funsec mailing list archives

Re: idea


From: Rich Kulawiec <rsk () gsp org>
Date: Sun, 4 Jan 2009 08:27:39 -0500

On Sat, Jan 03, 2009 at 04:27:03PM -0700, Ben Li wrote:
> It would be great to have that as a problem, since that means the AV app
> is running on the infected machine. If I can get my resolver on to the
> infected machine, I can also get an AV app on to the machine.

None of which matters.

A compromised machine is enemy territory.  It no longer belongs to
its putative owner, and everything it does from that point forward
is done at the pleasure of its new owners. [1]  Nothing it does
can be trusted.

So it doesn't matter how clever you (or anyone else) are with AV apps
and resolvers and DNSSEC and everything else.  You cannot overcome this
no matter what you do, because you cannot guarantee that the system is
actually executing the instructions you intend it to execute.  (Note that
it's quite capable of doing one thing and claiming to do another. [2])

You can *hope* it's executing the instructions you want it to,
but "hope" is a poor security strategy.

There is only one fix for this: wipe and reinstall.

---Rsk

[1] I use the plural because systems which are leased out in bulk might
have a succession of new owners.

[2] I think it's only a matter of time until malware takes advantage
of virtualization technology to create an instance of the host OS
and sandbox the former owner into it, while maintaining control
of the "real" OS.  "But my machine isn't infected" the former owner
will say, and in a virtual sense, he/she will be correct.  This is
yet another reason why wipe-and-reboot-from-known-good-media is essential.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.