On Sun, 8 Jan 2006 14:19:38 -0700, "Wesley Vogel"
> I agree use online scanners to check, not remove, unless removal can be done
> in Normal Mode.
My take on online scanners is that they are unsafe to use from within
an infected OS. If you think about why, it should be obvious.
I do see value in online scanners, but only where you are not trying
to scan the whole system (i.e. you upload a particular file to be
scanned), and/or are not running the infected installation.
For an example of the latter, you might drop the infected HD into a
clean XP system as a second HD, then scan the HD from the uninfected
OS using an on-line scanner. Safety rests on the malware not being
auto-run by the host OS, especially given this OS is writable.
A stronger approach is to use a read-only OS to host the process, such
as Bart PE CDR boot. That works without having to pull out the HD,
but it's not easy keeping Bart patched up, and Bart has no firewall,
so what you gain in read-only protection, you lose in possible direct
network exploitability. Tricky call.
> If you access an online scanner in Safe Mode with Networking you're liable
> to get even more crap than what you're trying to remove.
For the same reason as Bart can be infected, i.e. resident defences
are not running, plus you're still running the infected OS - and when
it comes to malware, "Safe Mode" isn't (safe enough).
> On Sunday, 30 January, 2005 I tried Safe Mode with Networking and made
> notes; that's how I know when I tried it.
> ZoneAlarm (ver: 3.7.211.0) didn't start and AVG7 didn't start.
By design, Safe Mode suppresses many integration points. In this
case, that suppression has knocked out the av and the firewall.
Unfortunately, Safe Mode still allows other integrations, any of which
can be used by the malware you are after. Hence, "Safe Mode Isn't".
> Safe Mode with Networking might be fine if all you are accessing is *your*
> network.
...and that network is not infected.
Earlier, I asserted that online scanning was unfit for use from an
infected system. Do I have to explain why? I will, anyway...
When you run an infected installation normally, it's almost certain
the malware is running too. This is less certain in Safe Mode, but
you cannot assume this degree of safety.
Malware can re-direct Internet access (specifically, domain name
resolution) in active and passive ways, i.e. either by patching into
the process and altering what happens, or by setting values in HOSTS to
statically re-direct access. The latter effect may persist even if
the malware is not running in Safe Mode.
Malware can often intercept known defense tools and URLs when these
are running, aside from the DNS thing.
When you run an online scan, you are allowing the web site to drop and
run code on your system, while you are connected to that site. That
means your defenses against that site are quite low. Not only that,
but you expect the process to scan the inside of every file on the
system - which is an unrivalled data-fishing opportunity. In what
other context would you sit quietly by while all files are inspected?
So posing as an "online scanning site" is unrivalled SE, too.
So a malware could re-direct access to that site to a look-alike site
that may indeed "scan your files" using a pattern-matching engine -
but the patterns sought may be passwords, CC and SN numbers,
demographic info, etrading history, email addresses to spam, in short
anything required for profiling and/or identity theft.
And instead of "cleaning the malware" from files and registry, this
process could break down defenses and settings, and drop new malware
into place - perhaps something brand-new and hand-crafted, so that
resident av wouldn't detect it - given that this is a live web site
that can be updated in real time, way ahead of av updates.
Are the dots joined yet?
---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
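A defender-side check for the static HOSTS redirection described above, added here as an example and not part of the original post. The HOSTS content, the domain names and the watchlist are constructed placeholders; the check parses a HOSTS file and reports whether each watched security-vendor hostname has been pinned to a loopback/null address (silently blocked) or to a routable address (redirected to a look-alike).

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample HOSTS file content (not taken from any real system).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries below are typical of a hijack: vendor sites pinned to other addresses
203.0.113.17    update.example-av.invalid www.example-av.invalid   # redirect
0.0.0.0         ads.example.invalid
127.0.0.1       scanner.example-vendor.invalid                     # block
"""

# Hypothetical watchlist: hostnames a defender expects to resolve via DNS,
# never via a static HOSTS entry.
WATCHLIST = {
    "update.example-av.invalid",
    "www.example-av.invalid",
    "scanner.example-vendor.invalid",
}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) per entry; '#' comments and blanks are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue  # blank, comment-only, or malformed line
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def classify_pin(addr: str) -> str:
    """Loopback or unspecified (0.0.0.0 / ::) pins block a site; anything else redirects it."""
    ip = ipaddress.ip_address(addr)
    return "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"


def suspicious_entries(text: str, watchlist) -> Dict[str, Tuple[str, str]]:
    """Map each watchlisted hostname found in HOSTS to (kind, address)."""
    hits = {}
    for addr, names in parse_hosts(text):
        try:
            kind = classify_pin(addr)
        except ValueError:
            continue  # not an IP address at all; skip the malformed line
        for name in names:
            if name in watchlist:
                hits[name] = (kind, addr)
    return hits
```

Either kind of hit means a scan launched from this installation cannot be trusted to reach the real vendor site, which is the failure the post warns about.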