When malware runs wild!
April 4, 2006 1:46 PM   Subscribe

"In some cases, there really is no way to recover without nuking the systems from orbit." -- Mike Danseglio, program manager in the Security Solutions group at Microsoft
posted by Steven C. Den Beste (43 comments total)

You know, I'm really glad I uploaded this image to a photohosting account.
posted by keswick at 1:49 PM on April 4, 2006

So much for my "This thread is useless without pics" pic.
posted by knave at 1:54 PM on April 4, 2006

I've been saying this for years. Windows is a nasty system infestation. *rimshot*

I'll be here all week. Try the fish.

More seriously: these guys are JUST NOW figuring this out? Once a system has been compromised, the ONLY way to be certain it's clean is to totally rebuild it. And with the advent of ACPI viruses, even that may not be enough.... the fundamental hardware may be infected in a way that is difficult or impossbile to even detect, much less eradicate.

It's entirely possible, in the not too distant future, that a bad virus infection may require the purchase of a new computer, at least for awhile.
posted by Malor at 1:55 PM on April 4, 2006

Good thing they've made Windows so effortless to reinstall in recent versions. It's so much easier without the ineffectual copy protection that ties every install to the hardware.

oh gee wait i am posting from the future. ColdFusion!
posted by sonofsamiam at 1:56 PM on April 4, 2006

*trying to think of a joke that involves Windows, Trekkies and pole dancers.

posted by adamgreenfield at 1:56 PM on April 4, 2006

/me steals keswick's image for future use
posted by Fezboy! at 2:04 PM on April 4, 2006

Actually, I can think of a new consumer OS model emerging from this.

Each company takes the original Windows OS image and then derives a company base image (which includes their own applications)

Then, on a periodic basis:
1) The raw OS is refreshed and applications are reloaded fom the derived base image. this happens automatically, on a weekend.
2) User application files (e.g. doc files, text, powerpoint, mail) are kept on a storage server managed by IT. This is a really "stupid" storage server. IT regularly checks the files for application file viruses.

With the right model, you can make this fairly efficient. Many companies already have stuff like this where users are given a "virtual OS" but applications are actually run off managed servers.
posted by vacapinta at 2:09 PM on April 4, 2006

vacapinta: this is how we do it now. (4600+ users)
posted by Gungho at 2:12 PM on April 4, 2006

Yep. I know a company that also does it that way too. I guess my point, not clearly made, was whether these traditionally corporate practices will filter down more to the consumer world.

That is, this not an issue for well-managed corporate environments (I would not include the govt. example in that article as being one) who are always on the forefront of firewall protections, network security policies and managed software versioning.

This is an issue for the consumer who doesnt have sophisticated protections. And, just like the firewall went from obscure corporate thing to something sold by Norton on a CD, perhaps its time now for Base Images and separation of user data to make its way down to the shelves too.
posted by vacapinta at 2:19 PM on April 4, 2006

posted by Armitage Shanks at 2:20 PM on April 4, 2006

...businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems...

Good luck with that approach for individuals. Every time I've had to reinstall my licensed copy of XP on my same home machine, I have to call up MSFT and ask them pretty please won't you please let me install the software I paid for just one more time, please. And they say, "Hey asshole, how many times are you going to install this product that you purchased legitimately? Maybe you should give us more money to continue using that software you already paid us for, huh?"
posted by Gamblor at 2:22 PM on April 4, 2006

posted by felix at 2:31 PM on April 4, 2006

Armitage, I respectfully submit that the pole dancers would move significantly closer to the trekkies -- within snuggling range, perhaps -- if the trekkies were also people who made a huge pile of money making Windows, and spent it freely and often.

Also, occasionally trekkies peer at pole dancers through windows...
posted by davejay at 2:33 PM on April 4, 2006

[laughing out loud at felix's image modification]
posted by davejay at 2:33 PM on April 4, 2006

Bill to Pole Dancer: Resistance is futile, cause there's a di-polar capacitor in my pants.

*bouncer throws Bill through Windows*
posted by It's Raining Florence Henderson at 2:36 PM on April 4, 2006

Metafilter - Next Page: Human stupidity.
posted by lalochezia at 2:52 PM on April 4, 2006

It’s funny because it’s an Aliens reference.
posted by Smedleyman at 2:58 PM on April 4, 2006

...unless, wait, microsoft doesn’t actually have LEO capability...and nukes?
posted by Smedleyman at 2:59 PM on April 4, 2006

Armitage: Thanks for that concrete visualization of the situation at hand. I am in your debt, sir.

Felix: Yessssssssssssss. Your modification is especially accurate for large values of cluelessness.
posted by adamgreenfield at 3:02 PM on April 4, 2006

posted by sonofsamiam at 3:03 PM on April 4, 2006

Many companies already have stuff like this where users are given a "virtual OS" but applications are actually run off managed servers.

... so, after thirty years, we're back to dumb terminals?

/gives his PowerBook a hug.
posted by docgonzo at 3:04 PM on April 4, 2006

The one pole-dancer I know is a huge trekkie and .. a Mac user.
posted by knave at 3:11 PM on April 4, 2006

(She showed up in Star Fleet uniform on Halloween in 7th grade.)
posted by knave at 3:12 PM on April 4, 2006

posted by influx at 3:36 PM on April 4, 2006

Heh, reinstalling is standard procedure for corporate/institutional environments with a deployed/supported system count of about, oh, 5 or 10 or more computers.

This is why RIS and Ghost/GhostCast/Ghost server are so popular.

Sure, I could go all wizard on some malware-munged box, I could do regedits, DLL replacements, spyware and virus scans. I could spend hours and hours all day doing this on dozens of laptops.

Or I could spend hours and hours manually re-installing the OS, applications, drivers and utilities, and spend more time configuring everything properly for each system.

I could also tear out my own beating heart with a fork, lightly toast it with a soldering iron and eat it in a sandwich.

Instead I spend 10-45 minutes doing a data backup, re-image from a Ghost server and a data restore. It kills malware, corrupted registries, restores system files, preps the disk, just about everything - and as a bonus - it eliminates unsupported and unauthorized user-installed software like Yahoo! Messenger, AIM, Kazaa, Limewire and much worse. Like Comet Cursor and all things Gator or GAIM - which are still around and still being installed. Guh.

SMS and autoupdate takes care of the rest.

I don't even really remember what doing a raw install is like. Fuck that shit. Screw system restore. Disk/partition images are the way to go.
posted by loquacious at 3:43 PM on April 4, 2006

Without tuning this into a bash Microsoft comment, i honestly have to ask, At what point is the convenience of compatibility outweighed by the amount of other crap you have to do just to use the system?

My house is pretty neutral in the OS wars; we have Macs, Windows and *nix/ bsd machines all happily interconnected, but when the point comes where i am having to reinstall on a regular basis (read as: more than once a year), i'm going to seriously re-evaluate the usefulness of that system.

i can't be alone in this? Can i?
posted by quin at 4:15 PM on April 4, 2006

loquacious: GAIM? The gtk AIM client? Why's that in with Comet Cursor and Gator?

quin: I've often asked myself that same question. I think my preference would be to abandon backwards compatibility altogether with each major release. For corporate users of course that's not an option, which is a shame.

Another solution might be to have "compatibility modes", where you can use older stuff but only be explicitly turning it on at the expense of possibly losing newer features. For the vast majority of cases, the crappy, buggy old code would be disabled. There's probably a reason why this is infeasible though.
posted by joegester at 4:32 PM on April 4, 2006

Quin. I hear you. The problem is when your STUCK. I got no choice but to have XP machinesat my business.

We have 15 systems at our office. All Apple OSX but for 4 XP laptops and 1 XP Desktops (and 1 Win2003 Server box). Guess which ones soak up 85% of my time. The XP systems. Every week it's something. From smartcard and driver conflicts to malware. Everyweek. And the real problem is the entire user support infrastructure for XP is a nightmare accross the board.

I have to have them. That's what burns me.

The Apple systems I hardly touch. The OSX Server takes care of itself. And I can find solutions to problem in minutes instead of days like with the XP machines. Reading post like this one really depress me. These MS guys, like Mike Danseglio, just couldn't give a crap.
posted by tkchrist at 4:32 PM on April 4, 2006

This thread needs more Venn diagrams.
posted by Pontius Pilate at 4:45 PM on April 4, 2006

loquacious: GAIM?

Sorry, GAIN. Bastards.
posted by loquacious at 5:23 PM on April 4, 2006

You know, I'm really glad I uploaded this image to a photohosting account.

Banned for [IMG-TIMELINE]!
posted by stavrosthewonderchicken at 5:32 PM on April 4, 2006

posted by felix at 5:38 PM on April 4, 2006

I always chuckle when i read about people having massive problems with windows XP. I have a copy of xp that has been going strong for 5 years now. It's a home version too, which i hate, but hey if it aint broke don't fix it.

Also any one with 2,000 computers on a system who does not also have a copy of ghost and a relatively recent image is smoking crack. We use network storage space mixed with automated ghosting for 1,000 plus lab machines on campus. Every user is STRONGLY encouraged to buy a university laptop. We have images for all of those that IBM kindly installs before shipping, and we of course update them regularly as well.

In fact we often just replace a laptop hardrive with a new one, and send the user on the way. Total service time, roughly 15 minutes. Beyond that we force bind all user data to the non os partition. If they install some file sharing and hoze their computer, well not our problem.

At any rate vista is looking sexy, and all of the mac neophytes out there are just getting back at 15 years of name calling. In some ways I hope that mac gets a solid grip on the market, there were 2 viruses for macs last year. I would expect some more this year.


Ye old mighty mac might have a better os, but they didn't switch to intel for the processor. It was the pci express support for nicer graphics, and they still don't have any sli.

posted by sourbrew at 5:45 PM on April 4, 2006

sourbrew, the high-end G5 macs have PCI Express.
posted by Malor at 6:18 PM on April 4, 2006

Oh. GAIN makes much more sense.
posted by joegester at 6:25 PM on April 4, 2006

"Aliens" is my favorite movie.
posted by Brainy at 6:54 PM on April 4, 2006

So they do, can't find an sli option, but with support for the fx quadro i suppose thats not really an issue.

I built my current machine, a 3500+ 64 bit athalon, gig of ram, 2 6600 gt's and a 74 gig raptor drive for like 1500 last year though, and the power macs start at 2,000 at the moment. Granted i lust after a mac lcd.
posted by sourbrew at 7:08 PM on April 4, 2006

*trying to think of a joke that involves Windows, Trekkies and pole dancers.


Oh come on, there must be some Polish dancers out there who use Windows and are into Star Trek.
posted by Zinger at 7:30 PM on April 4, 2006

Danseglio said the success of social engineering attacks is a sign that the weakest link in malware defense is "human stupidity."

I would actually contend that the weakest link in malware defense is highhanded bastards like Danseglio calling the average computer user a "stupid human." This guy represents the company that makes our software, and he's calling us stupid! Talk about insult to injury. What a smeghead. Not everybody can be a techie. I'm a techie, and even *I* know that.

From my experience, there are two types of computer users -

1) People who are automatically skeptical of anything on the internet.
2) People who don't yet fit into the first category, and have to learn the hard way. These are the people who automatically click "yes" on every dialog box.

The answer is education. Not insults.
posted by Afroblanco at 8:16 PM on April 4, 2006

2) People who don't yet fit into the first category, and have to learn the hard way. These are the people who automatically click "yes" on every dialog box.

Exactly, because they're trained to by the Windows way. I've even accidently clicked the wrong thing when doing smaller/low level installs with too many windows open. "Doh. That was a frickin' popup you dumbass, not a dialog box."

Catagory 2b would possibly have to be those that find shiny things like Comet Cursor, "free" games and Weatherbug irresistable.
posted by loquacious at 10:09 PM on April 4, 2006

He was talking about rootkits not virii or other malware. It's not like there have ever been any *nix systems that have been rooted. Oh wait.....that is where the root part of root kit came from. Hmmmm.

Nuking when someone gets root on your system isn't just a smart Windows strategy. It is a smart strategy for any system that gets compromised in this way.
posted by srboisvert at 12:22 AM on April 5, 2006

srboisvert: the trouble with Windows is that it's part of the culture for Winboxen to run logged on as root, all the time, by default. Which means that any stupid piece of drive-by-installing crapware can get root without even trying. Which means that Winboxen are disproportionately represented among systems requiring regular annihilation electrotherapy.

I work in primary schools. Most of what we run is, of course, Educational Software. Most of that is insanely expensive to buy decent numbers of licences for, and doesn't have any kind of license server; so of course the schools just buy a handful of copies on CD and put them in the library. Classroom teachers get the physical CD's out of the library when they want to run this stuff. I'm not allowed to put installation images on the server for fear of breaching licence conditions, so I can't fiddle and tweak it; what we run is the default install of what comes off the shelf.

Which means I can't lock down our workstations, because until it's extensively fiddled about with, most of this stuff won't even run unless it has write access to the Windows directory. That's just the Windows culture.

Which means regular nuking from orbit is the only thing to do. Especially given that some of these ES vendors actually bundle adware in the stuff they *sell* you!

loquacious: I use the Trinity Rescue Kit live CD for all my imaging work instead of Ghost. Images are just .gz files on a Windows share somewhere; I don't need anything special installed on the server. We don't have thousands of workstations, so I can live without multicasting. Also, because I get to specify the target device on the command line, the general drift to SATA drives hasn't caused me any grief at all; I understand it's a major driver for Ghost upgrades.

I'm slowly educating my users about the wisdom of searching for FOSS that can do what they want before plunking down dollars on yet another piece of restrictively licenced cheeseware, but it's a long haul. At least using a FOSS tool to fix the inevitable damage makes me feel like I'm getting *somewhere*.
posted by flabdablet at 6:10 AM on April 5, 2006

loquacious, that's exactly what I do. Reimaging is the only sane solution.
posted by lyam at 6:11 AM on April 5, 2006

« Older The Vomit Was The Key   |   I haven't read the Book of Job yet, but I'm about... Newer »

This thread has been archived and is closed to new comments