Interesting Conversation with a Hacker

Discussion in 'other anti-virus software' started by Nevis, May 22, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    pfsense is more than just a firewall though, or at least it can be

    And servers absolutely do. People will nmap just to check your server out and an IDS can go nuts over that and a Firewall will log it.
     
  2. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    In response to some of the "heat" I've been getting...

    1. I put the raw ingredients in my forum signature. I don't put the exact recipe. Nice try though.

    2. The hacker's motivation can be giving you bad advice so he can target you easily and know exactly which exploits to play since you've told him your security recipe.

    3. I've done a lot of extensive research on malware in the wild and all that I've seen always relies on eventually executing some code. For this reason, I still consider anti-execution (regardless of how it's achieved; as long as it is true whitelisting) to be the best security measure. I feel a lot of people think this way and it will take solid proof to change this notion.

    4. Software firewalls are imperative. The Windows Vista/7 (especially 7) firewall has no impact on performance, and turning it off because of this guy's sole opinion would be a very, VERY stupid move in my opinion. Leave it on...seriously. If you are behind a router, then great, it will add an additional layer of protection from other computers on your network. If you are traveling, it is your only firewall. Outbound firewalls...well, that's your call. This guy is not giving good advice, especially for the general public. :thumbd:

    ...this guy is basically a radical and it's essentially no different than if someone was to write an article entitled, "Why You Should Stop Browsing the Web and Just Enjoy Other Computer Uses".
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I agree with your fourth point. While I don't run a firewall (I have no ports open), I don't think that turning the Windows one off is a good idea, and there's really no reason to do so.

    I don't think his motivation is to do anything other than have a fun discussion.
     
  4. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Sure, he won't recommend software firewalls, so that the outbound connections of his 'bread and butter' botnet installs will be unhampered. But then again, he can code more sophisticated malware to easily bypass those which, unfortunately for him, in some cases have a HIPS component.
     
    Last edited: May 23, 2012
  5. jitte

    jitte Registered Member

    Joined:
    May 2, 2012
    Posts:
    67
    For someone who doesn't even run a firewall you presume to know a lot about mine.

    Have extensive experience with the OpenBSD packet filter firewall, do you?

    And I'm not running a server.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    All I've said is that pfsense can be more than a firewall. You can set it up to do IDS/IPS. No idea how you've set it up.

    What I was saying is not that you're running a server. I was saying that if you do run a server you'll see huge logs. If you don't run a server you're unlikely to see massive logs.
     
  7. Tsast42

    Tsast42 Registered Member

    Joined:
    May 7, 2012
    Posts:
    137
    Location:
    United Kingdom
    With regards to anti-virus, the part that seems the most dubious is the signature-based detection; if the heuristics are high/effective enough they WILL catch such intrusions. This is another vote in favour of real-time anti-virus protection with tweaked settings over the more popular on-demand scanning, which I also see as pretty pointless. Sure, if it does find malware then it has thrown up a red flag telling you to scrub yourself in disinfectant, but if it clears you it proves nothing, leaving you essentially in the same position you were in before the scan: not really knowing for sure whether you are clean one way or the other.

    One thing to bear in mind with that discussion is that the infection vectors that he's talking about are just what HE uses to infiltrate. Just because a security measure such as whitelisting for example won't safeguard you from everything one hacker throws at your machine doesn't mean it isn't useful against myriad other sources of infection.
     
  8. Atul88

    Atul88 Registered Member

    Joined:
    Dec 8, 2011
    Posts:
    259
    Location:
    India
    You reminded me of something: I was doing some tests and had disabled the Realtime Protection!!!
    What happened was I collected a bunch of malware and, doing an on-demand scan on them, all were found as malware. Then I extracted them again and forgot to delete them, so what I did was press Ctrl+A and, about to click on DELETE, I also pressed Enter :blink: :blink: (how stupid of me ;) ).
    lol lol. And within a few minutes my PC got hijacked :eek: :eek:

    I agree!!! :D :D :D
     
  9. jitte

    jitte Registered Member

    Joined:
    May 2, 2012
    Posts:
    67
    He wasn't talking about servers. He made a generalized statement about the average firewall producing thousands of warning messages an hour:

    And I responded to it:

    Nothing was said about servers till you mentioned it.

     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Then obviously that is my mistake.
     
  11. jitte

    jitte Registered Member

    Joined:
    May 2, 2012
    Posts:
    67
    No problem. ;)
     
  12. Nevis

    Nevis Registered Member

    Joined:
    Aug 28, 2010
    Posts:
    812
    Location:
    255.255.255.255
    Lol, this in fact reminded me of my first stupid action, in which one of my hacker friends sent me a file and said it's FUD and won't be detected by any AV.

    I did not know what FUD meant and clicked the file. All my passwords went to his FTP server. Lucky me, he was a friend, and he made fun of me for a long time :D
     
  13. Atul88

    Atul88 Registered Member

    Joined:
    Dec 8, 2011
    Posts:
    259
    Location:
    India
    +1 :D :D
    FUD keylogger o_O
     
  14. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    556
    Location:
    USA
    And that's just what's behind him telling you that AV and firewall are useless. It's like someone telling you not to bother locking your car because he can break a window.
     
  15. Thank you for bringing this up...

    For some reason I'd taken it for granted that it was generally impractical to run the entirety of malicious code in the address space of a hacked program. You're talking about... what, forcing the hacked program to load a malicious DLL? How common a technique is that in the malware world? It certainly warrants rethinking of anti-executables as a main strategy.
     
  16. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    It used to be that shellcode size limitations prevented the entirety of the malicious code from running in the same address space as the hacked program. But DLL loading from memory has been accomplished successfully by skape (Miller), from Stephen Fewer's Reflective DLL injection technique - www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf . After an initial exploit, the shellcode loader will inject the DLL entirely into the address space of the exploited process through "VirtualAlloc". And this was incorporated in HD Moore's Metasploit as the Meterpreter module.
    http://searchsecurity.techtarget.in/tip/Metasploit-tutorial-part-2-Using-meterpreter

    Didier Stevens was also able to do just that but differently...
    http://blog.didierstevens.com/2010/01/28/quickpost-shellcode-to-load-a-dll-from-memory/

    As for the in-the-wild malware world, I only know of one instance that does exactly that...
    https://www.wilderssecurity.com/showthread.php?t=320477
    http://www.techweekeurope.co.uk/news/kaspersky-lab-discovers-invisible-memory-only-bot-68362

    More likely, this type of attack is used more for targeted attacks, for reconnaissance and as a trojan for the subsequent APTs (advanced persistent threats) against valuable targets, rather than for mass distribution of malware. But who knows what the future will bring.

    It is also very difficult to do statistics on memory-only attacks because more memory forensics is needed.

    So, yes, AE, SRP, AppLocker, even HIPS and Sandboxie will not be able to catch this one. I was able to configure HIPS tightly so as to restrict it, but it is a PITA. Something like the memory corruption protections provided by EMET may or may not prevent it.

    There is also a POC from a French security firm about a purely shellcodised executable.
    http://benjamin.caillat.free.fr/ressources/backdoors/videos_en/attack_presentation.avi
    http://www.blackhat.com/presentatio...t-Europe-09-Caillat-Wishmaster-whitepaper.pdf
     
    Last edited: May 25, 2012
  17. Atul88

    Atul88 Registered Member

    Joined:
    Dec 8, 2011
    Posts:
    259
    Location:
    India
    LOL...i like it when someone gives that good example :D :D
     
  18. Thanks trismegistos, that's quite interesting. Could SRP block this stuff by disallowing unknown DLLs, or would that be hopeless?
     
  19. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Since in this case the injected DLL is not registered as usual, SRP, AE and even HIPS will not be able to catch the loading of such an unknown DLL.

    Try this for yourself, Didier Stevens' "Excel Spawn CMD in Memory"...
    http://blog.didierstevens.com/2011/04/19/signed-spreadsheet-with-cmd-dll-regedit-dll/
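SRP and AppLocker key on the file an image is loaded from, so a DLL mapped straight from memory gives them nothing to evaluate; the gap shows up instead in memory forensics, which trismegistos notes above is what these attacks call for. As an added example (not code from this thread, from Didier Stevens, or from the cited papers), this Python checks a process's memory-region listing for unbacked executable memory that still carries a PE header, the heuristic behind tools such as Volatility's malfind; the region records are constructed sample data shaped like a simplified VAD listing.

```python
"""Flag memory regions that look like a reflectively loaded DLL (added example, not from the thread).
A DLL loaded from disk is file-backed and was seen by SRP/AppLocker at load time; a reflectively
injected one sits in private executable memory with no backing file and usually keeps its PE header.
The region records below are constructed sample data, not real tool output."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Region:
    base: int
    size: int
    protect: str                 # e.g. "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE"
    backing_file: Optional[str]  # mapped image path, or None for private memory
    head: bytes                  # first bytes of the region

def looks_like_pe(head: bytes) -> bool:
    """True if the bytes start with an 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def suspicious_regions(regions: List[Region]) -> List[dict]:
    """Return unbacked executable regions that carry a PE header and/or are RWX."""
    findings = []
    for r in regions:
        if "EXECUTE" not in r.protect or r.backing_file is not None:
            continue  # non-executable data, or image-backed code that came from a file on disk
        reasons = []
        if looks_like_pe(r.head):
            reasons.append("PE header in unbacked executable memory")
        if "READWRITE" in r.protect:
            reasons.append("private RWX region")
        if reasons:  # plain unbacked code with no header (e.g. a JIT) is left alone to limit noise
            findings.append({"base": r.base, "size": r.size, "reasons": reasons})
    return findings

def build_pe_head() -> bytes:
    """Constructed minimal DOS stub: e_lfanew = 0x40 and a PE signature at that offset."""
    head = bytearray(0x48)
    head[:2], head[0x3C:0x40], head[0x40:0x44] = b"MZ", (0x40).to_bytes(4, "little"), b"PE\x00\x00"
    return bytes(head)

SAMPLE_REGIONS = [  # constructed listing for one process
    Region(0x7FFE0000, 0x1F0000, "PAGE_EXECUTE_READ", r"C:\Windows\System32\ntdll.dll", build_pe_head()),
    Region(0x00600000, 0x100000, "PAGE_READWRITE", None, bytes(0x48)),                         # heap
    Region(0x02000000, 0x010000, "PAGE_EXECUTE_READ", None, b"\x55\x8b\xec" + bytes(0x45)),  # JIT-style code
    Region(0x01E40000, 0x040000, "PAGE_EXECUTE_READWRITE", None, build_pe_head()),            # looks injected
]
if __name__ == "__main__":
    for f in suspicious_regions(SAMPLE_REGIONS):
        print(f"0x{f['base']:08X} size=0x{f['size']:X}: {'; '.join(f['reasons'])}")
```

Only the private RWX region with an MZ/PE header is reported; the image-backed ntdll mapping and the header-less JIT-style region are not, which is the trade-off between catching this class of loader and drowning in false positives.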
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I missed the follow up questions, sorry GJ.

    Trismegistos, you've said everything I could have said and then some =p
     
  21. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    So in summary...

    First the BAD news: Anti-executables, software restriction policies, and similar true whitelisting approaches aren't invulnerable. They can fall victim to unknown DLL injection by hacked processes and memory-only attacks.

    The GOOD news: That sh*t appears to be very rare/specialized malware attack; NOT in-the-wild/trending.

    So I still conclude: True whitelisting is the BEST security measure/implementation for intermediate to advanced users...

    ...That being said, however, I should make note that I have never been one who advocated for using a SRP alone without other layers/anti-malware. A lot of SRP users do that and while I believe that was ok, now with these memory-only attacks, I would want at least EMET used with that, and preferably an anti-virus as well.
     
    Last edited: May 25, 2012
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Well that's an interesting conclusion... your summary is accurate though.
     
  23. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    My conclusion is based on the fact that anti-virus software struggles to keep up with and protect from ~90% of the widely used techniques of malware out there...

    ...Whereas SRPs and true whitelisting will protect against 99.99% of the widely used techniques because they rely on execution to work.

    As for the remote, tiny percentage of new threats that use memory-only techniques, which whitelisting will not protect from, there's no guarantee at this time that blacklisting (like anti-virus) will prevent those either, since they are so new (not to mention the fact that they borrow another process for stealth, so you would need good heuristics to catch it)!
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    And using Windows 2000 will keep me safe from 99.99% of the malware out there because no hacker gives a **** about it lol that doesn't make it secure
     
  25. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Count up the number of intermediate/advanced users, compare them to the number of "typical" users, and you'll see the problem. And why specialized software such as HIPS, Sandboxie and its kind, etc are still considered niche products and aren't raking in the cash that AV companies and other "standard security" providers are making.
     