I agree with Mike.
While it's true that you can never be absolutely certain that a system is
safe once it has been compromised by malware, if you're able to identify the
infection or at least the attack vector, chances are pretty good that you
can eliminate the problem and secure your system without a total re-wipe.
I use antivirus software, a software firewall, Windows Defender and my
router to protect my home network, but occasionally my kids download a
questionable toolbar from a game site. If I Google for a script to get rid
of it, I feel quite confident that the malware ended there. If the
antivirus, antispyware, firewalls and logs don't turn up anything, the 100%
undetectable rootkit the malware installed doesn't concern me very much, and
if you're worried about a 100% undetectable rootkit you should probably be
worried about the 100% undetectable 0-day attack vector it's already used to
install itself on your computer.
Maybe that's leaving my computers as potential spam-bots, but what are the
chances of that? 1%? .01%? .0000000001%? What's an acceptable risk vs.
the cost of rebuilding from scratch?
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Mike Moratz-Coppins
Sent: Wednesday, March 19, 2008 4:13 PM
To: focus-ms@securityfocus.com
Subject: Re: More along the lines of malware disinfection
Ansgar -59cobalt- Wiechers wrote:
Well, some of us just don't consider botnets acceptable. Apparently you
have a different opinion on that.
Neither do I. I just don't think it is necessary in a lot of cases to
wipe everything out in order to get rid of a malware infection.
I am perfectly aware that malware with rootkit-style capabilities can
render security tools useless, however I don't think I've yet seen a
case where every technique/tool I use has come up with negative results
when there are still symptoms of an infection.
Of course, I haven't yet been called out because a customer hasn't
noticed any symptoms of a system infection. I'm perfectly willing to
accept the possibility that a "100% undetectable" rootkit has slipped by
me at some point, after all, it could be on my system right now. It
could have been on that customer's system when all they asked me to do
was fix their printer problem.
Furthermore, I think if you take your point of view through to its
logical conclusion, you should be reinstalling all of your systems (and
any system you ever administrate) on an extremely regular basis. Good
luck with that.
--
Mike Moratz-Coppins
mike@mikeymike.org.uk
http://www.mikeymike.org.uk/
