tem (and then restore your data files and software from a known clean backup). yet exist to get rid of rootkits, so the only cure for an infestation is to wipe the drives clean and reinstall your sys-

To learn more on this topic and get pointers to detectors, visit, or read the book by that site's principals, Greg Hoglund and Jamie Butler: Rootkits: Subverting the Windows Kernel (Addison-Wesley, 2005, ISBN: 0321294319).

By following these simple steps -- and selecting the right software components to handle the various activities and protections described here -- individuals and organizations can achieve reasonable protection against malicious software.

Sponsored by:

Page 4 of 14

In this era of crimeware, Web attacks are sophisticated, constantly changing, and designed to avoid detection.

As you invest in more layers of security technology, do you know whether your traditional security measures are working? More importantly, are these investments the most effective security against today’s sophisticated web threats? Take the Websense Security Challenge and see what you’re missing.
© 2007 Websense, Inc. All rights reserved.

TechTarget Guide to Spyware, Data Leakage, and Spyware Recovery Guarding against malware infection from remote users

Guarding against malware infection from remote users
Ed Skoudis, CISSP So, you think you've got your malware defenses up to snuff, right? Antivirus tools on the mail gateway? Check. AV defined business need? Check. Thorough malware defenses against infected telecommuters using the VPN from their laptops, home desktops and even handheld devices? Um … well, … Sadly, many organizations today haven't adequately addressed the potential for malicious code infection via deployment on all company-owned desktops and laptops? Check. Firewalls blocking all services except those with a

telecommuters. Often, a home user gets infected by some pathogen on the Internet and then sets up a VPN connection to the corporate network. Once connected, the infected home system acts like the Typhoid Mary on the walls. How can you stop this plague in your environment? The solution requires both policy and technology. internal network -- spreading the malicious code and bypassing your perimeter defenses, including Internet fireMake sure to define policies that require home users to keep up-to-date AV tools installed on their systems, regardthat the AV tool be configured to automatically download new signatures each day and define specific penalties for disabling the AV tool and its update capabilities. Also, specify in your policy that the corporation reserves the right to search the computers of any VPN users across less of whether the machine is owned by the user or the company. In today's new-worm-every-day world, require

the network, again, regardless of whether the system is owned by the employee or the corporation. Employ a warning banner to launch during the VPN login that requires users to click "OK", acknowledging that their personal systems could be searched remotely when an incident occurs. Enlisting permission from the system owner -- the employee, allows your incident-response team to legally conduct the analysis required to address the problem. need to purchase machines for all telecommuters, so make sure the budget can adequately afford you going that route.

Without this policy and warning banner, you have no business searching an employee-owned machine. Alternatively, you can create a policy that limits VPN access to only corporate-owned computers. Of course, your company will

Fortunately, many VPN gateways now offer the capacity to interrogate the client to ensure the host system is running an active AV tool with up-to-date signatures and a personal firewall. Activate these capabilities if your infrafiltering -- only allowing access to absolutely required services and only to those servers that each remote user you to detect and thwart attacks early. structure supports them; Users wanting access to the corporate playground, first must prove they won't infect the other kiddies. Also, make sure your VPN gateway passes all traffic through a firewall that performs comprehensive needs. Furthermore, consider deploying network-monitoring tools, including network-based intrusion-detection and intrusion-prevention systems, on network segments associated with the VPN and filtering devices -- this will enable

Sponsored by:

Page 6 of 14

This is not a game of hide and seek. With Websense® ThreatSeeker™ technology, security threats haven’t got a chance.

Unlike traditional antivirus and intrusion prevention solutions, we search over 85 million web sites daily to find and eliminate threats before they can destroy your business. See what a difference intelligent web security can make. Take the Websense Security Challenge If you don’t have Websense, you’re not protected.

© 2007 Websense, Inc. All rights reserved.

TechTarget Guide to Spyware, Data Leakage, and Spyware Recovery

Malware removal handbook

Malware removal handbook
Kevin Beaver, Contributor It seems that one of the biggest problems plaguing Windows users -- both at work and at home -- is recovering can really take considerable time to remove from a system. from a malware infection. In fact, it's the most common problem posed to me in my Ask the Expert forum. Whether or not they do any damage, certain adware, viruses, and (heaven-forbid) rootkits

I've come across various tricks over the years to remove virtually anything and at the same time keep your cleanup efforts -- and the ensuing stress -- to a minimum. Make sure you consider each of the following steps when the time comes to respond to an infection: 1.

ferent ways and some are certainly better than others, so if you're having trouble getting your system works. Some tried and true options I've used are: • • • • • •

Use several tools for cleaning up viruses, spyware, and rootkits. Many malware removal tools work in dif-

cleaned up, make sure you try two, three, four or more. It's almost guaranteed that you'll find one that


able to point you in the right direction. Here are some that have worked well for me and others in the past: • • • •

Try some of the free tools available for online scanning. A Google query of "free antivirus" should be


registry keys referencing this program under HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/Current tory such as the Windows temp directory. It's therefore important to run a full system scan.

Check all the obvious places such as your Windows startup folder, the Startup tab in msconfig, and any

Version/Run in regedit. Also, you cannot underestimate malware that's located in a seemingly benign direc-

Sponsored by:

Page 8 of 14

TechTarget Guide to Spyware, Data Leakage, and Spyware Recovery

Malware removal handbook


possibly track down the malware in action. You can also run Foundstone's Vision to search for malware

Dig in deeper. Try loading Sysinternals' Process Explorer to view loaded processes and applications and

bound to a local TCP or UDP port. You can also use your personal firewall's application protection feature (if supported) or a network analyzer such as CommView or Ethereal to see what's taking place behind the scenes. This can help reveal suspect protocols and traffic entering and leaving your computer that you'd otherwise be unable to see. Unload any software you suspect to be infected and then re-run your scans. It could be that your

5. 6.

software has files open blocking any cleaning or quarantine attempts by your malware removal software. ning your virus/spyware testing tools. Also, some antivirus programs come with a bootable CD you can run as well. You may have software corruption or a hardware problem rather than a malware infection. Try reinTry disabling system restore and booting into safe mode (here's a good reference) and then run-


stalling Windows or your affected application(s). If that doesn't work, try to recall any recent hardware changes you've made such as adding memory, a video card, etc. You could have some bad memory, a troubleshooting at that level or having it looked at by a qualified technician.

poorly-seated PCI card, or other issue that could take forever to figure out unless you get your hands dirty 8. Don't totally rely on Google or your favorite search engine to find specifics on how to clean up your site and CA's Spyware Encyclopedia site both contain a lot of good information. Also, check Google

system. Check vendor sites directly. I've had to browse antivirus and antispyware sites (Symantec, Trend Micro, Sophos, and others) to find the right answers many times over. Symantec's Security Response anywhere else.

Groups postings as well as they often contain a wealth of information from other users that you can't find Antivirus and antispyware vendors may have specific removal tools that you've likely never heard


of but still need to help with your disinfection. Don't be afraid to use a tool from a vendor other than your current antivirus or antispyware vendor. Their tools should work even though you have a competing product installed and, sometimes, it's the only option. installation media or a known clean system.

10. Hash suspect files using HashCalc or similar tool and compare your results to known good copies off of 11. When in doubt, reload. If you cannot get Windows to load -- it is locking up or continuously rebooting at a certain point -- even in safe mode, then you may have to take more drastic steps to recover your sysreformat and start all over. As drastic as this may sound, it'll likely take less time than trying to troubleshoot this further, and you'll have a clean system to boot. tem. But before you do that, you should try Winternal's ERD Commander to see if you can get back in at least long enough to copy data files you don't want to lose. Beyond that, you can restore from backup, or

Sponsored by:

Page 9 of 14

TechTarget Guide to Spyware, Data Leakage, and Spyware Recovery

Malware removal handbook

12. At the enterprise level, you really need a formal security incident response plan. It's one thing to clean malware off one or two systems but quite another to respond to a widespread outbreak across an entire network. The following sites are great starting points: • • • •

Sponsored by:

Page 10 of 14

“Websense seems to be flawless with this capability. With the other web filter product, they had to either block or allow the entire Web site which resulted in calls to the help desk to unblock. With Websense you just get finer and very granular categorization.”
Walt Robertson Director of Information Technology (IT) Salvation Army, Los Angeles

The first ministry of The Salvation Army in the United States opened in 1880. Today, The Salvation Army has been in California for over 100 years, with several locations around the Los Angeles area. In California, The Salvation Army operates programs for at-risk youth, homeless people, families with HIV/AIDS, veterans, victims of domestic abuse, senior citizens, adults in recovery, pregnant and parenting teens and runaways. The Salvation Army also has service centers that offer food, shelter, clothing and referrals and provides relief for local, national and international disasters. Salvation Army, Los Angeles, chose to implement Websense Enterprise and Websense Security Filtering™ to protect its 1100 member user community. Salvation Army previously had used another web filtering product that was prone to technical problems, complex to use and came with poor customer service. When the time came for renewal, Walt Robertson, the Director of Information Technology (IT) for Salvation Army, Los Angeles, decided to switch over to Websense. According to Walt, as a charitable organization they are sensitive to not just the initial subscription costs but the total cost of ownership. With the other product, Walt was frustrated to find that they had to reboot the network about once a month. The system would completely crash, leaving the network unprotected. They also received poor customer service from tech support when they called to try to get these issues resolved. Walt is very pleased to now have a system in place that runs smoothly, “With Websense, I never even think about it –— it just runs and runs.” According to Walt, customer service with Websense was outstanding in helping with the implementation of the product and that “on the rare occasions that I have needed help from tech support, the team was easy to contact and I received same-day support with numerous follow-up emails and conversations to make sure that I was completely satisfied.”

and allows self-service internet use, they wanted to make sure that the internet was a resource being used for appropriate purposes. Also there were network bandwidth issues that Salvation Army hoped to be able to better manage with a filtering solution. The flexibility and granularity found in Websense Enterprise allows different user groups different usage policies and finite categorization resulting in fewer help desk calls. Walt was very impressed in particular with the granular categorization provided by Websense. For example, at their organization social workers sometimes use the rental pages of Web sites like Craig’s List. However, there may be sections of these types of Web sites that they feel are inappropriate internet uses for their organization. Websense automatically filters these pages within the Web site. According to Walt, “Websense seems to be flawless with this capability. With the other Web filter product, they had to either block or allow the entire Web site which resulted in calls to the help desk to unblock. With Websense you just get finer and very granular categorization.” Walt was pleased that Salvation Army, Los Angeles, realized a great return on subscribing to Websense Enterprise with the bandwidth savings that incurred from blocking the protocols for streaming media. Walt was also impressed that since implementing Websense Security Filtering, they no longer have the spyware problems that have plagued their network in the past. Previously they had instances where spyware was hijacking their computers and redirecting the web browsers. They were spending on average 4 to 5 man hours per week battling various spyware problems. According to Walt, he has not really had to think about spyware since implementing Websense and he “has seen at least a 90% or more reduction in spyware in their network.” See what Websense can do for you. Take the Websense Security Challenge.

© 2007 Websense, Inc. All rights reserved.

There were several critical issues that prompted the Salvation Army to install a web filtering solution. As an organization that often times uses the internet to provide services for people

TechTarget Guide to Spyware, Data Leakage, and Spyware Recovery Expert Q & A

Expert Q & A
How to Deal with a Virus
Q: I am receiving a virus called drstartloader.exe. I received it through IM from someone else which in turn is to remove it? sending itself to everyone on my list. Have you encountered something like this before and, if so, do you know how EXPERT RESPONSE

Did your local antivirus software detect it? Have you done a full system scan and made sure you have the latest tools) I listed in my malware removal handbook to make sure your system is clean.

Windows patches and IM software? Definitely try more than one of the malware removal tools (including the rootkit

How to Deal with Malware
Q: I have a Windows XP Pro and a virus or malicious file has my computer locked up to where Windows will not one computer and then load it on the disabled one. EXPERT RESPONSE open: "access denied to object...". I don't mind paying for a program to fix this but I would like to download it to

is that you'll need a tool like Winternals ERD Commander that I mention.

This can be a tough one. I recommend going through my Malware Removal Handbook for ideas. The bottom line

Is this a virus?
Q: Can a virus affect my sound and video? Back in my college days, I learned how the Intel-based assembly language (a low-level language that some malEXPERT RESPONSE

ware is written in) could be used to do anything from slamming the heads on a hard drive to their breaking point -all the way to burning out the old-style CGA, EGA and VGA video screens. So, yes, anything is technically possible help, it may be worth a call to your computer's tech support line or even having an experienced PC expert take a look at the problem. with malicious code. However, that might not be the problem you're experiencing. If you're having sound and video problems, you should try uninstalling and reinstalling the drivers or trying different ones altogether. If that doesn't

Sponsored by:

Page 12 of 14

TechTarget Guide to Spyware, Data Leakage, and Spyware Recovery Expert Q & A

Spyware, bots and Trojans
Q: Is all spyware dangerous? EXPERT RESPONSE Not all spyware is "dangerous". Much of it simply creates a nuisance to the local user, others track stats for "marketing" purposes, and other types may be considered dangerous. The best way to prevent this is to run one (or another for performing periodic system scans. two) anti-spyware tools - perhaps one for checking real-time memory processes, file/registry accesses, etc. and

Sponsored by:

Page 13 of 14

TechTarget Guide to Spyware, Data Leakage, and Spyware Recovery Resources From Websense

Resources From Websense

Security News and Alerts
The Websense Security Challenge - see what your current security solutions are missing. Websense Security Labs Trends Report - A summary of significant Internet security findings. Subscribe to Websense Security Alerts - get the latest news about malicious internet threats sent directly to your inbox. they find you. Video: Behind the Scenes at Websense Security Labs - learn how we find Internet threats before Webinar: Exploit 2.0! - Web 2.0 is here. Learn how hackers are using the new web technologies to target your organization.

White Paper: Protecting from Complex Internet Threats White Paper: Protecting Organizations from Spyware Case Study: LifeCare Management Services, LLC Chooses Websense to Protect Its User Community

Information Leak Prevention
White Paper: Information Protection and Control: Websense Targets the Insider Threat - Information Leak Prevention Leak Prevention Webinar: Information Protection and Control: Securing the World's New Currency - Information

Sponsored by:

Page 14 of 14

Shared By: