From: glee on 13 Mar 2010 19:18

"Daave" <daave(a)example.com> wrote in message news:Osej4ZwwKHA.4532(a)TK2MSFTNGP05.phx.gbl...
> philo wrote:
>> Daave wrote:
>>> philo wrote:
>>>> PA Bear [MS MVP] wrote:
>>>>> philo wrote:
>>>>> <snip>
>>>>>> About a year ago I repaired a machine that had been compromised.
>>>>>>
>>>>>> It had been used for on-line banking and credit card transactions and two accounts had been hacked.
>>>>>>
>>>>>> First thing I did was scan for root kits in all the places one would expect.
>>>>>>
>>>>>> Nothing found.
>>>>>>
>>>>>> After giving the machine a thorough scan... the root kit was found "hiding" in the restore volume!
>>>>> So what? That "restore volume" wasn't active & posed no threat unless you or the user selected that particular Restore Point.
>>>>
>>>> You missed the point entirely..
>>>>
>>>> the root kit was able to "phone home" from within the restore volume.
>>>>
>>>> those Russian chaps are rather clever
>>>
>>> If the rootkit was phoning home, it was doing so from a location other than the restore volume. Just because you are unable to detect it doesn't mean it isn't there!
>>
>> I'll answer the both of you here:
>>
>> Wrong
>
> Unsubstantiated.
>
> It has already been established that certain rootkits are next-to-impossible to detect.
>
> The rootkit that you say was "hiding" in the restore point obviously wasn't hidden! However, the rootkit very likely remained in the system (the restore volume doesn't count unless you use SR, using that particular restore point), hidden from you. And your situation is not the only one.

Exactly. The only reason the rootkit can be detected in the restore points IS because it is INACTIVE. The whole mode of operation of a root kit (especially recent ones) is to be undetectable from within Windows. Current root kits will not be detected by root kit scanners that run from within Windows. Often a file will be detected as the root kit because it was put there as a decoy by the root kit. Current root kits infect system files and are literally undetectable unless a scan is done from outside Windows (while Windows is not booted, IOW).

--
Glen Ventura, MS MVP Oct. 2002 - Sept. 2009 A+
http://dts-l.net/
From: Daave on 13 Mar 2010 19:20

glee wrote:
> "Daave" <daave(a)example.com> wrote in message news:Osej4ZwwKHA.4532(a)TK2MSFTNGP05.phx.gbl...
>> philo wrote:
>>> Daave wrote:
>>>> philo wrote:
>>>>> PA Bear [MS MVP] wrote:
>>>>>> philo wrote:
>>>>>> <snip>
>>>>>>> About a year ago I repaired a machine that had been compromised.
>>>>>>>
>>>>>>> It had been used for on-line banking and credit card transactions and two accounts had been hacked.
>>>>>>>
>>>>>>> First thing I did was scan for root kits in all the places one would expect.
>>>>>>>
>>>>>>> Nothing found.
>>>>>>>
>>>>>>> After giving the machine a thorough scan... the root kit was found "hiding" in the restore volume!
>>>>>> So what? That "restore volume" wasn't active & posed no threat unless you or the user selected that particular Restore Point.
>>>>>
>>>>> You missed the point entirely..
>>>>>
>>>>> the root kit was able to "phone home" from within the restore volume.
>>>>>
>>>>> those Russian chaps are rather clever
>>>>
>>>> If the rootkit was phoning home, it was doing so from a location other than the restore volume. Just because you are unable to detect it doesn't mean it isn't there!
>>>
>>> I'll answer the both of you here:
>>>
>>> Wrong
>>
>> Unsubstantiated.
>>
>> It has already been established that certain rootkits are next-to-impossible to detect.
>>
>> The rootkit that you say was "hiding" in the restore point obviously wasn't hidden! However, the rootkit very likely remained in the system (the restore volume doesn't count unless you use SR, using that particular restore point), hidden from you. And your situation is not the only one.
>
> Exactly. The only reason the rootkit can be detected in the restore points IS because it is INACTIVE. The whole mode of operation of a root kit (especially recent ones) is to be undetectable from within Windows. Current root kits will not be detected by root kit scanners that run from within Windows. Often a file will be detected as the root kit because it was put there as a decoy by the root kit. Current root kits infect system files and are literally undetectable unless a scan is done from outside Windows (while Windows is not booted, IOW).

Very good explanation!
From: philo on 13 Mar 2010 22:59

Daave wrote:
> philo wrote:
>> Daave wrote:
>>> philo wrote:
>>>> PA Bear [MS MVP] wrote:
>>>>> philo wrote:
>>>>> <snip>
>>>>>> About a year ago I repaired a machine that had been compromised.
>>>>>>
>>>>>> It had been used for on-line banking and credit card transactions and two accounts had been hacked.
>>>>>>
>>>>>> First thing I did was scan for root kits in all the places one would expect.
>>>>>>
>>>>>> Nothing found.
>>>>>>
>>>>>> After giving the machine a thorough scan... the root kit was found "hiding" in the restore volume!
>>>>> So what? That "restore volume" wasn't active & posed no threat unless you or the user selected that particular Restore Point.
>>>>
>>>> You missed the point entirely..
>>>>
>>>> the root kit was able to "phone home" from within the restore volume.
>>>>
>>>> those Russian chaps are rather clever
>>> If the rootkit was phoning home, it was doing so from a location other than the restore volume. Just because you are unable to detect it doesn't mean it isn't there!
>>
>> I'll answer the both of you here:
>>
>> Wrong
>
> Unsubstantiated.
>
> It has already been established that certain rootkits are next-to-impossible to detect.
>
> The rootkit that you say was "hiding" in the restore point obviously wasn't hidden! However, the rootkit very likely remained in the system (the restore volume doesn't count unless you use SR, using that particular restore point), hidden from you. And your situation is not the only one.

I used the word "hiding" as I needed to scan the drive from another system to detect it.

The rootkit was designed to operate from within the restore volume.

It's people such as you who think their machines are secure that are vulnerable to the hackers.

Ignorance is bliss as they say.. dream on.
From: glee on 14 Mar 2010 00:05

"philo" <philo(a)privacy.net> wrote in message news:ucqdnVpQZICtwgHWnZ2dnUVZ_tOdnZ2d(a)ntd.net...
> Daave wrote:
>> philo wrote:
>>> Daave wrote:
>>>> philo wrote:
>>>>> PA Bear [MS MVP] wrote:
>>>>>> philo wrote:
>>>>>> <snip>
>>>>>>> About a year ago I repaired a machine that had been compromised.
>>>>>>>
>>>>>>> It had been used for on-line banking and credit card transactions and two accounts had been hacked.
>>>>>>>
>>>>>>> First thing I did was scan for root kits in all the places one would expect.
>>>>>>>
>>>>>>> Nothing found.
>>>>>>>
>>>>>>> After giving the machine a thorough scan... the root kit was found "hiding" in the restore volume!
>>>>>> So what? That "restore volume" wasn't active & posed no threat unless you or the user selected that particular Restore Point.
>>>>>
>>>>> You missed the point entirely..
>>>>>
>>>>> the root kit was able to "phone home" from within the restore volume.
>>>>>
>>>>> those Russian chaps are rather clever
>>>> If the rootkit was phoning home, it was doing so from a location other than the restore volume. Just because you are unable to detect it doesn't mean it isn't there!
>>>
>>> I'll answer the both of you here:
>>>
>>> Wrong
>>
>> Unsubstantiated.
>>
>> It has already been established that certain rootkits are next-to-impossible to detect.
>>
>> The rootkit that you say was "hiding" in the restore point obviously wasn't hidden! However, the rootkit very likely remained in the system (the restore volume doesn't count unless you use SR, using that particular restore point), hidden from you. And your situation is not the only one.
>
> I used the word "hiding" as I needed to scan the drive from another system to detect it.
>
> The rootkit was designed to operate from within the restore volume.
>
> It's people such as you who think their machines are secure that are vulnerable to the hackers.
>
> Ignorance is bliss as they say.. dream on.

Oh really? Name the rootkit that you claim was active and running from inside a restore point. Name it, please....because everyone working for every anti-malware company and every malware removal forum in existence around the world would love to know which rootkit can do this...there is no documentation anywhere that such a rootkit exists or is even possible.

--
Glen Ventura, MS MVP Oct. 2002 - Sept. 2009 A+
http://dts-l.net/
From: Daave on 14 Mar 2010 00:42

philo wrote:
> Daave wrote:
>> philo wrote:
>>> Daave wrote:
>>>> philo wrote:
>>>>> PA Bear [MS MVP] wrote:
>>>>>> philo wrote:
>>>>>> <snip>
>>>>>>> About a year ago I repaired a machine that had been compromised.
>>>>>>>
>>>>>>> It had been used for on-line banking and credit card transactions and two accounts had been hacked.
>>>>>>>
>>>>>>> First thing I did was scan for root kits in all the places one would expect.
>>>>>>>
>>>>>>> Nothing found.
>>>>>>>
>>>>>>> After giving the machine a thorough scan... the root kit was found "hiding" in the restore volume!
>>>>>> So what? That "restore volume" wasn't active & posed no threat unless you or the user selected that particular Restore Point.
>>>>>
>>>>> You missed the point entirely..
>>>>>
>>>>> the root kit was able to "phone home" from within the restore volume.
>>>>>
>>>>> those Russian chaps are rather clever
>>>> If the rootkit was phoning home, it was doing so from a location other than the restore volume. Just because you are unable to detect it doesn't mean it isn't there!
>>>
>>> I'll answer the both of you here:
>>>
>>> Wrong
>>
>> Unsubstantiated.
>>
>> It has already been established that certain rootkits are next-to-impossible to detect.
>>
>> The rootkit that you say was "hiding" in the restore point obviously wasn't hidden! However, the rootkit very likely remained in the system (the restore volume doesn't count unless you use SR, using that particular restore point), hidden from you. And your situation is not the only one.
>
> I used the word "hiding" as I needed to scan the drive from another system to detect it.
>
> The rootkit was designed to operate from within the restore volume.

Please provide documentation.