

Compromised system - why reinstall?


4 replies to this topic

#1 TwinHeadedEagle

TwinHeadedEagle

  • Security Colleague
  • 352 posts
  • Gender:Male
  • Location:Serbia
  • Local time:02:37 PM

Posted 09 April 2013 - 04:49 PM

I saw in a few topics that you recommend a reinstall once a system is compromised, so I wish to ask why a reinstall is the recommended solution? Sorry if this was asked before...

 

Firstly, how would you describe a compromised system (I assume, compromised by malware)?

- compromised by malware that inserts one file (for example in the %appdata% location) and a corresponding registry entry --- Fake AV

- middle severity malware (installs a process/driver, a little harder to remove), for example Conficker, which has advanced spreading techniques

- top malware (ZeroAccess, Necurs, TDSS) that shuts down a few important services, messes with drivers, installs a hidden partition etc.

 

It is not always the case that malware uses an exploit and sneaks by undetected, infecting the system. In the majority of cases, the user is the one who opens the doors, clicking on unknown links, using an infected USB drive etc.

 

Final word, the majority of viruses can be completely removed and the system restored like it was, so I am asking why you recommend a reinstall? Thanks...




#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling
  • Local time:11:37 PM

Posted 10 April 2013 - 04:48 AM

Final word, the majority of viruses can be completely removed and the system restored like it was, so I am asking why you recommend a reinstall?

Hello -

A reinstall is only a last option for any problem, and not offered unless discussed with the person first.

Quite often the person cannot be bothered going through several days of malware removal procedures.

 

The first option given is always to use all known methods of cleaning, but many people just will not stay the length required.

You must note that a reinstall is NEVER the first option given, but always the last option given -

 

The Experts in the Malware Removal area hate to reinstall, but prefer to always rip all malware out of any system.

 

Thank you for the question -



#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,388 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:37 AM

Posted 10 April 2013 - 06:59 AM

There are no guarantees or shortcuts when it comes to malware removal, especially when dealing with backdoor Trojans, Botnets, IRCBots and rootkits. These types of infections are dangerous because they not only compromise system integrity, they have the ability to download even more malicious files. Rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They are used by backdoor Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This exploit allows them to steal sensitive information like passwords, personal and financial data, which is then sent back to the hacker.

Security vendors that claim to be able to remove rootkits and backdoor Trojans cannot guarantee that all traces of the malware will be removed as they may not find all the remnants or correct all the damage. This means infections will vary and some will cause more harm to your system than others.

That's why many experts in the security community believe that once infected with such malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:

- Reimaging the system
- Restoring the entire system using a full system backup from before the backdoor infection
- Reformatting and reinstalling the system


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

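The point above, that once a backdoor has been present you cannot know what was changed, is exactly the gap a known-good baseline closes. The following is an added example, not code from this thread or from any of its posters: it builds a file-hash manifest of a directory tree before an incident and diffs a later snapshot against it, reporting added, removed and modified files. The sample tree and the "post-incident" changes are constructed in a temporary directory. One caveat that follows from the post itself: a manifest taken on the live system goes through the same file APIs a kernel rootkit can hook, so the post-incident snapshot should be taken from a clean boot environment (offline mount), and where no pre-incident baseline or full backup exists, the only confident answer is the reimage the post describes.

```python
"""Added example: file-integrity baseline and diff (not from the thread)."""
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            path = Path(dirpath) / name
            # Skip symlinks so a link pointing outside the tree is not hashed as content.
            if path.is_symlink() or not path.is_file():
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Classify paths as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a tiny tree, simulate changes, then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "svc.dll").write_bytes(b"original dll")
        (root / "config.ini").write_text("setting=1\n")
        baseline = build_manifest(root)  # the "known-good" manifest

        # Simulated post-incident state (constructed, not real malware artifacts):
        (root / "system32" / "svc.dll").write_bytes(b"patched dll")  # modified
        (root / "system32" / "dropped.exe").write_bytes(b"payload")  # added
        (root / "config.ini").unlink()                                # removed
        current = build_manifest(root)
        return diff_manifests(baseline, current)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is stored off the host (it is only as trustworthy as the medium it sits on), and the comparison is run against a snapshot taken with the suspect OS not running.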

#4 TwinHeadedEagle

TwinHeadedEagle
  • Topic Starter

  • Security Colleague
  • 352 posts
  • Gender:Male
  • Location:Serbia
  • Local time:02:37 PM

Posted 10 April 2013 - 08:57 AM

Thanks for the detailed explanation, I got the point :)

 

I am a big opponent of reinstalling too, and I always like to try to fix it, but if it is easier to reinstall than to try to fix, then in that case a reinstall is the better solution :)


Edited by TwinHeadedEagle, 10 April 2013 - 08:57 AM.


#5 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,685 posts
  • Gender:Male
  • Local time:03:37 PM

Posted 11 April 2013 - 02:25 PM

I make full disk backups, and in case of a problem/infection, I restore the latest backup.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
