Malware detection and removal

Automagically

ClamAV

Install with:

$ sudo apt-get install clamav clamav-daemon

Check it has been installed:

$ clamscan --version

To update the signatures, first stop the clamav-freshclam service:

$ sudo systemctl stop clamav-freshclam

The actual update:

$ sudo freshclam

Restart the clamav-freshclam service:

$ sudo systemctl start clamav-freshclam

Make a first run with

  • --infected: prints only infected files

  • --remove: removes infected files

  • --recursive: all the subdirectories in the directory will be scanned

$ clamscan --infected --remove --recursive [absolute/path/to/directory/to/start/scan]

For example, scan your whole system by running the following command:

$ sudo clamscan --infected --recursive --remove /
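The steps above (stop freshclam, update, restart, then scan) are collected here into a small wrapper script. This is an added example, not part of the original page or of the ClamAV project; it assumes the Debian/Ubuntu clamav package with its clamav-freshclam systemd unit, and the QUARANTINE and LOGFILE paths are chosen for this example, not ClamAV defaults. It also goes one step beyond the page by using --move instead of --remove, so a detected file is kept for inspection rather than deleted, and it decodes clamscan's exit code (0 clean, 1 infected, 2 error) so the result of an unattended run can be acted on.

```shell
#!/bin/sh
# Added example, not part of the original page: a wrapper around the
# clamscan/freshclam steps above. It assumes the Debian/Ubuntu clamav
# package and its clamav-freshclam systemd unit; QUARANTINE and LOGFILE
# are paths chosen for this example, not defaults of ClamAV.
set -eu

QUARANTINE="${QUARANTINE:-/var/lib/clamav-quarantine}"   # assumed path
LOGFILE="${LOGFILE:-/var/log/clamscan-manual.log}"       # assumed path

# Refresh signatures as the page describes: stop the freshclam service so
# it does not hold the database lock, update, then start it again.
update_signatures() {
    sudo systemctl stop clamav-freshclam
    sudo freshclam
    sudo systemctl start clamav-freshclam
}

# clamscan's exit codes: 0 = nothing found, 1 = infected file(s) found,
# 2 = an error occurred (unreadable files, broken database, ...).
scan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Extract N from the "Infected files: N" line of clamscan's summary block.
infected_count() {
    sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p'
}

# Constructed sample of the summary clamscan prints at the end of a run,
# included only so infected_count can be exercised without a real scan.
SAMPLE_SUMMARY='----------- SCAN SUMMARY -----------
Known viruses: 8700000
Engine version: 1.0.0
Scanned directories: 12
Scanned files: 340
Infected files: 2
Data scanned: 15.00 MB
Time: 3.000 sec (0 m 3 s)'

# Scan TARGET. --move keeps infected files for later inspection instead of
# deleting them as --remove does; --exclude-dir skips /proc, /sys and /dev,
# which hold no regular files and only slow a whole-system scan down.
run_scan() {
    target="$1"
    out="$(mktemp)"
    rc=0
    sudo mkdir -p "$QUARANTINE"
    sudo clamscan --infected --recursive \
        "--move=$QUARANTINE" "--log=$LOGFILE" \
        --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' \
        "$target" > "$out" || rc=$?
    echo "scan of $target: $(scan_status "$rc"), $(infected_count < "$out") infected file(s) moved to $QUARANTINE"
    rm -f "$out"
    return "$rc"
}

# Usage: sh scan.sh run [directory]   (defaults to a whole-system scan)
if [ "${1:-}" = run ]; then
    update_signatures
    run_scan "${2:-/}"
fi
```

Run it as `sudo sh scan.sh run /home` for a single tree or `sh scan.sh run` for the whole system; the script's exit status is clamscan's, so a cron job or wrapper can treat 1 as "something was quarantined" and 2 as "the scan itself failed" rather than silently ignoring both.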

ClamTK

ClamTK is a graphical user interface for the ClamAV software program.

$ sudo apt-get install clamtk

Start it with

$ clamtk
Unable to read preferences! No such file or directory
note: (re)creating prefs file.

Beautiful. Add your preferences. And keep the signatures updated.

Manually

Basic checks

  • Check /etc/passwd for new accounts. New accounts you don’t recognise, especially ones with a UID less than 500, are very suspicious. If a new account with a UID of 0 is in the list, definitely check it out. Also look for orphaned files, indicators of an account that has been deleted (may take a while):

    $ sudo find / -nouser -print

  • Take a look at your processes with ps -aux, htop or pstree and look for anything unusual.

  • Boot the machine from a known safe live-CD image and scan for suspicious files with a rootkit scanner.

  • Check crontab: a keylogger may be relaunched regularly from a cron entry when it is shut off or when the system reboots.

  • Look at the email streams. When programs start sending email through an IP address other than your email server’s (if you have one), it might be something fishy. It can of course also be legitimate. Also consider that a keylogger might just log in to your email server with valid credentials and send email from there.
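The /etc/passwd checks in the list above, as an added example that is not part of the original page: functions that read a passwd file given as an argument, so they work on /etc/passwd of a running machine or on a copy taken from a disk mounted from a live CD. The 500 threshold is the one the page uses; the sample passwd content, including the account name svc-update, is constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original page: the account checks from the
# list above as functions over a passwd file. The sample content below is
# constructed; "svc-update" and "backup2" are invented names.
set -eu

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
svc-update:x:0:0::/tmp/.cache:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:498:498::/var/backups:/bin/sh'

# Print every account with UID 0 other than root. Any hit is a second
# superuser and deserves an immediate look.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print accounts whose UID is below LIMIT (the page uses 500) and whose name
# is not in BASELINE, a space-separated list of system accounts you expect.
low_uid_unknown() {
    file="$1"; limit="$2"; baseline="$3"
    awk -F: -v limit="$limit" -v base=" $baseline " \
        '$3 < limit && index(base, " " $1 " ") == 0 { print $1 }' "$file"
}

# Print account names present in CURRENT but absent from KNOWN, e.g. a copy
# of /etc/passwd saved right after installation versus the one on disk now.
new_accounts() {
    known="$1"; current="$2"
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' \
        "$known" "$current"
}

# Files owned by a UID or GID that no longer exists: the page's
# "find / -nouser" check, kept to one filesystem so it finishes sooner.
orphaned_files() {
    sudo find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
}

# System-wide cron entries plus every user's crontab, for the crontab check.
list_cron() {
    cat /etc/crontab /etc/cron.d/* 2>/dev/null
    cut -d: -f1 /etc/passwd | while read -r u; do
        sudo crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"
    done
}
```

Typical use is `extra_uid0 /etc/passwd`, `low_uid_unknown /etc/passwd 500 "$(cut -d: -f1 /etc/passwd.clean | tr '\n' ' ')"` against a saved clean copy, and `orphaned_files /` which, as the page warns, may take a while.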

Check for keylogger

A trick to try if a keylogger is present:

  • Type a random unique string on your keyboard in the live running machine.

  • Reboot the machine from a known LiveCD or LiveUsb and grep for that string.

  • Find out where the string is stored, and you may have the temp file of the keylogger.

  • Check the folder it is in, and check the folders upward in the tree.

Remove

  • There’s no general recipe. The detection steps above at best give clues for (further research into) what to remove and where. Try DuckDuckGo to access the wisdoms on the internet.

  • If your system has been infected by an unknown trojan, reinstall. To make this experience an enjoyable event if and when it happens, reinstall from the regular backups made on an external disk.

  • If a VM was infected, revert to an earlier snapshot that you think was clean or import an earlier exported .ova of it. This will probably not help if the host was reached, of course.

Fail

It is possible for malware to persist across a re-format and re-install if it is sufficiently ingenious and sophisticated: if, for example, it can persist in the BIOS, in the firmware of peripherals (some hardware devices have firmware that can be updated, and thus could be updated with malicious firmware), or as a virus infecting data files on removable storage or on your backups.

However, most malware doesn’t do anything quite this nasty. Therefore, while there are no guarantees, re-formatting and re-installing should get rid of almost all malware you’re likely to encounter in the wild.