Security Basics mailing list archives

RE: computer with rootkit?

From: Dan Lynch <DLynch () placer ca gov>
Date: Thu, 29 Sep 2011 16:54:47 -0700

-----Original Message-----
From: Jamie Ivanov [mailto:jamie.ivanov () gmail com] 
Sent: Thursday, September 29, 2011 3:01 PM

Do what you will and I will continue reverse engineering and 
fixing them. Ignore the fact that they can be fixed and it's 
not that difficult for seasoned malware specialists. In the 
end, not my problem, but the companies I work for will 
continue to reap the benefits of my work. :)


You may have missed the point being made here. Unless you're being paid specifically to deconstruct malware, you're 
spending unnecessary time "repairing" machines that are more efficiently and effectively simply rebuilt. In a minority 
of cases, the infection is simple enough to remove quickly and with a fair amount of certainty. And in a minority of 
cases will it take hours to re-image, push patches, etc. 

Most companies of any size have a standard install image that can be dropped on a machine in a matter of minutes. Even 
downloading and burning the latest Hiren ISO takes longer than imaging a PC if your image is kept up to date. 

Further, Angar's earlier point still stands: without a complete baseline of the system, you CAN NOT remove a root kit 
and its associated malware with any certainty. Do you have MD5 hashes of every file? 

If there's nothing of value on the machine but a few docs and spreadsheets, recover them offline, scan them, and image 
the box.

Apparently I've stepped on some egos.


Hmmm. Your first post in this thread is maybe a little pompous, certainly antagonistic, and directly insulting to a 
number of other posters. Expect a bit of push back.


Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Current thread:

RE: computer with rootkit?, (continued)
- - - RE: computer with rootkit? Steven Marco (Modern Compliance Solutions) (Sep 29)
- Re: computer with rootkit? Jamie Ivanov (Sep 28)
- RE: computer with rootkit? Brian Rogalski (Sep 29)
  - Re: computer with rootkit? Jamie Ivanov (Sep 29)
    - Re[2]: computer with rootkit? Adam Pal (Sep 29)
    - Re: Re[2]: computer with rootkit? Jamie Ivanov (Sep 29)
    - RE: computer with rootkit? Dan Lynch (Sep 29)
    - Re: computer with rootkit? Jamie Ivanov (Sep 29)
    - RE: computer with rootkit? Joe DeMarco (Sep 29)
    - Re: computer with rootkit? Jamie Ivanov (Sep 29)
    - RE: computer with rootkit? Dan Lynch (Sep 30)
    - Re: computer with rootkit? Security (Sep 30)
    - Re: computer with rootkit? Jeff Stebelton (Sep 30)
    - Re: computer with rootkit? Ansgar Wiechers (Sep 29)
    - Re: computer with rootkit? Jamie Ivanov (Sep 29)
    - Re: computer with rootkit? Ansgar Wiechers (Sep 29)
    - RE: computer with rootkit? Mikesch, David A (Sep 30)
    - Re: computer with rootkit? Francois Yang (Sep 29)
    - Re: computer with rootkit? rogue5 (Sep 29)