Stefan
Sat Aug 06 20:02:36 CDT 2005
"Karl Levinson, mvp" <levinson_k@despammed.com> wrote:
>
> "Stefan Kanthak" <postmaster@1.0.0.127.in-addr.arpa> wrote in message
> news:%23PfZlLomFHA.2580@TK2MSFTNGP09.phx.gbl...
>
> > There's EXACTLY one thing to do: flatten and rebuild.
> > Any other proposal is truly bad advice, and lacks professionalism.
>
> I'm afraid I disagree.
Even in this case here? The OP wrote
| and about 23 viruses/backdoor trojans, etc.
As long as he's not able to perform the forensic inspection, really remove ALL
the malware and undo ALL the changes made to the system to return it to a
trustworthy state, what alternative does he have?
> > See
> >
> > http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
>
> Riley and Jesper say some good things and some wrong things. Saying that
> there is only one thing to do, "flatten," is BAD ADVICE for several reasons.
>
> Despite what they claim, flattening is NOT the only option. Maybe they
> meant that in their opinion, flattening is always the best option. This is
> not true either. They probably believe that flattening is the most reliable
> way to return to a trustworthy state, but I'm not sure this is true either.
> A newly flattened system built using flawed is 100% trustworthy for how
> long? 30 seconds? How long before you can no longer be 100% sure about its
> state? Is it worth doing all that work for such a small gain?
Flattening is the most reliable, and most often the fastest and most efficient
option.
I don't know how much time the OP already spent with inspecting the compromised
system, but he was not (yet) able to remove even the "visible" malware!
> They're also wrong in that flattening is NOT a substitution for
> troubleshooting and investigating. Flattening wipes out the evidence of
> what it was you were infected with. If you just flatten, your newly
> installed system might be just as vulnerable to whatever it was, because
> you're just hoping that one of the hardening steps that you're trying on the
> new system will do the trick. A compromise always means there was a
> breakdown in the current security posture, and flattening does nothing to
> determine what it was.
Correct. For the savvy user^Wadministrator.
But I wrote especially for the case here: the OP doesn't seem to be able to
perform the necessary investigation. And since he already modified the system,
he destroyed many traces. He didn't even bother to mention which Windows his
friend is using, which SP and hotfixes were installed, and all those nifty
details.
> I think Jesper and Riley know and might agree with all this, and just
> forgot or neglected to mention this. Having heard them speak, I know they
> know that security is not about building an insurmountable fortress but in
> managing risk, e.g. comparing the cost of threats with the cost of various
> countermeasures, and not guarding a tortilla with a tank.
Correct.
Who of us will perform the threat analysis for the OP's friend and rebuild the
system properly himself?
So I chose to give advice on how to rebuild the system without danger of getting
compromised again.
> Nevertheless, we're now in a situation where flattening is recommended too
> often and without the necessary caveats.
>
> > * Install the current service pack and all security hotfixes BEFORE
> > connecting to the internet!
>
> Most home users are unable to do this, or it would take them years and a lot
> of headaches. For home computers, turning on the firewall before connecting
> to the Internet to download patches should be good enough.
IFF the OP had written "it's Windows XP" I could have proposed to just
install, then activate the ICF and get SP2 plus patches.
He didn't, so I fell back to the secure option.
BTW: If it's not XP, where should he get a firewall?
> > * DON'T install a (third party) firewall; they are all crap and
> > create additional attack surface.
>
> Everything creates additional attack surfaces, including antivirus, web
> browser, email reader, etc. I will admit that host-based firewalls can have
> some gotchas, but many people, including myself, find third party firewalls
> to have more pros than cons. Host-based firewalls are used as an attack
> vector so rarely that I think it's hardly worth mentioning in most
> conversations.
I'm not afraid to disagree ;-)
Web browser and email client are NEEDED for browsing the web and reading mail,
but a firewall ain't. When I can set up my system without offering services, i.e.
opening ports to the internet, what purpose has a firewall then? Right, none.
Unfortunately some of these toys do open ports: that's a no-no for "security"
software, not acceptable. The same goes for some of the anti-virus packages.
And 0 open ports to the internet present an attack surface of 0.
> > * If she has XP Pro: turn on SAFER a.k.a. Software Restriction Policies
> > and allow execution only from %SystemRoot% and %ProgramFiles% (and
> > remove .LNK from the list of executables).
>
> Not a bad idea for some environments that are prepared to evaluate and
> support it, but that could break some of the OP's software.
Yes, bad and poorly written software might break.
The OP will learn to distinguish between crappy software and those properly
written and supporting her system and avoid the former (I hope).
> > * Instruct her NOT to install any other program she might think to
> > be useful. There's so much crap out there, and there's so much
> > crap/adware buried in P2P software like Kazaa.
>
> In other words, don't use your computer as a computer? I'd rather say, be
> careful in what you install and know the potential risks.
No. I don't know the purpose of her computer. The OP's friend does. If she
uses it to earn her living, then she'd REALLY avoid installing software not
necessary for her job. That's risk management: fewer programs installed,
less trouble.
> > With all these restrictions in place you don't need ANY of the toys
> > you mentioned. You should have learned now that they are (more or
> > less) useless, since they can NOT clean a compromised system, even
> > from "Safe Mode". Since you can't trust a compromised system you
> > must not rely on any result/output you get when running software
> > from it.
>
> Unless you suspect a root kit, the system state is probably being reliably
~~~~~~~~
> reported and scanned. The presence of spyware is almost universal and is
> not in itself evidence for us to suspect a root kit.
This probability is how small? The OP wrote he's a novice. Better be safe
than sorry.
> > Scan the compromised system from a clean system only,
> > either by putting the harddisk into another computer or by using a
> > bootable CD with WinPE or BartPE which lets you access the harddisk.
>
> Scanning from BartPE is a lot of effort for most users.
Really? Inserting a CD and booting it is a lot of effort?
Building the CD can be a little effort, because you need another computer,
an XP CD, and probably an Internet connection. But the OP has this.
OK, get the Avast BART!CD from Alwil Software... That's WinPE and a
virus scanner, a shell and some more tools.
> > They can't even protect a system, at least not to the extent their
> > vendors claim/state; it's an ongoing hide and seek: first comes the
> > malware, then the antivirus/antispy/anti* vendors REACT. They are
> > ALWAYS late.
>
> And that's OK. No security countermeasure is infallible. Choosing only
> 100% infallible security countermeasures is not always the right decision.
> I would argue that a system that only has 100% infallible countermeasures
> on it would probably be a system with no countermeasures on it.
But many people think "I'm protected by (insert your favourite here), so no
virus/malware can hurt me", and wonder later when they get hurt. And they'll
get hurt if their only countermeasures are tools, not brain and caution too!
> > Use your head/brain, not a toy/tool. You can't rely on them!
> > And remember: a fool with a tool is still a fool.
>
> Brains are quite limited and unreliable as well. A mixture of brain and
> toy, acceptance of some risk, and accepting that compromises will happen, is
> usually preferable.
If they are aware of the shortcomings of the used tools: right.
> For all the hype and FUD, spyware / adware "infections"
> are usually not that big a deal.
Sorry, but look into your inbox: where does this awful lot of SPAM come
from? Infected PCs running Windows!
> The biggest problem with spyware / adware
> is that it sometimes takes an awful lot of work to remove them.
And before I do an awful lot of work on a system I don't know I flatten
it and install it from scratch, properly hardened from the very beginning.
> That's why I lean towards the solution that causes the least work.
What were the numbers the OP posted? Thousands.
> Flattening is a lot
> of work, and most home users are going to make a mistake that allows their
> system to become re-infected again at some point, rendering the flattening
> useless.
That's why I made the list here...
As a precaution against the re-infection.
> Given that spyware / adware is probably going to get onto almost
> all home computers eventually, even a flattened system, they don't really
> count in my book as a compromise worthy of flattening.
I strongly disagree here: I don't take that as given. I've set up hundreds
of Windows PCs in the last years, and none of them was compromised so that
flattening the system was needed. That's what the restricted user account
is good for: the system and the installed software are left intact, you
just need to erase the user profile and log in again.
> I think you have to recognize that host-based firewalls and anti-spyware
> scanners are popular for a good reason: because they're usually better than
> not having them, whether the system is fully hardened or not. I agree with
> the validity of the points you bring up, but still feel the pros usually
> outweigh the cons.
Personal firewalls are (unfortunately) popular because many people believe
the industry that creates them.
I don't see any reason to use one; the systems that I set up don't open
ports to the internet.
Almost the same against anti-spyware: a system set up as described here is
not vulnerable, since the user ain't able to execute software from places
where he can write to (except for macros embedded into MS Office files;
but automatic macro execution is turned off).
> Your advice to consider non-administrator accounts as a countermeasure to
> spyware is a good suggestion that I agree with. I would note that future
> spyware will not necessarily be inhibited by this, and also some enterprise
> environments will find non-administrator accounts on Windows to be more
> trouble than they are worth.
What do you mean with this last remark? If it's (crappy) software that
only runs with administrative rights: sue their vendor, cut their payment
for not writing compliant software.
> > To the OP:
> >
> > * Get yourself a real name and a real email address.
> > At least I (and many others too) don't read anonymous/pseudonymous
> > cowards and address mungers, especially not those with completely
> > bogus addresses. Read
> > http://www.ietf.org/rfc/rfc1855.txt!
>
> I'm confused. Most of the posts here have invalid email addresses, because
> the MS web interface does that for you as a service. Most people here
> advise people NOT to post using their real unmunged email address. Either
> way, I can't see how it should matter much to us.
I don't read^Wsee posts from @discussions.microsoft.com, and I don't see
most of the posts with completely bogus addresses or without a real name.
Cf.
http://support.microsoft.com/default.aspx?scid=fh;DE;NGnetikette
I consider MS's use of invalid email addresses an offense against the
internet community. There are proven ways to post with valid addresses and
keep SPAM away. People who advise to munge addresses are (insert appropriate
insulting words here)...
Display names are for people, email addresses are for programs/machines.
As long as the latter can't "think", munging email addresses is insane and
breaks the possibility to communicate. I "respect" other people's wish to be
left alone when they don't tell me their name or give an invalid address.
Stefan
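The SAFER/Software Restriction Policies setup the post recommends (default level Disallowed, execution allowed only below the Windows and Program Files directories, LNK dropped from the designated file types), as an added PowerShell example that is not part of this thread. It writes the local Safer policy keys directly; the rule GUIDs are freshly generated, the log file path and the PolicyScope=1 setting (exempt local administrators so the configuring account can still undo the change) are assumptions, and the allow rules use the registry-anchored form of the two paths rather than environment variables a user could redefine.

```powershell
# Added example (not from the thread): configure Software Restriction Policies
# as described in the post. Run elevated; a logoff/reboot applies the policy.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $base -Force | Out-Null

# Default security level: 0 = Disallowed (0x40000 would be Unrestricted).
New-ItemProperty -Path $base -Name DefaultLevel -PropertyType DWord -Value 0 -Force | Out-Null
# Enforce for all software files except libraries (2 would include DLLs).
New-ItemProperty -Path $base -Name TransparentEnabled -PropertyType DWord -Value 1 -Force | Out-Null
# Assumption: exempt local administrators (1) so the policy can be reverted.
New-ItemProperty -Path $base -Name PolicyScope -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $base -Name AuthenticodeEnabled -PropertyType DWord -Value 0 -Force | Out-Null
# Assumed log path: record every enforcement decision while rolling out.
New-ItemProperty -Path $base -Name LogFileName -PropertyType String -Value 'C:\SaferLog.txt' -Force | Out-Null

# Designated file types: the XP default list without LNK, so shortcuts in the
# user's (writable) profile keep working while their targets are still checked.
$types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP',
         'HTA','INF','INS','ISP','MDB','MDE','MSC','MSI','MSP','MST','OCX',
         'PCD','PIF','REG','SCR','SHS','URL','VB','WSC'
New-ItemProperty -Path $base -Name ExecutableTypes -PropertyType MultiString -Value $types -Force | Out-Null

# Unrestricted (262144 = 0x40000) path rules for the two system locations.
# Registry-anchored paths cannot be redefined by the restricted user, and a
# non-admin cannot write below either directory, so this is the whole allow list.
$allow = @(
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'
)
foreach ($p in $allow) {
    $rule = Join-Path "$base\262144\Paths" ([guid]::NewGuid().ToString('B'))
    New-Item -Path $rule -Force | Out-Null
    New-ItemProperty -Path $rule -Name ItemData -PropertyType ExpandString -Value $p -Force | Out-Null
    New-ItemProperty -Path $rule -Name SaferFlags -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $rule -Name Description -PropertyType String -Value "Allow $p" -Force | Out-Null
    New-ItemProperty -Path $rule -Name LastModified -PropertyType QWord -Value (Get-Date).ToFileTime() -Force | Out-Null
}
```

After logging on as the restricted user, copy any .exe into a user-writable folder and confirm it is refused and the refusal shows up in the log file; only then consider setting PolicyScope back to 0 so administrators are covered as well.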