"In some cases, there really is no way to recover without nuking the systems from orbit"

by Volker Weber

In a rare discussion about the severity of the Windows malware scourge, a Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from malware infestation.


Comments

The problem isn't so much having to re-install the operating system -- though of course that's a pain in the ass -- it's having to remember and reinstall 10,000 software packages, some of which take forever.

Andrew Pollack, 2006-04-05

Well, if you have your system mirrored on a different drive it's somewhat bearable. Although I can't really imagine Windows beating a backed up Linux system that you just need to copy back and reinstall GRUB.

Philipp Sury, 2006-04-05

There is imaging software like Acronis TrueImage which makes it quite easy; it also offers incremental images in the background so that creating images is not too time-consuming. In the professional environment, you can use autoinstallation like Microsoft Remote Install Services. That requires of course that you package all your software as MSI packages or that you use software distribution systems like SMS (Systems Management Server) to get all the required software back on the box.
You can use images too, of course (RIS should support that too), but if you don't want all boxes to be the same, e.g. because of licensed or special software, it doesn't work out too well.

Thomas Muders, 2006-04-05

M$ got the point. It's somewhat the same with ... let's say ... hospitals. If you shoot everyone with a disease, the disease can't spread. No more HIV, no more cancer, no more anything. Easy, isn't it?

No irony found? Forget about it...

Ralf Stellmacher, 2006-04-05

"Acronis TrueImage, Microsoft Remote Install Services, MSI package, systems management server"

Against all these I throw any Linux LiveCD into the game.

1) Install Linux.
2) Use rsync daily to mirror your files.
3) Pandemonium breaks out.
4) Throw in LiveCD. Format partition(s). Use cp to copy your files back.
5) If necessary, chroot into your recovered installation and reinstall GRUB.
6) Continue your work.

For the recovery of a single computer I can't really see anything simpler. Did I mention it's free?

Philipp Sury, 2006-04-05
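The mirror-and-restore steps in the comment above, as an added example that is not part of the original post: a daily `rsync` mirror of a directory tree, plus a restore that copies the files back and checks every one against a hash manifest taken at backup time, so a half-copied or tampered restore is noticed before the rebuilt box is trusted again. It assumes GNU coreutils (`sha256sum`, `find`, `sort -z`) and optionally `rsync`, and the paths given are assumptions; the chroot/GRUB step is not covered.

```shell
#!/bin/sh
# Added example, not code from the original post. Daily mirror plus verified
# restore following the LiveCD recovery steps. Assumes GNU coreutils and,
# optionally, rsync; all paths are caller-supplied (assumed, not from the page).

# Write a sha256 manifest of every regular file under $1 to file $2,
# with paths relative to $1 so it can be checked after the restore.
make_manifest() {
    dir=$1; out=$2
    (cd "$dir" && find . -type f -print0 | sort -z | xargs -0 sha256sum) > "$out"
}

# Step 2: mirror SRC into MIRROR and record what was mirrored.
# rsync is preferred (--delete keeps the mirror exact); cp -a is the fallback.
mirror_files() {
    src=$1; mirror=$2; manifest=$3
    mkdir -p "$mirror"
    if command -v rsync >/dev/null 2>&1; then
        rsync -a --delete "$src/" "$mirror/"
    else
        rm -rf "$mirror" && cp -a "$src" "$mirror"
    fi
    make_manifest "$mirror" "$manifest"
}

# Step 4: copy the mirror back onto a freshly formatted target, then verify
# every file against the backup-time manifest. Returns non-zero if anything
# is missing or altered, so the caller knows not to continue on a bad restore.
restore_files() {
    mirror=$1; target=$2; manifest=$3
    # Resolve the manifest to an absolute path before changing directory.
    manifest_abs=$(cd "$(dirname "$manifest")" && pwd)/$(basename "$manifest")
    mkdir -p "$target"
    cp -a "$mirror/." "$target/"
    (cd "$target" && sha256sum -c --quiet "$manifest_abs") >/dev/null 2>&1
}
```

Run the mirror from cron once a day; on the rebuilt system call `restore_files` and only carry on (chroot, reinstall GRUB) if it returns zero.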

Philipp, we are not talking Linux nor single computers here.

Volker Weber, 2006-04-05

Standard advice at SANS for any compromised system is flatten and rebuild.

I agree with them.

If your security policies and supporting infrastructure are up to scratch then this should rarely be necessary. I for one have never had to resort to this on any system I control - which is not to say I never will of course.

This is why I back up my laptop (1st paragraph of comment 4)
- sorry Rich ;-)

Chris Linfoot, 2006-04-05

I’ve always referred to the method as “Scorched Earth” rather than “Nuking”. Any reinstallation of OS and software on a compromised machine is always preceded by a low level format of the hard disk. First, just to make sure that the “issue” is truly gone. Secondly, this confirms the hard disk is sound if it completes the format without any errors. Thirdly, and sadly more importantly, when using large drives over 131 GB with the NTFS file system, the drive will regain all its original efficiency (this is especially true for drives over 300 GB). This has something to do with the data density on the platter and the way NTFS marks and manages it. In problem environments, or just problem users (idiots), I have several hard disks stored, with known good images of multiple users stored on each hard disk. This reduces down time for the client, and maximizes my productivity.

Mark Holtrop, 2006-04-05
