dranfu


  1. Have you tried reading all of the help files for Cain and Abel? Read at least the Wikipedia entry on rainbow tables? Do you understand what a hashed password is? If not, the first step is educating yourself on these things. There is no such thing as becoming a great programmer, or hacker, or anything without doing a lot of reading and educating. If you're really interested in knowing how to use a tool, the first thing you should do is read the help file. Not trying to be funny, but this is sage advice. Nothing happens overnight.
  2. Well, the other part of the argument is, if you simply reinstall every time you have a problem, you'll never learn what it is that's making you vulnerable in the first place. If you don't bother to learn about the malware infecting you, then how can you better protect your assets? If you keep reinstalling the same image, with the same vulnerabilities, you keep getting infected. A little time spent actually identifying vulnerabilities can pay off hugely in the future, even if you decide to do a fresh install afterwards, which sometimes you must. Therefore, you may not need to spend 3 hrs x so many reinstalls per month (3 hrs x 10 per month? = 30 hrs a month x 12 months? == 360 hrs? That's 9 days of work lost. In a large organization, it may be much more than that.) That's productive time lost. Why do that when you can simply clean and inspect the user's system while they are at lunch, and have no downtime?
As an example, an AT&T dial-up RAS server was recently infected with Conficker. Each time our users would connect, our enterprise AV would warn that it found Conficker. We had to alert AT&T to their infected system. This lasted for a few days until it finally stopped. Now how is it that this giant corporation would allow themselves to be infected (no patching, obviously), for three days, with Conficker, which was talked about damn near every day on every tech blog in the world? They obviously weren't bothering with trying to find out why they were vulnerable, not just specific vulnerabilities, but the environment that allowed it. A lot can be learned from analyzing an infection. Reinstalling is not the only solution, and it's not always the right one. But sometimes it is. Just my opinion, of course :)
  3. To each his own, of course. And I have pushed repeatedly for more imaging of users' computers, but no, we do not have every user's drive imaged. But you bring up an interesting contradiction. If you are simply ghosting all your computers, how do you know, without doing a thorough analysis of the data on the computer, that your images aren't infected? As I'm sure you know, you could have a logic bomb hidden on your computer that only starts truly infecting after some specified counter runs out. How do YOU know that your images aren't corrupt? Perhaps as you keep reinstalling the same images, you keep installing the same malware each time you load the image; then later you notice the virus pop up again, and then you reformat, and then you load another infected image. And now you are in an infinite loop of discovery, reformat, and reload/reinfect. My point being, there is a time to analyze the system deeply, and a time to simply reformat. But if you are relying solely on images, how can you be sure that the image is clean? Just because you were never aware of any viruses on the system at the time you Ghosted it? The argument can go both ways.
  4. I agree that it is impossible to determine, with 100% certainty, that a machine is no longer compromised once it has been compromised. But, using the same logic, how can I be 100% sure that my OS did not come pre-packaged with a rootkit, if the CD was produced outside the US or Europe? How can I be sure that my mechanic really fixed my car just because it drives better? How can I be sure my wife isn't cheating just because she says she loves me? Honestly, there are no absolutes in life. On a mission-critical server, or on any machine where absolute confidentiality was demanded, I might have to reformat, but for most everyday situations, it's overkill. And now to answer your question specifically. If a machine was, let's say, compromised by some variant of Virtumonde, then I would look for BHO objects, DLL injection, search with an ADS scanner, yada, yada, yada. Eventually, once I had searched through the Virtumonde DLLs and located all its resources, I would finish up by performing probably three or four full scans, all with live CDs while the HD is not running. I would perform some packet captures and watch traffic carefully, scan with a port scanner or maybe just run netstat -a -b to determine if any processes have any strange ports open. Make sure no DNS poisoning of any kind has taken place. Look in RunOnce entries, user32.dll injection, yada, yada. And after that, I'd call it a day. Why? Because the likelihood that I'm still infected is pretty low. Most malware is going to show at least some sign of infection; even if it's a spam bot that's trying to push as much spam every one second of every hour (trying not to be noticed), that is enough for me to get suspicious and start looking deeper. But who can realistically take the time to reformat every time they get infected with every little piece of malware? On mission-critical stuff, and on machines that demand absolute confidentiality, then yes, I would reformat.
I would also take my backed-up files and scan them with as many AVs as I could before putting them on the new machine. I might place all my backed-up files on a FAT32 file system first, just to make sure that no ADSs might still be lingering in some of those files, but I'm not going to do that every time some mid-level manager downloads Virtumonde from smilingpuppyscreensavers.com.
  5. Also, you should use an ADS scanner (Alternate Data Stream) to search for files hidden within files. Some malware takes advantage of ADSs to hide files. Streams, by Sysinternals, and LADS, by... some dude, I forgot his name, are decent tools. Streams allows you to delete ADSs without deleting the file, if that's what you need. Neither tool can find a locked stream, unfortunately, so a good programmer can still fool 99% of antivirus/scanning tools.
  6. No such thing as an undeletable browser hijack. In fact, there is no such thing as undeletable malware or an undeletable file of any kind. What you need to do is scan your computer with a live CD, while the hard disk is not running and the OS on your hard disk is inactive. Here are some good ones: Ultimate Boot CD (for Linux or Windows), Bitdefender Rescue CD. Also, learn how to use Autoruns and Process Explorer by Sysinternals. I clean malware and search for intrusions by malware all day at work, and most can be eliminated using Sysinternals tools and a good live CD. It's not the BHO object that's got the problem in this case, it's the user who needs to step his game up :) P.S. HijackThis, while a good tool when it first came out, is now obsolete. There I said it, and you all know it's true.
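Posts 4, 5 and 6 above describe the same manual sweep: look for alternate data streams, check which processes own listening ports (netstat -a -b), dump the Run/RunOnce keys, and resolve Browser Helper Objects to the DLLs behind them. The script below is an added example, not dranfu's code or a Sysinternals tool; it does the read-only version of that sweep in PowerShell 3+ on Windows 8/2012 or later (Get-NetTCPConnection is assumed to be available), and the default scan root, the function names and the "expected stream" rule are my own choices. Run it elevated; it changes nothing and only reports.

```powershell
# Added triage example (not from the original posts): a read-only sweep over the
# places the posts say to look. Run from an elevated PowerShell 3+ prompt.
# $ScanRoot is an assumed default; narrow it (e.g. to a Downloads folder) for speed.
param(
    [string]$ScanRoot = "$env:USERPROFILE"
)

function Get-SuspectAds {
    # NTFS alternate data streams on every file under $Root, excluding the default
    # ':$DATA' stream. Zone.Identifier is the normal "downloaded from the Internet"
    # mark, so it is listed but flagged as Expected; anything else deserves a look.
    param([string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object @{n='File';e={$_.FileName}}, Stream, Length,
                              @{n='Expected';e={$_.Stream -eq 'Zone.Identifier'}}
        }
}

function Get-ListeningProcesses {
    # The netstat -a -b view: each listening TCP socket tied to the owning process
    # and its image path, so an unfamiliar path on an odd port stands out.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalPort = $_.LocalPort
                Pid       = $_.OwningProcess
                Process   = if ($proc) { $proc.ProcessName } else { '<gone>' }
                Path      = if ($proc) { $proc.Path } else { $null }   # null for protected processes
            }
        } | Sort-Object LocalPort -Unique
}

function Get-AutostartEntries {
    # Run / RunOnce for the machine and the current user. Autoruns covers far more
    # locations; these are just the ones the posts name.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-BrowserHelperObjects {
    # A BHO is only a CLSID under Explorer; the DLL it loads is in the CLSID's
    # InprocServer32 default value. That file is what to inspect, so resolve it
    # and check its Authenticode status.
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($bk in $bhoKeys) {
        if (-not (Test-Path $bk)) { continue }
        foreach ($sub in Get-ChildItem -Path $bk) {
            $clsid  = $sub.PSChildName
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll    = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { $null }
            $full   = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            $sig    = if ($full -and (Test-Path -LiteralPath $full)) {
                          (Get-AuthenticodeSignature -FilePath $full).Status
                      } else { 'missing' }
            [pscustomobject]@{ CLSID = $clsid; Dll = $dll; Signature = $sig }
        }
    }
}

"== Alternate data streams under $ScanRoot"
Get-SuspectAds -Root $ScanRoot | Format-Table -AutoSize
'== Listening TCP ports and their owners'
Get-ListeningProcesses | Format-Table -AutoSize
'== Run / RunOnce entries'
Get-AutostartEntries | Format-Table -AutoSize
'== Browser Helper Objects'
Get-BrowserHelperObjects | Format-Table -AutoSize
```

This runs on the live OS, which is exactly the limitation post 5 points at: a stream the malware keeps locked, or a kernel-level hook that filters directory and registry enumeration, will not show up here. Treat the output as the quick first pass while the user is at lunch, and keep the live-CD scans from post 6 for the case where the listing looks clean but the traffic does not.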