Page 1 of 2

MS Says Malware Recovery Becoming Impossible

Posted: 2006-04-04 02:39pm
by Einhander Sn0m4n
It's Base Delta Zero Time!
POE News wrote:In a rare discussion on the severity of the Windows malware scourge, a Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from malware infestation.

"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference here.
Time for me to get on the ball about learning Linux, then teaching it to my housemates...

Posted: 2006-04-04 02:42pm
by Dalton
You know things are getting scary when the suits are quoting from "Aliens".

Posted: 2006-04-04 02:44pm
by brianeyci
I'm a paranoid fuck. If I could have everything on a USB drive (all my documents) and have my entire drive wipe itself out every single night and reinstall everything from scratch from a recovery CD, I'd do it. But it's too much hassle and I don't even have a CD or DVD drive on my laptop (no it's not an old laptop, it's an ultra-slim one and I have to plug it into my brother's computer and open it up... long story don't ask).

Brian

Posted: 2006-04-04 03:28pm
by Ypoknons
Me = 100GB hard drive with Acronis disk image on 250GB hard drive. It's not really practical updating that every night so I backup my work folder on my iPod pretty much all the time. Makes for a useful mobile personal folder too.

Posted: 2006-04-04 03:29pm
by Admiral Valdemar
His advice is sound (I love that quote). But since I'm a Linux user now, this problem isn't something I care about anymore. I keep my XP partition clean for gaming, but all these viruses and malware apps are redundant when they can't run on my system. Even if they could, I'm not dumb enough to run as root with random code.

MS needs to get a good plan together, because doing clean reinstallations is time consuming.

Posted: 2006-04-04 03:35pm
by phongn
Admiral Valdemar wrote:His advice is sound (I love that quote). But since I'm a Linux user now, this problem isn't something I care about anymore. I keep my XP partition clean for gaming, but all these viruses and malware apps are redundant when they can't run on my system.
Be careful, Linux can easily become a target (hell, server-wise it is).
Even if they could, I'm not dumb enough to run as root with random code.
Alas, most people are. Some spyware programs don't require superuser access, anyways.
MS needs to get a good plan together, because doing clean reinstallations is time consuming.
Well, if you can reimage the system it isn't so bad (most companies have standardized images), just start dumping the data and do something else.

Posted: 2006-04-04 04:26pm
by Jalinth
Is Linux really that much more secure than Windows, or is it just a much less tempting target due to the overwhelming # of people using Windows?

Posted: 2006-04-04 04:36pm
by Zac Naloen
Jalinth wrote:Is Linux really that much more secure than Windows, or is it just a much less tempting target due to the overwhelming # of people using Windows?
It's no more secure; some would argue it's less so. It's just that attacking Linux is no fun.

Posted: 2006-04-04 04:36pm
by Ace Pace
Jalinth wrote:Is Linux really that much more secure than Windows, or is it just a much less tempting target due to the overwhelming # of people using Windows?
One of the best advantages is that in Linux it is apparently far easier to separate out modules you don't need and disable them, leaving fewer possible holes open.

Posted: 2006-04-04 06:47pm
by DaveJB
Also, any discerning Linux user will run a limited account, whereas 90% of Windows software forces you to use an administrator account if you want to actually do anything useful.

Posted: 2006-04-04 06:56pm
by Pu-239
phongn wrote:
Even if they could, I'm not dumb enough to run as root with random code.
Alas, most people are. Some spyware programs don't require superuser access, anyways.
One can do plenty of damage w/ malware on the user's data; system data is replaceable anyway.

Posted: 2006-04-04 08:46pm
by Solauren
The obvious solution would be for Microsoft to rebuild Windows from scratch, with the basic functionality that Windows 3.11 had, and then add on more from there, using a small team of programmers on a given section, and a given section is not allowed to talk with another (Media Player can't be used to access web sites, etc.).

It's the amount of freaking redundancy that causes the security holes.

Posted: 2006-04-04 08:57pm
by EmperorMing
You could always run a virtual installation of winbloze or other favorite OS and let that get infected. Then blow it away and restore the virtual machine from a backup. Of course, that entails certain other issues that the average user does not want to deal with...

Posted: 2006-04-04 09:09pm
by phongn
Solauren wrote:The obvious solution would be for Microsoft to rebuild Windows from scratch, with the basic functionality that Windows 3.11 had, and then add on more from there, using a small team of programmers on a given section, and a given section is not allowed to talk with another (Media Player can't be used to access web sites, etc.).
Surely you can't be serious.
It's the amount of freaking redundancy that causes the security holes.
Uh, no. It may be poor design or poor programming, but it ain't redundancy.

Posted: 2006-04-04 09:11pm
by Einhander Sn0m4n
phongn wrote:
Solauren wrote:It's the amount of freaking redundancy that causes the security holes.
Uh, no. It may be poor design or poor programming, but it ain't redundancy.
I think he means the integration and interconnectedness, allowing easy conduction of an attack from one vector to any other or the whole machine. That is the poor design right there.

Posted: 2006-04-04 09:20pm
by Vendetta
Jalinth wrote:Is Linux really that much more secure than Windows, or is it just a much less tempting target due to the overwhelming # of people using Windows?
Little from column A, little from column B.

Linux (and MacOS) have as many vulnerabilities to attack as Windows does, but due to the fact that they're not designed ass backwards, giving out root permissions to anyone who promises candy, it usually requires a little more determination and/or skill to actually exploit them.

If there is a determined switch in the malware community, you can expect some entertaining system collapses.

On the original topic, I agree with the guy from Microsoft. It's so easy for malware to embed itself so deep into Windows that nuking the install from orbit really is the only practical way of sorting the mess out.

Things would be immensely improved by not having a central system registry open to every Tom, Dick, and Harry as well. Program state information should be separate from system state information, and programs should not have write access to system information.

Posted: 2006-04-04 09:21pm
by phongn
Einhander Sn0m4n wrote:I think he means the integration and interconnectedness, allowing easy conduction of an attack from one vector to any other or the whole machine. That is the poor design right there.
In and of itself that is not necessarily bad - for example, KDE has a tightly-integrated and interconnected design yet is rather more secure than Windows.
Vendetta wrote:Linux (and MacOS) have as many vulnerabilities to attack as Windows does, but due to the fact that they're not designed ass backwards, giving out root permissions to anyone who promises candy, it usually requires a little more determination and/or skill to actually exploit them.
Fortunately, Vista will now create new accounts as user/limited-user by default. That is likely to break a lot of not-well-written software, however. Programs are still storing state information in their application directory and HKLM instead of %userprofile% and HKCU.
On the original topic, I agree with the guy from Microsoft. It's so easy for malware to embed itself so deep into Windows that nuking the install from orbit really is the only practical way of sorting the mess out.
IMHO, it'll still happen, except this time malware will come with explicit instructions to have the user type in the superuser password. If people want their Bonzai Buddy, they'll figure out a way :x
Things would be immensely improved by not having a central system registry open to every Tom, Dick, and Harry as well. Program state information should be separate from system state information, and programs should not have write access to system information.
It is separate. HKCU is not HKLM ... but a lot of programmers use HKCU anyways. Microsoft is beginning to enforce these separations, but is encountering much backwards-compatibility resistance even six years after W2K's release.
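The HKCU/HKLM split phongn describes only holds if HKLM stays read-only for limited users; the usual workaround for software that insists on writing machine-wide state is to loosen the ACL on its HKLM key, which hands every user (and any malware running as that user) write access to machine-wide settings. The following PowerShell is an added example, not code from anyone in this thread: it walks HKLM\SOFTWARE and reports keys whose ACL grants write rights to low-privilege principals, assuming only that it runs with permission to read those ACLs.

```powershell
# Added example (not from the thread): find HKLM\SOFTWARE subkeys that
# low-privilege principals are allowed to write to. Such keys usually mark
# software that keeps per-user state in HKLM instead of HKCU and had its
# ACL opened up so it would run from a limited account.
$writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::WriteKey

# Principals that should not normally hold write rights below HKLM\SOFTWARE.
$lowPrivilege = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Find-UserWritableHklmKeys {
    param(
        [string]$Root  = 'HKLM:\SOFTWARE',
        [int]   $Depth = 1   # how far below $Root to recurse
    )
    Get-ChildItem -Path $Root -Depth $Depth -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        # Some keys deny even ACL reads to non-SYSTEM callers; skip those.
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPrivilege -notcontains $ace.IdentityReference.Value) { continue }
            # Any of the write bits (FullControl included) makes the key writable.
            if (($ace.RegistryRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Key       = $key.Name
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited   # explicit (not inherited) ACEs are the suspicious ones
            }
        }
    }
}

Find-UserWritableHklmKeys | Format-Table -AutoSize
```

Explicit (non-inherited) hits are the ones worth reviewing; the fix is to move the application's state to HKCU or %userprofile% rather than to keep the loosened ACL.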

Posted: 2006-04-04 09:39pm
by Vendetta
phongn wrote: IMHO, it'll still happen, except this time malware will come with explicit instructions to have the user type in the superuser password. If people want their Bonzai Buddy, they'll figure out a way :x
True.

There is, however, a significant contingent of computer owners out there who will take one look at a list of instructions that requires them to do anything more complicated than dribble on the keyboard and give up (either completely or to come and whinge at tech support because they can't make the magic box work).

Posted: 2006-04-04 10:31pm
by bilateralrope
Jalinth wrote:Is Linux really that much more secure than Windows, or is it just a much less tempting target due to the overwhelming # of people using Windows?
Even if Linux gets to the same market share that Windows has, it will not be with one distro, but with many different distros. For the most part, a vulnerability in one distro will not be present in most of the other distros.

Posted: 2006-04-05 12:06am
by Darth Wong
This is going to sound ironic since Microsoft gets blasted for integrating too much material into the OS, but one of Linux's security strengths is that a typical distro already includes virtually all the software you'll ever use. As a result, when you go to your vendor's security update site and click "updates", you'll bring up every single app on your machine to the latest patch level.

On a Windows box, you have to spend hours installing shit in order to make it work well, and then you have to keep those apps separately updated. Hell, even something as tightly bundled as Office has a completely separate Updates site.

Posted: 2006-04-05 12:55am
by Xon
The whole "nuke the site from orbit" is the only thing you can do once any system has been rootkitted.

This has been standard practice for *Nix admins for decades now.

Posted: 2006-04-05 01:35am
by Edi
As was already pointed out, the biggest problem is the end user, but the shitty security design in Windows isn't helping any.

I'm working at a computer repair and maintenance shop for the fourth week now, and I've gotten to see a lot of spyware in action. No rootkits yet, but even some of the standard malware is fucking annoying to completely remove because you need four to six separate programs to do it, more if you're only using freeware and/or trial versions of stuff. So the nuke from orbit option is often the fastest way to do things. Especially if you're dealing with standard OEM packages you can reinstall from a recovery CD. The only problem that leaves is data recovery.

Personally, I keep all of my data on a separate partition from the OS, so even if I need to nuke the OS, I don't need to worry about much. All I'll have to do is back up my Thunderbird profile to save my emails (since that has been stuck on the C drive since the dark ages), press the big red button and reinstall. Putting all the apps, games and such back is always a pain, but at least I won't have lost anything permanently.

Edi

Posted: 2006-04-05 01:48am
by Einhander Sn0m4n
The only flaw in that plan, Edi, is the idiots who port over all their data before repartitioning an OEM install. Then there's the question as to whether reverting to OEM will also revert everything into one giant partition, destroying all data the user just went to such great lengths to try to save.

Posted: 2006-04-05 02:27am
by Darth Wong
I'm told Windows security will improve with the new iteration, but honestly, why did it have to take almost 13 years for Microsoft to finally talk about adding an "su"-like feature to their multi-user operating system? There are millions of WinNT, Win2k, and WinXP users out there who log in and surf the internet as Administrator because it's a huge pain in the ass to do it any other way. And it's not as if this couldn't have been anticipated; the people who designed the original NT codebase had extensive knowledge of UNIX and the basic design concept for a secure multi-user operating system.

Posted: 2006-04-05 02:40am
by Uraniun235
I'm not sure if it was introduced in Win2k or XP, but I know that in XP Pro you can right click an application and click "Run As...", bringing up a dialog box which allows you to run the program as whatever user you want it to (if you have the password, of course).