Focus on Microsoft
The number is about 30%. That's the approximate percentage of websites
our organization comes across from normal user browsing that have some
kind of redirect or hosting malicious exploits that will cause a
standard user-level privilege to be violated and malicious code
installed if that host does not have anti-virus software. Add AV and
you're down to around 5% new or variant (let's call them 'unique') junk
out there at any given time that will pwn a client.
So, 5% of normal browsing on a blogger or news site or product site or
whatever pwn the user process through MDAC, WMF, Real or some other
magic and install a keylogger. These sites are usually reported within
24 hours of going active if they have noticeable market penetration. AV
signature development takes about a day for dev and QA and a day for
release. Add 24-72 hours for distro to clients depending on how often
they are updating. Total time to the client cleansing itself after a
threat appears, I'd say the average is around a week.
So, how many tax returns were filed this week before the signature
becomes 50% effective across the client base? How many before 80%?
Remember, this is for one particular threat. There are thousands (if
not millions) out there and active right now. I'm to assume that making
the claim that 5% of exposed clients in the next two weeks reporting
their tax ID numbers, investment accounts, and return info to the IRS
and siphoned off to personal info brokers is an acceptable risk? No way.
Ansgar -59cobalt- Wiechers wrote:
> On 2008-03-20 John Lightfoot wrote:
>> I agree with Mike.
>
> Then you failed to understand the problem.
>
>> While it's true that you can never be absolutely certain that a system
>> is safe once it has been compromised by malware, if you're able to
>> identify the infection or at least the attack vector, chances are
>> pretty good that you can eliminate the problem and secure your system
>> without a total re-wipe.
>
> Correct. IF you can identify the infection vector AND the infection time
> AND all modifications that were done afterwards. Then (and only then)
> you can avoid re-installing the system.
>
>> I use antivirus software, a software firewall, Windows Defender and my
>> router to protect my home network, but occasionally my kids download a
>> questionable toolbar from a game site.
>
> So? Don't give them admin privileges. Problem solved.
>
>> If I Google for a script to get rid of it, I feel quite confident that
>> the malware ended there.
>
> This confidence is entirely unsubstantiated.
>
> - Even though your tools identified the malware as "X", it may be a (yet
> unknown) variant "Xa", which is sufficiently different from malware
> "X" to render your script useless.
> - In case malware "X" opened a backdoor (there are various ways to do
> that even through a firewall) or loaded additional code after being
> executed, your script may remove malware "X", but leave the additional
> malware "Y" untouched.
> - Unless you know exactly how malware "X" works even auditing the script
> won't tell you whether it will actually remove the infection entirely.
> - Unless you audit the script first, you may just have installed another
> malware by running it.
> ...
>
>> If the antivirus, antispyware, firewalls and logs don't turn up
>> anything, the 100% undetectable rootkit the malware installed doesn't
>> concern me very much, and if you're worried about a 100% undetectable
>> rootkit you should probably be worried about the 100% undetectable
>> 0-day attack vector it's already used to install itself on your
>> computer.
>
> Unless the tools you use have 100% detection rate (which they don't),
> the rootkit doesn't need to be 100% undetectable.
>
> What you and Mike keep ignoring is, that in one case there was an actual
> infection vector, whereas in the other case there wasn't (no, your
> hypothetical 0-day attack does not count unless you can show an actual
> attack vector).
>
>> Maybe that's leaving my computers as potential spam-bots, but what are the
>> chances of that? 1%? .01%? .0000000001%? What's an acceptable risk vs.
>> the cost of rebuilding from scratch?
>
> Do you have any numbers to base your calculation on? Unless you do, the
> risk may be 0.001% as well as 99.999%. Meaning there is no such thing as
> an "acceptable risk".
>
> Regards
> Ansgar Wiechers