E-Bitz's article on whether "System Restore" should be used or destroyed when cleaning an infected machine
reminds me of the other side of the debate - whether to clean at all.
Bitzie puts up a link to Jesper's article describing the more academic side of this debate, that says the only thing you can do with an infected machine is to flatten and pave (i.e. delete everything, wipe the drive, and reinstall a new operating system, applications, etc).
This is great advice in theory, and it certainly is the only way to 99.99% guarantee that you have a machine free from infection.
Woah, wait, did you just say "99.99%"? Shouldn't that be 100%?
No, because there's always the possibility of a BIOS-infecting virus - what, you think that only Award, Phoenix get to write BIOS code? There's PGP and Microsoft, who wouldn't be able to get efficient and reliable whole-disk encryption going without it.
Then there's the whole idea of the Virtual Rootkit, which emulates your installed OS from itself, so that even reinstalling from scratch won't wipe it out, because you're installing into a hosted environment, not the real PC.
So, maybe that's 99.5% guaranteed if you do the flatten and pave approach to virus recovery.
Oh, but maybe you bought your machine from an OEM - I bought a laptop from Compaq (more gripes about this later) recently, and its only option for system recovery is a recovery partition. Uh... who's to say I can't infect the recovery partition while I'm infecting the main body of the system?
Okay, let's reduce that to, oh, 98% guaranteed safe.
Then, of course, my computer is of no use without my data. Let's hope none of that is infected with macro viruses, buffer-overflows or other data-borne infections. The more recent (and therefore more useful) my backup, the more likely that it's going to contain litter created by the virus.
Better make that 95%.
Hmm... looks like we're heading for the same sort of recovery rate as if we just install a tool and try to remove the virus and its detritus.
Jesper can't be this wrong - I've met the man, and he's smart. Almost painfully so - you actually have to think while talking to him.
So I go back and I re-read the column. Carefully. Out loud (remind me to tell you about the tech-support teddy bear some day).
Here's the good part...
"You can’t trust any data copied from a compromised system. Once an attacker gets into a system, all the data on it may be modified. In the best-case scenario, copying data off a compromised system and putting it on a clean system will give you potentially untrustworthy data. In the worst-case scenario, you may actually have copied a back door hidden in the data."
"You may not be able to trust your latest backup. How can you tell when the original attack took place? The event logs cannot be trusted to tell you. Without that knowledge, your latest backup is useless. It may be a backup that includes all the back doors currently on the system."
Woah - Jesper's saying that you can't trust your backups... any backups, although he just mentions the latest one (as he says, "how can you tell when the original attack took place?").
What this article is really saying is that there is no way to make sure an infected system is clean, short of deleting all your applications and all your data, and typing the data back in by hand. As he says, it may be quicker to simply update your resume and leave.
I don't think Jesper hammered this point home clearly enough.
If you want a clean system, you have two choices:
- After discovering an infected machine, wipe the machine and lose all your applications, data, backups and do the same to any machines with which the infected one communicated or shared data.
- Don't get infected in the first place - patch when patches become available; protect against common routes of infection; run IPS (Intrusion Prevention Systems); be smart about what you do; run as administrator only when you absolutely can't avoid it.
The reality (and if you are a business computer user, I hope you already spotted this) is that at some point, the risk of possibly being infected is outweighed by the cost of the data and productivity loss that's caused by the flatten and pave.
So, the risk analysis view says that you do what you can to avoid getting infected, and when you detect an infection, you pick and choose very carefully what parts of your data you trust.