Most of us that have worked on computers for a living have run across many
compromised computers with many different types of malware.
As people post with compromised machines we direct them to all of the
tools that we know about in an effort to help them regain use of their
machines in a malware-free mode, or at least enough access to back up
their documents and files to restore later.
What is really at question is the ability of the current tools we have
to clean 100% of the malware 100% of the time in the current and future
environment for a given machine at a given instant.
[snip]
So after reading all of the replies in this thread, ignoring a response
from one lunatic, it appears that we're all on the same page when it
comes to ensuring a clean machine - a Wipe/Reinstall is the only proper
method to ensure a clean machine 100% of the time.
So this begs the next question:
As responsible (I hope) technical types, with security and data
integrity in mind at all times, other than getting a client's/home user's
machine to a point that we/they can salvage files, why do we give them
the impression that their machines are clean when we ourselves know that
they might not be clean?
Take the typical poster here: some unknown person asking for help
with a compromised machine. We get a "little" information, pull more
info out of them, but we have no idea as to the extent of the compromise
of their computers. We take a "best guess" approach to get them back to
a usable state, but, is "usable" what we should really be doing? If it
was your relative (one that you liked a lot) with the compromised
machine, wouldn't you just flatten their system after salvaging their
documents and then rebuild it from scratch?
99% of the time we have no idea what the poster's computer is used for,
what personal data they might have on it, what financial data might be
on it, what business data might be on it.... I know it's a hassle for
the client/home user to flatten/rebuild their computer, but, considering
all of the unknowns, the security of their data, shouldn't we be
encouraging the flattening of their systems as the proper method to
clean an unknown system?
This has nothing to do with the skills of the tech; it has to do with the
value of the data on the compromised machine, that in Usenet we don't
really know what the poster's actual situation is, how many other things
have compromised their machine that they don't know about, and we don't
know about the undetected malware on their machines.
Let me give an example: Granny buys a computer, her 40-year-old son
specs it out and sets it up (a brand XYZ computer). He does all the
stuff that the vendor required, then connects her to a Cable Modem.
Granny goes out to POGO.COM and plays some games, visits some websites,
starts noticing pop-ups, goes to one site that says it can clean her
system.... Now she gets an email from a friend that asks her to run this
program to clean a virus they may have sent her.... lots of normal stuff
over the next days. Granny loads AOL IM on her computer to keep in touch
with her grandkids and some of them send her links in IM chats - she
follows the links thinking her GK would only send her good links...
Granny posts that she's seeing funny things and follows the directions
of all that post in reply to her problem; her system, after several
interactions, appears to be clean.
What Granny didn't tell us is that she processes the accounting for 4
companies using QuickBooks and lots of Excel spreadsheets, has SSNs,
account numbers, etc. in those sheets and in a QB setup for each
company. She also manages her retirement stocks online now that she can
get to them.....
Weeks later she's back posting that the problems are back, that
something got into her computer and used the account information and
drained her funds..... Oh, and she had to switch ISPs because the first
one disabled her service because her machine was spamming the Net due to
a virus on her machine...
With the above in mind, she should have been told to get a NAT Router
(at least), quality commercial AV protection, set up and run as a Limited
User, use an alternative browser - you know, all the things we tell our
own Granny to do.... We should have also told her to get out the restore
disks and reinstall, even if it means calling her lame son or a
technician, since there are always things we're not going to know about
some anonymous poster's situation.