Dealing with Drive-by Downloads
End users and customers may call support requesting assistance with removing malware from their PC after being infected by a Drive-By Download. This article provides information on the scope of Symantec's role in assisting the affected customer. Note that this information should be considered general advice and guidance, not strict rules for the customer to follow. The following four points are the main things to consider when dealing with a Drive-by Download victim.
If malware infects someone’s PC, they are at risk of:
At an administrative level, mitigation would include:
From an operating system perspective, integrity is completely compromised. Most commonly, some sort of "backdoor" is installed at the OS level. There might be kernel-level backdoors, or cases where OS binaries are modified and malicious code is appended to them. While a tech-savvy user with a high level of expertise may be able to clean the system up without a full OS reinstall, there is no guarantee that the system is fully clean. The general consensus is that the only 100% surefire path is to reinstall the operating system.
In some cases, the malware has the ability to write to the BIOS or system firmware, such as on the Ethernet card. The CIH virus (aka Chernobyl) is one example of malware with this capability.
Also, any media that was in use when the system was infected by malware (USB disks, phones, cameras, etc.) may also have been infected and should be checked.
From a network perspective, there is also the possibility that a compromised system can become a conduit for attacks on other network-attached computers. So even if the system is cleaned up, other computers in the same network environment may already have been infected, and could consequently re-infect the system. Proper analysis of the other computers should therefore also be carried out.
In addition, there is a lot of malware that resides in the Master Boot Record (MBR), so if doing a reinstall, it may be necessary to do a disk format that also rewrites the MBR rather than just the partition contents.
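As an added example (not part of the original article), the check below parses a 512-byte MBR sector, verifies the 0x55AA boot signature, and compares the bootstrap code hash against a known-good baseline, which is one way to confirm after a reinstall that the MBR was actually rewritten. The sample sectors and the baseline hash are constructed here; on a real system the sector would be read from the first 512 bytes of the disk device.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
BOOTSTRAP_LEN = 446          # bootstrap code occupies bytes 0..445
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into bootstrap hash, non-empty partition entries and signature status."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[BOOTSTRAP_LEN + 16 * i: BOOTSTRAP_LEN + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack(PART_ENTRY_FMT, entry)
        if ptype != 0:  # type 0 means an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}


def check_mbr(sector: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    return findings


def build_mbr(bootstrap: bytes, entries: list) -> bytes:
    """Assemble a sector from bootstrap bytes, packed partition entries and the signature (constructed data)."""
    table = b"".join(entries) + b"\x00" * (16 * (4 - len(entries)))
    return bootstrap.ljust(BOOTSTRAP_LEN, b"\x00") + table + BOOT_SIGNATURE


# Constructed sample data: a clean sector, its baseline hash, and a sector whose bootstrap was altered.
NTFS_ENTRY = struct.pack(PART_ENTRY_FMT, 0x80, 0x07, 2048, 204800)
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", [NTFS_ENTRY])
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90" + b"\x33\xc0\x8e\xd0\xbc\x00\x7c", [NTFS_ENTRY])
```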
Well-crafted malware may not set off any AV alerts, making detection difficult. Armorize has a product called Archon Scanner which does pure behavioral analysis on potentially compromised systems. Other rootkit analysis tools include Sophos Anti-Rootkit and Rootkit Unhooker from antirootkit.com. MalwareBytes is another possible solution. These are not tested or supported by Symantec; they are only offered as a suggestion to the customer.
Mitigation is difficult without a full OS reinstall. The general recommendation would be to scan the system with at least two different anti-virus programs and then run a separate malware scanning program, such as MalwareBytes.
Beyond these steps, forensic analysis is required to identify the system entry points, relevant logs and potentially replaced binaries. Symantec does not offer these services. The customer should consult a local IT professional to obtain forensic analysis.
Microsoft Diagnostics and Recovery Toolset (DART) includes an anti-malware tool that allows you to make bootable sweeper disks. DART can be obtained from this link: http://www.microsoft.com/windows/enterprise/products/mdop/dart.aspx
This link has additional information about DART: http://www.ditii.com/2009/09/01/microsoft-diagnostics-and-recovery-toolset-dart-anti-malware-tool/
Once the system is cleaned up (or reinstalled), it should also be properly hardened to ensure that those vulnerabilities which were exploited to plant malware in the first place are mitigated. Without this hardening process, the computer will likely be infected again at some point.
The National Institute of Standards and Technology (NIST) has produced PC hardening guides such as this one:
Hardening XP Home: http://www.itl.nist.gov/lab/bulletns/bltnnov06.pdf
In general, to protect the PC against re-infection: