I was reading this
Windows 2003 Enterprise infected by Conficker; post-infection problems continue
And they talk about nuking it from orbit (which apparently means wiping out the system and starting over) or at least doing an OS reinstall with full format
How are the two things different? Or is it because it is a server thing that these two mean different things?
-
"We must destroy the village in order to save it" = MilSpeak for The Viet Cong have so infiltrated everything that we can no longer differentiate between friendlies, civilian bystanders and enemy combatants. Which meant, "Call in the BUFFs for a complete carpet bombing to erase it." Same thing goes with a really complete virus/malware pwnage, burn it to the ground to kill the anthrax and start again. – Fiasco Labs Mar 13 '13 at 01:00
-
Doesn't look like a duplicate to me. Both the questions and accepted answers are different. The duplicate question assumes you already know the answer to this one. – OrangeDog Oct 21 '19 at 09:34
4 Answers
I say we take off and nuke the entire site from orbit. It's the only way to be sure.
Probably the origin of this saying.
In the context of having your computer infected by a virus: even if malware seems to be removed, it may not be - and the only way to be sure it's completely gone (and even then it's hard to be 100%) is to completely wipe the system and start fresh.
We all know what happens when you don't nuke Xenomorphs from orbit. Don't expect any better from malware.
The phrase nuke it from orbit basically means to wipe your system and start from a clean slate. What that clean slate might be differs in different situations.
If you perform regular backups of your system, which you should, restoring from a previous backup might be possible IF you were able to use forensics means to discover the time of infection. Restoring from a backup point before you got infected will be safe enough.
Of course, if you do not keep regular backups, you are in for a world of hurt. If you have important files on the system, you must diligently analyze each and every single file and ensure that it isn't infected before transferring it to the new, clean system. This is difficult.
-
So nuking is a more robust removal method as opposed to restore points? How is it different from format and reinstall? Or does it also include reinstalling the firmware for routers, in case we are talking about servers and networks? – user13267 Mar 13 '13 at 00:57
-
Yep. Less chance of residual infection from infected backups. You should be aware of malware that's persistent in things like the BIOS as well, in which case Nuke it might mean scrap the hardware as well! – NULLZ Mar 13 '13 at 00:59
"Nuke the site from orbit - it's the only way to be sure" is a quote from the movie Aliens, in which the protagonist suggests that an infestation of xenomorphs is so pervasive that a nuclear response is the only sure way to destroy it.
Synonyms in this context include:
"Flatten the box"
"Repave it"
"(FDISK,) Format and reinstall"
"Start again"
So when someone says "nuke it from orbit", they really mean "destroy it utterly" (and start over).
The substantial difference between nuking it from orbit and formatting the disk is that malware may also be present on components of your server other than the disk.
As this answer to the linked question already states, malware can by now - at least theoretically - affect any flashable, persistent storage.
And since there are more and more components running a firmware inside one server, it would really be a PITA to verify each component's (flash) storage.
E.g. someone could modify your NIC's firmware, creating backdoor access to booting the machine from a remote source (network boot) or enabling/exploiting any other remote management feature.
Therefore: Nuke the whole machine!