[nsp-sec] [SPAM] RE: 1Million Botnet Ips

Nicholas Ianelli ni at cert.org
Mon Jul 7 17:58:21 EDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Ah, the age-old problem: what to do with infected systems.

Best case scenario - user needs to completely wipe and reinstall their
OS, then restore their personal data from backup (after attempting to
verify that those files aren't infected).

To address your specific question, from a provider standpoint dealing
with large-scale infections from the same malware on your network
(totally ignoring the liability question) - while this is not a blanket
statement, the short answer is yes.

One would need to analyze each piece of malware to determine how it
installed itself on the end host. In many cases a white/clean executable
could be written that users could run that would then remove that piece
of malware from the end system (totally ignoring the liability question).

In some cases, if you have your own sinkhole, one may be able to issue a
"remove" command to the bot and effectively remove that particular piece
of malware from the compromised system (without actual analysis of
the malware, you won't know if there is a routine that unsecures the
system even further prior to complete removal).

|> When we provide a bot-infected IP list to ISPs, they ask for
|> effective clean tools. They said the end user usually does not have
|> the ability to completely clean the computer by themselves though they
|> know it is compromised.
|
| I would change this request a bit. Is there a tool that works on this
| one specific version of this bot? I realize some customers may have
| multiple infections so I am not asking for something that will clear
| all possible infections, just this one specific malware ;)


Nick
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)

iD8DBQFIcpF9i10dJIBjZIARCGWzAJkBguL1fs2RI17WV0ySVy3oOWmm5QCgpIRA
eE/D+tGopFmaVTlHRBjiLjQ=
=1u2x
-----END PGP SIGNATURE-----
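The "clean executable" Nick describes above, sketched as an added example (this is not code from the thread or from CERT). It assumes the analyst has already extracted three things from the sample: the SHA-256 of the dropped binary, the paths the bot writes itself to, and its persistence entry. All names, paths and the startup-script mechanism here are hypothetical stand-ins (a plain text startup file plays the role of a Windows Run key so the script runs anywhere), and the "bot" is a constructed harmless file. The point the thread makes, that a one-family tool must not touch anything it did not analyze, is enforced by deleting a file only when its hash matches the analyzed sample and by removing only the persistence line that carries the bot's marker.

```python
"""Single-family removal tool skeleton (added example, hypothetical indicators)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class Indicators:
    """What the malware analysis produced for one specific bot version (hypothetical)."""
    name: str
    sample_sha256: str        # hash of the analyzed dropped binary
    dropped_paths: list       # paths (relative to the profile root) the bot writes to
    persistence_file: str     # startup script standing in for a Run key
    persistence_marker: str   # substring that identifies the bot's own autostart line


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def remove_persistence(ind, root):
    """Drop only the autostart line carrying the bot's marker; keep every other entry."""
    path = os.path.join(root, ind.persistence_file)
    if not os.path.isfile(path):
        return 0
    with open(path) as f:
        lines = f.readlines()
    kept = [line for line in lines if ind.persistence_marker not in line]
    with open(path, "w") as f:
        f.writelines(kept)
    return len(lines) - len(kept)


def remove_dropped_files(ind, root):
    """Delete a dropped file only if it is byte-for-byte the analyzed sample."""
    removed, skipped = [], []
    for rel in ind.dropped_paths:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        if sha256_of(path) == ind.sample_sha256:
            os.remove(path)
            removed.append(rel)
        else:
            # Different binary at a known path: a legitimate file or another infection.
            # Leave it alone and report it rather than guess.
            skipped.append(rel)
    return removed, skipped


def clean(ind, root):
    """Persistence first so a reboot does not relaunch the bot, then the files.
    Terminating the running process is omitted here; a real tool does it first."""
    entries = remove_persistence(ind, root)
    removed, skipped = remove_dropped_files(ind, root)
    return {"removed": removed, "skipped": skipped,
            "persistence_entries_removed": entries}


def demo():
    """Build a constructed, harmless stand-in for an infected profile and clean it."""
    root = tempfile.mkdtemp()
    fake_sample = b"constructed stand-in for the analyzed bot binary, not malware\n"
    os.makedirs(os.path.join(root, "AppData"))
    os.makedirs(os.path.join(root, "System32"))
    with open(os.path.join(root, "AppData", "bot.exe"), "wb") as f:
        f.write(fake_sample)
    # Legitimate file at a path the bot is known to use on some hosts: must survive.
    with open(os.path.join(root, "System32", "svchost.exe"), "wb") as f:
        f.write(b"legitimate system binary, different content\n")
    with open(os.path.join(root, "startup.cfg"), "w") as f:
        f.write("run=C:\\Program Files\\Antivirus\\av.exe\n")
        f.write("run=C:\\Users\\victim\\AppData\\bot.exe\n")
    ind = Indicators(
        name="hypothetical-bot-v1",
        sample_sha256=hashlib.sha256(fake_sample).hexdigest(),
        dropped_paths=["AppData/bot.exe", "System32/svchost.exe"],
        persistence_file="startup.cfg",
        persistence_marker="AppData\\bot.exe",
    )
    result = clean(ind, root)
    result["legit_survived"] = os.path.isfile(os.path.join(root, "System32", "svchost.exe"))
    with open(os.path.join(root, "startup.cfg")) as f:
        result["startup_after"] = f.read().splitlines()
    return result


if __name__ == "__main__":
    print(demo())
```

The hash gate is what makes this safe to hand to a customer who may carry several infections: a mismatching file at a known path is reported, not deleted, and the provider can decide whether it needs a second tool or a wipe.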


