On 2008-03-20 John Lightfoot wrote:
> I agree with Mike.

Then you failed to understand the problem.

> While it's true that you can never be absolutely certain that a system
> is safe once it has been compromised by malware, if you're able to
> identify the infection or at least the attack vector, chances are
> pretty good that you can eliminate the problem and secure your system
> without a total re-wipe.

Correct. IF you can identify the infection vector AND the infection time
AND all modifications that were done afterwards. Then (and only then) you
can avoid re-installing the system.

> I use antivirus software, a software firewall, Windows Defender and my
> router to protect my home network, but occasionally my kids download a
> questionable toolbar from a game site.

So? Don't give them admin privileges. Problem solved.

> If I Google for a script to get rid of it, I feel quite confident that
> the malware ended there.

This confidence is entirely unsubstantiated.

- Even though your tools identified the malware as "X", it may be a (yet
  unknown) variant "Xa", which is sufficiently different from malware "X"
  to render your script useless.
- In case malware "X" opened a backdoor (there are various ways to do that
  even through a firewall) or loaded additional code after being executed,
  your script may remove malware "X", but leave the additional malware "Y"
  untouched.
- Unless you know exactly how malware "X" works, even auditing the script
  won't tell you whether it will actually remove the infection entirely.
- Unless you audit the script first, you may just have installed another
  malware by running it.
...

> If the antivirus, antispyware, firewalls and logs don't turn up
> anything, the 100% undetectable rootkit the malware installed doesn't
> concern me very much, and if you're worried about a 100% undetectable
> rootkit you should probably be worried about the 100% undetectable
> 0-day attack vector it's already used to install itself on your
> computer.

Unless the tools you use have a 100% detection rate (which they don't), the
rootkit doesn't need to be 100% undetectable. What you and Mike keep
ignoring is that in one case there was an actual infection vector, whereas
in the other case there wasn't (no, your hypothetical 0-day attack does not
count unless you can show an actual attack vector).

> Maybe that's leaving my computers as potential spam-bots, but what are the
> chances of that? 1%? .01%? .0000000001%? What's an acceptable risk vs.
> the cost of rebuilding from scratch?

Do you have any numbers to base your calculation on? Unless you do, the
risk may be 0.001% as well as 99.999%. Meaning there is no such thing as an
"acceptable risk".

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
