Network Security Focus-Microsoft

RE: More along the lines of malware disinfection

Subject: RE: More along the lines of malware disinfection
Date: Tue, 18 Mar 2008 13:57:19 -0600
You know, I want to point out to folks on this list that this is NOT an
either/or situation.  Much like any time we engage in computer forensics,
there are processes we can institute as security professionals that allow
for the removal of untrusted components via a clean install without complete
loss of data.

1) Recognize that a system is compromised if it is infected with anything
more than an embedded 'exploit'.  (E.g. Email comes through that has HTML or
something which is temporarily copied to a local cache when the email loads
in the application.  This is easy to fix.  Any true "virus" which infects
the host system at deeper than an individual application level is taboo.
Toast.)  

2) Jon's point about reliability here is very key to the discussion.  It is
COMPLETELY irresponsible to warrant to a customer that you can certify a
system safe after it has been infected with any manner of
control-compromising code that has gone undetected/untreated for a period of
time.  As an individual consumer, I may choose to take that risk so there is
an important distinction for the environment that you are asking this
question on.  On an enterprise level it is hard to imagine a small or medium
business where this risk is acceptable.

3) Institute a process for incident response and correction.  Whether you're
a small business, a vendor, whatever, have a process which you use for these
kinds of events.  

        3A) In my case, I choose to first image a system.  Load the drive on
a live system which does not boot from hard drive and instead boots from a
live CD and invokes an imaging application.  If you find later that there is
reason to investigate the old drive / old environment, you need to have a
high quality copy of the data to do your investigation on.  Don't
investigate on the original source.  

        3B) Then if you are in a situation where investigation is not
warranted and there is no need for preserving the original environment (no
criminal or civil reporting or case involved), wipe the original hard drive
with, at the very least, a format operation.

        3C) Install a clean OS. Use the original media, the original OS if
you need to.  Patch the OS.  Protect the OS with antivirus or whatever
endpoint measures you/your customer/your organization uses.

        3D) Use the appropriate application to access the saved disk image
and restore files as necessary to the reconstructed environment, ensuring
that they must each pass muster in an antivirus application or other
scanning environment.

Realize that security is the intelligent application of principles and
experience to maintain a balance between confidentiality, integrity, and
accessibility for yourself, your customer, or your organization.  Security
doesn't have to be "wipe and restart" OR "remove the malware and continue
using", there are other solutions out there.  It is important to recognize
that there are multiple possible approaches and you need to examine the
risks and benefits of your (hopefully standardized) approach to regularly
determine if it can be improved.

-W

Wayne S. Anderson
http://www.linkedin.com/in/wayneanderson
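As an added example (not from Wayne's post or any tool he names), a small Python helper that follows steps 3A and 3D above: image a source drive and prove the copy by SHA-256 before touching the original, then restore extracted files only when a scanner approves each one. The ClamAV hook, the hypothetical function names, and the marker string used as a stand-in detection are assumptions; the sample "drive" and files are constructed inside `demo()`.

```python
import hashlib, shutil, subprocess, tempfile
from pathlib import Path

CHUNK = 1 << 20  # copy in 1 MiB pieces

def image_device(source: Path, image: Path) -> str:
    """Step 3A: copy source to image, re-read the image, verify both SHA-256s match."""
    src_hash = hashlib.sha256()
    with source.open("rb") as fin, image.open("wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            src_hash.update(chunk)
            fout.write(chunk)
    img_hash = hashlib.sha256()  # independent re-read catches short writes
    with image.open("rb") as fimg:
        for chunk in iter(lambda: fimg.read(CHUNK), b""):
            img_hash.update(chunk)
    if src_hash.digest() != img_hash.digest():
        raise RuntimeError("image does not match source; do not rely on it")
    return src_hash.hexdigest()

def clamscan_is_clean(path: Path) -> bool:
    """Default scanner hook: clamscan exits 0 for clean, 1 for infected."""
    return subprocess.run(["clamscan", "--no-summary", str(path)],
                          capture_output=True).returncode == 0

def restore_clean_files(extracted: Path, dest: Path, is_clean=clamscan_is_clean) -> dict:
    """Step 3D: copy each file to dest only if is_clean() approves it."""
    report = {}  # relative path -> 'restored' | 'quarantined'
    for f in sorted(p for p in extracted.rglob("*") if p.is_file()):
        rel = f.relative_to(extracted)
        if is_clean(f):
            (dest / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(f, dest / rel)
            report[str(rel)] = "restored"
        else:
            report[str(rel)] = "quarantined"  # left in the image, never copied
    return report

def demo() -> dict:
    """Constructed sample: fake drive, two extracted files, a marker as the 'detection'."""
    work = Path(tempfile.mkdtemp())
    disk = work / "disk.raw"
    disk.write_bytes(b"\x00" * (2 * CHUNK + 7))  # deliberately not a CHUNK multiple
    image_device(disk, work / "disk.img")
    ext = work / "extracted"
    (ext / "docs").mkdir(parents=True)
    (ext / "docs" / "report.txt").write_text("quarterly numbers")
    (ext / "setup.exe").write_bytes(b"CONSTRUCTED-MALWARE-MARKER")
    return restore_clean_files(ext, work / "restored",
                               is_clean=lambda p: b"MALWARE-MARKER" not in p.read_bytes())
```

On a real live-CD workflow the source would be the block device itself and the files would be pulled from the verified image, never from the original drive.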

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Jon R. Kibler
Sent: Tuesday, March 18, 2008 11:46 AM
To: Mike Moratz-Coppins
Cc: focus-ms@securityfocus.com
Subject: Re: More along the lines of malware disinfection

Mike Moratz-Coppins wrote:
When removing malware of one sort or another, 

<SNIP>

Hi,

IMHO, anytime, repeat ANYTIME, you have an infected box, it is < 0%
trustworthy. You can remove the malware, but how do you know that
you found everything? You don't. Especially if the malware is some
sort of downloader or spyware.

Infected system? Back up the data, and ONLY the data, then (to quote
Microsoft from RSA a couple of years ago) "Nuke it from space!".

Bottom line: It is impossible to give any reasonable assurance that
a box that was infected has been cleaned. Best solution: Never store
user data on a client system (so you have nothing to back up) and
simply reimage any suspect system (ZenWorks, Ghost, etc.). I have
some clients that reimage every desktop every weekend just for good
measure.

Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
m: 843-224-2494



