[ale] [OT] Databases of viruses/malware

Greg Freemyer greg.freemyer at gmail.com
Wed Mar 2 22:44:50 EST 2011


This is an awfully long thread to not even mention:

Malware factories usable by techno-phobes.

The resulting tens of thousands of unique zero-day attacks per day!!

Rootkits are last decade.  Zero-day attacks work better and are easy to create.

Standalone boot CDs are useless against a zero-day.

Go Linux!

Greg

On 3/2/11, Ron Frazier <atllinuxenthinfo at c3energy.com> wrote:
> Pat,
>
> A valid question. The best way to fix a virus is never to catch one.
> However, the post JD wrote which I replied to assumed a virus had been
> detected and he was discussing how to get rid of it. I'll give you the
> best answer I can. If I wipe the drive, and reinstall the system and
> non-infectable data files, then I would trust the computer. Then, I would do
> routine virus scans, have live on the fly scanning active, and have data
> execution protection on in the OS (if it's Windows) and the browser (if
> it's IE). I would watch for anomalous events such as crashes,
> non-requested reboots, error messages, etc. I would watch for reports of odd
> computer behavior from the users, missing or corrupt data, reports like
> "I got this email from IT and clicked the link" or "what was that urgent
> system maintenance thing yesterday (when there was none)", etc. If I have
> much probable cause at all, I'll reboot with a few different AV rescue
> CDs and scan independent of the OS. For truly sensitive PCs and users,
> I might wipe the drive and reinstall just based on probable cause alone.
> Of course, I would immediately pursue and try to confirm any reports of
> active viruses by the AV scanner.
>
> To actually answer your question, there is no sure fire way to detect
> these things. Just like organized criminals, the really good ones never
> get caught. There are millions of users with infected computers who
> don't even know it. The virus writers use the compromised PCs to join
> botnets, silently commit cyber terrorism, and steal confidential data
> which is sold on the black market.
>
> Security professionals feel free to jump in here.
>
> Sincerely,
>
> Ron
>
> On 03/02/2011 09:08 PM, Pat Regan wrote:
>> On Wed, 02 Mar 2011 20:58:02 -0500
>> Ron Frazier <atllinuxenthinfo at c3energy.com> wrote:
>>
>>
>>> The problem is, you may never know if the remedy failed. If the virus
>>> returns in a mutated form, or in rootkit form, it may not show any
>>> evidence of its presence until you boot another OS and scan again,
>>> which may be weeks or months or never. In my opinion, if a machine is
>>> compromised, the only way I can trust it again with confidential
>>> data, for sure, is to wipe the drive.
>>>
>> How do you know when to stop trusting it again?  If it is hiding that
>> well then how did you find it in the first place? :)
>>
>> Pat
>>
>>
>
> --
>
> (PS - If you email me and don't get a quick response, you might want to
> call on the phone.  I get about 300 emails per day from alternate energy
> mailing lists and such.  I don't always see new messages very quickly.)
>
> Ron Frazier
>
> 770-205-9422 (O)   Leave a message.
> linuxdude AT c3energy.com
>
>

-- 
Sent from my mobile device

Greg Freemyer
Head of EDD Tape Extraction and Processing team
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
CNN/TruTV Aired Forensic Imaging Demo -
   http://insession.blogs.cnn.com/2010/03/23/how-computer-evidence-gets-retrieved/

The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
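Ron's quoted reply talks about booting rescue media and scanning independent of the OS, and Greg's point is that signature scanners on such media miss zero-day malware. The script below is an added example, not code from this thread or from either poster: it shows the signature-independent check a rescue environment can run instead. It hashes every file of a known-good install into a manifest right after the reinstall, then hashes the same tree again later (mounted read-only from rescue media) and reports anything added, removed or modified. The directory layout, file contents and the simulated tampering in demo() are constructed for the demonstration and are assumptions, not data from the thread.

```python
"""Offline integrity baseline check (added example, not code from the thread)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped rather than followed: following them from rescue
    media could wander off the volume or into a target the attacker chose.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Return the files added, removed and modified relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario (assumption): baseline a clean tree, tamper, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_bytes(b"welcome\n")

        # Manifest taken right after the clean reinstall, stored off the box.
        baseline = build_manifest(root)

        # Simulated compromise: replaced binary, dropped file, deleted file.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\n# trojaned replacement\n")
        (root / "etc" / "ld.so.preload").write_bytes(b"/lib/evil.so\n")
        (root / "etc" / "motd").unlink()

        # What the later scan from rescue media would compute and report.
        current = build_manifest(root)
        return compare_manifests(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

The manifest must live somewhere the compromised OS cannot rewrite it (the rescue media itself, or a remote store), otherwise a rootkit can simply refresh the baseline to match its changes. This catches file changes on disk only; malware that lives purely in memory, in firmware, or in data files the baseline deliberately excludes will not show up, which is why the reinstall-on-probable-cause policy in the quoted reply still has a place.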

