Focus on Microsoft
Re: More along the lines of malware disinfection Mar 20 2008 04:54PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (1 replies)
On 2008-03-20 John Lightfoot wrote:
> I agree with Mike.

Then you failed to understand the problem.

> While it's true that you can never be absolutely certain that a system
> is safe once it has been compromised by malware, if you're able to
> identify the infection or at least the attack vector, chances are
> pretty good that you can eliminate the problem and secure your system
> without a total re-wipe.

Correct. IF you can identify the infection vector AND the infection time
AND all modifications that were done afterwards. Then (and only then)
you can avoid re-installing the system.

> I use antivirus software, a software firewall, Windows Defender and my
> router to protect my home network, but occasionally my kids download a
> questionable toolbar from a game site.

So? Don't give them admin privileges. Problem solved.

> If I Google for a script to get rid of it, I feel quite confident that
> the malware ended there.

This confidence is entirely unsubstantiated.

- Even though your tools identified the malware as "X", it may be a (yet
unknown) variant "Xa", which is sufficiently different from malware
"X" to render your script useless.
- In case malware "X" opened a backdoor (there are various ways to do
that even through a firewall) or loaded additional code after being
executed, your script may remove malware "X", but leave the additional
malware "Y" untouched.
- Unless you know exactly how malware "X" works even auditing the script
won't tell you whether it will actually remove the infection entirely.
- Unless you audit the script first, you may just have installed another
malware by running it.
...

> If the antivirus, antispyware, firewalls and logs don't turn up
> anything, the 100% undetectable rootkit the malware installed doesn't
> concern me very much, and if you're worried about a 100% undetectable
> rootkit you should probably be worried about the 100% undetectable
> 0-day attack vector it's already used to install itself on your
> computer.

Unless the tools you use have 100% detection rate (which they don't),
the rootkit doesn't need to be 100% undetectable.

What you and Mike keep ignoring is that in one case there was an actual
infection vector, whereas in the other case there wasn't (no, your
hypothetical 0-day attack does not count unless you can show an actual
attack vector).

> Maybe that's leaving my computers as potential spam-bots, but what are the
> chances of that? 1%? .01%? .0000000001%? What's an acceptable risk vs.
> the cost of rebuilding from scratch?

Do you have any numbers to base your calculation on? Unless you do, the
risk may be 0.001% as well as 99.999%. Meaning there is no such thing as
an "acceptable risk".

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

Copyright 2010, SecurityFocus