Malware Removal
This document describes a particular abnormal system behavior in which standard applications such as FTP or SSH servers are offered from ports that are not the default port for these services.
Generally speaking, network applications have specific TCP/UDP port numbers reserved for them by Internet numbering authorities. For example, the registered ports for FTP are 20 and 21 while SSH is assigned 22. Unauthorized parties have been known to run these services on other ports for such purposes as the dissemination of copyrighted material or to launch further network attacks. Such malware is often included within the payload of more traditional Internet viruses and worms.
Non-standard port detection methodology
NUIT uses a number of passive detection and data collection techniques from a wide variety of credible sources to determine when a host is compromised or participating in malicious behavior. False positives should be rare. The following are the types of alerts we are currently using:
- FTP Server on non-standard port - Host was observed sending FTP server control messages from some TCP port other than 21.
- SSH Server on non-standard port - Host was observed sending an SSH server string from some TCP port other than 22.
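Both alert types above amount to the same passive check: a host sends a server-side protocol greeting from a TCP port other than the registered one. The following is an added illustration, not NUIT's detection code, of how such a check can be applied to flow records. It assumes a record format (the `FlowRecord` class below, with a `from_responder` flag marking which side accepted the connection) and uses constructed sample traffic; the direction flag matters because an SSH client sends an identification string that looks identical to the server's, and the FTP "220" greeting is also used by SMTP, so both need to be distinguished to keep false positives rare.

```python
"""Passive detection of FTP/SSH servers on non-standard ports.

Added example, not part of the original page. Scans constructed flow records
of the first bytes each side sent on a TCP connection and flags hosts that
answer with an FTP server greeting or an SSH server banner from a source port
other than the registered one (21 for FTP control, 22 for SSH).
"""
import re
from dataclasses import dataclass

# Registered server ports named in the text.
REGISTERED_PORTS = {"FTP": 21, "SSH": 22}

# SSH: both peers send "SSH-<protoversion>-<software>", so the banner alone
# does not say which side is the server; connection direction is needed.
SSH_BANNER_RE = re.compile(rb"^SSH-\d+\.\d+-")
# FTP: the server greets the client with a 3-digit reply code, normally 220.
# SMTP servers also greet with 220, so greetings that name SMTP are excluded.
FTP_GREETING_RE = re.compile(rb"^220[ -]")
SMTP_MARKER_RE = re.compile(rb"E?SMTP", re.IGNORECASE)


@dataclass(frozen=True)
class FlowRecord:
    """Assumed record shape: first payload bytes one side sent on a connection."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    from_responder: bool  # True if src_ip is the side that accepted the TCP connection
    payload: bytes


def classify_server_payload(payload: bytes):
    """Return 'SSH', 'FTP', or None for a payload sent by the accepting side."""
    if SSH_BANNER_RE.match(payload):
        return "SSH"
    if FTP_GREETING_RE.match(payload) and not SMTP_MARKER_RE.search(payload):
        return "FTP"
    return None


def detect_nonstandard_servers(records):
    """Return one alert per (host, service, port) seen on a non-registered port."""
    alerts, seen = [], set()
    for rec in records:
        if not rec.from_responder:
            continue  # client-side banners (e.g. an SSH client) are not servers
        service = classify_server_payload(rec.payload)
        if service is None or rec.src_port == REGISTERED_PORTS[service]:
            continue
        key = (rec.src_ip, service, rec.src_port)
        if key not in seen:
            seen.add(key)
            alerts.append({"host": rec.src_ip,
                           "alert": f"{service} server on non-standard port",
                           "port": rec.src_port})
    return alerts


# Constructed sample traffic (private addresses, made-up banners).
SAMPLE_RECORDS = [
    FlowRecord("10.0.5.12", 2222, "10.0.9.40", 53122, True, b"SSH-2.0-OpenSSH_4.7\r\n"),
    FlowRecord("10.0.5.13", 22, "10.0.9.41", 53123, True, b"SSH-2.0-OpenSSH_4.7\r\n"),
    FlowRecord("10.0.9.42", 51000, "10.0.5.13", 22, False, b"SSH-2.0-PuTTY_Release_0.60\r\n"),
    FlowRecord("10.0.5.14", 8021, "10.0.9.43", 53124, True, b"220 ProFTPD Server ready.\r\n"),
    FlowRecord("10.0.5.15", 21, "10.0.9.44", 53125, True, b"220 (vsFTPd 2.0.5)\r\n"),
    FlowRecord("10.0.5.16", 2525, "10.0.9.45", 53126, True, b"220 mail.example.edu ESMTP\r\n"),
    FlowRecord("10.0.5.17", 8080, "10.0.9.46", 53127, True, b"HTTP/1.1 200 OK\r\n"),
    FlowRecord("10.0.5.12", 2222, "10.0.9.47", 53128, True, b"SSH-2.0-OpenSSH_4.7\r\n"),
]

if __name__ == "__main__":
    for alert in detect_nonstandard_servers(SAMPLE_RECORDS):
        print(f"{alert['host']}: {alert['alert']} (TCP {alert['port']})")
```

Run against the sample records, only the SSH server on 2222 and the FTP server on 8021 are reported; the SSH client banner, the SMTP greeting on 2525 and the HTTP response are ignored, and the repeated connection to 10.0.5.12 produces a single alert.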
Cleaning a compromised system
Once a host is compromised with a worm, bot, spyware or other unwelcome activity, the entire system is then suspect. The only sure way to restore to a trustworthy configuration is to rebuild the system from known authentic media, such as the operating system installation CDs that came with the system. Unfortunately this is often extremely inconvenient for many end users. Removing only the malicious components and configuration is an acceptable, but often imperfect, alternative.
A number of vendors and sites provide tools and methods to clean a system that has been compromised by a worm or other malicious software. It is often best to use more than one tool or technique to increase the chances of having successfully removed all signs of an infection from a system. The following is a list of links to sites that provide free software tools that can be downloaded and run on an infected system:
Important: Immediately after your system is believed to be clean again, you should change your passwords on any system you've used recently. This includes your NetID. You may also want to verify any financial activity in your name if you use your system to conduct business online.
Preventive Measures
To help prevent your system from being compromised or attracting malicious software in the future:
- Keep your system and applications up-to-date.
- Be wary of any attachments, media, or software distributed to you online.
General Networking Support
Last Updated: 09 June 2008