One major problem detecting and neutralizing much of the current crop of malware is that the malware very effectively protects itself from detection and removal by many of the more traditional security methods. Since many of today’s most prevalent PC security threats load when the computer is booted and often involve a rootkit, common security software may either be unable to detect the malware or may actually be deactivated by that malware but still appear to be running normally. According to Wikipedia, “A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications.” Many users erroneously believe that they are always protected from all malware threats because they purchased name-brand security software that is supposedly updated automatically, and that by periodically running a security scan with that same software, their computer is clean and free of malware. That is not always the case.
Recently a student brought me her computer, which was very clearly taken over by one of the many rogue security software utilities that alleged that her computer was heavily infected by other malware. The software, “Vista Anti-Spyware 2011,” informed her that for a fee of $39.95 charged to her credit card, this scam utility would remove all of the alleged malware and restore her computer to proper operating condition. If she would have done what was asked by the scammer and given up her credit card number, expiration date and CVV security code, a crook, probably in Russia, would not only not rid her computer of malware but also likely have sold her credit card information to other Internet crooks! She had thought that her computer was secure as she had installed one of the major retail security software packages, and had a second layer of security provided by a third party-utility that was supposed to protect her from malware. While doing research for a term paper on one of the major search engines, she clicked some links on the top of the search results; one of the listings had been hijacked by an Internet crook, and the purloined Web site loaded the malware onto her computer. She was greeted by the pop-up Vista Anti-Spyware 2011 window that informed her that there were hundreds of different malware items on her computer, and that she had to pay to remove them. She tried to run her commercial security software by either clicking on the icon by her clock or the desktop icon, but whatever she clicked on, this Vista Anti-Spyware 2011 window appeared. If any other icon was clicked, including the word processor that she had been using to type her term paper, this scam window appeared; closing the window allowed all of the other programs to run except her security software. Even using Windows Explorer to go directly to her security software and running it from there, the rogue security program appeared; her name-brand commercial security software had been effectively destroyed.
Using the security software I carry on my keychain flash drive, and booting into safe mode (F8), I was able to remove over 300 pieces of malware, but her computer was still heavily infested. I had to create a bootable CD with an integral malware detection utility to remove the last of the infection, which included a rootkit.
There are several sources of utilities to create bootable CDs that contain some form of malware scanning software. Directories of free bootable utilities can be found on the Gizmo’s TechSupportAlert.com Web site and at Raymond’s “13 Antivirus Rescue CDs Software Compared in Search For the Best Rescue Disk.”
Among the recognized publishers of software that can create free bootable CDs (and sometimes bootable USB flash drives) that contain software to detect and kill malware are Kaspersky, Avira, F-Secure, Panda, BitDefender (USB), AVG, and several others. Using a bootable CD (or bootable USB flash drive) to detect and kill malware is quickly becoming the preferred method of malware removal because when booted from the CD, the malware cannot load, even if it is a rootkit. The bootable CDs or USB flash drives typically contain a non-Windows operating system, usually some version of Linux or WinPE, thus the version of Windows on the hard drive never loads. Since the Windows does not load, any infections harbored on the hard drive are not loaded, and then can likely be detected and removed by software on the bootable media. Not to be outdone by its smaller competitors, Microsoft has joined the fray by releasing a beta (pre-release) version of its new “Windows Defender Offline Tool (beta).”
What Microsoft has done is take an improved version of its Windows Defender security software and mate this popular security software with bootable media such that a CD or bootable USB flash drive created with the free downloaded software can be used to boot an infected computer, and then scan that hard drive for malware, including otherwise difficult to detect rootkits. Since the scanner is running outside of Windows, the malware cannot easily protect itself from detection and removal.To use the free Windows Defender Offline Beta, download the small 764 kb installer directly from Microsoft, preferably to another “clean” computer. The installer file is available for either 32-bit or 64-bit computers; most newer computers are 64-bit, while most older computers are 32-bit. Insert a blank CD or DVD into the CD drive, or insert a USB flash drive that is not password protected and has at least 250 mb free space. Run the downloaded installer (mssstool32.exe or mssstool64.exe), which will open a window asking the user to select create a bootable CD or DVD, bootable USB flash drive, or create an ISO file to be installed to a CD. For most users, the bootable CD option is the simplest and most trouble free. The installer utility will download a large file from Microsoft (about 250 mb), and guide the user in the steps to create the bootable media. The installer contains all of the software necessary to create the bootable media; no other software or utilities are required. Once created, insert the bootable media into the infected machine and reboot using the newly created Windows Defender Offline Beta media. By default, almost all PCs will automatically boot off of a bootable CD. If the computer does not boot directly from the CD or flash drive, it may be necessary to tell the BIOS to change to boot sequence, putting the CD drive or USB drive first in the sequence; instructions for doing this are often briefly shown on the splash screen when the computer is first booted, and says something like “Press delete (or some other key) for setup” or “Press (a specific key) for boot sequence.” If additional help is necessary, Microsoft has detailed instructions online. This will open the BIOS window, and one of the selections is usually to choose the device from which the computer boots. Once booted into Windows Defender Offline Beta, the user can perform a scan for malicious software, and get rid of it. Once cleaned by the Windows Defender Offline scanner, remove the CD or flash drive, and reboot the computer. The computer should boot normally, free of the malware infection.
If it is ever necessary to perform another scan from bootable media, Microsoft recommends that a fresh CD be created, as an updated malware signature file will likely be available, as it is updated frequently. If a bootable USB flash drive was created, it will not always be necessary to create a new one, as the digital malware signature files on the flash drive can be updated by the integral wizard while on an Internet connected computer.
Since many of the contemporary malware types destroy the installed security software, leaving the computer open to subsequent attacks and infection, it may be necessary to reinstall a fresh copy of whatever security software is desired. Either the previous software can be installed and updated, or new software can be installed. Commercial software is readily available (I recommend the comprehensive suites rather than just the traditional antivirus software), or comparable free security software can be downloaded and installed (techsupportalert.com/content/probably-best-free-security-list-world.htm).
It is obvious that while offline bootable media may currently be an optimal way to detect and remove difficult malware, it is only a matter of time until the malware authors come up with some devious new way to hide malware to counter this method, just as they had done with the previous methods. Still, it is necessary to stay on top of the threats, and perform a variety of security scans using different methods, media, and software.