[Infowarrior] - Microsoft Says Recovery from Malware Becoming Impossible

Richard Forno rforno at infowarrior.org
Tue Apr 4 13:38:38 EDT 2006


http://www.eweek.com/print_article2/0,1217,a=174915,00.asp
Microsoft Says Recovery from Malware Becoming Impossible
April 4, 2006
By  Ryan Naraine

LAKE BUENA VISTA, Fla. - In a rare discussion on the severity of the Windows
malware scourge, a Microsoft security official said businesses should
consider investing in an automated process to wipe hard drives and reinstall
operating systems as a practical way to recover from malware infestation.

"When you are dealing with rootkits and some advanced spyware programs, the
only solution is to rebuild from scratch. In some cases, there really is no
way to recover without nuking the systems from orbit," Mike Danseglio,
program manager in the Security Solutions group at Microsoft, said in a
presentation at the InfoSec World conference here.

Offensive rootkits, which are used to hide malware programs and maintain an
undetectable presence on an infected machine, have become the weapon of
choice for virus and spyware writers. Because they often use kernel hooks to
avoid detection, Danseglio said, IT administrators may never know whether
all traces of a rootkit have been successfully removed.

He cited a recent instance where an unnamed branch of the U.S. government
struggled with malware infestations on more than 2,000 client machines. "In
that case, it was so severe that trying to recover was meaningless. They did
not have an automated process to wipe and rebuild the systems, so it became
a burden. They had to design a process real fast," Danseglio added.

Danseglio, who delivered two separate presentations at the conference (one on
threats and countermeasures to defend against malware infestations in
Windows, and the other on the frightening world of Windows rootkits), said
anti-virus software is getting better at detecting and removing the latest
threats, but for some sophisticated forms of malware, he conceded that the
cleanup process is "just way too hard."

"We've seen the self-healing malware that actually detects that you're
trying to get rid of it. You remove it, and the next time you look in that
directory, it's sitting there. It can simply reinstall itself," he said.

"Detection is difficult, and remediation is often impossible," Danseglio
declared. "If it doesn't crash your system or cause your system to freeze,
how do you know it's there? The answer is you just don't know. Lots of
times, you never see the infection occur in real time, and you don't see the
malware lingering or running in the background."
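The two quotes above describe a concrete, observable behaviour: a file that an administrator deletes and that reappears a short time later, often byte-for-byte identical, because a second component of the malware is watching for its removal. The following script is an added example, not code from the article or from Microsoft, showing one way a detection engineer would hunt for that "resurrection" pattern in a stream of file-system create/delete events. The event records, paths and hashes are constructed for the example; in practice the events would come from a file-integrity monitor, Sysinternals-style file activity logging, or a forensic timeline of the volume.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FsEvent:
    """One file-system event from a monitoring agent (constructed for this example)."""
    ts: datetime
    action: str            # "create" or "delete"
    path: str
    sha256: Optional[str] = None   # content hash at create time; None for deletes


def find_resurrections(
    events: List[FsEvent], window: timedelta = timedelta(seconds=120)
) -> List[Tuple[str, datetime, datetime, bool]]:
    """Flag files recreated within `window` of being deleted.

    Returns (path, deleted_at, recreated_at, same_content). `same_content` is
    True only when the recreated file hashes identically to the copy that was
    deleted, the strongest sign of a watchdog process restoring its payload
    rather than an application legitimately rewriting a file.
    """
    last_hash = {}   # path -> hash of the most recent live copy
    pending = {}     # path -> (delete time, hash of the deleted copy)
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "delete":
            pending[ev.path] = (ev.ts, last_hash.get(ev.path))
        elif ev.action == "create":
            if ev.path in pending:
                deleted_at, old_hash = pending.pop(ev.path)
                if ev.ts - deleted_at <= window:
                    same = old_hash is not None and old_hash == ev.sha256
                    hits.append((ev.path, deleted_at, ev.ts, same))
            last_hash[ev.path] = ev.sha256
    return hits


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample timeline (hypothetical paths and contents).
T0 = datetime(2006, 4, 4, 9, 0, 0)
DRV = r"C:\Windows\System32\drivers\srvx.sys"     # hypothetical rootkit driver
LOG = r"C:\Users\build\tmp\build.log"              # benign, rewritten hours later
DLL = r"C:\Program Files\App\app.dll"              # updated in place, new content
SAMPLE_EVENTS = [
    FsEvent(T0, "create", DRV, _h(b"constructed driver payload")),
    FsEvent(T0, "create", LOG, _h(b"build output v1")),
    FsEvent(T0 + timedelta(minutes=5), "delete", DRV),              # admin deletes it
    FsEvent(T0 + timedelta(minutes=5, seconds=20), "create", DRV,
            _h(b"constructed driver payload")),                     # identical copy is back
    FsEvent(T0 + timedelta(minutes=10), "delete", DLL),
    FsEvent(T0 + timedelta(minutes=10, seconds=30), "create", DLL,
            _h(b"app.dll version 2")),                              # in window, new content
    FsEvent(T0 + timedelta(hours=1), "delete", LOG),
    FsEvent(T0 + timedelta(hours=3), "create", LOG, _h(b"build output v2")),  # outside window
]

if __name__ == "__main__":
    for path, gone, back, same in find_resurrections(SAMPLE_EVENTS):
        tag = "IDENTICAL CONTENT" if same else "changed content"
        print(f"{path}: deleted {gone:%H:%M:%S}, recreated {back:%H:%M:%S} ({tag})")
```

Running it flags srvx.sys (recreated 20 seconds later with the same hash) and app.dll (recreated inside the window but with different content, which looks like an installer rather than a watchdog); build.log is ignored because its rewrite falls outside the window. The caveat that goes with the speaker's point: a kernel-mode rootkit can hide the recreated file from the same API the monitoring agent uses, so on a host that is already compromised the event stream itself cannot be trusted, and the evidence has to come from an offline view of the disk. That is exactly why the talk recommends rebuilding rather than cleaning.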

He recommended using PepiMK Software's SpyBot Search & Destroy, Mark
Russinovich's RootkitRevealer and Microsoft's own Windows Defender, all free
utilities that help with malware detection and cleanup, and urged CIOs to
take a defense-in-depth approach to preventing infestations.

Danseglio said malicious hackers are conducting targeted attacks that are
"stealthy and effective" and warned that the for-profit motive is much more
serious than even the destructive network worms of the past. "In 2006, the
attackers want to pay the rent. They don't want to write a worm that
destroys your hardware. They want to assimilate your computers and use them
to make money.

"At Microsoft, we are fielding 2,000 attacks per hour. We are a constant
target, and you have to assume your Internet-facing service is also a big
target," Danseglio said.

Danseglio said the success of social engineering attacks is a sign that the
weakest link in malware defense is "human stupidity."

"Social engineering is a very, very effective technique. We have statistics
that show significant infection rates for the social engineering malware.
Phishing is a major problem because there really is no patch for human
stupidity," he said.

The most recent statistics from Microsoft's anti-malware engineering team
confirm Danseglio's contention. In February alone, the company's free
Malicious Software Removal Tool detected a social engineering worm called
Win32/Alcan on more than 250,000 unique machines.

According to Danseglio, user education goes a long way to mitigating the
threat from social engineering, but in companies where staff turnover is
high, he said a company may never recoup that investment.

"The easy way to deal with this is to think about prevention. Preventing an
infection is far easier than cleaning up," he said, urging enterprise
administrators to block known bad content using firewalls and proxy
filtering and to ensure security software regularly scans for infections.
