Uninstalled my firewall solution today...

Discussion in 'other firewalls' started by Starsky, Jul 29, 2009.

Thread Status:
Not open for further replies.
  1. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    http://www.youtube.com/watch?v=1roTgk_SrMw
     
  2. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    Overangry,

    Could you please describe to me what it is I would discover at the youtube.com link?
    youtube.com is on my personal Black List.


    HKEY1952
     
  3. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Software firewalls with outbound protection aren't necessary in any way, but can be useful for some people, in some cases. People can decide for themselves whether they want and need one or not.

    About the password stealers, though..

    FUD is a pretty fitting word in more than one way. Apparently some people call those boring password stealers Fully Un-Detectable. I call that Fear, Uncertainty and Doubt. :D These things are nowhere even near undetectable. Sure, they might go undetected by blacklist security software, but then again, what doesn't? Sure, they might have built-in protection to do nothing when executed monitored or virtualized, such as in VMWare or Sandboxie. But still, these stealers are executable files most often from highly untrusted sources. Downloading some crack from a torrent? Downloading some porn flick that for some weird reason seems to be an executable file (probably pretending to be a self-extracting archive)? Downloading from some random file site? Stuff like that should already alert your mental heuristics to a likely malicious file, long before even the most rudimentary analysis could have been done on the file. ;) As for what counts as an untrusted source, common sense goes a long way here. Have you heard of any major software company hosting files on their official site that were actually password stealers? How often does that happen? Any guesses..?

    But sure, if you are in the habit of executing files from unreliable sources, then an outbound firewall and HIPS are the kind of stuff that come in very handy. Just don't place too much faith in them. There are many things that a malicious file, when executed, could use to try and attempt to evade firewalls. For example, using IPv6 for the connections, or using BITS. There are many firewalls that let those through no questions asked. Really the best defense is not executing untrusted executables in the first place. But with many of these password stealers there are some fun tricks you can use against them, if you feel like it. A lot of these things assume that a network connection exists and include a self-destruction routine to delete the malicious executable and files to remove traces. Guess what happens if you run one of these stealers while your network cable is disconnected. Obviously it can't connect, and then one of two things tends to happen: either it stupidly assumes it has done its job and kills itself or it just hangs eternally waiting for a network connection - and in the latter case you'll be able to get rid of it just by terminating its processes that are hanging around achieving nothing. :D
     
    Last edited: Aug 1, 2009
  4. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    So they are nowhere undetectable, yet they use anti-VMWare/Sandboxie, implement IPv6 and BITS to bypass firewalls, use polymorphic code, custom packers, secure socket connections, and the list goes on. The one that hit me went right through my up-to-date AV suite without a prompt, all the leading scanners picked up nothing and neither did the online scanners.

    Sorry, I know for a fact they can be made undetectable to all the leading antivirus and malware solutions.

    I will say this again, the file I downloaded was from Snapfiles, who have been providing Freeware/Shareware downloads for 12 years. Much like Softpedia, they have an Adware/Spyware policy and review the files. How this file slipped through I can only guess; the developer's domain expired and someone snapped it up for $20 on TDNAM auctions.. Who knows.

    I guess it's all relative really, you wouldn't employ the same security on Fort Knox as you have on your spare coin jar.

    I own/manage around 300 websites, which are on 5 dedicated servers and several VPS's. I have root access to all the machines, SFTP to the individual sites as well as admin front end credentials to the scripts powering them. Some of the sites are around the top 5k trafficked sites according to Alexa.

    I have a responsibility to millions of people, probably even to you to serve up clean pages, downloads, addons and redirects and keep users of the sites data safe.

    If having my credentials stolen just meant someone gaining access to my Facebook account and sending obscene messages to people, well yeah, I'd probably just drop the restrictive firewall and aggressive alerts every time I do something.

    So to answer the question, do I "need" an outbound firewall or even the latest XYZ type product? I believe it's relative to what you're trying to protect and the level of threat to it, and should be decided on a case by case basis.

    My main machine has different security to my second machine, which is different to my laptop which is different again to my 60yo mother who just browses Ebay.
     
  5. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yes, precisely: they are nowhere near undetectable. As long as we understand - and we definitely should - that "undetectable by some blacklist scanner" or "employs some pseudo-clever tricks to bypass some security software" does not mean "undetectable by everything and anything, including the human mind." As usual, it seems that people have different definitions for what "undetectable" means. To me, it means something that cannot be detected at all, by anything. And of course, there is no such malware. Yes, we know that blacklist antivirus and antimalware products can be easily evaded. Yes, that was already true ten years ago, and that will never change. Sure, it's easy to obfuscate a malware executable so that it will not be detected by "leading" antiviruses. That's not news. That's why no-one should ever rely on any blacklist scanner to tell them a file is clean. Yes, malware can have various tricks like anti-virtualization or firewall bypassing by IPv6, for example. That still doesn't make it undetectable. If it exists, it can be detected when it comes your way.

    If you think these are really absolutely undetectable, why bother with a firewall? If they're undetectable, surely they won't be detected by the firewall, either? ;) Well, sometimes they are detected by firewalls, as we all probably know. But still, relying on a firewall for detection of malicious software is... risky. I prefer to rely on myself. Firewalls are useful, no doubt about that, but sometimes even firewalls will not save the day - but even in those cases something else, like the use of one's head, may. Now would be a good time to ask how the firewall would detect something like these "undetectable" little malwares. What do firewalls do? Inspect and filter network traffic? Could monitoring - or should I say sniffing - network traffic be one of countless methods that a human could use to detect these "undetectable" password stealers? Riddle me this.

    But really, yes, I understood that you meant "undetectable by AVs" and not "undetectable by everything." The reason I replied was to make the point that even though an AV may not detect something, there are still many ways to detect it. Traditional blacklist AV technology is getting more and more obsolete every day. A trained human mind can do things an AV can't.

    Yes, and I wouldn't trust Snapfiles for the time of day, unless I had a very trustworthy second opinion that agreed with them. :D Those sites link thousands of files from numerous sources, and files get updated with new versions all the time. There's no way they can perform any reviewing on the files that is worth much. At most, they'll do some AV scanning (unreliable) and sometimes might actually make a test where a human user physically installs the software and plays with it for a minute, performing primitive analysis. It would be a fantastic miracle if nothing malicious ever slipped through to sites like these. If one has ever tried to review thoroughly thousands of files, one would know that it either takes an eternity or gets unreliable quickly. And unreliable means malware will slip through sooner or later.

    That's good for you. Sounds like you have a job that can keep you busy and should earn a great paycheck. Congratulations. Someone in your position should be acutely aware that sites like Snapfiles cannot be relied on to only link and serve clean, benign content.

    Very well said and I agree. As I said in my previous post, people can decide for themselves. In any case it's important to know the limitations of any security measure, so as to avoid a false sense of security. Limitations such as "AVs will never detect all malicious software and therefore a file that is clean according to AVs may still be malicious."
     
    Last edited: Aug 2, 2009