Mission Impossible?

Microsoft: Recovery from malware is often difficult.

A Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from malware infestation.

"In some cases, there really is no way to recover without nuking the systems from orbit," said Mike Danseglio, program manager in the Security Solutions group at Microsoft, in a presentation at the InfoSec World conference here on April 3.

Offensive rootkits, which are used to hide malware programs and maintain an undetectable presence on an infected machine, have become the weapons of choice for virus and spyware writers. Because rootkits often use kernel hooks to avoid detection, Danseglio said IT administrators may never know if all traces of a rootkit have been successfully removed.

Danseglio said anti-virus software is getting better at detecting and removing the latest threats, but for some sophisticated forms of malware, he conceded that the cleanup process is "just way too hard," given that self-healing malware can actually detect that users are trying to get rid of it and simply reinstall itself. "If it doesnt crash your system or cause your system to freeze, how do you know its there?" Danseglio said.

He recommended using PepiMK Softwares Spybot-Search & Destroy, Bruce Cogswell and Mark Russinovichs RootkitRevealer and Microsofts Windows Defender—all free utilities that help with malware detection and cleanup.

Danseglio said malicious hackers are conducting targeted attacks that are "stealthy and effective" and warned that their for-profit motive means the attacks are much more serious than even the destructive network worms of the past. "[Attackers] dont want to write a worm that destroys your hardware. They want to assimilate your computers and use them to make money.

"At Microsoft, we are fielding 2,000 attacks per hour. We are a constant target, and you have to assume your Internet-facing service is also a big target," Danseglio said.

Danseglio said the success of social engineering attacks is a sign that the weakest link in malware defense is "human stupidity," for which "there really is no patch."

The most recent statistics from Microsofts anti-malware engineering team confirm Danseglios contention. In February, the companys free Malicious Software Removal Tool detected a social engineering worm called Win32/Alcan on more than 250,000 machines.

According to Danseglio, user education goes a long way to mitigate the threat from social engineering, but, he said, companies with high staff turnover may never recoup that investment.

"The easy way to deal with this is to think about prevention," he said.