Welcome to RCF - WHF

Nightrider · Sep 25, 2004

Microsoft Says Recovery from Malware Becoming Impossible

LAKE BUENA VISTA, Fla.—In a rare discussion about the severity of the Windows malware scourge, a Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from malware infestation.

"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference here.

Offensive rootkits, which are used hide malware programs and maintain an undetectable presence on an infected machine, have become the weapon of choice for virus and spyware writers and, because they often use kernel hooks to avoid detection, Danseglio said IT administrators may never know if all traces of a rootkit have been successfully removed.

He cited a recent instance where an unnamed branch of the U.S. government struggled with malware infestations on more than 2,000 client machines. "In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast," Danseglio added.

Danseglio, who delivered two separate presentations at the conference—one on threats and countermeasures to defend against malware infestations in Windows, and the other on the frightening world on Windows rootkits—said anti-virus software is getting better at detecting and removing the latest threats, but for some sophisticated forms of malware, he conceded that the cleanup process is "just way too hard."

Microsoft says stealth rootkits are bombarding Windows XP SP2 machines..

"We've seen the self-healing malware that actually detects that you're trying to get rid of it. You remove it, and the next time you look in that directory, it's sitting there. It can simply reinstall itself," he said.

"Detection is difficult, and remediation is often impossible," Danseglio declared. "If it doesn't crash your system or cause your system to freeze, how do you know it's there? The answer is you just don't know. Lots of times, you never see the infection occur in real time, and you don't see the malware lingering or running in the background."

More...

KeeKee · Mar 20, 2006

Hummmm I know if malware gets thru on my system I don't fight it just wipe and go. I thought I jsut wasn't smart enough to get the stuff out in less than 3 months.

bigR · Oct 14, 2004

rb2d2 · Sep 25, 2004

fishead · Feb 09, 2005

rb, what is WK2?

Thats why I like to nuc my pc everyone once in awhile, I had a feeling this was going on. Hp puts one in and this white icon shows itself every 2 minutes to take snapshots of my pc, and I don't like it.

Backup, backup, backup! I do this twice a month.

rb2d2 · Sep 25, 2004

Fishead, W2K is Windows 2000. I can load it and reload it all I want and don't have to answer to anyone. LOL

sunny