Focus on Microsoft
Re: More along the lines of malware disinfection Mar 20 2008 12:41AM
Geekwench (geekwench hotmail com)
> "Mike Moratz-Coppins" <mike (at) mikeymike.org (dot) uk> wrote:

> Ansgar -59cobalt- Wiechers wrote:
>> Well, some of us just don't consider botnets acceptable. Apparently you
>> have a different opinion on that.
>
> Neither do I. I just don't think it is necessary in a lot of cases to
> wipe everything out in order to get rid of a malware infection.

Sorry, I've got to disagree with you on this one. You should have backups of
users' data files and should be able to scan those before restoring, but
here's the thing: unless you reinstall that system, you do NOT know that
it's no longer compromised. As a very simplified example, suppose a given
piece of malware did, among other things, the following:

1. Sent keylogs via the user's e-mail client to an external address. Just
once, even; say 24 hours after infection.
2. Sent the next round of keylogs to a text file buried in the directory
structure on the computer, in an innocuously-named file. Let's say this one
happens at 48 hours post-infection.
3. Sent a third round of keylogs via a port that gets opened at 72 hours
post-infection.
4. Created a .cab file containing the next round of keylogs at 96 hours
post-infection.
5. Repeated 1-4 for as long as the malware was resident on the computer,
changing file names and locations (where applicable) with each run.
6. Searched for writeable files on the computer and modified each one of
them (something as simple as adding a space or a CRLF or whatever) so as to
change the last modified date on the files.

Now, after you run all of your various scanning tools, are you also looking
at every single file to find each file that was created or modified after
infection? Do you even know the actual infection date? If yes to both, are
you looking at every single file? Do you know that the keylog content wasn't
put into an existing file so as to avoid being noticed on a creation-date
scan? Do you know whether or not the user's credentials have been captured
many times over and sent to an outside location? Do you know whether or not
part of the malware's function was to create an additional account on the
computer after capturing your user's credentials (which are more likely than
not to have excessive privileges on the local machine), store content in
that new user's context, encrypt the content, export the keys and then
delete the account? Do you know whether the malware has changed the
Zone.Identifier file stream on an innocuous-looking file that's named after
an existing file on the user's machine, but also includes simple
functionality such as opening a connection to an Internet site and pulling
down malicious content all over again? I can go on and on here, obviously.

This is a very *un*creative scenario, btw. However, based on what you've
said on this list today, I'm betting that this scenario would have been
successful on at least one of those machines that you didn't think needed to
be reinstalled.
>
> I am perfectly aware that malware with rootkit-style capabilities can
> render security tools useless, however I don't think I've yet seen a case
> where every technique/tool I use has come up with negative results when
> there are still symptoms of an infection.

Not all infections display symptoms, particularly to somebody who's
returning the infected machine to the user and walking away. And we all know
that users typically don't notice infections until they've become blatantly
obvious and have run the machine into the ground from a performance
perspective or are popping up pr0n windows all over the place (which smart
malware wouldn't).

>
> Of course, I haven't yet been called out because a customer hasn't noticed
> any symptoms of a system infection. I'm perfectly willing to accept the
> possibility that a "100% undetectable" rootkit has slipped by me at some
> point, after all, it could be on my system right now. It could have been
> on that customer's system when all they asked me to do was fix their
> printer problem.

Yes, it could. However, if you've been called in to fix an infected system,
then your responsibility is to clean that system, not perform a "best effort
based on what I know today" "cleaning".
>
> Furthermore, I think if you take your point of view through to its logical
> conclusion, you should be reinstalling all of your systems (and any system
> you ever administrate) on an extremely regular basis. Good luck with
> that.

Please don't be offended by this, but I'm guessing you've not worked in
enterprise environments. Regular reinstallation of systems is exceedingly
common in large corporate environments. Hardware lifecycle alone may dictate
this, but it's just as likely that it's a matter of course whenever a user's
machine goes "wonky". I've worked with and for some of the largest companies
in the world, and I've seen this in all of them. The only place I *don't*
see regular reinstallation is in very small environments, such as my
parents' home (actually, I take that back; I regularly reinstall my mother's
machine whenever I visit my parents), or environments that are managed by
people who probably shouldn't be managing them because they think they can
"clean up" an infected machine rather than rebuilding it.

Laura

[ reply ]
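The post argues that a creation-date or modified-date sweep cannot tell you whether a machine is clean. As an added illustration (not code from the original post or from anyone in the thread), the Python script below builds a small constructed directory tree, records a baseline manifest of content hashes, applies two of the tricks the post describes (touching every writable file, and tucking content into an existing file with its timestamp put back), and then compares what a timestamp-based check reports against a hash comparison with the baseline. All paths, file contents and the "infection time" are constructed; the choice of Python is an assumption, since the post names no tooling.

```python
"""Baseline-vs-live triage demo: why live-system timestamps cannot prove a machine is clean.

Added example, not from the original mailing-list post. Everything here (paths,
file bodies, the infection timestamp) is constructed inline so it runs offline.
"""
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Return {relative_path: (sha256_hex, mtime)} for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            manifest[p.relative_to(root).as_posix()] = (digest, p.stat().st_mtime)
    return manifest


def mtime_triage(root: Path, infection_time: float) -> set:
    """Naive check: files whose modification time is later than the suspected infection time."""
    return {p.relative_to(root).as_posix()
            for p in root.rglob("*")
            if p.is_file() and p.stat().st_mtime > infection_time}


def baseline_triage(baseline: dict, live: dict) -> dict:
    """Compare a trusted baseline manifest to the live tree by content hash, not by timestamp."""
    added = set(live) - set(baseline)
    removed = set(baseline) - set(live)
    changed = {rel for rel in set(live) & set(baseline) if live[rel][0] != baseline[rel][0]}
    return {"added": added, "removed": removed, "changed": changed}


def run_scenario() -> dict:
    """Build a tree, take a baseline, apply two of the post's tricks, and triage both ways."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    try:
        # Constructed "user" files standing in for a known-good install.
        for name, body in {"docs/report.txt": b"quarterly numbers\n",
                           "docs/notes.txt": b"todo list\n",
                           "sys/config.ini": b"[main]\nlevel=1\n"}.items():
            f = root / name
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(body)
        # Date every file ten days back so the infection clearly happens after them.
        past = time.time() - 10 * 86400
        for p in root.rglob("*"):
            if p.is_file():
                os.utime(p, (past, past))
        baseline = hash_tree(root)  # the trusted manifest, as taken from a clean build
        infection_time = time.time() - 5 * 86400

        # Trick 6 from the post: touch every writable file so a date sweep flags everything.
        for p in root.rglob("*"):
            if p.is_file():
                with p.open("ab") as fh:
                    fh.write(b" ")
        # Trick 2 variant: put captured content into an existing file, then restore its mtime.
        target = root / "docs/notes.txt"
        with target.open("ab") as fh:
            fh.write(b"captured keystrokes (constructed)\n")
        os.utime(target, (past, past))
        # An innocuously named new file.
        (root / "sys/cache.dat").write_bytes(b"more captured input (constructed)\n")

        live = hash_tree(root)
        return {
            "mtime_flagged": mtime_triage(root, infection_time),
            "baseline_diff": baseline_triage(baseline, live),
            "total_files": len(live),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = run_scenario()
    print("flagged by mtime sweep:", sorted(result["mtime_flagged"]))
    print("baseline diff:", {k: sorted(v) for k, v in result["baseline_diff"].items()})
```

Running it shows the two failure modes the post raises: the date sweep lights up on files that only had a byte appended (no signal), and misses docs/notes.txt entirely once its timestamp is put back, while the hash comparison reports exactly which files differ from the baseline. The hash comparison only works because the baseline was taken from a known-good state; on a live machine whose baseline you never captured, the only equivalent is the rebuild the post recommends.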
Copyright 2007, SecurityFocus