Thursday, February 24, 2005

If Microsoft can't do it, can anybody?

[this is a logical continuation of my last post, berating MS Anti-Spyware...] There is a tool/technology that's sorely needed by spyware/virus removal tools, but is conspicuously missing from anti-malware offerings, mostly due to licensing issues, it would seem. The technology is called a Pre-installation Environment (PE): it boots a functional O/S exclusively from read-only media (such as a CD/DVD). Happily there is a tool that makes it reasonably easy to build such a boot disk, called Bart PE; it's free, and I highly recommend it. It took me about 40 minutes to build my first Bart PE CD. I've since gone on to make several other bootable CDs and DVDs... can't imagine having to do without it now.

The reason it's so necessary for effective spyware removal is simple: it's very difficult (perhaps even impossible) to completely remove a malintended process once it's running. It's just way too easy for it to dump another executable from a resource, or create a copy of itself and spawn it, before being forcibly shut down. It's even possible to attach a thread to another process. Plus the number of registry locations that can be used to trigger activation of code is severe. Who would be in a better position to succeed at this than Microsoft? Maybe they haven't really even tried yet, but I can tell you for sure, their current anti-malware product is inadequate.

So, you may be asking, what have I done about this besides bitch and moan? For one thing I've created a BartPE disk that has an Undelete program, the original RegEdt32.EXE, Nero 5.0, Partition Edit and a few other essential utilities. It makes clean-up and/or recovery a much simpler prospect. I've also had some success with some AV software, but the glitch is getting current AV definitions on the fly into a place where they can be used. I've also written a couple of partner utilities that make removal of spyware somewhat painless, and genuinely successful, from within PE.
One of them loads (and unloads) the software and user hives under specifically named keys, allowing access to an infected system's registry from within a PE session. (The PE has its own registry, of course.) This makes it possible to change the registry used by one system from within another, without the infected system running. Its partner (which has carnal knowledge of those specifically named keys) allows me to recursively delete registry keys from those loaded hives, by passing the original key names to it on the command line.

For example, let's say you want to remove the key HKEY_LOCAL_MACHINE\Software\Classes\DyFuCA_BH.BHObj (which is used by some filthy malware crap) and all of its subkeys from an infected system's registry. The loader tool loads your infected software hive under the key:

HKEY_LOCAL_MACHINE\offline_HKEY_LOCAL_MACHINE_software

Which means the path to the [temporarily] physical key location is:

HKEY_LOCAL_MACHINE\offline_HKEY_LOCAL_MACHINE_software\Classes\DyFuCA_BH.BHObj

The remover tool accepts the original key name, but removes it from the loaded hive:

DELOFFLINEKEY "HKEY_LOCAL_MACHINE\Software\Classes\DyFuCA_BH.BHObj"

The remover tool adjusts the key that's passed to it, which makes it much easier to turn the output of a spyware removal tool into a batch file. (You can see why I won't be going public with these tools any time soon.) [to be continued, if interest exists...] -MM
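As an added illustration (not the author's loader or DELOFFLINEKEY tool), here is a small Python script that does the same key-name adjustment and turns a removal tool's list of keys into reg.exe delete commands. It assumes the SOFTWARE hive is loaded where the post says, assumes (my choice, not the post's) that the user hive is mounted at HKEY_LOCAL_MACHINE\offline_HKEY_CURRENT_USER, and refuses any key that does not fall under a loaded hive, since such a key would hit the PE's own live registry rather than the infected system's.

```python
"""Map original registry key names onto hives loaded offline in a PE session.

Constructed example. Mount points: the SOFTWARE hive location is taken from the
post; the user-hive location is an assumption made for this example.
"""
import re
from typing import List, Optional, Tuple

# original root prefix (lower-cased) -> where that hive is mounted in the PE registry
HIVE_MAP = {
    "hkey_local_machine\\software": r"HKEY_LOCAL_MACHINE\offline_HKEY_LOCAL_MACHINE_software",
    "hkey_current_user": r"HKEY_LOCAL_MACHINE\offline_HKEY_CURRENT_USER",  # assumption
}
ROOT_ALIASES = {"hklm": "hkey_local_machine", "hkcu": "hkey_current_user"}


def normalize(key: str) -> str:
    """Strip quotes/whitespace, collapse separators, expand HKLM/HKCU abbreviations."""
    key = key.strip().strip('"').replace("/", "\\")
    key = re.sub(r"\\+", r"\\", key).strip("\\")
    parts = key.split("\\")
    parts[0] = ROOT_ALIASES.get(parts[0].lower(), parts[0])
    return "\\".join(parts)


def to_offline_key(key: str) -> Optional[str]:
    """Return KEY's path inside the loaded hives, or None if no loaded hive covers it.

    Refusing uncovered keys is the safety check: HKLM\\System, for instance, is not
    loaded offline here, so deleting it would touch the PE's own registry.
    """
    norm = normalize(key)
    low = norm.lower()
    for prefix, mount in HIVE_MAP.items():
        if low == prefix or low.startswith(prefix + "\\"):
            return mount + norm[len(prefix):]
    return None


def build_batch(keys: List[str]) -> Tuple[List[str], List[str]]:
    """Turn removal-tool output (one key per line) into 'reg delete ... /f' lines.

    Returns (commands, skipped); skipped keys are reported rather than deleted.
    """
    commands, skipped = [], []
    for key in keys:
        offline = to_offline_key(key)
        if offline is None:
            skipped.append(key)
            continue
        commands.append(f'reg delete "{offline}" /f')
    return commands, skipped
```

reg.exe deletes a key together with its subkeys, so each emitted line does what the post's recursive remover does; the PE build must include reg.exe for the batch file to run.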
