Security Incidents mailing list archives
Re: They got me!!!
From: Valdis.Kletnieks () vt edu
Date: Thu, 06 Apr 2006 12:26:14 -0400
On Thu, 06 Apr 2006 08:17:30 MDT, lucretias said:
> I would disagree with all of Susan's assumptions. Why should you rebuild if you're simply infected?
Tell me - are you willing to bet being totally 0wned again if you guess wrong on "simply infected"?
> How someone could also determine you have a rootkit installed with no analysis and the shaky details you posted, I'm not certain either.
Again, even the shaky details we have indicate a situation with a high likelihood of a rootkit being present. Proceeding as if one is present is much safer than assuming that there isn't one.
> Assuming it was bad surfing is also a bad assumption. It's highly likely that the infection was either from email or a downloaded and installed piece of software.
My money goes on a drive-by fruiting that used one of the currently known unpatched IE vulnerabilities. Anybody who goes to the length of installing fingerprint scanners will most likely have drilled into the kids: "No clicky-click the 'oooh shiny'!! Or *else*".
> A simple clean up would do the trick. Then clean the infections. I have yet to meet an infection I couldn't clean.
You willing to bet the machine's security on "the A/V id'ed it as W32-foobar, and Symantec says it alters 5 registry keys, so it can't possibly be a variant that alters 6"? Or maybe it's not W32-foobar *at all* - but some unknown malware that includes deactivated chunks of W32-foobar just to delude you into thinking that since you removed all the pieces of W32-foobar, the machine is in fact clean? You might want to consider whether "I have yet to meet an infection that I didn't convince myself was fully cleaned" is being more truthful. Did you dig out and sanitize 100% of every infection? Or just 100% of what you found?