[ale] [OT] Databases of viruses/malware

David Tomaschik david at systemoverlord.com
Wed Mar 2 23:27:18 EST 2011


On 03/02/2011 10:01 PM, Ron Frazier wrote:
> Pat,
> 
> A valid question. The best way to fix a virus is never to catch one. 
> However, the post JD wrote which I replied to assumed a virus had been 
> detected and he was discussing how to get rid of it. I'll give you the 
> best answer I can. If I wipe the drive, and reinstall the system and non 
> infectable data files, then I would trust the computer. Then, I would do 
> routine virus scans, have live on the fly scanning active, and have data 
> execution protection on in the OS (if it's Windows) and the browser (if 
> it's IE). I would watch for anomalous events such as crashes, non 
> requested reboots, error messages, etc. I would watch for reports of odd 
> computer behavior from the users, missing or corrupt data, reports like 
> "I got this email from IT and clicked the link" or "what was that urgent 
> system maintenance thing yesterday (when there was none), etc. If I have 
> much probable cause at all, I'll reboot with a few different AV rescue 
> CD's and scan independent of the OS. For truly sensitive PC's and users, 
> I might wipe the drive and reinstall just based on probable cause alone. 
> Of course, I would immediately pursue and try to confirm any reports of 
> active viruses by the AV scanner.
> 
> To actually answer your question, there is no sure fire way to detect 
> these things. Just like organized criminals, the really good ones never 
> get caught. There are millions of users with infected computers who 
> don't even know it. The virus writers use the compromised PC's to join 
> bot nets, silently commit cyber terrorism, and steal confidential data 
> which is sold on the black market.
> 
> Security professionals feel free to jump in here.
> 
> Sincerely,
> 
> Ron
> 
> On 03/02/2011 09:08 PM, Pat Regan wrote:
>> On Wed, 02 Mar 2011 20:58:02 -0500
>> Ron Frazier<atllinuxenthinfo at c3energy.com>  wrote:
>>
>>    
>>> The problem is, you may never know if the remedy failed. If the virus
>>> returns in a mutated form, or in rootkit form, it may not show any
>>> evidence of it's presence until you boot another OS and scan again,
>>> which may be weeks or months or never. In my opinion, if a machine is
>>> compromised, the only way I can trust it again with confidential
>>> data, for sure, is to wipe the drive.
>>>      
>> How do you know when to stop trusting it again?  If it is hiding that
>> well then how did you find it in the first place? :)
>>
>> Pat
>>
>>    
> 


Ron has hit it right on the head.  He's kind of hinting at a topic
that's garnered a lot of attention lately, especially around the time of
Stuxnet.  "Advanced Persistent Threat" is a big InfoSec buzz word right
now, but really, it just means "an attacker with a lot of ways in that
you can't (easily) detect".

That being said, we really have made HUGE strides in information
security.  Unfortunately, so have the attackers.  By and large, for data
files to be infected, they need to have some sort of built-in scripting
capability (think macro viruses, or any of the dozens of Adobe Reader
PDF javascript vulnerabilities).  Lacking this, data is largely safe.
(This has become even more secure with the wide distribution of DEP.)

The short version of this is: wipe and reload is a much safer practice
than cleanup.  However, cleanup (particularly from a LiveCD/alternate
OS/etc.) remains a viable option for a substantial proportion of threats.



-- 
David Tomaschik, RHCE, LPIC-1, CLA
System Administrator/Open Source Advocate
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com


More information about the Ale mailing list