[nsp-sec] [SPAM] RE: 1Million Botnet Ips
Stephen Gill
gillsr at cymru.com
Mon Jul 7 18:07:19 EDT 2008
> One would need to analyze each piece of malware to determine how it
> installed itself on the end host. In many cases a white/clean executable
> could be written that users could run that would then remove that piece
> of malware from the end system (totally ignoring the liability question).
The problem is that more often than not, a single binary is used to install
but many many many binaries come after that in the form of regular updates,
loaders, droppers, etc. Unless you catch the infection near real time or
just after, having a full inventory of what happened on the system post
infection via the malware is practically impossible. Given that malware
breeds malware one would probably want to run a litany of tools before
declaring the owned system semi-usable at best.
-- steve
>
> In some cases, if you have your own sinkhole, one may be able to issue a
> "remove" command to the bot and effectively remove that particular piece
> of malware from the compromised system (without actual analysis of
> the malware, you won't know if there is a routine that unsecures the
> system even further prior to complete removal).
>
> |> When we provide bot-infected IP list to ISPs, they ask for
> |> effective clean tools. They said the end user usually have not
> |> ability to completely clean the computer by themselves though they
> |> know it is compromised.
> |
> | I would change this request a bit. Is there a tool that works on this
> | one specific version of this bot. I realize some customers may have
> | multiple infections so I am not asking for something that will clear
> | all possible infections just this one specific malware;)
>
>
> Nick
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
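The point Steve makes above (one dropper, then loaders and updates that a per-sample removal tool never sees, and no way to reconstruct the chain unless telemetry was already running) can be shown concretely. The following is an added example, not code from the nsp-sec thread or from Team Cymru: it walks a constructed endpoint telemetry log of process-creation and file-write events, builds the full inventory of artifacts descended from the initial dropper, and compares it with what a tool written for that one sample would remove. The event format, the pids, the paths and the hashes are all invented sample data; no real malware is described.

```python
"""Why a one-sample removal tool is not a cleanup, and why the inventory
depends on telemetry having been in place before the infection.

The event tuple format is invented for this example. It mimics what an
endpoint agent records: process creations (with the image hash) and file
writes attributed to a pid. All paths, pids and hashes are constructed.
"""
from collections import defaultdict

# Constructed sample telemetry: (seq, kind, pid, ppid, image, target)
#   kind == "proc": process creation; target holds the image's sha256 (fake)
#   kind == "file": a file written by pid; target holds the written path
EVENTS = [
    (1, "proc", 100, 1,    r"C:\Windows\explorer.exe",                "aa" * 32),
    (2, "proc", 200, 100,  r"C:\Users\u\Downloads\invoice.exe",       "bb" * 32),  # initial dropper
    (3, "file", 200, None, None, r"C:\ProgramData\svc\loader.exe"),
    (4, "proc", 300, 200,  r"C:\ProgramData\svc\loader.exe",          "cc" * 32),  # loader
    (5, "file", 300, None, None, r"C:\Users\u\AppData\Roaming\upd1.exe"),
    (6, "file", 300, None, None, r"C:\Users\u\AppData\Roaming\upd2.dll"),
    (7, "proc", 400, 300,  r"C:\Users\u\AppData\Roaming\upd1.exe",    "dd" * 32),  # "update"
    (8, "proc", 500, 100,  r"C:\Program Files\Notepad\notepad.exe",   "ee" * 32),  # unrelated
    (9, "file", 400, None, None, r"C:\Windows\Tasks\update.job"),                  # persistence
]

DROPPER_PID = 200
DROPPER_HASH = "bb" * 32


def descendant_pids(events, root_pid):
    """Every pid spawned directly or transitively by root_pid (root included).

    A worklist over the parent->children map is used so the result does not
    depend on parents appearing before children in the log.
    """
    children = defaultdict(set)
    for _, kind, pid, ppid, _, _ in events:
        if kind == "proc":
            children[ppid].add(pid)
    seen, work = set(), [root_pid]
    while work:
        pid = work.pop()
        if pid in seen:
            continue
        seen.add(pid)
        work.extend(children[pid])
    return seen


def infection_inventory(events, root_pid):
    """All paths executed or written, and all image hashes, by the dropper's
    process tree. This is the set a real cleanup has to address."""
    pids = descendant_pids(events, root_pid)
    paths, hashes = set(), set()
    for _, kind, pid, _, image, target in events:
        if pid not in pids:
            continue
        if kind == "proc":
            paths.add(image)
            hashes.add(target)
        elif kind == "file":
            paths.add(target)
    return {"paths": paths, "hashes": hashes}


def single_sample_cleanup(events, sample_hash):
    """What a tool built against one specific sample can remove: the images
    whose hash matches that sample, and nothing the sample later fetched."""
    return {image for _, kind, _, _, image, h in events
            if kind == "proc" and h == sample_hash}


def left_behind(events, root_pid, sample_hash):
    """Artifacts of the infection that the one-sample tool never touches."""
    return (infection_inventory(events, root_pid)["paths"]
            - single_sample_cleanup(events, sample_hash))


if __name__ == "__main__":
    full = infection_inventory(EVENTS, DROPPER_PID)
    print("full inventory:      ", sorted(full["paths"]))
    print("one-sample tool gets:", sorted(single_sample_cleanup(EVENTS, DROPPER_HASH)))
    print("left behind:         ", sorted(left_behind(EVENTS, DROPPER_PID, DROPPER_HASH)))
    # Telemetry that only started after the dropper and loader had already
    # run (events from seq 5 onward): the pid 200 -> 300 link is gone, so
    # the tree cannot be reconstructed and the inventory collapses to nothing.
    late = infection_inventory(EVENTS[4:], DROPPER_PID)
    print("late-capture inventory:", sorted(late["paths"]))
```

The second half of the `__main__` block is the "near real time" caveat from the message: with the same dropper pid but telemetry that begins after the loader was spawned, the parent link is simply absent and the walk finds nothing, so whatever survives on disk cannot be tied back to the infection from the log alone.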