Prev: malware changing router settings
Next: TDSSosvd.dat TR/Agent.439 was found
From: Wolf K on 13 Aug 2010 19:02
On 13/08/2010 18:43, FromTheRafters wrote:
> "Dustin"<bughunter.dustin(a)gmail.com> wrote in message
> news:Xns9DD3B747B5F97HHI2948AJD832(a)no...
>
> [...]
>
>> The old addage is this: "Whatever software can do,
>> software can undo."; That does *not* include crypto,
>> however. Another beast entirely.
>
> It can be sucessfully argued that it still holds even for crypto. The
> thing is, the length of time required to do the undoing outlasts the
> value of the retrieved information, so it wouldn't be worth it. In fact
> the time scales involved in software reversing of long keylength crypto
> may be greater than the age of the universe or perhaps even of its
> future expected lifespan (whatever that might be) but I don't see how
> that could ever be provable.

Read up on the relevant math. You won't be able to imagine the orders of
magnitude involved, but you will be able to understand the notation. ;-)

cheers,
wolf k.
From: FromTheRafters on 13 Aug 2010 19:09
"~BD~" <BoaterDave~no.spam~@hotmail.co.uk> wrote in message
news:ifCdnZBsxp-fPPjRnZ2dnUVZ8vadnZ2d(a)bt.com...
> Dustin wrote:
>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>> news:KNSdnZ_Wh89i4PnRnZ2dnUVZ8ridnZ2d(a)bt.com:
>>
>>> Dustin wrote:
>>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>>>> news:35SdnQv8T-xdsvnRnZ2dnUVZ8mqdnZ2d(a)bt.com:
>>>>
>>>>> /I/ think *Dustin* is wrong. *I believe that installing an
>>>>> anti-virus programme on an already compromised machine is, in all
>>>>> probability, a futile exercise*.
>>>>
>>>> LOL, you would certainly be in the minority if you think I was
>>>> wrong in the advice I provided concerning malware.
>
> [....]
>
>
> What FTR actually said .....
>
> "True, it could be installed and be kept from accessing certain areas
> by a rootkit".
>
> Do you *really* disagree with that?

One thing you are apparently not getting the significance of is that the
"installation software" for the proposed AV that you want to install on
the "compromised" machine likely has its own detection software for
known malware (including some rootkits) *and* rootkit detection software
that alerts to inconsistancies in what is presented through APIs to the
other tools due to filter drivers and the like.

It may be impossible to install such AV programs on a "compromised"
machine, if the preinstallation detection software is aware of, yet not
capable of removing detected malicious activity - it may tell you that
you need to address the other issue before attempting to install that
software (I'm not aware of this actually happening though).

The most likely scenario is that the installation goes off smoothly
without a hitch on *most* compromised machines (removing the compromise
in the process) - which, I believe, is Dustin's point.


From: David H. Lipman on 13 Aug 2010 19:29
From: "FromTheRafters" <erratic(a)nomail.afraid.org>

| "~BD~" <BoaterDave~no.spam~@hotmail.co.uk> wrote in message
| news:ifCdnZBsxp-fPPjRnZ2dnUVZ8vadnZ2d(a)bt.com...
>> Dustin wrote:
>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>>> news:KNSdnZ_Wh89i4PnRnZ2dnUVZ8ridnZ2d(a)bt.com:

>>>> Dustin wrote:
>>>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>>>>> news:35SdnQv8T-xdsvnRnZ2dnUVZ8mqdnZ2d(a)bt.com:

>>>>>> /I/ think *Dustin* is wrong. *I believe that installing an
>>>>>> anti-virus programme on an already compromised machine is, in all
>>>>>> probability, a futile exercise*.

>>>>> LOL, you would certainly be in the minority if you think I was
>>>>> wrong in the advice I provided concerning malware.

>> [....]


>> What FTR actually said .....

>> "True, it could be installed and be kept from accessing certain areas
>> by a rootkit".

>> Do you *really* disagree with that?

| One thing you are apparently not getting the significance of is that the
| "installation software" for the proposed AV that you want to install on
| the "compromised" machine likely has its own detection software for
| known malware (including some rootkits) *and* rootkit detection software
| that alerts to inconsistancies in what is presented through APIs to the
| other tools due to filter drivers and the like.

| It may be impossible to install such AV programs on a "compromised"
| machine, if the preinstallation detection software is aware of, yet not
| capable of removing detected malicious activity - it may tell you that
| you need to address the other issue before attempting to install that
| software (I'm not aware of this actually happening though).

| The most likely scenario is that the installation goes off smoothly
| without a hitch on *most* compromised machines (removing the compromise
| in the process) - which, I believe, is Dustin's point.


That a case of an in situ installation of a fully installed AV soloution.

That's not the case of of the hard disk being removed and placed within a surrogate.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: Dustin on 13 Aug 2010 19:30
"FromTheRafters" <erratic(a)nomail.afraid.org> wrote in
news:i44jam$47j$1(a)news.eternal-september.org:

> "~BD~" <BoaterDave~no.spam~@hotmail.co.uk> wrote in message
> news:ifCdnZBsxp-fPPjRnZ2dnUVZ8vadnZ2d(a)bt.com...
>> Dustin wrote:
>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>>> news:KNSdnZ_Wh89i4PnRnZ2dnUVZ8ridnZ2d(a)bt.com:
>>>
>>>> Dustin wrote:
>>>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>>>>> news:35SdnQv8T-xdsvnRnZ2dnUVZ8mqdnZ2d(a)bt.com:
>>>>>
>>>>>> /I/ think *Dustin* is wrong. *I believe that installing an
>>>>>> anti-virus programme on an already compromised machine is, in
>>>>>> all probability, a futile exercise*.
>>>>>
>>>>> LOL, you would certainly be in the minority if you think I was
>>>>> wrong in the advice I provided concerning malware.
>>
>> [....]
>>
>>
>> What FTR actually said .....
>>
>> "True, it could be installed and be kept from accessing certain
>> areas by a rootkit".
>>
>> Do you *really* disagree with that?
>
> One thing you are apparently not getting the significance of is that
> the "installation software" for the proposed AV that you want to
> install on the "compromised" machine likely has its own detection
> software for known malware (including some rootkits) *and* rootkit
> detection software that alerts to inconsistancies in what is
> presented through APIs to the other tools due to filter drivers and
> the like.
>
> It may be impossible to install such AV programs on a "compromised"
> machine, if the preinstallation detection software is aware of, yet
> not capable of removing detected malicious activity - it may tell
> you that you need to address the other issue before attempting to
> install that software (I'm not aware of this actually happening
> though).
>
> The most likely scenario is that the installation goes off smoothly
> without a hitch on *most* compromised machines (removing the
> compromise in the process) - which, I believe, is Dustin's point.
>
>
>

Nicely put, FTR..


--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.
From: Dustin on 13 Aug 2010 19:31
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:i44kh0011hs(a)news2.newsguy.com:

> From: "FromTheRafters" <erratic(a)nomail.afraid.org>
>
>| "~BD~" <BoaterDave~no.spam~@hotmail.co.uk> wrote in message
>| news:ifCdnZBsxp-fPPjRnZ2dnUVZ8vadnZ2d(a)bt.com...
>>> Dustin wrote:
>>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>>>> news:KNSdnZ_Wh89i4PnRnZ2dnUVZ8ridnZ2d(a)bt.com:
>
>>>>> Dustin wrote:
>>>>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
>>>>>> news:35SdnQv8T-xdsvnRnZ2dnUVZ8mqdnZ2d(a)bt.com:
>
>>>>>>> /I/ think *Dustin* is wrong. *I believe that installing an
>>>>>>> anti-virus programme on an already compromised machine is, in
>>>>>>> all probability, a futile exercise*.
>
>>>>>> LOL, you would certainly be in the minority if you think I was
>>>>>> wrong in the advice I provided concerning malware.
>
>>> [....]
>
>
>>> What FTR actually said .....
>
>>> "True, it could be installed and be kept from accessing certain
>>> areas by a rootkit".
>
>>> Do you *really* disagree with that?
>
>| One thing you are apparently not getting the significance of is
>| that the "installation software" for the proposed AV that you want
>| to install on the "compromised" machine likely has its own
>| detection software for known malware (including some rootkits)
>| *and* rootkit detection software that alerts to inconsistancies in
>| what is presented through APIs to the other tools due to filter
>| drivers and the like.
>
>| It may be impossible to install such AV programs on a "compromised"
>| machine, if the preinstallation detection software is aware of, yet
>| not capable of removing detected malicious activity - it may tell
>| you that you need to address the other issue before attempting to
>| install that software (I'm not aware of this actually happening
>| though).
>
>| The most likely scenario is that the installation goes off smoothly
>| without a hitch on *most* compromised machines (removing the
>| compromise in the process) - which, I believe, is Dustin's point.
>
>
> That a case of an in situ installation of a fully installed AV
> soloution.
>
> That's not the case of of the hard disk being removed and placed
> within a surrogate.

Well, once you remove the host drive and take the suspect bad host out
of the equisation, it does make life easier for hunting malware. :P




--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.
First  |  Prev  | 
Pages: 1 2 3 4 5
Prev: malware changing router settings
Next: TDSSosvd.dat TR/Agent.439 was found