Re: hjkkj.tmp, hjkkj.ini



On 16 Jul 2006 20:33:52 -0700, shadow.demon@xxxxxxxxx wrote:

> what the hell, spyware removal software is so hit and miss.

It shouldn't be.

Firstly, in order to speak meaningfully of "cleaning the PC" (or
keeping it clean) there has to be an effective edge between it and the
rest of the infosphere. You can't expect to clean the thing while
it's connected to the Internet or is dangling WiFi in the wind.

Malware can re-assert itself from outside, if there's no effective
edge between the PC and the infosphere - as applies when network
surfaces are exposed to the Internet, and have exploitable code
defects, or by-design safety failure (e.g. weak pwd + XP Pro + File &
Print Sharing + hidden admin shares).


If malware is running at the time you attempt to detect and clean it,
it is positioned so that it can hide, attack/disable/hijack detection
and cleaning tools, write itself back after they've "cleaned" it, or
take punitive action e.g. trash your data.

Many malware writers do not make use of such opportunities, but that
is not something to count on - so you do NOT want the malware running
at the time you are trying to find and remove it.

Malware has three ways to persist across Windows sessions:
1) By replacing or infecting existing code files
2) By explicitly integrating extra files, e.g. startup axis, etc.
3) By implicitly integrating extra files, e.g. internal exploits

"Safe Mode" is waved about as the easy way to avoid running the
malware when Windows starts, but it can't avoid (1), and XP is poorer
than Win9x at avoiding (2).

The best way to avoid all three methods is to:
a) Do not boot any code from the hard drive
b) Do not run any part of the startup axis
c) Use a simplified OS that is not full of internal risks

Google( Bart PE ) for a free tool that will build such a maintenance
OS that does not use Explorer as the shell, which helps with (c), and
does not boot any code off the hard drive, therefore meeting
requirements (a) and (b). At best, "Safe Mode" does half of (b),
while "Safe Mode Cmd Only" does more (b) and as much (c).

To detect (1), and intra-file infectors in particular, you need to not
boot the HD at all and you need to scan all files looking for
signatures of known malware.

That will miss things not known to the scanners, and to catch those,
you'd have to have tamper-proof checksum or MD5 info to check all code
files. In addition, that info would have to be complete (including
all wanted 3rd-party code) and up-to-date (taking all code updates
into account). Here you come up against the classic "backup
conundrum", i.e. how to scope out unwanted changes (malware infection)
while scoping in wanted changes (e.g. updates and new installs).

If code were boilerplate, you could use Time as the great X-axis, i.e.
make the info when all is installed and fall back all the way to this
initial state when looking for changes. But these days, code is
always full of defects that have to be fixed, so it's hard to tell
whether a change is "legit" (by patch) or caused by malware that gets
in because it's not recognised.

To detect (2), you can scan and inspect all known (and they *should*
all be known!) integration points. This is more than just the startup
axis, as it includes file type associations, persistent handlers,
shell integrations, device drivers, screen saver etc. Many of these
are duplicated across user accounts, including the one that Safe Mode
normally uses; in addition, "Safe" can be selectively "owned".

As at July 2006, there's little use made of (3). To detect (3), you'd
scan all material for known exploit signatures, and you'd pay
particular attention to the ADS that NTFS supports and hides from you.


Malware can persist through cleaning and be re-activated from hidden
stores, e.g. within email mailboxes, or after a System Restore that
faithfully restores the malware files plus the integration needed to
ensure they are active.

Malware can be restored with "data" backups, especially when the
system defaults to no awareness that incoming attachments and
downloads should NOT be dumped in "My Documents".


So no; it's not "hit and miss" (or should not be). Yes, there are
far too many integration points, with no single UI from which they can
be viewed. Yes, "Safe" mode isn't; it runs too many integration
points as well as being open to selective attack. Yes, XP comes with
no maintenance OS from which an infected system can be managed. And
sure, no signature-based av will find everything, especially when it
comes to primary malware push from web sites.

All of the above say little about the process of malware detection and
removal, and a great deal about how ill-equipped XP systems are when
it comes to this very common maintenance scenario.



------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
------------ ----- --- -- - - - -
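The "tamper-proof checksum or MD5 info" approach described in the post, and the backup conundrum of scoping in wanted changes while scoping out unwanted ones, can be made concrete. The following is an added example, not code from the post or its author: it snapshots the code files on a volume (in practice one mounted from a maintenance OS that booted nothing off the hard drive), stores the baseline off that volume, and later diffs a fresh snapshot against it, treating a change as "patched" only when a separately supplied manifest of expected post-update hashes vouches for the new contents. The directory layout, file names, file contents and the manifest format are all constructed for the demonstration.

```python
"""
Added example (not from the original post): offline code-file baseline plus a
diff that separates expected (patched) changes from unexplained ones.
Paths, file contents and the manifest format are constructed for this demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions treated as "code files" for baselining; an assumption for the demo.
CODE_SUFFIXES = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}


def digest(path: Path) -> dict:
    """MD5 (as the post mentions) and SHA-256 of one file, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(),
            "size": path.stat().st_size}


def snapshot(root: Path) -> dict:
    """Map volume-relative path -> digests for every code file under root."""
    return {p.relative_to(root).as_posix(): digest(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in CODE_SUFFIXES}


def classify(baseline: dict, current: dict, expected: dict) -> dict:
    """
    Compare a current snapshot against the stored baseline.
    `expected` maps relative path -> SHA-256 published for a wanted change
    (a patch or install); only those hashes count as scoped-in changes.
    """
    report = {"modified": [], "added": [], "removed": [], "patched": []}
    for rel, info in current.items():
        vouched = expected.get(rel) == info["sha256"]
        if rel not in baseline:
            report["patched" if vouched else "added"].append(rel)
        elif baseline[rel]["sha256"] != info["sha256"]:
            report["patched" if vouched else "modified"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    return {k: sorted(v) for k, v in report.items()}


def demo() -> dict:
    """Build a constructed volume, baseline it, apply changes, and classify."""
    with tempfile.TemporaryDirectory() as tmp:
        vol = Path(tmp) / "volume"      # stands in for the offline-mounted system drive
        store = Path(tmp) / "baseline"  # baseline lives OFF the volume (read-only media in practice)
        sys32 = vol / "windows" / "system32"
        sys32.mkdir(parents=True)
        store.mkdir()
        (sys32 / "core.dll").write_bytes(b"core v1")
        (sys32 / "editor.exe").write_bytes(b"editor v1")
        (vol / "windows" / "readme.txt").write_bytes(b"not code, ignored")

        # Baseline taken when all wanted code is installed and up to date.
        (store / "baseline.json").write_text(json.dumps(snapshot(vol)))

        # Wanted change: a vendor patch replaces core.dll and publishes its hash.
        patched = b"core v2"
        (sys32 / "core.dll").write_bytes(patched)
        manifest = {"windows/system32/core.dll": hashlib.sha256(patched).hexdigest()}

        # Unwanted changes: an existing executable is overwritten, a new DLL appears.
        (sys32 / "editor.exe").write_bytes(b"editor v1 + foreign bytes")
        (sys32 / "dropped.dll").write_bytes(b"unexplained new code")

        stored = json.loads((store / "baseline.json").read_text())
        return classify(stored, snapshot(vol), manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:9s} {paths}")
```

The manifest is what turns the "great X-axis" of time into something usable: without it every post-baseline change looks like an infection, and with it only changes the vendor actually published are scoped in, while an overwritten executable or a new DLL with no published hash stays on the suspect list. The baseline itself must sit on media the running system cannot write to, otherwise malware positioned as the post describes can simply rewrite it.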