Saturday, May 13, 2006
Where to look for malware traces in Windows
Roger Grimes, the Foundstone guy, put up a table from his upcoming book listing places malware can modify to hide itself or to do damage.
There are more than 180 of them.
Think that through. Suppose you're doing thorough incident response. Suppose you are so good that you can display, read, check, and correct every single one of those places in ten seconds (hah). Then an incident response would take 30 hours.
One feasible approach is to delete the malware's executables and, when you find symptoms of them, fix the side effects, such as web search redirection, that can persist after the executables are removed.
The second approach, which Microsoft now recommends, is the same advice Ripley had in _Aliens_: "I say we take off and nuke the entire site from orbit. It's the only way to be sure." Wipe the hard disk and reinstall from scratch.