Cleaning malware while travelling: A case study

I have been on the road for the past few months and using plenty of Internet Cafes for all my digital endeavours. As a result, the USB sticks I use to save my pictures, documents, etc. while I travel have been infected with all sorts of malware.

Malware that is obvious is the least dangerous kind. It means its creators are not organised or skilled enough. The truly worrisome malware is invisible. You don't know you have it, but it quietly monitors all your actions.

So I was intrigued when my USB stick started displaying typical silly malware behaviour. The folder icons in Windows changed – they were not “shortcuts to folders”; they really pointed to executables somewhere deep in System32 that would do their nastiness and then show you the contents of the intended folder. Other than that, everything looked normal.

Well, it was obvious malware was there and the USB stick was infected. Antivirus software installed in public Internet Cafe PCs could not detect or clean it, so I had the pleasure of doing it manually. Here is how:

  1. Get a system you can trust not to lie to you – to show you the absolute truth and nothing but the truth. A pristine Linux installation does just that, and unless you happen to have a netbook with Linux installed with you while travelling, creating a bootable Ubuntu Linux CD or USB stick is your best bet. The computers I had access to were ancient and could not boot (start) from a USB stick, so I had to create a bootable Ubuntu CD following the steps detailed at http://www.ubuntu.com/download/ubuntu/download
  2. Now you are using a computer you can trust. Plug in the infected USB stick. You will probably see all sorts of new files there, stuff you haven't put there. Delete them one by one. In my case I had filenames starting with “._”, others starting with dot-space, all sorts of tricks that make files harder to view and control on Windows or Macintosh machines. After you have deleted all files that don't belong to you, check for an autorun.inf that tries to execute the malware when the USB stick is connected to a computer. If it's there, either edit out the malware items or simply delete it (which is what I did).
  3. Next, I had a surprise waiting for me as I connected the now clean USB stick to a Windows computer – I could still not see my original folders! The reason is that the malware had hidden the folders by changing their attributes to /system and /hidden – so Windows Explorer does not display them by default. This can be corrected from a Command Prompt (Start -> Run -> cmd) by changing directory to the USB stick and using the “attrib” command. My original folders were “pics”, “stuff”, “maps”, “portable”, “truecrypt” etc., so I issued the following commands to mark them as NOT hidden and NOT system folders:
  • attrib -H -S /D /S pics
  • attrib -H -S /D /S stuff
  • attrib -H -S /D /S maps
  • attrib -H -S /D /S portable
  • attrib -H -S /D /S truecrypt
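As an added example that is not part of the original post, here is a POSIX shell script to run from the Ubuntu live CD that automates the looking-around of step 2: it reports an autorun.inf, names starting with “._” or dot-space, and top-level executables or shortcuts that shadow a folder of the same name (the fake folder icon trick). The mount point /media/usb is an assumption; the script only reports and deletes nothing.

```shell
# Usage: triage_stick /media/usb   (stick mounted, ideally read-only, on the live CD)
# Prints one "FINDING:" line per artefact plus a summary; exit status is always 0.
triage_stick() {
    dir=$1
    n=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # 1. autorun.inf: what Windows would launch when the stick is plugged in.
    if [ -f "$dir/autorun.inf" ]; then
        echo "FINDING: autorun.inf present, contents:"
        sed 's/^/    /' "$dir/autorun.inf"
        n=$((n + 1))
    fi

    # 2. Names seen in the post: "._" prefix and dot-space prefix, anywhere on the stick.
    find "$dir" \( -name '._*' -o -name '. *' \) -print |
        sed 's/^/FINDING: odd name: /'
    n=$((n + $(find "$dir" \( -name '._*' -o -name '. *' \) -print | wc -l)))

    # 3. Top-level executables/shortcuts that shadow a directory of the same name,
    #    e.g. "pics.exe" next to "pics/" (the folder icon that is really a program).
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        base=$(basename "$f")
        ext=$(printf '%s' "${base##*.}" | tr 'A-Z' 'a-z')
        case "$ext" in
            exe|scr|com|lnk|pif|bat) ;;
            *) continue ;;
        esac
        stem=${base%.*}
        [ -d "$dir/$stem" ] || continue
        echo "FINDING: folder impersonator: $base shadows $stem/"
        n=$((n + 1))
    done

    echo "findings: $n"
    return 0
}

# Number of FINDING lines, for a quick "is it clean yet?" check (0 means nothing found).
triage_count() {
    triage_stick "$1" | grep -c '^FINDING:' || true
}
```

Run it before and after the manual clean-up; a count of 0 on the second run means the artefacts this post describes are gone, not that the stick is guaranteed clean.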

Et voila! All was visible, usable and normal again.

Goodbye silly piece of malware!

How I managed to donate to OpenStreetMap

Using Internet cafe computers while travelling can be a proper nightmare. I know of people who got so fed up with fighting to clean their USB sticks from viruses all the time that they bought a netbook to use while travelling.

As I have been travelling by bicycle for a few months now, I am very careful about what I carry. Weight and space are at a premium. So I have tried as hard as possible to resist buying a netbook just to avoid using Internet Cafes. I am well aware of the risks I am taking, but for the time being I still find using Internet Cafes borderline worthwhile. It also helps that my trip will finish in less than 2 months, so by this point the investment in a new netbook is just not worth it.

So I use Internet Cafes around Chile and Bolivia. I have seen a couple of well maintained machines (the pinnacle of which are the Ubuntu machines in Rancagua's bus terminal!), but the overwhelming majority of them are in an appalling state. Illegal copies of Windows XP, not receiving updates, with illegal copies of antivirus software not receiving updates, etc etc… all wrong. Using such machines feels like digging with your bare hands in a patch of mud right after you have seen a flock of sheep relieve themselves on it.

Such a machine gave my USB stick a virus that hid my folders and replaced them with executables. It replaced folder icons with its own shortcuts to ensure you were tricked into executing it with your current privileges every time you wanted to access a folder on the USB stick.

Tricking the user into executing script by double-clicking on a "folder" icon

The antivirus software of public machines proved useless – it did not even detect anything. I had no idea what this virus (call it malware, call it trojan, I don't really care exactly what genre it falls in) actually does. But I will assume the worst. It eavesdrops on my every keystroke, steals my passwords, my credit card information etc.

As it happens I really wanted to donate some money to the OpenStreetMap Hardware Upgrade Fund, but I didn't want to jeopardise my credit card information. I needed to use a computer I could trust not to steal my credit card information. Here is how I created one:

  1. I found a computer with what seemed like a decent Internet connection with Mozilla Firefox installed. On Firefox, I installed my favourite download manager as an extension – DownThemAll!. Great, I can now make massive downloads easily.
  2. I downloaded the latest Ubuntu ISO file with DownThemAll. It's a large file (700MB) so a download manager is necessary – otherwise you run the risk of the download hiccuping and getting corrupted if the network link goes down for a few seconds. It can also be faster to use DownThemAll, as it downloads multiple segments of the file at the same time. After a couple of hours I had an Ubuntu ISO file on the (probably infected with malware) computer I was using.
  3. I then created a bootable Ubuntu USB drive following the instructions on http://www.ubuntu.com/download/ubuntu/download. Unfortunately this did not help my cause, because the public computers I could reboot and attempt to boot from USB were so old that they did not support booting from USB! (we are talking 2003-era hardware, not exactly top-end for its time either…) So my only remaining option was to burn the ISO to a CD. I bought a blank CD, burned the ISO on it, and then booted one of the computers I had access to from the CD.
  4. Success! I was now booted into an operating system I could trust not to be infected, since Windows viruses on the computer cannot jump into the Ubuntu Linux environment started from a CD. I was able to simply open a web browser and provide my credit card information for my OSM donation in confidence.

So there you have it. If you are travelling and concerned about your passwords or other sensitive information (and you should be!) this is a method of getting a system you can trust. It does suppose that you have access to a computer you are allowed to restart and boot from removable media, but hotels/cafes around Chile seem to be quite laissez-faire about allowing people to restart their computers.