Re: Software Registry: is "Advanced INF" legit Explorer?

From: Alun Jones (alun_at_texis.invalid)
Date: 10/11/05
Date: Mon, 10 Oct 2005 15:33:06 -0700

"Volker Birk" <bumens@dingens.org> wrote in message
news:434a17fc@news.uni-ulm.de...
> Alun Jones <alun@texis.invalid> wrote:
>> The only 100% guaranteed(*) method of malware removal, it would seem,
>> requires the destruction of your data as well as your installation.
>
> No.

You are willing to say that data never carries code that will later infect a
system? Wow, I wasn't aware we had advanced that far in computer security.
I must have been asleep for a long time.

I was assuming that some of the document-based viruses you refer to below
may be present in some of the documents that comprise the user's data.
Perhaps you have a means of discerning data from virus and separating them
that isn't the "virus cleaner" you are arguing is a bad idea. If you do, I
hope you are selling it - you will make a fortune with a virus cleaning
method that doesn't involve virus cleaning.

>> If you're paying any kind of attention at all, you'll note that there are
>> lots of ways to detect opportunistic infections - infected machines don't
>> tend to stay infected if someone is trying to clean them up.
>
> Oh, yes, unfortunately usually they do. If you remove a malware with a
> backdoor, for example, then it's very likely that there is a second
> malware already running on your system. And this malware usually the
> virus scanner does not detect.
>
> This is what backdoors are for.

Given that malware doesn't go through the same sort of architectural and
implementation review as many applications do, it's redundant to say
"malware with a backdoor" - assume that they all have back-doors. The good
news is that even the secondary infection, tertiary, etc. are eventually
added to the repertoire of virus scanners.

>> "Flatten and reinstall" is only appropriate in an environment (such as an
>> enterprise) where you have good data retention, analysis and recovery
>> procedures in place.
>
> No. For many cases, it's just the only chance not to be a zombie for
> distributed attacks, not to be a store for kiddy-pr0n, to own your box
> again and not being 0wn3D.

You seem to think that these are primary concerns for most users. No, sadly
most users are interested in turning on the computer, running their
applications, and accessing their data. If a malware does not noticeably
interfere with that, you can guarantee that the user will not care to fix
the infection. A sense of social responsibility is not high on most
people's list of common virtues.

Most users will only remove viruses (anything from "clean" up to "flatten
and reinstall") under two conditions:
1. The virus has adversely affected their ability to use the computer. It's
overwriting data, or it's slowing their system down.
2. They have been denied access to some resource because of the virus on
their system (this is really 1.1, but it's frequently the enterprise case,
whereas 1 is more frequently the home user case).

>> You also neglected to address the point that "flatten and reinstall" merely
>> provides a clean operating system for exactly the same infection to take
>> hold once again - if you do not close the hole it used (either technological
>> or human), it, or something like it, will come in through that hole again.
>
> After installation, of course the box has to be hardened.

If you don't know where it was soft, how do you do that? Guess? Simply
download and apply "patch-du-jour"?

>> And if you didn't scan your system to detect the malware, how do you know
>> that you've closed the hole that was used?
>
> Malware can come from three main sources with a hardened Windows-PC:
>
> - Outlook Express
> - Internet Explorer
> - Documents, which are using a type of application infection

Wow, I use all three of those on a regular basis. I haven't had any malware
infest my PC. Clearly, these are not as dangerous as at first believed.
Obviously there's something different between me, and the guy who gets
infected.

> The first two one should avoid. For fighting the third one, one should
> avoid all "penis enlargements" and "banking software, which makes you
> rich".

Ah - here we are, here's the difference. I don't fall for any of those.
Clearly, though, that's not because of any of your three primary infection
routes being absent, it's because my _behaviour_ is different from those
that get infected. While many worms have been successful in exploiting
technological vulnerabilities, it still seems to be the sociological
vulnerabilities that are the most successfully abused.

> Afterwards, there is a rest of risk. And this rest one should fight with
> keeping all applications up to date, which are used directly for
> communication in the Internet, and which are used indirectly - for received
> documents, including music, video, Office documents and so on. And a virus
> scanner can help. It does not solve the problem, but it can help.

A virus scanner is clearly part of the solution. It would be nice if
aggressive law enforcement were another part of the solution, but currently
too many virus authors are given minor slaps on the wrist and then get a
comfy job with a press-hungry "security" company.

[Word to the wise - an attacker needs only to find one hole, once. A
defender must find every hole, all the time. Attackers do not automatically
make good defenders, because the mind-set is different. Attackers consider
depth of penetration more than breadth of attack; defenders think breadth of
coverage more than depth of protection.]

> There is no way to be 100% secure - but there is a way to be so highly
> secure, that never or only after some years one has to face an infection
> with a Windows box.

Security is a process. It's a mindset. It's what you do in order to stay
uninfected.

> And then one should have a backup.

Abso-darn-lutely.

But how do you prevent yourself from backing up, and restoring the malware?

Alun.
~~~~
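The closing question in the post above (how to avoid backing up, and later restoring, the malware along with the data) has a well-known partial answer: record a hash manifest of the data set while the machine is still known to be clean, and at restore time diff the backup against that manifest instead of copying everything back blindly. The following Python sketch is an added example, not code from the original thread or from either poster; the directory layout, file names, the list of risky suffixes and the sample file contents are all constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# File types that should not silently reappear from a backup without review.
# Constructed list for this example; tune it to the environment being protected.
RISKY_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".pif", ".vbs", ".js", ".bat", ".cmd"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def classify_restore(known_good: dict, candidate: dict) -> dict:
    """Compare a backup set against the trusted (pre-infection) manifest.

    clean     : same path and digest as the trusted manifest -> safe to restore
    modified  : path existed but content changed -> review before restoring
    new_risky : not in manifest and has an executable-type suffix -> quarantine
    new_other : not in manifest, non-executable -> review
    missing   : in the trusted manifest but absent from the backup (informational)
    """
    result = {"clean": [], "modified": [], "new_risky": [], "new_other": [], "missing": []}
    for rel, digest in candidate.items():
        if rel not in known_good:
            bucket = "new_risky" if Path(rel).suffix.lower() in RISKY_SUFFIXES else "new_other"
            result[bucket].append(rel)
        elif known_good[rel] != digest:
            result["modified"].append(rel)
        else:
            result["clean"].append(rel)
    result["missing"] = sorted(set(known_good) - set(candidate))
    return result


def demo() -> dict:
    """Constructed scenario: a trusted manifest is taken while the box is clean;
    a later backup contains one altered document and one newly dropped executable."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "data"
        data.mkdir()
        (data / "report.doc").write_bytes(b"quarterly report (constructed sample)")
        (data / "notes.txt").write_bytes(b"meeting notes (constructed sample)")
        trusted = build_manifest(data)  # snapshot while the machine is known clean

        # Later: the document gains unexpected content and a new binary appears.
        (data / "report.doc").write_bytes(
            b"quarterly report (constructed sample)" + b" + unexpected appended content"
        )
        (data / "update.exe").write_bytes(b"MZ placeholder bytes, not a real binary")
        after = build_manifest(data)

        return classify_restore(trusted, after)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket:10s} {files}")
```

The manifest only helps if it was captured before the compromise and stored somewhere the infected machine could not rewrite (offline media or a write-once location); a manifest that lives on the same disk as the data is only as trustworthy as the box itself. The "modified" and "new_other" buckets still need a human or a scanner to look at them, which is exactly the residual risk the thread argues about.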


