Removing malware, antivirus software won't save you here

eatmypie

Honorable
Sep 12, 2013
So I wanted to give a guide on how to remove malware the right way. Of course I could say download this antivirus, click scan, you're done, but to be completely honest that is not the correct way of getting rid of malware. I won't be publishing the full tutorial at once, so you may need to come back in a week or so for the full guide. Now let me start off by saying that I am not a gamer, I am one of those weird infosec guys who take security a bit too far. I have been a pentester for over 15 years and a malware analyst for about 10 years, and I also work as an IT consultant. Now a lot of guides out there really only cover how to download and run one or two antivirus programs, but I want to show you guys how to do a bit of your own analysis, and some tools that you can use to get rid of malware that might be hidden deep within your system.

First of all let's talk about some viruses that are going around right now. One virus that is currently making news and terrifying people is the Gameover Zeus virus. Now Gameover Zeus uses a P2P ('peer to peer') encryption method, which makes it extremely difficult for analysts like myself to track down the exact location of the server that is being used for this operation. Another nice little feature of this virus is the use of CryptoLocker, which will encrypt all of the user's documents and then hold them up for ransom. What this virus does is it saves the background image from CryptoLocker, changes your background, and then starts encrypting all of your documents. Now there are a few different types of keys that I would like to talk about. There are what are called public encryption keys and private encryption keys. I don't really feel like going over what a public key vs a private key is, but if you would really like to learn more about these, click on these links: http://en.wikipedia.org/wiki/Public-key_cryptography http://searchsecurity.techtarget.com/definition/private-key

Yay for Wikipedia! The site that pretty much gives away college degrees!
[Image: thanks_wikipedia.png]


Now what are some of the defensive measures that we could use for such a virus? Well, the whole thing about this virus is to get you to pay money to them to send you the key to get back your data. Now I am not 100% sure if this is true or not, but I recently saw a paper online saying that the RSA key is stored in this location, which would allow you to use it and get back your data:
> Application Data > Microsoft > Crypto > RSA. That is believed to be the location where the key is stored; I might do some of my own research on this subject and find out for myself. But now let's talk about a real defensive measure, not for getting rid of this virus, but for preventing it altogether. The one thing that I recommend that every single person connected to the internet installs is this amazing program called CryptoPrevent. It was created by the author of D7, which if you haven't heard of or haven't used yet I would highly recommend trying out. What this does is it doesn't necessarily prevent you from being infected by the virus, it simply blocks the encryption part of the virus from happening. You can download it here http://www.foolishit.com/vb6-projects/cryptoprevent/
If you want any more information on it, click here http://www.foolishit.com/vb6-projects/cryptoprevent/cryptoprevent-faq/
Now what will happen when you become infected is your background will still change, you might get the popup, but nothing will really happen other than that. Run your basic antivirus software and change your background back to whatever, and you are done. Now in this day and age of viruses, religious backups and restore points are needed. Some people may think, well, I don't want all that extra crap on my computer taking up all that extra space. Well, you don't, to be honest, but if you have data that you can't afford to go missing or be held up for ransom, you need to do backups and restore points. Now this is the way of removing CryptoLocker and Zeus from your computer if you are already infected. You will see that having a restore point or a system backup will save your butt in the long run. If you want to learn how to remove it from an already infected system, watch this video https://www.youtube.com/watch?v=FoNTXTyly-s this is a really good video on how to remove the virus.

But let's talk about how you may get infected by the Gameover Zeus virus. The virus spreads through email, kind of an old school method, right? Well, it uses old tricks but with new exploits. What the virus does is once it has infected a system, that system then joins what is called a botnet. I won't cover what a botnet is, but once the computer joins this botnet it starts sending out emails to all of the contacts from that user's email account. Now the scary part about this virus is that it sends an email to, say, someone like your friend, and the email will actually come from your email address, so when your friend receives the email they think oh, it must be a picture of their dog, or their kid again. Well, it sends out the email with an attachment that, once the attachment is downloaded, starts to infect the computer right away. The email may look as if it is coming from your bank, but really it isn't.
Now enough about this virus, let's talk about preventing ourselves from becoming infected by any virus or malware in the first place. For the most part the old saying is true, any computer connected to the internet can become infected with a virus, and a lot of people think, well, I have antivirus software and I keep everything updated. Well, all of those are good in practice, but for some of the malware I expect to be coming in the very near future all of that won't matter. Now the first thing I would recommend doing is downloading something like Firefox or Google Chrome, which I'm pretty sure most of us are using. This will add a very thin layer of security to your system; I mostly just prefer these two because of how much faster they roll out updates vs IE. Well, now that we have our browser installed, let's configure it and start installing a few extensions or apps. The first thing that I'm pretty sure a lot of you are already using is Adblock. I don't use Adblock just because I hate watching ads on YouTube, I use it more so as a security measure to prevent things from being displayed on my screen that I may click by mistake. The next thing would be WOT, or Web of Trust. This is a great little app that allows users to kind of help protect each other. Say that you visit a website and then you get some nasty virus from it. Well, you still got infected, but you will be able to help your fellow WOT users from becoming infected by reporting it with this app, along with other websites that people have had problems with for things like scams, fraud, malware, and adult content if you are a parent. It simply will say hey, this website has been reported for blah blah blah, do you wish to proceed, so it won't load anything from the website until you say yes if it gives you a red flag. Now there are 4 different colors that you will run into: the first color is green, the second color is yellow, the third is red, and the 4th is gray.
Now green means that the website is fine, other users haven't had any problems with it; yellow is some people have reported things about the website like scams or bad advertisements; red just means don't go to that website, let's just put it that way; and then gray is more like, well, we don't have any data on that website so we can't say if it is good or bad. So we covered some basic apps, but I highly recommend this next part, and that is disabling JavaScript in your browser altogether. Now in my opinion java just needs to be wiped off the face of this earth and replaced with something more secure, but I won't rant about it any further. Now a lot of people say, well, if I disable it I need to enable it every time I go to YouTube, or my email, etc. Well, you only need to allow it once for that certain page; after that Google Chrome or whatever browser will say hey, we'll allow this website to run java because we have a green flag, but for any other website it will say hey, we need the user's authorization before you can load your JavaScript. This may be annoying for the first week, but after those trusts start getting embedded into your system the more you use your browser, you may only add one or two websites to the list every week, and after that you probably will forget that you even had it disabled in the first place. Now let's talk about a few things that can help you raise your awareness. Now to someone like me finding something suspicious is fairly easy, but to others it can be extremely difficult. Like, I don't even use antivirus software on my own machine because I know how broken antivirus software is right now. But let's talk about creating awareness.

So for the first part of this I would like to talk about how a lot of people ('mainly old, less technical people') will find themselves pretty much agreeing to infecting themselves. Now I think a perfect example of this is my dad. He probably would click on something that said hey, click on this fake link to a website with bikini babes and let us redirect you to a website that will give you a nice little JavaScript to exploit your system. Yeah, he is one of those kinds of people. Now this is where I believe Adblock can come into play as a way to give a layer of protection. You can't click on an ad that never gets displayed, right? You know, back in 2003-2007 we had a lot of problems with popup ads saying hey, grow your........ huge overnight, or hey, you just won a free PS2. Those stupid scams/ads I am happy no longer really come up all that often, since a lot of people understand IE is crap, and a lot of people have just been using Chrome and Firefox.

Some ads are alright though, like as an example there are ads that companies pay other companies to display to certain users on websites, and they get paid per click. Now a lot of people wonder, like ('Hey, how do they know that I like computer stuff, cat stuff, and books that interest me?'). Well, they do this via your IP address. Now think of your IP address like a bubble: for the first couple of weeks you may see little to no ads that are relevant to you or your searches, but as you start looking up maybe video cards or infosec education books, now you will start seeing ads related and targeted more towards you. Now your ISP and Google don't care about hiding your IP address from these big ad companies, because they get a crap load of money from it. Now for those of you who still don't understand what it is that I am talking about, think of your IP like a bubble with everything you search for frequently online. Like for example, let's say you recently have had a terrible flu for the past week, and every day 4-5 times you would go to Google and search ('how do I get rid of my flu') or ('Should I see the doctor if I have been sick for more than one week'). Now what will happen is since you type that in so many times you will start seeing ads for doctors or snake oil remedies that claim that they can help you. But anyways, let's create a bubble and show you how this IP system works. Now look at this picture and notice how this system works.

[Image: 0wVwkq3.png]


Now do you understand how this works?
I really love using things like proxies to fight off things like this, that is why I am a regular Tor user. I won't go into detail now, but I will later on. Now the bad ads might look something like: Congratulations, you have just won a $5000 gift card for Amazon, click here and claim your prize now. So you click it, you type in your information, your email, your telephone number etc... Nothing happens for a week.... Going into your Gmail account: Congrats! You now have 999999999 unread messages. Well, I guess my day is now delayed by about 5 hours since I need to go through all of these. Now let me tell you guys a cool little trick to fixing this in about a minute or less. Just simply filter your email by people who you have sent emails to; this will vary depending on what you use for your email. But just simply filter the ones that you have responded to, and select delete for any other emails that are being filtered. Now I may have worded it wrong, so you may need to do some research of your own.

Okay, for the next part I would like to start talking about some of the misconceptions that often happen with antivirus software. The first thing that I tell everyone is just because you have the best antivirus software in the world, your computer is still not fully protected. Like, here is the best way that I can put this in such a way that even less tech savvy people will get it. If you drive the world's safest car and carelessly drive that car right into a wall at 60mph because you were, I don't know, sending a text message or looking up more dumb cat pictures, or eating? The world's safest car is only as safe as the driver driving it; the same goes for computers. Now yes, the best AV and the safest car would protect you better than say the worst car ever with like a 2 star safety rating, or a very cheap generic AV that doesn't work as well as others and is often outdated. Another thing that I think people do way too much is simply think oh hey, I update my computer all the time, I don't need to worry about that kind of stuff. Well, sorry, but you do. I believe that pretty much all operating systems and programs have a flaw, it all depends on how nasty that flaw is and what it can be used for, so your update may patch against that one exploit that most likely some script kiddie overseas used, but vs an elite hacker or a company that employs these cyber criminal gangs with an amazing amount of knowledge of programming and security and how to use their skills to break it.


Sorry for the delay in this guide, I now have some time again. I will add another section to this every day until it is finished, @ the speed of 10 minutes of free time a day.

If you have any questions feel free to shoot me an email, I am always willing to help anyone with any virus problem big or small.
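The inbox clean-up trick described in the post (keep mail from addresses you have written to, queue everything else for deletion), as an added Python example that is not part of the original post. The Sent and Inbox messages are constructed samples, and the address extraction assumes ordinary RFC 5322 headers.

```python
import email
from email import policy
from email.utils import getaddresses

# Constructed sample messages (not real mail): the user's Sent folder and Inbox.
SENT = [
    "From: me@example.com\nTo: Alice Smith <alice@example.org>\nSubject: lunch\n\nSee you at noon.\n",
    "From: me@example.com\nTo: bob@example.net\nCc: carol@example.org\nSubject: photos\n\nAttached.\n",
]
INBOX = [
    "From: ALICE@example.org\nTo: me@example.com\nSubject: Re: lunch\n\nSure.\n",
    "From: Prize Desk <win@gift-cards.example>\nTo: me@example.com\nSubject: You won $5000\n\nClaim now!\n",
    "From: Carol <carol@example.org>\nTo: me@example.com\nSubject: hi\n\nHello.\n",
    "From: noreply@snake-oil.example\nTo: me@example.com\nSubject: Flu remedy\n\nBuy now.\n",
]


def addresses(raw, headers):
    """Lower-cased email addresses found in the named headers of one raw message.

    Display names ("Alice Smith <alice@example.org>") are stripped and the
    address is lower-cased so that ALICE@ and alice@ compare equal.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    values = [str(msg[h]) for h in headers if msg[h]]
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def contacted_addresses(sent):
    """Allowlist: every recipient the user has ever written to (To, Cc, Bcc)."""
    allow = set()
    for raw in sent:
        allow |= addresses(raw, ("To", "Cc", "Bcc"))
    return allow


def triage(inbox, allow):
    """Split the inbox into (keep, delete) lists of subjects.

    A message is kept only if its From address is someone the user has
    previously emailed; everything else is queued for deletion.
    """
    keep, delete = [], []
    for raw in inbox:
        msg = email.message_from_string(raw, policy=policy.default)
        subject = str(msg["Subject"])
        (keep if addresses(raw, ("From",)) & allow else delete).append(subject)
    return keep, delete


if __name__ == "__main__":
    kept, dropped = triage(INBOX, contacted_addresses(SENT))
    print("keep:", kept)
    print("delete:", dropped)
```

This clears sign-up spam, but note the limit the post itself points out: mail sent from a contact's own compromised account, with that contact's real address as the sender, passes this filter, so it is a clean-up tool, not a malware defence.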