From: ~BD~ on
FromTheRafters wrote:
> "~BD~"<BoaterDave~no.spam~@hotmail.co.uk> wrote in message
> news:RoCdnRN8Ae0B1P_RnZ2dnUVZ8vGdnZ2d(a)bt.com...
>
> [...]
>
>> Btw, if you had physical access to a Windows machine, is there a
>> simple check you could carry out to quickly determine if the machine
>> had, indeed, been compromised? (other than scanning with anti-malware
>> programmes).
>
> Yes, but not very simple really. The problem is that you could *not*
> determine that it had *not* been compromised. Most malware is going to
> want to "do stuff" with the computing power it is stealing from you, if
> it does that stuff - you know the machine has been compromised.
>
> IOW, if it spews out malicious packets when you sufficiently emulate a
> networking environment for it (or use a "test network"), that's a pretty
> good indicator. However, If it doesn't do any obvious stuff, it doesn't
> mean anything at all.

Hmmmmm! :) Thanks for that. 'Ant' said quite simply, "no"!

I said - on another group:-

> I wonder how many realise that installing an anti-virus programme
> > *after* a machine has already been compromised might well give
> > comfort to the user ...... but provide absolutely NO protection from
> > malware!

Dustin Cook said in reply:-

"*That's not true, BD*. In fact, if the malware is known to the
antivirus app, there's a very good chance it can be removed without harm
to the system."

**

I'd also said:-

> > In other words, today's 'nasties' can (and do) protect themselves
> > when subjected to what they consider an attack! Bad news!

Dustin Cook responded:-

"They don't do anything "new" today that they couldn't do back in the
80s and 90s. "rootkit" on windows is another word for stealth, it just
sounds better in newsprint."

**

/I/ think *Dustin* is wrong. I believe that installing an anti-virus
programme on an already compromised machine is, in all probability, a
futile exercise.

I'd be interested to learn the views of others on this particular matter.

--
Dave


From: FromTheRafters on
"~BD~" <BoaterDave~no.spam~@hotmail.co.uk> wrote in message
news:35SdnQv8T-xdsvnRnZ2dnUVZ8mqdnZ2d(a)bt.com...
> FromTheRafters wrote:
>> "~BD~"<BoaterDave~no.spam~@hotmail.co.uk> wrote in message
>> news:RoCdnRN8Ae0B1P_RnZ2dnUVZ8vGdnZ2d(a)bt.com...
>>
>> [...]
>>
>>> Btw, if you had physical access to a Windows machine, is there a
>>> simple check you could carry out to quickly determine if the machine
>>> had, indeed, been compromised? (other than scanning with
>>> anti-malware
>>> programmes).
>>
>> Yes, but not very simple really. The problem is that you could *not*
>> determine that it had *not* been compromised. Most malware is going
>> to
>> want to "do stuff" with the computing power it is stealing from you,
>> if
>> it does that stuff - you know the machine has been compromised.
>>
>> IOW, if it spews out malicious packets when you sufficiently emulate
>> a
>> networking environment for it (or use a "test network"), that's a
>> pretty
>> good indicator. However, If it doesn't do any obvious stuff, it
>> doesn't
>> mean anything at all.
>
> Hmmmmm! :) Thanks for that. 'Ant' said quite simply, "no"!

He answered the question I think that you *meant* to ask.

"Is there a simple way to show a system is *not* compromised once you
have physical access to the machine aside from using antimalware
antivirus tools?" - and since absence of evidence is not evidence of
absence the answer is indeed no - even with AM/AV.

> I said - on another group:-
>
> > I wonder how many realise that installing an anti-virus programme
> > > *after* a machine has already been compromised might well give
> > > comfort to the user ...... but provide absolutely NO protection
> > > from
> > > malware!

True, it could be installed and be kept from accessing certain areas by
a rootkit.

> Dustin Cook said in reply:-
>
> "*That's not true, BD*. In fact, if the malware is known to the
> antivirus app, there's a very good chance it can be removed without
> harm to the system."

True, and the reason is that most of those apps will attempt to remove
known installed malware before it actually installs itself on the
machine. Many of them check for rootkits before allowing installation to
proceed. So, what Dustin said was true, but your eyes might have glazed
over when he wrote the word "known".

The Virus Description Language used to create the definitions to detect
and identify a malware item also includes clues as to how to go about
removing the identified malware.

> I'd also said:-
>
> > > In other words, today's 'nasties' can (and do) protect themselves
> > > when subjected to what they consider an attack! Bad news!
>
> Dustin Cook responded:-
>
> "They don't do anything "new" today that they couldn't do back in the
> 80s and 90s. "rootkit" on windows is another word for stealth, it just
> sounds better in newsprint."

True again, some actual viruses have in the past used some of the same
tricks that are essential to rootkit technology. The term "rootkit" is
just a renaming of these stealth methods that are used similarly to the
unix style tool replacement kits. That is to say that in addition to
stealing your computer power, they steal more in order to take measures
to hide that fact from the user (or admin, or even the system itself).

> /I/ think *Dustin* is wrong. I believe that installing an anti-virus
> programme on an already compromised machine is, in all probability, a
> futile exercise.

They used to say that you shouldn't install an AV on a compromised
machine.

Dustin didn't actually say otherwise, but he *did* say that known
malware would probably be removed without a problem when an attempt is
made to install the AV. My guess is that he considers the scan to be
part of the install process, and I believe it is these days.

> I'd be interested to learn the views of others on this particular
> matter.

Are you asking if flatten and rebuild is actually the *only* way to be
absolutely sure? Keep in mind that most people are content to be
'reasonably sure' after scanning their system and installing their AV
program. If reasonably sure isn't good enough for someone, I recommend a
robust back-up/restore method so that 'flatten and rebuild' does not
seem so daunting as it *does* provide better confidence.

Another thing, it would be important to know what you mean by
"compromised". Some malware is pretty lame, would it constitute a
compromise to you if it sent spam but had no command and control network
activity? Hell, sometimes all you need to do is hit the delete button to
send a malware to the bit bucket.


From: ~BD~ on
Dustin wrote:
> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
> news:KNSdnZ_Wh89i4PnRnZ2dnUVZ8ridnZ2d(a)bt.com:
>
>> Dustin wrote:
>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>>> news:35SdnQv8T-xdsvnRnZ2dnUVZ8mqdnZ2d(a)bt.com:
>>>
>>>> /I/ think *Dustin* is wrong. *I believe that installing an
>>>> anti-virus programme on an already compromised machine is, in all
>>>> probability, a futile exercise*.
>>>
>>> LOL, you would certainly be in the minority if you think I was
>>> wrong in the advice I provided concerning malware.

[....]


What FTR actually said .....

"True, it could be installed and be kept from accessing certain areas by
a rootkit".

Do you *really* disagree with that?


From: Dustin on
~BD~ <BoaterDave~no.spam~@hotmail.co.uk> wrote in
news:ifCdnZBsxp-fPPjRnZ2dnUVZ8vadnZ2d(a)bt.com:

> Dustin wrote:
>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>> news:KNSdnZ_Wh89i4PnRnZ2dnUVZ8ridnZ2d(a)bt.com:
>>
>>> Dustin wrote:
>>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>>>> news:35SdnQv8T-xdsvnRnZ2dnUVZ8mqdnZ2d(a)bt.com:
>>>>
>>>>> /I/ think *Dustin* is wrong. *I believe that installing an
>>>>> anti-virus programme on an already compromised machine is, in
>>>>> all probability, a futile exercise*.
>>>>
>>>> LOL, you would certainly be in the minority if you think I was
>>>> wrong in the advice I provided concerning malware.
>
> [....]
>
>
> What FTR actually said .....
>
> "True, it could be installed and be kept from accessing certain
> areas by a rootkit".

A rootkit still has to play by certain hardrules; nothing can be hidden
completely. Some in house developed tools for prior work with
malwarebytes are likely useful in such a scenario.

I didn't say I couldn't do it without any tools. I just said I wouldn't
provide details. And what would be the point in doing so anyway? You
wouldn't understand what I was writing about... and I'd just be
providing information to anyone interested in circumventing technology
rootkit style. While I don't feel it's information that they couldn't
acquire on their own, I see no real point in.. well, advancing the
technology ahead of schedule.

> Do you *really* disagree with that?

Of course not, a rootkit is nothing more than stealth; BD. However,
it's not foolproof. The old addage is this: "Whatever software can do,
software can undo."; That does *not* include crypto, however. Another
beast entirely.

To further on my post previous to you BD, Technology and the underlying
principles hasn't really changed that much. Computers are faster now,
sure; but they still follow the same laws if you will that the older
ones did. In the DOS days, TSR software could be what you would say is
a rootkit in the windows world; providing it was instructed to hide
folders from dir or windows explorer *g*.


--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.
From: FromTheRafters on
"Dustin" <bughunter.dustin(a)gmail.com> wrote in message
news:Xns9DD3B747B5F97HHI2948AJD832(a)no...

[...]

> The old addage is this: "Whatever software can do,
> software can undo."; That does *not* include crypto,
> however. Another beast entirely.

It can be sucessfully argued that it still holds even for crypto. The
thing is, the length of time required to do the undoing outlasts the
value of the retrieved information, so it wouldn't be worth it. In fact
the time scales involved in software reversing of long keylength crypto
may be greater than the age of the universe or perhaps even of its
future expected lifespan (whatever that might be) but I don't see how
that could ever be provable.