Wilders Security Forums  

#1
May 22nd, 2012, 06:56 AM
Nevis
Frequent Poster
Join Date: Aug 2010
Location: 255.255.255.255
Posts: 679
Interesting Conversation with a Hacker

Hi

I found an interesting conversation going on with a hacker on reddit.
He is clearing up the doubts of many people, telling them many things about security stuff.

Warning: You may lose confidence in your AV if you read this (which many of us already know: you just can't rely completely on an antivirus).

The link: http://www.reddit.com/r/IAmA/comment..._operator_ama/
__________________
Norton Internet Security 2013 : Fast ,Strong & Effective
Hitman Pro
#2
May 22nd, 2012, 07:55 AM
andyman35
Very Frequent Poster
Join Date: Nov 2007
Posts: 2,270
Re: Interesting Conversation with a Hacker

Most interesting read there.

To paraphrase Marx "The AV is the opium of the people".
#3
May 22nd, 2012, 10:01 AM
PaulBB
Frequent Poster
Join Date: Jan 2006
Posts: 506
Re: Interesting Conversation with a Hacker

Another good one:

Q: What anti virus software free/paid for presents to you the biggest obstacles?

A: Kaspersky was the most challenging at first, Kaspersky is paranoid as f...k! But it has an exploit in KIS, KAV and PURE, allowing to start malicious code in the memory context of a trusted system process unnoticed. Kaspersky won't interfere if it thinks it's the system process doing changes to the system.

LOL.
__________________
PDF Reader
#4
May 22nd, 2012, 10:53 AM
Gullible Jones
Posts: n/a
Re: Interesting Conversation with a Hacker

Interesting. Makes me want to keep using Linux (and common sense).
#5
May 22nd, 2012, 02:35 PM
No_script
Regular Poster
Join Date: May 2012
Posts: 97
Re: Interesting Conversation with a Hacker

HA HA, I've been reading that; he's right, AV is useless. The only decent tool is Comodo; even Malwarebytes is OK, but the attacker knows you're using it once you hit a website.
#6
May 22nd, 2012, 02:39 PM
general_zerohour
Posts: n/a
Re: Interesting Conversation with a Hacker

Very good discussion there in that article. I hope he gets a real job out of it, lol!! I hear Kaspersky's hiring.
#7
May 22nd, 2012, 04:01 PM
carat
Posts: n/a
Re: Interesting Conversation with a Hacker

Quote:
Trash your AV
Deactivate your firewall (you most likely have NAT on your router anyway).
Check your autostart entries every now and then from a boot disc. Autostart is the most sensitive spot of every malware, every malware needs to start with the system, yet it is just a fragile registry entry...
Use GMER (http://www.gmer.net/) every now and then when your spider sense is tingling.

... and I like to collect AV licences
#8
May 22nd, 2012, 05:09 PM
dw426
Massive Poster
Join Date: Jan 2007
Posts: 5,543
Re: Interesting Conversation with a Hacker

I don't like what the guy does, but he's pretty much right on as far as the "usual security" not working anymore. The thing about people like this, imho, is that you detest what they do, but, I'd rather learn from them than be "protected" by government measures, which usually only serve to protect them than you. I just wish the message these kind of guys send would get through to users.
#9
May 22nd, 2012, 05:12 PM
Page42
Massive Poster
Join Date: Jun 2007
Location: Last Breath Farm
Posts: 4,580
Re: Interesting Conversation with a Hacker

Quote:
I have no empathy to people, who can barely power on their computer, such people shouldn't be on the internet. Getting infected is very hard if you have a touch of common sense.
Ah, a ray of hope.
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams
#10
May 22nd, 2012, 05:16 PM
Tsast42
Regular Poster
Join Date: May 2012
Location: United Kingdom
Posts: 137
Re: Interesting Conversation with a Hacker

Also shows what a joke UAC and Standard User Accounts are. Sandboxie gets a good mention.
#11
May 22nd, 2012, 05:19 PM
Page42
Massive Poster
Join Date: Jun 2007
Location: Last Breath Farm
Posts: 4,580
Re: Interesting Conversation with a Hacker

I missed the Sandboxie mention, and can't find it. Where it be?
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams
#12
May 22nd, 2012, 05:25 PM
Tsast42
Regular Poster
Join Date: May 2012
Location: United Kingdom
Posts: 137
Re: Interesting Conversation with a Hacker

Far down the (very long) page, towards the bottom.
#13
May 22nd, 2012, 05:29 PM
Page42
Massive Poster
Join Date: Jun 2007
Location: Last Breath Farm
Posts: 4,580
Re: Interesting Conversation with a Hacker

Not seeing it, nor is it showing up in search.
What's the quote?
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams
#14
May 22nd, 2012, 05:37 PM
Tsast42
Regular Poster
Join Date: May 2012
Location: United Kingdom
Posts: 137
Re: Interesting Conversation with a Hacker

I wasn't too keen on going through all that headache inducement all over again, lol, but I found it fairly quickly this time; it's a couple of continuation clicks down, so it doesn't show in search. Not a very long mention, but good to see a 'professional' can't just bypass its protection somehow. Here you go:

Quote:
[–]Busanjin 1 point 10 days ago

What do you think about setting up a user account in Windows 7, using the computer strictly under the user account, and giving the admin account a strong password? Would that help against typical malware as long as one does not type the admin password at the time of an infection?

[–]throwaway236236[s] 1 point 10 days ago

The malware will run as the user account and will only be able to hijack information that is run in the user context, meaning everything that was started while using the same user account. If the malware is made well it won't even trigger UAC, and even if it does, there is a way to bypass UAC completely, because you can inject your malware into a trusted process (explorer.exe, there is a whitelist somewhere on the net) that autoelevates UAC. Only on a guest account will it be tough to install malware, because guests usually only have temporary write access in Windows 7.

[–]kovert 1 point 10 days ago

Are you telling me that running as a regular user you can inject code into explorer and wait for UAC to be triggered? Eventually elevating the code? If you can do that and wait for an administrator to come by, then there is no stopping you.

[–]throwaway236236[s] 1 point 10 days ago

No, you don't need administrator at all. You need no admin rights to install malware on your system. If you however want to make system-wide changes (like installing malware for all users on the system) you need admin privileges. If you are a regular user and are allowed to get admin rights through UAC, you can simply inject into whitelisted processes to not trigger the UAC popup.

[–]kovert 1 point 10 days ago

I was worried that, as a limited user that needs a password for UAC to succeed, you could inject code into explorer.exe and wait until I needed to, say... view a directory I didn't have access to. After UAC was successful, the code that was injected into explorer would be elevated with the rest of the process (assuming UAC elevates explorer.exe to view that directory). The process then could do other things and completely bypass my software restriction policy.

I'm paranoid; I run as a limited user and use a Software Restriction Policy (not AppLocker, though they are similar) on Windows 7. To do administrative things I use runas. I use the default SRP extensions plus I block JAR files. To exploit my machine you have to exploit something that is already installed on my machine (not that hard though: Adobe Flash/Adobe Reader/Java). I'm ruling out possibilities of something new that I've downloaded and needs administrative privileges to install or be used. It is unlikely that I would be getting something that wasn't from a well established place. I don't download pirated software. If I did I would get a legit copy and use a keygen. I'd never run a keygen as admin. I'm assuming the things I've already downloaded from trusted locations aren't inherently malicious. I use Secunia PSI to make sure my programs don't have any security advisories or need to be updated. Regular full anti-virus/malware scans are done as well. I used to reformat my PC a lot before Windows 7.

Assuming you could inject code into UAC and wait for the privileges to be elevated, getting to that point would be difficult. You would have to have a 0-day for one of my already existing programs like Adobe Reader/Java. Your exploit would have to run in memory without starting another EXE from disk (SRP would block an EXE from, say, the TEMP directory if the exploit downloads a dropper) to inject Explorer. As far as I know there is no common directory that you would know ahead of time that allows executables to be run by my limited user account. Assuming by default I didn't add the JAR extension in SRP, it would be a better choice for a Java dropper if Java was detected on the system. Directly injecting into the Explorer process from the exploit would also work. Then you would have to be lucky that the process you injected would be elevated.

The absolute worst case scenario I can think of would be two exploits. If you had an exploit for, say, Adobe Reader that exploited another SYSTEM level process that resulted in privilege escalation, I wouldn't be able to block it. Sadly, nobody could, since SRP only applies to users/administrators and I can't lock down what the OS does. At this point we've exhausted all of my (and anyone with Windows) built-in preventative measures against malicious code in a persistent environment.

Now I have to use signature/heuristic based methods to help with anything that gets past this point. If anti-virus worked like that Triumfant website you posted to aid detection, also OSSEC. Sandboxie could help with any of my userland programs, preventing it from spreading to the system.

I worry about malware that can hide itself so well that I have to use a boot CD to scan the host. Some kernel level goodness. PARANOID PARROT AIN'T GOT **** ON ME!

TL;DR I'm paranoid when it comes to PC security. I'm well protected, but I've mentioned hypothetical ways you could still pwn me or any user that would be unstoppable using all of the built-in Windows defenses.

[–]throwaway236236[s] 2 points 9 days ago

Sandboxie will protect you from system changes, but malware could still read, for example, your saved Firefox passwords and send them to me. Malware that doesn't even write to the disk exists in the wild, but a botnet will be impossible to install without an exploit or custom driver to write to the disk directly (impossible on x64 without a stolen certificate). As I already mentioned in some other comment, a UAC bypass doesn't magically give you admin rights; it simply triggers admin rights that you could already get according to system policies, without triggering the UAC popup.
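One way to check the SRP setup kovert describes above (default deny for users, the standard designated file types plus JAR), as an added example that is not part of the reddit thread or this post: a read-only PowerShell audit of the documented SRP registry locations. The function name Test-SrpConfig and the wording of the findings are assumptions of this example; the registry values it reads are the ones Local Security Policy writes when SRP is configured.

```powershell
# Added example (not from the thread or any poster): read-only audit of the local
# Software Restriction Policy. Assumes Windows 7 or later with SRP configured via
# Local Security Policy; reports findings, changes nothing.
function Test-SrpConfig {
    $srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $srp)) {
        Write-Output 'SRP is not configured (CodeIdentifiers key missing).'
        return
    }
    $ci = Get-ItemProperty -Path $srp
    $levelNames = @{ 0 = 'Disallowed (default deny)'; 262144 = 'Unrestricted (default allow)' }

    # DefaultLevel: 0 = Disallowed, 0x40000 (262144) = Unrestricted
    $default = [int]$ci.DefaultLevel
    $name = if ($levelNames.ContainsKey($default)) { $levelNames[$default] } else { "level $default" }
    Write-Output "Default security level: $name"
    if ($default -ne 0) {
        Write-Output 'Finding: default level is not Disallowed; SRP is running as a blacklist.'
    }

    # PolicyScope: 0 = all users, 1 = all users except local administrators
    if ([int]$ci.PolicyScope -eq 1) {
        Write-Output 'Finding: SRP does not apply to local administrators.'
    }

    # TransparentEnabled: 1 = executables only, 2 = executables and DLLs
    if ([int]$ci.TransparentEnabled -lt 2) {
        Write-Output 'Note: DLL checking is off; only executable file types are checked.'
    }

    # ExecutableTypes (REG_MULTI_SZ): the designated file types SRP enforces on.
    # kovert adds JAR to the default list; check it is really there.
    $types = @($ci.ExecutableTypes)
    Write-Output ('Designated file types: ' + ($types -join ', '))
    if ($types -notcontains 'JAR') {
        Write-Output 'Finding: JAR is not a designated file type; Java archives are not covered by path rules.'
    }

    # Path rules live under <level>\Paths\<GUID>; ItemData holds the path pattern
    foreach ($level in $levelNames.Keys) {
        $rules = Join-Path $srp "$level\Paths"
        if (-not (Test-Path $rules)) { continue }
        Get-ChildItem -Path $rules | ForEach-Object {
            $rule = Get-ItemProperty -Path $_.PSPath
            Write-Output ('Rule [{0}] {1}' -f $levelNames[$level], $rule.ItemData)
        }
    }
}

Test-SrpConfig
```

Run it from an elevated or a standard prompt; reading the policy needs no admin rights, so it is also a quick way to confirm that the policy a limited user actually runs under matches what was configured.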
#15
May 22nd, 2012, 05:39 PM
fax
Very Frequent Poster
Join Date: May 2005
Posts: 2,562
Re: Interesting Conversation with a Hacker

Uuuhm, could only find this:

Quote:
[throwaway236236] 9 days ago

Sandboxie will protect you from system changes, but malware could still read, for example, your saved Firefox passwords and send them to me. Malware that doesn't even write to the disk exists in the wild, but a botnet will be impossible to install without an exploit or custom driver to write to the disk directly (impossible on x64 without a stolen certificate). As I already mentioned in some other comment, a UAC bypass doesn't magically give you admin rights; it simply triggers admin rights that you could already get according to system policies, without triggering the UAC popup.

EDIT: ooops, 2 minutes late
#16
May 22nd, 2012, 05:54 PM
JoeBlack40
Very Frequent Poster
Join Date: Apr 2009
Location: Romania
Posts: 1,286
Re: Interesting Conversation with a Hacker

As I'm not a native English speaker: did the guy mention anything about HIPS, whether it provides protection of some kind or not?
__________________
Avira free-Privatefirewall-Sandboxie-WinPatrol Plus-Wondershare TimeFreeze
#17
May 22nd, 2012, 06:13 PM
Tsast42
Regular Poster
Join Date: May 2012
Location: United Kingdom
Posts: 137
Re: Interesting Conversation with a Hacker

I didn't notice any discussion of HIPS; really, for all the endless posts, there wasn't that much there about security. Feel free to ask him though, lol.
#18
May 22nd, 2012, 06:34 PM
Noob
Massive Poster
Join Date: Nov 2009
Posts: 5,257
Re: Interesting Conversation with a Hacker

Interesting . . .
Did not understand anything when they got too technical. *Information Overload*
__________________
Emsisoft Anti-Malware v7.0.0.21 - Online Armor 6.0.0.1736
SRP - UAC - EMET

Browser: Google Chrome v25.xx

Windows 7 Ultimate x64
#19
May 22nd, 2012, 06:41 PM
Brandonn2010
Very Frequent Poster
Join Date: Jan 2011
Posts: 1,215
Re: Interesting Conversation with a Hacker

I didn't read it, but I would have to say an AV is not completely useless. While it may not be great for preventing data leaks, it can still stop average malware that simply tries to damage your computer; but then again, most malware nowadays tries to steal information, doesn't it?
__________________
OS: Windows 7 Pro x64 | First-Line: Norton DNS + Google Chrome | Realtime: Bitdefender Free Antivirus | On-Demand: HitmanPro Free + Malwarebytes Free | My Computer Security Website: Link
#20
May 22nd, 2012, 06:56 PM
No_script
Regular Poster
Join Date: May 2012
Posts: 97
Re: Interesting Conversation with a Hacker

Quote:
Originally Posted by Brandonn2010
I didn't read it, but I would have to say an AV is not completely useless. While it may not be great for preventing data leaks, it can still stop average malware that simply tries to damage your computer; but then again, most malware nowadays tries to steal information, doesn't it?

It is useless; it does nothing even against old malware. All you have to do is edit the malware with a H3X editor and it will bypass the Anti Virus.

Yes and No. Some stuff is out of this world, I'm talking about infecting your monitor/network cards/router/BIOSs & just r00ting your system.

The number of Botnets I think is probably around 400 million machines all up.
#21
May 22nd, 2012, 07:12 PM
dw426
Massive Poster
Join Date: Jan 2007
Posts: 5,543
Re: Interesting Conversation with a Hacker

Quote:
Originally Posted by Brandonn2010
I didn't read it, but I would have to say an AV is not completely useless. While it may not be great for preventing data leaks, it can still stop average malware that simply tries to damage your computer; but then again, most malware nowadays tries to steal information, doesn't it?

Malware that does damage to a system (outside of major attacks via Stuxnet-type malware) has no benefit to current cybercrime. If I'm a hacker looking to make a profit (and that consists of the majority of your real threat), I'm not going to harm a hair on your system if I can help it. I'm going to run silent and deep, and wait for you to provide your passwords and accounts willingly without you ever smelling a hint of trouble.

The majority of times, an AV is like a car alarm. It'll tell you when something is wrong in its opinion, but it might be a cat instead of a thief (FP vs real threat..and that's if it even has a definition in the database, in which case it'll sit there on its thumbs). The "old school" no longer works well enough to rely on. The problem is, the more effective methods require babysitting, which isn't effective for a user either.

At this point in the game, the best options are to either, if you can handle such, go the full on default deny route, in which you'll need to make decisions on what and when to allow, use Sandboxie or another similar method (which, as this hacker stated, can't protect from everything), or go Linux. That's my opinion on the matter.
#22
May 22nd, 2012, 07:34 PM
STV0726
Frequent Poster
Join Date: Jul 2010
Posts: 868
Re: Interesting Conversation with a Hacker

......

Am I the ONLY one who thinks it is probably a BAD idea that we are

1) Taking advice from a hacker who is an ACTIVE criminal and admits he is stealing money from people

2) Telling him our defense strategies so he can improve his offensive strategies

3) Trusting his advice at what seems to be face value (Granted, some of it does sound genuine and not far off, but still)

As for UAC, if it is set to maximum (Always Notify), I haven't heard of any proof of concept of it being bypassed, and even if it was, then yes, something theoretically COULD happen, such as an exe being run, but it can't actually install onto the system; therefore deleting the user account would solve the problem, and this effect is enhanced by the SRP because it wouldn't be allowed to run at all in the first place.

He makes some interesting points, but I won't give any credit to an active criminal. I wish him to be caught and slammed to the ground by the feds and handcuffs put on him as rough as possible without crossing the police brutality threshold. I f****** hate malware hackers and have no respect for them.

This also goes for Anonymous. To quote someone else on here (I forget who said it), "For every 1 good hack they do, they do 10 stupid ones".
__________________
~ STV0726
OS: Windows 7|SRP|SUA|UAC|EFS|EMET|Firewall|Backup
Resident: Webroot SecureAnywhere 2013|Sandboxie
On-Demand: MBAM|SAS|HMP|Comodo CE|Secunia PSI
Browser: Firefox|Web of Trust|Adblock Plus|NoScript
Hardware/Other: Linksys Router|Norton ConnectSafe DNS
#23
May 22nd, 2012, 07:39 PM
KelvinW4
Frequent Poster
Join Date: Oct 2011
Location: Los Angeles, California
Posts: 974
Re: Interesting Conversation with a Hacker

+1
__________________
Windows Firewall-Avira Free-Shadow Defender-MBAM PRO (OD)
#24
May 22nd, 2012, 08:31 PM
Page42
Massive Poster
Join Date: Jun 2007
Location: Last Breath Farm
Posts: 4,580
Re: Interesting Conversation with a Hacker

Quote:
Originally Posted by STV0726
He makes some interesting points, but I won't give any credit to an active criminal.
It has been said that one must know one's enemies, or be in peril.
The very best detectives think like criminals.
I would dare say there is credit given too.
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams
#25
May 22nd, 2012, 09:06 PM
treehouse786
Very Frequent Poster
Join Date: Jun 2010
Location: Lancashire
Posts: 1,050
Re: Interesting Conversation with a Hacker

A strong firewall would put an end to this guy's mischief. Plus, I doubt he can bypass UAC and Comodo Defense+ in tandem.
__________________
Active@ Disk Image | 10 On-Demand Scanners
