By Ryan Naraine
April 4, 2006

LAKE BUENA VISTA, Fla. - In a rare discussion about the severity of
the Windows malware scourge, a Microsoft security official said
businesses should consider investing in an automated process to wipe
hard drives and reinstall operating systems as a practical way to
recover from malware infestation.

"When you are dealing with rootkits and some advanced spyware
programs, the only solution is to rebuild from scratch. In some cases,
there really is no way to recover without nuking the systems from
orbit," Mike Danseglio, program manager in the Security Solutions
group at Microsoft, said in a presentation at the InfoSec World

Offensive rootkits, which are used to hide malware programs and maintain
an undetectable presence on an infected machine, have become the
weapon of choice for virus and spyware writers and, because they often
use kernel hooks to avoid detection, Danseglio said IT administrators
may never know if all traces of a rootkit have been successfully

He cited a recent instance where an unnamed branch of the U.S.
government struggled with malware infestations on more than 2,000
client machines. "In that case, it was so severe that trying to
recover was meaningless. They did not have an automated process to
wipe and rebuild the systems, so it became a burden. They had to
design a process real fast," Danseglio added.

Danseglio, who delivered two separate presentations at the conference
- one on threats and countermeasures to defend against malware
infestations in Windows, and the other on the frightening world of
Windows rootkits - said anti-virus software is getting better at
detecting and removing the latest threats, but for some sophisticated
forms of malware, he conceded that the cleanup process is "just way

"We've seen the self-healing malware that actually detects that you're
trying to get rid of it. You remove it, and the next time you look in
that directory, it's sitting there. It can simply reinstall itself,"

"Detection is difficult, and remediation is often impossible,"
Danseglio declared. "If it doesn't crash your system or cause your
system to freeze, how do you know it's there? The answer is you just
don't know. Lots of times, you never see the infection occur in real
time, and you don't see the malware lingering or running in the

He recommended using PepiMK Software's SpyBot Search & Destroy, Mark
Russinovich's RootkitRevealer and Microsoft's own Windows Defender,
all free utilities that help with malware detection and cleanup, and
urged CIOs to take a defense-in-depth approach to preventing

Danseglio said malicious hackers are conducting targeted attacks that
are "stealthy and effective" and warned that the for-profit motive is
much more serious than even the destructive network worms of the past.

"In 2006, the attackers want to pay the rent. They don't want to write
a worm that destroys your hardware. They want to assimilate your
computers and use them to make money.

"At Microsoft, we are fielding 2,000 attacks per hour. We are a
constant target, and you have to assume your Internet-facing service
is also a big target," Danseglio said.

Danseglio said the success of social engineering attacks is a sign
that the weakest link in malware defense is "human stupidity."

"Social engineering is a very, very effective technique. We have
statistics that show significant infection rates for the social
engineering malware. Phishing is a major problem because there really
is no patch for human stupidity," he said.

The most recent statistics from Microsoft's anti-malware engineering
team confirm Danseglio's contention. In February alone, the company's
free Malicious Software Removal Tool detected a social engineering
worm called Win32/Alcan on more than 250,000 unique machines.

According to Danseglio, user education goes a long way toward mitigating
the threat from social engineering, but in companies where staff
turnover is high, a company may never recoup that investment.

"The easy way to deal with this is to think about prevention.
Preventing an infection is far easier than cleaning up," he said,
urging enterprise administrators to block known bad content using
firewalls and proxy filtering and to ensure security software
regularly scans for infections.
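The proxy-filtering step Danseglio recommends amounts to checking every outbound request's host against a feed of known-bad domains. The following Python is an added example written for this page, not code from the article or from Microsoft: the feed format (a leading "." meaning "this domain and all subdomains", otherwise an exact host) and every host name in it are constructed for the demonstration. It shows the two details such a check has to get right: host normalisation (case, trailing dot, IDN) and label-wise suffix matching, so that a wildcard entry catches subdomains without a substring match also catching unrelated look-alike names.

```python
"""Host blocklist check of the kind a filtering proxy applies to outbound
requests. Added example, not code from the article or from Microsoft.
The feed entries and sample URLs are constructed for this demonstration."""
from urllib.parse import urlsplit

# Constructed sample feed: a leading '.' blocks the domain and all of its
# subdomains; any other entry blocks that exact host only.
BLOCKLIST_FEED = """
# hypothetical "known bad" entries
.malware-dropper.example
phish-login.example
UPDATES.badsite.example.
"""


def normalise_host(host: str) -> str:
    """Lower-case, strip a trailing dot and IDNA-encode, so that
    'Bad.Example.' and 'bad.example' compare equal."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:  # malformed label; compare the raw lower-cased form
        return host


def load_blocklist(feed: str):
    """Parse the feed into an exact-host set and a domain-suffix set."""
    exact, suffixes = set(), set()
    for line in feed.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("."):
            suffixes.add(normalise_host(line[1:]))
        else:
            exact.add(normalise_host(line))
    return exact, suffixes


def host_of(url: str) -> str:
    """Extract and normalise the host from a URL (scheme optional, port dropped)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return normalise_host(parts.hostname or "")


def is_blocked(url: str, exact: set, suffixes: set) -> bool:
    host = host_of(url)
    if not host:
        return False
    if host in exact:
        return True
    # Walk parent domains label by label: a.b.c -> b.c -> c. This matches
    # cdn.bad.example against ".bad.example" but NOT notbad.example, which a
    # naive substring test would wrongly block.
    labels = host.split(".")
    return any(".".join(labels[i:]) in suffixes for i in range(len(labels)))


def filter_requests(urls, feed: str = BLOCKLIST_FEED) -> dict:
    """Return a BLOCK/ALLOW verdict per URL, as a proxy's decision log would."""
    exact, suffixes = load_blocklist(feed)
    return {u: ("BLOCK" if is_blocked(u, exact, suffixes) else "ALLOW") for u in urls}


if __name__ == "__main__":
    sample = [
        "http://cdn.malware-dropper.example/payload.exe",   # subdomain of wildcard
        "http://notmalware-dropper.example/",               # look-alike, must pass
        "https://PHISH-LOGIN.example./",                    # exact host, odd casing
        "http://login.phish-login.example/",                # exact entry: no wildcard
        "http://www.example.org/",
    ]
    for url, verdict in filter_requests(sample).items():
        print(f"{verdict:5} {url}")
```

The exact-versus-wildcard distinction matters in practice: a feed that lists only `phish-login.example` should not block `login.phish-login.example` unless the feed says so, and a wildcard must never be matched as a plain substring.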