
Home Security Tip: Nuke It From Orbit

I say we take off and nuke the entire site from orbit. It's the only way to be sure. -Ripley (Sigourney Weaver) in Aliens

While working at home has some definite advantages, like the Executive Washroom, Executive Kitchen, and Executive HDTV, all this working at home alone can get a little isolating. I realized the other month that I spend more hours every day with my cats than any other human being, including my wife.

Thus I tend to work out of the local coffee shop a day or two a week. Nice place, free WiFi (that I help secure on occasion), and a friendly staff. Today I was talking with one of the employees about her home computer. A while ago I referred her to AVG Free antivirus and had her turn on her Windows firewall. AVG quickly found all sorts of nasties- including, as she put it, "47 things in that quarantine thing called Trojans. What's that?"

Uh oh. That's bad.

I warned her that her system, even with AV on it, was probably so compromised that it would be nearly impossible to recover. She asked me how much it would cost to go over and fix it, and I didn't have the heart to tell her.

Truth is, as most of you professional IT types know, it might be impossible to clean out all the traces of malware from a system compromised like that. I'm damn good at this kind of stuff, yet if it were my computer I'd just nuke it from orbit: wipe the system and start from scratch.

While I have pretty good backups, this can be a bit of a problem for friends and family. Here's how I go about it on a home system for friends and family:

  1. Copy off all important files to an external drive- USB or hard drive, depending on how much they have.
  2. Wipe the system and reinstall Windows from behind a firewall (a home wireless router is usually good enough, a cable or DSL modem isn't).
  3. Install all the Windows updates. Read a book or two, especially if you need to install Service Pack 2 on XP.
  4. Install Office (hey, maybe try OpenOffice) and any other applications.
  5. Double check that you have SP2, IE7, and the latest Firefox installed. Install any free security software you want, and enable the Microsoft Malicious Software removal tool and Windows firewall. See Security Mike for more, even though he hasn't shown me his stuff yet.
  6. Set up their email and such.
  7. Take the drive with all their data on it, and scan it from another computer. Say a Mac with ClamAV installed? I usually scan with two different AV engines, and even then I might warn them not to recover those files.
  8. Restore their files.
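For step 7, here is an added example (written for this page, not Rich's own script) of scanning the copied-off data drive with ClamAV from a clean machine and setting aside anything flagged so it cannot be restored by accident. It assumes `clamscan` is installed and its signatures have already been refreshed with `freshclam`, that the drive is mounted at the path given as the first argument, and that the quarantine directory given as the second argument is on the clean machine. The sample scanner output at the bottom is constructed, with made-up signature names, purely so the parsing can be exercised without a real infected drive:

```shell
#!/bin/sh
# Added example, not from the original post: scan a copied-off data drive
# with ClamAV from a clean machine and quarantine anything it flags.
# Assumptions: clamscan is on PATH, freshclam has already been run, $1 is
# the mounted data drive and $2 is a quarantine directory on the clean box.

# Read clamscan output on stdin and print one flagged path per line.
# clamscan reports each hit as "path: SignatureName FOUND".
infected_paths() {
    sed -n 's/^\(.*\): [^:]* FOUND$/\1/p'
}

# Count how many files clamscan flagged (reads clamscan output on stdin).
count_found() {
    infected_paths | wc -l | tr -d ' '
}

# Scan a directory tree, keep the full report, and move every flagged file
# into the quarantine directory with its original path preserved underneath.
scan_and_quarantine() {
    src="$1"
    quarantine="$2"
    log="$3"
    mkdir -p "$quarantine"
    # -r recurses into the tree; --infected prints only the files that hit,
    # which keeps the report short enough to read through by hand.
    clamscan -r --infected "$src" > "$log"
    infected_paths < "$log" | while IFS= read -r path; do
        dest="$quarantine$path"
        mkdir -p "$(dirname "$dest")"
        mv -- "$path" "$dest"
        echo "quarantined: $path"
    done
    echo "report: $log"
}

# Constructed sample of what clamscan prints (signature names are made up),
# used only to exercise the parsing above without a real infected drive.
SAMPLE_OUTPUT='/Volumes/DATA/docs/letter.doc: Win.Trojan.Example-1 FOUND
/Volumes/DATA/photos/cat.jpg: OK
/Volumes/DATA/downloads/setup.exe: Win.Trojan.Example-2 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Scanned files: 3
Infected files: 2'

# Only run a real scan when both paths are supplied, e.g.
#   sh scan_drive.sh /Volumes/DATA /var/quarantine
if [ "$#" -eq 2 ]; then
    scan_and_quarantine "$1" "$2" "$2/clamscan.log"
fi
```

Run it once with fresh signatures, then again after the drive has sat for a few weeks, as the post suggests; a second engine's report can be fed through the same quarantine logic once its output is reduced to one flagged path per line. Quarantined files stay on the clean machine for inspection rather than going back onto the rebuilt system.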

This isn't perfect, but I haven't had anyone get re-infected yet using this process. Some of the really nasty stuff will hide in data files, but if you hold onto the files for a few weeks, at least one AV engine will usually catch it. It's a risk analysis; if they don't need the files I recommend they trash them. If they really need the stuff we can restore it as carefully as possible and keep an eye on things. If it's a REALLY bad infection I'll take the files on my Mac, convert them to plain text or a different file format, then restore them. You do the best you can, and can always nuke it again if needed. In her case, I also recommended she change any bank account passwords and her credit card numbers.

It's the only way to be sure...

—Rich


Comments:


By davidv  on  10/02  at  04:57 AM

That’s exactly what I do. I would just add that you should make the volume you copy your files to FAT32 / FAT16 / a CD, so that any alternate data streams are not preserved in the files.

By Adrian  on  10/02  at  08:03 PM

I have needed to wipe out and rebuild three machines in the last two years because of infection so pervasive that it could not be fixed with confidence. This is a great piece of advice that sometimes even security professionals cannot fix the problem, and have to choose the nuclear option. Problem is I think the average user is not prepared to perform a system re-install, so unless you are prepared to walk your mother-in-law through the process over the phone (ahem) I do not always volunteer this course of action. I do recommend keeping the original software and key files somewhere so you can re-install. Make sure that you save the ISP settings (IP, DNS, etc), email settings and the like prior to the install. I run the installation, prior to the point the firewall and AV is configured, off line. I have even gone to the step of keeping a permanently "off the grid" computer for file, patch, license key and AV file storage. The only way on or off the box is through scanned USB or production CD, and "auto run" is absolutely disabled.

By rmogull  on  10/02  at  09:41 PM

Good points, and some excellent suggestions- especially for dealing with the ADS problem.

I solved the problem a little differently. I just switched my Mom to a Mac :)

By davidv  on  10/04  at  12:49 AM

Oh, well that’s just cheating. Then again, anything with security and Macs qualifies as cheating in my book =D.

*pets his home iMac*
