Comment Re:Serious Hackers don't leave viruses/rootkits. (Score 1) 100

With respect, shouldn't that be the first step?

The first step of moving on, yes. I would agree - but due to many factors it is not practical for many users.

We're like doctors in many respects - we can make all the recommendations we want, but the patient is going to do whatever they are going to do.

And referring to trustworthy backups - when the remote management software has been in place for x number of months, and it has been backed up, restoring the machine while doing virus scans profits you nothing if you are not looking for 'rogue' management tools.

Comment Re:Serious Hackers don't leave viruses/rootkits. (Score 1) 100

I'm not talking about hackers that run botnets - yes, they use rootkits. Never at any point have I stated that rootkits are obsolete or no longer used. What I am saying, and what I have said quite clearly, is that some criminals that want to obtain and maintain access to a corporate network are using remote network admin software. So, be on the lookout for it. That is all.

Comment Re:Serious Hackers don't leave viruses/rootkits. (Score 2) 100

Midnight_Falcon - did you not notice that I put the word (old) AFTER Dameware NT? It is less common now, but did the issue just go away? No, they have updated their software.

The point I wish to make, and have done, is that many hackers do not leave rootkits behind. They simply set themselves up as rogue network administrators within your network.

Comment Re:Serious Hackers don't leave viruses/rootkits. (Score 2) 100

I am quite familiar with "enumerating badness".
This is only done as part of a clean-up effort.
If management tools are running where they should not be, I want to know about it.
"Enumerating badness" is precisely what is required when you are hunting down an intrusion. It is not the best policy to take when defending one.

The overarching lesson I've learned in all these years is that a secure network is a well managed network. If you do not actively manage your network - there are plenty of criminals that would be happy to manage it for you.

Comment Serious Hackers don't leave viruses/rootkits. (Score 5, Interesting) 100

Like Kevin Mandia, I too clean up these messes professionally. Cleaning these things up starts with the data gathering and analysis, virus scans, offline analysis - and more that are not mentioned.

The MOST important thing that ANY admin should know is that the true professional hackers do not use rootkits. They will use exploits to gain their foothold, but rather than install a rootkit, they will install remote network admin utilities, such as Dameware NT utilities (old), or more recently I've seen LabTech Software.

From www.labtechsoftware.com:
"IT Systems Management Software providing a leading remote monitoring and management (RMM) solution for Managed Service Providers (MSP) and IT..."

This software is great for Managed Service Providers - it also is a dream come true for cyber-criminals as it provides a backdoor into networks using signed code that will not appear on any antivirus, anti-malware or anti-rootkit scan. It can sit dormant for years, get backed up, and restored. Even if you do run anti-virus scans on your backups prior to restoring them - as one commenter stated above - it would be of no use.

So, when I am gathering the data dump, what I do is look for ALL network management tools, and I have created scripts that search for these.
        *****
        Google this: C:\WINDOWS\LTSVC\LTSVC.exe HijackThis
        You will find examples of people who have run HijackThis on their computer and posted the log online - the common complaint is that they keep getting reinfected and cannot figure out how. They've run {insert virus tools here} a number of times and cannot figure it out. They usually resort to reinstalling the OS.
        *****
Anyhow - gathering up all the logs from every device on the network, linking how they went from machine-to-machine, enumerating lists of installed software on each machine, and also performing offline analysis of drives, searching for any file/directory modifications based upon time stamps. It is FAR more involved, but it is the only way to enumerate the intrusion.

Removal must be done all at once. Either cut the network access of all the devices, then remove, or write a custom removal script and schedule it as a task to have everything be done at precisely the same moment.

I then have custom IDS signatures that look for any unauthorized Remote Management & Monitoring software.
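The hunt the commenter describes (collect per-host service and software inventories, flag every remote management tool, remove everywhere at one scheduled moment) and the earlier exchange about "enumerating badness" versus managing the network, as an added example. This is not the commenter's own script; it is illustrative code written for this page. The LTSVC.exe path is taken from the post; the service names, the DameWare indicator, the "Acme" agent, the host names, the inventory data and the `remove_rmm.cmd` script are all constructed assumptions. It reports against an allow-list baseline (deny by default), so it catches agents a badness list has never heard of, not only the known ones.

```python
"""Hunt for rogue remote management (RMM) agents across host inventories.

Added example for this page, not the original poster's code. Inventory data,
host names and the removal script path are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Known RMM indicators. The LTSVC path is from the post; the service names and
# the DameWare entry are assumptions for the example.
KNOWN_RMM = {
    "LabTech": {"services": {"ltservice", "ltsvcmon"}, "path": r"\ltsvc\lt"},
    "DameWare": {"services": {"dwmrcs"}, "path": r"dwrcs.exe"},
}

# Generic heuristic for agents not in the table: names that advertise remote
# control, monitoring or support. This is the part that is not a badness list.
GENERIC_RMM = re.compile(r"remote.*(control|monitor|manag|support|admin)", re.I)

# Hypothetical removal script on an internal share (assumption).
REMOVAL_SCRIPT = r"\\hunt\share\remove_rmm.cmd"


@dataclass
class Finding:
    host: str
    tool: str
    evidence: str
    authorized: bool


def classify(name, path):
    """Return the RMM family for a service/software entry, or None if benign."""
    lname = name.lower()
    lpath = path.lower().replace("/", "\\")
    for family, ind in KNOWN_RMM.items():
        if lname in ind["services"] or ind["path"] in lpath:
            return family
    if GENERIC_RMM.search(name):
        return "unknown-RMM-like"
    return None


def hunt(inventory, baseline):
    """inventory: {host: [(service_or_product_name, binary_path), ...]}
    baseline:  {host: {approved RMM family, ...}}  (the managed-network allow-list)

    Every RMM match is reported. It is unauthorized unless the baseline explicitly
    allows that family on that host, so anything unmanaged is flagged by default.
    """
    findings = []
    for host, entries in inventory.items():
        approved = baseline.get(host, set())
        for name, path in entries:
            family = classify(name, path)
            if family is not None:
                findings.append(Finding(host, family, f"{name} -> {path}", family in approved))
    return findings


def unauthorized(findings):
    return [f for f in findings if not f.authorized]


def removal_plan(findings, date, time):
    """One scheduled task per affected host, all with the same fire time, so the
    removal lands everywhere at once instead of tipping off the intruder host by host.
    schtasks switches are real; the remote script it runs is the assumption above."""
    plan = {}
    for f in unauthorized(findings):
        plan.setdefault(
            f.host,
            f'schtasks /Create /S {f.host} /SC ONCE /SD {date} /ST {time} '
            f'/TN RMM-Removal /TR "{REMOVAL_SCRIPT}"',
        )
    return plan


# Constructed sample inventory, as a per-host collection script might return it.
INVENTORY = {
    "ws-accounting-07": [
        ("LTService", r"C:\WINDOWS\LTSVC\LTSVC.exe"),
        ("wuauserv", r"C:\Windows\System32\svchost.exe"),
    ],
    "fs-01": [
        ("DWMRCS", r"C:\Windows\dwrcs\DWRCS.exe"),
        ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ],
    "dc-01": [
        ("Acme Remote Support Agent", r"C:\Program Files\Acme\agent.exe"),
    ],
    "msp-console": [
        ("LTService", r"C:\WINDOWS\LTSVC\LTSVC.exe"),
    ],
}
# The one place LabTech is supposed to run: the MSP's own console.
BASELINE = {"msp-console": {"LabTech"}}

if __name__ == "__main__":
    results = hunt(INVENTORY, BASELINE)
    for f in results:
        print(("OK   " if f.authorized else "ROGUE"), f.host, f.tool, f.evidence)
    for host, cmd in removal_plan(results, "11/18/2011", "03:00").items():
        print(cmd)
```

Run against the constructed inventory it reports three rogue agents (the LabTech agent on a workstation, DameWare on the file server, and an unlisted "remote support" agent on the domain controller) and one authorized LabTech install on the MSP console, then emits one identically timed schtasks command per rogue host. Feeding it real data means replacing INVENTORY with the output of your own collection script (services plus installed products per host) and maintaining BASELINE as the record of what is actually supposed to be managing each machine.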

Comment E) None of the above (Score 1) 803

You'll never hear the real reason why in the main-stream media, because they support Occupy Wall Street, but there is a very clear reason why the Feds stepped in and shut this down.

What you may not have heard about is that on Friday, there was an assassination attempt on Obama. Haven't heard about it? Well, someone shot an AK-47 at the White House, and he was at large until today, when they finally caught him and now the story is coming to light. Apparently, this guy went to the White House straight from the OWS encampment.

Comment Re:A former Government Contractor (Score 1) 382

Wow - interesting. Federal Govt. security clearances are free here (Australia) or at least free to the applicant themselves.

Here in America, if you are going to work for the agency directly, there are no direct costs for the security clearance. So no difference there. The key here is that if you are a private contractor, that contractor must bear those costs directly themselves, and they must recoup all those costs in billable hours.

Comment A former Government Contractor (Score 1) 382

It is EXTREMELY expensive to do work for the Federal Government - first, most of these high-paying jobs require a security clearance, which costs (depending on the level of clearance) ~$25,000 to get, and $15,000 per year to maintain. Then, when you are flying for a government project, you ALWAYS have to purchase fully refundable tickets, which means you pay 2x-4x the price you pay anywhere else - because the project you're working on will ALWAYS get rescheduled at the last moment.
Government is hopelessly dysfunctional, every project takes 2-10x longer than it should... yet if it weren't for the contractors, nothing would get done. At least a contractor can leave agency A, and go to agency B while A tries to figure out what the heck is going on.

Joel

Comment Re:And while they're at it - they should... (Score 0) 897

And that is my point! Efficiency cannot be mandated - and the auto makers have NOT been dragging their feet. There is only so much energy that can be extracted from a gallon of gasoline. European cars get "Better" gas mileage because the UK (imperial) gallon is 20% more volume than the US Gallon.
1 US Gal = 3.78L
1 UK Gal = 4.54L
So obviously, European cars will get better fuel efficiency for 2 reasons. 1, the larger gallon size makes it look better and 2, EUROPEAN CARS USE DIESEL and DIESEL is BANNED FROM US CARS.

Why aren't the Chinese making these 100mpg cars? America no longer dominates the auto industry the way it did... so this must be a GLOBAL conspiracy?

Comment And while they're at it - they should... (Score 2, Insightful) 897

Why doesn't Obama require Intel to release the 10 GHz Chip? Apparently the only thing stopping progress is there isn't any legislation mandating it, right? So why stop at 60mpg? Why not 1000 mpg? We should also mandate flying cars and a PONY for EVERYONE!!!
What is up with this imaginary thinking?
Do people really believe everything they think?
