Recovery from malware? Don't even think about it!

eWeek has a very interesting article on what Microsoft thinks of malware and what its customers should do in case of infection. Let's get straight to the conclusion: once you get infected, Microsoft thinks recovery becomes impossible. So they are advising their customers to invest in automated processes to wipe the hard drives of infected machines and reinstall everything.

Sound advice, but how do you exclude the infection vector from the reinstallation process while keeping the operating system and the applications running smoothly? Or do we just reinstall, protect our machines with Holy Water(tm) until Patch Day (if there is a patch in the first place), then wait at least 15 days to check that the patch doesn't break business before deploying it?

Oh, you said user education? Good, let's see how the average user will cope with stuff such as ActiveX controls, Browser Helper Objects, DCOM and the like. Don't get me wrong. User education is very important, but it ain't no magic bullet, particularly if the system and applications they are using are screwed. For instance, what do we teach users regarding the latest Internet Explorer 0day? Do we tell them once more to stop using Internet Explorer and use Firefox? C'mon! Think about it. Will we end up with a huge list of "application : alternative" pairs and switch to this or that whenever a vulnerability shows up? Don't you think something smells really, really bad here?

According to eWeek, Mike Danseglio, program manager in the Security Solutions group at Microsoft, said:

"Detection is difficult, and remediation is often impossible," Danseglio declared. "If it doesn't crash your system or cause your system to freeze, how do you know it's there? The answer is you just don't know. Lots of times, you never see the infection occur in real time, and you don't see the malware lingering or running in the background."

100% true. So what does Microsoft do about it? Is this an externality to them? Does it impact shareholder value in any way?

And about targeted attacks:

Danseglio said malicious hackers are conducting targeted attacks that are "stealthy and effective" and warned that the for-profit motive is much more serious than even the destructive network worms of the past.

So much for penetrate&patch.

But the software is not the only one to blame here:

"Social engineering is a very, very effective technique. We have statistics that show significant infection rates for the social engineering malware. Phishing is a major problem because there really is no patch for human stupidity," he said.

So far, so bad. Microsoft won't do anything really significant about it as long as this doesn't significantly impact shareholder value. Every piece of advice Mr. Danseglio gave incurs investments from the customers. No news there: it's an externality for Microsoft.