Adam Caudill


State of the (virus) art…

Imagine my surprise when one of my developers mentions he has a virus and I see this on his screen:

No, the items listed aren’t the issue; it’s Security Tool that’s the virus. It’s vicious, plain and simple. It prevents almost all software from running (either by presenting a “virus warning” or simply killing the process), presents fake BSODs, and who knows what else that we didn’t notice. Only Explorer and Internet Explorer were operational; all other software was disabled.

As soon as the issue was found, the workstation was removed from the network while we attempted a clean-up via Malwarebytes and a couple of other similar tools. After running a scan from each tool in safe mode, it looked like we had it beat. We were wrong. The next reboot, and it was back – I’m not surprised but somewhat disappointed that none of the tools actually performed the cleanup correctly. There are several routes it could have taken to ensure that it would re-infect on boot; it seems at least one of those was missed.

The one saving grace is that, for some reason, it doesn’t attack while in safe mode. Had this not been the case, data recovery would have been far more time-consuming than it was (about four hours). Once the data was secured and logs and various backups for later analysis were captured, the workstation was re-imaged. In total, probably 30 hours were lost among development, technicians, and networking – not to mention the time spent by the security team members. A rather costly exercise, all things considered.

There’s still one question floating around – how did this happen? The workstation in question was running a fully patched Windows XP install, Symantec Corporate anti-virus with the latest updates, behind a firewall and content filters, yet it still happened. How did our pricey anti-virus solution not detect this? Why didn’t it detect anything at all?

It amazes me that here in 2010 we still have to worry about computer viruses (or virii, if you prefer); but I find it utterly unacceptable that a top-tier, fully managed and updated anti-virus product allows such a debilitating pile of code to execute. Computer science has made amazing strides and modern PC hardware has more than enough resources to perform more intense analysis and monitoring – yet it still happened.

Have we actually lost this battle?


    The last release of YAWAST was on January 1, 2020; while the release history was sometimes unpredictable, the goal was a new release each month with new features and bug fixes. I intentionally took January off from the project. In February, I left the company I was at; the team of penetration testers there had helped to inspire new features while looking for ways to make them more productive. But something else happened in February, an issue was opened – something that appeared to be simple, but in fact, made me realize that the entire project was in doubt.