  1. #1
    5 Star Lounger
    Join Date
    Jan 2011
    Location
    Seattle, WA
    Posts
    1,070
    Thanks
    42
    Thanked 132 Times in 86 Posts

    TOP STORY

    The malware wars: How you can fight it

    By Michael Lasky

    A tip-filled conversation with Andrew Brandt, director of threat research at Solera Networks, reveals some of the ways hackers sneak malware into PCs. Malware most often embeds itself with our unwitting help, but even when we have our defenses fully up, malware can still climb aboard. Nevertheless, there are practical and effective ways to defeat it or clean it out after the fact.

    The full text of this column is posted at WindowsSecrets.com/top-story/the-malware-wars-how-you-can-fight-it/ (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

  2. #2
    5 Star Lounger
    Join Date
    Nov 2010
    Posts
    665
    Thanks
    1
    Thanked 26 Times in 24 Posts
    See my post here.

  3. #3
    New Lounger
    Join Date
    Dec 2009
    Location
    Guildford, Surrey, UK
    Posts
    24
    Thanks
    0
    Thanked 0 Times in 0 Posts

    I got a trojan from Microsoft

    On Monday this week, by coincidence, I was trying IE9 (I normally use Firefox, but in an idle moment). Then I thought, "Isn't IE10 out soon?" and followed the links to the MS site.

    I downloaded and ran the installer, and what an installer for just a browser update! It shut down everything, including Security Essentials and even Windows Explorer, so that my desktop vanished. Eventually it rebooted, and almost immediately Security Essentials picked up Trojan:JS/Seedabutor.B in the IE temporary internet files folder.

    Obviously I let it delete the file and ran a full scan.

    Now I don't use IE at all and only last week ran CCleaner and MyDefrag for a monthly clean up. That Trojan must have come from MS.

    Worst of all there seems to be no way to report this to MS. I tried for half an hour to find an email address, I even rang the switchboard, twice, but just ended up dumped in a circle of "press 2 for this, press 5 for that." I gave up but maybe you guys have a back door to knock on?

  4. #4
    Star Lounger pseudoid's Avatar
    Join Date
    Feb 2011
    Posts
    99
    Thanks
    16
    Thanked 12 Times in 6 Posts
    I received 3 emails from "DHL". Each email stated that there was some "Postal Code" error in attempting to deliver me a package. Each email was received from a different sender. Each email stated that if I did not respond to the email in a timely manner, they had the right to ownership of the delivery item. Each email also contained a ZIP file which was supposed to contain the details of the error. This ZIP file actually contained an executable, as shown below. The third email was from "DHL Manager", and I became interested in finding out about the attached ZIP file.

    My Windows 8 antimalware protection did not think there was anything wrong with the ZIP file attachment. I put the ZIP file on an old USB stick and unzipped it. The executable had the same name as the ZIP file, yet my system still did not think it was a threat.

    I did a brief Google search to find out if I could post this *.exe somewhere that could tell me if it contained malware. One of the Google results was a company called virscanDOTorg. I was not comfortable that this website itself was a reputable website. I did a search to find out about h**p://rDOTvirscanDOTorg and read the company's "About VirScan" page, and when I saw some Chinese characters at the site and that it was 'translated to English', I started getting concerned. But I needed to find out if any of the 37 listed anti-malware clients this website used could detect any sort of malware in the *.exe I was in possession of! All of the major big-name anti-malware programs appeared to be included in this list of 37. I finally relented, uploaded the file to Dropbox and had VirScan do a scan on the *.exe. Of the 37 malware tests VirScan performed, only three (8%) of them detected a trojan in the *.exe package.
    h**p://r.virscanDOTorg
    File Name : **LABEL-ID-NY20**2013-GFK**.exe
    File Size : **56320 byte
    File Type : **PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : **65f**d2d3d8bb7fb3acfae94**8320e5
    SHA1 : **4f703854f**31c53cf8ccf2fa**55fd5e8186fd9
    Pasted from <http://r.virscan.org/73342d**19850748479758ae8f**7f73>
    Authentium >> W32/Trojan3.EYX (Exact)
    ClamAV >> PUA.Win32.Packer.Upx-53
    F-Prot >> W32/Trojan3.EYX (exact)
    I am now really puzzled whether these emails were (or were not) a scam.
    And I am really tempted to click on the *.exe, just in case my great great uncle left me a $million dollar booty.
    But I would not dare.
    Yet, in the interim, I hope that I was not jacked by this VirScan website.
    Last edited by pseudoid; 2013-03-21 at 05:44.
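    The attachment pattern pseudoid describes (a ZIP whose real payload is an executable named after the archive, which the local scanner waves through) can be triaged without unzipping it onto a working machine. The script below is an added example, not code from this thread or from VirScan: the archive and the PE-like stub it inspects are constructed inside the script, and the flag names and the "same name as archive" heuristic are choices made here, not anything the scan report defines.

```python
import hashlib
import io
import struct
import zipfile

EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}

def build_fake_pe() -> bytes:
    # Constructed stand-in for a Windows executable: a DOS "MZ" stub whose
    # e_lfanew field (offset 0x3C) points at a "PE\0\0" signature. Not a program.
    return b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20

def build_sample_zip(stem: str) -> bytes:
    # Constructed attachment: an exe named after the archive, plus a .pdf-named decoy with the same bytes.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{stem}.exe", build_fake_pe())
        zf.writestr("invoice.pdf", build_fake_pe())
    return buf.getvalue()

def looks_like_pe(data: bytes) -> bool:
    # True when an MZ stub's e_lfanew points at a PE signature (a bare "MZ" is not enough).
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage_zip(zip_bytes: bytes, archive_name: str) -> list:
    # Hash and flag every entry in memory; nothing is written to disk or executed.
    archive_stem = archive_name.lower().rpartition(".")[0]
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            base = info.filename.rsplit("/", 1)[-1].lower()
            stem, dot, ext = base.rpartition(".")
            if not dot:                      # no dot at all: whole name is the stem
                stem, ext = base, ""
            is_pe = looks_like_pe(data)
            flags = []
            if ext in EXEC_EXT:
                flags.append("executable extension")
            if is_pe:
                flags.append("PE header")
                if ext not in EXEC_EXT:
                    flags.append("extension hides executable content")
            if stem == archive_stem:
                flags.append("same name as archive")
            findings.append({"name": info.filename, "size": info.file_size, "flags": flags,
                             "md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()})
    return findings
```

    The hashes are what you would look up or submit to a multi-engine scanner in place of the file itself, so the sample never leaves your hands.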

  5. #5
    New Lounger
    Join Date
    Mar 2013
    Posts
    7
    Thanks
    0
    Thanked 0 Times in 0 Posts
    For the dozen or so Windows boxes I tend to (Win XP through Win 7, accessed remotely using TeamViewer), I favor a "layered" approach: all have Avira Free A/V (with configurations including heuristics set to 'high' and hourly update checks), the Comodo Firewall (configured per the recommendations from Gizmo's Freeware -- https://www.techsupportalert.com/con...o-firewall.htm ), WinPatrol, the Secunia PSI (I prefer v2.0), the Firefox browser (with NoScript, HTTPS-Everywhere and Force-TLS), the Web of Trust (some configured to exclude certain types of sites) and SpywareBlaster (which does occasionally need to be updated manually). Oracle's Java is either not installed or not enabled in the browser.

    Some machines have Microsoft's EMET deployed; all XP machines have DropMyRights. The DNS has been changed to Comodo SecureDNS, Norton DNS or OpenDNS.

    CCleaner (augmented with CCEnhancer) runs at start-up.

    Regular on-demand scans with Malwarebytes Anti-Malware and SUPERAntiSpyware (free versions), Kaspersky's TDSSKiller and Trend Micro's RootkitBuster have consistently shown no infections over several years; Malwarebytes Anti-Rootkit (in beta) also shows promise -- http://www.malwarebytes.org/products/mbar/ (discussion: http://www.techrepublic.com/blog/sec...t-pursuit/9207).
    Last edited by AJNorth; 2013-03-21 at 15:58.

  6. #6
    Silver Lounger
    Join Date
    Oct 2012
    Posts
    2,335
    Thanks
    13
    Thanked 267 Times in 260 Posts
    Ya, I'm on the virtualization bandwagon also. I use almost nothing at all in the way of AV protection. Good router, I let Defender do its thing as long as it stays out of the way. I'm not at all curious like pseudoid is. That said, my computers have not caught so much as the sniffles in years, so I may not be a typical example, but virtualization is still the way to go: not if one is interested in protecting confidential data, but if interested in easily recovering from any infection from any direction should it get onboard, it certainly is. One can still feel free to layer up, so to speak, but the virtualization layer will bail one out regardless.

  7. #7
    New Lounger
    Join Date
    Mar 2013
    Posts
    7
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Virtualization is an excellent approach; unfortunately, it is not a practical solution for the technically challenged -- which represents most of the machines in my care. Therefore, the trick is to harden these systems as much as possible in a way that requires an absolute minimum of operator interaction, or inconvenience (even having to work with NoScript and DropMyRights annoys several of the users...). The old acronym, KISS (Keep It Simple, Stupid) often comes into play, unfortunately.

  8. #8
    Silver Lounger
    Join Date
    Oct 2012
    Posts
    2,335
    Thanks
    13
    Thanked 267 Times in 260 Posts
    I agree completely when it's a separate process, but when it's built right into the boot process, similar to what Steady State is for XP, it could not be more simple. There is still a challenge even there, though: getting the user to recognize when and when not to have system virtualization active, so one can update programs and the operating system without removing those changes upon the next boot.
    It's always a challenge in some respect no matter what we maintain, and as you mentioned, virtualization can be screwed up just as easily by an inept user... and hence we come upon the real common denominator.

  9. #9
    New Lounger
    Join Date
    Dec 2009
    Location
    San Jose, Costa Rica
    Posts
    13
    Thanks
    0
    Thanked 3 Times in 2 Posts
    Gr8 article, Mike! Most important for me was the heads-up on XP and the method for discovering abbreviated URLs for the different services providing them. THAT made my day. Thanks.

  10. #10
    Lounger
    Join Date
    Jun 2010
    Location
    Ontario, Canada
    Posts
    27
    Thanks
    0
    Thanked 0 Times in 0 Posts
    From his years of observing malware, Brandt believes that "the number one delivery method of a hack is a ZIP file. It might be disguised as a link or email attachment, but when opened, it will automatically unzip and execute the exploit that lodges malicious code in your computer."
    Is something lost in translation here..? ZIP files do not unzip themselves. Self-extracting ZIP files unzip themselves, but technically those would be EXE files.

    "From my research, I've noticed that these files are usually deposited in temp-file locations. They show up as .exe or .dll files. You don't normally find executable files in a temp-file folder."
    And this is just paranoia. Executable files routinely end up in a temporary folder. It happens almost every time you run a perfectly legitimate installation program, or sometimes when you use a program's auto-update feature, or if you run an application inside a ZIP file without unzipping it somewhere else first (depending on what app you're using for ZIP files). Baffling.

  11. #11
    Star Lounger pseudoid's Avatar
    Join Date
    Feb 2011
    Posts
    99
    Thanks
    16
    Thanked 12 Times in 6 Posts
    kehander, most archiving programs allow for integration directly into the File Manager/Explorer. When used in this manner, the ZIP files appear to look like folders, and their content (normally) is shown on the right pane, as if they were data files within the ZIP 'folder'. Think of it as a form of virtualization, but I would recommend against such integration, as it makes the content of a zip package too easy to execute. Cheers!

  12. #12
    Lounger
    Join Date
    Jun 2010
    Location
    Ontario, Canada
    Posts
    27
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Most archiving programs allow for integration directly into the File Manager/Explorer. When used in this manner, the ZIP files appear to look like folders, and their content (normally) is shown on the right pane, as if they were data files within the ZIP 'folder'.
    "Most archiving programs"? The only one I know of that acts that way is the Zip-management built into Windows Explorer by default. Were you thinking of something in particular..?

    Even so, a ZIP file opened in such a fashion won't "automatically unzip and execute the exploit" all by itself; you'd at least have to purposefully run whatever executable is in the ZIP.

    Pedantic? Perhaps, but we hardly need rumors about magical ZIP files that spontaneously infect computers, now do we?

  13. #13
    Star Lounger tgw7078's Avatar
    Join Date
    Jul 2010
    Location
    Seattle, WA., USA
    Posts
    90
    Thanks
    1
    Thanked 12 Times in 12 Posts
    Generally good article, but I would appreciate a more thorough explanation of the statement "Stop using Windows XP." To me, this sounds like it toes the Micro$oft line about the reason to upgrade. Yes, there was mention of UAC (User Access Control) built into Windows 7, but there was also a statement that indicated the typical Pavlovian dog response: "Most people just click Okay and continue". So, they are not getting the benefit of UAC. What about running any operating system under restricted privileges for browsing, such that no software can be installed? Is Windows XP still in need of updating in that scenario?
    Tom Wickerath
    Microsoft Access MVP
    4/1/2006 - 3/31/2012

  14. #14
    Star Lounger pseudoid's Avatar
    Join Date
    Feb 2011
    Posts
    99
    Thanks
    16
    Thanked 12 Times in 6 Posts
    kehander,
    I should probably not reply but just to kill any potential "rumors"; you are welcome to read the rest of this fresh piece of discussion:
    ... Today, we benchmark three of the most well-known archiving and compression tools: 7-Zip, WinRAR, and WinZip. Not only do they support a massive number of formats, but they also integrate with Windows Explorer, making their functionality easy to access from where it's actually needed. Pasted from <http://www.tomshardware.com/reviews/winrar-winzip-7-zip-magicrar,3436.html>
    ... as it makes the content of a zip package too easy to (click to) execute.

  15. #15
    Lounger
    Join Date
    Dec 2009
    Location
    New Jersey USA
    Posts
    29
    Thanks
    0
    Thanked 4 Times in 3 Posts

    Thumbs down

    This is just another scare-you-to-buy article. Grade: Poor
