Microsoft Says Recovery From Malware Becoming Impossible

Posted by Zonk
from the angry-little-viruses dept.
An anonymous reader wrote to mention an eWeek Story about Microsoft's assertion that PCs may no longer be able to recover from the most aggressive Malware. From the article: "[Danseglio] cited a recent instance where an unnamed branch of the U.S. government struggled with malware infestations on more than 2,000 client machines. 'In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast,'."
  • It's time.... (Score:5, Interesting)

    by BWJones (18351) * on Tuesday April 04, 2006 @11:51AM (#15058536) Homepage Journal
    'In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast,'."

    Ummmmm, how about switching [apple.com]? :-)

    Seriously though, NeXTstep certainly has a long history in certain TLA government agencies and OS X is beginning to make significant inroads there as well. In addition, the timing [wsj.com] is right for many businesses as the infrastructure costs of maintaining Windows are simply becoming too high.

    And calling these recent instances is a joke. I was having to perform complete system wipes and reconstructions due to malware years ago, which is why we have essentially completed a migration to OS X. We do have some Windows systems still around, but they are hidden behind OS X machines and are run headless and without connection to the Internet. In fact, it's been interesting that those companies that deliver microscopes (electron, confocal and light) and such that are currently driven by Windows are asking their customers to simply not plug them into networks or the Internet, severely limiting their use. They of course have been suggesting sneakernet to move files and data around, but my solution is to network them all with a dedicated backbone behind a Mac mini that is now shipping with Gigabit Ethernet on board.

    • Re:It's time.... (Score:5, Insightful)

      by trolleymusic (938183) on Tuesday April 04, 2006 @11:56AM (#15058582) Homepage
      I'm a Mac user, and although I love OS X with all of my bits, I do think that if the same % population used it as currently uses Windows, then there would be more serious problems with it.

      I'm sure it's much harder to get malware running on OS X, but if it becomes the platform most of your potential audience are using then malware developers will just try harder to make nasties for Mac.

      So, in this respect, sometimes I'm glad for Windows + IE - simply because I don't have to use it :D
      • by Anonymous Coward
        I'm a Mac user, and although I love OS X with all of my bits, I do think that if the same % population used it as currently uses windows, then there would be more serious problems with it.

        A Mac-user with common sense! This day will go down in Slashdot's annals* as the day that Mac-users are no longer a priori considered completely gay. *wiping away tears of joy*

        * tee-hee, I said "annals"
        • A Mac-user with common sense!
          That's funny. The link for page 2 of TFA says this:
          Next Page: Human stupidity.
        • "A Mac-user with common sense!"

          It's not common sense. It's wrong.

          Microsoft is in a unique position. Because it has a virtual monopoly, Microsoft makes more money when its software has a lot of security vulnerabilities. For those who are ruled by money, morality has no force; "Maximizing Shareholder Value" is the way they live their lives.

          Microsoft makes more money if it pressures its programmers to work too fast, so that they are sloppy, and then releases buggy software. Many people are fascinated by computers, and easily accept the world that Microsoft has created for them.

          Here's a story about a Microsoft VP saying, "Oh, the next Windows operating system will be secure": "Safety and security is the overriding feature that most people will want to have Windows Vista for" [com.com].

          So, Microsoft is once again [microsoft.com] telling us "The next version of Windows will be the good one." Before, Microsoft said Windows XP was "Built to be Dependable".

          However, Vista will NOT include virus protection [arstechnica.com]. Jim Allchin, co-president of Microsoft's platform products and services division, told CRN, an industry magazine [crn.com], this:

          CRN: In terms of security, how do you compare security in Vista vs. security in Windows XP SP2?

          Allchin: SP2 was a very good system but compared to Vista, it's night and day.

          CRN: Is there going to be antivirus in Vista?

          Allchin: No, there is not.

          CRN: Why?

          Allchin: It's a complicated answer as to why not.

          CRN: Was the decision based on technical concerns?

          Allchin: It wasn't technical.

          CRN: Will Vista resolve security problems once and for all?

          Allchin: I'm not going to claim perfection or near perfection, but I think we're unrivaled in the work we've done. I believe security will be a huge problem for the industry for years and years and years but this will change the landscape in a fairly dramatic way.

          Once again, Microsoft is taking advantage of the fact that most of its customers have little technical knowledge. Mr. Allchin said that "security will be a huge problem for the industry for years and years and years".

          Microsoft charges for OneCare Live [windowsonecare.com]. That's another way to make money. Make sloppy software, and then sell protection against the sloppiness.

          Note the emphasis on "beta testing" in Mr. Allchin's statements in the CRN interview. Someone said that Microsoft's motto is "The whole world is our beta tester."

          --
          Before, Saddam got Iraq oil profits and paid part to kill Iraqis. Now a few Americans get Iraq oil profits, and American citizens pay to kill Iraqis. Improvement?
          • I believe security will be a huge problem for the industry for years and years and years

            I think that's a pretty reasonable statement. Computer systems are very complex and subject to economic and human considerations. Mistakes will happen and compromises will be made in the interest of time and cost.

            Lots of smart, clever and motivated people will be looking for mistakes and oversights in this system. They'll find ways to exploit it.

            A lot of things, including a very secure operating system, are possible an
          • Yep. It's a backhanded sales tactic for Vista.

            Microsoft's monopoly makes it pretty much the only company that can actually plan on getting away with selling a new product by saying:

            Our current product is so slime-infested that, if you don't buy our new product (next year, or so), you'll never be able to get any useful work done!

            Of course, you can also switch over to Linux today, which has enough of a separation between user and admin that rootkits are nontrivial to install, but we won't talk about th

            • Microsoft and Brazilian bikinis are about the only two products where you can get away with charging people hundreds of dollars for almost nothing -- Of course, I know which one I'd rather see my girlfriend use...

              Microsoft, I know. Furries get me going too.

          • Mod me into oblivion, please.

            But it's really sad to see the Slashdot community go from a can-do, toaster-modding bunch of creative tech junkies into Apple teat-sucking, iPod-praising pussies, sucking up Apple's marketing crap and pretending it's just the natural, uncommercialized evolution from Linux to a solid GUI. And everyone using Windows and a non-Apple iPod is missing something.

            Please, please pull that giant Apple marketing dildo out of your collective asses.

            Windows is not broken, OSX is not infall
      • Re:It's time.... (Score:4, Insightful)

        by networkBoy (774728) on Tuesday April 04, 2006 @12:10PM (#15058739) Homepage Journal
        Really, they had no way to wipe and restore on an automated process? Have they never heard of Ghost-EE? Multicasting?
        I use ghost on my PC, thus when I plan on installing new software I do so, play with it, am sure I like it, then:
        Restore latest clean system build image to machine,
        Install target application, ensure functionality,
        Create new latest clean system build image.
        I store all my non-temporary data on a server PC anyway, so this is an ideal solution. One that should work in any enterprise environment as well (assuming that there are only 3-4 different builds).
        -nB
      • Re:It's time.... (Score:4, Interesting)

        by kimvette (919543) on Tuesday April 04, 2006 @12:31PM (#15058953) Homepage Journal
        Aside from idiots who chmod -R 777 /, OS X would remain relatively easy to recover from malware were it to become widespread. You might have to delete $HOME in some cases but, being basically a Unix variant, the system itself should be relatively immune from a system-wide infection.

        This presumes of course you don't log into OS X as admin or root on a regular basis, but only for *gasp* administrative tasks.

        I know of one company which continually gets rooted, but they INSIST on running as admin all the time, AND chmod -R 777 / -- why? Because they don't LIKE security. They dislike the inconvenience of not sharing out / and having to drop files only in certain folders. *knock knock* McFly, anyone home? They don't want their machines rooted, they're tired of seeing the mouse cursors move and applications being used if they happen to be there off-hours, and yet they refuse to take the most basic precautions and take advantage of OS X's security architecture - instead they work to defeat it, intentionally so, and then blame IT folks because they can't solve the problem. They've gotten to the point where no Mac-savvy people will do work for them, and if I know them well, it'd take a reformat/reinstall of EVERY box at this point to get their network cleaned up again.
      • Re:It's time.... (Score:3, Insightful)

        i'm a mac user too and i couldn't disagree more with you, even if i tried.

        i'm also a long time linux user (almost 10 years) and certified solaris administrator, and i can tell you exactly _why_ a Unix or Unix look-alike such as GNU/Linux is easier than windows to clean and restore to a clean, working state: *NIXes are open.

        open in the sense that you know exactly where things are, what they do, when they do and how. thanks in part to the long tradition of storing configurations on well documented clear te
      • I think I saw this same post and response for the last 137 windows virus related stories. Does this mean there's a glitch in the matrix?
    • Re:It's time.... (Score:5, Informative)

      by superid (46543) on Tuesday April 04, 2006 @11:59AM (#15058627) Homepage
      Speaking unofficially from an "unnamed branch of the U.S. Government", we can't switch [navy.mil] as much as we'd like to. We are locked into Windows XP and we can only use the applications on the "gold disk". At least it's cheap, it only costs us $4,200 per year per low end laptop.

      • Re:It's time.... (Score:3, Interesting)

        by truthsearch (249536)
        Can't because someone at the top says you can't, or can't because your apps are too dependent on XP? I guess I'm asking if it's a technical issue or a bureaucratic issue.
      • Re:It's time.... (Score:3, Informative)

        by bk_veggie (807894)
        Um, there is a STIG on securing MacOSX you know. As someone entrenched within that community, the Gold Disk and SRR are just tools, not the final requirement.
    • I think a switch would benefit them in the long term. The problem they are having is that when a massive amount of computers is infected with malware, there is no remote management solution that will clean all of the infected machines in a timely manner. Cleaning one box that is full of malware is hard, imagine 2000 networked machines. Thanks to things like apple remote desktop, and the management tools with OS X Server, managing an apple network is a dream, especially compared to the windows counterpart. S
    • With regard to scientific equipment: my experience (in a biotech firm) has been quite similar. Vendors did not want you to patch the OS, install ANY software (AV or otherwise), and advised against placing the devices on a network. However, biotech firms generally have a protocol that requires backing up all the data [waters.com] that comes off the machine.

      However, lately, we see more and more vendors moving to Linux for instrumentation control. As a company, we now request non-Windows based control and data acquisition

      • Re:It's time.... (Score:3, Insightful)

        by shotfeel (235240)
        "With regard to scientific equipment: my experience (in a biotech firm) has been quite similar."

        Mine too. Too often, once the software's written for a piece of equipment a company wants to sell, the software unit gets disbanded (what, you wanted support?). So then you're stuck with whatever OS was current at the time for the lifetime of the equipment. So we have setups costing tens to hundreds of thousands of dollars controlled by PCs running Win 95/98. It would be nice to have these connected to the network to
    • Re:It's time.... (Score:4, Insightful)

      by myxiplx (906307) on Tuesday April 04, 2006 @12:16PM (#15058797)
      Yeah, because it's so easy to replace the 20+ programs that form the core of our business, and data migration's so easy a baby could do it. Please, try responding to the point that's actually raised here instead of going on and on about migrating to alternative systems. Many companies are simply not in a position to migrate their entire network.

      Personally, I'd love to migrate us to Linux, but until I can replace CAD/CAM systems, accounting packages, design software, drawing packages, etc... that's simply not going to happen, and until it does happen I'm faced with the job of keeping our MS systems secure.

      We've found that preventing web based scripts from running has kept us virus free for nearly two years now, but even then we're expecting to be hit by something sooner or later. If you're running a Microsoft network, it's worth putting a few weeks aside to get RIS / Ghost working well. Right now we're looking to take things a step further by running all our clients off a set of blade servers running virtual machines. There are cost savings to be had with the ease of maintenance and disaster recovery suddenly becomes a whole lot simpler.
      • Re:It's time.... (Score:3, Interesting)

        by Technician (215283)
        Personally, I'd love to migrate us to Linux, but until I can replace CAD/CAM systems, accounting packages, design software, drawing packages, etc... that's simply not going to happen, and until it does happen I'm faced with the job of keeping our MS systems secure.


        I solved that problem. I have job-specific machines. The days of a general purpose computer used for everything under the sun are over. Sure, I have a machine for TurboTax and other Windows-specific applications.

        My web browsing machine is a Ubu
    • ... especially if you're using XP.

      There's a relatively inexpensive product for which you can purchase a license called 'WinINSTALL'. Not a lot of people seem to know about it for some reason, but the currently available version of the product makes it relatively painless to completely rebuild a PC's OS, complete with applications and various profile settings (shortcuts, your favorite background images, and so on).

      It doesn't have the pain associated with image solutions; you don't have to worry about re-ima
    • Re:It's time.... (Score:5, Informative)

      by nial-in-a-box (588883) on Tuesday April 04, 2006 @02:31PM (#15060225) Homepage
      Rootkits.

      Not removable. I don't care if you can remove them, what I do care about is time. If you have to fix a bunch of people every day, clawing around at the core system trying to find a hidden rootkit and remove all traces of it while not breaking anything worse than it already is will most likely take you far more time than backing up some data and doing a full reinstall.

      Basically, if you're using Internet Explorer and have not got a rootkit yet, you are either using good browsing practices or you do have one and won't admit it. I support 10,000+ students at a university, and we're doing at least one reinstall a day due to rootkit infection. These are mainly young women who are just using the internet like all their peers do; i.e., not looking at porn or searching for warez or cracks.

  • by ccady (569355) on Tuesday April 04, 2006 @11:52AM (#15058543) Journal
    Unrecoverable? What's wrong with FDISK?
  • Sony (Score:5, Insightful)

    by From A Far Away Land (930780) on Tuesday April 04, 2006 @11:54AM (#15058557) Homepage Journal
    Companies like Sony pushing rootkits onto unsuspecting customers is part of the trend toward stealth and aggressive rooting of machines. Once a serious worm that can spread quickly and hide deeply gets around, people will realize how serious an issue rootkits are.
  • by jacksonai (604950) <taladon@gmail.com> on Tuesday April 04, 2006 @11:54AM (#15058560)
    Ok, so why was there no disaster recovery plan in the first place? Surely the thought of an uber virus wrecking Windows had to have been brought up at some kind of meeting? Those who fail to plan, plan to fail. Plain & simple.

    --Taladon
  • Bet those were Windows machines that couldn't recover from the malware. Good thing MS spotted that problem. Now if only someone could fix it....
  • Ho Hum (Score:2, Funny)

    by Draegonis (953885) *
    The govt's "war" on "cyberspace" is sure going well!
  • This is news? (Score:5, Insightful)

    by pcgamez (40751) on Tuesday April 04, 2006 @11:55AM (#15058578)
    I think any of us that work on computer systems long ago figured out that rebuilding a system is far easier than trying to remove each piece of malware. Now, in cases where there is critical data on the machine, then it would be worth it to try. The fact is, by the time we hear about the issue, it isn't a matter of removing one or two pieces, it is usually closer to 20 or 30.
    • Um, isn't there a far easier low-tech solution?

      When I had a hopelessly-hosed machine (at least for my level of expertise), I decided it was time to spoil myself with a bigger hard drive. Installed it, loaded windows, then connected the old one as a slave. Copied all the data I needed (stuff from c:\games and c:\music) that wasn't infected and lived happily ever after.
    • The news part is that the problem that has been known to many readers here for ages is being publicly acknowledged by Microsoft.
  • This is news? When a machine is compromised by an attacker, you take an image (so that you can do a postmortem analysis) and wipe the disks. Then you reinstall the OS and applications and restore user data from backups.

    Is this implying that there are people who don't do a complete rebuild after a system is compromised?

  • Heh (Score:3, Funny)

    by Moby Cock (771358) on Tuesday April 04, 2006 @11:56AM (#15058580) Homepage
    Finally! A real reason to upgrade to Vista.
  • Translation (Score:5, Insightful)

    by metamatic (202216) on Tuesday April 04, 2006 @11:57AM (#15058592) Homepage Journal
    "Everyone needs to buy a copy of Windows Vista, which will solve the malware problem."
  • Kernel hooks? (Score:5, Interesting)

    by tedhiltonhead (654502) on Tuesday April 04, 2006 @11:57AM (#15058596)
    because they often use kernel hooks to avoid detection

    Um, how about making it possible to DISABLE ADDING KERNEL HOOKS? There should at least be a reliable way to get a list of all currently-running kernel hooks, if there's not already.
    • Re:Kernel hooks? (Score:3, Insightful)

      by DaHat (247651)
      Sounds nice in theory... but what about those applications that legitimately require kernel hooks? You know... things like hardware and software drivers?

      Which is worse? Allowing virtually anything to hook into the kernel (provided the running user has the rights) and potentially opening it up to rootkitting... or a user accidentally disabling all 3rd party kernel hooks which caused their anti-virus program's filter driver to stop working and not detect a more run of the mill virus causing them much pain and
    • Re:Kernel hooks? (Score:3, Informative)

      by hackstraw (262471) *

      I just did a cursory search and found this:

          http://www.sysinternals.com/Utilities/RootkitRevealer.html [sysinternals.com]

      The sysinternals guys seem to know Windows better than MS. Cool people to know if you are forced to use MS operating systems.

  • by Anonymous Brave Guy (457657) on Tuesday April 04, 2006 @11:57AM (#15058604)

    You could never recover a compromised system reliably anyway. Once someone's got through your security to a certain level, you can't trust anything - including security tools and diagnostic information - that runs at that level or above. For a typical desktop PC or office server, that basically means you can't trust anything left on the system.

    Any sort of virus removal or system clean-up after being cracked is just a calculated risk that the attack will have been completely removed, based on the fact that doing a complete rebuild of a system and restoring all the backed up data is expensive, and while not cleaning up 100% after an attack is potentially more expensive, the probability of this is low.

    And no, running Linux or MacOS X instead of Windows doesn't change this, despite the number of people flippantly suggesting these alternatives. I'd have told you this earlier and saved a dozen posts, but apparently it's been 4 minutes since I last successfully posted a comment, so I can't post another one yet... ;-)

    • by 99BottlesOfBeerInMyF (813746) on Tuesday April 04, 2006 @12:19PM (#15058836)

      You could never recover a compromised system reliably anyway. Once someone's got through your security to a certain level, you can't trust anything - including security tools and diagnostic information - that runs at that level or above. For a typical desktop PC or office server, that basically means you can't trust anything left on the system.

      Actually, this is not completely true. You just run your tools on another machine known to be uncompromised. Also, there are hardware-level recovery systems that will restore to a known, clean state.

      And no, running Linux or MacOS X instead of Windows doesn't change this, despite the number of people flippantly suggesting these alternatives.

      Running OS X is somewhat beneficial since it is less susceptible to malware due to architectural choices and lesser attention from malware authors. Just not being Windows can be a great help, practically speaking. Also, all OS X machines can be put into Firewire target mode, facilitating easy recovery of data from compromised systems with greatly reduced risk of infection.

      Running Linux can make an even bigger difference. Since Linux supports virtualization technologies, mandatory access schemes, and the like, you can not only reliably recover data, but be fairly confident that once an escalation vector is detected and patched, the data from that particular machine will not cause a new machine to be re-infected. This means you can say with reasonable certainty that there will be zero data loss as a result of wiping a machine, and the process can be automated.

      This is, of course, on top of the greatly increased security that can be obtained by using certain, secure Linux distributions. Arguing that SELinux or OS X won't make a difference, even though both contain functionality designed to do just that, is simply incorrect. (Note, before someone gets uppity, I am not equating the level of security provided by SELinux with OS X.)
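The recovery principle argued over in this exchange (check a compromised disk only from a machine you still trust, against the clean build image that a Ghost-style rebuild workflow like networkBoy's produces) as an added example; this is not code from either poster or from any tool named on the page. Everything in it is constructed: the directory names mimic a Windows layout, but the file contents are placeholder bytes and the "tampering" is staged in a temp directory.

```python
"""Offline integrity check of a suspect system tree against a known-good baseline.

Run this from a clean analysis host with the suspect disk mounted read-only.
Nothing on the suspect system itself is trusted: its kernel is not running, so a
rootkit on that disk cannot filter what this script sees.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream-hash one file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256.

    Built once from the clean build image and kept off the machine; rebuilt from
    the suspect disk at triage time so the two can be compared.
    """
    manifest: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # devices, sockets and symlinks are out of scope here
            manifest[path.relative_to(root).as_posix()] = _sha256(path)
    return manifest


def compare(baseline: dict[str, str], suspect: dict[str, str]) -> dict[str, list[str]]:
    """Classify suspect files as added, modified or missing relative to the baseline.

    'added' is the list to read first during rootkit triage: files the golden
    image never contained, such as an unknown driver under System32/drivers.
    """
    common = baseline.keys() & suspect.keys()
    return {
        "added": sorted(suspect.keys() - baseline.keys()),
        "modified": sorted(p for p in common if baseline[p] != suspect[p]),
        "missing": sorted(baseline.keys() - suspect.keys()),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: a tiny 'golden image' and a tampered 'suspect disk'.

    The file contents are placeholder bytes, not real Windows binaries.
    """
    with tempfile.TemporaryDirectory() as tmp:
        golden = Path(tmp) / "golden"
        suspect = Path(tmp) / "suspect"
        for root in (golden, suspect):
            drivers = root / "Windows" / "System32" / "drivers"
            drivers.mkdir(parents=True)
            (root / "Windows" / "System32" / "kernel32.dll").write_bytes(b"constructed: kernel32")
            (drivers / "disk.sys").write_bytes(b"constructed: disk driver")
        # Simulated tampering, applied to the suspect tree only.
        (suspect / "Windows" / "System32" / "drivers" / "disk.sys").write_bytes(
            b"constructed: disk driver, patched")
        (suspect / "Windows" / "System32" / "drivers" / "hidden.sys").write_bytes(
            b"constructed: driver the golden image never had")
        (suspect / "Windows" / "System32" / "kernel32.dll").unlink()
        return compare(build_manifest(golden), build_manifest(suspect))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:9s} {paths}")
```

In practice the baseline manifest is generated right after the clean image is captured and stored alongside it, so that every rebuild cycle also refreshes the reference the next triage is measured against.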

  • Thin Clients (Score:5, Insightful)

    by Citizen of Earth (569446) on Tuesday April 04, 2006 @11:57AM (#15058606)
    the U.S. government struggled with malware infestations on more than 2,000 client machines. 'In that case, it was so severe that trying to recover was meaningless.

    Whereas, if they had been using thin clients with no local storage, the only recovery action would have been on the server. And if they had been running non-Windows on the server, they wouldn't have had these infestations in the first place. A full-blown Windows PC on every desktop in an enterprise is just an expensive welfare program for MCSE types.
    • Re:Thin Clients (Score:5, Informative)

      by DrVomact (726065) on Tuesday April 04, 2006 @02:13PM (#15060043) Journal
      I couldn't agree more. I look around my workplace (the software development group of a large healthcare firm), and see thousands of PCs, each subtly different from the other, that have to be individually maintained by our not-too-bright IT staff. They run an OS that was never designed for collaborative use, has never had true "multi-user" capability, and barely manages to do something remotely like multitasking.

      I compare this to the environment I enjoyed in the early 90s: diskless Sun workstations connected to Unix servers (Convexen), and I long for the good old days. Heck, I had a PC at home--but it was for play; the real computers were at work, and I knew it. The OS had been designed from the ground up as a multi-user collaborative environment, with a simple, sensible and reasonably effective security scheme. Thanks to my .profile and my private cache of scripts and macros, I could personalize my X Windows and command line environment to my heart's content.

      Yes, there were some drawbacks. Sometimes, response was sluggish--who started that damn compile at three in the afternoon? And of course, if the server went down, everyone was SOL. I think the first concern could be addressed by the much faster processors of today (and some judicious load-balancing). Our networks have gotten much faster and more efficient, so I don't think response time would be much of a problem. As far as downtime, it has to be at least a wash--and when a large mob bearing torches and pitchforks descends on IT, they tend to get problems fixed with amazing alacrity.

      Balancing the two environments, today's seems to be the obvious loser. Why are companies throwing billions down the Wintel rathole each year when they could have efficient centralized servers running a real collaborative OS? How did this happen?

      I think I know part of the answer. The first signs of the Great Fall came when a few managers bought PCs so they could run MS Office applications--primarily spreadsheets at first, then--oh wonder of wonders--PowerPoint and Word. But now management found that they had been sundered from their underlings, who were working in a completely different environment from theirs. Incompatibility reared its head: You had to buy one set of apps for the PHBs, and another for the geeks. Worse, underlings could not read communications sent to them in Word format by their bosses, and they could not produce beautiful PowerPoint presentations on demand. They could--alas--only do their jobs. Management found this Wasteful and Inefficient, so they decreed that henceforth, everyone shall use computers just like theirs, running an operating system just as powerful and capable as theirs. And so now we live in compatibility Hell.

  • Fools... (Score:3, Interesting)

    by chazzf (188092) <cfulton&deepthought,org> on Tuesday April 04, 2006 @11:58AM (#15058607) Homepage Journal
    I see the first few comments suggesting a switch to Linux or Macintosh. At least where I work, in the educational sector, that's impossible. The time spent retraining faculty and staff alone would outweigh the security benefits, especially when you consider all the specialized software floating around that hasn't been ported (curse you, Department of Education).

    That being said, we haven't had much trouble with malware, and we're mainly an XP Pro/2K shop. We don't allow our users to run as administrators--period. That includes techs. Those who need the ability to install stuff have a local account which is prohibited from actually logging into the computer and has no rights to the domain. Ever since we implemented that things have been pretty quiet. In the rare case when somebody's machine does go down we can take a ghost image for backup purposes (if they aren't storing stuff on the network), and then re-ghost with a clean image. Average turnaround time: two hours.
    • Re:Fools... (Score:4, Insightful)

      by xdroop (4039) on Tuesday April 04, 2006 @12:42PM (#15059065) Homepage Journal
      I see the first few comments suggesting a switch to Linux or Macintosh. At least where I work, in the educational sector, that's impossible. The time spent retraining faculty and staff alone would outweigh the security benefits, especially when you consider all the specialized software floating around that hasn't been ported (curse you, Department of Education).
      Nothing is impossible.

      It's a gamble. Building the new system represents a cost (in time and labor if nothing else). Retraining staff is a cost. Finding new apps, or secure work-arounds for existing apps, represents another cost. Dealing with the transition (helpdesk, troubleshooting, whining users, fixing incompletely transitioned apps) represents yet another cost.

      On the balance side is the cost of a security breach which (insert your company's worst nightmare here). Or the cost of denying all your users all your computers for a period of time while things are all rebuilt. Of course it isn't guaranteed that either doomsday scenario is going to happen; simultaneously, it isn't guaranteed that either doomsday scenario is going to be limited to a single incident.

      It's called risk management.

      Put another way: is it worth taking a known, calculable, solid kick in the nuts to mitigate the risk that you might be repeatedly shot in the arm, chest, or head?

      What is your business worth?

    • Re:Fools... (Score:5, Interesting)

      by Syberghost (10557) <syberghost AT syberghost DOT com> on Tuesday April 04, 2006 @12:43PM (#15059075) Homepage
      I see the first few comments suggesting a switch to Linux or Macintosh. At least where I work, in the educational sector, that's impossible.

      Wouldn't matter anyway. Best practices for recovering from UNIX intrusion have always been to wipe the disks, reinstall the OS, and recover the last known-good backup. Nothing has changed here but Microsoft's attitude; they're starting to grow up a little.

      (sniff). I remember when they were knee-high.
    • Re:Fools... (Score:3, Insightful)

      by Herkum01 (592704)

      At least where I work, in the educational sector, that's impossible. The time spent retraining faculty and staff alone would outweigh the security benefits

      Translation: I never have the time to do it right, but I always have the time to fix it!

    • Retraining? (Score:3, Insightful)

      by matt me (850665)
      When people discuss the costs of *retraining* to use Linux they're implying they've already trained their staff once before to use Windows. In many cases this isn't true - most users can't use Windows in the sense one can use Linux. Most Windows users never add hardware, uninstall software, change the registry, edit a config file, update a package, etc... basic system tasks, but just click blindly in front of them towards the light, or else they wouldn't shout "i've deleted the internet", or get infected with
    • Re:Fools... (Score:3, Informative)

      by smoker2 (750216)

      The time spent retraining faculty and staff alone would outweigh the security benefits, especially when you consider all the specialized software floating around that hasn't been ported (curse you, Department of Education).

      It always makes me laugh - retraining people to click things on a screen. It makes me laugh even harder when these people are supposed to be *educators* .

      What's wrong with giving people a set of printed manuals and a linux partition and informing them that they will be expected to be u

  • by gcauthon (714964) * on Tuesday April 04, 2006 @11:58AM (#15058614)
    Why is there never any retaliation against the companies that produce this software? If someone overseas comes up with a way to play a DVD on his own computer then he's pursued endlessly. If someone puts out a warning about how Adobe's encryption is not so secure then they're dragged over to the US for trial. But if someone writes malware that destroys thousands of computers, including government property, then absolutely nothing is done. It just seems a little odd to me.
    • by aussersterne (212916) on Tuesday April 04, 2006 @12:14PM (#15058777) Homepage
      Artifacts of modernity/capitalism. Institutions and corporations are more human than are their human constituents. Inter-institutional and inter-corporate grappling is seen in a darwinistic way -- nature dictates that they "survive" or "compete" on the open market and this is seen as ultimately most beneficial for society. Once the dogma begins to overflow its banks, however, any contradiction or interference in the macro-ecosystem of political economics by individual humans begins to be seen as parasitic, something "unnatural" to the process that interferes in the evolutionary process that governs institutions and corporations.

      Don't ever let yourself think that it isn't purely ideological because it is, it's the same philosophy that guides the IMF and Bush's conquest of the Middle East.

      One more result is the belief that malware from companies/organizations = marketplace should decide, and that's good, while malware from individuals = individual must be punished for causing (seen to be parasitic) difficulties for aforementioned companies/organizations.
    • >If someone puts out a warning about how Adobe's encryption is not so secure then they're dragged over to the US for trial.

      Are you referring to the Sklyarov case? If so, you're off. First, he cracked the encryption; he didn't just issue a warning. Second, he was not dragged to the US for trial. He went to the US of his own free will and was arrested in the US.

      I'm not saying whether Sklyarov's actions were justified or not, but your version of the events is not correct.

    • by jcr (53032) <jcr@NoSPAM.mac.com> on Tuesday April 04, 2006 @01:06PM (#15059348) Journal
      Why is there never any retaliation against the companies that produce this software?

      Probably because the license agreement guarantees NOTHING, in great big capital letters. They exclude all warranties, including the statutory implied warranty of fitness for a particular purpose.

      Software is sold on a "if it sucks, you lose" basis.

      -jcr
    • Why is there never any retaliation against the companies that produce this software?

      Years ago a friend was following another car down the interstate at a high rate of speed. A cop pulled up behind them and turned on his flashers. My buddy hit the brakes; the other guy hit the gas. The cop pulled my buddy over and wrote him a ticket. Buddy asked cop why he didn't go after the other guy, who was obviously avoiding arrest. Cop's reply: I was only going to be able to get one of you and you were the easiest.

      La

    • Why is there never any retaliation against the companies that produce this software?

      Or it could be in the cases you cited, what was done was done very publicly, so the person responsible was easy to find. Now if you know who is responsible for the malware in question, why don't you let the FBI know and see what happens?

      It's no odder than the fact that I got a speeding ticket when I sped past an unmarked police car, but they haven't found the person who broke several windshields in the neighborhood a while ba
  • They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast,

    "Quick, bob, run to the store and get Ghost..."
  • And this process was named... "LINUX" !
  • Wow. Really? (Score:4, Informative)

    by HaloZero (610207) <protodeka@gmai l . c om> on Tuesday April 04, 2006 @12:00PM (#15058634) Homepage
    The EDS solution (while EDS isn't the best organization, this solution is highly effective in malware-prone environments): GigE to the console, unified desktop system. You have three or four builds of different machines (laptop, high-performance desktop, 'information worker' desktop, kiosk) with an image pushed every night. Users' data is stored nonlocally, in mapped network drives. Expensive to implement? Sure. Cost savings in the long run? You betcha! Plus, the helpdesk ends up with LEGITIMATE user issues, not 'Wah, I don't want to read the onscreen directions, you do it!'.
  • In an effort to eliminate fraud, waste and abuse, the government has suffered from a wasteful lack of process that has abused the taxpayers. These dangers with malware exist precisely because most of the time the people making the decisions are not those at a low enough level to actually see and understand it. This is a very good example [reason.com] of how management assumed so much power over the practical implementation of policy that those who were trying to actually do the grunt work couldn't do anything, and were
  • by zappepcs (820751) on Tuesday April 04, 2006 @12:01PM (#15058642) Journal
    This is just one more attempt to soften up the consumer marketplace, tenderize it like a NY strip steak, so that Joe Average will be ready to buy a new PC, capable of running Vista, so they don't have to worry about malware anymore, thanks to those really nice folks at Microsoft. The longer that MS has to soften the marketplace with FUD and 'smoke and mirrors' about how they are going to eliminate malware etc. with Vista, the more likely that people will 'wait for' Vista to ship rather than switch before 2010, when Vista actually does ship SP2 so that it works. MS always makes more money by selling an OS license with new hardware than they ever did selling just the OS. We all know how that works.. so look forward to more of this MMSF in the coming months from the superheroes in Redmond....
    All the anti-Unix/Linux guys were saying that all the important stuff is in their home folder anyway, so it didn't matter if malware/viruses could only attack the home folder, because that's all that matters. Now we know why: it's nice to not have to worry about reinstalling the operating system because of malware, or formatting the entire hard drive. At the very worst, we'd have to back up important stuff, wipe out the home dir, and put the documents back in.
  • PC vs. Windows (Score:5, Interesting)

    by WindBourne (631190) on Tuesday April 04, 2006 @12:02PM (#15058656) Journal
    I wish that the industry would say this properly. A PC is a personal computer. That includes Apple and most Linux boxes. OTOH, the PCs that are having problems are Windows-based PCs. Basically, the press should be saying that it is impossible to remove malware from Windows.
  • let's all simultaneously cheer:

    "Microsoft"!!!

    Seriously now, the situation gets worse by the minute. Yesterday I ran Lavasoft's Ad-Aware, Spybot Search & Destroy, Symantec AntiVirus and Sysinternals' rootkit detector. I found several problems, and I run behind a firewall. The rootkit detector found many hidden APIs.

    For how long, Microsoft?
  • Is this really news? Seems to me it is a lot like saying, MS says the sky is blue.

    There is so much malware out there that bypasses antivirus and spyware checkers. Case in point: when I used to use Windows (I moved to Gentoo/Solaris 10 about 3 months ago) I was running ClamAV and Norton AV; additionally I had 2 spyware checkers, all these products updated every night.

    One morning I executed a crack program (I know but I was half asleep, oh and before people start complaining that I shouldn't use the crack, I
  • Obvious (Score:3, Interesting)

    by John the Kiwi (653757) <kiwiNO@SPAMjohnthekiwi.com> on Tuesday April 04, 2006 @12:06PM (#15058710) Homepage
    For some time it has been easier to wipe and reinstall rather than repair an infection; of course this is dependent on knowing where your data is to begin with - hint: this is why we have servers. A reinstall (automated of course) will take less than 2 hours and everything is guaranteed to be working properly afterward. Properly eradicating most spyware takes a lot longer than this and doesn't guarantee that you or the program/s you use have gotten everything. Why even take the risk of repairing a spyware infection?

    On Windows boxes I still see many spyware infections on computers where the users don't even have administrative access. This includes the adding and changing of system services that users don't (read as shouldn't) have access to change, as well as totally screwing over the Windows System Restore, which I might add helps malicious software coders more than the users actually trying to restore system files. All this from surfing a malicious site in IE.

    It really is impossible to trust an infected machine even after every effort has been made to remove the spyware. This is something every Microsoft admin I know has known for some time; this should be a non-story except that it's about a government branch that had 2000 spyware-infected client machines and no disaster recovery plan - heads should be rolling.

    • Re:Obvious (Score:3, Interesting)

      by dodongo (412749)
      You know, every damn time I sit down to fix a nice, rich malware infestation anymore, I think to myself "Should I just suggest we wipe the drive and move along?"...

      And the answer is really simple: Windows simply refuses to make it easy to partition a drive so that data is over THERE ---> and only the OS is on this partition. Yes, I know you can do it. But you try explaining to home users who are terrified of any sort of change on their computer that their documents are on the D: drive. And no, they d
  • by dtjohnson (102237) on Tuesday April 04, 2006 @12:09PM (#15058729)
    ...it sounds like rootkits are becoming a BIG problem at Microsoft:

    "When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference here."

    Now those sound like the words of someone who has 'been there and done that' more than a few times. If Microsoft is having those kinds of problems with the hardware, software, and expertise they have at their disposal, imagine the kinds of problem that 'Sam's Plumbing and Heating Co.' is having.
  • by mytec (686565) * on Tuesday April 04, 2006 @12:17PM (#15058808) Journal

    When a *nix box gets rooted, generally standard practice says that you rebuild the box. I'm unsure if this is the case with Windows rootings. That is just the way it is.

    Malware wants to be "sticky". I'm surprised it has taken this long to become truly difficult if not downright impossible to remove.

    What I wonder is if people will just tolerate the unremovable malware instead of the frustration and/or time of reinstalling the OS and applications and getting everything just right all over again. It's one thing for system administrators and geeks to reinstall. It's another thing entirely for the average user to have full/incremental backups or cloned drives or some set of procedures for reinstallation.

    This is definitely an interesting situation.

  • by swschrad (312009) on Tuesday April 04, 2006 @12:18PM (#15058821) Homepage Journal
    the guys who with XP-SP1 tried to isolate everybody who had a common serial number?

    MS has finally awakened and smells the coffee.

    but I have no cup for them any more.
  • Boot from CD (Score:3, Insightful)

    by Nom du Keyboard (633989) on Tuesday April 04, 2006 @12:18PM (#15058823)
    I'm coming to the point where I feel that the core Windows environment needs to be booted from CD, or some other read-only media that can't be altered. Yes, additional drivers and installed programs will need to boot from the hard drive; however, a Safe Boot option to run your virus scan from as part of the read-only boot could then be used to much more easily remove the malware.
  • by hoggoth (414195) on Tuesday April 04, 2006 @12:33PM (#15058971) Journal
    How does the ordinary user do this?

    I didn't have the foresight to make a Ghost image of my system from the factory. It's a DELL and the restore-to-factory-from-secret-hidden-partition doesn't work once I added a new partition to the drive (with Partition Magic).
    So now it looks like I have to:
    1. Make sure I have up to date backups of my data (always a good idea)
    2. Purchase another copy of Windows even though I already paid for one
    3. Dig through my records collecting all the keys to all my applications
    4. Spend an entire day reinstalling Windows and all my applications. Anyone who says it only takes an hour to reinstall Windows must have a secret version I don't have access to. I have to babysit the install through ten reboots and many hours.

    Is this the best way?!

    What about after that? I can Ghost the Windows partition, but I'd still have to reinstall any applications installed after the Ghost was made. And it's no use putting the applications in another partition because the applications depend on cruft in the registry.

  • by mgkimsal2 (200677) on Tuesday April 04, 2006 @12:52PM (#15059174) Homepage
    making relying on backups far less useful (pointless, perhaps?). I've talked with people before about having Windows viruses that don't sap resources (at first) or kill the machine, but which quietly change data in files. Modify a "3" to a "7" in a few Excel files. Change meeting times in Outlook by 10 minutes here or there. Eventually, get more malicious and start changing other bits of data in files (mainly MS Office files for maximum compatibility/reach).

    A good virus won't be found out for a while, and without knowing when it infected the system, you won't easily be able to tell how far back to go in the backups to pull 'clean' files.

    This would have a devastating effect on the trust people have in any part of the system. What good is 'rebuilding' the system if you can't trust the data backups either?
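The "which backup generation can I still trust?" question above is exactly what file-integrity baselining is for. The following is an added example, not code from the article or from any poster in this thread: each backup generation gets a manifest of path -> (mtime, size, sha256), the kind of record Tripwire- or AIDE-style tools keep, and a file whose content hash changed while its mtime and size stayed identical is flagged as a silent in-place edit (a "3" rewritten to a "7" keeps the size; a real save through Excel or Outlook bumps the timestamp). The backup trees, file names and timestamps below are constructed for the example.

```python
"""Backup-generation tamper triage.

Added example for this thread, not code from the article or any poster: given a
manifest per backup generation (path -> (mtime, size, sha256)), flag files whose
content changed while mtime and size did not, and report the newest generation
taken before the first such change. All backup trees are constructed inline.
"""
import hashlib
from typing import Dict, List, Tuple

# path -> (mtime, size_in_bytes, sha256 hex)
Manifest = Dict[str, Tuple[int, int, str]]


def build_manifest(tree: Dict[str, Tuple[int, bytes]]) -> Manifest:
    """Hash a backup tree given as path -> (mtime, file content)."""
    return {
        path: (mtime, len(data), hashlib.sha256(data).hexdigest())
        for path, (mtime, data) in tree.items()
    }


def suspicious_changes(prev: Manifest, cur: Manifest) -> List[str]:
    """Paths whose content changed between two generations while mtime and size did not.

    An editor saving a file bumps mtime; a byte silently rewritten in place keeps the
    size and, unless the malware also touches the timestamp, the mtime as well.
    """
    flagged = []
    for path, (mtime, size, digest) in cur.items():
        if path not in prev:
            continue  # newly created file: not in-place tampering of a backed-up file
        prev_mtime, prev_size, prev_digest = prev[path]
        if digest != prev_digest and mtime == prev_mtime and size == prev_size:
            flagged.append(path)
    return sorted(flagged)


def last_trusted_generation(manifests: List[Manifest]) -> int:
    """Index of the newest generation before the first silent in-place change.

    Returns the last index when no generation-to-generation delta looks tampered.
    """
    for i in range(1, len(manifests)):
        if suspicious_changes(manifests[i - 1], manifests[i]):
            return i - 1
    return len(manifests) - 1


# Constructed backup generations (oldest first). Generation 1 carries a legitimate
# edit to notes.txt (content and mtime both change); generation 2 carries the
# malware's silent edit to budget.xlsx (same size, same mtime, different content).
GEN0 = build_manifest({
    "budget.xlsx": (1_000, b"Q1 total: 3"),
    "notes.txt": (1_000, b"hello"),
})
GEN1 = build_manifest({
    "budget.xlsx": (1_000, b"Q1 total: 3"),
    "notes.txt": (2_000, b"hello world"),
})
GEN2 = build_manifest({
    "budget.xlsx": (1_000, b"Q1 total: 7"),
    "notes.txt": (2_000, b"hello world"),
})

if __name__ == "__main__":
    gens = [GEN0, GEN1, GEN2]
    for i in range(1, len(gens)):
        print(f"gen {i - 1} -> gen {i}: suspicious = {suspicious_changes(gens[i - 1], gens[i])}")
    print("last trusted generation:", last_trusted_generation(gens))
```

Two caveats a practitioner should keep in mind. The manifests only help if they are written somewhere the infected host cannot rewrite (on the backup server, or write-once media), otherwise the malware can fix the hashes along with the data. And a change that also bumps mtime is indistinguishable from a user edit at this layer; that is the poster's point, and the only way past it is application-side records of who changed what.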
  • by gregarican (694358) on Tuesday April 04, 2006 @03:25PM (#15060714) Homepage
    At my workplace sometimes folks bring in their home PCs for me to clean off on my lunch break. A quick job pays a 6-pack of Mickey's. A longer job pays a 6-pack of Guinness. From those cleanup jobs I can vouch that the typical home user with an always-on DSL/cable Internet connection is in a world of hurt. I try to show folks how to Ghost their hard drive onto a DVD-R so that they can restore their system to a usable state rather than search through the haystack for all of the malware needles.

    For example, the most recent cleanup I did entailed a laptop that had no antivirus software running on it. They did have a bundled AOL spyware app installed, but as far as I could tell it had never been run. I installed Avast! and Ad-aware from CD and ran full scans on the system. The result was over 300 virus and over 3,000 malware captures. Amazing that the computer could even launch an initial Windows Explorer session at all.

    If things continue their downward spiral (i.e. - Microsoft dominance, widespread Internet exploits, monetary incentive for malware deployment, and foreign governments turning a deaf ear on abuse reports) I would require that anyone with a Windows-based Internet-exposed PC have to earn an operator license. Much like someone would have to do to operate an automobile, motorcycle, ham radio, etc. This would include mandatory security training. And for God's sake, a brief explanation of imaging and recovering their hard drive in case they get hit with something later.

    Seriously though, this scenario isn't viable. But perhaps virtualization technology offers a safe haven. Folks could just reboot their virtual image if they get slammed with something and get back to square one. Until the malware authors get one step ahead of that at least there would be some breathing room...
