Microsoft Says Recovery From Malware Becoming Impossible
An anonymous reader wrote to mention an eWeek story about Microsoft's assertion that PCs may no longer be able to recover from the most aggressive malware. From the article: "[Danseglio] cited a recent instance where an unnamed branch of the U.S. government struggled with malware infestations on more than 2,000 client machines. 'In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast.'"
'In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast.'
:-)
Ummmmm, how about switching?
Seriously though, NeXTstep certainly has a long history in certain TLA government agencies and OS X is beginning to make significant inroads there as well. In addition the timing is right for many businesses as the infrastructure costs to maintaining Windows are simply becoming too high.
And calling these recent instances is a joke. I was having to perform complete system wipes and reconstructions due to malware years ago, which is why we have essentially completed a migration to OS X. We do have some Windows systems still around, but they are hidden behind OS X machines and are run headless and without connection to the Internet. In fact, it's been interesting that those companies that deliver microscopes (electron, confocal and light) and such that are currently driven by Windows are asking their customers to simply not plug them into networks or the Internet, severely limiting their use. They of course have been suggesting sneakernet to move files and data around, but my solution is to network them all with a dedicated backbone behind a Mac mini that is now shipping with Gigabit Ethernet on board.
Visit Jonesblog and say hello.
Unrecoverable? What's wrong with FDISK?
I like the wicked better than fools, because they take a rest. -- Alexandre Dumas
Companies like Sony pushing rootkits onto unsuspecting customers is part of the trend toward stealth and aggressive rooting of machines. Once a serious worm that can spread quickly and hide deeply gets around, people will realize how serious an issue rootkits are.
Oh You POS
Ok, so why was there no disaster recovery plan in the first place? Surely the thought of an uber virus wrecking Windows had to have been brought up at some kind of meeting? Those who fail to plan plan to fail. Plain & Simple
--Taladon
Like Sweepstakes? Try out my service @ http://www.yourpowersweeps.com -- Free 21 day trial, no cc needed.
I think any of us that work on computer systems long ago figured out that rebuilding a system is far easier than trying to remove each piece of malware. Now, in cases where there is critical data on the machine, then it would be worth it to try. The fact is, by the time we hear about the issue, it isn't a matter of removing one or two pieces; it is usually closer to 20 or 30.
"Everyone needs to buy a copy of Windows Vista, which will solve the malware problem."
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
because they often use kernel hooks to avoid detection
Um, how about making it possible to DISABLE ADDING KERNEL HOOKS? There should at least be a reliable way to get a list of all currently-running kernel hooks, if there's not already.
Actually, no. MBR viruses and systems with multiple partitions sometimes cannot be guaranteed virus free without wiping all partition tables via fdisk or a low-level format. Back in the day, I remember a virus named NYB that stuck around beyond fdisk on SCSI drives. The only way to get rid of it was an actual low-level format.
You could never recover a compromised system reliably anyway. Once someone's got through your security to a certain level, you can't trust anything - including security tools and diagnostic information - that runs at that level or above. For a typical desktop PC or office server, that basically means you can't trust anything left on the system.
Any sort of virus removal or system clean-up after being cracked is just a calculated risk that the attack will have been completely removed, based on the fact that doing a complete rebuild of a system and restoring all the backed up data is expensive, and while not cleaning up 100% after an attack is potentially more expensive, the probability of this is low.
And no, running Linux or MacOS X instead of Windows doesn't change this, despite the number of people flippantly suggesting these alternatives. I'd have told you this earlier and saved a dozen posts, but apparently it's been 4 minutes since I last successfully posted a comment, so I can't post another one yet... ;-)
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
the U.S. government struggled with malware infestations on more than 2,000 client machines. 'In that case, it was so severe that trying to recover was meaningless.
Whereas, if they had been using thin clients with no local storage, the only recovery action would have been on the server. And if they had been running non-Windows on the server, they wouldn't have had these infestations in the first place. A full-blown Windows PC on every desktop in an enterprise is just an expensive welfare program for MCSE types.
Why is there never any retaliation against the companies that produce this software? If someone overseas comes up with a way to play a DVD on his own computer, then he's pursued endlessly. If someone puts out a warning about how Adobe's encryption is not so secure, then they're dragged over to the US for trial. But if someone writes malware that destroys thousands of computers, including government property, then absolutely nothing is done. It just seems a little odd to me.
The EDS solution (while EDS isn't the best organization, this solution is highly effective in malware-prone environments): GigE to the console, unified desktop system. You have three or four builds of different machines (laptop, high-performance desktop, 'information worker' desktop, kiosk) with an image pushed every night. Users' data is stored non-locally, in mapped network drives. Expensive to implement? Sure. Cost savings in the long run? You betcha! Plus, the helpdesk ends up with LEGITIMATE user issues, not 'Wah, I don't want to read the onscreen directions, you do it!'.
Informatus Technologicus
This is just one more attempt to soften up the consumer marketplace, tenderize it like a NY strip steak, so that Joe Average will be ready to buy a new PC capable of running Vista so they don't have to worry about malware anymore, thanks to those really nice folks at Microsoft. The longer that MS has to soften the marketplace with FUD and 'smoke and mirrors' about how they are going to eliminate malware etc. with Vista, the more likely that people will 'wait for' Vista to ship rather than switch before 2010, when Vista actually does ship SP2 so that it works. MS always makes more money by selling an OS license with new hardware than they ever did selling just the OS. We all know how that works.. so look forward to more of this MMSF in the coming months from the superheroes in Redmond....
Support NYCountryLawyer RIAA vs People
I wish that the industry would say this properly. A PC is a personal computer. That includes Apple and most Linux boxes. OTH, the PCs that are having problems are Windows-based PCs. Basically, the press should be saying that it is impossible to remove malware from Windows.
I prefer the "u" in honour as it seems to be missing these days.
Formatting doesn't come close to eliminating real malware though. The boot sector isn't overwritten, first of all, unless you specify /s.
Additionally, the malware could have virtualized your PC and whatever changes you make are to the virtual computer you are running on while the virus has real run of your hardware and resources. Even if that doesn't exist yet, one day it will because it is possible using software that is even freely available today, with some tweaks that bad people would only be too eager to implement.
Talk about the mother of all rootkits eh? Your computer would be like The Matrix, a virtual world where you think you are in charge but are really running a pawn cause you're pwn3d.
Oh You POS
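A small model of what the two comments above describe (boot code in the MBR surviving a format of a partition, and a defender verifying it against a known-good baseline from offline media), written here as an added example and not part of the thread; the disk layout, boot-code bytes and hashes are constructed, not a real image or real tooling:

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446     # bytes 0..445 of sector 0: executable boot code
PART_TABLE_OFF = 446    # four 16-byte partition entries follow
SIG_OFF = 510           # 0x55AA boot signature closes the sector
ENTRY = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count

# Constructed stand-ins for known-good and altered boot code (not real code).
CLEAN_BOOT_CODE = b"\xfa\x33\xc0" + b"CONSTRUCTED CLEAN BOOT CODE"
ALTERED_BOOT_CODE = b"\xfa\x33\xc0" + b"CONSTRUCTED ALTERED BOOT CODE"

def build_disk(boot_code, partitions, n_sectors):
    """Constructed sample disk: MBR in sector 0, then empty sectors."""
    disk = bytearray(n_sectors * SECTOR)
    disk[:BOOT_CODE_LEN] = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    for i, (ptype, lba_start, count) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        disk[off:off + 16] = struct.pack(ENTRY, 0x80, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)
    disk[SIG_OFF:SIG_OFF + 2] = b"\x55\xaa"
    return disk

def parse_mbr(disk):
    """Split sector 0 into boot code (hashed), partition table and signature."""
    mbr = bytes(disk[:SECTOR])
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY, mbr[off:off + 16])
        if ptype:
            parts.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": mbr[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa"}

def format_partition(disk, index):
    """Model a plain format: only the partition's own sectors are rewritten."""
    p = parse_mbr(disk)["partitions"][index]
    start = p["lba_start"] * SECTOR
    disk[start:start + p["sectors"] * SECTOR] = bytes(p["sectors"] * SECTOR)

def boot_code_matches(disk, known_good_sha256):
    """Baseline check a responder would run from trusted offline media."""
    return parse_mbr(disk)["boot_code_sha256"] == known_good_sha256

def demo():
    baseline = parse_mbr(build_disk(CLEAN_BOOT_CODE, [(0x07, 1, 63)], 64))["boot_code_sha256"]
    disk = build_disk(ALTERED_BOOT_CODE, [(0x07, 1, 63)], 64)
    format_partition(disk, 0)                       # formats C:, sector 0 untouched
    after_format = boot_code_matches(disk, baseline)  # False: altered boot code survived
    disk[:BOOT_CODE_LEN] = CLEAN_BOOT_CODE.ljust(BOOT_CODE_LEN, b"\x00")  # rewrite from known-good
    return after_format, boot_code_matches(disk, baseline)
```

The point the comments make falls out of the model: only a rewrite of sector 0 itself (here the final assignment, in practice the tool that rewrites the MBR) brings the boot code back to the baseline.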
When a *nix box gets rooted, generally standard practice says that you rebuild the box. I'm unsure if this is the case with Windows rootings. That is just the way it is.
Malware wants to be "sticky". I'm surprised it has taken this long to become truly difficult if not downright impossible to remove.
What I wonder is if people will just tolerate the unremovable malware instead of the frustration and/or time of reinstalling the OS and applications and getting everything just right all over again. It's one thing for system administrators and geeks to reinstall. It's another thing entirely for the average user to have full/incremental backups or cloned drives or some set of procedures for reinstallation.
This is definitely an interesting situation.
How does the ordinary user do this?
I didn't have the foresight to make a Ghost image of my system from the factory. It's a DELL and the restore-to-factory-from-secret-hidden-partition doesn't work once I added a new partition to the drive (with Partition Magic).
So now it looks like I have to:
1. Make sure I have up to date backups of my data (always a good idea)
2. Purchase another copy of Windows even though I already paid for one
3. Dig through my records collecting all the keys to all my applications
4. Spend an entire day reinstalling Windows and all my applications. Anyone who says it only takes an hour to reinstall Windows must have a secret version I don't have access to. I have to babysit the install through ten reboots and many hours.
Is this the best way?!
What about after that? I can Ghost the Windows partition, but I'd still have to reinstall any applications installed after the Ghost was made. And it's no use putting the applications in another partition because the applications depend on cruft in the registry.
- For the complete works of Shakespeare: cat
It's a gamble. Building the new system represents a cost (in time and labor if nothing else). Retraining staff is a cost. Finding new apps, or secure work-arounds for existing apps, represents another cost. Dealing with the transition (helpdesk, troubleshooting, whining users, fixing incompletely transitioned apps) represents yet another cost.
On the balance side is the cost of a security breach which (insert your company's worst nightmare here). Or the cost of denying all your users all your computers for a period of time while things are all rebuilt. Of course it isn't guaranteed that either doomsday scenario is going to happen; simultaneously, it isn't guaranteed that either doomsday scenario is going to be limited to a single incident.
It's called risk management.
Put another way: is it worth taking a known, calculable, solid kick in the nuts to mitigate the risk that you might be repeatedly shot in the arm, chest, or head?
What is your business worth?
you should read everything on the internet as if it had "but I'm probably talking out of my ass" appended to it.
I see the first few comments suggesting a switch to Linux or Macintosh. At least where I work, in the educational sector, that's impossible.
Wouldn't matter anyway. Best practices for recovering from UNIX intrusion have always been to wipe the disks, reinstall the OS, and recover the last known-good backup. Nothing has changed here but Microsoft's attitude; they're starting to grow up a little.
(sniff). I remember when they were knee-high.
Please tell what such an "alternative operating system" is?
Vista, of course. It has Trusted Computing, so I know I'll never have to worry about security again.
"A Mac-user with common sense!"
It's not common sense. It's wrong.
Microsoft is in a unique position. Because it has a virtual monopoly, Microsoft makes more money when its software has a lot of security vulnerabilities. For those who are ruled by money, morality has no force; "Maximizing Shareholder Value" is the way they live their lives.
Microsoft makes more money if it pressures its programmers to work too fast, so that they are sloppy, and then releases buggy software. Many people are fascinated by computers, and easily accept the world that Microsoft has created for them.
Here's a story about a Microsoft VP saying, "Oh, the next Windows operating system will be secure": "Safety and security is the overriding feature that most people will want to have Windows Vista for".
So, Microsoft is once again telling us "The next version of Windows will be the good one." Before, Microsoft said Windows XP was "Built to be Dependable".
However, Vista will NOT include virus protection. Jim Allchin, co-president of Microsoft's platform products and services division, told CRN, an industry magazine, this:
CRN: In terms of security, how do you compare security in Vista vs. security in Windows XP SP2?
Allchin: SP2 was a very good system but compared to Vista, it's night and day.
CRN: Is there going to be antivirus in Vista?
Allchin: No, there is not.
CRN: Why?
Allchin: It's a complicated answer as to why not.
CRN: Was the decision based on technical concerns?
Allchin: It wasn't technical.
CRN: Will Vista resolve security problems once and for all?
Allchin: I'm not going to claim perfection or near perfection, but I think we're unrivaled in the work we've done. I believe security will be a huge problem for the industry for years and years and years but this will change the landscape in a fairly dramatic way.
Once again, Microsoft is taking advantage of the fact that most of its customers have little technical knowledge. Mr. Allchin said that "security will be a huge problem for the industry for years and years and years".
Microsoft charges for OneCare Live. That's another way to make money. Make sloppy software, and then sell protection against the sloppiness.
Note the emphasis on "beta testing" in Mr. Allchin's statements in the CRN interview. Someone said that Microsoft's motto is "The whole world is our beta tester."
--
Before, Saddam got Iraq oil profits and paid part to kill Iraqis. Now a few Americans get Iraq oil profits, and American citizens pay to kill Iraqis. Improvement?