Sunday, August 16, 2009

Its Not Always A Security Issue

I've been spending this weekend fixing my in-laws computer. Like most of you, I'm the family "tech support" for anything that goes wrong with a computer. This past week I received a call from my mother-in-law that she was getting pop ups on her computer stating that it was infected and that the program would remove it if they paid for the full version. Classic sign of fake anti-virus.

After some quick research, we were able to determine that it was Advanced Virus Remover. It appeared to be pretty simple to get off (delete some files, clear out some of the registry, etc) but since I was not there I decided the best way was to have her reboot into safe mode and perform a system restore. (Unlike some of my relatives, my m-i-l can actually do things like that without me hand-holding.) Of course, when she tried to go into safe mode, it blue screened.

The next day I went over to see if I could figure out what was going on. I was able to remove the malware (and two others) fairly quickly, but we were still getting errors. In short time I realized that part of the hard drive had gotten corrupted and was causing the BSODs - not the original malware.

This made me remember another story from a job in a previous life. I had been called down to another department by a friend. The entire department were having some odd problems. Whenever they tried to print their machines would BSOD. Since I was the resident "malware guy", they decided to call me in to see if I could find anything. When I got there, some Windows admins were also there looking at some of the systems. My friend took me to the system with the original problem and I started to examine it.

After a few minutes I couldn't find anything indicative of malware on the sytem. I even booted with a Helix CD just in case there was a rootkit on the system. Nothing. After a few minutes the Windows admins came over and asked me what I thought. I replied I didn't see anything but there were reports of a 0-day attack against the Windows printer system that day which were indicative of what we were seeing. However, I stressed, I didn't know and didn't think this was related.

Of course, within minutes the Windows admins had me on a call where they were explaining how I thought we had been hacked using a Windows 0-day attack against the printers. It took at least 45 minutes for me to sort through everything that was being said and to finally point out that I had not found any proof of any attack and that I didn't think this was the problem. When the Windows admins finally went back to troubleshooting the problem, they found that a corrupt Windows printer driver had gotten pushed to these systems and thats what was causing the issue.

I learned two things that day:

1. Never say that you think something has been compromised (or even could be compromised) until you have some type of proof. People love to over-react in a situation like that and that just provides fuel for the fire.

2. Not everything is a security incident. Just like my in-laws computer, the presence of malware may not be the reason for the overall problem. A corrupt hard drive could just be a corrupt hard drive. If you start reading compromises into everything you see, you may miss what is actually there.

1 comment:

Mike said...

As a support tech in my "previous life", your advice is welcomed and anybody who does *any* support should heed it.