Old 07-19-2012, 02:39 AM   #1
dAnceguy117
Malware Dev Answers Questions on Reddit

http://www.reddit.com/r/IAmA/comment...developer_ama/

kinda old, but still a good read. plenty of interesting tidbits. the questions and answers range from low-level and generic to highly technical. I'll flesh out this post with some quotes sometime soon. for now, here are some ideas he reinforces which we should already know:

• antivirus software can't detect the newest malware
• browsers and browser plugins, if not up-to-date, can be easily exploited
• Mac and home Linux/Unix users make up a relatively small portion of the Internet's population, so most malware developers don't target these users' systems
• Windows XP is hella vulnerable
Old 07-19-2012, 06:23 AM   #2
UserNameGoesHere

I didn't click/read it or anything, but there is one very important point I want to make.

Once you are infected with anything there are two and only two ways to truly remedy that. One such way is to restore from a known good backup (saved on some medium other than the infected one, of course -- backup partitions on an infected hard drive are no good). The other way is to wipe the medium (fully 0-write it) and reinstall everything from scratch.

NOTHING apart from one of those two methods can guarantee the malware was removed, despite what anyone else tells you. (Keep in mind the computer repair place just wants your money and will run some programs which will remove some stuff and they'll do what they can but you can never be sure it is 100% except for one of the two above methods)

Also, if you have extremely rare firmware malware (in other words, it didn't just write data to your hard drive but it updated firmware in some piece of hardware) then even restoring from a known good backup or 0-writing the drive and reinstalling from scratch won't fix it. That kind of malware is very rare though since it generally can only be written to affect some very specific piece of hardware and unless you had that exact hardware, it does nothing.

Removal of firmware malware may or may not be possible, depending on the hardware and on the infection.
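The "known good backup" in the post above is only known good if you can show the copy has not changed since you saved it. As an added example (not code from this thread or from any poster), here is a small Python integrity manifest: record a SHA-256 per file, keep the manifest on separate media, and diff the backup against it before restoring. The directory layout, file names and contents are constructed sample data.

```python
"""Integrity manifest for a known-good backup.

Added example for this thread (not the poster's code). A backup is only
"known good" if you can show it has not changed since you saved it; this
records a SHA-256 per file and compares later. The sample files are
constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the files on disk with a manifest kept on separate media.

    Returns three sorted lists: files whose content changed, files that
    disappeared, and files that were not in the manifest at all.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Build a manifest for constructed sample files, then tamper and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "notes.txt").write_text("constructed sample content\n")
        (root / "config.ini").write_text("[app]\nmode=safe\n")
        manifest = build_manifest(root)        # would be stored off this medium
        clean = verify_backup(root, manifest)  # untouched copy: nothing reported

        # Simulate what an infection on the same medium could do to the copy.
        (root / "config.ini").write_text("[app]\nmode=safe\nrun=dropper.exe\n")
        (root / "dropper.exe").write_bytes(b"MZ constructed placeholder")
        (root / "docs" / "notes.txt").unlink()
        tampered = verify_backup(root, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for state, report in demo().items():
        print(state, report)
```

The hashes prove the copy still matches what was recorded, not that the recorded files were clean in the first place, so the manifest has to be built at the moment you trust the machine. Keeping the manifest on the same medium as the backup defeats the point (the same infection can rewrite both); storing it elsewhere, or signing it, closes that gap.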
Old 07-19-2012, 10:25 AM   #3
ELRayford

Quote: Originally Posted by UserNameGoesHere
Once you are infected with anything there are two and only two ways to truly remedy that. One such way is to restore from a known good backup (saved on some medium other than the infected one, of course -- backup partitions on an infected hard drive are no good). The other way is to wipe the medium (fully 0-write it) and reinstall everything from scratch.

NOTHING apart from one of those two methods can guarantee the malware was removed, despite what anyone else tells you. (Keep in mind the computer repair place just wants your money and will run some programs which will remove some stuff and they'll do what they can but you can never be sure it is 100% except for one of the two above methods)
I would have to call you on this one. It very much depends on the type of malware/infection. I have been successful in completely removing various forms of malware. Rkill bad processes, Find infected files, delete files, find bad registry entries, delete registry entries. Infection gone. Sometimes you can remove a malware infection in minutes. Sometimes you "can't" remove it without reloading the OS.

Give THIS a read. THIS is a sort of walkthrough of the manual removal process. Pretty easy.

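The manual process in the post above ends with finding and removing bad registry entries, and the Run keys are where most of that looking happens. As an added example, not from this thread or from the walkthrough the post links, here is a Python triage script that parses a constructed `reg export` of the per-user Run key and flags entries for review using two defender heuristics: the program launches from a user-writable directory, or it goes through a script host rather than a normal application binary. The sample entries, the directory list and the host list are assumptions made for the example; the output is a review list, not a verdict.

```python
"""Triage of autorun (HKCU ...\\Run) entries exported from the registry.

Added example for this thread, not the walkthrough ELRayford linked.
Input is the text format produced by `reg export`; the sample below is
constructed and the heuristics are a starting point for manual review,
not a verdict.
"""
import re

# Constructed sample export; the names and paths are invented.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\svch0st.exe"
"Helper"="wscript.exe \"C:\\Users\\alice\\AppData\\Roaming\\helper.vbs\""
"Steam"="\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"
'''

ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

# Assumed heuristic lists: directories any user can write to, and hosts that
# run scripts or DLLs rather than a signed application binary.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}


def unescape(value: str) -> str:
    """Undo .reg escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_run_entries(text: str) -> dict:
    """Return {value name: command line} for every REG_SZ line in the export."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m["name"]] = unescape(m["value"])
    return entries


def program_of(cmd: str) -> str:
    """Lower-cased base name of the executable in a command line (quoted or not)."""
    cmd = cmd.strip()
    prog = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return prog.rsplit("\\", 1)[-1].lower()


def triage(entries: dict) -> dict:
    """Map each flagged entry name to the list of reasons it deserves a look."""
    findings = {}
    for name, cmd in entries.items():
        reasons = []
        if any(d in cmd.lower() for d in USER_WRITABLE_DIRS):
            reasons.append("launches from a user-writable directory")
        if program_of(cmd) in SCRIPT_HOSTS:
            reasons.append("uses a script host or LOLBin")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_run_entries(SAMPLE_REG)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run it against a real export and the two flagged entries are what you would then check by hand (publisher signature, file creation time, whether the path exists at all); plenty of legitimate software also autostarts from AppData, which is why the script reports reasons instead of deleting anything. The same parser works on an export of the machine-wide Run key under HKLM.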
Old 07-19-2012, 10:37 AM   #4
who_cares973

I've paid elray hundreds of dollars to remove malware, spyware, desktop icons and I regret nothing. Best 700 dollars I ever spent
Old 07-19-2012, 10:40 AM   #5
ELRayford

Quote: Originally Posted by who_cares973
I've paid elray hundreds of dollars to remove malware, spyware, desktop icons and I regret nothing. Best 700 dollars I ever spent
Old 07-19-2012, 11:34 AM   #6
rushyrulz



I lol'd
Old 07-19-2012, 01:13 PM   #7
dAnceguy117

thanks for posting the resources, elray. I need to get more comfortable with poking around in the registry. ugh such a pain in the ass.

Quote: Originally Posted by ELRayford
Sometimes you can remove a malware infection in minutes. Sometimes you "can't" remove it without reloading the OS.
pretty much the bottom line when it comes to dealing with this stuff.

I lol'd at that one too, rushy. a couple more goofy comments:



Old 07-19-2012, 04:13 PM   #8
UserNameGoesHere

Quote: Originally Posted by ELRayford
I would have to call you on this one. It very much depends on the type of malware/infection. I have been successful in completely removing various forms of malware. Rkill bad processes, Find infected files, delete files, find bad registry entries, delete registry entries. Infection gone. Sometimes you can remove a malware infection in minutes. Sometimes you "can't" remove it without reloading the OS.

Give THIS a read. THIS is a sort of walkthrough of the manual removal process. Pretty easy.
Go ahead and call me out on it. The fact of the matter is, once a machine is infected, you can never be truly, 100% sure everything is clean except by one of the two methods I stated. You can do a good job of removing most stuff, true -- but it's the malware that you don't find which is the most dangerous. And the more findable malware is present on a machine, the greater the chance that malware which isn't so easy to find is present as well.

I'm not saying malware removal services aren't useful -- they are. What I am saying is you can never 100% prove you removed absolutely all malware. Because, remember, the most dangerous malware is intended to be as invisible or undetectable as possible. That includes when using the best tools available.

And if you do happen to run into firmware malware, even the two methods I mentioned won't work.
Old 08-18-2012, 12:47 AM   #9
Calcium Deposit

That's a level of paranoia that doesn't belong to consumer-level computing

At the enterprise level, yes you have to be super cautious because odds are you're worth hacking into to someone. But if you're just some dinky nerd on a computer trying to chat people up on neopets you've got the protection of anonymity and not being worth a damn

Tl;dr Odds are pretty good as long as you're not retarded or running a public server you're not going to run into any attacks/malware

If you did get a virus or whatever it's always 100% your fault
Old 08-18-2012, 03:14 AM   #10
UserNameGoesHere

Install WindowsXP original edition (not SP1 or SP2) from official Microsoft installation media on a brand new hard drive and then immediately get the updates (don't browse any websites or install anything else first) and let me know how that works out for you.

10 out of 10 says you'll be infected before you can even get the updates.

The "solution" is to block specific ports in a hardware firewall, disable very specific things on WindowsXP prior to ever connecting a network cable, change several other things, and then connect to update and hope it's good enough to be able to get the updates before you get hit with something exploiting that older unpatched version of Windows. And/or download the updates on a different machine, copy them to some media you'll then use on the unpatched machine (external hard drive for example) to patch prior to ever touching the Internet.

Mind explaining why that's 100% the user's fault without resorting to lol buy a newer computer or lol buy a newer version of Windows or lol use Linux/Mac or some other non-answer?
Old 08-18-2012, 01:02 PM   #11
dAnceguy117

^ wow good call. yeah that's some bullshit really. pretty sure Microsoft doesn't tell its "legacy" customers (aka people who keep things until they stop working) that safely running XP while connected to the internet is basically impossible.

Quote: Originally Posted by Calcium Deposit
That's a level of paranoia that doesn't belong to consumer-level computing

At the enterprise level, yes you have to be super cautious because odds are you're worth hacking into to someone. But if you're just some dinky nerd on a computer trying to chat people up on neopets you've got the protection of anonymity and not being worth a damn

Tl;dr Odds are pretty good as long as you're not retarded or running a public server you're not going to run into any attacks/malware

If you did get a virus or whatever it's always 100% your fault
lol neopets.

gotta say though, I disagree. obviously people are in it for the money. would you rather spend time working on a way to break through corporate network security, or just infect and steal credit card info from a ton of machines operated by incompetent home users? not saying the latter is always more lucrative, but I think it's foolish to assume no one has any interest in going that route.

anyway I have my own reasons for being interested in the topic. IT major, yada yada.

Old 08-19-2012, 03:53 PM   #12
PsYcHoZeRoSk8eR

Just spent 30 minutes writing up a response to this. Then it got deleted when I tried to post it. Saving this as a placeholder in case I decide to re-write my responses to all of this. To keep this post worth the space:

Serious question: Does anyone here work with/on this stuff professionally? Anyone else studying this sort of stuff?

@dAnceguy117 what are you studying and when do you graduate?
Old 08-20-2012, 04:12 AM   #13
Choofers

I really want to see some malfoyware
Old 08-20-2012, 09:13 AM   #14
Nullifidian

Quote: Originally Posted by Calcium Deposit
If you did get a virus or whatever it's always 100% your fault
That's not entirely true. Some malware gets into your computer without you doing anything except browsing.

see:
Old 08-20-2012, 12:36 PM   #15
dAnceguy117

^ hey cool someone else read this stuff :)

Quote: Originally Posted by PsYcHoZeRoSk8eR
@dAnceguy117 what are you studying and when do you graduate?
the major is actually just called information technology, haha. I plan to graduate this coming spring. I'm mostly looking to do coding/programming work (should've majored in CS mayhaps? oh well), but I'm generally interested in any IT-related topic.

just started an internship a month ago. I've done a little bit of web development, but mostly it's been poking around a database using phpPgAdmin plus a bunch of generic desk job tasks.