Re: Strange behaviour - some text and e-mails disappeared



cquirke (MVP Windows shell/user) wrote:
On Fri, 23 Mar 2007 14:54:34 +0200, "cquirke (MVP Windows shell/user)"
On Wed, 21 Mar 2007 21:03:43 -0000, "Martin" <vdp3r@xxxxxxxxxxx>

Quite. Scans done from within infected OS are non-exclusionary.

I guess I should clarify that, as it implies scans from outside an
infected OS are exclusionary, which isn't always the case!

From outside the OS, you can rely on the scanner detecting everything
it can detect (and missing everything it can't detect). By using
multiple scanners, you can reduce the % of missed stuff, pushing it
towards exclusion until the odds are prolly similar to the chances of
a wiped-and-rebuilt PC staying clean when reconnected to the world.

From inside the OS, a scanner may be unable to overcome malware that
is known to it, or may fail to find anything at all if an active
malware manages to disable or confound it. Malware A that it could
normally handle in its sleep may be protected as a side-effect of
malware B, so even past experience may not be reliable.

The risks increase when you go from attempted detection to attempted
removal. The short straw in the pack might be a malware that reacts
punitively when it detects such attempts, killing the system or data.

This "poison pill" outcome is less likely today, not because there are
factors making it more difficult for malware to hatch a destructive
payload, but because most malware activity is directed to financial
ends. There may be as many traditional "virus" malcontents, but
swamped by the quick-buckers, or there may be fewer malcontents now
that at least some have become contented (paid) malware coders.


Malware will be missed by scanners if:
- it's not considered malware by the scanner vendor
- it's not known to the scanner vendor, either because:
  - it's too new
  - it is not widely circulated
- the malware vendor hasn't yet figured how to detect it

If you're scanning formally, then the above are the only reasons
malware will be missed, but these reasons can account for a lot of
stuff, especially when there is a human element involved.

The best way to counter the "too new" problem is to keep the system
isolated (off all networks, including the various wireless accesses)
for as many days as you can afford, then formally scan it whilst still
in this isolated state.

That means no online scanners, else an old and detectable malware may
win a race with the online scanner by finding and downloading a "too
new" replacement for itself before the online scanner finds and fixes
it. The active malware has one big highway to the outside world that
is easy to find; the online scanner's trudging through files and
processes one at a time ("Is it Aaron? No, Is it Aardvark? No. Is
it Abby? No..."). I know where I'd place my bets.

Human hackers may not be limited to commonly-encountered off-the-peg
tools that are known to malware vendors. They can use specialist or
custom tools (or just a common tool that's been kinked and
recompiled), and they can use legit software to do what's needed.

They won't be bothered about licensing (as if anyone's going to get
bust for "illegal use", it will be you, as it's on your system). Some
scanning tools will alert on such software, but many won't.



-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -

One final question.

Firstly, sincere thanks for the considerable time and effort you have
invested in replying in such depth to my question. You have confirmed my
suspicions and given authority to what I told him: namely, that his system
is compromised and that he could never be sure it was rendered safe again.
I spoke to a hacker some months ago and he said that some of the tools he
had were even resistant to reformatting of the hard drive, something I had
previously heard regarding these post-theft programs that phone home.

Given the laptop is some 4 or 5 years old and running Windows 2000, I've
told my friend now's the time to invest in a new one and in the meantime
remember his present laptop is compromised.

Having said that, in the immediate short term I've suggested he puts in a
modem with a good hardware firewall if only in anticipation of his getting a
new laptop. But I assume that even that would not give him total peace
of mind: would I be right in thinking that once his system is compromised by
malware, he has to assume that the malware might have the capability of
getting through a hardware firewall by deception no matter how carefully it
is set up, or am I stretching things a bit too far with that one?

Once again, my deepest thanks for your kindness in providing such detailed
replies.

Martin
