Posted by Martin on March 24, 2007, 3:48 pm
cquirke (MVP Windows shell/user) wrote:
> On Fri, 23 Mar 2007 14:54:34 +0200, "cquirke (MVP Windows shell/user)"
>
>> Quite. Scans done from within infected OS are non-exclusionary.
>
> I guess I should clarify that, as it implies scans from outside an
> infected OS are exclusionary, which isn't always the case!
>
> From outside the OS, you can rely on the scanner detecting everything
> it can detect (and missing everything it can't detect). By using
> multiple scanners, you can reduce the % of missed stuff, pushing it
> towards exclusion until the odds are prolly similar to the chances of
> a wiped-and-rebuilt PC staying clean when reconnected to the world.
>
> From inside the OS, a scanner may be unable to overcome malware that
> is known to it, or may fail to find anything at all if an active
> malware manages to disable or confound it. Malware A that it could
> normally handle in its sleep may be protected as a side-effect of
> malware B, so even past experience may not be reliable.
>
> The risks increase when you go from attempted detection to attempted
> removal. The short straw in the pack might be a malware that reacts
> punitively when it detects such attempts, killing the system or data.
>
> This "poison pill" outcome is less likely today, not because there are
> factors making it more difficult for malware to hatch a destructive
> payload, but because most malware activity is directed to financial
> ends. There may be as many traditional "virus" malcontents, but
> swamped by the quick-buckers, or there may be fewer malcontents now
> that at least some have become contented (paid) malware coders.
>
>
> Malware will be missed by scanners if:
> - it's not considered malware by the scanner vendor
> - it's not known to the scanner vendor, either because:
> - it's too new
> - it is not widely circulated
> - the malware vendor hasn't yet figured how to detect it
>
> If you're scanning formally, then the above are the only reasons
> malware will be missed, but these reasons can account for a lot of
> stuff, especially when there is a human element involved.
>
> The best way to counter the "too new" problem is to keep the system
> isolated (off all networks, including the various wireless accesses)
> for as many days as you can afford, then formally scan it whilst still
> in this isolated state.
>
> That means no online scanners, else an old and detectable malware may
> win a race with the online scanner by finding and downloading a "too
> new" replacement for itself before the online scanner finds and fixes
> it. The active malware has one big highway to the outside world that
> is easy to find; the online scanner's trudging through files and
> processes one at a time ("Is it Aaron? No, Is it Aardvark? No. Is
> it Abby? No..."). I know where I'd place my bets.
>
> Human hackers may not be limited to commonly-encountered off-the-peg
> tools that are known to malware vendors. They can use specialist or
> custom tools (or just a common tool that's been kinked and
> recompiled), and they can use legit software to do what's needed.
>
> They won't be bothered about licensing (as if anyone's going to get
> bust for "illegal use", it will be you, as it's on your system). Some
> scanning tools will alert on such software, but many won't.
>
>
>
> -------------------- ----- ---- --- -- - - - -
> Running Windows-based av to kill active malware is like striking
> a match to see if what you are standing in is water or petrol.
> -------------------- ----- ---- --- -- - - - -
One final question.
Firstly, sincere thanks for the considerable time and effort you have
invested in replying in such depth to my question. You have confirmed my
suspicions and given authority to what I told him: namely, that his system
is compromised and that he could never be sure it was rendered safe again.
I spoke to a hacker some months ago and he said that some of the tools he
had were even resistant to reformatting of the hard drive, something I had
previously heard regarding these post-theft programs that phone home.
Given the laptop is some 4 or 5 years old and running Windows 2000, I've
told my friend now's the time to invest in a new one and in the meantime
remember his present laptop is compromised.
Having said that, in the immediate short term I've suggested he puts in a
modem with a good hardware firewall if only in anticipation of his getting a
new laptop. But I assume that even that would not give him total peace
of mind: would I be right in thinking that once his system is compromised by
malware, he has to assume that the malware might have the capability of
getting through a hardware firewall by deception no matter how carefully it
is set up, or am I stretching things a bit too far with that one?
Once again, my deepest thanks for your kindness in providing such detailed
replies.
Martin