Sunday, February 19, 2012

Trinity Rescue Kit to the ... rescue!

So, after playing with my virtual machine and the malwares I downloaded from my e-mail account, time for some experiments from the other side: the clean-up effort.

Cleaning up after a virus infection is probably the most horrible task I have ever had to perform. Not only it takes a long time, but you can't rely anymore on the installed Operating System, all systems have to be taken down or isolated to control the spread of the infection, the users call every 30 seconds asking when "they will be able to work because they have important things to do" and, of course, it always happen when there is something else interesting to do.

Until recently, when I had to be involved in a clean-up effort, I tended to ask for the hard drives to be imaged - to keep a copy of the infection - then I connected the drive to another machine known to be clean, and I ran the antivirus tools from there. Not only this was extremely time consuming, but there was a need to have access to the machine, which is possible with workstation or stand alone servers, not so much with virtual machines, and I don't mention the fact that servers have, nowadays, multi terabyte storages drives on SANs. Another solution had to be found.

There comes a cool distro: TRK - the Trinity Rescue Kit. It does way more than just virus scans, but that's a non negligible part of its job. Among the other tasks, let's just mention the password recovery, the junkfile clean up, the backup/restore and the imaging facility.

Back to the virus clean-up. TRK comes with not less than five different AVs: ClamAVF-ProtBitDefenderVexira and Avast. This last one requires that you register to get a key, and it's free.

To access these tools, two solutions, either the menu-driven way or the command line.

First stop: mounting the local file systems. The menu-driven has an option to mount all the local file systems automatically, and all the operations are taken care of: if your NTFS was not unmounted cleanly, i.e. you powered the machine off in a rush, the automated mount will mount it after taking care of the possible issues. A small caveat though: these file systems are mounted read-write when possible, so be aware that there is a risk of touching things on the hard drive.

An interesting point: in one of my tests, I ran TRK on a mac book pro. It automatically mounted the local drive (UFS), but read-only.

If you want to keep a maximum control, I recommend opening a shell and mounting the relevant file systems by hand, using mount. For the NTFS file system, the suite ntfs-3g is present and can be used to achieve that purpose.

Next step: the virus scanning. Again, either menu-drive and you chose your AV, or at the command-line using the virusscan command.

After selecting the destination to scan, you proceed and select the AV to run.

As mentioned, the other way is to use the virusscan command. This is a form of one-stop shop for scanning a file system, and it takes care of all the necessary steps, such as downloading and installing the relevant packages, updating the virus definitions, and running the scan.

I found I needed to use this way with the mac book pro scan: by default and through the menu-driven, a log file is written in the mount point, which is at the root of the scanned file system. When the mount is done read-only, as it was with my UFS, this is not possible, and the scan will fail.

By default, "ClamAV" will be run. Concerning this one, an important note is that infected files will be reported and quarantined, but not deleted.

An example of the command is:

virusscan -a clam,fprot -d /sda1 -l /

This will run both ClamAV and F-Prot against the file system mounted in /sda1, logs will be written under /, and not on the mounted file system.

A gotcha: if you try to run Vexira, it will fail, due to an error in the command-line switch for the updater.

Here is a workaround:

virusscan -a va -d /<to scan>
# This will fail, that's normal
cd /linkedfs/usr/share/vascan
This will start the download of all the updates. After that, you may proceed and run the scan normally

cd /
virusscan -a va -d /<to scan>
Back to the test. My virtual machine was infected with the strain I got in the "" e-mail. Running the various scans in sequence I have:

ClamAV - 0 infected file detected
F-Prot - 1 infected file detected
BitDefender - 0 infected file detected
Vexira - 0 infected file detected
Avast - 0 infected file detected

To be fair to BitDefender, Vexira and Avast, they were run after F-Prot, so they may have detected it if given the chance.

The file F-Prot categorized as a malware is "/Users/Administrator/AppData/Roaming/winc.exe", as W32/Trojan.DFP. The file was removed.

However, when the machine restarted and was logged on, another access was made to "", meaning the actual infection was not removed. After rebooting and rescanning with F-Prot, no file found infected, so indeed, something is still present on the system, but not yet detected.

If you recall, in order to execute the malware on my 64bits install of Windows 2008, I had to disable DEP. After enabling it back and rebooting the machine, an executable was blocked: memnvexec.exe. This file lives in /Users/Administrator/AppData/Roaming. This is actually the same file as "servicesa.exe" that I saw downloaded from a website in Germany during my initial run of the strain. As of now, this file is not detected by any AV present on virus total.

Conclusion -

I do like TRK. This is an awesome tool for helping in dealing with outbreaks. However, it suffers from the same ailments as all AVs: this is a reactive business, signatures may take time to make it to the end user and not everything qualifies as a malware.

The menu-driven interface makes it really easy to use. Advanced users will make a heavy use of the command line for a variety of tasks, such as taking images over a network to a NFS server, doing virus scans or deploying images. Additional functions are possible, such as network booting TRK on multiple computers to take care of larger networks.

If you are an IT or a security professional, this definitely has to be in your toolbox.

No comments:

Post a Comment