Viruses to format or not to format...
There is usually a fine line between the time and effort it takes to get rid of a virus through manual removal and scanning and a complete format and reinstall. This article discusses additional considerations when it comes to the decision to remove or reformat.
The immediately visible nature of malware makes us focus on things such as the depth of the infection, how it got there in the first place, and the level of difficulty of the removal. However, the PRIMARY question should be "What is the primary use of the computer?", and it should be asked of ALL USERS of that system.
The following and related questions should be asked once a nasty malware or backdoor is discovered:
1. What is the computer used for?
2. Is there any confidential information about patients, customers, clients, or employees on the computer or accessible through the computer (through a VPN or ICS)?
3. Do you have personal banking or personal information on the computer?
Other considerations:
1. Legal liability for a computer that is not fully secure.
2. The cost of replacing missing Windows XP and MS Office CDs, and getting an MCSE to come in for 3 hours to do the re-install and apply all the critical updates, is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
3. Anti-virus vendors, because they are in competition, and because they charge money for their products, are highly reluctant to recommend re-formatting and re-installing. Vendor A is afraid to recommend re-formatting if vendor B claims just running his tool will clean the system.
4. To prevent further infections, it is important that suspected new malware be copied and submitted to the anti-malware vendors before systems are cleaned.
Malware variety:
1. A rootkit, a backdoor, anything that allows arbitrary code to be executed, or a remote access trojan is a big red flag.
2. If the computer was connected to the Internet for a long time with the backdoor installed, or if the malware used ICQ to actively contact hackers, then it is more likely the backdoor was used. Therefore, there is a high risk if re-formatting and re-installing is not done.
3. If the backdoor merely opens a port to listen, the risk is slightly lower.
4. If the backdoor merely opens a port to listen and the computer was behind a working firewall or NAT router, then the risk of the backdoor having been used is greatly reduced. Therefore, there is probably a much lower risk if re-formatting and re-installing is not done.
5. Most search hijackers and pop-up producing adware contain a capability for the maker to automatically update them and to add additional adware. In other words, most of them install backdoors of some sort.
6. Search hijackers and pop-up producing adware do not typically require a reformat, but there is still a risk.
From the May 5, 2004 Handler's Diary on SANS's ISC:
quote:
A reader asked why we recommend a complete rebuild of systems infected with 'sasser', given that 'sasser' is rather benign and easy to clean. The problem with 'sasser' is that it is an indicator exploit. The fact that you are infected with 'sasser' indicated that you were vulnerable to the LSASS exploit. Before sasser, a large number of bot variants exploited this vulnerability. We find that many systems infected with 'sasser' are infected with one or more bots in addition to 'sasser'. Each day, we receive several distinct 'bot' samples. Anti virus signatures are typically not able to keep up with all versions, and many 'bots' include specific code to plant backdoors, disable firewalls and anti virus products, or to add additional system accounts. Antivirus software is not able to reliably detect and clean all these bots. As a result, it is impossible to tell if any of these bots is left on your system. Only a thorough (and costly) forensics analysis by a trained specialist will provide some comfort. As a result: If you are infected by 'sasser', try to rebuild your system from scratch. For detailed instructions on setting up a new system safely, see www.sans.org/rr/papers/index.php?id=1298 (Windows XP: Surviving the first day). If you are acquiring a new system, assume it is not yet patched and use extreme care the first time you connect it to the network.
And from CERT, the other main source of professional advice on handling viruses and trojans: www.cert.org/tech_tips/win-UNIX-···ise.html
quote:
Install a clean version of your operating system
Keep in mind that if a machine is compromised, anything on that system could have been modified, including the kernel, binaries, data-files, running processes, and memory. In general, the only way to trust that a machine is free from backdoors and intruder modifications is to reinstall the operating system from the distribution media and install all of the security patches before connecting back to the network. Merely determining and fixing the vulnerability that was used to initially compromise this machine may not be enough. We encourage you to restore your system using known clean binaries. In order to put the machine into a known state, you should re-install the operating system using the original distribution media.
Based on the above answers, plus the nature of ALL the malware found, plus any direct access the hacker had to the computer, we can decide whether or not to reformat. The reformat option should ALWAYS be considered in all infection cases.
"The experts at CERT and SANS don't think an on-site team of certified, trained and experienced professionals can reliably clean a system that has had a backdoor installed, up to the standards of everyday commercial and institutional use. So how can one expect to do that long distance?" (dslreports)
The reformat process:
Some Re-installation Notes:
* All data is backed up before re-formatting the computer's hard drive. This includes address books, documents, music, settings, saved games, and anything else not obsolete. The re-format process will wipe the computer's hard drive clean, destroying all data and programs.
* PCs are made so they can be reformatted. But sometimes, especially with major brand-name computers, there are special procedures that require reading the manual, visiting the manufacturer's website, or, if the manufacturer has gone out of business, searching on www.google.com. Some computers have the BIOS or re-installation software in small partitions on the hard drive.
* Some computers require special drivers which are downloadable from the computer manufacturer's or vendor's website or the device manufacturer's website. An uninfected computer is used to download these files to diskettes or a CD, and to print out the installation instructions, in advance.
* The CDs, diskettes, and Internet addresses needed to re-install the software are gathered.
* Any programs you will need to secure the computer are downloaded on an uninfected computer prior to re-formatting.
* The computer is physically unplugged from the Internet before re-formatting, and stays unplugged until it is protected by a firewall.
* An unpatched computer without proper firewall protection can be infected within seconds of being connected to the Internet. The computer must be protected by a hardware firewall, NAT router, or a software firewall before plugging it back in to the Internet.
* When installing from a Windows XP SP2 CD, the installation will default to having the Windows XP SP2 Firewall activated, so the hazard is greatly reduced. With earlier service packs of Windows XP and earlier versions of Windows, the firewall must be turned on manually.
* Assistance on re-installing operating systems is available from the FAQs on the "Links" pull-down menu here: BBR Microsoft Forum
* Windows Update is run to install all service packs and critical updates, and to update your anti-virus and other security products, before using the computer to do anything else.
New York Times article, Terminating spyware with extreme prejudice: http://www.nytimes.com/2004/12/30/technology/circuits/30hard.html?pagewanted=2&_r=1
Reference: http://www.dslreports.com/faq/10063
The decision to reformat will ultimately be made by the user, not the technician.
