
| Subject: | Re: More along the lines of malware disinfection |
|---|---|
| Date: | Sun, 23 Mar 2008 00:26:36 -0400 |
On 2008-03-20 John Lightfoot wrote:
> I agree with Mike.
Then you failed to understand the problem.
> While it's true that you can never be absolutely certain that a system
> is safe once it has been compromised by malware, if you're able to
> identify the infection or at least the attack vector, chances are
> pretty good that you can eliminate the problem and secure your system
> without a total re-wipe.
Correct. IF you can identify the infection vector AND the infection time AND all modifications that were done afterwards. Then (and only then) you can avoid re-installing the system.
> I use antivirus software, a software firewall, Windows Defender and my router to protect my home network, but occasionally my kids download a questionable toolbar from a game site.
So? Don't give them admin privileges. Problem solved.
> If I Google for a script to get rid of it, I feel quite confident that the malware ended there.
This confidence is entirely unsubstantiated.
- Even though your tools identified the malware as "X", it may be a (yet unknown) variant "Xa", which is sufficiently different from malware "X" to render your script useless.
- In case malware "X" opened a backdoor (there are various ways to do that even through a firewall) or loaded additional code after being executed, your script may remove malware "X", but leave the additional malware "Y" untouched.
- Unless you know exactly how malware "X" works even auditing the script won't tell you whether it will actually remove the infection entirely.
- Unless you audit the script first, you may just have installed another malware by running it.
...
> If the antivirus, antispyware, firewalls and logs don't turn up anything, the 100% undetectable rootkit the malware installed doesn't concern me very much, and if you're worried about a 100% undetectable rootkit you should probably be worried about the 100% undetectable 0-day attack vector it's already used to install itself on your computer.
Unless the tools you use have 100% detection rate (which they don't), the rootkit doesn't need to be 100% undetectable.
What you and Mike keep ignoring is that in one case there was an actual infection vector, whereas in the other case there wasn't (no, your hypothetical 0-day attack does not count unless you can show an actual attack vector).
> Maybe that's leaving my computers as potential spam-bots, but what are the chances of that? 1%? .01%? .0000000001%? What's an acceptable risk vs. the cost of rebuilding from scratch?
Do you have any numbers to base your calculation on? Unless you do, the risk may be 0.001% as well as 99.999%. Meaning there is no such thing as an "acceptable risk".
Regards
Ansgar Wiechers