Slashdot Mirror


Microsoft Says Recovery From Malware Becoming Impossible

An anonymous reader wrote to mention an eWeek story about Microsoft's assertion that PCs may no longer be able to recover from the most aggressive malware. From the article: "[Danseglio] cited a recent instance where an unnamed branch of the U.S. government struggled with malware infestations on more than 2,000 client machines. 'In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast.'"

22 of 631 comments

  1. It's time.... by BWJones · · Score: 5, Interesting

    'In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast.'

    Ummmmm, how about switching? :-)

    Seriously though, NeXTstep certainly has a long history in certain TLA government agencies and OS X is beginning to make significant inroads there as well. In addition, the timing is right for many businesses, as the infrastructure costs of maintaining Windows are simply becoming too high.

    And calling these recent instances is a joke. I was having to perform complete system wipes and reconstructions due to malware years ago, which is why we have essentially completed a migration to OS X. We do have some Windows systems still around, but they are hidden behind OS X machines and are run headless and without connection to the Internet. In fact, it's been interesting that those companies that deliver microscopes (electron, confocal and light) and such that are currently driven by Windows are asking their customers to simply not plug them into networks or the Internet, severely limiting their use. They of course have been suggesting sneakernet to move files and data around, but my solution is to network them all with a dedicated backbone behind a Mac mini that is now shipping with Gigabit Ethernet on board.

    --
    Visit Jonesblog and say hello.
    1. Re:It's time.... by trolleymusic · · Score: 5, Insightful

      I'm a Mac user, and although I love OS X with all of my bits, I do think that if the same percentage of the population used it as currently uses Windows, then there would be more serious problems with it.

      I'm sure it's much harder to get malware running on OS X, but if it becomes the platform most of your potential audience are using then malware developers will just try harder to make nasties for Mac.

      So, in this respect, sometimes I'm glad for Windows + IE - simply because I don't have to use it :D

      --
      "damnit, trolley I want in your signature." - Elburrito
    2. Re:It's time.... by superid · · Score: 4, Informative

      Speaking unofficially from an "unnamed branch of the U.S. Government", we can't switch as much as we'd like to. We are locked into Windows XP and we can only use the applications on the "gold disk". At least it's cheap, it only costs us $4,200 per year per low-end laptop.

    3. Re:It's time.... by myxiplx · · Score: 4, Insightful

      Yeah, because it's so easy to replace the 20+ programs that form the core of our business, and data migration's so easy a baby could do it. Please, try responding to the point that's actually raised here instead of going on and on about migrating to alternative systems. Many companies are simply not in a position to migrate their entire network.

      Personally, I'd love to migrate us to Linux, but until I can replace CAD/CAM systems, accounting packages, design software, drawing packages, etc... that's simply not going to happen, and until it does happen I'm faced with the job of keeping our MS systems secure.

      We've found that preventing web-based scripts from running has kept us virus-free for nearly two years now, but even then we're expecting to be hit by something sooner or later. If you're running a Microsoft network, it's worth putting a few weeks aside to get RIS / Ghost working well. Right now we're looking to take things a step further by running all our clients off a set of blade servers running virtual machines. There are cost savings to be had with the ease of maintenance, and disaster recovery suddenly becomes a whole lot simpler.

    4. Re:It's time.... by 0racle · · Score: 4, Insightful

      The usual rebuttal, Apache vs. IIS, doesn't apply to anything but Apache and IIS

      Well, if one of the best analogies is dismissed as not relevant because they aren't the same as OSes, wouldn't the idea that OS X would have the same problems as Windows also be dismissed because OS X is not the same as Windows? There is either a relation between poor security and popularity or there isn't.

      --
      "I use a Mac because I'm just better than you are."
    5. Re:It's time.... by nial-in-a-box · · Score: 4, Informative
      Rootkits.

      Not removable. I don't care if you can remove them, what I do care about is time. If you have to fix a bunch of people every day, clawing around at the core system trying to find a hidden rootkit and remove all traces of it while not breaking anything worse than it already is will most likely take you far more time than backing up some data and doing a full reinstall.

      Basically, if you're using Internet Explorer and have not got a rootkit yet, you are either using good browsing practices or you do have one and won't admit it. I support 10,000+ students at a university, and we're doing at least one reinstall a day due to rootkit infection. These are mainly young women who are just using the internet like all their peers do; i.e., not looking at porn or searching for warez or cracks.

      --
      I am feeling fat and sassy
  2. Unrecoverable? by ccady · · Score: 4, Funny

    Unrecoverable? What's wrong with FDISK?

    --
    I prefer rogues to imbeciles, because they sometimes take a rest. -- Alexandre Dumas
  3. Sony by From+A+Far+Away+Land · · Score: 5, Insightful

    Companies like Sony pushing rootkits onto unsuspecting customers is part of the trend toward stealth and aggressive rooting of machines. Once a serious worm that can spread quickly and hide deeply gets around, people will realize how serious an issue rootkits are.

  4. This is news? by pcgamez · · Score: 4, Insightful

    I think any of us that work on computer systems long ago figured out that the rebuilding of a system is far easier than trying to remove each piece of malware. Now, in cases where there is critical data on the machine, it would be worth it to try. The fact is, by the time we hear about the issue, it isn't a matter of removing one or two pieces, it is usually closer to 20 or 30.

  5. Translation by metamatic · · Score: 5, Insightful

    "Everyone needs to buy a copy of Windows Vista, which will solve the malware problem."

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  6. Kernel hooks? by tedhiltonhead · · Score: 4, Interesting

    because they often use kernel hooks to avoid detection

    Um, how about making it possible to DISABLE ADDING KERNEL HOOKS? There should at least be a reliable way to get a list of all currently-running kernel hooks, if there's not already.

  7. But you never could... by Anonymous+Brave+Guy · · Score: 4, Insightful

    You could never recover a compromised system reliably anyway. Once someone's got through your security to a certain level, you can't trust anything - including security tools and diagnostic information - that runs at that level or above. For a typical desktop PC or office server, that basically means you can't trust anything left on the system.

    Any sort of virus removal or system clean-up after being cracked is just a calculated risk that the attack will have been completely removed, based on the fact that doing a complete rebuild of a system and restoring all the backed up data is expensive, and while not cleaning up 100% after an attack is potentially more expensive, the probability of this is low.

    And no, running Linux or MacOS X instead of Windows doesn't change this, despite the number of people flippantly suggesting these alternatives. I'd have told you this earlier and saved a dozen posts, but apparently it's been 4 minutes since I last successfully posted a comment, so I can't post another one yet... ;-)

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:But you never could... by 99BottlesOfBeerInMyF · · Score: 4, Informative

      You could never recover a compromised system reliably anyway. Once someone's got through your security to a certain level, you can't trust anything - including security tools and diagnostic information - that runs at that level or above. For a typical desktop PC or office server, that basically means you can't trust anything left on the system.

      Actually, this is not completely true. You just run your tools on another machine known to be uncompromised. Also, there are hardware level recovery systems that will restore to a known, clean state.

      And no, running Linux or MacOS X instead of Windows doesn't change this, despite the number of people flippantly suggesting these alternatives.

      Running OS X is somewhat beneficial since it is less susceptible to malware due to architectural choices and lesser attention from malware authors. Just not being Windows can be a great help, practically speaking. Also, all OS X machines can be put into FireWire target mode, facilitating easy recovery of data from compromised systems with greatly reduced risk of infection.

      Running Linux can make an even bigger difference. Since Linux supports virtualization technologies, mandatory access schemes, and the like, you can not only reliably recover data, but be fairly confident that once an escalation vector is detected and patched, the data from that particular machine will not cause a new machine to be re-infected. This means you can say with reasonable certainty that there will be zero data loss as a result of wiping a machine, and the process can be automated.

      This is, of course, on top of the greatly increased security that can be obtained by using certain, secure Linux distributions. Arguing that SELinux or OS X won't make a difference, even though both contain functionality designed to do just that, is simply incorrect. (Note, before someone gets uppity, I am not equating the level of security provided by SELinux with OS X.)
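The two posts above turn on one practical rule: nothing that runs on the compromised machine can be trusted, so verification has to run from a separate, known-clean environment against a reference you built before the compromise. The script below is an added example, not code from either poster or from Slashdot. It models that workflow with a constructed directory tree standing in for a suspect disk mounted read-only from a trusted boot medium; the manifest, the file names and the "tampered" contents are all invented here, and in real use the manifest would come from a clean reference install or the vendor's package database, with the hashing tool itself taken from the trusted environment rather than the suspect system.

```python
"""Offline integrity check: compare a suspect filesystem (mounted read-only from a
trusted environment) against a manifest built from a known-clean reference.
Added example; all paths and file contents below are constructed."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256; the hashing code runs on the trusted host."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file (path relative to root, POSIX form) to its SHA-256.
    Symlinks are skipped so a planted link cannot redirect the check to a clean
    file elsewhere on the suspect disk."""
    manifest: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Report files whose hash changed, files that vanished, and files that
    appeared since the reference manifest was taken."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a clean reference tree, then a copy of it with one
    binary replaced, one unexpected file dropped in, and one file removed."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "reference"
        sample = {
            "bin/ls": b"ls v1",
            "bin/ps": b"ps v1",
            "etc/hosts": b"127.0.0.1 localhost\n",
        }
        for rel, data in sample.items():
            (clean / rel).parent.mkdir(parents=True, exist_ok=True)
            (clean / rel).write_bytes(data)
        manifest = build_manifest(clean)  # taken while the tree is known-clean

        suspect = Path(tmp) / "suspect"
        shutil.copytree(clean, suspect)
        (suspect / "bin/ps").write_bytes(b"ps v1 + trojan")  # tampered binary
        (suspect / "lib").mkdir()
        (suspect / "lib/hidden.ko").write_bytes(b"extra")    # unexpected addition
        (suspect / "etc/hosts").unlink()                      # removed file
        return verify(suspect, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The report is only as good as the manifest: a hash list generated on the suspect machine after the fact proves nothing, which is the point the parent post makes about tools running at or above the compromised level.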

  8. Thin Clients by Citizen+of+Earth · · Score: 5, Insightful

    the U.S. government struggled with malware infestations on more than 2,000 client machines. 'In that case, it was so severe that trying to recover was meaningless.

    Whereas, if they had been using thin clients with no local storage, the only recovery action would have been on the server. And if they had been running non-Windows on the server, they wouldn't have had these infestations in the first place. A full-blown Windows PC on every desktop in an enterprise is just an expensive welfare program for MCSE types.

    1. Re:Thin Clients by DrVomact · · Score: 5, Informative
      I couldn't agree more. I look around my workplace (the software development group of a large healthcare firm), and see thousands of PCs, each subtly different from the other, that have to be individually maintained by our not-too-bright IT staff. They run an OS that was never designed for collaborative use, has never had true "multi-user" capability, and barely manages to do something remotely like multitasking.

      I compare this to the environment I enjoyed in the early 90s: diskless Sun workstations connected to Unix servers (Convexen), and I long for the good old days. Heck, I had a PC at home--but it was for play; the real computers were at work, and I knew it. The OS had been designed from the ground up as a multi-user collaborative environment, with a simple, sensible and reasonably effective security scheme. Thanks to my .profile and my private cache of scripts and macros, I could personalize my X Windows and command line environment to my heart's content.

      Yes, there were some drawbacks. Sometimes, response was sluggish--who started that damn compile at three in the afternoon? And of course, if the server went down, everyone was SOL. I think the first concern could be addressed by the much faster processors of today (and some judicious load-balancing). Our networks have gotten much faster and more efficient, so I don't think response time would be much of a problem. As far as downtime, it has to be at least a wash--and when a large mob bearing torches and pitchforks descends on IT, they tend to get problems fixed with amazing alacrity.

      Balancing the two environments, today's seems to be the obvious loser. Why are companies throwing billions down the Wintel rathole each year when they could have efficient centralized servers running a real collaborative OS? How did this happen?

      I think I know part of the answer. The first signs of the Great Fall came when a few managers bought PCs so they could run MS Office applications--primarily spreadsheets at first, then--oh wonder of wonders--PowerPoint and Word. But now management found that they had been sundered from their underlings, who were working in a completely different environment from theirs. Incompatibility reared its head: You had to buy one set of apps for the PHBs, and another for the geeks. Worse, underlings could not read communications sent to them in Word format by their bosses, and they could not produce beautiful PowerPoint presentations on demand. They could--alas--only do their jobs. Management found this Wasteful and Inefficient, so they decreed that henceforth, everyone shall use computers just like theirs, running an operating system just as powerful and capable as theirs. And so now we live in compatibility Hell.

      --
      Great men are almost always bad men--Lord Acton's Corollary
  9. So they just lick their wounds and move on? by gcauthon · · Score: 5, Interesting

    Why is there never any retaliation against the companies that produce this software? If someone overseas comes up with a way to play a DVD on his own computer then he's pursued endlessly. If someone puts out a warning about how Adobe's encryption is not so secure then they're dragged over to the US for trial. But if someone writes malware that destroys thousands of computers, including government property, then absolutely nothing is done. It just seems a little odd to me.

  10. MMSF (more Microsoft FUD)(TM) by zappepcs · · Score: 4, Interesting

    This is just one more attempt to soften up the consumer marketplace, tenderize it like a NY strip steak, so that joe average will be ready to buy a new PC, capable of running Vista so they don't have to worry about malware anymore, thanks to those really nice folks at Microsoft. The longer that MS has to soften the marketplace with FUD and 'smoke and mirrors' about how they are going to eliminate malware etc. with Vista, the more likely that people will 'wait for' Vista to ship rather than switch to before 2010, when Vista actually does ship SP2 so that it works. MS always makes more money by selling an OS license with new hardware than they ever did selling just the OS. We all know how that works.. so look forward to more of this MMSF in the coming months from the superheroes in Redmond....

  11. PC vs. Windows by WindBourne · · Score: 4, Interesting

    I wish that the industry would say this properly. A PC is a personal computer. That includes Apple and most Linux boxes. OTH, the PCs that are having problems are Windows-based PCs. Basically, the press should be saying that it is impossible to remove malware from Windows.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  12. Re:Format C: = The Matrix by From+A+Far+Away+Land · · Score: 4, Interesting

    Formatting doesn't come close to eliminating real malware though. First of all, the boot sector isn't overwritten unless you specify /s.
    Additionally, the malware could have virtualized your PC and whatever changes you make are to the virtual computer you are running on while the virus has real run of your hardware and resources. Even if that doesn't exist yet, one day it will because it is possible using software that is even freely available today, with some tweaks that bad people would only be too eager to implement.
    Talk about the mother of all rootkits eh? Your computer would be like The Matrix, a virtual world where you think you are in charge but are really running a pawn cause you're pwn3d.
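The first point in the post above, that formatting a volume leaves the disk's first sector untouched, is easy to demonstrate on a disk image. The script below is an added example, not the poster's code and not tied to any particular format utility: it builds a constructed 512-byte MBR (boot code, one partition entry, the 0x55AA signature) in front of a tiny partition, records a baseline hash of the boot code, then shows that rewriting only the partition's sectors (what a volume format does) leaves that hash unchanged, while zeroing sector 0 does not. The boot code bytes, partition geometry and CHS fields (left zero here) are all constructed for the example.

```python
"""Why a volume format is not a disk wipe: parse a constructed MBR, hash its boot
code, and compare after a partition-only rewrite versus zeroing sector 0.
Added example; the disk image and boot code are constructed, not from a real disk."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446      # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
SIGNATURE_OFF = 510      # last two bytes: 0x55 0xAA boot signature

# Constructed stand-in for real boot code (JMP + NOP prologue, then filler).
CONSTRUCTED_BOOT_CODE = b"\xeb\x3c\x90" + b"EXAMPLE-BOOT-CODE" + b"\x90" * 40


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, a hash of the boot code, and non-empty partitions."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[SIGNATURE_OFF:] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def build_mbr(boot_code: bytes, lba_start: int, sectors: int, ptype: int = 0x83) -> bytes:
    """Assemble a sector with one bootable partition entry; CHS fields are zeroed."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = bytes([0x80, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", lba_start, sectors)
    table = entry + b"\x00" * 48          # remaining three entries empty
    return code + table + b"\x55\xaa"


def make_disk_image() -> bytearray:
    """Sector 0 = MBR, sectors 1-7 unused, sectors 8-23 = the partition."""
    image = bytearray(build_mbr(CONSTRUCTED_BOOT_CODE, lba_start=8, sectors=16))
    image += b"\x00" * (7 * SECTOR)
    image += b"\xab" * (16 * SECTOR)      # stand-in for the volume's contents
    return image


def format_partition(image: bytearray, part: dict) -> None:
    """Model a volume format: rewrite only the partition's own sectors."""
    start = part["lba_start"] * SECTOR
    end = start + part["sectors"] * SECTOR
    image[start:end] = b"\x00" * (end - start)


def zero_first_sector(image: bytearray) -> None:
    """Model an explicit overwrite of sector 0 (boot code, table and signature)."""
    image[:SECTOR] = b"\x00" * SECTOR


def demo() -> dict:
    image = make_disk_image()
    baseline = parse_mbr(bytes(image[:SECTOR]))
    format_partition(image, baseline["partitions"][0])
    after_format = parse_mbr(bytes(image[:SECTOR]))
    zero_first_sector(image)
    after_zero = parse_mbr(bytes(image[:SECTOR]))
    return {
        "boot_code_survives_format": after_format["boot_code_sha256"] == baseline["boot_code_sha256"],
        "boot_code_survives_zeroing": after_zero["boot_code_sha256"] == baseline["boot_code_sha256"],
        "signature_after_zeroing": after_zero["signature_ok"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Comparing the sector-0 boot-code hash against a baseline taken from a clean install is the same check a rebuild procedure can run before trusting a reimaged disk; on a real disk the sector is read from the block device, not from a file the formatted volume contains.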

  13. Re:Fools... by Syberghost · · Score: 4, Interesting

    I see the first few comments suggesting a switch to Linux or Macintosh. At least where I work, in the educational sector, that's impossible.

    Wouldn't matter anyway. Best practices for recovering from UNIX intrusion have always been to wipe the disks, reinstall the OS, and recover the last known-good backup. Nothing has changed here but Microsoft's attitude; they're starting to grow up a little.

    (sniff). I remember when they were knee-high.

  14. Re:What Do You Expect? by shotfeel · · Score: 4, Funny

    Please tell what such an "alternative operating system" is?

    Vista, of course. It has Trusted Computing, so I know I'll never have to worry about security again.

  15. It's not common sense. It's wrong. by Futurepower(R) · · Score: 5, Insightful

    "A Mac-user with common sense!"

    It's not common sense. It's wrong.

    Microsoft is in a unique position. Because it has a virtual monopoly, Microsoft makes more money when its software has a lot of security vulnerabilities. For those who are ruled by money, morality has no force; "Maximizing Shareholder Value" is the way they live their lives.

    Microsoft makes more money if it pressures its programmers to work too fast, so that they are sloppy, and then releases buggy software. Many people are fascinated by computers, and easily accept the world that Microsoft has created for them.

    Here's a story about a Microsoft VP saying, "Oh, the next Windows operating system will be secure": "Safety and security is the overriding feature that most people will want to have Windows Vista for".

    So, Microsoft is once again telling us "The next version of Windows will be the good one." Before, Microsoft said Windows XP was "Built to be Dependable".

    However, Vista will NOT include virus protection. Jim Allchin, co-president of Microsoft's platform products and services division, told CRN, an industry magazine, this:

    CRN: In terms of security, how do you compare security in Vista vs. security in Windows XP SP2?

    Allchin: SP2 was a very good system but compared to Vista, it's night and day.

    CRN: Is there going to be antivirus in Vista?

    Allchin: No, there is not.

    CRN: Why?

    Allchin: It's a complicated answer as to why not.

    CRN: Was the decision based on technical concerns?

    Allchin: It wasn't technical.

    CRN: Will Vista resolve security problems once and for all?

    Allchin: I'm not going to claim perfection or near perfection, but I think we're unrivaled in the work we've done. I believe security will be a huge problem for the industry for years and years and years but this will change the landscape in a fairly dramatic way.

    Once again, Microsoft is taking advantage of the fact that most of its customers have little technical knowledge. Mr. Allchin said that "security will be a huge problem for the industry for years and years and years".

    Microsoft charges for OneCare Live. That's another way to make money. Make sloppy software, and then sell protection against the sloppiness.

    Note the emphasis on "beta testing" in Mr. Allchin's statements in the CRN interview. Someone said that Microsoft's motto is "The whole world is our beta tester."

    --
    Before, Saddam got Iraq oil profits and paid part to kill Iraqis. Now a few Americans get Iraq oil profits, and American citizens pay to kill Iraqis. Improvement?