Unix admins have known this for a long time.  There is only one way to reliably clean ANY infected machine…wipe and reload.
For a long time, the best-practices approach to malware infections has been to re-format and re-image the infected machine from known clean media. However, there are some corporate security teams that continue to simply run an antivirus product as a way to clean the computer of malware. This is often the case, especially when faced with an infection by “nuisance” malware such as spambots or rogue antivirus programs. The danger in simply running an antivirus product against the machine is that even if the antivirus product cleans the observed infection, how much other malware was installed on the machine that the antivirus engine can’t detect?

There are three major factors at play here, which illustrate why running a “cleaner” tool is often not enough:

Malware has become increasingly more sophisticated and capable of hiding from or disabling anti-malware scanners. These days only a forensic-level investigation can detect certain malware under some conditions.

Malware authors now have easy access to tools that let them run their creations through dozens of antivirus engines at once. Some of these tools do not deliver scanned samples to antivirus companies for analysis, so a malware author can simply keep tweaking his/her creation until it is no longer detected, and then deploy it to your network via existing botnet infections, malvertising, spear-phishing, and other attack vectors.

As evidenced by the botnets detailed above, more malware authors are taking advantage of pay-per-install services. These systems will always try to maximize profit and install multiple unique pieces of malware after they initially infect a PC. To date, antivirus has been shown to generally have a 20% or less effectiveness rate against new threats. So for each pay-per-install infection, if you detect one bot, there might be four more installed alongside that aren’t detected.

The major risk is that while you might have removed the nuisance malware, something more sinister may still be lying in wait to steal or destroy data. Any compromise of a PC should be treated as if it has the potential to do the maximum damage. One could hire a malware expert to do low-level forensic analysis on the infected system, but in some cases, it comes down to the skill of the expert versus the skill of the malware author – both are essentially unknowns. This is why we repeat the mantra of “re-format/re-image” – it’s the only way to effectively mitigate the risk with a high level of assurance.

via Spambot Evolution 2011 – Research – SecureWorks.