
How do security vendors differentiate between various malware?


denniz
April 18th, 2008, 11:46 AM
There are various security vendors that produce anti-spyware products that either do or don't include anti-virus protection. For example PC Tools and Webroot both have programs that can combine both anti-spyware and anti-virus technology into one product, but you can also buy only the anti-spyware package without the anti-virus protection.

Since a clear difference between different kinds of malware is becoming blurred more and more, and all kinds of malware have characteristics that can either belong to viruses, spyware or other malware.... how do security vendors like PC Tools and Webroot make the decision in what product/suite they are going to add a certain malware sample as signature? They can either add it only to their combined anti-spyware with anti-virus package or they can choose to also add it to their anti-spyware only package without anti-virus.

Any ideas?

To clarify my question a bit:

Quote from the PC Tools website:

-{ Quote: "
Spyware Doctor with AntiVirus Full Version:
Protection Against: Spyware, Adware, Trojans, Viruses, Worms, Keyloggers, Identity Theft, Hijackers, Tracking Threats, Rogue Anti-Spyware, Unwanted Software, Phishing, Popups and Bad Websites.

Spyware Doctor Full Version:
Protection Against: Spyware, Adware, Spyware Trojans, Keyloggers, Identity Theft, Hijackers, Tracking Threats, Rogue Anti-Spyware, Unwanted Software, Phishing, Popups and Bad Websites.
" }-

The items marked bold are the differences in detection signatures.

ErikAlbert
April 18th, 2008, 01:32 PM
Good question. I asked this myself too and I knew ahead, I would never get a clear answer.

Webroot has an AV-box and AS-box. If they get a new malware, they put it in one of those boxes and the choice is based on someone's opinion at Webroot.
The users of course don't know in which box the malware is, so Webroot recommends users to buy AV and AS in order to get a "complete" removal of malware.

Everything about scanners is blurry, unsure, .... and I don't like such a situation.
So I fixed it myself and now I have a very clear solution. :)

denniz
April 18th, 2008, 01:37 PM
Incredibly blurry indeed, I guess that's one of the reasons why complete security suites are becoming more and more popular, because a clear definition of what specific malware is, is becoming harder as more malware comes out and becomes more advanced.

ErikAlbert
April 18th, 2008, 02:20 PM
-{ Quote: "Incredibly blurry indeed, I guess that's one of the reasons why complete security suites are becoming more and more popular, because a clear definition of what specific malware is, is becoming harder as more malware comes out and becomes more advanced." }-
Security suites are as blurry as the rest. They are usually a collection of Firewall, AV scanner and AS scanner; that doesn't make things better.
I call them Frankenstein suites, because many suites are a combination of components (FW, AV, AS) from different companies.

Huupi
April 18th, 2008, 04:43 PM
I guess it's not easy to make an engine (algorithm) that covers them all, so just a little respect for these developers who are trying hard to keep you safe! ;)

EASTER
April 19th, 2008, 12:26 PM
-{ Quote: "Security suites are as blurry as the rest. They are usually a collection of Firewall, AV scanner and AS scanner, that doesn't make things better.
I call them Frankenstein suites, because many suites are a combination of components (FW, AV,AS) from different companies." }-

I take the same stand as member herbalist here in that if a malware is fashioned well enough it can bring down the entire Suite of firewalls/AS and all, and is why I prefer to individualize security with different apps by separate vendors in a classic layered approach.

Just in my own opinion I have more confidence and have realized better results from depending on the experiences individual developers have put into their respective products since they test them against even POC's, which I'm sure commercial types do too, but there is far less potential for the single developers to get lost in a flood of too much at one time, and with a single product they can super fine tune them to be at their very best with the least amount of issues or confusion that plague the bigger players all the time relentlessly.

One point of view. EASTER

herbalist
April 19th, 2008, 09:20 PM
I remember a thread at a forum I used to work about a PC that was always opening to a page with porn ads. Scans with AVs, both local and online, found nothing. Neither did AAW, Spybot, and several other tools. We finally narrowed it down to an hta file, which they sent me. At the time, my test PC had every scanner I could get on it. Only one app alerted to this hta. That was Script Sentry, which only warned that the file would open web pages. I checked with different vendors. The AV vendors called it adware or a trojan, depending on which one you asked. Said it was outside the scope of their detections. AAW considered it a trojan, which they didn't detect back then. An anti-trojan vendor called it adware. The end result was it went past all of them.

The pri/sec community has been fighting this classification problem forever. The reality is that malicious code hasn't fit into single categories for years. IMO, classifying malware is an obsolete idea that should have been stopped years ago. Commercial interests have kept this outdated idea alive, primarily to sell users another anti-whatever product, the same interests that still push file scanning and detection by signatures or only detect certain types of threats unless you buy their "pro" version.

The different vendors have never agreed on any standardized definitions for even the simplest of categories such as worms, viruses, trojans, etc. This is easily seen by submitting a malicious file to VirusTotal and looking at the results. It's bad enough that they don't use the same names, but they can't agree on whether it's a trojan, worm, or something else. This has caused nothing but problems for users, especially when the malware requires a specific tool to remove it. If vendor "A" says it takes a special tool to remove a specific piece of malware and the user gets the tool from vendor "B", it's entirely possible that it could be for a completely different piece of malware.

This is just one of the many problems with AVs, ATs, AS, and other "anti's" that use definitions, reference files, etc. Their biggest problem is that they're reactive instead of proactive. If they don't recognize it and don't see any obvious malicious intent in its design, they allow it to run. IMO, that makes them too undependable for front-line defense. All it takes is a new piece of encrypted malware (one that they don't have a signature for) that attacks AVs and security suites to take one down. On mine and the PCs I maintain for my clients, HIPS and a separate rule based firewall are the frontline software defenses, and they're configured to defend each other.
Rick
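herbalist's point about VirusTotal results is that vendors rarely agree on a category (trojan, worm, adware) even when they are looking at the same file. The script below is an added example, not code from any poster or vendor: it normalizes a set of constructed vendor-style labels for one imaginary sample into (category, family) pairs and reports where the vendors agree. The labels, vendor names and the normalization heuristic (category keywords, platform tokens to skip, first remaining token taken as the family) are all assumptions; it is not real VirusTotal output.

```python
import re
from collections import Counter

# Category words that vendors commonly put first in a label (assumed list).
CATEGORY_WORDS = {
    "trojan": "trojan", "trj": "trojan", "worm": "worm", "virus": "virus",
    "adware": "adware", "spyware": "spyware", "backdoor": "backdoor",
    "downloader": "downloader", "pup": "pup", "riskware": "pup",
}
# Platform / qualifier tokens that carry no family information (assumed list).
PLATFORM_WORDS = {"win32", "w32", "win", "msil", "generic", "gen",
                  "variant", "heur", "suspicious", "malware"}


def normalize(label: str) -> tuple[str, str]:
    """Reduce a vendor label to (category, family); 'unknown' where absent."""
    tokens = [t.lower() for t in re.split(r"[./:\-_!@ ]+", label) if t]
    category, family = "unknown", None
    for tok in tokens:
        if tok in CATEGORY_WORDS:
            if category == "unknown":        # first category word wins
                category = CATEGORY_WORDS[tok]
            continue
        # Skip platform tags, one- or two-letter variant suffixes and numbers.
        if tok in PLATFORM_WORDS or len(tok) <= 2 or tok.isdigit():
            continue
        if family is None:
            family = tok
    return category, family or "unknown"


def majority(counter: Counter):
    """Return the value held by more than half the votes, else None."""
    if not counter:
        return None
    top, n = counter.most_common(1)[0]
    return top if n * 2 > sum(counter.values()) else None


def summarize(labels: dict[str, str]) -> dict:
    """Tally categories and families across vendors; empty label = no detection."""
    detections = {v: normalize(l) for v, l in labels.items() if l}
    cats = Counter(c for c, _ in detections.values())
    fams = Counter(f for _, f in detections.values())
    return {
        "detected": len(detections),
        "total": len(labels),
        "categories": dict(cats),
        "families": dict(fams),
        "category_consensus": majority(cats),
        "family_consensus": majority(fams),
    }


# Constructed labels for one imaginary sample, in the style of vendor naming.
SAMPLE_LABELS = {
    "VendorA": "Trojan.Win32.Agent.abc",
    "VendorB": "Worm:Win32/Agent.B",
    "VendorC": "W32/Agent.A",
    "VendorD": "Adware.Generic!gen",
    "VendorE": "Trojan-Downloader.Win32.Agent.x",
    "VendorF": "",                      # no detection
}

if __name__ == "__main__":
    for vendor, label in SAMPLE_LABELS.items():
        print(f"{vendor:8s} {label:35s} -> {normalize(label)}")
    print(summarize(SAMPLE_LABELS))
```

On the constructed input, five of six vendors detect the sample and four of them agree on the family, yet no category reaches a majority: two say trojan, one worm, one adware and one gives no category at all. That is the disagreement herbalist describes, and it is why a removal tool chosen by another vendor's name may target something else entirely.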

trjam
April 19th, 2008, 09:49 PM
I disagree. AV vendors may be stumbling a bit introducing the needed changes to again fill the gap, but I think as time goes by, you will see they are just as capable of keeping you safe as using multiple products from different vendors.

herbalist
April 20th, 2008, 09:55 AM
In the last several years, AVs have changed. Whether it's for the better depends on your point of view.
The installers are 3-5 times larger than they were a couple of years ago.
The present installer for AntiVir is over 21MB. Last year it was 11MB. In 2004, the whole package was 3.7MB. AVG's present free version is 36.6MB. In 2006, it was 16MB. In 2004, it was under 10MB. Bloated is an understatement.

They've gone from using 1 or 2 running processes to 4 or more. They consume more disk space and resources than they ever have. The performance loss they cause is noticeable on most systems. On older ones, it's severe.

Updates had to be made incremental because the reference files are so big they take hours to download on slow connections. The present detection files for AVG are almost 22MB. For AntiVir, they're just under 20MB. Two or more hours just to download an incomplete list of what you don't want on your PC! With malware kits being sold, this will only get worse.

Many of the AV vendors have started updating several times a day. Some update almost every hour. That does not mean that they can detect new malware within an hour or 2 after its release. I submit the malware that I encounter on the web or that turns up in my webmail box to VirusTotal. The usual results are detections well under 50%. I'm not out hunting for the newest malicious code. Much of it I encounter while searching for something completely different or it just shows up in my mailbox. I've received malware from people I know who don't realize they're infected and don't believe it when I tell them. If AVs were as effective as they'd like us to believe, we wouldn't be contending with huge botnets, created by malware the AVs didn't detect.

IMO, the biggest reason for not relying on AVs for a primary defense is the cost of failure. Malware used to be annoying, intrusive, and very hard on a PC's performance. A lot of it was very "in your face", almost challenging you to get rid of it. Remember CoolWebSearch? Present day malware is careful to hide its existence. The average user would never know it's there. Its purpose is far more costly. Financial theft. Turning your PC into a porn server. Sending spam. Launching attacks on legitimate sites.

It's much harder to detect and remove modern malware. The average AV isn't going to remove a rootkit or one that infects the BIOS. No security software is going to remove malicious code if it infects the firmware. The malware writers maintain and update their code. They test it against the different AVs and security apps. The result is PCs that get infected will most likely remain infected, even with up to date security software. Think about it. If the BIOS or firmware is compromised, even a live CD isn't secure.

The only truly secure OS is one whose components, whitelisted processes, and security policies are strictly "read only", unchangeable. Unfortunately, Windows is the exact opposite. Anything goes. A lot of malware can already tell when it's being run in a sandbox or virtual operating system. They will figure out how to break out and infect the underlying system, with the user completely unaware of it. IMO, the only way to keep Windows secure is a strictly enforced default-deny policy for the users, the operating system, and every installed application. The cost of failure is too high to trust your security to a concept that has been obsolete for years.
Rick

solcroft
April 21st, 2008, 01:25 AM
herbalist, I am disappointed that someone as knowledgeable as you would resort to misinformation simply for the sake of championing your personal ideologies. BIOS and firmware can be corrupted or otherwise rendered inoperable by malware, but they cannot be "infected" in the manner you suggest, and with the newer versions, resetting them to their default states is often a trivial task. I also want to address some other (in my opinion, misguided) points you've made:

1. AVs are bloated. The top vendors detect literally terabytes' worth of malware with only several MBs worth of signatures. I don't think that's bloated; in fact, I think that's amazingly efficient. Their increase in size and resource usage is far, far outstripped by the growth in hardware capabilities, and with several notable exceptions, the majority of them perform well even on low-end systems, since low resource consumption is a desirable product feature that vendors strive for. In fact, I'd have more problems naming products that DON'T perform well on low-resource systems, than naming products that do.

2. If AVs did as well as their creators claim, then we wouldn't see botnets or other malware. This is incredibly short-sighted and ignorant of the dynamics of malware propagation. herbalist, I see you are extolling the virtues of whitelisting in your post to the extent of claiming that the only "truly secure" OS is one that employs whitelisting. Do you honestly think that the malware problem would end once and for all if you took whitelisting to the masses and made it the only option available to them?

Security "experts" have been predicting the death of AVs for years now, and their justifications all read like they're taken from the very same script: that malware writers are evolving to combat traditional AVs and vendors can't keep up with the sheer volume. What many people don't seem to realize is that the battle of attrition is a smaller part of the picture than expected. The antivirus industry thrives on its diversity. Every vendor chooses different parts of a file to fingerprint and add to their signature databases, and every vendor uses different algorithms and techniques for their generic and heuristic detections. Simply put: you can fool some of them all the time, but fooling all of them all the time is a feat achieved only by a very rare few. The antivirus industry itself acts almost like an ecosystem by shoring up each other's weaknesses, with any imbalances quickly rectified by their creators (the antivirus vendors). And unless a virus can defeat this entire ecosystem as a whole, or at least a major part of it, it tends to be quite short-lived indeed.

That, in my opinion, is one of the major reasons antivirus software has performed well, and will continue to do so. Of course, let's not forget that, while they have their own individual weaknesses, the logistics abilities of antivirus vendors far exceed what the general public can conceive. That is also one of the reasons why there's no such thing as a "best" antivirus, for if one would ever emerge to claim such a title and command the market share it would immediately find itself in a precariously besieged position. This was what I think happened to Symantec during 2003-ish, and it's happening to Rising in China now.

herbalist
April 21st, 2008, 11:20 PM
Infected firmware is a reality. There's already several instances of products being shipped with infected firmware. Pre-infected firmware identified as additional IT security risk factor. (http://www.prosecurityzone.com/Customisation/News/IT_Security/Network_Security,_Routers_and_Data_Centres/Pre-infected_firmware_identified_as_additional_IT_security_risk_factor.asp) This could just as easily be done on PCs. Like any other system update, the BIOS and firmware are updated with downloadable utilities. These could be replaced with infected ones if someone wanted to compromise the server they're stored on. Trusted sites and servers getting hacked is becoming commonplace.

Yes, the BIOS can be reset on the newer hardware, if the user has some reason to think it's been compromised. Modern malware gives very few if any indications that it's there. Just how would the average user determine whether his BIOS or firmware is compromised? I wholly expect that malware will continue to dig deeper into PCs, deeper than the OS itself, into the BIOS, firmware, chipset drivers, etc. This is one instance about which I truly hope I'm wrong.
-{ Quote: "The top vendors detect literally terabytes' worth of malware with only several MBs worth of signatures. I don't think that's bloated; in fact, I think that's amazingly efficient." }-
Efficient?? What is efficient about checking every file and process against a list that's several megabytes long just to make sure that it's not something that's malicious? It would be hard to come up with a more inefficient method. It's far more efficient to make a list of the desired processes that are part of your system. It's also much safer as the unknown malicious file does not run. Just the fact that malicious code has been created in terabyte quantities tells me just how proactive AVs are not. I'd hate to guess how many infected PCs that translated into before each one was added to their detections.
-{ Quote: "If AVs did as well as their creators claim, then we wouldn't see botnets or other malware. This is incredibly short-sighted and ignorant of the dynamics of malware propagation." }-
I am very much aware of how malware is propagated and how that has evolved over the years, enough so to recognize that AV technology has not evolved nearly as fast and has not taken advantage of the advances in technology. Malware writers have made full use of today's high speed internet service to distribute malware and maintain the botnets. Malicious code can be spread almost instantly. Unlike the viruses and worms of a few years ago, it doesn't take days or weeks to make their code widespread. What used to take days can be done in less than an hour now. By the time AVs add a piece of malware to their detections, it's already infected plenty of PCs.
-{ Quote: "I see you are extolling the virtues of whitelisting in your post to the extent of claiming that the only "truly secure" OS is one that employs whitelisting." }-
Actually, I said that the only truly secure OS is one where everything is "read only" and unchangeable. That's not Windows or an installed OS. That's a live CD. Whitelisting the allowed processes is a step in that direction but it's a far cry from a read only system. Yes, I do recommend and use whitelisting and a default-deny security policy. It works. It is so much simpler and easier to keep track of and allow the hundred or so executables that run on your system than it is to maintain and check against a detection list that contains hundreds of thousands or millions of entries, one that is never complete or completely up to date. As for the masses, as long as users, operating systems, and security packages allow the unknown to install and run, a large percentage of the masses will have infected PCs. Educating users with bits and pieces of advice accomplishes very little. If educating users was effective, we wouldn't be seeing phishing e-mails, infected attachments, etc. Users wouldn't be opening them. The fact that this garbage is in circulation only proves that the users haven't learned the simplest steps to protect themselves, starting with "Don't open that unsolicited junk".
-{ Quote: "The antivirus industry thrives on its diversity. Every vendor chooses different parts of a file to fingerprint and add to their signature databases, and every vendor uses different algorithms and techniques for their generic and heuristic detections. Simply put: you can fool some of them all the time, but fooling all of them all the time is a feat achieved only by a very rare few." }-
Why would any malware writer need to fool all of them all of the time? Users don't have all of them installed. Most PCs run one AV. A malware writer only needs to beat that one AV one time to own that system. Whether that infection is short term or lasts the life of the PC isn't that important. If it lasts long enough to gain access to your accounts or to harvest a fresh list of potential victims, that's plenty long enough to be very costly.

I want to make one thing completely clear. I have not said that AVs are useless or that the average users shouldn't have one. My position is that they're not dependable enough to be the front line defense. Their weakness is that they allow code that's unknown to them to run. When this is combined with users and an operating system that allows the unknown to run, PCs will be infected, identities stolen, accounts accessed, etc.

A simple policy change regarding how unknown code is handled would prevent a very large percentage of infections if not the majority of them. Setting up a security package that will enforce such a policy is not difficult. Getting the average user to stop opening or installing junk is the hard part.
Rick

Rmus
April 22nd, 2008, 12:47 AM
-{ Quote: "Do you honestly think that the malware problem would end once and for all if you took whitelisting to the masses and made it the only option available to them?" }-
One need not take on the burden of the masses. Suffice it to work with those who will listen. Whitelisting of all executable files on the user's computer will prevent any other executable from installing without the user's permission.

This takes care of one of the two principal methods by which malware installs: remote code execution.

-{ Quote: "Since a clear difference between different kinds of malware is becoming blurred more and more, and all kinds of malware have characteristics that can either belong to viruses, spyware or other malware...." }-
In another forum there was a heated argument as to the difference between a virus and a trojan. Does it really matter? Whitelisting will block any malicious executable, no matter what its name.

Computer security doesn't have to be complicated.

The second method by which malware installs is when the user is tricked into installing a program which is really malware.

I am not in the camp which believes that educating the users is not effective. It's true, that you can be overwhelmed by the statistics of the misfortunes of the "masses," but why should that influence your own work with people who will listen?


----
rich

_________________________________________________________________________
Just because someone else's shoes are too tight, why should my feet hurt?

solcroft
April 22nd, 2008, 12:59 AM
-{ Quote: "Infected firmware is a reality. There's already several instances of products being shipped with infected firmware. Pre-infected firmware identified as additional IT security risk factor. (http://www.prosecurityzone.com/Customisation/News/IT_Security/Network_Security,_Routers_and_Data_Centres/Pre-infected_firmware_identified_as_additional_IT_security_risk_factor.asp)" }-

Reality? What reality?

herbalist, have you taken the time to read that article before quoting it as proof of your so-called reality? I did, and it was an absolute waste of my time. I see nothing but an alarmist "security firm" warning the public about the "reality" of infected firmware from communist China. The basis behind their claim? Some instances of USB removable media being shipped infected with autorun worms in the past. herbalist, please stop wasting my time with ridiculous jokes like these.

-{ Quote: "Yes, the BIOS can be reset on the newer hardware, if the user has some reason to think it's been compromised. Modern malware gives very few if any indications that it's there. Just how would the average user determine whether his BIOS or firmware is compromised? I wholly expect that malware will continue to dig deeper into PCs, deeper than the OS itself, into the BIOS, firmware, chipset drivers, etc. This is one instance about which I truly hope I'm wrong." }-
In other words, more speculated misinformation. I will have to reiterate my utmost disappointment that one as knowledgeable as you chooses to resort to such methods, herbalist. There are legitimate means to advertise your personal ideologies, and this is not one of them.

-{ Quote: "Efficient?? What is efficient about checking every file and process against against a list that's several megabytes long just to make sure that it's not something that's malicious? It would be hard to come up with a more inefficient method." }-
You claimed that AVs were bloated, and I was simply refuting that misguided claim. There's no need to shift the goalposts in hindsight by pretending you were talking about something else. There's also nothing "inefficient" about checking every file and process, since efficiency is a measure of input effort against obtained results. The user gets quite a good measure of protection with minimal (or zero) interaction on their part. Several megabytes of signatures are used to detect terabytes of malware. If those were the other way round, then it would be inefficient; but it's not.

-{ Quote: "Why would any malware writer need to fool all of them all of the time? Users don't have all of them installed. Most PCs run one AV. A malware writer only needs to beat that one AV one time to own that system." }-
Wrong. Obviously you didn't understand my previous post, if at all. Like all the other paranoid alarmists, you're trying to simplify the situation to virus beats AV = virus owns computer, which is a popular but utterly misguided conception. To make it to that computer, a virus often has to make it through layers of AVs at different checkpoints through the internet, not only the one on the end user's computer that it can beat. A virus has to be unnoticed by the general populace at large if it wants to be successful, only that the problem is that everyone uses different AVs. If a site gets hacked, visitors and providers will find out because they all use different AVs. If a virus spreads via USB drives, it has to get through every single other AV on every single computer to finally reach the computer that uses the AV it can beat. Not to mention that the successful propagation of malware is also dependent on a host of other factors, such as demographics, the presence of exploitable loopholes, how fast you can spread before the AVs update and catch you, etc etc etc. This is why malware writers need to fool all of them all of the time, because writing a virus that beats only one specific AV and then gets wiped out by the collective antivirus ecosystem mere seconds after it is released is so stupid it's funny. What's even funnier is that the pundits who groan and moan about the "death" of AVs actually seem to believe this crap, and the ones they spew.

You also claim that user education is useless. Here's a quick reality check for you, herbalist. ANYTHING without user education is useless, including whatever security methods that you care to praise all the way to the heavens. It all starts and ends with user education, unless you're the owner of their computers and have the legal right to dictate, to the very letter, what they can or cannot do with them.

MrBrian
April 22nd, 2008, 03:26 AM
-{ Quote: "Whitelisting of all executable files on the user's computer will prevent any other executable from installing without the user's permission." }-

Whitelisting is a nice strategy for those willing to abide by it, but I have found it lacking for my own use. I use a HIPS with a vendor-supplied whitelist. Unfortunately, when I install anything relatively new, it is often not found on the whitelist. So what do I do then - not use it, or find an older version somewhere that perhaps might be on the whitelist? Vendors and download sites often have only the most recent version of a given program. And what if the primary reason I wish to use the new version is that it fixes a security problem?

herbalist
April 22nd, 2008, 07:15 AM
It's clear that you will only see what you want to. It's also clear that you have a full set of derogatory labels for those who don't agree. Malware has managed to make identity theft into big business, making their owners huge amounts of money. They control thousands upon thousands of other people's PCs and use them to spam and attack whoever they choose, and you call that failure. By your standards, if they don't control the world, they've failed. That's a very twisted definition of failure. The botnets don't get taken down when AVs start detecting the malware that was used to build them. The AVs aren't capable of removing that malware, but you call that failure for the malware and success for the AV vendors? Take off your rose tinted glasses and stop sounding like an industry spokesman claiming that everything will be fixed with the next update. As for infected firmware and BIOS infections, there were a few thousand Google entries for each. Read them yourself.

When I respond to your statements, you accuse me of "shifting the goalposts". You changed the subject each time. I'm not going to waste my time answering each point or addressing each statement of mine that you've twisted.
Rick

solcroft
April 22nd, 2008, 07:51 AM
-{ Quote: "It's clear that you will only see what you want to. It's also clear that you have a full set of derogatory labels for those who don't agree." }-
Don't look at me, herbalist. You're the one presenting vague, unsubstantiated misinformation of infected BIOSes and firmware, presenting redoubtable media sources as "evidence" of your misguided conceptions. I think you're in a poor position indeed to accuse the people who debunk your myths of seeing only what they want to see. Has it ever struck you that you may be guilty of the very shortcoming you so vehemently accuse others of?

-{ Quote: "By your standards, if they don't control the world, they've failed. That's a very twisted definition of failure." }-
And you accuse me of twisting your statements. Well done.

The very simple fact remains that users, as always, play a vital role when it comes to the effectiveness of any software. Whether deliberately or out of genuine ignorance, you're omitting this very important factor and placing the blame squarely on the software, and what's more, you seem more interested in repeating your misguided drivel over and over instead of presenting any scientifically valid statistics that would actually get you somewhere. Of the people who use antivirus software, what is the ratio of infected users to uninfected ones? Of the infected users, how many have kept their software updated, correctly configured, and used other protection in tandem to cover themselves (firewall, antispyware if their antivirus doesn't detect spyware, etc)? The list goes on.

I know it's tempting to simply repeat popular rhetoric, herbalist. It's easy, and it sounds convincing to the unsuspecting, uneducated masses. Best of all, it's hard to debunk because it does contain some truth to it, no matter how twisted to fit your purposes and how irrelevant they are to the situation. Unfortunately, it also gets you nowhere. The Earth isn't flat, herbalist. It's round.

-{ Quote: "As for infected firmware and BIOS infections, There were a few thousand Google entries for each. Read them yourself." }-
Here's another reality check, herbalist: There's a few thousand Google entries for just about everything under (and above, for that matter) the sun. At this point, I'm no longer surprised that you had to resort to Google for an emergency search of "evidence" to back up your claims, as opposed to you knowing the subject matter before you opened your mouth. And since there's so many; surely it would be a trivial matter to find a credible one that backs up your claims, instead of some vague FUD about communist China developing infected firmware in secret to dominate the world?

Rmus
April 22nd, 2008, 11:32 AM
-{ Quote: "Whitelisting is a nice strategy for those willing to abide by it, but I have found it lacking for my own use. I use a HIPS with a vendor-supplied whitelist. Unfortunately, when I install anything relatively new, it is often not found on the whitelist." }-
I specified that I refer to Whitelisting of executables already installed on the computer, which prevents any remote code execution exploit from succeeding - the first method I described for getting malware. For example, this would have prevented being exploited by the 2007 Super Bowl web site hack, or a current banner ad exploit, both of which install a malicious trojan.

As far as installing new programs - the second way I described by which malware can install: either you trust your source, or trust what you use to check/scan. I see no difference.


----
rich

EASTER
April 22nd, 2008, 02:01 PM
Very good exchanges gentlemen and good information, I'll back off NOW and let this MEETING continue but I will say this, this Topic is making for a great book of articles I'm personally taking serious note of and it's one of those that will prove very good reading material chock full of differing and some like comparisons that better brings things to grips on this ordeal we all must deal with.

EASTER

ErikAlbert
April 22nd, 2008, 05:04 PM
In a period of two months I ran most AVs and certainly all the big ones. They didn't detect anything, not even an MRU, except false positives.
That's because I use two whitelists: Anti-Executable (= only executable objects) and FDISR-archives (= all objects). The second whitelist also cleans my system partition in a way I've never seen before.

No AntiVirus scanner can beat an AntiChange scanner and my computer is the living proof of it. Give me any AV/AS/AT/AK/AR/... scanner and I will run it.
I don't only remove known malware, I also remove undiscovered, new malware and unborn malware, including zero-day threats.

No malware can survive in my system partition. Isn't that the final goal of security, having a clean system?
And the beauty of all this is that I don't have to do anything to accomplish this. I only have to reboot my computer, like everyone else does.

Fly
April 22nd, 2008, 05:28 PM
-{ Quote: "One need not take on the burden of the masses. Suffice it to work with those who will listen. Whitelisting of all executable files on the user's computer will prevent any other executable from installing without the user's permission.

This takes care of one of the two principal methods by which malware installs: remote code execution.

In another forum there was a heated argument as to the difference between a virus and a trojan. Does it really matter? Whitelisting will block any malicious executable, no matter what its name.




----
rich

_________________________________________________________________________
Just because someone else's shoes are too tight, why should my feet hurt?" }-

(partial quote above)

Whitelisting as the solution?
What if some piece of malware became whitelisted, or a whitelisted program were altered?

For example, by an exploit. There are plenty of those. See secunia.com. From what I've read, criminals can reverse-engineer a patch to take advantage of a vulnerability in minutes or seconds.

Then there is social engineering, one way to get a potentially dangerous program whitelisted. Or by Flash, scripting, etc.

Or perhaps the whitelisting software is bugged. What program isn't?

Whitelisting can be useful, but it does not provide perfect protection.

Huupi
April 22nd, 2008, 05:59 PM
-{ Quote: "(partial quote above)

Whitelisting as the solution?
What if some piece of malware became whitelisted, or a whitelisted program were altered?

For example, by an exploit. There are plenty of those. See secunia.com. From what I've read, criminals can reverse-engineer a patch to take advantage of a vulnerability in minutes or seconds.

Then there is social engineering, one way to get a potentially dangerous program whitelisted. Or by Flash, scripting, etc.

Or perhaps the whitelisting software is bugged. What program isn't?

Whitelisting can be useful, but it does not provide perfect protection." }-

To kill them all in one sweep, maybe Erik Albert's approach of rebooting to a clean slate? It's certainly the hardest on any changes, including the things you don't like (malware).

MrBrian
April 22nd, 2008, 05:59 PM
-{ Quote: "I specified that I refer to Whitelisting of executables already installed on the computer, which prevents any remote code execution exploit from succeeding - the first method I described for getting malware." }-

Ok, noted.

Do you make exceptions for auto-updating programs (including Microsoft Automatic Updates and anti-malware program auto-updates) or simply not use auto-updating? When you install a new program, do you have an exception for a certain download folder, or do you turn off the whitelisting protection altogether temporarily?

Fly's post is correct that a whitelisted program can behave maliciously in the presence of malicious content (whether it's a malicious script exploiting a security vulnerability, a buffer overflow exploit active within a whitelisted process, or perhaps in the future null+offset pointer dereference exploits - see http://www.wilderssecurity.com/showthread.php?t=207023).

Rmus
April 22nd, 2008, 07:02 PM
-{ Quote: "Whitelisting as the solution?" }-

Please keep in mind the two methods of infection I described. White Listing is the solution for the first method.

In setting up a White List, you assume a clean computer. Then, all executable files are White Listed (there are many besides .exe -- .dll, .ocx, .sys).

(The same applies to creating a clean image, or installing a program such as Deep Freeze: you assume a clean computer.)

At this point after the White List is created, no executable file can install as long as the protection is enabled. This takes care of any remote code execution vulnerability which attempts to install a malicious executable, meaning that even if the system is not patched (a MSWord exploit which has an embedded trojan, for example) that trojan cannot install if the user is running as LUA, or with SRP enabled, or with a 3rd party program such as Process Guard or Anti-Executable.

-{ Quote: "There is social engineering. One way to add a potentially dangerous program to get whitelisted....
Whitelisting can be useful, but it does not provide perfect protection. " }-

Not in the case of social engineering, of course, because the user disables the protection to install what is considered to be a legitimate program. This falls into "user education" which I covered in my post #12.

-{ Quote: "Fly's post is correct that a whitelisted program can behave maliciously in the presence of malicious content (whether it's a malicious script exploiting a security vulnerability, a buffer overflow exploit active within a whitelisted process, or perhaps in the future null+offset pointer dereference exploits - see http://www.wilderssecurity.com/showthread.php?t=207023). " }-

Yes, that is very interesting code manipulation. Will a real-world exploit fall into a remote code execution exploit, or depend on social engineering? The preventative measures are different for each case.

-{ Quote: "Do you make exceptions for auto-updating programs (including Microsoft Automatic Updates and anti-malware program auto-updates) or simply not use auto-updating? When you install a new program, do you have an exception for a certain download folder, or do you turn off the whitelisting protection altogether temporarily?" }-

White Listing protection is turned off, the new program is installed, protection turned back on and the program is added to the White List.

This falls into the second method by which malware can get installed: the user gets tricked into installing a malicious program. It's evident that White Listing is not intended to protect in this situation.

It seems to me that there are two alternatives here:

1) you trust your source

2) you trust a way of verifying (checking/scanning).

I don't see any difference between the two.

Each gives the user some degree of confidence in allaying the fear of installing something malicious. Each user has her/his own levels of uncertainty and fear about such things.


----
rich

ErikAlbert
April 22nd, 2008, 07:11 PM
Exploits are also objects. You can't exploit a whitelisted object without installing something else in a system partition, so exploits are removed just like any other malware.

MrBrian
April 22nd, 2008, 07:23 PM
-{ Quote: "
Yes, that is very interesting code manipulation. Will a real-world exploit fall into a remote code execution exploit, or depend on social engineering?" }-

All you need to do to expose yourself potentially to malware is merely surf the web. From http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9058599, we learn that "the majority of Web sites serving up attack code are legitimate domains that have been hacked by criminals." An example cited by http://windowssecrets.com/2008/04/17/02-Flash-ads-bearing-malware-plague-popular-sites is that merely visiting the USA Today website recently exposed you potentially to malware, as a malicious Flash ad appeared on the site.

Unfortunately, buffer overflow exploits are all too common. And when they happen, the exploit code executes within the whitelisted process. Whitelisting will not stop this. However, whitelisting will stop downstream effects, such as if the buffer overflow exploit code attempts to download and run a malicious .exe to continue the attack. (The space available within the buffer is often limited.)

Using Returnil or similar will indeed restore the system partition upon reboot. However, changes to other partitions are not covered by Returnil. Also remember that stolen data cannot be rolled back by a reboot in Returnil.

Rmus
April 22nd, 2008, 08:11 PM
-{ Quote: " An example cited by http://windowssecrets.com/2008/04/17/02-Flash-ads-bearing-malware-plague-popular-sites is that merely visiting the USA Today website recently exposed you potentially to malware, as a malicious Flash ad appeared on the site." }-

From Dunn's article:

-{ Quote: "A hacked Flash advertisement meant that merely viewing a page in your browser was capable of triggering a malware attack on your PC. According to an alert (http://windowssecrets.com/links/$P20d/fd4868h/?url=securitylabs.websense.com%2Fcontent%2FAlerts%2F3061.aspx)on the security site Websense, the ad can take control of the browser without any user interaction at all." }-

This is very misleading, for "triggering a malware attack" suggests malware downloading by remote code execution.

The Websense analysis linked by Dunn clarifies:

-{ Quote: "The banner ad leads to the download of various spyware and ransomware, appearing as legit anti-virus scanners to the uninitiated. " }-

This exploit is a social engineering type, where the victim is enticed to permit the download/installation of the fake software. A prompt-to-download box appears for user action.

-{ Quote: "Unfortunately, buffer overflow exploits are all too common. And when they happen, the exploit code executes within the whitelisted process. Whitelisting will not stop this. However, whitelisting will stop downstream effects, such as if the buffer overflow exploit code attempts to download and run a malicious .exe to continue the attack. (The space available within the buffer is often limited.)" }-

The exploits need detailed descriptions, otherwise the user is left with too many questions.

How is the exploit set in motion? Remote code execution? Social engineering enticing the user to click here? The downstream effects you describe, more often than not, do download a malicious executable. Otherwise, what else does the exploit do? Will one's reboot-to-restore security erase all changes? One can't know without detailed analysis.

Buffer overflow -- and now, Null point attack -- are loaded words which are nothing more than descriptions of methods of attack.

As shown above, when analyzed, they reveal their weaknesses and strategies for combatting them.

One such banner ad exploit redirected to a site to display an animated fake scan, if the flash object were permitted to run:


document.writeln('<embed src="tpl/1/images/scanner.swf"


_________________________________________________________

Neither I, nor anyone I know, would click to play this .swf object, which was a very realistic-looking real-time scan. Therefore, we would not be tricked into downloading malware à la "PC Protection for Free."

End of exploit.


----
rich

MrBrian
April 22nd, 2008, 08:55 PM
-{ Quote: "
How is the exploit set in motion? Remote code execution? Social engineering enticing the user to click here?The downstream effects you describe more often than not, do download a malicious executable. Otherwise, what else does the exploit do? Will one's reboot-to-restore security erase all changes? One can't know without detailed analysis.
" }-

I'll give a different example then. Look at http://www.scmagazineus.com/Malicious-MySpace-banner-downloads-spyware-in-latest-social-networking-attack/article/33655/. Simply going to MySpace at one point in the past could have gotten you infected, if your system was not patched, as there was an infected banner ad. No social engineering or remote code exploit was necessary. One million computers were infected by this. Just going to MySpace with a vulnerable system did the trick - nothing more needed.

-{ Quote: "
The downstream effects you describe more often than not, do download a malicious executable.
" }-

Although I don't have hard data, I would agree, as malware would often like to run on reboot also. There are other possibilities though. For example, a poisoned video could theoretically contain keylogging code with transmission of results via web browser. Whether such malware actually exists others can maybe address.

-{ Quote: "
Will one's reboot-to-restore security erase all changes?
" }-

Yes, whatever is protected by your reboot-to-restore security. If other partitions outside coverage were messed with, then no. Remember also that stolen data cannot be undone by a reboot.

MrBrian
April 22nd, 2008, 09:09 PM
-{ Quote: "
Buffer overflow -- and now, Null point attack -- are loaded words which are nothing more than descriptions of methods of attack.
" }-

If you want a specific example, check out Adobe Flash Player Multiple Vulnerabilities - http://secunia.com/advisories/28083/: "2) An integer overflow in the processing of multimedia files can be exploited to cause a buffer overflow ... Successful exploitation of the vulnerabilities may allow execution of arbitrary code."

Rmus
April 22nd, 2008, 10:09 PM
-{ Quote: "I'll give a different example then. Look at http://www.scmagazineus.com/Malicious-MySpace-banner-downloads-spyware-in-latest-social-networking-attack/article/33655/. Simply going to MySpace at one point in the past could have gotten you infected, if your system was not patched, as there was an infected banner ad. No social engineering or remote code exploit was necessary. One million computers were infected by this. Just going to MySpace with a vulnerable system did the trick - nothing more needed. " }-

Actually, it was a remote code execution exploit, exploiting the .wmf vulnerability:

-{ Quote: "The ad attempts to exploit the infamous Windows metafile (WMF) vulnerability against the victim's web browser, and if it is vulnerable, the code will download a trojan that silently installs spyware from the PurityScan/ClickSpring family." }-

And easily blocked (no patch, in this case), as shown in another site with the same exploit:

________________________________________________________________________


-{ Quote: "If you want a specific example, check out Adobe Flash Player Multiple Vulnerabilities - http://secunia.com/advisories/28083/:" }-

And here is a more recent one affecting other Adobe products:

http://secunia.com/advisories/29838/

There are two considerations I look at:

1) What is the likelihood of encountering such an exploit? (a malformed .bmp file in the above case)

2) What steps do I take to prevent the exploit from carrying out its intentions?

Here is a good example: MSWord file-parsing vulnerability in 2007.
This was of concern to my colleagues who use Word documents on a daily basis:

http://isc.sans.org/diary.html?storyid=3757

-{ Quote: "There are two common scenarios of attack involving Word documents:
Documents that are in themselves not malicious but contain a malicious “embedded object”.

Documents crafted to exploit a file-parsing vulnerability in the application software...
It generally either downloads an external, second-stage payload, or executes an embedded Trojan binary.

These attacks are sparingly used “in public”, but are very common in closely targeted attacks." }-

For consideration #1, it is a targeted attack (mostly corporate)

For #2, White Listing will prevent the downloading of the trojan binary. Also, common practice at the college is to open students' MSWord documents in a text editor, in which case no embedded code (macro viruses, for example) will run.

I think it's possible to deal with all exploits in a similar fashion.

While security advisories are useful -- they alert to the exploit -- it's not until one can test a real one in the wild (or read a detailed analysis of one, as in the sans.org example) that one can formulate a strategy.


----
rich

herbalist
April 22nd, 2008, 10:42 PM
-{ Quote: "Whitelisting is a nice strategy for those willing to abide by it, but I have found it lacking for my own use. I use a HIPS with a vendor-supplied whitelist. Unfortunately, when I install anything relatively new, it is often not found on the whitelist. So what do I do then - not use it, or find an older version somewhere that perhaps might be on the whitelist? Vendors and download sites often have only the most recent version of a given program. And what if the primary reason I wish to use the new version is that it fixes a security problem?" }-
Vendor supplied whitelists have many of the same problems as AV detections or blacklists. It's physically impossible to create a whitelist that covers every version of every user application. Keeping one up to date is another impossible task, which is the scenario you described. The best the vendor producing the whitelist can do is to include the commonly used apps and keep it as up to date as realistically possible.

Vendor supplied whitelists have another potential problem. Just because an application is whitelisted by the vendor doesn't mean that it is compatible with your system and all the other apps you have installed. An application that conflicts with something else you use can be almost as damaging as malware.

If you're reasonably knowledgeable about how Windows works, what the different processes do, and how they interact, you do have another option. Make your own whitelists. HIPS is ideal for creating and enforcing whitelists of the processes on your PC. Ideally, the best time to start building this whitelist is when you install your operating system. That's as close as you can get to being sure your PC is completely clean, that is assuming that your install disk isn't a pirated OS.

There's always some amount of risk when installing and upgrading software. No matter what strategy you use, the risk can't be 100% eliminated. That said, you can eliminate almost all of the risk by establishing a set policy regarding how updates and software installs are done and enforcing that policy for all users. This is the policy I follow when installing or updating software, which includes Windows updates and patches.

1) Make a full system backup before you install anything. Ideally, the backup should be on a separate hard drive or removable media. There's several good options available for backup software. If at all possible, use something other than Windows built in system restore.

2) Verify the digital signature of the update/installer if one is available.

3) Regardless of what the file is or where it came from, scan the item to be installed at VirusTotal or an equivalent site with multiple scanners. No site or server is 100% secure or safe from malicious tampering. Neither are the files they contain.

4) Keep your security software running. Update any AV or malware scanner you have before starting the install. A PC is very vulnerable when the software is being installed or the operating system is being updated. Just because you scanned the installer with every AV available does not guarantee it's clean. There are methods of encrypting malware that will conceal it from AVs. The malware might not be detectable until the installer is unpacked. Some installers download some or all of the files used in the installation. It's also not unusual for an application or its installer to "call home". If your firewall is running during the install process, you'll be alerted if these things happen.

5) Monitor the install with a utility that detects and records changes. I like Inctrl5 for this task. It records all files and folders that are added, deleted, or modified, all registry changes, and can save the change logs as text, html, or in csv format. It's not absolutely necessary to monitor the install process but there are several benefits to doing so. The records let you see any new autostart entries that are created. You can see any file associations that get changed. If you make a file list of all the files on your PC after the initial install, then use Inctrl5 to monitor/record every install and update, you'll have records that show where every file on your system came from and what app uses it.

If the update or software works properly on your system, gets along with your other apps, and meets your expectations, then you can create permanent rules for it with your HIPS and firewall. This effectively adds it to your whitelist. If for some reason you don't want to keep the app or update, use the system backup to get back to the exact same system you started with. There are no problems this way with uninstallers that don't remove everything or don't put the file associations back the way they were.

A policy like this can be an inconvenience, especially when installing something big. It does minimize the risk to your system when installing, prevents leftover files and registry changes from causing unexpected conflicts later, and makes it much easier to restore your system to its previous state. IMO, the benefits easily outweigh the inconvenience.
Rick
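Two ideas from the posts above, Rmus's allow-list of every executable object already on a clean machine (.exe, .dll, .ocx, .sys, not just .exe) and herbalist's before/after install recording, can be shown in one small script. The following is an added example written for this thread; it is not code from Anti-Executable, Inctrl5, Deep Freeze, a HIPS or any other product named here. The executable-suffix set, the file names and the simulated "installer" are constructed for the demo and are assumptions, not anything the thread states. It keys the allow-list on content hash rather than file name, so the case Fly raised (a whitelisted program altered on disk) shows up as a block rather than an allow.

```python
"""Hash-based allow-list of executables plus an install change recorder.

Added example for this thread; it is not code from Anti-Executable,
Inctrl5, Deep Freeze or any other product named here. File names, the
sample "installer" and the set of executable extensions are constructed
for the demo (assumptions, not anything the thread states).
"""
import hashlib
import tempfile
from pathlib import Path

# Assumption: which suffixes count as "executable objects" for the allow-list.
EXEC_SUFFIXES = {".exe", ".dll", ".ocx", ".sys", ".scr", ".cpl"}


def sha256_file(path: Path) -> str:
    """Content hash, so a renamed or replaced binary is not mistaken for the original."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Relative path -> sha256 for every regular file under root (the baseline record)."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_snapshots(before: dict, after: dict) -> dict:
    """What an install added, removed or modified, judged by content hash, not timestamps."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }


def build_allowlist(clean_snapshot: dict) -> set:
    """The allow-list is the set of hashes of executables present on the clean system."""
    return {
        digest
        for rel, digest in clean_snapshot.items()
        if Path(rel).suffix.lower() in EXEC_SUFFIXES
    }


def is_allowed(path: Path, allowlist: set) -> bool:
    """Execution-time check: run only if the file's current hash is on the list."""
    return sha256_file(path) in allowlist


def demo() -> dict:
    """Clean baseline -> allow-list -> simulated install -> change log and run decisions."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "windows").mkdir()
        (root / "windows" / "notepad.exe").write_bytes(b"clean exe")
        (root / "windows" / "kernel.dll").write_bytes(b"clean dll v1")
        (root / "docs").mkdir()
        (root / "docs" / "readme.txt").write_bytes(b"hello")

        clean = snapshot(root)
        allowlist = build_allowlist(clean)  # built from the clean state only

        # Constructed "installer": drops a new binary, replaces a DLL, deletes a text file.
        (root / "newapp").mkdir()
        (root / "newapp" / "setup.exe").write_bytes(b"new installer binary")
        (root / "windows" / "kernel.dll").write_bytes(b"patched dll v2")
        (root / "docs" / "readme.txt").unlink()

        changes = diff_snapshots(clean, snapshot(root))
        decisions = {
            "windows/notepad.exe": is_allowed(root / "windows" / "notepad.exe", allowlist),
            "windows/kernel.dll": is_allowed(root / "windows" / "kernel.dll", allowlist),
            "newapp/setup.exe": is_allowed(root / "newapp" / "setup.exe", allowlist),
        }
        return {"changes": changes, "decisions": decisions}


if __name__ == "__main__":
    result = demo()
    for kind, paths in result["changes"].items():
        print(f"{kind:9s} {paths}")
    for rel, ok in result["decisions"].items():
        print(f"{'ALLOW' if ok else 'BLOCK':5s} {rel}")
```

The change log is what you review before deciding to add the new hashes to the list; until you do, the dropped setup.exe and the replaced DLL are both blocked. Note what this does not cover, which is MrBrian's point: exploit code running inside an already-allowed process never touches the allow-list, so the hash check only catches the downstream step where that code tries to write and launch a new executable.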

ErikAlbert
April 22nd, 2008, 11:08 PM
I don't need a world-wide whitelist, possible or not. I only need a whitelist of applications installed on my system partition. :)

MrBrian
April 22nd, 2008, 11:14 PM
-{ Quote: "
I think it's possible to deal with all exploits in a similar fashion.
" }-

I think we don't actually disagree on anything. I use a HIPS program to control execution, whereas you use a whitelist product, and each is fine.

On the likelihood of exposure issue, you may wish to look at a Google Feb 2008 research paper - http://research.google.com/archive/provos-2008a.pdf. Here are the concluding remarks from the paper:

"The fact that malicious URLs that initiate drive-by downloads are spread far and wide raises concerns regarding the safety of browsing the Web. However, to date, little is known about the specifics of this increasingly common malware distribution technique. In this work, we attempt to fill in the gaps about this growing phenomenon by providing a comprehensive look at the problem from several perspectives. Our study uses a large scale data collection infrastructure that continuously detects and monitors the behavior of websites that perpetrate drive-by downloads. Our in-depth analysis of over 66 million URLs (spanning a 10 month period) reveals that the scope of the problem is significant. For instance, we find that 1.3% of the incoming search queries to Google’s search engine return at least one link to a malicious site."

"Moreover, our analysis reveals several forms of relations between some distribution sites and networks. A more troubling concern is the extent to which users may be lured into the malware distribution networks by content served through online Ads. For the most part, the syndication relations that implicitly exist in advertising networks are being abused to deliver malware through Ads. Lastly, we show that merely avoiding the dark corners of the Internet does not limit exposure to malware. Unfortunately, we also find that even state-of-the-art anti-virus engines are lacking in their ability to protect against drive-by downloads. While this is to be expected, it does call for more elaborate defense mechanisms to curtail this rapidly increasing threat."

Rmus
April 22nd, 2008, 11:44 PM
Thanks for that link, which has lots of useful references.

-{ Quote: "The fact that malicious URLs that initiate drive-by downloads are spread far and wide raises concerns regarding the safety of browsing the Web...For instance, we find that 1.3% of the incoming search queries to Google’s search engine return at least one link to a malicious site." }-

A year or so ago, a friend and I experimented, using IE on Low Security for several hours each weekend, doing our normal work, including Google searches. Not once did we encounter a site with a drive-by download. And we clicked on prominent ad banners whenever encountered.

Recently some bloggers mentioned the prevalence of compromised Google links. I repeated my experiment for a couple of weekends, again, encountering nothing.

It made me wonder, How do people get to these compromised sites? Looking at lists posted by bloggers, I concluded that *none* would be sites that I would be likely to encounter in normal work.

Some other revealing quotes:

-{ Quote: "A more troubling concern is the extent to which users may be lured into the malware distribution networks by content served through online Ads.

Unfortunately, we also find that even state-of-the-art anti-virus engines are lacking in their ability to protect against drive-by downloads.

While this is to be expected, it does call for more elaborate defense mechanisms to curtail this rapidly increasing threat." }-

What, do you suppose, these "more elaborate defense mechanisms" could be?

-{ Quote: "I think we don't actually disagree on anything. I use a HIPS program to control execution, whereas you use a whitelist product, and each is fine." }-

LUA and SRP can be included (discussed in recent threads here at Wilders).


----
rich

EASTER
April 22nd, 2008, 11:47 PM
-{ Quote: "For example, by an exploit. There are plenty of those. See secunia.com. From what I've read, criminals can reverse-engineer a patch to take advantage of a vulnerability in minutes or seconds." }-

Therein lies the premise supporting my own intense scrutiny and high suspicion regarding PATCHES, and why? Just like what's been mentioned, and documented too I might add, they have all too easily been re-patched by malware enthusiasts through clever exploits, which is why I refuse to accept any of them anymore, PERIOD!

-{ Quote: "No AntiVirus scanner can beat an AntiChange scanner and my computer is the living proof of it. Give me any AV/AS/AT/AK/AR/... scanner and I will run it.
I don't only remove known malware, I also remove undiscovered, new malware and unborn malware, including zero-day threats.

No malware can survive in my system partition. Isn't that the final goal of security, having a clean system?
And the beauty of all this is that I don't have to do anything to accomplish this. I only have to reboot my computer, like everyone else does." }-

You can accomplish the same and realize exactly equal results from the combo of Faronics' Deep Freeze with its own Anti-Executable program, which is just fantastic IMO. AE also demands, however, that the user exercise the proper precautions to make a CORRECT decision that their newly included app has first been declared safe by a reliable scanner, to ensure it's indeed whitelist-safe.

As an alternative measure Returnil and in my case Power Shadow Master can also serve to isolate the volume(s) virtually and dismiss accumulated objects on reboot. Other alternatives also exist to improve a sound defense strategy of this nature.

MrBrian
April 22nd, 2008, 11:53 PM
-{ Quote: "Thanks for that link, which has lots of useful references.

A year or so ago, a friend and I experimented, using IE on Low Security for several hours each weekend, doing our normal work, including Google searches. Not once did we encounter a site with a drive-by download. And we clicked on prominent ad banners whenever encountered.
" }-

You're welcome :)

I'm not sure of what to make of the differences between your experiment and Google's report, other than possibly the time the experiments were conducted. Were there differences in the browser addons present? Did you have JavaScript, etc, turned on in the browser? Were you using XP or Vista? Did you have other security software in place? Were you using a limited user account?

As for "more elaborate defense mechanisms," I think it's the kind of stuff discussed here at Wilders :)

You may also wish to look at this Google report, if you haven't seen it already: www.sagecertification.org/events/hotbots07/tech/full_papers/provos/provos.pdf ('The Ghost In The Browser - Analysis of Web-based Malware').

MrBrian
April 23rd, 2008, 12:01 AM
-{ Quote: "Therein lies the premise supporting my own intense scrutiny and high suspicion regarding PATCHES, and why? Just like what's been mentioned and documented too i might add, they have all too easily been repatched by malware enthusiasts thru clever exploits and why i refuse to accept any of them anymore PERIOD!
" }-

You might wish to reconsider. It is true that patches can be reverse engineered to see what changed between the old and new version. But this reverse engineering gives the hacker an idea of what to attack in the old version. The new version, after all, contains the fixes.

Rmus
April 23rd, 2008, 12:05 AM
-{ Quote: "I'm not sure of what to make of the differences between your experiment and Google's report, other than possibly the time the experiments were conducted. Were there differences in the browser addons present? Did you have JavaScript, etc, turned on in the browser? Were you using XP or Vista? Did you have other security software in place? " }-

I purposely use IE6 unpatched for testing -- all scripting enabled, Low Security setting, *hoping* to get something.

After each web site encountered, I checked the cache -- sometimes, looking inside some of the page codes, and .js files -- then deleted the cache.

Only security running was Anti-Executable and Deep Freeze. Any drive-by attempt to download an executable would be flagged by AE.

I concluded that Mrk's statement holds true, "You have to really try to get infected."

I suppose I just didn't get to the "right" places to encounter these dreaded Remote Code Execution exploits (aka Drive-by Downloads).


----
rich

MrBrian
April 23rd, 2008, 12:19 AM
-{ Quote: "I purposely use IE6 unpatched for testing -- all scripting enabled, Low Security setting, *hoping* to get something.
" }-

Maybe your testing window needs to be longer than a weekend. After all, the Google report on page 10 gives the random URL infection (counting both identified malware and behavior suspected of malware as malware) rate of approximately 0.25% for most categories and a bit above 0.6% for adult sites. Assuming you don't use adult sites for work, 0.25% translates into 1 of every 400 URLs. So you'd need to visit 400 URLs on average just to get 1 infected site. And, given that the problem is getting worse, the problem wasn't as bad one year ago when you tested, so the infection percentages were probably even lower then.

By the way, were your tests done on XP?

MrBrian
April 23rd, 2008, 12:44 AM
-{ Quote: "So you'd need to visit 400 URLs on average just to get 1 infected site." }-

Another point to consider: in the Google study, this is from random URLs. In your browsing habits, you're probably visiting multiple, sometimes many, pages on the same website. Thus, when you reach 400 URLs, you've probably been exposed to far fewer websites than in 400 random URL visits in the Google study.
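The "1 in 400" figure above is an average, and the two posts are really arguing about how much a few weekends of zero hits tells you. As an added example (not part of the thread or of the Google paper it cites), the functions below apply the per-URL rate MrBrian took from that paper, about 0.25% of random URLs, to independent page visits; independence between visits is an assumption stated here, not something the paper establishes, and the per-weekend URL counts are constructed for the demo.

```python
"""How often would a user hit a drive-by page by chance?

Added example, not from the thread or the Google paper it cites. It applies
the per-URL rate quoted in the thread (about 0.25% of random URLs) under the
assumption that visits are independent. Per-weekend URL counts are constructed.
"""
import math


def p_at_least_one_hit(p_per_url: float, n_urls: int) -> float:
    """Probability that at least one of n independent visits lands on a malicious URL."""
    return 1.0 - (1.0 - p_per_url) ** n_urls


def expected_urls_to_first_hit(p_per_url: float) -> float:
    """Mean number of visits until the first hit (geometric distribution): the '400'."""
    return 1.0 / p_per_url


def urls_for_confidence(p_per_url: float, confidence: float) -> int:
    """Smallest n such that P(at least one hit in n visits) >= confidence."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p_per_url))


def p_zero_hits_over_weekends(p_per_url: float, urls_per_weekend: int, weekends: int) -> float:
    """Chance that an experiment spanning several weekends sees nothing at all."""
    return (1.0 - p_per_url) ** (urls_per_weekend * weekends)


if __name__ == "__main__":
    p = 0.0025  # the 0.25% per-URL rate quoted in the thread
    print(f"mean visits to first hit: {expected_urls_to_first_hit(p):.0f}")
    for n in (50, 100, 400, 1000):
        print(f"P(>=1 hit in {n:4d} URLs) = {p_at_least_one_hit(p, n):.3f}")
    for c in (0.5, 0.95):
        print(f"URLs for {c:.0%} confidence: {urls_for_confidence(p, c)}")
    # Constructed: two weekends of roughly 50 distinct URLs each.
    print(f"P(zero hits, 2 weekends x 50 URLs) = {p_zero_hits_over_weekends(p, 50, 2):.3f}")
```

At 0.25% per URL, even the full 400 visits give only about a 63% chance of one hit, and two weekends of 50 URLs each come up empty about 78% of the time, so a clean result from a short test is the expected outcome rather than evidence against the rate. Pushing the probability of seeing at least one hit to 95% takes close to 1,200 distinct URLs.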

Rmus
April 23rd, 2008, 12:53 AM
Win2K and WinXP.

400 URLs?

That's more than my normal workload.

My experiment was to do my regular research in my normal way (except using IE instead of Opera). My aim was to show that a drive-by download can be thwarted by White List protection. However, I never encountered a single one in normal work.

On the other hand, going directly to compromised sites mentioned in security analyses was fruitful.
Some time ago, I put a group of them together:

System:

Win2K, WinXP
IE6 unpatched
Anti-Executable
Deep Freeze

http://www.urs2.net/rsj/computing/tests/remote

In one sense, it doesn't really matter what the code exploit is. If the end result is to download an executable binary, it's no show.

The recent Flash exploit, which brings up a window enticing the user to download PC Protection, is tame compared with the earlier RegClean exploit, where the browser is completely taken over by the exploit and any click on any part of the window triggers the download by remote code execution:

http://www.urs2.net/rsj/computing/tests/fontmania/


----
rich

Rmus
April 23rd, 2008, 01:17 AM
-{ Quote: "Another point to consider: in the Google study, this is from random URLs. In your browsing habits, you're probably visiting multiple, sometimes many, pages on the same website. " }-That's not correct. Using a list of topics for a particular project, I used Google to search for them.

-{ Quote: " Thus, when you reach 400 URLs, you've probably been exposed to far fewer websites than in 400 random URL visits in the Google study." }-The point of my test was to use the internet in my normal fashion to see if I could encounter such a site. No one I know has ever encountered such a site.

The problem I see with such studies is that they are not always a realistic portrayal of what a user may do, thus creating needless fear and uncertainty.

You should do the same test -- just do your normal work, and see if your HIPS alerts to the download of any executable by remote code execution.


----
rich

EASTER
April 23rd, 2008, 01:32 AM
The very next night (and this is no exaggeration on my part), after a pretty strong tornado had gone through Atlanta, Georgia, USA, and while the SEC basketball playoffs were in town, I just casually, as anyone would, went to the CNN site to see what their reviews of it were, since their CNN News building was struck too, and I got hit with an iframe exploit the likes of which I had not seen since the Windows 98 "You Are An Idiot" bombardment, and it actually buffer overflowed my IE to the point I had to hit the reset button.

Now whether someone there did that as a practical joke, which I wouldn't think likely, or someone took advantage of the ordeal to exploit their news webpage, it came as a shock to me.

I still keep that "You Are An Idiot" iframe exploit from the '98 days in my collection and it still works on XP Pro. Guess I wasn't patched for it. LoL

It's just a nonsense silly loop throwing a craze of windows. Downloads nothing but what lands in the TIF cache.

MrBrian
April 23rd, 2008, 01:38 AM
-{ Quote: "400 URLs?

That's more than my normal workload.
" }-

Thus, you shouldn't have expected to have been infected in the timeframe you did your test in. Your results were actually the expected case for your workload.

-{ Quote: "The problem I see with such studies is that they are not always a realistic portrayal of what a user may do, thus creating needless fear and uncertainty.
" }-

People do sometimes do this. I'm not sure what Google's interests would be in overstating the danger of the web though? I would think Google would want to understate the danger of the web - they want you to click on their search result links, right?

-{ Quote: "
You should do the same test -- just do your normal work, and see if your HIPS alerts to the download of any executable by remote code execution.
" }-

I might do this in a virtual machine. I haven't had any abnormal HIPS alerts or Comodo Memory Firewall alerts regarding my browser yet. Then again, I'm using Opera as my browser, not IE. And I also keep important programs, including browser plugins, up to date.

MrBrian
April 23rd, 2008, 01:43 AM
-{ Quote: "
LUA and SRP can be included" }-

How are things going with LUA for you? I tried this a few years ago in Windows 2000. I thus created a new part-time job for myself. Maybe things have gotten better since then? Or maybe it was just me....

Rmus
April 23rd, 2008, 01:44 AM
-{ Quote: "I might do this in a virtual machine. I haven't had any abnormal HIPS alerts or Comodo Memory Firewall alerts regarding my browser yet. Then again, I'm using Opera as my browser, not IE. And I also keep important programs, including browser plugins, up to date." }-Well you've got to simulate what those who get hooked up to botnets run: IE unpatched and nothing else updated. Otherwise, you'll never get any pickings!


----
rich

MrBrian
April 23rd, 2008, 01:48 AM
-{ Quote: "
http://www.urs2.net/rsj/computing/tests/remote
" }-

Thank you for the links. I have seen them before somewhere. Is this Anti-Executable in the screenshots?

MrBrian
April 23rd, 2008, 01:49 AM
-{ Quote: "Well you've got to simulate what those who get hooked up to botnets run: IE unpatched and nothing else updated. Otherwise, you'll never get any pickings!
" }-

I know, hehe! That's what I would do in the virtual machine.

Rmus
April 23rd, 2008, 01:55 AM
-{ Quote: "How are things going with LUA for you? I tried this a few years ago in Windows 2000. I thus created a new part-time job for myself. Maybe things have gotten better since then? Or maybe it was just me...." }-I haven't done this personally. I just mentioned it as another option.

When I searched for this type of protection years ago, I had in mind families where several, including children, use one computer. I decided that LUA was a possibility, but when Anti-Executable came on the market and replaced FreezeX, I realized that this was an ideal solution: upon installation, it creates a White List of all executables, and nothing else can be installed w/o parental permission. Essentially a Default-Deny, set-and-forget solution, password protected. Nothing else to configure.

While its principal purpose in these situations is to control installation of software (games, screensavers, other freebies), an added feature is protection from drive-by downloads of malware/adware/spyware.


----
rich

Rmus
April 23rd, 2008, 01:56 AM
-{ Quote: "Thank you for the links. I have seen them before somewhere. Is this Anti-Executable in the screenshots?" }-Yes.

I think I posted this in another thread discussing drive-by downloads a while back.


----
rich

solcroft
April 23rd, 2008, 02:34 AM
-{ Quote: "Thus, you shouldn't have expected to have been infected in the timeframe you did your test in. Your results were actually the expected case for your workload." }-
One of the problems with this is the demographic of exploited websites. Of those I've seen, Chinese + Russian + Ukrainian sites compose the majority, with English websites forming a rare few. It isn't really much use, I guess, to target the European/American populace with exploits when the majority of them keep their genuine OSes well-patched and where Firefox enjoys strong popularity.

This might be a bold statement to make, but remote code execution exploits are all but dead and gone, as far as the digital world of the West is concerned. That's why the few sites that do get exploited are so newsworthy.

MrBrian
April 23rd, 2008, 02:37 AM
-{ Quote: "So you'd need to visit 400 URLs on average just to get 1 infected site." }-

Infected site percentage rates in real life might be different (higher or lower) than this, for several reasons. The Google study used browsers with apparently no plugins. In real life, most users have Flash, Java, etc., thus increasing the attack surface. The Google study used virtual machines, but some malware detects the presence of virtual machines and avoids behaving maliciously in the presence of one. Finally, the Google study uses random URLs. In real life, some sites are much more popular than others, and thus URL usage is not random.

It's important to mention that this number is not the same as the infection rate, because landing on an infected site does not necessarily lead to an infection, due to the operating environment and types of security measures used.

Rmus
April 23rd, 2008, 03:58 AM
-{ Quote: " I'm not sure of what to make of the differences between your experiment and Google's report, other than possibly the time the experiments were conducted." }-Ironically, my testing period occurred during their time frame:

-{ Quote: "We provide an estimate of the prevalence of web-malware based on data collected over a period of ten months (Jan 2007 - Oct 2007)." }-Regarding my comment:

-{ Quote: "The problem I see with such studies is that they are not always a realistic portrayal of what a user may do, thus creating needless fear and uncertainty." }-You said,

-{ Quote: "I'm not sure what Google's interests would be in overstating the danger of the web though? I would think Google would want to understate the danger of the web - they want you to click on their search result links, right? " }-I wasn't implying overstating. The study itself is problematic, in my view.
Their data is impressive, and no one doubts the existence of malicious URLs.

Here is the pertinent criteria:

-{ Quote: "We study the relationship between the user browsing habits and exposure to malware,

4.3 Impact of browsing habits
We examined two different data sets: the first is a sample of 7.2 million randomly selected URLs and the second is all 3.3 million malicious URLs found during the course of this study. " }-More relevant, it seems to me, would be to set up control groups and monitor what users do during their browsing sessions, noting what search topics yield what results, and the frequency with which the user does indeed click on a malicious URL. This would give readers a look at real-life browsing, and not just a laboratory study.

This is not to discount the millions (by some analyst's data) of computers hooked up to a botnet.
But note the Google Study method:

-{ Quote: "Each honeypot instance runs an unpatched version of Internet Explorer" }-As I indicated in my above post, this is what I have to do, when testing, in order to get these drive-by thingies to work. In real life, not everyone runs this way. Many I know use another browser, and those using IE7 keep things up-to-date.

Not only that, as I've stated in other places, malware downloaded by remote code execution (drive-by download) is the easiest to defend against with some White List protection in place.

Their definition of drive-by (note that it does not differentiate between various types of malware):

-{ Quote: "Drive-by downloads are caused by URLs that attempt to exploit their visitors and cause malware to be installed and run automatically." }-
For those with such protection, this is a no-threat.

While these types of Studies are academically impressive, if that amount of time (10 months) to create such a study was spent in educating people as to the "more elaborate defense mechanisms to curtail this rapidly increasing threat," to quote part of their conclusion, it would certainly be time better spent.

Why waste time talking up the statistics of a danger that becomes irrelevant with proper security?
Why not a study showing how Remote Code Execution exploits can be effectively blocked, neutralized?

And, by the way, the defense mechanisms don't have to be elaborate!

----
rich

lucas1985
April 23rd, 2008, 03:08 PM
-{ Quote: "How are things going with LUA for you? I tried this a few years ago in Windows 2000. I thus created a new part-time job for myself. Maybe things have gotten better since then? Or maybe it was just me...." }-
UAC in Vista and SuRun in every NT-based OS have made LUA an option to be considered. The concept of least privilege is better implemented on Unix-based systems, though.
-{ Quote: "It made me wonder, How do people get to these compromised sites? Looking at lists posted by bloggers, I concluded that *none* would be sites that I would be likely to encounter in normal work." }-
Rich,
Your analysis is biased to your browsing patterns.
-{ Quote: "One of the problems with this is the demographic of exploited websites. Of those I've seen, Chinese + Russian + Ukrainian sites compose the majority, with English websites forming a rare few. It isn't really much use, I guess, to target the European/American populace with exploits when the majority of them keep their genuine OSes well-patched and where Firefox enjoys strong popularity.

This might be a bold statement to make, but remote code execution exploits are all but dead and gone, as far as the digital world of the West is concerned. That's why the few sites that do get exploited are so newsworthy." }-
So, do you think that the malware gangs serve exploits to Chinese/Russian/Brazilian/Indian people running pirated/unpatched systems and use social engineering tricks on Westerners, who happen to be fairly protected thanks to Automatic Updates?
Interesting.

Rmus
April 23rd, 2008, 04:29 PM
-{ Quote: "Rich,
Your analysis is biased to your browsing patterns." }-Hi, Lucas,

You noticed!

Shouldn't everyone approach security based on their habits and patterns?

Most of the time, notices about this and that exploit are so generically described that the user has no idea how it might affect her/him. When given the opportunity to examine more closely, a better analysis can be gained.


----
rich

lucas1985
April 23rd, 2008, 06:10 PM
-{ Quote: "Shouldn't everyone approach security based on their habits and patterns?" }-
I think so. However, I think that it's difficult for a novice to know his/her habits and patterns and it's even more difficult for the one trying to help with the setup.
That's why we need statistical data about "trends" on malware spreading to get a "complete picture" of the malware landscape (which I attempted to do in my recent thread). This way, we can know if safe surfing still works (to some extent), if execution control still works, if patching policies are effective at dealing with drive-by downloads, etc.
-{ Quote: "Most of the time, notices about this and that exploit are so generically described that the user has no idea how it might affect her/him. When given the opportunity to examine more closely, a better analysis can be gained." }-
Agreed. You need to dig a bit to find the really useful information.

MrBrian
April 23rd, 2008, 06:18 PM
-{ Quote: "More relevant, it seems to me, would be to set up control groups and monitor what users do during their browsing sessions, noting what search topics yield what results, and the frequency with which the user does indeed click on a malicious URL. This would give readers a look at real-life browsing, and not just a laboratory study.
" }-

I agree. The Google paper did address this, at least for the population as a whole. On pps. 8-9 the following excerpt is found:

"To study the potential impact of malicious web sites on the end-users, we first examine the fraction of incoming search queries to Google’s search engine that return at least one URL labeled as malicious in the results page. Figure 3 provides a running average of this fraction. The graph shows an increasing trend in the search queries that return at least one malicious result, with an average approaching 1.3% of the overall incoming search queries. This finding is troubling as it shows that a significant fraction of search queries return results that may expose the end-user to exploitation attempts."

"To further understand the importance of this finding, we inspect the prevalence of malicious sites among the links that appear most often in Google search results. From the top one million URLs appearing in the search engine results, about 6,000 belong to sites that have been verified as malicious at some point during our data collection. Upon closer inspection, we found that these sites appear at uniformly distributed ranks within the top million web sites—with the most popular landing page having a rank of 1,588. These results further highlight the significance of the web malware threat as they show the extent of the malware problem; in essence, about 0.6% of the top million URLs that appeared most frequently in Google’s search results led to exposure to malicious activity at some point."

By the way, as of when you did your tests about a year ago, April 2007, approximately 0.35% of Google search queries resulted in at least one malicious URL. As of January 2008, the percentage had more than tripled, to approximately 1.3%.

MrBrian
April 23rd, 2008, 06:49 PM
-{ Quote: "
Not only that, as I've stated in other places, malware downloaded by remote code execution (drive-by download) is the easiest to defend against with some White List protection in place.
" }-

I agree. For the sake of completeness, however, I'd like to point out again that whitelisting protects against the downstream effects of a buffer overflow exploit, but doesn't stop the buffer overflow exploit initial code (called shellcode) from running. If the shellcode directly deleted all of your mp3 files, for example, your whitelist product would not prevent this.

lucas1985
April 23rd, 2008, 06:54 PM
Or the shellcode could have a script made to terminate/delete your execution control solution. Once the whitelisting solution is down, the gate is open for malicious binaries.

Rmus
April 23rd, 2008, 07:39 PM
-{ Quote: "I agree. For the sake of completeness, however, I'd like to point out again that whitelisting protects against the downstream effects of a buffer overflow exploit, but doesn't stop the buffer overflow exploit initial code (called shellcode) from running. If the shellcode directly deleted all of your mp3 files, for example, your whitelist product would not prevent this." }-This is true (hopefully one has all mp3 files backed up!)

One who is concerned about such things needs to take other measures, of course. The buffer overflow thread has suggestions.


----
rich

Rmus
April 23rd, 2008, 07:40 PM
-{ Quote: "Or the shellcode could have a script made to terminate/delete your execution control solution. Once the whitelisting solution is down, the gate is open for malicious binaries." }-That is an interesting scenario indeed!

Can you give an example of how this could be done, and how the person writing the exploit could cover all of the numerous white list solutions available?


----
rich

Rmus
April 23rd, 2008, 08:13 PM
-{ Quote: "I think that it's difficult for a novice to know his/her habits and patterns and it's even more difficult for the one trying to help with the setup." }-I will agree that this is true in a general sense.

However, if you are in a position to work with others, you can help to instill good habits. For example, I suggest to families that they become involved with their kids' school library, and local public library, for lists of safe web sites for children's games, educational materials, etc. And to interact with other families in a like manner.

The parents monitor the on-line activities of the younger children and teach them good habits. Will the children continue in a like manner when they get older and have their own computer? Who knows, but at least the parents have done their part.

Other habits such as "Don't agree to popup notices about computer infections, etc." are better explained with examples, and I like to use real examples when possible. The recent banner ad flash exploit is a great one. I posted a screen shot of the page in post #26. Meanwhile, I downloaded the page and the .swf file. I've shown this to a few people, letting the .swf file run: it's a very convincing, realistic, real-time, but fake, scan. Screen shot:

[attachment 199468]

Then I click on the download button to show the download prompt:

[attachment 199469]

I think that seeing an example of the types of social engineering tricks makes the idea stick better, rather than just a list of "Thou shalt nots..."

I do this with a lot of different types of exploits.

BTW - relating this to the topic of this thread: In using examples such as the above, I never differentiate between malware types with most people. Malware is malware. The goal is prevention, no matter what you call it. What does it matter if you are preventing a virus, trojan, worm, etc? Or spyware, adware? I have found that the terminology tends to confuse people, and certainly instill fear.



----
rich

MrBrian
April 23rd, 2008, 08:23 PM
-{ Quote: "Or the shellcode could have a script made to terminate/delete your execution control solution. Once the whitelisting solution is down, the gate is open for malicious binaries." }-

That's a great point. Thus the advisability of making sure your buffer overflow protection is sufficient. I posted advice about this at http://www.wilderssecurity.com/showthread.php?t=207074&page=3.

trjam
April 23rd, 2008, 08:27 PM
I thought they made dikes for overflow???

Rmus
April 24th, 2008, 09:45 AM
-{ Quote: "For the sake of completeness, however, I'd like to point out again that whitelisting protects against the downstream effects of a buffer overflow exploit, but doesn't stop the buffer overflow exploit initial code (called shellcode) from running." }-
-{ Quote: "Or the shellcode could have a script made to terminate/delete your execution control solution. Once the whitelisting solution is down, the gate is open for malicious binaries." }-
-{ Quote: "That's a great point." }-I was hoping one of you would elaborate on this.

I can think right off hand of 6 whitelisting, or execution protection, solutions, and am curious how such an exploit could terminate all of them.

For example, many have benefited from the discussions on SRP, and I think anyone who uses this protection would be concerned that it could be disabled/terminated by a buffer overflow attack, leaving "the gate open for malicious binaries."


----
rich

lucas1985
April 24th, 2008, 01:38 PM
-{ Quote: "That is an interesting scenario indeed!

Can you give an example of how this could be done, and how the person writing the exploit could cover all of the numerous white list solutions available?" }-
It would need a very skilled malware writer writing a very targeted exploit. The attacker would need to know your vulnerable apps and the whitelisting/execution control solution you're using. It would be next to impossible if you have a good patching policy and buffer overflow protection (hardware DEP).
So, I'd say that the possibility of this type of attack (shellcode designed to disable your whitelisting solution and transported in a data filetype exploiting a buffer overflow vulnerability) is very low.

ErikAlbert
April 24th, 2008, 02:48 PM
I agree. Brilliant malware writers are rare; the majority of malware writers copy malware and make changes to create a variant, and these fools only provide the quantity.

MrBrian
April 24th, 2008, 07:54 PM
-{ Quote: "I was hoping one of you would elaborate on this.

I can think right off hand of 6 whitelisting, or execution protection, solutions, and am curious how such an exploit could terminate all of them.
" }-

How about if the buffer overflow initial code (the shellcode) restores the kernel-mode hooks that your security products use to detect changes on the system, thus possibly neutralizing your security products? This is a general method. See http://membres.lycos.fr/nicmtests/Unhookers/unhooking_tests.htm for more information. According to the DefenseWall creator, this is possible to do without needing to load a driver first - see http://www.wilderssecurity.com/showpost.php?p=1050955&postcount=94. Maybe your security products can defend against this, or maybe they cannot.

I see that lucas1985 also spoke of this possibility already at http://www.wilderssecurity.com/showthread.php?t=171576&page=17.

Rmus
April 25th, 2008, 12:38 AM
-{ Quote: "How about if the buffer overflow initial code (the shellcode) restores the kernel-mode hooks that your security products use to detect changes on the system, thus possibly neutralizing your security products? This is a general method. See http://membres.lycos.fr/nicmtests/Unhookers/unhooking_tests.htm for more information. " }-It is my understanding that nicM used binary executables, and not shell code.
See http://www.wilderssecurity.com/showthread.php?t=180969

Post #8 by Peter2150:
-{ Quote: "What form were these malware in, for example were they exe's and did you first have to allow them to run." }-and Post #14 response by nicM:

-{ Quote: "Peter : Yes, of course, .exe were allowed to run, at least the droppers (initial .exe, when several files are involved). This is something I've probably forgotten to mention on the 1st page this morning; it will be added tonight." }-And he did add to his test page:

-{ Quote: " For all programs providing execution prevention, the test [s]ample was allowed to run ." }-So, he is in fact testing HIPS action after an executable is allowed to run.

The impetus for this was a couple of months earlier in this thread by nicM:

Process Guard Rootkit prevention - in need of an update?
http://www.wilderssecurity.com/showthread.php?t=174012

The misunderstanding was whether PG's blocking of the executable from running counted as Rootkit Prevention, thus passing the test. See post #4 by fcukdat:

-{ Quote: " from a security standpoint/software assessment point of [vi]ew the execution control of the free version would have offered a chance to block the droppers from running and the loading driver part becomes irrelevant.

In plain English, in order to load the drivers you had to click on files to execute (run) them in the first place." }-But since nicM is testing HIPS action after a malicious executable is launched, PG clearly fails the test. However, the definition of "prevention" was never agreed upon in the thread.

..................

Back to buffer overflow: I would like to see a current exploit which can disable execution prevention in both OS protection, such as LUA and SRP, and also the many HIPS and other products which do the same.

Meanwhile, we seem to have gotten off topic in this thread, so if we can go to the buffer overflow thread:

http://www.wilderssecurity.com/showthread.php?t=207074&page=4

I've responded to your last post, and asked if anyone can add to the list of browser addons in my post #86.

thanks,


----
rich

MrBrian
April 26th, 2008, 12:44 AM
-{ Quote: "One of the problems with this is the demographic of exploited websites. Of those I've seen, Chinese + Russian + Ukrainian sites compose the majority, with English websites forming a rare few. It isn't really much use, I guess, to target the European/American populace with exploits when the majority of them keep their genuine OSes well-patched and where Firefox enjoys strong popularity.

This might be a bold statement to make, but remote code execution exploits are all but dead and gone, as far as the digital world of the West is concerned. That's why the few sites that do get exploited are so newsworthy." }-

Things are changing. From http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html, we find out some high-profile Western sites recently infected: "USAToday.com, ABCNews.com, News.com, Target.com, Packard Bell.com, Walmart.com, Rediff.com, MiamiHerald.com, Bloomingdales.com, PatentStorm.us, WebShots.com, Sears.com, Forbes.com, Ugo.com, Bartleby.com, Linkedwords.com, Circuitcity.com, Allwords.com, Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu, boisestate.edu."

From Sophos 2008 first quarter security report (http://www.sophos.com/pressoffice/news/articles/2008/04/secrep08q1.html):

-{ Quote: "
Research into which countries host the most infected webpages shows some interesting changes since the 2007 Sophos Security Threat Report. The US in particular has experienced unprecedented growth, from hosting less than 25 percent of all infected pages overall in 2007, to almost half in the first three months of 2008.

China has demonstrated the biggest drop, from hosting more than half of all the infected pages seen by Sophos in 2007, to just under a third in the first quarter of 2008.
" }-

EASTER
April 26th, 2008, 01:00 AM
I didn't see the CNN News site added, but I got iframed to pieces one day just trying to check the latest news article. Ended up having to reboot my machine; IE of course was the target, since I use it. CNN was definitely exploited. This happened the very next day after the tornado had hit the CNN building and the rest of Atlanta, Georgia, during the SEC playoffs.

Surprised me, I'll say.

MrBrian
April 26th, 2008, 01:43 PM
-{ Quote: "Therein lies the premise supporting my own intense scrutiny and high suspicion regarding PATCHES, and why? Just like what's been mentioned and documented too, I might add, they have all too easily been repatched by malware enthusiasts through clever exploits, and why I refuse to accept any of them anymore PERIOD!
" }-

There's even an automated (http://www.cs.cmu.edu/~dbrumley/pubs/apeg.html) way now to generate the exploit from the patch. The exploit applies to the old version though, not the new one, unless the issues weren't properly fixed in the new version.

solcroft
April 26th, 2008, 02:26 PM
-{ Quote: "Therein lies the premise supporting my own intense scrutiny and high suspicion regarding PATCHES, and why? Just like what's been mentioned and documented too, I might add, they have all too easily been repatched by malware enthusiasts through clever exploits, and why I refuse to accept any of them anymore PERIOD!" }-
EASTER, your anti-Microsoft-ism is sometimes amusing. At other times it defies plain logic and common sense. You will accept anything at face value as long as it perpetuates your beliefs, without pausing and thinking, "Now just wait a minute, this doesn't make any sense at all."

Suffice to say that it is very unlikely indeed for the events, as you interpret them, to happen. What Fly was referring to, was that hackers reverse-engineered security patches to find out what the patches fixed, and wrote targeted exploits for that flaw in hopes of catching people who still hadn't yet applied the patch. In which case it becomes even more crucial to keep oneself patched, instead of avoiding them in the belief that they harbor some sort of bogeyman.

MrBrian
April 26th, 2008, 02:45 PM
-{ Quote: "
A year or so ago, a friend and I experimented, using IE on Low Security for several hours each weekend, doing our normal work, including Google searches. Not once did we encounter a site with a drive-by download. And we clicked on prominent ad banners whenever encountered.
" }-

Too bad you didn't conduct your test this past week. 500,000 legitimate sites were hacked to serve malware. See http://www.wilderssecurity.com/showthread.php?t=207455 for discussion, including the specific browser-based exploits used. If you're using Internet Explorer, think about setting Internet Zone security to High to turn off ActiveX.

EASTER
April 26th, 2008, 04:16 PM
-{ Quote: "EASTER, your anti-Microsoft-ism is sometimes amusing. At other times it defies plain logic and common sense. You will accept anything at face value as long as it perpetuates your beliefs, without pausing and thinking, "Now just wait a minute, this doesn't make any sense at all."

Suffice to say that it is very unlikely indeed for the events, as you interpret them, to happen. What Fly was referring to, was that hackers reverse-engineered security patches to find out what the patches fixed, and wrote targeted exploits for that flaw in hopes of catching people who still hadn't yet applied the patch. In which case it becomes even more crucial to keep oneself patched, instead of avoiding them in the belief that they harbor some sort of bogeyman." }-

Your false accusations are purely full of sh*t solcroft and you are in sore need of professional correction.

All you seem to do consistently is stalk not just my post with negative connotations and downplaying others experiences but personally like them i about had it up to here with your relentless lame kiddish behaviors and foolish nonsense false accusations, others might praise your so-called knowledge regarding various products and your own interpretations which are your own personal opinions by the way, and not always as right as you might like to think they are, and although you do prove skilled at convincing others in an effort to persuade them that your opinion is oddly without error, but everybody else who constructively challenges your BELIEFS or corrects your wrong impressions you find it easy to dismiss them as lacking something you think you have that they don't.

So if you have any reasonable bone left anymore it would do you much better to be more civil and less confrontational and hop off that horse, because everyone is entitled to their own opinions of the products they use and is completely justified in either their approval or disapproval of them, including Operating Systems. If you want to spout off about anti-Microsoft, find Linux and Ubuntu etc. users to write your disputes to, because as I said too many times before like a broken record, while I myself harbor many disagreements with MS policy I still support their NT O/S systems or I wouldn't be using them. Does that not sink in at all?

solcroft
April 26th, 2008, 04:34 PM
-{ Quote: "... while i myself harbor many disagreements with MS policy..." }-
Which have been misguided, incorrect, and unfair on more than a few occasions...

Without resorting to your froth-at-the-mouth, spittle-flying fury, I'll just present the facts as they are:

http://www.cs.cmu.edu/~dbrumley/pubs/apeg.pdf
http://erratasec.blogspot.com/2008/04/automatic-patch-based-exploit.html
http://www.securityfocus.com/news/11514

There are a few other interesting papers, but since they contain intimate details on how to accomplish the feat they describe, I think they're not suitable for public posting here. Suffice to say that it's a good idea to keep up with patches regularly, since some groups of black-hat hackers target the demographic that doesn't do so.

EASTER
April 26th, 2008, 05:34 PM
These exchanges, solcroft, continue to divert totally off-topic to a point here, so I must refuse engaging anymore in tit-for-tat nonsense; plus no amount of links or opinions is gaining any encouragement to dissuade my attention to Linux or Ubuntu, which seems your odd intention anyway. ;D

I do however reserve the right instead to extend the proper courtesy to other members who wish to continue to contribute their valuable discussions to the topic at hand.

Sorry to have to disappoint you. Technology is my business & life, and contrary to popular belief I'm not totally devoid of facts, and the facts are MS patches can be easily exploited and I choose to avoid them for two reasons: that is one; the other is they are not fashioned by the best engineers Microsoft has to offer either. Their long track record of problems with them is evidence of that fact. Besides, there's enough high quality security apps to more than make up any gaps or limitations should a user forfeit those patches as I exercise my right to do. And since then I have the best running machine I ever experienced compared to before, as well as solidly protected; who could ask for more? Patches? Bandaids?

Articles supporting their usefulness are propaganda when you pit their security flaws against security vendors' addressing of the same and more issues.

solcroft
April 26th, 2008, 05:47 PM
-{ Quote: "plus no amount of links or opinions is gaining any encouragement to dissuade my attention to Linux or Ubuntu which seems your odd intention anyway. ;D" }-
Pushing your own suppositions onto me doesn't really achieve anything. I was merely making sure that people aren't unnecessarily misled by your claims, by providing the facts to the contrary. Mission accomplished.

lucas1985
April 26th, 2008, 06:04 PM
Patches are safe and you should apply them ASAP. Yes, some patches may be troublesome in certain systems (hardware/software conflicts, etc) but they are fine for most people.
You can't have a secure system if its foundation is vulnerable. Before even considering security apps, you should ensure that you have the most secure version of your OS and applications.

EASTER
April 26th, 2008, 06:16 PM
Many reliable security programs are safe too and should be applied ASAP, but does that mean they can be trusted 100%? Of course not, but I'd rather put my money on layers of security apps than patches, but then that's just me; I don't trust them and likely never will. They can be exploited now more than ever, plus what do they do that a good security strategy of a combo of security apps couldn't do better at this point in time?

Patches and updates are ok for some but they leave me with many doubts because Microsoft engineers ARE NOT the best in the world even on their own machines!

Those are very valid reasons for serious doubts.

denniz
April 29th, 2008, 09:01 AM
This thread didn't turn out like I expected, but nevertheless it's still an interesting read. ;)

MrBrian
May 3rd, 2008, 04:04 AM
See Automatic classification of malware (http://pandalabs.pandasecurity.com/archive/Automatic-classification-of-malwaree.aspx)

MrBrian
May 3rd, 2008, 04:41 AM
From paper 'Automated Classification and Analysis of Internet Malware' (http://www.eecs.umich.edu/techreports/cse/2007/CSE-TR-530-07.pdf)

-{ Quote: "
Using a large, recent collection of malware that spans a variety of attack vectors (e.g., spyware, worms, spam), we show that different AV products characterize malware in ways that are inconsistent across AV products, incomplete across malware, and that fail to be concise in their semantics.
" }-

MrBrian
May 3rd, 2008, 04:51 AM
Relevant paper from Symantec: Virus and Vulnerability Classification Schemes: Standards and Integration (www.symantec.com/avcenter/reference/virus.and.vulnerability.pdf).

denniz
May 3rd, 2008, 10:12 AM
@MrBrian:

That was an interesting read indeed; it seems the various vendors differentiate all kinds of malware in radically different ways. What one vendor calls a worm, another vendor calls a trojan, and with the rise of blended malware (malware that has characteristics belonging to many different kinds of malware all at once), the problems will become even worse.

I seriously doubt that signature-based recognition will be the way to go in recognizing new future malware. Signatures alone just won't be enough as time progresses. The trend has already been set: first there were only signatures, now we have heuristic scanning, behaviour-based recognition, HIPS, virtualization, sandboxing, etc.

I wonder where things will be in say 10 years from now?!
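The naming divergence just described (a worm for one vendor, a trojan for another) can be measured on a sample set along the lines the Bailey et al. paper quoted earlier uses, scoring vendor labels for completeness and consistency. The Python below is an added example, not code from that paper or from any poster here; the vendor names V1..V3 and the CARO-style labels are constructed, and the pairwise family-consistency check is this example's own simplified measure.

```python
from itertools import combinations

# Constructed detection labels (sample id -> vendor -> label); None = missed.
# CARO-style "Type.Platform.Family[.Variant]" strings, invented for this example.
LABELS = {
    "s1": {"V1": "Worm.Win32.Alpha.a", "V2": "Trojan.Win32.Alpha.gen", "V3": "Worm.Win32.Alpha.b"},
    "s2": {"V1": "Worm.Win32.Alpha.c", "V2": "Trojan.Win32.Alpha.gen", "V3": None},
    "s3": {"V1": "Trojan.Win32.Beta.a", "V2": "Trojan.Win32.Beta.a", "V3": "Trojan.Win32.Alpha.d"},
    "s4": {"V1": None, "V2": "Adware.Win32.Delta", "V3": "Trojan.Win32.Delta.x"},
}

def parse_label(label):
    """Split 'Type.Platform.Family[.Variant]' into (type, platform, family);
    the variant suffix is dropped because each vendor assigns it independently."""
    parts = label.lower().split(".")
    if len(parts) < 3:
        raise ValueError(f"unexpected label format: {label!r}")
    return parts[0], parts[1], parts[2]

def completeness(labels):
    """Per vendor, the fraction of samples it labelled at all ('complete across malware')."""
    vendors = sorted({v for per in labels.values() for v in per})
    return {v: sum(1 for per in labels.values() if per.get(v)) / len(labels)
            for v in vendors}

def type_agreement(labels):
    """Fraction of samples on which every vendor that detected it gives the same
    type (worm, trojan, adware, ...), i.e. the worm-vs-trojan disagreement rate inverted."""
    agreed = sum(1 for per in labels.values()
                 if len({parse_label(l)[0] for l in per.values() if l}) == 1)
    return agreed / len(labels)

def family_consistency(labels, a, b):
    """Simplified pairwise measure (this example's own): over every pair of samples
    both vendors detect, do they agree on whether the two samples share a family?"""
    shared = [s for s, per in labels.items() if per.get(a) and per.get(b)]
    fam = lambda v, s: parse_label(labels[s][v])[2]
    checks = [(fam(a, s) == fam(a, t)) == (fam(b, s) == fam(b, t))
              for s, t in combinations(shared, 2)]
    return sum(checks) / len(checks) if checks else None

def report(labels):
    vendors = sorted(completeness(labels))
    return {
        "completeness": completeness(labels),
        "type_agreement": type_agreement(labels),
        "family_consistency": {f"{a}/{b}": family_consistency(labels, a, b)
                               for a, b in combinations(vendors, 2)},
    }
```

On the constructed set, V1 and V2 group samples into families identically even though they disagree on worm vs trojan, while V3 folds s3 into the Alpha family and so scores 0.0 against V1; type agreement is only 25%.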

MrBrian
May 3rd, 2008, 12:48 PM
-{ Quote: "@MrBrian:

That was an interesting read indeed; it seems the various vendors differentiate all kinds of malware in radically different ways. What one vendor calls a worm, another vendor calls a trojan, and with the rise of blended malware (malware that has characteristics belonging to many different kinds of malware all at once), the problems will become even worse.

I seriously doubt that signature-based recognition will be the way to go in recognizing new future malware. Signatures alone just won't be enough as time progresses." }-

The malware count is definitely accelerating. From http://computerworld.co.nz/news.nsf/scrt/BE0FBE39C58ED591CC2574250077DA30:

-{ Quote: "Of the 1.1 million code threats that Symantec has detected since it began writing signatures more than a quarter-century ago, 711,912 were discovered in 2007; 499,811 were picked up in the last six months of the year alone.

In other words, nearly two-thirds of all the threats that Symantec has ever uncovered were found last year." }-

-{ Quote: "By Symantec's estimate, 65% of the 54,000-plus unique applications deployed on Windows-based PCs in the [2nd half of 2007] were malicious. "[Whitelisting] is a better approach," said Greenbaum, "considering the modern threat landscape."" }-

The reports (http://www.wilderssecurity.com/showthread.php?t=208095) from Symantec, by the way, are excellent to read if you want to know more about malware trends.

ErikAlbert
May 3rd, 2008, 03:47 PM
You can't win the war with signatures and heuristics, and they create other problems, one of them being false positives.
I don't use any scanners anymore and no scanner is able to find something on my system partition.
If you want to change something thoroughly, you have to forget everything and start all over again and all users will call you a nut, because you don't act like them. :)

EASTER
May 3rd, 2008, 04:02 PM
Anyone notice something here?

Time and again those statistics consistently elevate as reported from the AV fellows and that is a progression that will never end.

Like the above, signature identifications via a blacklist is not going to equate with security as well as with a HIPS, Virtualware, Sandbox, etc.

Map the O/S critical attack points and lock them in with a whitelist of safe executables, then have all other files scrutinized or condemned, and even go constantly virtual with a safe zone for keeping files you can examine before activating, and you suddenly have a more stable and dependable security arrangement IMHO.

Heuristics to me equal false finds, not reliable enough to depend on, but then I don't need to bother with AVs anymore with their ridiculous statistics or false negatives, but instead just a simple combo of a decent HIPS & FD-ISR/Returnil, plus a few minor supporting apps that won't stress a PC like AVs do.

ErikAlbert
May 3rd, 2008, 06:21 PM
A worm is a self-replicating computer program.
A trojan is a computer program that appears to be useful, but that actually does damage.
Both changed my system and that is their weakness, because my reboot undoes changes.
Change + Anti-change = Nothing, or the Einstein way: C+Ac=N²

ronjor
May 3rd, 2008, 06:27 PM
Several VirusTotal/Jotti result posts removed. They are not allowed under any circumstances unless requested by the staff. Policy (http://www.wilderssecurity.com/showthread.php?t=180057)

Here's some information. Understanding virus names (http://antivirus.about.com/od/whatisavirus/a/virusnames.htm)

MrBrian
May 3rd, 2008, 10:03 PM
-{ Quote: "
Patches and updates are ok for some but they leave me with many doubts because Microsoft engineers ARE NOT the best in the world even on their own machines!

Those are very valid reasons for serious doubts." }-

I found some relevant data in reports (http://www.microsoft.com/security/portal/sir.aspx) from Microsoft. On page 48 of the latest full report, we find data on the disinfection rate by Microsoft's MSRT program that runs automatically with Microsoft updates. According to Microsoft's data, during the 2nd half of 2007, for every 100 computers running Vista, 100 computers running XP SP2, 100 computers running XP SP1, etc., this is the percentage of total MSRT disinfections by each operating system:

Windows XP with no service pack: 30.6%
Windows XP SP1: 21.5%
Windows XP SP2: 7.2%
Windows Vista: 2.8%

Note: the numbers don't add up to 100% because I didn't include Windows 2000 figures.

Microsoft's conclusion:

-{ Quote: "
The higher the service pack level, the lower the rate of infection. This trend can be observed consistently across all three operating systems shown for which service packs have been issued. There are two reasons for this:

Service packs include fixes for all security vulnerabilities fixed in security updates at the time of issue, and also sometimes include additional security features or changes to default settings to protect users.
Users who install service packs generally maintain their computers better than users who do not install service packs, and therefore may also be more cautious in the way they browse the Internet, open attachments, and engage in other activities that can open computers to attack.

" }-

EASTER
May 3rd, 2008, 10:14 PM
-{ Quote: "I found some relevant data in reports (http://www.microsoft.com/security/portal/sir.aspx) from Microsoft. On page 48 of the latest full report, we find data on the disinfection rate by Microsoft's MSRT program that runs automatically with Microsoft updates. According to Microsoft's data, during the 2nd half of 2007, for every 100 computers running Vista, 100 computers running XP SP2, 100 computers running XP SP1, etc., this is the percentage of total MSRT disinfections by each operating system:

Windows XP with no service pack: 30.6%
Windows XP SP1: 21.5%
Windows XP SP2: 7.2%
Windows Vista: 2.8%

Note: the numbers don't add up to 100% because I didn't include Windows 2000 figures.

Microsoft's conclusion:" }-

Thanks for the time to compile those stats and post them. I normally don't put much stock in such MS-released stats, much like I wouldn't for a voting poll, but some averages can point to certain patterns worth considering.

The problem for me is if those percentages are with and/or without using commercial or third party PC protections or not.

MrBrian
May 3rd, 2008, 10:50 PM
-{ Quote: "Thanks for the time to compile those stats and post them.
" }-

You're welcome :).

-{ Quote: "The problem for me is if those percentages are with and/or without using commercial or third party PC protections or not." }-

These percentages are for the population as a whole that uses MSRT, typically I suppose automatically with Windows/Automatic/Microsoft Updates.