Tuesday, August 10, 2010

Windows Virus/Trojan busting with SUSE and ClamAV

Not once but on two separate occasions over the course of last week, I was called upon to help do some virus & trojan busting on badly infected laptops. It was so bad that traditional anti-virus software just could not seem to completely eradicate them. It would appear that these viruses and trojans could hide and re-create/spawn instances upon shutdown and reboot of Windows XP.

Honestly, I'm "new" to this as this is not my day job or something I do on a regular basis. Since using the installed anti-virus program route did not work, I opted to physically remove the infected 2.5" hard disk drive from these laptops and put them in my secondary hard disk bay of my Thinkpad running SUSE Linux Enterprise Desktop 11 SP1 (SLED 11 SP1 for short).

Tip: If you do not have, nor want to spend money on, a secondary hard disk bay for your laptop, there are many affordable adapters on the market that let you connect a SATA or IDE 2.5" hard disk drive to your laptop via USB. SUSE Linux Enterprise (Desktop/Server) and openSUSE will automatically mount them under the /media directory.

My idea/solution was simple: boot up my Thinkpad with SLED 11 SP1 with the infected hard disk mounted as a secondary drive (i.e. nothing on the infected disk is executed at boot). Further, it's unlikely these nasty viruses/trojans will execute since I'm using a different operating system. Next, use ClamAV (the anti-virus scanner that comes with SLED 11 SP1) to scan the mounted secondary drive (the Windows hard disk from the infected laptop) for known Windows viruses & trojans.

Note: if you are using clamscan for the first time, ensure that your virus database is up-to-date or it will not work. To do that, ensure you've got Internet access and execute freshclam. Thereafter, you can execute clamscan -ri . in the directory you want scanned. The -r flag scans recursively through the directories and the -i flag prints only the infected files it detects to the screen. In my case, I mounted the infected disk via mount -t ntfs /dev/sdb1 /mnt/temp and so I executed clamscan -ri /mnt/temp/ for my virus/trojan busting.

It's IMPORTANT to note that clamscan has no quarantine or disinfecting capabilities. Its only way of removing a virus is to delete the infected file. Hence, I did not specify the --remove=yes parameter, as I wanted clamscan to detect the infected files first and leave it to me to decide whether those files should be removed permanently.
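To put the above steps together, here is an added example (my own, not part of the original write-up) that mounts the suspect disk read-only and non-executable, runs the scan with a saved report, and pulls the "FOUND" lines out of that report so each file can be reviewed before anything is deleted. The device, mount point and report path are placeholders, and the sample report is constructed, not a real scan.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed placeholders:
# /dev/sdb1 (suspect disk), /mnt/temp (mount point), report file path.

# Mount the NTFS partition so nothing on it can be written or executed
# from the scanning machine (ro,noexec,nodev,nosuid).
mount_suspect_disk() {
    dev="${1:-/dev/sdb1}"
    mnt="${2:-/mnt/temp}"
    mkdir -p "$mnt"
    mount -t ntfs -o ro,noexec,nodev,nosuid "$dev" "$mnt"
}

# Refresh signatures, then scan recursively printing only infected files.
# The report is kept (--log) so the delete decision can be made afterwards;
# --remove is deliberately NOT used.
scan_suspect_disk() {
    mnt="${1:-/mnt/temp}"
    report="${2:-/root/clamscan-report.txt}"
    freshclam
    clamscan -ri "$mnt" --log="$report"
}

# Turn each "<path>: <signature> FOUND" line read on stdin into
# "<path><TAB><signature>" for review; summary lines are ignored.
list_detections() {
    awk '$NF == "FOUND" {
        sig = $(NF - 1)
        sub(/: [^:]* FOUND$/, "")   # strip ": <signature> FOUND", keep path
        print $0 "\t" sig
    }'
}

# Number of detections in a report read on stdin.
count_detections() {
    list_detections | wc -l | tr -d ' '
}

# Constructed sample of clamscan -ri output (signature names are made up).
sample_report() {
    cat <<'EOF'
/mnt/temp/WINDOWS/system32/svchosts.exe: Win.Trojan.Agent-EXAMPLE FOUND
/mnt/temp/Documents and Settings/user/Local Settings/Temp/a.tmp: Win.Trojan.Downloader-EXAMPLE FOUND

----------- SCAN SUMMARY -----------
Scanned files: 3
Infected files: 2
EOF
}
```

Run sample_report | list_detections to see the review list; on a real disk, use mount_suspect_disk and scan_suspect_disk as root and feed the saved report to list_detections.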

Using this method, I managed to detect and selectively remove infected files (some of them made to look like Windows system files). In the first instance, I detected and removed over 25 trojans. In the second instance, I detected and removed 2 trojans.

Finally, I believe (please correct me if I'm mistaken) the original intent of packaging ClamAV with SUSE Linux Enterprise is to have the ClamAV daemon work with email server software, scanning emails that may contain Windows viruses and actively blocking or removing them before they reach end-user machines running Windows.