by Anonymous Coward writes:
on Friday June 29, 2018 @04:03AM (#56863988)
Security Program Manager, Microsoft Corporation
I Got Hacked, What Do I Do? https://technet.microsoft.com/en-us/library/cc700813.aspx
So the parent was modded up before, suddenly it gets modded down. Really slashdot moderation has been trashed recently. It's worth saying why this was the money post. The only post in the whole thread which really mattersL:
The key quote you have to follow is:
The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications). Alternatively, you could of course work on your resume instead, but I don’t want to see you doing that.
But it's the bit before that which really matters:
You can’t clean a compromised system by using a virus scanner. To tell you the truth, a fully compromised system can’t be trusted. Even virus scanners must at some level rely on the system to not lie to them. If they ask whether a particular file is present, the attacker may simply have a tool in place that lies about it. Note that if you can guarantee that the only thing that compromised the system was a particular virus or worm and you know that this virus has no back doors associated with it, and the vulnerability used by the virus was not available remotely, then a virus scanner can be used to clean the system. For example, the vast majority of e-mail worms rely on a user opening an attachment. In this particular case, it is possible that the only infection on the system is the one that came from the attachment containing the worm. However, if the vulnerability used by the worm was available remotely without user action, then you can’t guarantee that the worm was the only thing that used that vulnerability. It is entirely possible that something else used the same vulnerability. In this case, you can’t just patch the system.
Below there are people proposing reverse engineering the malware and then, if you know what it does, you can clean it up by reversing that. However, one thing most malware does is open up to the network and let the malware authors do what they want, so even if you know what this malware does you don't know what all malware does. Anything more could have happened to your system.
Reinstall from original installation media and pray to god that your system's onboard firmware is not compromised.
Reinstall from original installation media and pray to god that your system's onboard firmware is not compromised.
Sadly today that last part is also very significant. Thanks to the mess of modern infrastructure like UEFI, everybody's device having embedded functionality that can be updated, and processors-within-processors, it's basically impossible to ever fully trust a system that has been compromised now, no matter how drastic your recovery procedures might be. Of course, for similar reasons it's also basically impossible to trust a system that you don't know has been compromised either. Security in modern tech is broken, and the tech industry and security services broke it.
But it's the bit before that which really matters:
You can’t clean a compromised system by using a virus scanner. To tell you the truth, a fully compromised system can’t be trusted. Even virus scanners must at some level rely on the system to not lie to them. If they ask whether a particular file is present, the attacker may simply have a tool in place that lies about it.
That why you don't try anything from within the compromised system. Either you try all your effort from a known clean bootdisk (CD, USB stick, etc), or even better, you disconnect the drive and connect it to a known clean machine.
A non compromised OS will not lie about what is on the disk of another system, even if that other (non-currently running system) happens to be compromised.
(The sole exception being malware like ransomware that encrypt your data. Then nobody except the hacker holding the decryption key can read that disk).
Reinstall from original installation media and pray to god that your system's onboard firmware is not compromised.
Well, the attack of firmware (UEFI) or "management chips" running their own firmware (Intel ME engine and co) is indeed an entirely different level of scary.
And given the almost total disappearance of socketed flashchips to hold these firmwares, any chance to recover from that becomes bleak.
Even virus scanners must at some level rely on the system to not lie to them.
Kaspersky provides a Live CD rescue disk. I have had luck with it in the past. But even with a live CD, you have to know a good deal about both the target system and the malware.
All great discoveries are made by mistake.
-- Young
Nuke & Pave (Score:0)
How about you *don't* go to their forum and instead format everything and start again.
Re: Nuke & Pave (Score:1)
Security Program Manager, Microsoft Corporation
I Got Hacked, What Do I Do?
https://technet.microsoft.com/en-us/library/cc700813.aspx
Re: Nuke & Pave (Score:5, Informative)
Security Program Manager, Microsoft Corporation
I Got Hacked, What Do I Do?
https://technet.microsoft.com/en-us/library/cc700813.aspx
So the parent was modded up before, suddenly it gets modded down. Really slashdot moderation has been trashed recently. It's worth saying why this was the money post. The only post in the whole thread which really mattersL:
The key quote you have to follow is:
But it's the bit before that which really matters:
Below there are people proposing reverse engineering the malware and then, if you know what it does, you can clean it up by reversing that. However, one thing most malware does is open up to the network and let the malware authors do what they want, so even if you know what this malware does you don't know what all malware does. Anything more could have happened to your system.
Reinstall from original installation media and pray to god that your system's onboard firmware is not compromised.
Re: Nuke & Pave (Score:5, Interesting)
Reinstall from original installation media and pray to god that your system's onboard firmware is not compromised.
Sadly today that last part is also very significant. Thanks to the mess of modern infrastructure like UEFI, everybody's device having embedded functionality that can be updated, and processors-within-processors, it's basically impossible to ever fully trust a system that has been compromised now, no matter how drastic your recovery procedures might be. Of course, for similar reasons it's also basically impossible to trust a system that you don't know has been compromised either. Security in modern tech is broken, and the tech industry and security services broke it.
Re: (Score:2)
What happened to bootdisks ?! (Score:4, Interesting)
But it's the bit before that which really matters:
That why you don't try anything from within the compromised system.
Either you try all your effort from a known clean bootdisk (CD, USB stick, etc),
or even better, you disconnect the drive and connect it to a known clean machine.
A non compromised OS will not lie about what is on the disk of another system, even if that other (non-currently running system) happens to be compromised.
(The sole exception being malware like ransomware that encrypt your data. Then nobody except the hacker holding the decryption key can read that disk).
Reinstall from original installation media and pray to god that your system's onboard firmware is not compromised.
Well, the attack of firmware (UEFI) or "management chips" running their own firmware (Intel ME engine and co) is indeed an entirely different level of scary.
And given the almost total disappearance of socketed flashchips to hold these firmwares, any chance to recover from that becomes bleak.
Re: (Score:2)
Kaspersky provides a Live CD rescue disk. I have had luck with it in the past. But even with a live CD, you have to know a good deal about both the target system and the malware.