From: Dustin on
~BD~ <BoaterDave~no.spam~@hotmail.co.uk> wrote in
news:toGdnU4lcMazdsjRnZ2dnUVZ8hidnZ2d(a)bt.com:

> John Slade wrote:
>> On 8/1/2010 8:24 AM, Dustin wrote:
>>> John Slade<hhitman86(a)pacbell.net> wrote in
>>> news:i32s10$653$1(a)news.eternal-september.org:
>>>
>>>> On 7/31/2010 4:21 PM, Dustin wrote:
>>>>> John Slade<hhitman86(a)pacbell.net> wrote in
>>>>> news:L0p4o.32466$OU6.4877(a)newsfe20.iad:
>>>>>
>>>>>> On 7/29/2010 1:40 PM, David H. Lipman wrote:
>>>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>>>>
>>>>>>> | On 7/29/2010 3:24 AM, David H. Lipman wrote:
>>>>>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>>>>
>>>>>>>>> | On 7/27/2010 11:17 PM, RJK wrote:
>>>>>>>
>>>>
>>>>>
>>>>>> You should know there is malware out there that will
>>>>>> trash the registry and its backup. It will require some sort
>>>>>> of reinstall to get the system back working. I found it very
>>>>>> rare that I need to do a full reformat and reinstall because of
>>>>>> malware. Some malware will also corrupt system files and when
>>>>>> you remove them with scanners, it will make the installation
>>>>>> unbootable. This is yet another reason professionals will make
>>>>>> a backup if possible before removing infections.
>>>>>
>>>>> What software do you use for the backup?
>>>>
>>>> I will either use Acronis' or Paragon's backup software
>>>> depending on the situation.
>>>>
>>>>> Are you storing the backup on
>>>>> read only media or a hard drive that could fail for any reason?
>>>>
>>>> You mean WORM (Write Once/Read Many) media, don't you? That
>>>> media can fail also. No media is perfect. I store the backup on
>>>> business or enterprise grade HDs and will transfer to other
>>>> media if the customer wants that backup. If it's a large backup
>>>> they will have to pay me for it. Tell me what software and
>>>> hardware you would use to back up your customer's HD before you
>>>> start removing malware?
>>>
>>> I haven't heard the acronym WORM in years... Damn, you have been
>>> around a long time. :) I was thinking of cd-r or perhaps dvd-r
>>> material.
>>
>> It would be OK for DVD-R if the backup is small. But swapping 20 or
>> more DVDs is a pain.
>>
>>>
>>> It depends. When I was working at a computer shop, I'd either use
>>> Norton Ghost corp edition or the hardware drive cloning device we
>>> had at the time.
>>
>> I rarely use Ghost these days; it used to be the only thing I ever
>> used.
>>
>>
>>> I really didn't see much point in cloning a malware drive
>>> for malware removal; I wasn't stupid enough to trash my backups of
>>> the registry or important files. Besides, I wrote several
>>> utilities to assist me in verifying various Windows DLL/EXE files
>>> were still intact and okay for reuse.
>>>
>>
>> Yea, that's good for you, but when you're working for someone else
>> and they have important data they want to save, I will back up. Most
>> of the time the customer doesn't have a backup. A lot of times the
>> customer has an HD that's five or six years old and they really need
>> a backup done. Then there are the times when I'm working for a
>> young person and they don't want a backup, they just want the drive
>> wiped and they want the OS installed.
>>
>>> We would typically reserve cloning drives for hardware failure
>>> signs. Although, a customer could have us clone a drive for a
>>> malware issue if they so desired. By default, we always copied
>>> docs, favorites, emails etc before doing anything... But, you
>>> know, different places have different policies.
>>
>> I work mostly with home users and small businesses and a lot of
>> times they have personal stuff they want to save. So I'll do a
>> quick backup of that data and then I'll do the full backup.
>> Sometimes they just want a reinstall. There are times when they
>> tell me not to back up because the data isn't important. In David's
>> response he seems worried about saving data so I wondered why he
>> wouldn't back up.
>>
>>>
>>> Why do you spend the additional time to clone an entire drive for
>>> a malware removal job?
>>
>> It doesn't take that long most of the time and it's a lot safer for
>> the user's data. In most cases it actually takes longer to install,
>> upgrade and reinstall software for the customer. Most of the time I
>> back up less than 150 GB.
>>
>>>
>>>>>
>>>>>> I know there are a lot of fly-by-night computer repair
>>>>>> people who are just there to do a quick fix and get paid, I
>>>>>> find myself cleaning up after a lot of them.
>>>>>
>>>>> I've encountered a few of those in my time as well.... I enjoy
>>>>> the work they provide me tho.
>>>>
>>>> Me too. I especially get a kick out of the ones who don't
>>>> do backups and leave various screws out.
>>>
>>> Or, use the wrong screws and strip one of the drives :)
>>>
>>>>> Tell me something, John, as a PROFESSIONAL, have
>>>>> you written any of the tools you use for cleanup; or do you use
>>>>> the work others have written, such as myself, David Lipman and
>>>>> many others?
>>>>>
>>>>
>>>> For the record, I'm not trying to get into some pissing
>>>> contest. I was just making a suggestion as to how to fix the
>>>> problem laid out in the OP.
>>>
>>> I understand. It just seemed as if you were being a wiseass
>>> towards David, from my POV. I didn't personally see any need in
>>> doing that. We can all be professional and civil here.
>>
>> David was being a wiseass himself and I can understand why he
>> didn't respond. He seemed worried about losing data by simply
>> removing the system restore points so I naturally wondered why; a
>> backup can solve this problem. I guess he realized it was a good
>> idea so then he got snippy.
>>
>>>
>>>> I use software others have written. I'm not a software
>>>> engineer. I'm a professional computer repair person. I find that
>>>> competence in one profession such as software engineering
>>>> doesn't translate into something else like tech support. I've
>>>> been repairing computers for close to 25 years and have learned
>>>> a lot. One thing I've learned is a backup saves a lot of trouble
>>>> and allows for different approaches to be tried.
>>>
>>> Well, a backup is a good way of having an escape route should
>>> something go wrong. :) From a software aspect tho, I haven't
>>> really encountered much malware that would justify the time I
>>> spent on imaging the drive first. I wasn't in charge of billing
>>> tho, so that may have played a part in that.
>>
>> I don't work for any company; I work freelance. Like I said, most
>> backups are small and usually take from 20 minutes to a couple of
>> hours. I don't charge by the hour, I charge by the job.
>>
>>>
>>>> So tell me what products have you and David Lipman
>>>> written and where can I check them out?
>>>
>>> I've written all kinds of old utility style apps, as you've been
>>> around so long you might know a few of them.. Cmoscon, encode,
>>> delock, and various others. If you're into crypto/security, you
>>> might even know the old DOS file/freespace wiping app called NuKE
>>> and/or possibly CryptX.
>>>
>>
>> I've heard of some of those.
>>
>>> In more recent times, I developed an antimalware scanner (that's
>>> why I found your description on how they worked amusing. hehehe)
>>> called BugHunter. I did a stint as a malware researcher for an app
>>> called Malwarebytes antimalware..
>>>
>>
>> I don't know why you would find it funny because a virus writer
>> will use anything to hide a virus. What smarter way is there than to
>> hide them in each and every folder in "system volume information"? I do
>> believe that what the system had was a variant of the Virtumonde
>> trojan. If you did research on malware then you know virus writers
>> will take existing malware and modify it. I found one thing to be
>> true in the world of malware: NOBODY knows everything about every
>> malware variant out there. You can believe me or not, it doesn't
>> matter.
>>
>> John
>
> You do appreciate that Dustin Cook was once a virus writer himself,
> don't you, John?

Does it matter that much, BD? Do you feel I haven't been honest with
the fellow and so you need to remind persons of that aspect?

> There is a school of thought that suggests that once a computer has
> been compromised, one can never be *certain* that it is clean - and
> that it is always best to re-install the operating system ... on
> a formatted hard disk, wiping out all partitions first.

That school of thought does exist, yes. I don't subscribe to it tho.



--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.
From: David H. Lipman on
From: "Dustin" <bughunter.dustin(a)gmail.com>



| That school of thought does exist, yes. I don't subscribe to it tho.


It does exist. However, first you perform a Cost Benefit Analysis (CBA).


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: "FromTheRafters" erratic on
"~BD~" <BoaterDave~no.spam~@hotmail.co.uk> wrote in message
news:toGdnUklcMbUccjRnZ2dnUVZ8hgAAAAA(a)bt.com...
> ~BD~ forgot to add the link showing support for his view!
>
> http://technet.microsoft.com/en-us/library/cc512587.aspx

He added a qualifier here:

"If you have a system that has been completely compromised, the only thing
you can do is to flatten the system (reformat the system disk) and rebuild
it from scratch (reinstall Windows and your applications)."

I can agree with that. The thing is, what do you consider to be a compromise
and what do you consider to be a complete compromise?

If I discover a downloader downloaded some adware, I might just remove the
adware. If it downloaded some various and sundry other malware then the
"unknown" factor becomes prevalent - and flatten and rebuild becomes the
best route. A known trojan application for fake-AV scareware probably
doesn't require such drastic measures. If I figure the ingress vector was a
since-patched vulnerability exploit worm, I wouldn't just automatically
assume that hackers have also used that exploit's zero-day window to increase
the "unknown" factor - I would just address the worm.

Not that he's wrong; a healthy paranoia is a good security asset. The value
of the protected resource figures in heavily as well.


From: John Slade on
On 8/1/2010 2:46 PM, ~BD~ wrote:
> John Slade wrote:
>> On 8/1/2010 8:24 AM, Dustin wrote:
>>> John Slade<hhitman86(a)pacbell.net> wrote in
>>> news:i32s10$653$1(a)news.eternal-september.org:
>>>
>>>> On 7/31/2010 4:21 PM, Dustin wrote:
>>>>> John Slade<hhitman86(a)pacbell.net> wrote in
>>>>> news:L0p4o.32466$OU6.4877(a)newsfe20.iad:
>>>>>
>>>>>> On 7/29/2010 1:40 PM, David H. Lipman wrote:
>>>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>>>>
>>>>>>> | On 7/29/2010 3:24 AM, David H. Lipman wrote:
>>>>>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>>>>
>>>>>>>>> | On 7/27/2010 11:17 PM, RJK wrote:
>>>>>>>
>>>>
>>>>>
>
>>> In more recent times, I developed an antimalware scanner (that's why I
>>> found your description on how they worked amusing. hehehe) called
>>> BugHunter. I did a stint as a malware researcher for an app called
>>> Malwarebytes antimalware..
>>>
>>
>> I don't know why you would find it funny because a virus writer will use
>> anything to hide a virus. What smarter way is there than to hide them in
>> each and every folder in "system volume information"? I do believe that
>> what the system had was a variant of the Virtumonde trojan. If you did
>> research on malware then you know virus writers will take existing
>> malware and modify it. I found one thing to be true in the world of
>> malware: NOBODY knows everything about every malware variant out there.
>> You can believe me or not, it doesn't matter.
>>
>> John
>
> You do appreciate that Dustin Cook was once a virus writer himself,
> don't you, John?
>

I didn't know Dustin Cook existed until he responded for
you. But I've been reading some in alt.comp.viruses and I find
it well...interesting... If he wrote viruses then he more than
anyone should know that what I said happened is indeed possible.

> There is a school of thought that suggests that once a computer has been
> compromised, one can never be *certain* that it is clean - and that it
> is always best to re-install the operating system ... on a formatted
> hard disk, wiping out all partitions first.

That school of thought is pretty common, but I've found
that the vast majority of infected systems can be saved without
reformatting and installing. It all depends on what the malware
is and how much damage has been done. If you formatted every
infected HD at the sign of malware, very little data would be
saved unless you backed up important data.

>
> I'm just a user - but that's how I think too! ;-)
>

I'm a user and I find that backups save me a lot of
trouble. I know my HD will fail. As a repair tech, I know my
customer's HD will fail, so I back up. Some of my customers want
to save the data, so I back up before I remove malware. Some don't
care and ask me to format and install.

I've been reading some in alt.comp.virus and it's pretty
amusing.... I'm starting to understand more and more why I'm
getting the responses I'm getting... ;)

John

From: John Slade on
On 8/1/2010 3:04 PM, Dustin wrote:
> John Slade<hhitman86(a)pacbell.net> wrote in
> news:ILj5o.44119$4B7.2363(a)newsfe16.iad:
>
>> On 8/1/2010 8:24 AM, Dustin wrote:
>>> John Slade<hhitman86(a)pacbell.net> wrote in
>>> news:i32s10$653$1(a)news.eternal-september.org:
>>>
>>>> On 7/31/2010 4:21 PM, Dustin wrote:
>>>>> John Slade<hhitman86(a)pacbell.net> wrote in
>>>>> news:L0p4o.32466$OU6.4877(a)newsfe20.iad:
>>>>>
>>>>>> On 7/29/2010 1:40 PM, David H. Lipman wrote:
>>>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>>>>
>>>>>>> | On 7/29/2010 3:24 AM, David H. Lipman wrote:
>>>>>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>>>>
>>>>>>>>> | On 7/27/2010 11:17 PM, RJK wrote:
>>>>>>>
>>>>
>>>>>
>>>>>> You should know there is malware out there that will
>>>>>> trash the registry and its backup. It will require some sort of
>>>>>> reinstall to get the system back working. I found it very rare
>>>>>> that I need to do a full reformat and reinstall because of
>>>>>> malware. Some malware will also corrupt system files and when
>>>>>> you remove them with scanners, it will make the installation
>>>>>> unbootable. This is yet another reason professionals will make a
>>>>>> backup if possible before removing infections.
>>>>>
>>>>> What software do you use for the backup?
>>>>
>>>> I will either use Acronis' or Paragon's backup software
>>>> depending on the situation.
>>>>
>>>>> Are you storing the backup on
>>>>> read only media or a hard drive that could fail for any reason?
>>>>
>>>> You mean WORM (Write Once/Read Many) media, don't you? That
>>>> media can fail also. No media is perfect. I store the backup on
>>>> business or enterprise grade HDs and will transfer to other
>>>> media if the customer wants that backup. If it's a large backup
>>>> they will have to pay me for it. Tell me what software and
>>>> hardware you would use to back up your customer's HD before you
>>>> start removing malware?
>>>
>>> I haven't heard the acronym WORM in years... Damn, you have been
>>> around a long time. :) I was thinking of cd-r or perhaps dvd-r
>>> material.
>>
>> It would be OK for DVD-R if the backup is small. But
>> swapping 20 or more DVDs is a pain.
>>
>>>
>>> It depends. When I was working at a computer shop, I'd either use
>>> Norton Ghost corp edition or the hardware drive cloning device we
>>> had at the time.
>>
>> I rarely use Ghost these days; it used to be the only
>> thing I ever used.
>>
>>
>>> I really didn't see much point in cloning a malware drive
>>> for malware removal; I wasn't stupid enough to trash my backups of
>>> the registry or important files. Besides, I wrote several utilities
>>> to assist me in verifying various Windows DLL/EXE files were still
>>> intact and okay for reuse.
>>>
>>
>> Yea, that's good for you, but when you're working for
>> someone else and they have important data they want to save, I
>> will back up. Most of the time the customer doesn't have a
>> backup. A lot of times the customer has an HD that's five or six
>> years old and they really need a backup done. Then there are the
>> times when I'm working for a young person and they don't want a
>> backup, they just want the drive wiped and they want the OS
>> installed.
>
> There's your odd attitude again. What makes you think I wasn't working
> for someone else when I did those things? Obviously, since I didn't own
> the shop, I was working for someone else.

Well you made it sound like you were doing it for yourself.

>
> Btw, what certifications do you presently hold? I'm just lowly
> A+/Network+ (back when that stupid thing was still considered worth the
> paper it's printed on). Are you MCSE?
>

I took courses and wound up teaching an A+ class. A+ is a
good place to start for someone looking to get certified for
work at some company that requires that cert. I view the MCSE
certification as pretty much a money making scam. I look at MCSE
certifications as a joke in many cases because some courses just
teach people how to pass the certification test. I took a long
MCSE certification course but I never needed to be certified as
I went into business for myself. I found most of the things
covered were knowledge I already had. I also found that many MCSE
"certified" people don't know a lot. Well, they do know how to
pass that test!

I don't need any of those certifications; it's a waste of
money.


>>> We would typically reserve cloning drives for hardware failure
>>> signs. Although, a customer could have us clone a drive for a
>>> malware issue if they so desired. By default, we always copied
>>> docs, favorites, emails etc before doing anything... But, you know,
>>> different places have different policies.
>>
>> I work mostly with home users and small businesses and a
>> lot of times they have personal stuff they want to save. So I'll
>> do a quick backup of that data and then I'll do the full backup.
>> Sometimes they just want a reinstall. There are times when they
>> tell me not to back up because the data isn't important. In
>> David's response he seems worried about saving data so I
>> wondered why he wouldn't back up.
>
> I see. It's the corp customers who can be.. a bit, on the anal side at
> times. At the end of the day tho, you do whatever customer wants.
>
>>>
>>> Why do you spend the additional time to clone an entire drive for a
>>> malware removal job?
>>
>> It doesn't take that long most of the time and it's a lot
>> safer for the user's data. In most cases it actually takes
>> longer to install, upgrade and reinstall software for the
>> customer. Most of the time I back up less than 150 GB.
>
> I'm just wondering what you mean by safer for the user's data then, I
> guess. If it's a malware issue, the user's data itself shouldn't be
> affected much if at all; it's the applications and little.. extras that
> may be of concern.

It's not JUST the malware issue; I already explained that
often HDs I work on are pretty old. Also, when you start cleaning
files the system may not boot and data may be destroyed. There are
lots of reasons to back up, and that's what I learned over the years.

>
>>> I understand. It just seemed as if you were being a wiseass towards
>>> David, from my POV. I didn't personally see any need in doing that.
>>> We can all be professional and civil here.
>>
>> David was being a wiseass himself and I can understand why
>> he didn't respond. He seemed worried about losing data by simply
>> removing the system restore points so I naturally wondered why;
>> a backup can solve this problem. I guess he realized it was a
>> good idea so then he got snippy.
>
> Well, along with potentially good DLLs you might want to use to avoid
> having to reinstall come several stages of the system's registry
> hives. All valuable if you're into recovering the system, as opposed to
> wiping and starting over. I see no reason to obliterate the restore
> points right away; they still contain potentially useful data to me.
>

You may or may not have to delete restore points. It
depends on the particular malware.

> What separates some professionals from others is the ability to restore
> the system without resorting to wiping and reloading as really, anybody
> could do that. In many cases, not all, but many, you don't have to wipe
> and reload the entire system to get rid of the malware.

Yea, that's why I find making a backup allows me to make a
mistake if removing the malware causes the installation to be
trashed, and it does happen.

>
> Could you imagine, reloading the system to get rid of antivirusxp2010?
> You'd agree, that would be an incompetent action to take?

I've removed that particular infection before and didn't
need to reinstall anything.


>>>
>>>> So tell me what products have you and David Lipman
>>>> written and where can I check them out?
>>>
>>> I've written all kinds of old utility style apps, as you've been
>>> around so long you might know a few of them.. Cmoscon, encode,
>>> delock, and various others. If your into crypto/security, you might
>>> even know the old dos file/freespace wiping app called NuKE and/or
>>> possibly CryptX.
>>>
>>
>> I've heard of some of those.
>>
>>> In more recent times, I developed an antimalware scanner (that's
>>> why I found your description on how they worked amusing. hehehe)
>>> called BugHunter. I did a stint as a malware researcher for an app
>>> called Malwarebytes antimalware..
>>>
>>
>> I don't know why you would find it funny because a
>> virus writer will use anything to hide a virus. What smarter way
>> is to hide them in each and every folder in "system volume
>> information"? I do believe that what the system had was a
>> variant of the Virtumonde trojan. If you did research on malware
>> then you know virus writers will take existing malware and
>> modify it. I found one thing to be true in the world of malware,
>> NOBODY knows everything about every malware variant out there.
>> You can believe me or not, it doesn't matter.
>
> Well, I found it funny from the point of view of a former virus writer
> turned whitehat. Does that make any sense to you?

>
> Why would I spend the time to hide a virus in a folder, when I could
> choose files? You could just delete me if I stored myself in a folder
> in a binary format alone. If I reside in your files instead, I'm a lot
> harder to deal with.

Well, you could choose particular files in the restore
point folders; you could tell it to create a restore point and
infect the system files. The advantage is the malware scanner
will not clean it because it's a read only folder by default.

>
> It's entirely possible the individual does have a Virut variant, I
> haven't seen the sample to confirm or deny that. Based only on what Ant
> has written up about it tho, it doesn't seem to indicate Virut; but
> something possibly forked from the same original codebase.
>

All I remember is that the many restore points were all
infected with the same malware. Restore points that were there
before the malware was installed by the user. The malware was in
some pirated software that was installed a couple of days before
I was called.

John