Thursday, February 4, 2010

The Myth of Disinfection

A co-worker at the university where I work part-time fell victim to malware on her office PC, and called tech support.  They arrived quickly, took the machine away, and then returned with it later that same day--amazingly fast.  Too fast, I thought.  Based on the behavior the computer had been exhibiting on the network, they knew exactly which bit of malicious code to find and eliminate in a surgical strike.  Once disinfected, the machine showed no immediate signs of infection, so they put it back on my colleague's desk.

I wasn't surprised today when she told me she had lost network access again because her computer was infected.  The problem is not, as I was told, that my friend took a cleaned computer and carelessly got it reinfected.  The problem is that "disinfection," particularly one performed in just a couple of hours, is a complete crapshoot.  Yes, there's a chance whatever tools you take time to run (and those scans can take hours) will be able to remove all the nasties--but if just one remains, the game is over.  In my experience, the very first thing much of the world's malware is programmed to do is to download other malware (I suspect they get paid to do so).  The infection you remove, the one that triggered the problem, may well be just one of the children of something hidden deeper.  Assuming you take a day or two to scan with various tools, I'll give you 50-50 chances that the computer is clean and it's not sending credit cards or social security numbers to Croatia.  Is that good enough for you?

Not all criminals are stupid, just the ones who get caught.  The very best malware, the kind you can't see and the tools can't detect, is the kind we should fear the most.  Bottom line: anyone who tells you that they can use one or two tools to disinfect a computer in a couple of hours and know for certain that it's not still compromised is incorrect.  It just isn't so.

My co-worker's computer?  Tech support has collected it again, and this time they are going to reformat it, like they should have done in the first place.  She'll have it back in a day or two.  Will tech support learn anything from her adventure?  I hope so, but first they'll have to stop blaming the user for a problem that--this time at least--they caused.

Any job worth doing is worth doing right.  Right?