Thread: Cleaning a Compromised (Windows) System

  1. #1
    ~BD~ Guest

    Cleaning a Compromised (Windows) System

    Does anyone agree with this article?
    ***********************************

    So, you didn’t patch the system and it got hacked. What to do? Well,
    let’s see:

    You can’t clean a compromised system by patching it. Patching only
    removes the vulnerability. Upon getting into your system, the attacker
    probably ensured that there were several other ways to get back in.

    You can’t clean a compromised system by removing the back doors. You can
    never guarantee that you found all the back doors the attacker put in.
    The fact that you can’t find any more may only mean you don’t know where
    to look, or that the system is so compromised that what you are seeing
    is not actually what is there.

    You can’t clean a compromised system by using some “vulnerability
    remover.” Let’s say you had a system hit by Blaster. A number of vendors
    (including Microsoft) published vulnerability removers for Blaster. Can
    you trust a system that had Blaster after the tool is run? I wouldn’t.
    If the system was vulnerable to Blaster, it was also vulnerable to a
    number of other attacks. Can you guarantee that none of those have been
    run against it? I didn’t think so.

    You can’t clean a compromised system by using a virus scanner. To tell
    you the truth, a fully compromised system can’t be trusted. Even virus
    scanners must at some level rely on the system to not lie to them. If
    they ask whether a particular file is present, the attacker may simply
    have a tool in place that lies about it. Note that if you can guarantee
    that the only thing that compromised the system was a particular virus
    or worm and you know that this virus has no back doors associated with
    it, and the vulnerability used by the virus was not available remotely,
    then a virus scanner can be used to clean the system. For example, the
    vast majority of e-mail worms rely on a user opening an attachment. In
    this particular case, it is possible that the only infection on the
    system is the one that came from the attachment containing the worm.
    However, if the vulnerability used by the worm was available remotely
    without user action, then you can’t guarantee that the worm was the only
    thing that used that vulnerability. It is entirely possible that
    something else used the same vulnerability. In this case, you can’t just
    patch the system.

    You can’t clean a compromised system by reinstalling the operating
    system over the existing installation. Again, the attacker may very well
    have tools in place that tell the installer lies. If that happens, the
    installer may not actually remove the compromised files. In addition,
    the attacker may also have put back doors in non-operating system
    components.

    You can’t trust any data copied from a compromised system. Once an
    attacker gets into a system, all the data on it may be modified. In the
    best-case scenario, copying data off a compromised system and putting it
    on a clean system will give you potentially untrustworthy data. In the
    worst-case scenario, you may actually have copied a back door hidden in
    the data.

    You can’t trust the event logs on a compromised system. Upon gaining
    full access to a system, it is simple for an attacker to modify the
    event logs on that system to cover any tracks. If you rely on the event
    logs to tell you what has been done to your system, you may just be
    reading what the attacker wants you to read.

    You may not be able to trust your latest backup. How can you tell when
    the original attack took place? The event logs cannot be trusted to tell
    you. Without that knowledge, your latest backup is useless. It may be a
    backup that includes all the back doors currently on the system.

    The only way to clean a compromised system is to flatten and rebuild.
    That’s right. If you have a system that has been completely compromised,
    the only thing you can do is to flatten the system (reformat the system
    disk) and rebuild it from scratch (reinstall Windows and your
    applications). Alternatively, you could of course work on your resume
    instead, but I don’t want to see you doing that.

    This list makes patching look not so bad, yes? We may hate patches, but
    the alternative is decidedly worse.

    Ref: http://technet.microsoft.com/en-gb/l.../cc512587.aspx

    Jesper M. Johansson, Ph.D., CISSP, MCSE, MCP+I

    Security Program Manager
    Microsoft Corporation

  2. #2
    Mike Easter Guest

    Re: Cleaning a Compromised (Windows) System

    ~BD~ wrote:
    > Does anyone agree with this article?
    "The only way to clean a compromised system is to flatten and rebuild."

    That article was written in 2004 May.

    One of my favorite sites to send people for help in cleaning up has this
    'preliminary' information to consider before trying to clean:

    <q> Before deciding whether your computer needs cleaning or
    reformatting, you need to ask yourself some very serious questions.

    Do you use your computer for any of the following? Online
    banking/Business purposes/storing sensitive or very personal information?

    If the answer to any of those questions is yes, then you should
    immediately disconnect your computer from the net and do a complete
    format and reinstall. </q>

    http://www.techspot.com/vb/menu28.html Virus and Malware Removal

    That techspot advice was posted about 3 years ago.

    The problem is that when many people report some kind of 'contamination'
    of their system which their spyware tool has alerted them about and
    sanitized, they don't know whether they have been alerted to and
    cleansed of significant infestation, infection, or cookies.
    --
    Mike Easter

  3. #3
    ~BD~ Guest

    Re: Cleaning a Compromised (Windows) System

    Mike Easter wrote:
    > ~BD~ wrote:
    >> Does anyone agree with this article?

    >
    > "The only way to clean a compromised system is to flatten and rebuild."
    >
    > That article was written in 2004 May.
    >
    > One of my favorite sites to send people for help in cleaning up has this
    > 'preliminary' information to consider before trying to clean:
    >
    > <q> Before deciding whether your computer needs cleaning or
    > reformatting, you need to ask yourself some very serious questions.
    >
    > Do you use your computer for any of the following? Online
    > banking/Business purposes/storing sensitive or very personal information?
    >
    > If the answer to any of those questions is yes, then you should
    > immediately disconnect your computer from the net and do a complete
    > format and reinstall. </q>


    I agree with those sentiments!

    > http://www.techspot.com/vb/menu28.html Virus and Malware Removal
    >
    > That techspot advice was posted about 3 years ago.
    >
    > The problem is that when many people report some kind of 'contamination'
    > of their system which their spyware tool has alerted them about and
    > sanitized, they don't know whether they have been alerted to and
    > cleansed of significant infestation, infection, or cookies.
    >
    >
    >

    How right you are in that last paragraph, Mike!

    I've bookmarked 'techspot' for future exploration.

    Although I have purchased Acronis True Image (and have used it) I'm not
    100% sure that simply restoring an image will *always* defeat a truly
    compromised machine!

    Thanks for your post!

    D.

  4. #4
    Mike Easter Guest

    Re: Cleaning a Compromised (Windows) System

    ~BD~ wrote:
    > Mike Easter wrote:


    >> http://www.techspot.com/vb/menu28.html Virus and Malware Removal


    > I've bookmarked 'techspot' for future exploration.


    There are a number of similar sites, but I think that one does a good
    job of vetting its helpers and keeping a fairly rigorous structure to
    their strategy and requirements for the participation of the affected user.

    > Although I have purchased Acronis True Image (and have used it) I'm not
    > 100% sure that simply restoring an image will *always* defeat a truly
    > compromised machine!


    Let's don't use fuzzy concepts because they are too difficult to discuss
    because the fuzz is undefined.

    You are trying to talk about what is or is not good enough to fix 'a
    truly compromised machine' without defining one specific compromised
    machine.

    If there were one specific compromised machine, we would be talking
    about specifically what was and what was *not* wrong with it.


    --
    Mike Easter

  5. #5
    David H. Lipman Guest

    Re: Cleaning a Compromised (Windows) System

    From: "~BD~" <~BD~@nomail.afraid.com>

    The word is compromised.
    Being infected does not necessarily mean the platform has been compromised.

    --
    Dave
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp

  6. #6
    ~BD~ Guest

    Re: Cleaning a Compromised (Windows) System

    David H. Lipman wrote:
    > From: "~BD~"<~BD~@nomail.afraid.com>
    >
    > The word is compromised.
    > Being infected does not necessarily mean the platform has been compromised.
    >


    If one needs to resort to utilising David H Lipman's "Multi-AV Scanning
    Tool" would one's machine have merely been 'infected' or would it have
    been 'compromised'?

  7. #7
    Beauregard T. Shagnasty Guest

    Re: Cleaning a Compromised (Windows) System

    The FUD-Spreader named ~BD~ wrote:

    > David H. Lipman wrote:
    >> From: "~BD~"<~BD~@nomail.afraid.com>
    >>> [6-yr-old copyrighted material was snipped by Mr Lipman]

    >>
    >> The word is compromised.
    >> Being infected does not necessarily mean the platform has been compromised.

    >
    > If one needs to resort to utilising David H Lipman's "Multi-AV Scanning
    > Tool" would one's machine have merely been 'infected' or would it have
    > been 'compromised'?


    One's machine would not be affected at all, and you know it. Can you
    ever post anything without attempting to provoke someone? Other than
    that woman, of course.

    --
    -bts
    -In a broadband world, you are just a dialup

  8. #8
    ~BD~ Guest

    Re: Cleaning a Compromised (Windows) System

    Beauregard T. Shagnasty wrote:
    > The FUD-Spreader named ~BD~ wrote:


    Provocation?

    >> David H. Lipman wrote:
    >>> From: "~BD~"<~BD~@nomail.afraid.com>
    >>>> [6-yr-old copyrighted material was snipped by Mr Lipman]


    Provocation?

    >>> The word is compromised.
    >>> Being infected does not necessarily mean the platform has been compromised.


    Now was *that* provocative, or what!

    >> If one needs to resort to utilising David H Lipman's "Multi-AV Scanning
    >> Tool" would one's machine have merely been 'infected' or would it have
    >> been 'compromised'?

    >
    > One's machine would not be affected at all, and you know it. Can you
    > ever post anything without attempting to provoke someone? Other than
    > that woman, of course.
    >


    Maybe it's because you are an American that you cannot understand
    English 'as she is wrote', eh? Perhaps a simple misunderstanding?

    No-one (except me! I have tried it out! <smile>) would use Mr Lipman's
    tool _in anger_ *unless* their computer had been /either/ infected *or*
    compromised, would they?

    It was a *serious* question (OK - with an undertone, I concede!)

    Now then, have you been snooping and disrupting play on Scorched-Earth
    using a different nym? You are more than welcome to join in as BTS!

  9. #9
    Beauregard T. Shagnasty Guest

    Re: Cleaning a Compromised (Windows) System

    ~BD~ wrote:

    > Beauregard T. Shagnasty wrote:
    >> The FUD-Spreader named ~BD~ wrote:

    >
    > Provocation?


    No. Truth.
    <snip>

    > It was a *serious* question (OK - with an undertone, I concede!)


    Always an undertone. Always.

    > Now then, have you been snooping and disrupting play on Scorched-Earth
    > using a different nym? You are more than welcome to join in as BTS!
    >


    No.

    --
    -bts
    -Four wheels carry the body; two wheels move the soul
