Microsoft Says Recovery From Malware Becoming Impossible
An anonymous reader wrote to mention an eWeek story about Microsoft's assertion that PCs may no longer be able to recover from the most aggressive malware. From the article: "[Danseglio] cited a recent instance where an unnamed branch of the U.S. government struggled with malware infestations on more than 2,000 client machines. 'In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast.'"
:-)
Ummmmm, how about switching?
Seriously though, NeXTstep certainly has a long history in certain TLA government agencies, and OS X is beginning to make significant inroads there as well. In addition, the timing is right for many businesses, as the infrastructure costs of maintaining Windows are simply becoming too high.
And calling these recent instances is a joke. I was having to perform complete system wipes and reconstructions due to malware years ago, which is why we have essentially completed a migration to OS X. We do have some Windows systems still around, but they are hidden behind OS X machines and are run headless and without connection to the Internet. In fact, it's been interesting that those companies that deliver microscopes (electron, confocal and light) and such that are currently driven by Windows are asking their customers to simply not plug them into networks or the Internet, severely limiting their use. They of course have been suggesting sneakernet to move files and data around, but my solution is to network them all with a dedicated backbone behind a Mac mini, which is now shipping with Gigabit Ethernet on board.
because they often use kernel hooks to avoid detection
Um, how about making it possible to DISABLE ADDING KERNEL HOOKS? There should at least be a reliable way to get a list of all currently-running kernel hooks, if there's not already.
I see the first few comments suggesting a switch to Linux or Macintosh. At least where I work, in the educational sector, that's impossible. The time spent retraining faculty and staff alone would outweigh the security benefits, especially when you consider all the specialized software floating around that hasn't been ported (curse you, Department of Education).
That being said, we haven't had much trouble with malware, and we're mainly an XP Pro/2K shop. We don't allow our users to run as administrators--period. That includes techs. Those who need the ability to install stuff have a local account which is prohibited from actually logging into the computer and has no rights to the domain. Ever since we implemented that things have been pretty quiet. In the rare case when somebody's machine does go down we can take a ghost image for backup purposes (if they aren't storing stuff on the network), and then re-ghost with a clean image. Average turnaround time: two hours.
No statement is true, not even this one.
Why is there never any retaliation against the companies that produce this software? If someone overseas comes up with a way to play a DVD on his own computer, then he's pursued endlessly. If someone puts out a warning about how Adobe's encryption is not so secure, then they're dragged over to the US for trial. But if someone writes malware that destroys thousands of computers, including government property, then absolutely nothing is done. It just seems a little odd to me.
This is just one more attempt to soften up the consumer marketplace, tenderize it like a NY strip steak, so that Joe Average will be ready to buy a new PC capable of running Vista so they don't have to worry about malware anymore, thanks to those really nice folks at Microsoft. The longer that MS has to soften the marketplace with FUD and 'smoke and mirrors' about how they are going to eliminate malware etc. with Vista, the more likely that people will 'wait for' Vista to ship rather than switch before 2010, when Vista actually does ship SP2 so that it works. MS always makes more money by selling an OS license with new hardware than they ever did selling just the OS. We all know how that works... so look forward to more of this MMSF in the coming months from the superheroes in Redmond....
I wish that the industry would say this properly. A PC is a personal computer. That includes Apple and most Linux boxes. OTOH, the PCs that are having problems are Windows-based PCs. Basically, the press should be saying that it is impossible to remove malware from Windows.
I prefer the "u" in honour as it seems to be missing these days.
For some time it has been easier to wipe and reinstall rather than repair an infection; of course, this is dependent on knowing where your data is to begin with (hint: this is why we have servers). A reinstall (automated, of course) will take less than 2 hours and everything is guaranteed to be working properly afterward. Properly eradicating most spyware takes a lot longer than this and doesn't guarantee that you or the program/s you use have gotten everything. Why even take the risk of repairing a spyware infection?
On Windows boxes I still see many spyware infections on computers where the users don't even have administrative access. This includes the adding and changing of system services that users don't (read as shouldn't) have access to change, as well as totally screwing over the Windows System Restore, which I might add helps malicious software coders more than the users actually trying to restore system files. All this from surfing a malicious site in IE.
It really is impossible to trust an infected machine even after every effort has been made to remove the spyware. This is something every Microsoft admin I know has known for some time; this should be a non-story except that it's about a government branch that had 2000 spyware-infected client machines and no disaster recovery plan. Heads should be rolling.
Formatting doesn't come close to eliminating real malware though. The boot sector isn't overwritten, first of all, unless you specify /s.
Additionally, the malware could have virtualized your PC and whatever changes you make are to the virtual computer you are running on while the virus has real run of your hardware and resources. Even if that doesn't exist yet, one day it will because it is possible using software that is even freely available today, with some tweaks that bad people would only be too eager to implement.
Talk about the mother of all rootkits eh? Your computer would be like The Matrix, a virtual world where you think you are in charge but are really running a pawn cause you're pwn3d.
Oh You POS
I take care of a couple hundred machines and the FIRST thing I did when I was hired was to set up an automatic install. It's a pretty tiny investment when you think about it. I didn't even do the standard hard drive cloning, I did it the HARD way and scripted a full XP install, which then hooks into automatic application install after XP is done. This is BASIC stuff. I can't believe the outright negligence of an IT department that doesn't have some sort of restore process.
Microsoft has screwed up for so long, in such a bad way, that now they can't even recommend using their operating system anymore?
Yes, I know I'm borderline troll here, but let's look at the progress over the years with Microsoft OSes:
1) DOS
Not much of an operating system. In fact, it does not meet my definition of an operating system. It started out as a purchased, in-house rip-off of CP/M or whatever, and IBM was conned into bundling it with their monopoly PC biz at the time. It took years to add features like memory management and disk caching, and multi-tasking was a joke. Reliability was abysmal. Yuck. How did a company start from that?
2) Windows 1.0 - 3.x where x < 1
Junk. Nobody used it, except towards the 3.x days, and even then people dropped to DOS much of the time.
3) Windows 3.1 and 3.11. Yes, this was the first viable product from the company, but barely. This came out in 1993. Yes, 1993. And it only then almost had the functionality of a Xerox Star from 1981.
4) NT 3.51. The first time I sat behind one of these, I was amazed. This was the first solid 32-bit offering I used, and it just felt solid and real. Same ugly interface as 3.1x, but this was a real operating system.
5) Windows 95. Its claim to fame was that Mac people called it MacOS from 1984. Honestly, it was their greatest achievement to date after conning their way with IBM. I was pleased when it came out. It had issues, but was OK for the time.
6) NT 4.0. Late to market, but OK. Basically 3.51 with the 95 UI and some other enhancements. Decent for a small company or workstation, I guess, at the time.
7) Win 98. Better than 95, especially with OSR2 or whatever it was called. Introduced USB and plug and play, but neither worked well.
8) Win ME. No comment besides this was the alpha quality OS that was the beginning of the merge between DOS/Win to NT. Everybody knows this was junk.
9) Win2k. Added stability for the first time to their systems. This is where they took a bad UI and started making it worse. Slow as a dog.
10) XP. Never really used it, but again, more stability, aside from the fact that the legacy support from bullet #1 is now an infectious target for malware, viruses, spyware, worms, trojans, you name it. If you don't want it, it will be on your newly installed computer in seconds without a firewall. Sometime after XP came out, MS took a week or two off from writing cutting-edge code to get their security in gear. We all appreciate that, right?
11) Vista. Looks like a revamping of Win2k. Bad UI made worse, and will be slow as a dog. Nothing to see here, please move along.
What I noticed in typing this is that MS is _always_ about 10 years behind where the progress should be. It's now 2006, and XP is a clowny-looking thing from the mid 90s. I will say that they sure know how to sell stuff to people. They get an A++ for that, but innovation and quality have never been their forte.
How does the ordinary user do this?
I didn't have the foresight to make a Ghost image of my system from the factory. It's a DELL and the restore-to-factory-from-secret-hidden-partition doesn't work once I added a new partition to the drive (with Partition Magic).
So now it looks like I have to:
1. Make sure I have up to date backups of my data (always a good idea)
2. Purchase another copy of Windows even though I already paid for one
3. Dig through my records collecting all the keys to all my applications
4. Spend an entire day reinstalling Windows and all my applications. Anyone who says it only takes an hour to reinstall Windows must have a secret version I don't have access to. I have to babysit the install through ten reboots and many hours.
Is this the best way?!
What about after that? I can Ghost the Windows partition, but I'd still have to reinstall any applications installed after the Ghost was made. And it's no use putting the applications in another partition because the applications depend on cruft in the registry.
making relying on backups far less useful (pointless, perhaps?). I've talked with people before about having Windows viruses that don't sap resources (at first) or kill the machine, but which quietly change data in files. Modify a "3" to a "7" in a few Excel files. Change meeting times in Outlook by 10 minutes here or there. Eventually, get more malicious and start changing other bits of data in files (mainly MS Office files for maximum compatibility/reach).
A good virus won't be found out for awhile, and without knowing when it infected the system, you won't easily be able to tell how far back to go in the backups to pull 'clean' files.
This would have a devastating effect on the trust people have in any part of the system. What good is 'rebuilding' the system if you can't trust the data backups either?
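The comment above asks how far back in the backups you have to go when a virus has been quietly editing data. One defensive answer is a file-hash manifest captured from a known-clean state and kept off the machine; the snippet below is an added example (not from the original thread) that compares a series of constructed backup snapshots against such a baseline and reports the latest snapshot that is still clean. The file names, contents and dates are all constructed for illustration.

```python
import hashlib
from datetime import date


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed trusted baseline: hashes taken before exposure and stored away from the
# machine (offline or signed), otherwise the same malware could rewrite the manifest
# along with the data it alters.
CLEAN_FILES = {
    "budget.csv": b"item,qty\nchairs,3\ndesks,7\n",
    "meetings.ics": b"BEGIN:VEVENT\nDTSTART:20060401T100000\nEND:VEVENT\n",
}
BASELINE = {name: sha256(data) for name, data in CLEAN_FILES.items()}

# Constructed backup snapshots, oldest first. The quiet tampering the comment describes
# (a "3" flipped to a "7", a meeting moved by ten minutes) begins on the third day.
SNAPSHOTS = [
    (date(2006, 4, 1), dict(CLEAN_FILES)),
    (date(2006, 4, 2), dict(CLEAN_FILES)),
    (date(2006, 4, 3), {**CLEAN_FILES, "budget.csv": b"item,qty\nchairs,7\ndesks,7\n"}),
    (date(2006, 4, 4), {"budget.csv": b"item,qty\nchairs,7\ndesks,7\n",
                        "meetings.ics": b"BEGIN:VEVENT\nDTSTART:20060401T101000\nEND:VEVENT\n"}),
]


def tampered_files(snapshot, baseline):
    """Names of files whose hash differs from the baseline (or that the baseline never saw)."""
    return sorted(name for name, data in snapshot.items()
                  if sha256(data) != baseline.get(name))


def last_clean_snapshot(snapshots, baseline):
    """Walk snapshots oldest-first; return the date of the latest one in which every file
    still matches the baseline, or None if even the oldest is already tampered.
    Everything after the first tampered snapshot is treated as untrusted."""
    last_clean = None
    for snap_date, files in snapshots:
        if tampered_files(files, baseline):
            break
        last_clean = snap_date
    return last_clean


def tamper_report(snapshots, baseline):
    """Per-snapshot list of changed files, which shows the tampering widening over time."""
    return {snap_date.isoformat(): tampered_files(files, baseline)
            for snap_date, files in snapshots}


if __name__ == "__main__":
    print("last clean backup:", last_clean_snapshot(SNAPSHOTS, BASELINE))
    for day, changed in tamper_report(SNAPSHOTS, BASELINE).items():
        print(day, "tampered: " + ", ".join(changed) if changed else "clean")
```

A hash-only manifest tells you which files changed and when, not whether the change was legitimate; pairing it with the application's own change logs is what separates user edits from silent corruption.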
The original point is that this causes genuine harm to every computer owner, including large wealthy corporations, as well as the government itself.
Most computers are actually used in a workplace, rather than at home.
Q: Why would Micro$oft say something like that?
A: Because they are about to release a new OS that will "solve" the problem.
Nah, they wouldn't do something like that.
In the land of the blind, the one-eyed man is king.
In the days before multi-sync monitors, you had to carefully match the refresh frequency of the video card to the refresh frequency of the monitor.
There was a virus that did change the refresh frequency and that caused the monitor to fail, sometimes with smoke.
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
My missus and I both have an XP desktop each (amongst a few Linux boxes of mine). She's pretty regular with virus-scanning and spyware checkers; I'm totally paranoid and do regular checks on everything (Linux and Windows). Suffice it to say, going through this process once or twice a week, I never really find any problems: the occasional suspect registry key, the odd dodgy cookie, but I probably put those down to over-zealous spyware programs.
Cue the visit from my sister one weekend, along with 13-year old niece and 11-year old nephew. Naturally, they navigate themselves to the XP desktops after asking for (and getting) permission from the missus to do so.
They're messing about on the PCs most of the day (cold winter's day in England) and I occasionally look in on them: chatting with friends on MSN, playing the odd Flash game, looking at music sites (niece) and soccer and WWF wrestling sites (nephew). They seem to spend a lot of time in a chat site called something like "The Doll Palace" where they pick avatar characters and drag them to different rooms of the palace to chat. Keeping an eye on them, it's just a lot of kids going "Cool", "Wow" and nattering about music, nothing suspect.
After they've gone home, I check the machines just to make sure they've been doing nothing suspect. Nope, just kids being kids. Then I virus/spyware check both machines: three viruses (2 on one machine, 1 on the other) and about two dozen suspect spyware bits and pieces. I couldn't believe it, especially as one of the viruses needed a safe-mode reboot of the PC, deleting a registry entry and then a couple of files.
God knows where they came from but I suspect a lot of this stuff is attached to seemingly innocent sites where kids flock to - "The Doll Palace" is definitely one I'd like to know more about...
I believe security will be a huge problem for the industry for years and years and years
I think that's a pretty reasonable statement. Computer systems are very complex and subject to economic and human considerations. Mistakes will happen and compromises will be made in the interest of time and cost.
Lots of smart, clever and motivated people will be looking for mistakes and oversights in this system. They'll find ways to exploit it.
A lot of things, including a very secure operating system, are possible and even desirable. That doesn't mean that they are the solution that will be chosen in the kind of environment that we have. The solution that appears will probably be a sub-optimal but fairly effective use of the available resources.
At my workplace, sometimes folks bring in their home PCs for me to clean off on my lunch break. A quick job pays a 6-pack of Mickey's. A longer job pays a 6-pack of Guinness. From those cleanup jobs I can vouch that the typical home user with an always-on DSL/cable Internet connection is in a world of hurt. I try to show folks how to Ghost their hard drive onto a DVD-R so that they can restore their system to a usable state rather than search through the haystack for all of the malware needles.
For example, the most recent cleanup I did entailed a laptop that had no antivirus software running on it. They did have a bundled AOL spyware app installed, but as far as I could tell it had never been run. I installed Avast! and Ad-aware from CD and ran full scans on the system. The result was over 300 viruses and over 3,000 malware captures. Amazing that the computer could even launch an initial Windows Explorer session at all.
If things continue their downward spiral (i.e. Microsoft dominance, widespread Internet exploits, monetary incentive for malware deployment, and foreign governments turning a deaf ear on abuse reports), I would require that anyone with a Windows-based, Internet-exposed PC earn an operator license, much like someone would have to do to operate an automobile, motorcycle, ham radio, etc. This would include mandatory security training. And for God's sake, a brief explanation of imaging and recovering their hard drive in case they get hit with something later.
Seriously though, this scenario isn't viable. But perhaps virtualization technology offers a safe haven. Folks could just reboot their virtual image if they get slammed with something and get back to square one. Until the malware authors get one step ahead of that, at least there would be some breathing room...
Microsoft's monopoly makes it pretty much the only company that can actually plan on getting away with selling a new product by saying:
Of course, you can also switch over to Linux today, which has enough of a separation between user and admin that rootkits are nontrivial to install, but we won't talk about that...
Microsoft and Brazilian bikinis are about the only two products where you can get away with charging people hundreds of dollars for almost nothing -- Of course, I know which one I'd rather see my girlfriend use...
The whole account/privileges issue on Windows is so convoluted as to be totally incomprehensible to the UNIX mind. I can't understand how the damn thing works!
"Me", "All My Mates", "Everyone Else In The World" and "If you're really good I'll let you run this as 'root'" is all I've ever needed to cover all the account bases...
The problem with stupid people is the first thing they do is turn off the safety. The safety is there to prevent accidental discharge of the weapon. Stupid people think to themselves "if I need to shoot something, this is only just going to get in my way" and proceed to turn it off.
...
You would be surprised at the number of people who end up shooting themselves with their own gun every year