Thursday, April 9, 2009

Virus strikes while reinstalling Windows

I have heard more than one security expert preach "disconnect your machine while reinstalling Windows." I never really believed it until now. Is it really possible to be infected while reinstalling Windows? In short, the answer is "YES".

Recently at work we were rebuilding a Server with Windows Server 2003. Upon completion of the installation routine we attempted the usual configuration most system administrators can do in their sleep. This time, however, we couldn't access Task Manager. Windows kept saying it's been disabled by your Administrator. Being the geeky technical types, we checked Active Directory Group Policies and a bunch of other security policies. We must have spent just under an hour on all these other items before we saw the light and decided to scan for viruses. Remember, this Server was freshly rebuilt; we had not even browsed the Internet on it.

20 minutes after we initiated a scan we confirmed an infection. Needless to say, we were blown away. When the dust settled, the reality of the situation hit us hard. "Oh my god, we have a worm loose on our network." It's actively scanning vulnerable machines. Panic set in, and like good little fire fighters we set gears in motion looking for other Servers with similar symptoms. It took us several days to track down a handful of other Servers infected with the same virus strain.

There you have it: "proof" you can be infected while reinstalling Windows. When you think about it, it makes total sense. I mean, reinstalling from the original Windows Recovery CD, you're going back in time, potentially erasing years of security, years of painful and diligent patching.

Needless to say we've changed our practices... but only after learning the hard way.

Monday, April 6, 2009

Conficker - When will people get it?

Conficker was big-time hyped in the media last week. What makes Conficker so special and raises its media-worthiness status? It's just another piece of malware code infecting yet more Windows boxes, turning them into spam-spewing zombies or identity theft honeypots. By Symantec's estimates, Windows' claim to fame in 2008 is that over 1 Million Viruses and other flu-causing agents are now floating around the Internet. Why are media outlets focusing on one or the other at any one time?

Shock and Awe. Simple as that. Media, whether it's TV, Radio, Print or other, need sensational headlines. On the flip side, hearing regular reports about each new Virus or piece of malware makes no sense and would eventually be counterproductive. People would stop listening. But splash the latest malware name everywhere and people listen.

However this is bad security... Viruses and malware work because people don't know or just don't care. Most don't understand the realities of malware infection, SPAM and Identity Theft. Most users I speak to don't understand and when I sit down and explain how things work they're amazed and shocked.

I think education is the key to a safer computing and Internet environment. It works in a business environment. When I've conducted training sessions with my users, I see a higher long-term awareness of malware and Spam avoidance. Throwing more money into bigger and better Anti-Virus software isn't the answer. Users must take ownership of their machines and must understand the consequences of not protecting themselves. Until this happens, Viruses and malware will continue their free ride from oblivious users.

Media outlets can help by spreading the education news. Instead of reporting splashy new malware, why not educate users on how to protect themselves? Sure, it's not a headline grabber, but if you repeat something 20 times it becomes a habit.