RE: More along the lines of malware disinfection
- From: "Murda Mcloud" <murdamcloud@xxxxxxxxxxx>
- Date: Fri, 28 Mar 2008 12:22:41 +1000
> They are both connected to an increasingly hostile network

This is a great point. Spyware etc. is dollar driven as someone else pointed out, and the spy/malware does appear to be getting better at remaining hidden and sometimes no longer has 'symptoms' (in the traditional 'slow your machine down and do weirdness' manner) because the code behind it is increasingly well written and able to survive for longer within a functioning OS.
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Mark Brunner
Sent: Thursday, March 20, 2008 9:21 AM
To: 'Ansgar -59cobalt- Wiechers'; focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: More along the lines of malware disinfection
Couple of points that should be clarified here. Casual personal use of a computer is subject to the same conditions and considerations as dedicated, business use, for the same reasons and with the same or worse consequences. They are both connected to an increasingly hostile network, and the home user has the disadvantages of not having staff or technology dedicated to detection and prevention, or even monitoring and logging.

Spam-bots may not be a major concern for the typical home user as they are not feeling much of a hit because the attacker is simply using their PC resources to victimize others. Until they are so spyware laden that the system starts to under-perform. Consider the simple mass-mailer virus that is searching your customer's hard disk for credit card information, tax return files, personal correspondence of a, well, *personal* nature, surfing habits, use as a storage medium for the attacker's kiddie-porn of choice, or other things that the user would prefer to not make public.

Now this may have some relevance to the user whose system has been compromised. Potential real dollar and legal fee relevance. The simple "ha ha, gotcha" nuisance virus that you detect with your trusty anti-virus toolkit after it has been there for a day or three may actually be a downloader Trojan that has grabbed who knows what from who knows where, leading to the introduction of the as yet undetected mass-mailer. The mass-mailer may be stealthy (most are now) and may even be memory resident only, or load on a schedule and kill itself upon exchanging data with the mothership, so as to minimize its chances of being noticed and removed. If it is programmed with rootkit functionality, it may load before the operating system and simply not have to hide at all.

With keylogging and screen scraping functionality, it could keep up to date on their latest doings with ease. What would it be worth to you for the attacker NOT to show the wife those pictures that Betty-Lou down the road just shared with you on You-Tube? Wouldn't the government be interested in your REAL taxable income? How far could an attacker exploit your ID with your SIN, budgeting spreadsheets, remote access to your workplace if you use VPN, bank account details, copy of tax returns, calendar showing birthdays, personal correspondence and even a copy of your Internet Favorites? Oh, and that encryption program that you installed to hide all of those files? Well, the attacker has the password captured by the keylogger, and live access to the system through the backdoor shell that tells them when you are actively online...

More and more, malware authors are moving to targeted attacks, where they research their victims, get to know who emails them, what sort of programs they are likely to be interested in, and provide a spoofed email or instant message from what appears to be a real-world employer, relative, friend or acquaintance that is in actuality a Trojan Horse program. The author is motivated by money, and spam generation is just one method that can earn them a dollar. It is not the only game in town.

But not to worry, your Anti-Virus engine of choice catches all of those simple viruses that are used to download the more complex programs. AS LONG AS IT HAS A SIGNATURE FOR IT. Signatures are released well after at least someone has seen the damage. Should your customer be that person?

Security is not something that can be applied in percentages. You are never 50% secure. You might measure your RISK with a percentage, but that is an exercise you will need to understand more fully to properly employ.

Basically, if a system has been compromised, it is no longer under your (or your customer's) control. Simple viruses are not common these days. Attacks take place daily, and they are performed by motivated people. If you want to properly protect your customers, understand the motivation of the attacker, and then understand his methods of operation. You will eventually understand that the only way to protect a compromised system is to return it to a trusted state. Fdisk, format and start again.

Ghost and other programs like it are cheap. Get the customer used to using one of them, or offer them a service to do it for them every second Wednesday of the month (after you patch their systems, of course, which is another service you should offer them). Educate them in why this is a good idea, ESPECIALLY for those poorly protected, seldom updated home PCs that connect them to the office on occasion.

Oh, and if this sounds like scare tactics, marketing hype or just plain FUD, no, I no longer work for an Anti-Virus company. I am involved in internal Incident Response. I re-image my home systems on a regular schedule, compromised or not...
Cheers,
Mark
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Ansgar -59cobalt- Wiechers
Sent: Wednesday, March 19, 2008 4:33 PM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Re: More along the lines of malware disinfection
On 2008-03-19 Mike Moratz-Coppins wrote:
> Ansgar -59cobalt- Wiechers wrote:-
>> On 2008-03-18 Mike Moratz-Coppins wrote:
>>> I should point out one factor which I think makes a large difference
>>> in the approach that one might take in encountering a security issue
>>> - the vast majority of my customers are home users who just casually
>>> use their machine.
>>
>> You do realize that significant amounts of spam are deployed through
>> zombified computers of exactly these "home users who just casually use
>> their machine", don't you?
>
> Yes, I am aware of that.
>
> [...]
>
>>>> 2) Jon's point about reliability here is very key to the
>>>> discussion. It is COMPLETELY irresponsible to warrant to a customer
>>>> that you can certify a system safe after it has been infected with
>>>> any manner of control-compromising code that has gone
>>>> undetected/untreated for a period of time.
>>>
>>> Do you see this as applying in a joe average home user scenario?
>>
>> Even if he doesn't, I do. Unless you can determine without any doubt
>> when and how the machine was compromised, and what exactly was
>> altered afterwards, the only reasonable and responsible way to deal
>> with the problem is to backup the data and reinstall the machine.
>> Period.
>
> Well, I guess we'll just agree to disagree then. I can't see how one
> can make the distinction between "just a simple virus" and "a system
> security compromise"

Then you failed either to read or to understand what I wrote above. You
can make the distinction if you are able to determine when and how the
infection occurred, and what was altered afterwards.

If you are not able to determine all of the above, you cannot make the
distinction, and thus MUST assume the worst case. That's common sense,
and I fail to see what is so hard for you to understand about this.

> considering if "just a simple virus" is allowed to infect a system,
> then it may as well be a system security compromise,

Ummm... yes?

> and that (going by the logic that some people on this list are
> employing), just removing "a simple virus" cannot possibly reassure
> one that there isn't something more sinister lurking around the
> system, then as soon as any form of malware is found, then the logic
> of a lot of people on this list dictates that the computer must be
> wiped and clean-installed.

Unless you are able to determine what infected the system, when the
infection occurred, and what was tampered with after the infection. Like
I've said before.

> I don't think (as far as the usual scenarios that my work takes me
> to) that a wipe and new install is the appropriate thing to do most of
> the time. Most of my reasons are practical-reality reasons, not "100%
> security" reasons:
>
> 1 - Many customers have computers that it would be difficult to
> perform an on-site reinstall on. For example, they might not have
> any/all discs for the machine, they only have one machine, etc.

And that makes leaving the machine a potential spam-bot acceptable how?

> 2 - Many customers have families (or 'need' the machine on a
> day-to-day basis) e.g. with the school kids doing their homework on
> the machine, and so the machine disappearing for a few days for me to
> do the installation with all the resources I have available at home
> would be highly inconvenient for them.

And that makes leaving the machine a potential spam-bot acceptable how?

> 3 - Many customers have pirated copies of software that they're using
> (e.g. MS Office), and as I have a policy of not installing pirated
> software for customers, I'm then inconveniencing them by wipe-installing
> their machine and they don't have the CD for MSO anymore, for example.
> Some customers might also have bought software online and not have the
> product keys anymore because they deleted the e-mails containing those
> product keys.

And that makes leaving the machine a potential spam-bot acceptable how?

> 4 - Some customers aren't so well off as other customers, and the cost
> of doing a reinstall is somewhat more than my average bill for removing
> malware.

And that makes leaving the machine a potential spam-bot acceptable how?
Fixing a car costs money, too. Do you actually believe that it's okay
for people to drive around with malfunctioning brakes, just because they
can't afford to get them fixed?

> I'm sure that some of you will answer these scenarios along the lines
> of "aww, diddums" to the customer and still insist that the need for
> "100% security" overrides the needs of my customers, which is why I've
> said that we should agree to disagree about this.

Well, some of us just don't consider botnets acceptable. Apparently you
have a different opinion on that.

> At the end of the day, if a customer asks me to remove malware, I will
> investigate manually (e.g. in the registry) for it, use virus/spyware
> scans to help pin it down and any remaining traces of it, and check in
> other ways (such as monitoring TCP/IP connections with netstat and
> tcpview, filemon, regmon, spybot and rootkitrevealer, and even
> watching the network activity light on the machine/router). I finish
> the appointment when I am confident that the problem has been solved.

And you actually believe that going through that whole procedure will
cost you less time than reinstalling the box? Don't make me laugh. BTDT,
and it takes considerable amounts of time to do it right. And even then
you can't be sure you didn't miss something, because it's pretty hard,
if not impossible, to prove the absence of something.

> While there is a possibility that there could be "undetectable
> malware" on the machine, I believe that, as a general policy, assuming
> there is without any trace of evidence whatsoever is pure paranoia.

*sigh*

The evidence is there. The system was demonstrably infected, and unless
you can prove that nothing else had been modified/installed/etc. you
cannot rule out that possibility and thus MUST assume the worst case.
That's not paranoia, but common sense.

> There are situations where I have wipe-installed a machine because of
> malware, but they're rare. There are also scenarios where I would act
> differently from just trying to remove the malware - such as, if there
> was evidence of a targeted attack on that particular machine/server/
> whatever then I might go for the wipe-install strategy as "the only
> way to be sure", or say if I wasn't confident that I had removed the
> problem completely, then I would suggest to the customer that a
> wipe-install would be best.
>
> I also think if you resort to the wipe-install strategy as your
> general answer to malware, then there is so much that you haven't
> learnt about how malware tends to work on Windows, how it hides
> itself, how it stops the admin from trying to remove it, and also
> quite a few quirks of Windows. I'm not suggesting that I've learnt
> all there is to learn on this topic either, but I have learnt quite a
> few strategies in the time that I've been in business, and it can be
> quite mentally stimulating work.

I'd say most people who advised you to re-install the box have shown far
deeper knowledge of Windows internals and computer security in general
in their responses than you have. Apparently you don't even realize that
a rootkit may very well render any of the tools you mentioned above
useless (yes, including RootkitRevealer and the likes). You don't even
seem to have understood why you should run a virus scan not from the
live system, but from a system that's booted from some other medium
(preferably in a way that didn't involve even so much as touching the
MBR and boot sectors of the potentially infected drive).
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq