Laws hindering anti-virus firms – Bangkok Post
LEGAL LIMBO
BERLIN: There is much more that anti-virus companies could do to help protect the world if their hands weren't tied by laws written for the physical world. Many epidemics could be averted or resolved, but doing so would land the saviours in trouble, as such acts would be illegal and considered attacks themselves under the status quo.

Vitaly Kamluk from Kaspersky GReAT Japan says he could do much more to save the world if he wasn't bound by red tape.
Vitaly Kamluk, Chief Security Expert at GReAT (Global Research and Analysis Team) Japan, heads a small team of researchers working on the really big threats: huge global epidemics, or heavily encrypted Trojans that are brand new and require more time to analyse.
One recent discovery came when GReAT Japan analysed a new automated infection system that combined a number of zero-day exploits and server scripts into a self-supporting system. Infection was fully autonomous and did not require human intervention.
The system works by stealing FTP usernames and passwords and then uploading malicious links to the compromised server, so that other users visiting it have their machines compromised too. Each compromised server goes on to compromise new servers while the existing ones keep receiving visitors, so the growth is exponential.
Even if a site was cleaned, it would be re-infected within 28 hours. The compromised servers can be used for a variety of crimes, from proxies to hosting other websites. All in all, the whole operation was very well coordinated.
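As an added example (not from the article, and not Kaspersky's code), here is the kind of check a site owner can run against the link-injection pattern just described: parse a served page, list every external host referenced by script, iframe, link and anchor tags, flag those outside an allowlist, and keep a content hash so a scheduled run notices re-injection after a cleanup. The site hostnames and the sample pages are constructed for illustration.

```python
"""Flag injected third-party references in served HTML and fingerprint the page."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts this site legitimately references. Anything else is suspect.
ALLOWED_HOSTS = {"www.example-site.test", "cdn.example-site.test"}

# Tag/attribute pairs that commonly carry injected references.
REF_ATTRS = {"script": "src", "iframe": "src", "a": "href", "link": "href"}


class RefCollector(HTMLParser):
    """Collect (tag, url) pairs for the attributes listed in REF_ATTRS."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = REF_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.refs.append((tag, value))


def external_hosts(html: str) -> set:
    """Return hosts referenced by the page that are not on the allowlist.
    Relative URLs (no host) are ignored; protocol-relative '//host/x' is resolved."""
    parser = RefCollector()
    parser.feed(html)
    suspects = set()
    for _tag, url in parser.refs:
        host = urlparse(url).hostname
        if host and host.lower() not in ALLOWED_HOSTS:
            suspects.add(host.lower())
    return suspects


def page_fingerprint(html: str) -> str:
    """SHA-256 of the served content; compare across runs to spot re-infection."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


# Constructed samples: a clean page, and the same page with one injected script tag.
CLEAN = ('<html><head><script src="https://cdn.example-site.test/app.js"></script>'
         '</head><body><a href="/about">About</a></body></html>')
INFECTED = CLEAN.replace("</body>", '<script src="//bad-host.invalid/x.php"></script></body>')

if __name__ == "__main__":
    print("clean page, unexpected hosts:", external_hosts(CLEAN))
    print("infected page, unexpected hosts:", external_hosts(INFECTED))
```

Because the injection is seeded with stolen FTP credentials, cleaning the files without also rotating those credentials is what lets a site come back infected within hours.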
As usual, it was impossible to identify the criminal behind the site. Later, Kamluk explained how one ISP had managed to locate the command and control centre of a botnet of 53,000 machines. In theory, it would have been simple to inject a command into the network telling it to self-destruct and remove itself. However, those machines belong neither to Kaspersky nor to the ISP, and doing so would be interpreted as illegal access, so they could do nothing.
Servers, with their greater bandwidth, are much more attractive targets than home PCs; one server is often equal to 100 PCs in terms of capacity. One botnet, Gumblar, had 22,000 servers, enough to cripple major Internet infrastructure.
Kamluk and his team analysed the Gumblar code and found it had a backdoor. They were able to get in through the backdoor, hijack the command and control program and order the network to remove itself. Cleaning the 22,000 machines would have taken just minutes, but again, Kaspersky could not act, as none of the machines belonged to it and doing so would be illegal in most countries.
One thing that Kaspersky has been able to do under current laws is set up a server and wait for it to be infected; while the infection is taking place, researchers can learn in real time where the command and control signals are coming from. However, this is only a small part of the solution. Infection takes seconds, while locating and contacting the owner of the server used to infect the machine can take days or even weeks. Most compromised machines do not have log files, as the criminals want to hide their tracks.
Through the use of fake servers as targets, it is technically possible to attack and even crash the attacking server, but again this would be illegal.
"But despite all these limitations, we have one success story," he announced.
Two years ago, there was a malware called Shadowbot. The Dutch police contacted Kaspersky asking them to help clean out the botnet. Kaspersky declined, as it did not want to risk entering others' machines and the legal consequences, but it did put up a webpage with instructions on how to remove it and created a removal tool for the process.
The Dutch police got a warrant and used the botnet itself to redirect the browsers of all the infected PCs to this page so they could download the patch.
Was this legal? What if the PCs were outside the Netherlands? Kamluk said it was a big risk and nobody complained, but he declined to comment further and said that the police should be approached with this question.
"This was the first time in the industry where police used botnet resources for mitigation from within, and it worked very well," he said.
Kamluk said that on balance, the laws were hindering rather than helping the good guys, and aiding the criminals. With better laws, Kaspersky could disinfect hundreds of thousands of infected desktops in minutes. It could prevent attacks like Conficker. It could hijack command and control centres to find the location and identity of the system owner of Gumblar, and it could build fake targets to protect the Internet.
"Yes, we could, but unfortunately, we can't."