Re: More along the lines of malware disinfection

> "Mike Moratz-Coppins" <mike@mikeymike.org.uk> wrote:

> Ansgar -59cobalt- Wiechers wrote:
> > Well, some of us just don't consider botnets acceptable. Apparently you
> > have a different opinion on that.
>
> Neither do I.  I just don't think it is necessary in a lot of cases to 
> wipe everything out in order to get rid of a malware infection.

Sorry, I've got to disagree with you on this one. You should have backups of 
users' data files and should be able to scan those before restoring, but 
here's the thing- unless you reinstall that system, you do NOT know that 
it's no longer compromised. As a very simplified example, suppose a given 
piece of malware did, among other things, the following:

1. Sent keylogs via the user's e-mail client to an external address. Just 
once, even; say 24 hours after infection.
2. Sent the next round of keylogs to a text file buried in the directory 
structure on the computer, in an innocuously-named file. Let's say this one 
happens at 48 hours post-infection.
3. Sent a third round of keylogs via a port that gets opened at 72 hours 
post-infection.
4. Created a .cab file containing the next round of keylogs at 96 hours 
post-infection.
5. Repeated 1-4 for as long as the malware was resident on the computer, 
changing file names and locations (where applicable) with each run.
6. Searched for writeable files on the computer and modified each one of 
them (something as simple as adding a space or a CRLF or whatever) so as to 
change the last modified date on the files.

Now, after you run all of your various scanning tools, are you also looking 
at every single file to find each file that was created or modified after 
infection? Do you even know the actual infection date? If yes to both, are 
you looking at every single file? Do you know that the keylog content wasn't 
put into an existing file so as to avoid being noticed on a creation-date 
scan? Do you know whether or not the user's credentials have been captured 
many times over and sent to an outside location? Do you know whether or not 
part of the malware's function was to create an additional account on the 
computer after capturing your user's credentials (which are more likely than 
not to have excessive privileges on the local machine), store content in 
that new user's context, encrypt the content, export the keys and then 
delete the account? Do you know whether the malware has changed the 
Zone.Identifier file stream on an innocuous-looking file that's named after 
an existing file on the user's machine, but also includes simple 
functionality such as opening a connection to an Internet site and pulling 
down malicious content all over again? I can go on and on here, obviously.

This is a very *un*creative scenario, btw. However, based on what you've 
said on this list today, I'm betting that this scenario would have been 
successful on at least one of those machines that you didn't think needed to 
be reinstalled.
> I am perfectly aware that malware with rootkit-style capabilities can 
> render security tools useless, however I don't think I've yet seen a case 
> where every technique/tool I use has come up with negative results when 
> there are still symptoms of an infection.

Not all infections display symptoms, particularly to somebody who's 
returning the infected machine to the user and walking away. And we all know 
that users typically don't notice infections until they've become blatantly 
obvious and have run the machine into the ground from a performance 
perspective or are popping up pr0n windows all over the place (which smart 
malware wouldn't).

> Of course, I haven't yet been called out because a customer hasn't noticed 
> any symptoms of a system infection.  I'm perfectly willing to accept the 
> possibility that a "100% undetectable" rootkit has slipped by me at some 
> point, after all, it could be on my system right now.  It could have been 
> on that customer's system when all they asked me to do was fix their 
> printer problem.

Yes, it could. However, if you've been called in to fix an infected system, 
then your responsibility is to clean that system, not perform a "best effort 
based on what I know today" "cleaning".
> Furthermore, I think if you take your point of view through to its logical 
> conclusion, you should be reinstalling all of your systems (and any system 
> you ever administrate) on an extremely regular basis.  Good luck with 
> that.

Please don't be offended by this, but I'm guessing you've not worked in 
enterprise environments. Regular reinstallation of systems is exceedingly 
common in large corporate environments. Hardware lifecycle alone may dictate 
this, but it's just as likely that it's a matter of course whenever a user's 
machine goes "wonky". I've worked with and for some of the largest companies 
in the world, and I've seen this in all of them. The only place I *don't* 
see regular reinstallation is in very small environments, such as my 
parents' home (actually, I take that back; I regularly reinstall my mother's 
machine whenever I visit my parents), or environments that are managed by 
people who probably shouldn't be managing them because they think they can 
"clean up" an infected machine rather than rebuilding it.

Laura