How do you get pWned online??

Discussion in 'other anti-malware software' started by Sully, May 21, 2009.

Thread Status:
Not open for further replies.
  1. Sully
    Sully Registered Member

    I am just wondering. Many posts state that using program XYZ and 123 in combo is awesome because of *%@@^!!. And then someone will say they had malware #2211 and virii #xuu* get past that very same setup.

    So, how exactly do you who get bitten get bit? I run often with only Avira. Many times XP Firewall is on, but more often not. I use SRP a lot in Basic User mode from Admin login. I use Kmeleon browser. I don't surf pr0n sites, but do venture to a lot of reverse engineering and such places to learn coding stuff. I never get bitten.

    So what is it you do that gets you bitten? Not that I want to, but I am very curious what it is that makes it happen for so many and why it never seems to be an issue for me.

    Sul.
  2. Franklin
    Franklin Registered Member

    By deliberately downloading any and all malware I can get my hands on but they do all the biting inside the sandbox.

    Would you like to run the samples below and see if you get bit?

    Let's just hope Avira has been updated, eh.;)

    And to be honest Avira overall is about the best in detecting new samples.

    ~VirusTotal screenshots removed per policy.~
    Last edited by a moderator: May 21, 2009
  3. Sully
    Sully Registered Member

    Eh? Sure, but I would only purposefully do that in vmWare or Sandboxie.

    What I mean is not what you do. I understand that. But when peeps post that they had this or that happen, how did they get it? Email? Facebook? Lots of ways to get bitten, but even at work where I set systems up, we have not had an instance there in 4 years of being online yet. So I am left scratching my head thinking, how do semi-experienced or experienced get these problems?

    It must be self induced, like installing new software.

    Sul.
  4. m00nbl00d
    m00nbl00d Registered Member

    I guess it's a mix of it all. E-mails, installing software (new or upgrading/updating), downloading illegal MP3s, etc.

    The other day a family member got an e-mail, supposedly from a friend, and as soon as they clicked the link in that e-mail it opened IE and tried to enter a malicious domain. I say tried, because it was stopped by one of my security measures. ;)

    It turns out that the e-mail account of my family member's friend got hacked.
    There's nothing worse than people believing that this can't happen to themselves.
    I'm always telling them to be careful and not to click any links in their e-mails, MSN, etc. They can never know if the person who is sending those links is the person they know.

    It may also happen that people install an application they've always used, which was perfectly safe, and the latest one could be compromised, without the developer(s) even knowing about it, etc. And, when this happens, unless people use an anti-malware software application that may trigger some alert, and hence make people suspicious, then people will go ahead and install it as happily as before.

    All scenarios can happen.
  5. Rmus
    Rmus Exploit Analyst

    Hi Sul,

    This may give you something to start with. Referring to a particular product, the poster writes,

    http://www.wilderssecurity.com/showthread.php?p=1471040#post1471040
    The clue here is "problem files."

    I used to peruse the hijack forums and AV forums to get an idea of what types of infections were going around. Interestingly, the majority were not from drive-by attacks, but downloading "problem" files, which I came to describe as anything that I would not download.

    Several big culprits:

    Codec files

    An example that I like to cite:

    DNS changer Trojan for Mac (!) in the wild
    http://isc.sans.org/diary.html?storyid=3595

    The clue here is that the user grants installation privileges.

    Big complaint from victims: Why didn't "it" (my AV or whatever is popular these days) catch this. Easy explanation: malware codecs and flash updates change quickly and signature-based solutions can't keep up. Even behavior-based solutions often fail to catch.

    Storm e-cards

    ...and similar tricks. Now, these are executable files, yet victims willingly grant installation privileges. Many victims have been successfully tricked, as you know, since the Storm botnet is one of the largest.

    Same problem with detection as above. Storm variants changed hourly in the early months of its success.

    So, I think it's pretty clear why people get owned while online. In a few cases in corresponding with victims, it became evident that

    • they had a false sense of security gained from following advice on forums about this and that product as the end-all to security. The majority of discussions on "security" forums revolve around anti-malware products, yet my experience has been that those I know who have never been infected don't use many, if any, such products, and don't frequent security forums.

    • there was a lack of general knowledge about security basics, such as Brian Krebs's rule, "Don't install anything you didn't go looking for." Or, mine: "If a video requires a new codec, or flash update, move on."

    It also became evident to me that security has nothing to do with which Operating System or browser one uses.

    Good example late last year: a victim of a PDF exploit complained that

    • his AV was up to date (one of the popular ones that has a forum here at Wilders)

    • he uses Firefox

    When pressed to explain, he admitted that

    • he assumed that he was immune from drive-by attacks because he uses Firefox,

    • he didn't know that a PDF exploit is not a browser exploit,

    • he had no protection against executable payloads in a drive-by attack

    So, I think the answer to your question is quite easy. And I'm sure there are factors in addition to what I've listed that can be considered.

    Interesting topic! and should be thoroughly thought-out by all security-minded people.

    regards,

    rich
  6. Keyboard_Commando
    Keyboard_Commando Registered Member

    I got well and truly pwned online via a 3rd party chat messenger. I won't mention which because it just gives the creep that did it fame he doesn't deserve. Apparently he hacked into the 3rd party messenger update file location and planted an infected update there. So anyone with auto update enabled got screwed (unfortunately this was the default setting). Completely wormed the drive. Luckily for me I saved my music files, which is all I really cared about :p

    Apart from Comodo, everything is set to manual update now. So yeah, I guess I am burnt out by the experience.
  7. Rmus
    Rmus Exploit Analyst

    Very interesting! You may have seen this:

    Google Chrome's Security Practices Raise Eyebrows
    http://www.pcmag.com/article2/0,2817,2347216,00.asp
    ----
    rich
  8. Sully
    Sully Registered Member

    @Rmus

    I think that is a good overall picture. I don't download codecs, or music. I view all my email without html/rtf as just plain text. Never open those e-card things.

    The analogy of don't open or install what you did not request is what I have always practiced, including telemarketers and the like. I've been surfing since the web was a bunch of bbs type forums, all text with few pictures. That was back in 3.11 days. LOL, I even remember we had a modem for the Commodore64, that you laid the phone onto the cradle. It was only a text screen, but it was pretty cool at the time. I have had a few items installed when I was too lazy to actually read the EULA agreement, like google toolbar, which I cannot stand. Maybe I just spend too much time coding or messing with windows and playing games to do the things the authors target users for.

    I have downloaded items that have bad things in them. Archives normally if possible rather than installers. In the old days F-Prot would scream at me and nowadays Avira will. I have a few test files I play with, but about the only thing Avira ever tells me these days is occasionally something in my browser cache is suspicious so I delete it.

    I have yet to make it to that friend's house with the autorun virii. The infected computer is still in the same state. I talked them through on the phone how to remove it, as I lack time for that right now. Maybe I can snag that and play some.

    Yeah, I was hoping there could be some sort of 'theme' that developed from this thread. I am curious, but also to help those I support, sort of like saying to them 'according to many peeps who are into computer security, activity X and activity Y seem to be the most common way to get bitten, so don't do those things'.

    Thanks for the replies. Good info.

    Sul.