Virus-Hunting Knoppix Gives Windows Machines the Once Over

By Carla Schroder | Aug 3, 2004 | Print this Page
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3389801/VirusHunting-Knoppix-Gives-Windows-Machines-the-Once-Over.htm

Before we get into the fun stuff, let's talk a bit about the changed nature of spam and viruses. Organized crime has discovered the wonderful benefits of spam. I'll wager that most spam these days is not about selling products at all, but identity theft. Oh, I imagine that a few legitimate pr0n purveyors are still spamming their wares, but the real money is not in discounted drugs, or super cheap software, or low mortgage rates, or bogus college degrees, or anti-virus software, or online "security audits," or free credit cards, or enhanced body parts, or guaranteed real estate investing, or beat the casinos, or lose weight magically. No, it's all about getting hold of your personal information: name, credit card numbers, Social Security number, date of birth, and anything else they can glom.

In the interests of fairness, and simple security measures, I should point out that it is not Microsoft's fault that the world of full of rotten sociopaths and lazy, careless users.
And of course phishes are spewing forth at an all-time high volume. And why not? They work. Again, the goal is identity theft. This article says spam accounts for 82% of all email volume. And the real story is buried in the second-to-last paragraph:
"Virus writers began teaming up with spammers last year, and so far it's been a dangerous combination. Virus writers send out malicious code that infects computers and opens a back door in the machine. A hacker then can use that back door to remotely control the computer, sending out more viruses, Denial of Service attacks or millions of pieces of spam."

Spam + Virus + Windows = Mass Contagion
Well I don't know about you, but I think that's pretty darned alarming. (Of course you faithful Crossnodes readers knew about this yummy new trend early last year; see Resources.) And the other bit that's important to keep in mind is those are compromised Windows PCs being exploited with ridiculous ease. Not Mac, not OS/2, not Amiga, not Linux, not Unix, not the BSDs, not Solaris or SunOS, not BeOS, not even DOS.

How many owned Windows boxen infest the planet, spewing forth contagion 24x7 on fat cable and DSL pipes? I've seen numbers from 400,000 to millions. Who can say? But we can sure see the results in our inboxes, and the effect on the Internet. How many times has Microsoft promised to make security a priority? Let me count the ways:

I wish I still had those amusing Microsoft press releases going back to 1997, where they solemnly promise to make security a priority. Here is one that promises "state-of-the-art security innovations" for Internet Explorer 4.0. I guess the later versions had other priorities.

In the interests of fairness, and simple security measures, I should point out that it is not Microsoft's fault that the world of full of rotten sociopaths and lazy, careless users. Get a grip, folks - don't use Outlook, Outlook Express, or Internet Explorer; that takes care of 90% of your Windows security problems right there. Use Eudora, Pegasus, the Bat, Opera Mail, or Mozilla Mail. For Web browsers, use Opera, Mozilla, or Netscape. Sheesh, they're free! What's the problem?

Continued on page 2: Using Knoppix to Hunt the Bugs

Continued From Page 1

Virus Scanning With Knoppix
Well OK, ranting is fun and cathartic, but it doesn't solve problems. Knoppix, the live Linux on a bootable CD, is proving to be the most innovative, useful Linux distribution there is. Starting with Knoppix 3.4, you can use it as a portable, cross-platform virus scanner. The advantages of this are many:

  • You are working from a guaranteed clean operating system, which being on a non-writable disk, is impossible to compromise
  • Because you must power down the PC to boot Knoppix, any memory-resident nasties are evicted
  • It is free, so you can burn masses of disks, and go on a virus-scanning spree

Scanning a Windows system with Knoppix before you install something like Symantec or MacAfee means you'll be scanning with the latest virus updates. Most commercial AV products can do a pre-installation scan from the installation disks, but they are months or more out-of-date.

How To Do A Virus Scan With Knoppix
Boot up the system with Knoppix 3.4. The default keyboard layout is in German, so English speakers might want to use this boot command:

knoppix lang=us

Hit F2 or F3 to see all the boot-time command options; Knoppix supports a number of languages, and a large number of boot configurations.

When Knoppix is booted, select KNOPPIX -> utilities -> install software. This brings up a menu; check "f-prot."

After f-prot is installed, select KNOPPIX -> Extra Software -> f-prot. This brings up the f-prot menu; the first thing you want to do is 4. "Online Update."

After the new virus definitions are downloaded, select partitions or directories to scan. Yes, you can select Windows partitions too. Knoppix automatically mounts all partitions on your system, so you can easily select the ones you want. Hit the "scan" button, and go find something to do, because it can take awhile. When it's finished, you'll see a report showing the results of the scan. This method only runs a scan, it does not remove viruses.

Disinfecting Windows With f-prot
What should you do if f-prot finds infected files on a Windows system? If the filesystem is NTFS, f-prot cannot disinfect the system, because write support for NTFS in Linux is not reliable, so you don't even want to try. You'll need an AV product made for Windows.

You can scan and clean up a Windows FAT16/32 partition, by running f-prot from the command line instead of the graphical menu. First, make sure the partition is mounted read/write; simply right-click on the icon for the drive, which is on your Knoppix desktop, and left-click Actions -> Change read/write mode.

Next, open a command shell and run this command, naming of course the partition you want scanned:

$ f-prot -disinf -list  /mnt/hda1

The -list option shows the scan's progress, and the -disinf option will disinfect the system. And that's all there is to it. If f-prot encounters something it cannot clean up, it should be able to quarantine it.

f-prot has a Windows edition for $29, and very liberal licensing terms for home users- it covers all your home computers. There is also a free Linux workstation edition; sure, we can mock and abuse Microsoft all we want to, but all it takes is one evil genius to write a lethal Linux exploit, and hordes of happy script kiddies to distribute it all over the planet in a heartbeat.

Many thanks to Fabian Franz for creating the f-prot installer for Knoppix. Mr. Franz is a Knoppix developer.

Resources