Open Source and information security mailing list archives
Message-ID: <e92364c3041229062865863443@mail.gmail.com>
From: jftucker at gmail.com (James Tucker)
Subject: List of worm and trojan files

> > Assuming the attacker is competent, the only way to "clean" a deeply
> > compromised machine is to reformat the drive and start from scratch.
> > The truly paranoid will question whether just formatting the drive is
> > sufficient.

I would agree with this. W95.CIH was one such virus for which formatting
the drive alone was not sufficient, and it managed to achieve a lot of
damage due to its dormant nature.
(http://www.symantec.com/avcenter/venc/data/cih.html)

These types of virus are not very common.
 
> One of the definitions of insanity: "Doing the same thing and
> expecting a different result". Therefore, it's certifiably insane to
> reload the system (to the previous state) and expect it to not be
> reinfected. =)

I would agree with this too.

Common sense would surely suggest combining such things? ;-)
So maybe find out where the infection came from, then rebuild
preventing that next time.

As for the specific problem, many module-based viruses may be hard to
find with Sysinternals tools, more so for the less initiated than
for the experienced (without familiarity there are over 1000 modules to
look up, and that's just the common ones).

The best methods for native (non-rebuild) removal (in my experience)
are either a BartPE boot disk or a boot into [safe mode with command
prompt] (specifically with the command prompt; we don't want to load
Explorer) with access to a clean virus scanner (it is sometimes not
easy to get a clean virus scanner onto such a system, so BartPE is
better). In these modes it is hard for a virus to ensure that it is
loaded. In the case of BartPE nothing should be loaded from the hard
disk, and a virus would have to exploit the BIOS or some drive loader
(NTFS/USB/removable media initialisation) to load a module during
boot. Such things are unlikely at the moment.
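The post above says the hard part of a native clean-up is picking the bad module out of the thousand-odd legitimate ones a Sysinternals listing shows. The usual way to make that tractable is to hash the modules from a trusted boot (BartPE or similar) and compare them against a known-good baseline, so only the exceptions need a human look. The script below is an added example and is not code from the post or from any of the tools it names; the "path,sha256" listing format, the baseline, the trusted-directory list and every file name and hash in it are constructed for illustration.

```python
# Added example: triage a loaded-module listing against a known-good
# baseline. Everything below (file names, contents, hashes, listing
# format, trusted directories) is constructed for illustration; a real
# listing would be exported from a tool such as Process Explorer or
# Autoruns and hashed from a trusted boot environment.
import hashlib
import ntpath

# Directories a clean system is expected to load modules from
# (assumption for this example; adjust to the audited build).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalise(path: str) -> str:
    # Windows paths are case-insensitive and accept either slash, so
    # fold both before comparing; otherwise C:\WINDOWS and c:\windows
    # would look like two different modules.
    return path.strip().replace("/", "\\").lower()


def parse_listing(text: str) -> list:
    """Parse 'path,sha256' lines (a constructed format). Blank lines and
    '#' comments are skipped; rsplit keeps commas in paths intact."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, digest = line.rsplit(",", 1)
        rows.append((normalise(path), digest.strip().lower()))
    return rows


def triage(listing, baseline):
    """Return (path, verdict) for every module that is not an exact
    baseline match. Verdicts:
      modified            - known path, hash differs from baseline
      masquerade          - unknown path reusing a known system file name
      unknown-untrusted   - unknown module outside TRUSTED_DIRS
      unknown-trusted-dir - unknown module inside TRUSTED_DIRS (check
                            vendor/signature by hand)
    Exact matches produce no finding, which is what shrinks the list."""
    baseline = {normalise(p): d.lower() for p, d in baseline.items()}
    known_names = {ntpath.basename(p) for p in baseline}
    findings = []
    for path, digest in listing:
        if path in baseline:
            if baseline[path] != digest:
                findings.append((path, "modified"))
            continue
        name = ntpath.basename(path)
        if name in known_names:
            findings.append((path, "masquerade"))
        elif not path.startswith(TRUSTED_DIRS):
            findings.append((path, "unknown-untrusted"))
        else:
            findings.append((path, "unknown-trusted-dir"))
    return findings


# Constructed "clean install" contents; the baseline is their hashes.
CLEAN_FILES = {
    "C:\\WINDOWS\\system32\\kernel32.dll": b"constructed clean kernel32",
    "C:\\WINDOWS\\system32\\ntdll.dll": b"constructed clean ntdll",
    "C:\\WINDOWS\\system32\\svchost.exe": b"constructed clean svchost",
}
BASELINE = {p: sha256_hex(c) for p, c in CLEAN_FILES.items()}

# Constructed listing from the suspect machine: one patched system DLL,
# one dropper hiding under a system file name in a temp directory, and
# one unknown DLL sitting in system32.
SAMPLE_LISTING = "\n".join([
    "# constructed listing: path,sha256",
    "C:\\WINDOWS\\system32\\kernel32.dll," + sha256_hex(b"constructed clean kernel32"),
    "C:\\WINDOWS\\system32\\ntdll.dll," + sha256_hex(b"constructed patched ntdll"),
    "C:\\WINDOWS\\system32\\svchost.exe," + sha256_hex(b"constructed clean svchost"),
    "C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\svchost.exe," + sha256_hex(b"constructed dropper"),
    "C:\\WINDOWS\\system32\\msupdate.dll," + sha256_hex(b"constructed unknown"),
])


def run_sample():
    return triage(parse_listing(SAMPLE_LISTING), BASELINE)


if __name__ == "__main__":
    for path, verdict in run_sample():
        print(f"{verdict:20} {path}")
```

The baseline should come from an install you trust (same OS build and patch level), and the hashing should run from the BartPE-style boot the post describes, since a module that is already loaded can lie about its own bytes to a scanner running on the infected system.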
