Microsoft Says Recovery From Malware Becoming Impossible
An anonymous reader wrote to mention an eWeek story about Microsoft's assertion that PCs may no longer be able to recover from the most aggressive malware. From the article: "[Danseglio] cited a recent instance where an unnamed branch of the U.S. government struggled with malware infestations on more than 2,000 client machines. 'In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast.'"
Re:Format C: (Score:3, Informative)
Re:It's time.... (Score:5, Informative)
Wow. Really? (Score:4, Informative)
Re:It's time.... (Score:3, Informative)
With regard to scientific equipment: my experience (in a biotech firm) has been quite similar. Vendors did not want you to patch the OS, install ANY software (AV or otherwise), and advised against placing the devices on a network. However, biotech generally has a protocol that requires backing up all the data [waters.com] that comes off the machine.
However, lately, we see more and more vendors moving to Linux for instrumentation control. As a company, we now request non-Windows based control and data acquisition systems (most are Linux, but we've got Mac, Solaris, and IRIX). In general, we've found these to be more robust with fewer software and data-acquisition glitches. All of our newer mass-specs have Linux-based instrumentation systems, as do our gel-imagers and such.
You are right, though, in that reimaging Windows systems is SOP most places. The company I work for now does a "refresh" on a biannual schedule whether you need it or not, and just about any time anything strange happens on your machine. Company policy dictates that useful information be stored on a shared drive and not locally -- that way, reimaging is a minor inconvenience.
Funny, we don't have a similar policy for non-Windows systems. Of course, about 45% of our desktops run Windows and 100% of our desktop support guys are MCSEs.
Re:So they just lick their wounds and move on? (Score:3, Informative)
Are you referring to the Sklyarov case? If so, you're off. First, he cracked the encryption; he didn't just issue a warning. Second, he was not dragged to the US for trial. He went to the US of his own free will and was arrested in the US.
I'm not saying whether Sklyarov's actions were justified or not, but your version of the events is not correct.
Re:But you never could... (Score:5, Informative)
You could never recover a compromised system reliably anyway. Once someone's got through your security to a certain level, you can't trust anything - including security tools and diagnostic information - that runs at that level or above. For a typical desktop PC or office server, that basically means you can't trust anything left on the system.
Actually, this is not completely true. You just run your tools on another machine known to be uncompromised. Also, there are hardware-level recovery systems that will restore to a known, clean state.
And no, running Linux or MacOS X instead of Windows doesn't change this, despite the number of people flippantly suggesting these alternatives.
Running OS X is somewhat beneficial since it is less susceptible to malware due to architectural choices and lesser attention from malware authors. Just not being Windows can be a great help, practically speaking. Also, all OS X machines can be put into Firewire target mode, facilitating easy recovery of data from compromised systems with greatly reduced risk of infection.
Running Linux can make an even bigger difference. Since Linux supports virtualization technologies, mandatory access schemes, and the like, you can not only reliably recover data, but be fairly confident that once an escalation vector is detected and patched, the data from that particular machine will not cause a new machine to be re-infected. This means you can say with reasonable certainty that there will be zero data loss as a result of wiping a machine, and the process can be automated.
This is, of course, on top of the greatly increased security that can be obtained by using certain, secure Linux distributions. Arguing that SELinux or OS X won't make a difference, even though both contain functionality designed to do just that, is simply incorrect. (Note, before someone gets uppity, I am not equating the level of security provided by SELinux with OS X.)
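One way to put the "run your tools on another machine known to be uncompromised" point into practice, as an added example that is not part of the original comments: build a hash manifest of a known-clean reference image, then compare a suspect disk (mounted read-only on the clean host, e.g. via FireWire target mode as mentioned above) against it. The file names and contents below are constructed sample data, and the manifest format is an assumption for illustration, not any vendor's tool.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (relative POSIX path) under root to its SHA-256.

    Run this on the clean host against a trusted reference image; the
    resulting manifest is what you later trust, not anything on the suspect disk.
    Symlinks are skipped so a planted link cannot redirect the scan.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare_to_manifest(manifest: dict, target: Path) -> dict:
    """Diff a suspect tree against the trusted manifest.

    Returns sorted lists of modified (hash differs), missing (in manifest only)
    and added (on disk only) paths. The scan itself runs on the clean host, so
    a rootkit on the suspect disk cannot hide files from it.
    """
    current = build_manifest(target)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: a clean reference tree and a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"      # trusted reference image (constructed)
        suspect = Path(tmp) / "suspect"  # disk pulled from the compromised box (constructed)
        for root in (clean, suspect):
            (root / "bin").mkdir(parents=True)
            (root / "bin" / "ls").write_bytes(b"original ls binary")
            (root / "etc").mkdir()
            (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")

        manifest = build_manifest(clean)

        # Simulate tampering on the suspect disk only.
        (suspect / "bin" / "ls").write_bytes(b"replaced ls binary")
        (suspect / "bin" / "extra.ko").write_bytes(b"unexpected kernel module")
        (suspect / "etc" / "hosts").unlink()

        return compare_to_manifest(manifest, suspect)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The important design choice is that both the manifest and the comparison live on the clean host; hashing the suspect disk from the suspect OS would defeat the purpose, since a kernel-level rootkit can lie to any tool that runs above it.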
A solution (Score:2, Informative)
We used a Windows domain and DFS to ensure the users did not lose their data when rebuilding a machine. We then sent an OS image to the system remotely and remotely installed all the software on the system. We would regularly update our image to include all security patches. This was also complemented by a Windows Update Server to push security patches to deployed systems. This was complemented by antivirus and safer policies enforced on the systems. The system also scaled well to several thousand computers.
This may seem like a lot of work, but there are several turnkey solutions to do this (e.g. we used Altiris). In addition, the work we did upfront saved us an immense amount of time later on. We were able to reinstall the software on hundreds of computers in 30 minutes. Every now and then we would get a straggler, but dealing with 2 or 3 stragglers is much easier than trying to fix or reinstall all the computers by hand. It also allowed us to recover from major virus-related disasters. It wouldn't be difficult to fix 2000 computers and have time to enjoy lunch. (If you are wondering where the bandwidth comes from, we multicast.)
Re:Kernel hooks? (Score:3, Informative)
I just did a cursory search and found this:
http://www.sysinternals.com/Utilities/RootkitReve
The sysinternals guys seem to know Windows better than MS. Cool people to know if you are forced to use MS operating systems.
Re:It's time.... (Score:3, Informative)
Rebuilding PCs isn't that bad... (Score:3, Informative)
There's a relatively inexpensive product for which you can purchase a license called 'WinINSTALL'. Not a lot of people seem to know about it for some reason, but the currently available version of the product makes it relatively painless to completely rebuild a PC's OS, complete with applications and various profile settings (shortcuts, your favorite background images, and so on).
It doesn't have the pain associated with image solutions; you don't have to worry about re-imaging your machines every time you change the software that you want installed on the boxes (although you do have to deal with setting up the software packages, which can be a little bit of a pain, depending on what you're installing, and how friendly your vendors have been towards corporate environments). You can even reset the employee's PC from your own PC, without having to visit their box. It just needs to be turned on.
It doesn't require you to have some incredible mondo-server to make it run; you can use pretty much any Windows 2000 or better machine. Certainly, any of the machines being cranked out today can handle WinINSTALL. Hell, I've seen it work on circa-1999 machines without issue (I think that's about 500MHz Pentiums with 64 megs of RAM). It's slow on such machines, but it seemed to work.
It's also likely to be around for a while; the product was first introduced to the Windows market back when Windows 3.11 was popular, maybe even before then. It used to win a lot of awards, but I think it just fell off everyone's radar over the years.
You can find more information about it here:
http://www.ondemandsoftware.com/ [ondemandsoftware.com]
This is a product designed to deal with problems like this.
Re:Fools... (Score:3, Informative)
What's wrong with giving people a set of printed manuals and a Linux partition and informing them that they will be expected to be up to speed on the new system in $x months? No one's asking them to contribute to kernel development!
On the other hand, it was a major problem to work out how to use that brand new piece of software called iTunes, wasn't it!</sarcasm>
Where I come from (the past obviously), a tradesman is responsible for his own tools/knowledge. These days it seems to be that no-one has either the time, or the inclination to improve their own skill set.
Excuses, excuses ...
Re:Thin Clients (Score:5, Informative)
I compare this to the environment I enjoyed in the early 90s: diskless Sun workstations connected to Unix servers (Convexen), and I long for the good old days. Heck, I had a PC at home--but it was for play; the real computers were at work, and I knew it. The OS had been designed from the ground up as a multi-user collaborative environment, with a simple, sensible and reasonably effective security scheme. Thanks to my .profile and my private cache of scripts and macros, I could personalize my X Windows and command line environment to my heart's content.
Yes, there were some drawbacks. Sometimes, response was sluggish--who started that damn compile at three in the afternoon? And of course, if the server went down, everyone was SOL. I think the first concern could be addressed by the much faster processors of today (and some judicious load-balancing). Our networks have gotten much faster and more efficient, so I don't think response time would be much of a problem. As far as downtime, it has to be at least a wash--and when a large mob bearing torches and pitchforks descends on IT, they tend to get problems fixed with amazing alacrity.
Balancing the two environments, today's seems to be the obvious loser. Why are companies throwing billions down the Wintel rathole each year when they could have efficient centralized servers running a real collaborative OS? How did this happen?
I think I know part of the answer. The first signs of the Great Fall came when a few managers bought PCs so they could run MS Office applications--primarily spreadsheets at first, then--oh wonder of wonders--PowerPoint and Word. But now management found that they had been sundered from their underlings, who were working in a completely different environment from theirs. Incompatibility reared its head: You had to buy one set of apps for the PHBs, and another for the geeks. Worse, underlings could not read communications sent to them in Word format by their bosses, and they could not produce beautiful PowerPoint presentations on demand. They could--alas--only do their jobs. Management found this Wasteful and Inefficient, so they decreed that henceforth, everyone shall use computers just like theirs, running an operating system just as powerful and capable as theirs. And so now we live in compatibility Hell.
Re:It's time.... (Score:5, Informative)
Not removable. I don't care if you can remove them, what I do care about is time. If you have to fix a bunch of people every day, clawing around at the core system trying to find a hidden rootkit and remove all traces of it while not breaking anything worse than it already is will most likely take you far more time than backing up some data and doing a full reinstall.
Basically, if you're using Internet Explorer and have not got a rootkit yet, you are either using good browsing practices or you do have one and won't admit it. I support 10,000+ students at a university, and we're doing at least one reinstall a day due to rootkit infection. These are mainly young women who are just using the internet like all their peers do; i.e., not looking at porn or searching for warez or cracks.
Re:It's time.... (Score:3, Informative)
There's a war on. Shouldn't someone in your procurement chain be facing a court martial?
Why? Just because we've invaded some pissant country doesn't really change things. We haven't actually been at war for 60 years.