Posted by Martin on March 27, 2007, 5:57 am
Once again the sincerest of thanks - the effort and length you have gone to
are greatly appreciated and the detail and explanations are valued greatly.
Martin
cquirke (MVP Windows shell/user) wrote:
>> cquirke (MVP Windows shell/user) wrote:
>
>>> Scans done from within infected OS are non-exclusionary.
>>> I guess I should clarify that, as it implies scans from outside an
>>> infected OS are exclusionary, which isn't always the case!
>
>>> From outside the OS, you can rely on the scanner detecting
>>> everything it can detect (and missing everything it can't detect).
>
>>> From inside the OS, a scanner may be unable to overcome malware that
>>> is known to it, or may fail to find anything at all
>
>>> Human hackers may not be limited to commonly-encountered tools
>
>> You have confirmed my suspicions and given authority to what I told
>> him: namely, that his system is compromised and that he could never
>> be sure
>> it was rendered safe again.
>
> This is always generally true, but with break-even between "just" wipe
> and rebuild and clean the system formally being arguably similar.
>
> It's particularly true here because of the human element that skews
> the odds against formally cleaning the system. If resources permit,
> I'd recommend "freezing" the old HD (literally, remove it and store it
> in the safe) and rebuilding on a new hard drive, so that if problems
> continue and you need forensics, you have preserved these.
>
>> I spoke to a hacker some months ago and he said that some of the
>> tools he had were even resistant to reformatting of the hard drive,
>> something I had previously heard regarding these post-theft programs
>> that phone home.
>
> There are four ways to appear to persist across a format:
> - embed malware outside the file system, e.g. MBR
> - seed the data set with malware, thus within restored backups
> - infect off-board storage (e.g. USB sticks) and LAN systems
> - re-assert primary infection via exploitable defects, etc.
>
> The first is the one that comes to mind, but it's probably the least
> likely method - not because malware can't be inserted into the MBR
> (even from within NT on NTFS), but because it's very hard to create
> useful functionality (especially network access) from that raw level
> of code - everything has to be done by the code, with no recourse to
> OS libraries or services, and that's hard work.
>
> The easiest way is to watch for the "fixed" PC to re-appear on the
> 'net and then exploit it while it's still groping for patches. That's
> easy if you have a fix on its IP address; less easy when this IP
> address is randomly-assigned from a large ISP pool.
>
> The other two methods are pretty easy too, thanks to poor OS design
> that makes no attempt to maintain data hygiene, and that happily
> autoruns newly-detected USB sticks.
>
>> Given the laptop is some 4 or 5 years old and running Windows 2000,
>> I've told my friend now's the time to invest in a new one and in the
>> meantime remember his present laptop is compromised.
>
> He could do, tho laptops aren't cheap enough to be considered
> disposable. He needs a firewall at least, as well as IE 6 SP1, and
> both to be in place before going online or joining any network. This
> wouldn't make him as safe as XP SP2 with IE 7, but he'd be about 90%
> of the way there.
>
> There's a case to be made for invalidating prior assumptions when the
> PC is rebuilt; use non-default installation paths, relocate data sets,
> change passwords, and kill those wretched admin shares!
>
>> Having said that, in the immediate short term I've suggested he puts
>> in a modem with a good hardware firewall if only in anticipation of
>> his getting a new laptop.
>
> He should be behind a NAT router that's operating in NAT mode (i.e.
> not dumbed-down to act as a "bridge"). Dial-up's easier in that at
> least with separate network adapters for Internet and LAN, he can
> un-bind File and Print Sharing from the dial-up adapter and thus
> Internet access. Finally - kill any WiFi, or if you have to use it,
> go WPA(2) and change the encryption key (as the old one may have been
> snooped by reading the router from the "owned" PC).
>
>> But I assume that even that would not give him total peace
>> of mind: would I be right in thinking that once his system is
>> compromised by malware, he has to assume that the malware might have
>> the capability of getting through a hardware firewall by deception
>> no matter how carefully it is set up, or am I stretching things a
>> bit too far with that one?
>
> Not so much malware, but an active and personal human hand behind the
> malware. That's why keeping the previous HD is a good long-term hedge
> (if you can keep it "pure" as potential court evidence, so much the
> better) so your idea of "get a new system" has merit if it means the
> old one can be retained as-is for forensics.
>
> Windows has no clue for these sorts of eventualities, so the effort of
> extracting data from the infected system, and ensuring that it is free
> of (infectable) code, is entirely up to you. The Windows "vision" is
> to be so secure that the infected state does not arise, therefore
> there is no need to plan for it or manage it.
>
>> Once again, my deepest thanks for your kindness in providing such
>> detailed replies.
>
> It's a pleasure... I'm glad it's not me on the slab, I have to say
> :-/
>
>
> -- Risk Management is the clue that asks:
> "Why do I keep open buckets of petrol next to all the
> ashtrays in the lounge, when I don't even have a car?"
> ----------------------- ------ ---- --- -- - - - -