Re: More along the lines of malware disinfection

"Mike Moratz-Coppins" <mike@xxxxxxxxxxxxxxxx> wrote:

> Ansgar -59cobalt- Wiechers wrote:
>> Well, some of us just don't consider botnets acceptable. Apparently you
>> have a different opinion on that.
>
> Neither do I. I just don't think it is necessary in a lot of cases to wipe everything out in order to get rid of a malware infection.

Sorry, I've got to disagree with you on this one. You should have backups of users' data files and should be able to scan those before restoring, but here's the thing: unless you reinstall that system, you do NOT know that it's no longer compromised. As a very simplified example, suppose a given piece of malware did, among other things, the following:

1. Sent keylogs via the user's e-mail client to an external address. Just once, even; say 24 hours after infection.
2. Sent the next round of keylogs to a text file buried in the directory structure on the computer, in an innocuously-named file. Let's say this one happens at 48 hours post-infection.
3. Sent a third round of keylogs via a port that gets opened at 72 hours post-infection.
4. Created a .cab file containing the next round of keylogs at 96 hours post-infection.
5. Repeated 1-4 for as long as the malware was resident on the computer, changing file names and locations (where applicable) with each run.
6. Searched for writeable files on the computer and modified each one of them (something as simple as adding a space or a CRLF or whatever) so as to change the last modified date on the files.

Now, after you run all of your various scanning tools, are you also looking at every single file to find each file that was created or modified after infection? Do you even know the actual infection date? If yes to both, are you looking at every single file? Do you know that the keylog content wasn't put into an existing file so as to avoid being noticed on a creation-date scan? Do you know whether or not the user's credentials have been captured many times over and sent to an outside location? Do you know whether or not part of the malware's function was to create an additional account on the computer after capturing your user's credentials (which are more likely than not to have excessive privileges on the local machine), store content in that new user's context, encrypt the content, export the keys and then delete the account? Do you know whether the malware has changed the Zone.Identifier file stream on an innocuous-looking file that's named after an existing file on the user's machine, but also includes simple functionality such as opening a connection to an Internet site and pulling down malicious content all over again? I can go on and on here, obviously.

This is a very *un*creative scenario, btw. However, based on what you've said on this list today, I'm betting that this scenario would have been successful on at least one of those machines that you didn't think needed to be reinstalled.

> I am perfectly aware that malware with rootkit-style capabilities can render security tools useless; however, I don't think I've yet seen a case where every technique/tool I use has come up with negative results when there are still symptoms of an infection.

Not all infections display symptoms, particularly to somebody who's returning the infected machine to the user and walking away. And we all know that users typically don't notice infections until they've become blatantly obvious and have run the machine into the ground from a performance perspective or are popping up pr0n windows all over the place (which smart malware wouldn't).

> Of course, I haven't yet been called out because a customer hasn't noticed any symptoms of a system infection. I'm perfectly willing to accept the possibility that a "100% undetectable" rootkit has slipped by me at some point; after all, it could be on my system right now. It could have been on that customer's system when all they asked me to do was fix their printer problem.

Yes, it could. However, if you've been called in to fix an infected system, then your responsibility is to clean that system, not perform a "best effort based on what I know today" "cleaning".

> Furthermore, I think if you take your point of view through to its logical conclusion, you should be reinstalling all of your systems (and any system you ever administrate) on an extremely regular basis. Good luck with that.

Please don't be offended by this, but I'm guessing you've not worked in enterprise environments. Regular reinstallation of systems is exceedingly common in large corporate environments. Hardware lifecycle alone may dictate this, but it's just as likely that it's a matter of course whenever a user's machine goes "wonky". I've worked with and for some of the largest companies in the world, and I've seen this in all of them. The only place I *don't* see regular reinstallation is in very small environments, such as my parents' home (actually, I take that back; I regularly reinstall my mother's machine whenever I visit my parents), or environments that are managed by people who probably shouldn't be managing them because they think they can "clean up" an infected machine rather than rebuilding it.
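A constructed illustration of the triage problem raised in the scenario above, added here and not part of the thread: the file tree, paths, timestamps and the "captured keystrokes" marker are all made up, and the function names are hypothetical. It runs the naive "modified after infection" check and a known-good hash manifest check against the same simulated tree and returns what each one flags.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class FileEntry:
    path: str
    content: bytes
    mtime: int  # constructed seconds-since-epoch value, not a real timestamp

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files):
    """Known-good baseline: path -> content hash, recorded before the infection."""
    return {f.path: digest(f.content) for f in files}

def mtime_triage(files, infection_time):
    """The 'created or modified after infection' check discussed in the thread."""
    return sorted(f.path for f in files if f.mtime >= infection_time)

def manifest_triage(files, manifest):
    """Compare the current tree with the baseline: (new paths, content-changed paths)."""
    current = {f.path: digest(f.content) for f in files}
    added = sorted(p for p in current if p not in manifest)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return added, modified

# Constructed pre-infection tree; paths, contents and times are made up for this example.
CLEAN = [
    FileEntry("docs/report.txt", b"Q3 numbers", 1000),
    FileEntry("docs/notes.txt", b"meeting notes", 1100),
    FileEntry("app/config.ini", b"[main]\nverbose=0\n", 900),
]
INFECTION_TIME = 2000

def simulate_scenario():
    """Post-infection tree following steps 2 and 6 of the scenario above (constructed)."""
    infected = []
    for f in CLEAN:
        content = f.content + b"\r\n"  # step 6: a trivial edit to every writable file
        if f.path == "docs/notes.txt":
            content += b"[captured keystrokes]"  # log hidden inside an existing file
        infected.append(FileEntry(f.path, content, 3000))
    # step 2: a new, innocuously named file; the name is a constructed placeholder
    infected.append(FileEntry("app/cache/thumbs.db", b"[captured keystrokes]", 3000))
    return infected

def compare_triage():
    """Run both checks on the simulated tree: (mtime hits, new files, changed files)."""
    infected = simulate_scenario()
    added, modified = manifest_triage(infected, build_manifest(CLEAN))
    return mtime_triage(infected, INFECTION_TIME), added, modified
```

Both checks flag every file once step 6 has run, so neither tells you which of them actually carries the captured data; only a tree rebuilt from known-good media is outside that question.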
