From: philo on 13 Mar 2010 05:25

PA Bear [MS MVP] wrote:
> philo wrote:
> <snip>
>> About a year ago I repaired a machine that had been compromised.
>>
>> It had been used for on-line banking and credit card transactions
>> and two accounts had been hacked.
>>
>> First thing I did was scan for root kits in all the places one would
>> expect.
>>
>> Nothing found.
>>
>> After giving the machine a thorough scan...
>> the root kit was found "hiding" in the restore volume!
>
> So what? That "restore volume" wasn't active & posed no threat unless
> you or the user selected that particular Restore Point.
>

You missed the point entirely..

the root kit was able to "phone home"
from within the restore volume.

those Russian chaps are rather clever
From: PA Bear [MS MVP] on 13 Mar 2010 11:30

philo wrote:
>> <snip>
>>> About a year ago I repaired a machine that had been compromised.
>>>
>>> It had been used for on-line banking and credit card transactions
>>> and two accounts had been hacked.
>>>
>>> First thing I did was scan for root kits in all the places one would
>>> expect.
>>>
>>> Nothing found.
>>>
>>> After giving the machine a thorough scan...
>>> the root kit was found "hiding" in the restore volume!
>>
>> So what? That "restore volume" wasn't active & posed no threat unless
>> you or the user selected that particular Restore Point.
>
> You missed the point entirely..
>
> the root kit was able to "phone home"
> from within the restore volume.

Sez who?
From: Daave on 13 Mar 2010 15:55

philo wrote:
> PA Bear [MS MVP] wrote:
>> philo wrote:
>> <snip>
>>> About a year ago I repaired a machine that had been compromised.
>>>
>>> It had been used for on-line banking and credit card transactions
>>> and two accounts had been hacked.
>>>
>>> First thing I did was scan for root kits in all the places one would
>>> expect.
>>>
>>> Nothing found.
>>>
>>> After giving the machine a thorough scan...
>>> the root kit was found "hiding" in the restore volume!
>>
>> So what? That "restore volume" wasn't active & posed no threat
>> unless you or the user selected that particular Restore Point.
>>
>
>
> You missed the point entirely..
>
> the root kit was able to "phone home"
> from within the restore volume.
>
> those Russian chaps are rather clever

If the rootkit was phoning home, it was doing so from a location other than the restore volume. Just because you are unable to detect it doesn't mean it isn't there!
From: philo on 13 Mar 2010 16:46

Daave wrote:
> philo wrote:
>> PA Bear [MS MVP] wrote:
>>> philo wrote:
>>> <snip>
>>>> About a year ago I repaired a machine that had been compromised.
>>>>
>>>> It had been used for on-line banking and credit card transactions
>>>> and two accounts had been hacked.
>>>>
>>>> First thing I did was scan for root kits in all the places one would
>>>> expect.
>>>>
>>>> Nothing found.
>>>>
>>>> After giving the machine a thorough scan...
>>>> the root kit was found "hiding" in the restore volume!
>>> So what? That "restore volume" wasn't active & posed no threat
>>> unless you or the user selected that particular Restore Point.
>>>
>>
>>
>> You missed the point entirely..
>>
>> the root kit was able to "phone home"
>>
>> from within the restore volume.
>>
>> those Russian chaps are rather clever
>
> If the rootkit was phoning home, it was doing so from a location other
> than the restore volume. Just because you are unable to detect it
> doesn't mean it isn't there!
>

I'll answer the both of you here:

Wrong
From: Daave on 13 Mar 2010 18:39

philo wrote:
> Daave wrote:
>> philo wrote:
>>> PA Bear [MS MVP] wrote:
>>>> philo wrote:
>>>> <snip>
>>>>> About a year ago I repaired a machine that had been compromised.
>>>>>
>>>>> It had been used for on-line banking and credit card transactions
>>>>> and two accounts had been hacked.
>>>>>
>>>>> First thing I did was scan for root kits in all the places one
>>>>> would expect.
>>>>>
>>>>> Nothing found.
>>>>>
>>>>> After giving the machine a thorough scan...
>>>>> the root kit was found "hiding" in the restore volume!
>>>> So what? That "restore volume" wasn't active & posed no threat
>>>> unless you or the user selected that particular Restore Point.
>>>>
>>>
>>>
>>> You missed the point entirely..
>>>
>>> the root kit was able to "phone home"
>>>
>>> from within the restore volume.
>>>
>>> those Russian chaps are rather clever
>>
>> If the rootkit was phoning home, it was doing so from a location other
>> than the restore volume. Just because you are unable to detect it
>> doesn't mean it isn't there!
>>
>
>
> I'll answer the both of you here:
>
> Wrong

Unsubstantiated.

It has already been established that certain rootkits are next-to-impossible to detect. The rootkit that you say was "hiding" in the restore point obviously wasn't hidden! However, the rootkit very likely remained in the system (the restore volume doesn't count unless you use SR, using that particular restore point), hidden from you.

And your situation is not the only one.