A couple of points should be clarified here. Casual personal use of a computer is subject to the same conditions and considerations as dedicated business use, for the same reasons and with the same or worse consequences. Both are connected to an increasingly hostile network, and the home user has the disadvantage of not having staff or technology dedicated to detection and prevention, or even to monitoring and logging.
Spam-bots may not be a major concern for the typical home user, as they are not feeling much of a hit because the attacker is simply using their PC resources to victimize others. Until they are so spyware-laden that the system starts to underperform.

Consider the simple mass-mailer virus that is searching your customer's hard disk for credit card information, tax return files, personal correspondence of a, well, *personal* nature, surfing habits, use as a storage medium for the attacker's kiddie-porn of choice, or other things that the user would prefer not to make public. Now this may have some relevance to the user whose system has been compromised. Potential real-dollar and legal-fee relevance.

The simple "ha ha, gotcha" nuisance virus that you detect with your trusty anti-virus toolkit after it has been there for a day or three may actually be a downloader Trojan that has grabbed who knows what from who knows where, leading to the introduction of the as-yet-undetected mass-mailer. The mass-mailer may be stealthy (most are now) and may even be memory-resident only, or load on a schedule and kill itself upon exchanging data with the mothership, so as to minimize its chances of being noticed and removed. If it is programmed with rootkit functionality, it may load before the operating system and simply not have to hide at all. With keylogging and screen-scraping functionality, it could keep up to date on their latest doings with ease.

What would it be worth to you for the attacker NOT to show the wife those pictures that Betty-Lou down the road just shared with you on YouTube? Wouldn't the government be interested in your REAL taxable income? How far could an attacker exploit your ID with your SIN, budgeting spreadsheets, remote access to your workplace if you use a VPN, bank account details, copies of tax returns, a calendar showing birthdays, personal correspondence and even a copy of your Internet Favorites?
Oh, and that encryption program that you installed to hide all of those files? Well, the attacker has the password, captured by the keylogger, and live access to the system through the backdoor shell that tells them when you are actively online...

More and more, malware authors are moving to targeted attacks, where they research their victims, get to know who emails them and what sort of programs they are likely to be interested in, and provide a spoofed email or instant message from what appears to be a real-world employer, relative, friend or acquaintance that is in actuality a Trojan Horse program. The author is motivated by money, and spam generation is just one method that can earn them a dollar. It is not the only game in town.

But not to worry, your anti-virus engine of choice catches all of those simple viruses that are used to download the more complex programs. AS LONG AS IT HAS A SIGNATURE FOR IT. Signatures are released well after at least someone has seen the damage. Should your customer be that person?

Security is not something that can be applied in percentages. You are never 50% secure. You might measure your RISK with a percentage, but that is an exercise you will need to understand more fully to properly employ. Basically, if a system has been compromised, it is no longer under your (or your customer's) control. Simple viruses are not common these days. Attacks take place daily, and they are performed by motivated people. If you want to properly protect your customers, understand the motivation of the attacker, and then understand his methods of operation. You will eventually understand that the only way to protect a compromised system is to return it to a trusted state. Fdisk, format and start again. Ghost and other programs like it are cheap.
Get the customer used to using one of them, or offer them a service to do it for them every second Wednesday of the month (after you patch their systems, of course, which is another service you should offer them). Educate them in why this is a good idea, ESPECIALLY for those poorly protected, seldom-updated home PCs that connect them to the office on occasion. Oh, and if this sounds like scare tactics, marketing hype or just plain FUD, no, I no longer work for an anti-virus company. I am involved in internal incident response. I re-image my home systems on a regular schedule, compromised or not...

Cheers,
Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ansgar -59cobalt- Wiechers
Sent: Wednesday, March 19, 2008 4:33 PM
To: [email protected]
Subject: Re: More along the lines of malware disinfection

On 2008-03-19 Mike Moratz-Coppins wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> On 2008-03-18 Mike Moratz-Coppins wrote:
>>> I should point out one factor which I think makes a large difference
>>> in the approach that one might take in encountering a security issue -
>>> the vast majority of my customers are home users who just casually use
>>> their machine.
>>
>> You do realize that significant amounts of spam are deployed through
>> zombified computers of exactly these "home users who just casually use
>> their machine", don't you?
>
> Yes, I am aware of that.
>
>> [...]
>>>> 2) Jon's point about reliability here is very key to the
>>>> discussion. It is COMPLETELY irresponsible to warrant to a customer
>>>> that you can certify a system safe after it has been infected with
>>>> any manner of control-compromising code that has gone
>>>> undetected/untreated for a period of time.
>>>
>>> Do you see this as applying in a joe average home user scenario?
>>
>> Even if he doesn't, I do.
>> Unless you can determine without any doubt
>> when and how the machine was compromised, and what exactly was
>> altered afterwards, the only reasonable and responsible way to deal
>> with the problem is to backup the data and reinstall the machine.
>> Period.
>
> Well, I guess we'll just agree to disagree then. I can't see how one
> can make the distinction between "just a simple virus" and "a system
> security compromise"

Then you failed either to read or to understand what I wrote above. You can make the distinction if you are able to determine when and how the infection occurred, and what was altered afterwards. If you are not able to determine all of the above, you cannot make the distinction, and thus MUST assume the worst case. That's common sense, and I fail to see what is so hard for you to understand about this.

> considering if "just a simple virus" is allowed to infect a system,
> then it may as well be a system security compromise,

Ummm... yes?

> and that (going by the logic that some people on this list are
> employing), just removing "a simple virus" cannot possibly reassure
> one that there isn't something more sinister lurking around the
> system, then as soon as any form of malware is found, then the logic
> of a lot of people on this list dictates that the computer must be
> wiped and clean-installed.

Unless you are able to determine what infected the system, when the infection occurred, and what was tampered with after the infection. Like I've said before.

> I don't think (as far as the usual scenarios that my work takes me
> to) that a wipe and new install is the appropriate thing to do most of
> the time. Most of my reasons are practical-reality reasons, not "100%
> security" reasons:
>
> 1 - Many customers have computers that it would be difficult to
> perform an on-site reinstall on. For example, they might not have
> any/all discs for the machine, they only have one machine, etc.
And that makes leaving the machine a potential spam-bot acceptable how?

> 2 - Many customers have families (or 'need' the machine on a
> day-to-day basis) e.g. with the school kids doing their homework on
> the machine, and so the machine disappearing for a few days for me to
> do the installation with all the resources I have available at home
> would be highly inconvenient for them.

And that makes leaving the machine a potential spam-bot acceptable how?

> 3 - Many customers have pirated copies of software that they're using
> (e.g. MS Office), and as I have a policy of not installing pirated
> software for customers, I'm then inconveniencing them by wipe-installing
> their machine and they don't have the CD for MSO anymore, for example.
> Some customers might also have bought software online and not have the
> product keys anymore because they deleted the e-mails containing those
> product keys.

And that makes leaving the machine a potential spam-bot acceptable how?

> 4 - Some customers aren't so well off as other customers, and the cost
> of doing a reinstall is somewhat more than my average bill for removing
> malware.

And that makes leaving the machine a potential spam-bot acceptable how? Fixing a car costs money, too. Do you actually believe that it's okay for people to drive around with malfunctioning brakes, just because they can't afford to get them fixed?

> I'm sure that some of you will answer these scenarios along the lines
> of "aww, diddums" to the customer and still insist that the need for
> "100% security" overrides the needs of my customers, which is why I've
> said that we should agree to disagree about this.

Well, some of us just don't consider botnets acceptable. Apparently you have a different opinion on that.

> At the end of the day, if a customer asks me to remove malware, I will
> investigate manually (e.g.
> in the registry) for it, use virus/spyware
> scans to help pin it down and any remaining traces of it, and check in
> other ways (such as monitoring TCP/IP connections with netstat and
> tcpview, filemon, regmon, spybot and rootkitrevealer, and even
> watching the network activity light on the machine/router). I finish
> the appointment when I am confident that the problem has been solved.

And you actually believe that going through that whole procedure will cost you less time than reinstalling the box? Don't make me laugh. BTDT, and it takes considerable amounts of time to do it right. And even then you can't be sure you didn't miss something, because it's pretty hard, if not impossible, to prove the absence of something.

> While there is a possibility that there could be "undetectable
> malware" on the machine, I believe that, as a general policy, assuming
> there is without any trace of evidence whatsoever is pure paranoia.

*sigh* The evidence is there. The system was demonstrably infected, and unless you can prove that nothing else had been modified/installed/etc. you cannot rule out that possibility and thus MUST assume the worst case. That's not paranoia, but common sense.

> There are situations where I have wipe-installed a machine because of
> malware, but they're rare. There are also scenarios where I would act
> differently from just trying to remove the malware - such as, if there
> was evidence of a targeted attack on that particular machine/server/
> whatever then I might go for the wipe-install strategy as "the only
> way to be sure", or say if I wasn't confident that I had removed the
> problem completely, then I would suggest to the customer that a
> wipe-install would be best.
>
> I also think if you resort to the wipe-install strategy as your
> general answer to malware, then there is so much that you haven't
> learnt about how malware tends to work on Windows, how it hides
> itself, how it stops the admin from trying to remove it, and also
> quite a few quirks of Windows. I'm not suggesting that I've learnt
> all there is to learn on this topic either, but I have learnt quite a
> few strategies in the time that I've been in business, and it can be
> quite mentally stimulating work.

I'd say most people who advised you to re-install the box have shown far deeper knowledge of Windows internals and computer security in general in their responses than you have. Apparently you don't even realize that a rootkit may very well render any of the tools you mentioned above useless (yes, including RootkitRevealer and the likes). You don't even seem to have understood why you should run a virus scan not from the live system, but from a system that's booted from some other medium (preferably in a way that didn't involve even so much as touching the MBR and boot sectors of the potentially infected drive).

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available." --Jason Coombs on Bugtraq
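The thread's dividing line is Ansgar's test: you may treat an infection as "just a simple virus" only if you can say what was altered afterwards, and you establish that from a trusted boot, not from tools running on the suspect system. The script below is an added example (not code from either poster) of the mechanical part of that test: hash every file on a suspect tree (in practice a disk mounted read-only from a clean boot medium) and diff it against a manifest taken earlier. The directory tree, file contents and "tampering" are constructed for the example; the baseline is assumed to come from a snapshot taken before the incident or from vendor-published hashes.

```python
"""Offline baseline comparison for a suspect filesystem tree.

Added example, not from the original mailing-list thread. Run it from a
trusted boot against a read-only mount; the walk and the hashes are
computed here, not taken from anything cached on the suspect system.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map 'relative/path' -> sha256 for every regular file under root.

    Symlinks are skipped so a link planted on the suspect disk cannot pull
    in files from outside the mount (or from the analysis host)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            manifest[rel] = hash_file(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """What changed between the trusted manifest and the suspect tree.

    An empty result only says these files match the baseline; it does not
    cover boot sectors, registry hives or anything the baseline omits, so it
    can never by itself prove the absence of a compromise."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed sample: a tiny 'system' tree, a baseline, then three kinds
    of tampering (a patched driver, a new driver, a deleted user file)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows/System32/drivers").mkdir(parents=True)
        (root / "Windows/System32/kernel32.dll").write_bytes(b"original kernel32")
        (root / "Windows/System32/drivers/disk.sys").write_bytes(b"original disk driver")
        (root / "Users/joe").mkdir(parents=True)
        (root / "Users/joe/taxes.xls").write_bytes(b"spreadsheet")
        baseline = snapshot(root)  # in real use: stored off-box before the incident

        # Tampering constructed for the example (hypothetical file names):
        (root / "Windows/System32/drivers/disk.sys").write_bytes(b"patched disk driver")
        (root / "Windows/System32/drivers/h1dden.sys").write_bytes(b"new driver")
        (root / "Users/joe/taxes.xls").unlink()

        return diff_manifests(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}:")
        for p in paths:
            print(f"  {p}")
```

Point `snapshot()` at the mounted suspect volume and `diff_manifests()` at a manifest kept off the box. If the manifest predates the incident window and the diff is empty for the system areas, you have the evidence Ansgar asks for; if you have no trustworthy baseline, the script cannot manufacture one, and the worst-case assumption stands.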
