[Enigmail] First signed message -- Is tinyurl.com safe and reliable?
Faramir
faramir.cl at gmail.com
Wed Aug 27 12:26:57 PDT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Robert J. Hansen wrote:
> Faramir wrote:
>> Well, yes, if you know when did you catch the virus, you know restore
>> points older than that date are "clean".
>
> How do you know? The restore points are stored on disk; they're a high
> value target for malware.
Yes, that is true. But I think the main problem with viruses is that they
make you lose information and time. Information, since they can corrupt
files (or delete them), and time, because you need to fix the computer,
by using a virus removal tool, or by formatting and reinstalling
everything. If you choose not to try to remove the virus, and just
format... then you have already lost a lot of info and time, so maybe it is
worth trying to remove the virus... Is it 100% reliable? No, but maybe
formatting would make you lose even more info than the virus would
destroy... so I would try my less destructive chances before applying an
EMP to my computer...
> Expect malware -- especially competently written malware -- to go after
> the restore points.
Yes, but maybe the malware was not so competently written... Last time
I got infected, it was an MSN worm... it tried to infect all my
contacts, but to my surprise, the few contacts that received the virus
message reported there was not any link in the message (the malware
spreads by sending a link; if the user clicks it, they get infected).
Something was smart enough to remove the link... I don't know if it was
my AV, or my firewall, or the MSN server... I just know it tried to send the
message to a lot of people, and just a few of these people got the
message, and none of these people actually received the dangerous link.
Anyway, I ran all the detection tools I could get access to, I checked the
active processes running on the computer, and I searched for info about the
link, to know what the malware was capable of doing...
>> My AV also scans the restore
>> points, so I can know if one of them is infected.
>
> Unless, of course, the malware hijacks your AV.
That is possible. I think I put some lines about that subject, if not
in the message you replied to, in another message about the same
topic. I have read a paper by Jesper M. Johansson, Ph.D., CISSP, MCSE,
MCP+I, at Microsoft TechNet; it is named "Help: I Got Hacked. Now What
Do I Do?"
That paper talks about the fact that we can't trust anything running
on a compromised system, because it can be hijacked by the malware.
However, I figure if we could boot from a CD containing the AV software,
we could clean the system with tools we know are safe to use... but
since I stopped using Norton AV, I have never had those "rescue disks"
again.
>> if I succeed in removing the malware
>
> How do you know if you've succeeded?
Well, in my case, because I didn't have any strange behaviour... also,
if you know the malware's identity, you can know what it does, and you
can know if it is capable of hijacking the AV tools, or if it is easy to
remove. But that probably requires knowing how the virus entered
the system, so you can look for info about the virus from a clean machine.
And what about those viruses that can compromise the BIOS? That is so
scary I don't even want to think about it... we could format, reinstall,
and still have an unwanted guest in the system...
> Malware, and especially malware recovery, is a _huge_ open problem in
> computer security. I have no knowledge of any reliable recovery method
> other than using a known-clean backup.
As I said, probably booting from removable media, like a CD, and
using tools from that CD, would be safe enough to be able to trust the
AV reports.
But, another scary thing: how can you know your system has not been
compromised? If a malware can avoid detection, and it doesn't cause
unexpected behaviour (loss of performance), we would never know we have
a problem... even the known-clean backup may not be so clean... But at
some point we must say "enough, I don't want to live with a tin foil hat"...
Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----