On Fri, 29 Jun 2007 11:10:02 -0700, Dharmesh
> I have observed that if someone installs spy software on our computer without us knowing,
> it's not possible to detect that software, as it runs in
> stealth mode.
That's the effect, though it's a bit more complicated than "Stealth=1"
> Did Microsoft think about this matter, as this is the biggest threat to a user if
> he/she does not know that someone has installed spy software on their
> computer?
No, they don't seem to have thought it through in the required depth.
The notion is still "Windows is so secure, it won't get infected if
you Do The Right Things. There's no need to worry about how to clean
infected PCs, when they won't ever get infected. If they do, 'just'
wipe and rebuild; that's the only way out".
Even when it should be manifestly obvious that PCs do get infected,
and users are not going to 'just' wipe and rebuild every time they
think they may be infected. Even when bot-netted Windows PCs carry
95% of the world's spam, the clue is... not there.
The problem is much larger than the PCs that are infected, if you
cannot even reliably determine whether a PC *is* infected. It enlarges
every PC that *may* be infected; must all of these 'just' be wiped and
re-installed, too? How about malware that causes no signs to suggest
its presence, as most are designed to do? Should we wipe *all* PCs
every now and then, just in case? That's the absurd end-point.
> Does Microsoft have any solution for this kind of scenario where a user can
> detect this kind of software if it is running on their computer?
Only semi-assed tips like "try from Safe Mode" (and then if you point
out that Safe Mode isn't safe because it also runs 3rd-party
integrations, they say "oh it was never intended to be malware-safe").
You can try using rootkit detectors that look for "live" behavior,
which is like poking a stick at a shape to see if it's a tiger, but...
I dunno... it's obvious to me that whatever software runs first, has
the opportunity to smite down anything that tries to run later to
attack it. After all, would you rather be in the warplane taxiing to
take off, or the warplane above dropping bombs? Would you rather be
the crook in the shadows with gun drawn, or the homeowner shining in
torch from a backlit doorway? Get a ^%$n clue, I'd say.
In Win9x, it was OK because you could always boot DOS mode off a
diskette, and run a DOS av from there.
But you can't do that for an OS that forces you to use NTFS, installed
on a HD that is over 137G in size.
What to use as a maintenance OS, from which to operate on your
installation "under anaesthetic" (no embedded malware code running)?
In XP, the emerged standard is Bart PE, an independent development
offered free that works well, but requires the user to have done quite
a bit of how-to research, downloading, etc.
In Vista, MS does at last open up WinPE 2.0 availability to users who
aren't huge OEMs or corporate IT gods; in fact, it's built into your
Vista DVD (if you got one, i.e. weren't a victim of the same big OEMs
for which WinPE was crafted).
The trouble is, WinPE's been restricted for years of Bart development,
so no-one's written much to work with it. The original WinPE team are
late to the party, still thinking along "WinPE is for Pre-Install OS
setup" tramlines. So getting av tools to work from it is not as easy
as Bart, plus there's no equivalent to the RunScanner plugin for Bart
that allows registry-aware tools to operate as if the HD's inactive
registry hives are in effect. In fact, WinPE lacks Bart's
well-documented mechanisms for plugging in tools.
> If yes then please let me know, as I am a victim of this scenario, and lots of
> private information has been stolen, which has caused me huge damage in my
> business.
Nasty. The first things I'd do are:
- disconnect your PC off all networks and switch it off
- get a spare HD or two
- image the entire HD to one of these HDs
- lock up the original HD in a safe
- try to get "legal wrap" around all of the above (evidence)
- rebuild the system on the 2nd spare HD
- patch and protect this before putting it online
- the 3rd HD is for casual forensic workup
- always clone this 3rd HD before doing anything with it
- keep the original as court evidence
> I am using Vista Ultimate, which is marketed as the most secure operating
> system.
Yeah - aren't they all? It may even be true, until the attacks start.
Then again, an OS that gets "owned" 5% of the time instead of 15% of
the time, isn't safe enough if you're one of the 5%.
-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
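The acquisition steps in the reply above (image the whole drive, lock up the original, work only on clones), as an added example that is not part of the original thread: a POSIX shell script that images a drive with dd and logs SHA-256 hashes of source and image so the copy can later be shown to match the original. It assumes a Linux userland (dd, sha256sum, mktemp) and uses a constructed 1 MiB file in place of a real device node.

```shell
#!/bin/sh
# Added example, not code from the original post: image a drive and record
# hashes so the working copy can be shown to match the original.
# Assumes a Linux userland with dd, sha256sum, mktemp and head; the "drive"
# made by make_sample_drive is a constructed file standing in for a real
# device node such as /dev/sdb, which is the only thing you would swap in.
set -eu

# make_sample_drive PATH: constructed 1 MiB stand-in for a raw disk, a whole
# number of 512-byte sectors so the image below needs no tail padding.
make_sample_drive() {
    head -c 1048576 /dev/urandom > "$1"
}

# acquire_image SOURCE IMAGE LOG: read SOURCE once with dd into IMAGE, hash
# both, append the hashes to LOG, and return 0 only if they match.
acquire_image() {
    src=$1; img=$2; log=$3
    # noerror,sync keeps reading past bad sectors and zero-fills them, so a
    # damaged drive still yields a full-length image. bs must be the sector
    # size (or divide the device size) or sync pads the final block.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s source=%s sha256=%s\n' "$stamp" "$src" "$src_hash" >> "$log"
    printf '%s image=%s sha256=%s\n' "$stamp" "$img" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# Demo on the constructed drive; the image, not the original, is what you
# then go on to examine (clone it again before each working session).
work=$(mktemp -d)
make_sample_drive "$work/drive.raw"
if acquire_image "$work/drive.raw" "$work/drive.img" "$work/custody.log"; then
    echo "image verified; hashes logged in $work/custody.log"
else
    echo "hash mismatch: do not trust $work/drive.img" >&2
fi
```

The original drive is only ever read here; the log of matching hashes is what lets you later show that the copy you examined is the same as the one locked in the safe.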