Sometimes it’s easy to become complacent and assume that you’ll never get a virus infection, or if you do dealing with it will be simple. Last weekend I was witness to what can happen when a friend, who I consider a more technically minded and well prepared user, suffered from a serious virus infection.
A common scenario
This friend runs a business and relies heavily on being able to use their PC for work. If they couldn’t use their PC, it could reduce their income in real time, so the PC is critical. The first thing they noticed was searches being redirected to another URL, which aroused suspicion. Following this they found they couldn’t access database services, then they couldn’t update or run their anti-virus products, and finally they couldn’t boot into safe mode.
This last sign was bad news, as it indicated not just malware, but malware which was changing the way Windows itself worked: a kernel mode rootkit. To remove these viruses there are only two options:
- Completely reinstall the operating system, applications and restore the file data from backup (having scanned it for malware)
- Try and detect and remove the rootkit and any associated malware by booting an alternative operating system from trusted media, and mounting the infected volume from there.
This second option isn’t available to most users, but it can be completed with some measure of success, certainly enough to allow the user to boot their system and either copy data off to portable media ready for a rebuild, or get short term access to the system if they need it urgently.
I’ve used two rescue CDs successfully:
- Sophos command line scanner SAV32CLI. Note: you’ll need a Windows boot CD, BartPE or UBCD4Win disk to use this option.
- Avira AntiVir Rescue System. A live boot CD which allows you to update to the latest virus definition before scanning.
There are other rescue CD solutions. I have no experience of the following two, but they should do the trick:
None of these rescue disk options can be guaranteed to be safe; the risk of an infection remaining undetected is too high. They do, however, offer a quicker recovery option than completely rebuilding the entire system.
In total, the user lost at least 7 working hours, and was unable to maximise his income for this period because he lost access to his business systems. The total cost was probably hundreds of pounds, but could potentially have run into the thousands or tens of thousands, especially if the malware had managed to transfer from the PC to his company website, taking it offline, or infecting site visitors.
There are two things all businesses should do, especially those whose income is directly tied to their ability to access business systems:
- Protect. Keep your PC operating system and applications up to date by patching them, in particular those applications which are known to be at risk (at the moment that would be web browsers, Java, Adobe Flash, Adobe Reader), and run up to date anti-virus.
- Mitigate. Assume that at some point you will be infected: back up your data to an external drive, have a backup PC or laptop of a sufficient specification to run the applications you need to run your business (not necessarily fast, but well enough), and keep the installation media and licence keys for the software you use, so you can set up your backup PC should it be needed.