Microsoft Says Recovery from Malware Becoming Impossible

cy

Flashaholic
Joined
Dec 20, 2003
Messages
8,186
Location
USA
Microsoft Says Recovery from Malware Becoming Impossible

"Offensive rootkits, which are used hide malware programs and maintain an undetectable presence on an infected machine, have become the weapon of choice for virus and spyware writers and, because they often use kernel hooks to avoid detection, Danseglio said IT administrators may never know if all traces of a rootkit have been successfully removed.

He cited a recent instance where an unnamed branch of the U.S. government struggled with malware infestations on more than 2,000 client machines. "In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast," Danseglio added."

http://www.eweek.com/article2/0,1895,1945808,00.asp

Microsoft: Stealth Rootkits Are Bombarding XP SP2 Boxes

"More than 20 percent of all malware removed from Windows XP SP2 (Service Pack 2) systems are stealth rootkits, according to senior official in Microsoft Corp.'s security unit."

http://www.eweek.com/article2/0,1895,1896605,00.asp
 

ACMarina

Flashlight Enthusiast
Joined
Sep 10, 2004
Messages
3,119
Location
Brookston, IN
Just formatted TWO systems in the past week to take care of some nasties. Anymore it's just easier that way..
 

gadget_lover

Flashaholic
Joined
Oct 7, 2003
Messages
7,148
Location
Near Silicon Valley (too near)
This is not new. I have had dozens of managers try to tell me that it's OK to bring in an un-vetted contractor for a week as a temporary administrator. All I have to do is change the password, they say!

The truth is, once an unscrupulous person has unrestricted access to your computer, you have very few ways of verifying that a root kit was not installed without going through some very involved verifications.

More and more, people look to a quick rebuild from "known good sources" as a way to combat an intrusion. The problem is obvious (to the paranoid among us): how do you know your backup copy was not compromised?

I may have to reinstall my wife's OS. She used IE for the last week. Now it's slowing downdowndowndown.

Sigh.
 

zespectre

Flashlight Enthusiast
Joined
May 21, 2005
Messages
2,197
Location
Lost in NY
Here's an ad with a better description
http://www.mcsx.co.uk/shop/hd-data-recovery-card.htm

However, you can do the same thing with just software (I use Acronis True Image). I have it set to make a regular (weekly) image of my system and keep it on a backup drive, and every now and then I duplicate that image onto removable media (DVD discs).

The big trick (for me) is to remember to create an image (usually takes about 15 minutes) BEFORE I go and do any experimenting or install some beta software!
 

TinderBox (UK)

Flashlight Enthusiast
Joined
Jan 14, 2006
Messages
3,488
Location
England, United Kingdom
Why don't Microsoft integrate the Windows software into a chip? The price of flash memory is getting really cheap now.

Any system changes would be saved to the HDD.

Then with a click of a switch you could be back to a default version of Windows.

All you would have to do is re-install your applications and you're done.

regards.
 

ABTOMAT

Flashlight Enthusiast
Joined
Jan 9, 2004
Messages
2,873
Location
MA, USA
As you guys say, in many cases it's easier to just reformat and reinstall everything. Unless a client has stuff on the computer that can't be copied or replaced, no sense in wasting all day long chasing after bytes. Another thing for people to realize is that if something says "click here", for the love of God don't do it. Users who don't download lots of stuff or visit lots of "questionable" sites almost never get hit, IMHO.

I've been meaning to make a Ghost image of my main PC, but I change hardware so much there's no point.
 

cy

Flashaholic
Joined
Dec 20, 2003
Messages
8,186
Location
USA
I'd like to buy an LEDsystems card, if anyone can verify this works.

thanks,
 

TinderBox (UK)

Flashlight Enthusiast
Joined
Jan 14, 2006
Messages
3,488
Location
England, United Kingdom
We had the same problem with BIOS chips a few years ago, until they put a write-enable jumper on the motherboard.

I would like to see the hackers get round that.

regards.
 

bwaites

Flashlight Enthusiast
Joined
Nov 27, 2003
Messages
5,035
Location
Central Washington State
I'm barely functional at this, but if you kept a hard drive with your OS and programs on it apart from your system, could you not then wipe your system drive and re-install from that hard drive?

I realize that every time you install a new program, you would have to also install it on the second drive.

Bill
 

zespectre

Flashlight Enthusiast
Joined
May 21, 2005
Messages
2,197
Location
Lost in NY
bwaites said:
I'm barely functional at this, but if you kept a hard drive with your OS and programs on it apart from your system, could you not then wipe your system drive and re-install from that hard drive?

I realize that every time you install a new program, you would have to also install it on the second drive.

Bill

That's what you do with imaging software. Imaging software (like Acronis) makes an exact duplicate of your drive including all the settings and such (unlike "backup" software that just backs up data but doesn't include system information like settings and preferences).
 

357

Flashlight Enthusiast
Joined
Jan 15, 2004
Messages
1,951
Location
usa
I don't understand what a rootkit is... can someone explain the technical meaning of rootkit?
 

TinderBox (UK)

Flashlight Enthusiast
Joined
Jan 14, 2006
Messages
3,488
Location
England, United Kingdom
Definitions of Rootkit on the Web:

A hacker security tool that captures passwords and message traffic to and from a computer. A collection of tools that allows a hacker to provide a backdoor into a system, collect information on other systems on the network, mask the fact that the system is compromised, and much more. Rootkit is a classic example of Trojan Horse software. Rootkit is available for a wide range of operating systems.
www.tecrime.com/0gloss.htm

A set of programs used to hack into a system and gain administrative-level access. Once a program has gained access, it can be used to monitor traffic and keystrokes; create a backdoor into the system for the hacker's use; alter log files; attack other machines on the network; and alter existing system tools to circumvent detection. Rootkits are an extreme form of System Modification Software. http://www.antispywarecoalition.org/
www.wetstonetech.com/page/page/1972572.htm

A root kit is a set of tools used by an intruder after cracking a computer system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes. Root kits exist for a variety of operating systems such as Linux, Solaris, and versions of Microsoft Windows.
en.wikipedia.org/wiki/Rootkit

regards.
 

357

Flashlight Enthusiast
Joined
Jan 15, 2004
Messages
1,951
Location
usa
That sounds like a nasty little program. I wonder if it's illegal for hackers to use this?

I can see instances where corporate or government should use this...but should be illegal for hackers I feel.
 

EVOeight

Newly Enlightened
Joined
Dec 12, 2005
Messages
117
I do have a copy of an "OS on CD". You boot from the CD and it loads the OS (XP w/SP2). It will boot a computer with no hard drive at all. The downside is that you cannot install ANYTHING because the CD is read-only. Every time I want to add a program or change anything, I have to burn a new image. It is completely virus proof though; worst case, just reboot...
 

Empath

Flashaholic
Joined
Nov 11, 2001
Messages
8,508
Location
Oregon
357 said:
That sounds like a nasty little program. I wonder if it's illegal for hackers to use this?

I can see instances where corporate or government should use this...but should be illegal for hackers I feel.

There is no instance that would make it acceptable for corporate or government to do it. A government, with a court order or whatever the particular country's legal system requires, has plenty of ways of getting information without damaging people's computers. Those in positions of responsibility in corporations, like Sony, should spend significant time in prison, just as the hackers involved in such criminal behavior should.

Legitimate-appearing corporate compromises of computer installations are a bigger threat than the hackers.
 

gadget_lover

Flashaholic
Joined
Oct 7, 2003
Messages
7,148
Location
Near Silicon Valley (too near)
The primary aspect of a rootkit as opposed to a simple virus is that it integrates into the operating system (or bios) in such a way that the system can't check itself. The very programs that you use to do a scan are altered so that they lie about being compromised.

The jumper protected bios has cut back on bios attacks, but not all PCs have a protected bios. I imagine that I'm not the only one who has (at some time) forgotten to re-protect the bios.

Making a backup copy of your disk works pretty well, unless that program gets popular enough to be targeted.

Daniel
 
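The two points made above, that rootkits "use kernel hooks to avoid detection" (the eWeek quote in the first post) and that "the very programs that you use to do a scan are altered so that they lie about being compromised" (Daniel's post), can be shown in a small model. The following is an added illustration written for this page, not code from the thread, from Microsoft or from any real rootkit. It builds an in-memory "disk" with a one-entry service table, the way a kernel exposes directory listing to user programs; a scanner that asks the kernel through that table; a hook that replaces the table entry and strips out any file whose name starts with a made-up `_rk_` prefix; and two checks a practitioner would run: a cross-view comparison of the API's answer against the raw disk, and an integrity check of the service table against the addresses the clean kernel shipped with. Every filename, the `_rk_` prefix and all function names are constructed for the example.

```c
/*
 * Added illustration (not from the thread): a toy model of how a rootkit hooks
 * the routine a scanner relies on so the system "lies about itself", and how a
 * cross-view check compares that answer against an independent view of the disk.
 * The in-memory "disk", the "_rk_" hiding prefix and all names are made up.
 */
#include <stdio.h>
#include <string.h>

#define MAX_FILES 16
#define NAME_LEN 32

/* The raw "disk": the directory table as a filesystem would store it on the platter. */
static const char *DISK_ENTRIES[] = {
    "ntoskrnl.exe", "explorer.exe", "_rk_evil.sys", "notes.txt"
};
#define DISK_COUNT (sizeof(DISK_ENTRIES) / sizeof(DISK_ENTRIES[0]))

/* Type of the "system call" that enumerates a directory. */
typedef size_t (*list_files_fn)(char out[][NAME_LEN], size_t max);

/* The genuine kernel routine: copies the directory table straight off the disk. */
static size_t real_list_files(char out[][NAME_LEN], size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < DISK_COUNT && n < max; i++) {
        strncpy(out[n], DISK_ENTRIES[i], NAME_LEN - 1);
        out[n][NAME_LEN - 1] = '\0';
        n++;
    }
    return n;
}

/* A one-entry "system service table": user programs reach the kernel through it. */
static list_files_fn dispatch_table[1] = { real_list_files };
/* What the clean kernel image says that table should contain. */
static const list_files_fn known_good_table[1] = { real_list_files };

/* The rootkit's replacement: call the original, then drop the files it wants hidden. */
static list_files_fn saved_original = NULL;
static const char HIDE_PREFIX[] = "_rk_";

static size_t hooked_list_files(char out[][NAME_LEN], size_t max)
{
    size_t n = saved_original(out, max);
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        if (strncmp(out[i], HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0)
            continue;                       /* hide anything the rootkit owns */
        if (kept != i)
            memcpy(out[kept], out[i], NAME_LEN);
        kept++;
    }
    return kept;
}

/* Install the hook: overwrite the table entry so every caller goes through the rootkit. */
void install_rootkit_hook(void)
{
    if (saved_original == NULL) {
        saved_original = dispatch_table[0];
        dispatch_table[0] = hooked_list_files;
    }
}

/* Restore the clean table: the model's equivalent of a wipe and reinstall. */
void reset_system(void)
{
    dispatch_table[0] = real_list_files;
    saved_original = NULL;
}

/* What a scanner running on the (possibly compromised) system sees. */
int api_sees_file(const char *name)
{
    char names[MAX_FILES][NAME_LEN];
    size_t n = dispatch_table[0](names, MAX_FILES);
    for (size_t i = 0; i < n; i++)
        if (strcmp(names[i], name) == 0)
            return 1;
    return 0;
}

/* Cross-view check: count entries present on the raw disk that the API view omits. */
int cross_view_hidden_count(void)
{
    char api_view[MAX_FILES][NAME_LEN];
    size_t n = dispatch_table[0](api_view, MAX_FILES);
    int hidden = 0;
    for (size_t i = 0; i < DISK_COUNT; i++) {
        int found = 0;
        for (size_t j = 0; j < n; j++)
            if (strcmp(api_view[j], DISK_ENTRIES[i]) == 0) { found = 1; break; }
        if (!found)
            hidden++;
    }
    return hidden;
}

/* Integrity check: does the live service table still match the clean kernel's values? */
int dispatch_table_tampered(void)
{
    return dispatch_table[0] != known_good_table[0];
}

int main(void)
{
    reset_system();
    printf("clean:  scanner sees _rk_evil.sys=%d hidden=%d tampered=%d\n",
           api_sees_file("_rk_evil.sys"), cross_view_hidden_count(), dispatch_table_tampered());
    install_rootkit_hook();
    printf("hooked: scanner sees _rk_evil.sys=%d hidden=%d tampered=%d\n",
           api_sees_file("_rk_evil.sys"), cross_view_hidden_count(), dispatch_table_tampered());
    return 0;
}
```

The scanner's own answer is the one that cannot be trusted: once the hook is in, `api_sees_file` reports the rootkit's file as absent while the cross-view and table checks both flag the tampering. The caveat that matters in practice is that both of those checks also run on the compromised machine, so a rootkit that additionally hooks the raw disk path or patches the "known good" copy defeats them too. That is why the checks worth relying on run from outside the infected system (booting from clean read-only media and reading the disk from there), and why the thread keeps landing on wipe-and-rebuild as the only answer you can be sure of.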