Anyone who knows me knows I enjoy chasing viruses through the darkest recesses of a workstation, and learning what weird and wonderful new way things are hiding themselves (or reinstalling themselves), and I know it can go sideways and get scary really really fast.
And then you move up and up in the ladder of technicians, across the line into guru or mad scientist land. You start pulling craziness from the magician’s hat, only it’s not always a cute little bunny you pulled out of that hat, like people might have expected you to. It’s this horrifying multi-legged gibbering *thing* that came from the deep blackness of the net, and it might eat every machine in a 50-foot radius if you don’t handle it properly. And nobody knows how to handle it properly, and everyone who knows enough about such things knows enough to be a little scared. - JBurton
Was reading a post over at Pelalusa that the virus/malware that ripped through VSB’s offices and classrooms faster than pinkeye is still a problem, even though it’s been four weeks since initial infection. This is a known piece of malware, and I’m assuming it’s viral (spreads by itself, using a known vulnerability in Windows).
So why can’t they get rid of it?
I think a big part of the problem is that people aren’t thinking outside the existing operating system when trying to remove a virus. A lot of malware these days is so deeply entrenched in the operating system that simply booting up is enough to start it running again, so trying to remove it from within the infected OS is much harder than the average SOHO user would think.
What these schools and offices need is a quick course in how to use a boot CD containing one of the MANY MANY custom “Live” antivirus/router versions of Linux. The one that comes to mind right now is “Trinity Rescue Kit,” which has a boot option that starts up and scans the system’s HDD with a number of different antivirus products, all of which are automatically updated from the ’net if a connection is available.
But because the system is booted from the LiveCD and scanned while running a read-only operating system, the infected Windows install isn’t actually launched. It’s “frozen” in a shut-down state, so there’s no way for it to keep reinfecting the machine, or to be reinfected by other machines on the network during the antivirus scan.
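To make the “scan it from outside” idea concrete, here is a small added example (my own illustration, not code from the original post and not part of Trinity Rescue Kit or any other rescue CD). It assumes the rescue environment has already mounted the Windows volume read-only somewhere (for instance `ntfs-3g /dev/sda1 /mnt/win -o ro`), and that `known_bad.txt` holds SHA-256 hashes of samples you already have from an infected machine; both the mount point and the hash list are assumptions for the demo. The point is that every file on the dead Windows install is only ever *read* and hashed, never executed, so nothing the malware set up to run at boot gets a chance to run.

```shell
#!/bin/sh
# Added example: the offline-scan pattern a rescue CD uses, boiled down.
# Assumed setup (not from the post): Windows volume mounted read-only under
# the directory passed as $1, and $2 is a text file of known-bad SHA-256 hashes.

# Walk a mounted tree and report every file whose SHA-256 is in the hash list.
# Files are opened for reading only; nothing under $1 is executed.
offline_scan() {
    tree="$1"; badlist="$2"
    find "$tree" -type f 2>/dev/null | while IFS= read -r f; do
        h=$(sha256sum "$f" | cut -d' ' -f1)
        if grep -q -i "^$h" "$badlist"; then
            printf 'INFECTED %s\n' "$f"
        fi
    done
}

# Number of hits under a tree; handy when scripting a whole lab of machines.
offline_scan_count() {
    offline_scan "$1" "$2" | wc -l | tr -d ' '
}

# Constructed demo data standing in for a mounted Windows volume: one dropper
# in System32, the same payload re-dropped on a user's desktop, and a clean file.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/Windows/System32" "$d/Users/kid/Desktop"
    printf 'MZ pretend worm binary\n' > "$d/Windows/System32/wrm.exe"
    printf 'MZ pretend worm binary\n' > "$d/Users/kid/Desktop/funny.scr"
    printf 'homework draft\n' > "$d/Users/kid/Desktop/essay.txt"
    # The hash list would normally come from a real AV signature set or from
    # samples pulled off an already-infected box; here it is built from the demo.
    sha256sum "$d/Windows/System32/wrm.exe" | cut -d' ' -f1 > "$d/known_bad.txt"
    echo "$d"
}

# Usage: D=$(demo_setup); offline_scan "$D" "$D/known_bad.txt"
```

On a real machine you would run `offline_scan /mnt/win /path/to/known_bad.txt` after confirming the mount really is read-only (`grep /mnt/win /proc/mounts` should show `ro`), and then let the rescue CD’s proper AV engines do the thorough pass; a plain hash match like this only catches byte-identical copies, which is exactly why a self-spreading worm that re-drops the same file all over the network is the easy case for it.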
Maybe it’s worse than other malware out there, but I’ve worked in IT at some of Vancouver’s larger offices (EA Blackbox for 3 years and then Burnaby for another two) and when we had to battle Sasser a few years back, we learned really quickly how to do things like stop a system from shutting itself down. I was the “antivirus guy” at that studio of 2000+ workstations: both the administrator of the AV server itself, and the guy they’d send down to take care of machines that were utterly hooped because someone clicked something in an MSN message.
So, since I was recently laid off from Humanature, I don’t have much to do right now, and when I see that little piece of construction paper that reads “Infected with virus, do not power on” stuck to the computer in my son’s classroom, I want to help.
A $10 box of blank CDs, and we can probably clean up that campus in a day. I’m assuming the malware is spreading office to office though, so that’ll cause problems. Probably need to get someone to put together a $450 workstation at each office that’ll filter for malware at the “point of access,” and some blackhole Snort/Snare boxes here and there that’ll let us know where the inbound attacks are coming from.
I’m not saying I can do it all, but if you hook me up with the right people, I’m certainly willing to help if I can.
There is something to be learned from a rainstorm. When meeting with a sudden shower, you try not to get wet and run quickly along the road. But doing such things as passing under the eaves of houses, you still get wet. When you are resolved from the beginning, you will not be perplexed, though you still get the same soaking. This understanding extends to everything. – Hagakure