How to Deal With Computer Viruses

Posted by JD 11/12/2010 at 21:40

We all get computer viruses, eventually. There is nothing anyone can do, but whether it is a small inconvenience or a major computer-doesn’t-work-for-weeks issue is up to you.

It doesn’t matter which operating system you have: viruses have been written for it. It is true that since 92% of all computers in the world run MS-Windows, that platform is the main target, but Apple’s OSX, Linux, Solaris, AIX, iPhones, iPads, Blackberries, Android and Windows Phone 7 devices are all targets too. If it runs on a computer, it can have a virus. Even those electronic picture frames have carried viruses.

Below, I outline the steps to recover from a virus infection or worse.

Prevention Is Key… but

Prevention is important, but in some cases there is nothing anyone, even a security professional, can do to prevent a previously unknown attack. I’ve covered how to secure a desktop before, and I’ve also covered how to set up your web browser.

Following those recommendations reduces your risk, but there is still a small possibility that you will get infected.

So, You Got Infected, What’s Next?

I haven’t had a virus in years.

  1. The last time I was cracked was around 2001 and it was a Linux BIND cracker running a script. Basically, I was 3 months behind on a name server patch.
  2. Around ’96, my first Linux machine, barely on the internet for 30 minutes, was cracked. The root password was changed and my personal account was removed.
  3. Around ’91, I had a DOS boot sector virus that infected almost every single floppy disk that I owned. I spent weeks removing the virus.

I’m sad to say this, but once you are infected, it is already too late. You are screwed. If you are lucky, you know exactly when and what you were doing when you were infected. Just like a cavity never gets better, an infected computer doesn’t get better. In fact, it will probably be infected over and over and over again with more and more viruses, spyware, keyloggers, rootkits and worse. If you don’t know the exact moment of the first infection, then you cannot trust the operating system installation anymore.

I’m sorry to say this, but there is only 1 answer to an infected computer. Reformat the entire hard drive.
Your leg (HDD) is infected. It has gangrene. The only thing a surgeon can do is amputate. Nobody likes this option, but there isn’t any other choice. Anything less than amputation could leave part of the infection and kill the patient later. Yep, it is best to cut off the leg.

Prepare for the Next Time

As with many things in life, preparation is critical for the next time your computer gets infected. Here’s what you need to do to prepare to recover from a virus.

  1. On a known, fresh, patched, non-infected system, perform a system image. This image needs to be placed on another hard disk that is not used except for backups and the system image. Refresh the image whenever you have installed a few new programs or changed settings: image monthly, but at least every quarter.
  2. User data needs to be backed up daily or weekly. You need multiple backups, not just 1 mirror.
  3. Test your backups on a spare drive.

If you run Windows7, the built-in backup tool handles both the image AND the incremental backups just fine. Win7 Pro will write to a network drive, which is great. Win7 Home Premium only supports locally attached backups, but a USB, FireWire or eSATA drive can work nicely for a home PC.

If you run Linux or another POSIX system, then I like rdiff-backup as spelled out here. If you need a GUI, then Back In Time is another option.

So, you need 3 drives.

  1. Main drive for daily use
  2. Backup drive to hold the system image and the daily/weekly backups.
  3. Test drive to verify the restores work AND you know how to do it.

If you have a laptop like mine, then it came with a 500GB drive. I have 2 other 320GB laptop drives from prior machines. Nothing is wrong with those laptop disk drives and they are good for backups and a whole drive mirror too. Sure, it would be better if they were all 500GB, but since they aren’t, I’ve taken steps to ensure there is never more than 320GB in data on the main laptop disk. That means those other 2 disk drives are used.

Ok, that really isn’t true. I do network backups to a central backup server using the Win7 backup and rdiff-backup for my Linux virtual machines.

The daily or weekly backups should be incremental. This means you don’t need 7x the storage of the original for 7 days of backups. In practice, 30 days worth of backups take about 1.1x the size of the original. This method is very efficient, when done properly. For 100GB of data, the 30 days of backups are about 110GB total. Nice.

There are other pieces of data that need to be backed up too. On Windows, that means the Registry, applications, settings, and any data. On Linux, there are different things to be backed up.

  • crontab for each user
  • /etc which holds settings for system programs
  • /usr/local which holds specially installed programs for just this system
  • /opt which holds commercial software
  • $HOME directory for each user – which contains everything for a user.
  • List of all programs installed on the system – dpkg -l is the command you want the output from.

With this data, you can quickly rebuild a UNIX system and restore the programs, settings and user data. I’m actually typing this entry on a newly rebuilt Lubuntu 10.04 system after restoring everything from backups described above. Do you KNOW that you have good system backups?
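As an added example (not from the original post), here is a small sh script that backs up exactly the items in the list above with rdiff-backup and saves the dpkg -l output and each user’s crontab alongside them. It assumes rdiff-backup is installed, that it runs as root, and a BACKUP_DEST path; none of those come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): nightly rdiff-backup run covering the
# items listed above. Assumptions: rdiff-backup is installed, the script runs as root,
# and BACKUP_DEST is the backup drive's mount point (or a user@host::/path target).
set -eu
BACKUP_DEST=${BACKUP_DEST:-/mnt/backup/$(uname -n)}
MANIFEST_DIR=${MANIFEST_DIR:-/var/backups/rebuild-manifest}

# Save what the file copy alone cannot give you back: the installed package list
# and each user's crontab. The manifest directory is itself part of the backup set.
write_manifest() {
    dir=$1
    mkdir -p "$dir"
    # dpkg -l is the command the post names; skipped on non-Debian systems.
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -l > "$dir/dpkg-l.txt"
    fi
    # crontab -l exits non-zero when a user has no crontab; do not keep the empty file.
    for user in $(cut -d: -f1 /etc/passwd); do
        crontab -l -u "$user" > "$dir/crontab-$user" 2>/dev/null ||
            rm -f "$dir/crontab-$user"
    done
    echo "$dir"
}

# Build the rdiff-backup command for the post's directory list. It is returned as a
# string so it can be checked before being run; rdiff-backup applies include/exclude
# rules in order, so the final --exclude '**' drops everything not listed.
backup_cmd() {
    dest=$1
    cmd="rdiff-backup --exclude-sockets --exclude-device-files"
    for d in /etc /usr/local /opt /home "$MANIFEST_DIR"; do
        cmd="$cmd --include $d"
    done
    echo "$cmd --exclude '**' / $dest"
}

# Keep 30 days of increments; older ones are removed so the backup set stays small.
prune_cmd() {
    echo "rdiff-backup --remove-older-than 30D --force $1"
}

if [ "${1:-}" = "run" ]; then
    write_manifest "$MANIFEST_DIR" >/dev/null
    eval "$(backup_cmd "$BACKUP_DEST")"
    eval "$(prune_cmd "$BACKUP_DEST")"
fi
```

Run it from root’s crontab with the argument `run`; the manifest directory is included in the backup set, so the package list and crontabs come back with the rest of the restore.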

Infection Recovery

So you have implemented a good, tested backup strategy. You sleep well at night. Somehow, you get a virus and recognize it a few days later, not immediately. What steps do you take? You know you have a good system image from last month and weekly backups for most, if not all, data.

  1. Mirror the drive with the infection to the 3rd disk drive … so you can selectively recover data files manually later. Do this by booting a Live CD.
  2. Restore the last known uninfected system image. This should format the disk drive, wiping all data on it.
  3. Restore the data backups from the day prior to the infection. It is better to go a few days earlier if you aren’t positive.
  4. Verify that the system is patched to current levels.
  5. Verify that the antivirus signature files are current.

At this point, you have a workable system with almost all your data, programs and settings on it. All that is missing are updates for the last few days and perhaps some emails if you pull those down to a local client (a bad idea, but that is a different article). If you’ve been working on files, you probably know the names, or you can connect the 3rd disk drive and search for any files changed in the last 5 days. Those are the files you want to manually pull over to the newly restored disk. Of course, you want data files, not programs, dlls, or other unknown data types. Just the data, nothing else, or you risk another infection.
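An added example (not from the original post) of the search just described: a sh script that walks the mounted mirror for files changed in the last N days and sets aside anything that looks like a program, by extension and by file header, so only data files are left for manual copying. The mount point and day count are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): list recently changed files on the
# mirror of the infected drive, skipping anything that looks like a program.
# Assumptions: the mirror is mounted read-only, and you pass its mount point and
# the number of days back to look.
set -eu

# File types the post says not to carry over: programs, DLLs and scripts.
is_program_ext() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.exe|*.dll|*.scr|*.com|*.sys|*.ocx|*.cpl|*.msi|*.bat|*.cmd|*.vbs|*.jar|*.so|*.sh)
            return 0 ;;
    esac
    return 1
}

# Extension checks miss renamed binaries, so also inspect the first bytes:
# "MZ" starts a Windows PE file, "\177ELF" a Linux executable or shared library.
has_exec_magic() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -c | tr -d ' \n')
    case "$magic" in
        MZ*|177ELF*) return 0 ;;
    esac
    return 1
}

# Print, one per line, the data files under $1 changed within the last $2 days;
# skipped files go to stderr so the list can be eyeballed before anything is copied.
candidate_files() {
    root=$1
    days=$2
    find "$root" -type f -mtime "-$days" | sort | while IFS= read -r f; do
        if is_program_ext "$f" || has_exec_magic "$f"; then
            printf 'SKIP %s\n' "$f" >&2
        else
            printf '%s\n' "$f"
        fi
    done
}

if [ $# -eq 2 ]; then
    candidate_files "$1" "$2"
fi
```

Review the printed list by hand before copying anything; the SKIP lines on stderr show what was left behind and why.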

Doing this restore should take less than 2 hours, including the manual search for files.

While you are recovering data, do not go on the internet except for AV signatures, system patches or specific program updates. Do not visit social networks. I’ve seen someone who had just done a full restore from the vendor restore partition visit her Facebook page and get infected before she had the latest OS patches. She was re-infected and had to start all over again.

Your system should be clean and ready for use. That is the point after all.

Immediate Detection

If you happen to know exactly when you were infected and disconnect from the network within a few minutes, then you may be able to avoid wiping the system and starting over. I wouldn’t trust a system that was infected for even a few minutes, but you may be willing to run some virus removal tools and trust that they worked. Lifehacker has a few articles on doing that.
