Re: Strange behaviour - some text and e-mails disappeared
- From: "cquirke (MVP Windows shell/user)" <cquirkenews@xxxxxxxxxxxxxxx>
- Date: Mon, 26 Mar 2007 22:04:45 +0200
On Sat, 24 Mar 2007 19:48:36 -0000, "Martin" <vdp3r@xxxxxxxxxxx> wrote:
> cquirke (MVP Windows shell/user) wrote:
>> Scans done from within infected OS are non-exclusionary.
I guess I should clarify that, as it implies scans from outside an
infected OS are exclusionary, which isn't always the case!
From outside the OS, you can rely on the scanner detecting everything
it can detect (and missing everything it can't detect).
From inside the OS, a scanner may be unable to overcome malware that
is known to it, or may fail to find anything at all.
Human hackers may not be limited to commonly-encountered tools.
> You have confirmed my suspicions and given authority to what I told him:
> namely, that his system is compromised and that he could never be sure
> it was rendered safe again.
This is always generally true, but with break-even between "just" wipe
and rebuild and clean the system formally being arguably similar.
It's particularly true here because of the human element that skews
the odds against formally cleaning the system. If resources permit,
I'd recommend "freezing" the old HD (literally, remove it and store it
in the safe) and rebuilding on a new hard drive, so that if problems
continue and you need forensics, you have preserved these.
> I spoke to a hacker some months ago and he said that some of the tools he
> had were even resistant to reformatting of the hard drive, something I had
> previously heard regarding these post-theft programs that phone home.
There are four ways to appear to persist across a format:
- embed malware outside the file system, e.g. MBR
- seed the data set with malware, thus within restored backups
- infect off-board storage (e.g. USB sticks) and LAN systems
- re-assert primary infection via exploitable defects, etc.
The first is the one that comes to mind, but it's probably the least
likely method - not because malware can't be inserted into the MBR
(even from within NT on NTFS), but because it's very hard to create
useful functionality (especially network access) from that raw level
of code - everything has to be done by the code, with no recourse to
OS libraries or services, and that's hard work.
The easiest way is to watch for the "fixed" PC to re-appear on the
'net and then exploit it while it's still groping for patches. That's
easy if you have a fix on its IP address; less easy when this IP
address is randomly-assigned from a large ISP pool.
The other two methods are pretty easy too, thanks to poor OS design
that makes no attempt to maintain data hygiene, and that happily
autoruns newly-detected USB sticks.
> Given the laptop is some 4 or 5 years old and running Windows 2000, I've
> told my friend now's the time to invest in a new one and in the meantime
> remember his present laptop is compromised.
He could do, tho laptops aren't cheap enough to be considered
disposable. He needs a firewall at least, as well as IE 6 SP1, and
both to be in place before going online or joining any network. This
wouldn't make him as safe as XP SP2 with IE 7, but he'd be about 90%
of the way there.
There's a case to be made for invalidating prior assumptions when the
PC is rebuilt; use non-default installation paths, relocate data sets,
change passwords, and kill those wretched admin shares!
> Having said that, in the immediate short term I've suggested he puts in a
> modem with a good hardware firewall if only in anticipation of his getting a
> new laptop.
He should be behind a NAT router that's operating in NAT mode (i.e.
not dumbed-down to act as a "bridge"). Dial-up's easier in that at
least with separate network adapters for Internet and LAN, he can
un-bind File and Print Sharing from the dial-up adapter and thus
Internet access. Finally - kill any WiFi, or if you have to use it,
go WPA(2) and change the encryption key (as the old one may have been
snooped by reading the router from the "owned" PC).
> But I assume that even that would not give him total peace
> of mind: would I be right in thinking that once his system is compromised by
> malware, he has to assume that the malware might have the capability of
> getting through a hardware firewall by deception no matter how carefully it
> is set up, or am I stretching things a bit too far with that one?
Not so much malware, but an active and personal human hand behind the
malware. That's why keeping the previous HD is a good long-term hedge
(if you can keep it "pure" as potential court evidence, so much the
better), so your idea of "get a new system" has merit if it means the
old one can be retained as-is for forensics.
Windows has no clue for these sort of eventualities, so the effort of
extracting data from the infected system, and ensuring that it is free
of (infectable) code, is entirely up to you. The Windows "vision" is
to be so secure that the infected state does not arise, therefore
there is no need to plan for it or manage it.
> Once again, my deepest thanks for your kindness in providing such detailed
> replies.
It's a pleasure... I'm glad it's not me on the slab, I have to say
:-/
--
Risk Management is the clue that asks: "Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
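The rebuild advice above (kill the admin shares, stop autorun of newly-detected USB sticks) can be audited rather than taken on trust. The following PowerShell script is an added example and not part of the thread; it only reports, changes nothing, and assumes a modern Windows host with PowerShell 3 or later (the original discussion concerns Windows 2000, where the registry values are the same but the cmdlets are not available).

```powershell
# Added example (not from the thread): report the state of the two
# hardening items recommended for the rebuilt PC, administrative shares
# and removable-media AutoRun, using WMI and well-known registry values.
# Run from an elevated prompt; read-only.

function Get-AdminShares {
    # Win32_Share Type values with the 0x80000000 bit set are the
    # administrative shares (C$, D$, ADMIN$, IPC$ ...), which the Server
    # service recreates on each start unless told otherwise.
    Get-CimInstance -ClassName Win32_Share |
        Where-Object { ($_.Type -band 0x80000000) -ne 0 } |
        Select-Object Name, Path, Type
}

function Get-AutoShareSetting {
    # AutoShareWks (workstation) / AutoShareServer (server) set to 0 stops
    # the Server service from recreating the drive-letter admin shares.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoShareWks    = $p.AutoShareWks
        AutoShareServer = $p.AutoShareServer
    }
}

function Get-AutoRunSetting {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is
    # disabled; 0xFF (255) disables it for every type, including removable.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{ Hive = $k; NoDriveTypeAutoRun = $v; AllDisabled = ($v -eq 0xFF) }
    }
}

Write-Host '== Administrative shares currently present =='
Get-AdminShares | Format-Table -AutoSize
Write-Host '== Server service auto-share policy (0 = do not recreate) =='
Get-AutoShareSetting | Format-List
Write-Host '== AutoRun policy (NoDriveTypeAutoRun; 0xFF = fully disabled) =='
Get-AutoRunSetting | Format-Table -AutoSize
```

A share that is present while AutoShareWks is already 0 was created by something other than the Server service defaults, which is exactly the kind of prior assumption the rebuild is meant to invalidate.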