Your system is NOT infected?

Does anybody know how to confirm positively that your PC (Windows or Mac) is not infected with any malware? It occurs to me that we don’t have a way of knowing. We can install anti-virus software, which looks for signatures and perhaps some behaviours but generally doesn’t detect botnet software and other dynamic or zero-day threats. There are newer services like FireEye that can detect botnets and traffic leaving your device towards known botnet sites; however, these too are looking for known traffic to known sites and known behaviours.

I guess a clean install of the OS might lead you to believe your system is clean, but that assumes the install disk and image were not compromised, which is generally true. However, an OS install is a bit extreme as a way to validate a clean system.

So how do you know for sure that your system is not infected with something?

9 thoughts on “Your system is NOT infected?”

  1. I don’t think there is an answer. However, I think prevention is better than cure, Mark. Since you asked the question, I’d like to know your thoughts. Provocative blog for sure.

    Regds

  2. Mahesh, it seems you’d have to do some kind of hash across all the system files and executables to see if there are any changes, but that is a dumb solution. Any setting you change would result in a change to the files and a mismatch, so it would be a mess to manage.

    I don’t think you can know for sure today. There are even cases of new computers in some places being infected before you do anything!

    Thanks for stopping by.

  3. Hi Mark,

    I don’t think there is a solution to this problem. Like you mentioned, even the manufacturer can ship infected media / devices. Recently Microsoft found PCs that shipped pre-infected. And this was the one that was caught by Microsoft. There could be others that were never caught.

    There is some hope with the closed ecosystem where the manufacturer ships the device pre-loaded with tamper-evident Operating Systems like ChromeOS. But even in these closed ecosystems we are trusting the manufacturer to take proper precautions to prevent pre-loading of a compromised Operating System.

    The vision behind the Trusted Computing Group’s Trusted Platform Module (TPM) was to create a Chain of Trust. But how can we trust the authority initializing that TPM?

    Quis custodiet ipsos custodes? Who will guard the guards themselves?

    Saqib

    1. Hi Mark,

      I started reading Prof. Zittrain’s book, “The Future of the Internet and How to Stop It.” An extremely interesting read. In the Generative Net chapter, he talks about “less autistic computers”, which are more aware of their [internet] surroundings and are able to report to their owners what they are doing, e.g. acting as a zombie or connecting to a malicious network. I think this capability should be built in at some trusted hardware level such as the Trusted Platform Module (TPM) or in the ChromeOS Verified Boot Loader, so that a virus cannot turn these off to make the machine more autistic.

      Thanks for recommending this book.

      Saqib

  4. Very true, it’s difficult to be absolutely certain that a system is not compromised. And I think there is a diminishing return on system assurance spend that is probably somewhat analogous to chasing nines in availability. You can certainly obtain degrees of confidence by employing practices of defense in depth. You can limit attack surface on the host with patch, configuration and anti-virus management programs. As noted, you can deploy a variety of signature- and behaviour-based controls: controls that detect and contain, and those that predict and prevent. You can define and enforce draconian acceptable use policies. You could even move to virtual desktops and present users with a fresh gold image every time they log in. To me it’s really about finding the balance that is right for your situation. I see the challenge as understanding your business requirements and the value of your data, and being able to weigh it all against the cultural and literal cost of deploying each layer of the security solution.

    Good blog and comments,
    Clint

  5. The ramblings of Eeyore. I’m not sure what the answer is, but I do know if it can be conceived it can be deceived. Whatever the future holds in store for us with regard to exploitation, it really doesn’t matter. It’s coming, and it will be as successful as the intelligence and persistence of the adversary. The next century will be less about reactively stopping the known and more about proactively finding the patterns in volumes of data. SIEM is still immature and underfunded in most companies, but finding patterns and anomalies in your data, or predicting anomalies, is still the work of the greatest magicians. However, recently at TUCON 2012 I saw something that I thought was really interesting, and that was the marriage of TIBCO and LogLogic. TIBCO’s ability to find the needle in the haystack with Spotfire and LogLogic’s ability to manage logs seemed like a complementary relationship. After hearing some customer testimonials, watching some demos and taking into account the anatomy of a hack, I am convinced that anything out of the ordinary will leave a trail in a networked environment, and noticing that trail (amongst all of the noise) as out of the ordinary will be paramount to protecting your treasure. This could be a real game changer in the SIEM world. The others will definitely have to step up their game to compete in this space. http://www.thetibcoblog.com/2012/10/24/innovation-at-its-finest-tibco-loglogic/

    I am not a cheerleader for TIBCO. I’m a cheerleader for my employer. Therefore, I want what’s best for us, but as Vivek Ranadive, TIBCO Founder, said at TUCON: “If the 20th century was the century of Science, I believe the 21st century will be the century of Math. When I say ‘Math trumping Science,’ I mean that you no longer have to know the why of something, you have to know the what. You simply have to know that if A and B happen, then C will happen; you have to find the pattern. For years, AIDS researchers tried to find the secret of how the AIDS virus mutated and they were not able to. About a year ago, they converted it into a Math problem and put it into a game called Foldit. Within a week, gamers had found the answer – something scientists had not been able to find for years.”

    Time to eat turkey.

    Eeyore W.

  6. This continues to bother me. I can’t figure out how to proceed on this problem. I’m having problems with one of my computers and I wonder about whether or not it has been infected by some form of malware.
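The file-hashing idea from comment 2 (baseline the system files and executables, then look for mismatches) in working form, as an added example that is not from the post or its commenters: it hashes a directory tree and separates files expected to change with ordinary use (settings, logs; the MUTABLE_PREFIXES list is an assumed illustration, not a definitive Windows or Mac list) from unexpected modifications and newly appeared files, which is what keeps the "any setting you change causes a mismatch" problem manageable. The demo runs against a constructed temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Relative paths expected to change with ordinary use (settings, logs); a mismatch
# there is reported as "expected", not as tampering. Assumed illustration only.
MUTABLE_PREFIXES = ("etc/", "var/log/")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map every regular file under root (relative, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def compare(baseline, current):
    """Classify differences: 'tampered' (changed or added outside mutable paths),
    'expected' (changed inside mutable paths) and 'missing' (deleted since baseline)."""
    report = {"tampered": [], "expected": [], "missing": []}
    for rel, digest in current.items():
        if rel not in baseline:
            report["tampered"].append(rel)  # a file appeared since the baseline
        elif baseline[rel] != digest:
            bucket = "expected" if rel.startswith(MUTABLE_PREFIXES) else "tampered"
            report[bucket].append(rel)
    report["missing"] = sorted(rel for rel in baseline if rel not in current)
    report["tampered"].sort(); report["expected"].sort()
    return report

def demo():
    """Constructed scenario in a temp dir: one legitimate settings edit,
    one modified binary and one dropped file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for sub in ("bin", "etc"): (root / sub).mkdir()
        (root / "bin" / "ls").write_bytes(b"original binary")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 db\n")
        (root / "bin" / "ls").write_bytes(b"original binary + implant")
        (root / "bin" / "svc").write_bytes(b"dropped file")
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline itself must be stored and hashed somewhere the machine under test cannot rewrite (read-only media or another host), since an attacker who can alter the binaries can also alter a baseline kept beside them.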
