Security Watch

Malware: Is Cleaning Enough?

The only good solution to malware is a complete OS reinstall, says Microsoft.

• By Russ Cooper
• 05/01/2006

Well, let's be honest: This is nothing new. Once a system has been compromised, it is, and always has been, extremely difficult to determine all of the components the malware has installed. It becomes even harder the longer the malware has been in place, due to the nature of today's bots, which often contain automatic updating or add-in mechanisms.

The question now becomes whether or not you can trust your AV program's report on whether it can remove the malware it has discovered. The safest bet is no, but in reality it greatly depends on the malware that's been found. AV companies are good at determining what all a particular variant may do to a given victim, and usually state it in their descriptions. Problems arise, however, when they apply a generic description to a variant they identify but haven't previously seen firsthand.

In the end, you need to decide for yourself on a case-by-case basis. Regardless, it's time to dust off your old back-up policies and make sure you have a way to do a complete restore on any machine in your network.

Human Factors
The U.S. Department of Justice (DoJ) reported that 3.1 percent of households in the United States suffered some form of identity theft during a six-month period in 2004. Identity theft was qualified by unauthorized use or attempted use of an existing credit card, other existing accounts such as a checking account, or misuse of personal information to obtain new accounts or loans, or to commit other crimes.

Almost half of all reported identity thefts were abuses of existing credit cards, with more than half of the remaining thefts occurring due to abuse of other existing accounts. Misuse of personal information, which I personally consider closer to the true definition of identity theft, occurred in only 15 percent of the victimized households, or 0.5 percent of all U.S. households.

Not surprisingly, the most likely victims were in the 18 to 24 age range, made $75,000 or more and lived in urban areas. Conversely, only 30 percent of victims noticed missing money or unfamiliar charges, and less than 25 percent were contacted by a credit bureau. This suggests that the criminals were either trying to stay under the radar, or were unaware of the extent to which their victims could have been robbed.

Read the DoJ's report here (PDF).

According to a recent Wall Street Journal story (WSJ.com ID required to read), corporate concerns over the impact of emerging Internet technologies, including security, may limit their adoption.

The story focuses on instant messaging, third-party Web-based e-mail and Skype. While fear of the overuse, or abuse, of bandwidth is mentioned as a concern, the primary motivation behind corporations' lack of adoption is previous security breach experiences with these technologies, such as worms via IM. Skype is noted due to the inability to determine what is being carried, leading to potential issues with regulators.

Nothing really new in this story -- it merely restates the obvious problems and concerns that corporations have faced all along. It is interesting to note that in response to the criticism, some of the vendors made it seem that they believe corporations are confused over their products instead of being focused on legitimate issues. Not really putting a best foot forward in an attempt of quelling concerns.

Governance
Verizon had a class action suit brought against it by customers who were annoyed in 2004 after Verizon implemented a massive blocklist to prevent spam. That blocklist was so broad that it effectively stopped their customers from receiving e-mail from certain countries -- and in some cases, regions. Verizon settled the case, giving affected DSL customers who apply a one-time payout of $49 for their inconvenience.

While there's no doubt that such a massive blocklist was overkill and, equally, that the stated remarks Verizon support apparently gave some customers was inappropriate ("If it's really important, you should use a phone rather than e-mail."), some protection may be necessary for ISPs who are at least attempting to stem the tide of badness afflicting their customers. The lawyers in this class action suit seem to be the only winners (reaping $1.4 million for their efforts).