When will the security hole be fixed that allows a worm to disable NOD32?

I posed this question to Eset yesterday in the thread “Nod 32 Not Detecting Viruses”, but that thread was closed before they had a sufficient opportunity to respond.

Some people I’ve been in contact with believe the closing of that thread amounted to overt censorship which was orchestrated by Eset, so they could avoid answering my question. But I told them no way, because there are numerous other Internet forums and newsgroups available for me to post in which they have no control over. So censoring me in this forum would be pointless--and would make them look EXTREMELY bad in the other forums, etc. Besides, I have a news release I’m working on that an international news media conglomerate has already expressed interest in.

In any event, I don’t believe Wilders Security administrators could be pressured into engaging in such blatant censorship. As the word would soon spread around the Internet that the views expressed on this forum ‘didn’t reflect the whole story‘. And my experience, so far, has been that as long as your statements are factual, your post will not be deleted or otherwise censored.

The following is an open letter I posted to the Eset Moderator named Marcos:



“Congratulations on the continued improvement of your program--it’s looking better and better all the time. Now if you could just fix that darn security hole so prospective customers could rely on your program to work ALL of the time. You know, the hole that allows a kid to shut your million dollar program down with a free worm. Any chance that you could provide an estimated date as to when this hole will be patched??

I realize that your competitors subject their customers to the same security flaw. But why not be the first to set an example, and thereby establish a reputation as a TRUE leader in your industry? As this would be far better than the alternative--which is the embarrassment of a competitor beating you to the fix.

It would be a prestigious opportunity that’s lost to you forever--and probably something that your company would regret forever. Especially as the AV market heats up and becomes more competitive, since you'll need every marketing edge you can get. Remember, the $7,500 a year software programmers in India will be nipping at your heels before you know it. So NOW is the time to crank things up and establish a pace FAR ahead of the pack.

Imagine being able to prominently advertise on your web site “The industry leader in anti-virus programs. We are the first company in our industry to patch the gaping hole that allows a 13-year-old kid to shut down your defenses with a worm.” Or something along that line.

And just think of all the extra market share you’d snatch away from you’re competitors as they’re scrambling to catch up with you. The bottom line is that someone WILL fix this flaw in the near future--so why not let it be you, so you can be the industry leader instead of just part of a long line of followers?

Also, consider how much better you'll sleep at night knowing that you're no longer forcing your customers to use the equivalent of a security guard who can have sleeping pills dropped into his water bottle while he's on his rounds.

Cordially,
Jack”



And here’s a previous letter I posted to Marcos in the same thread, that he apparently didn‘t have time to respond to either:



“Marcos,

I’d like to complement you on your program, as I think it’s very nice after reading so much about it--and I think it has a lot of potential. Although I have no connection with the software industry, I’d venture to guess that it has a market value in excess of $1 million. But the problem is that it can be surreptitiously disabled by a 13-year-old hacker with a free worm, leaving users with ZERO protection. So after you fix this massive security hole, please let me know--as I’d love to buy NOD32 when I‘m able to rely on it.

Jack”


So this new thread will now give them an opportunity to publicly respond to this issue and disclose how they intend to deal with it. As I’m sure they realize ‘the enquiring minds’ of 99.9% of their customers who use forums will be interested in their response.

 

Hi, Jack.

A couple of thoughts about your post:

I'm supposing that you are aware that the worm in question does not limit itself to shutting down NOD32, but that it also shuts down many other AV's and firewalls, according to the link you cite from TrendMicro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.JZ

What's needed is simply a definition, so that this worm will be detected.

According to Virus Bulletin (VGREP), NOD32 does not detect the worm in question: http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=WORM_RBOT.JZ&product=0
However, these Virus Bulletin results are relying on the NOD32 definitions from 11 August 2004, that is, v. 1.840: http://www.virusbtn.com/resources/vgrep/which_products/
Since 11 August, Eset has not only released many new definitions, the company has also upgraded the program components:
http://www.nod32.com/scriptless/support/info.htm
https://www.wilderssecurity.com/showthread.php?t=45886

Even this morning's definitions update, v. 1.866, included a signature for an Agobot worm variant:

So if by chance this particular worm is not yet included in the definitions files (I don't know whether it is or is not), it seems that Eset developers are working to get it covered.

It thus seems that this supposed security hole is a bit of old news, or should I say another bit of same:
https://www.wilderssecurity.com/showthread.php?t=46991
https://www.wilderssecurity.com/showthread.php?t=46993
https://www.wilderssecurity.com/showthread.php?t=46990
https://www.wilderssecurity.com/showthread.php?t=46988
Surely any news organization with professional fact checkers will easily determine this, as well.

Nothing wrong with trying to assure that Eset includes definitions for "In the Wild" malware. But is it necessary to perfume the atmosphere with the scent of scandal to make the point? This approach weakens your case, in the end.

Regards,
pollux

 

Jack,
maybe I'm not getting it right. Do you mean by the security hole that NOD32 didn't detect a variant of Agobot? If so, wasn't it detected by advanced heuristics neither? If so, would you please send the sample to samples@nod32.com for analysis?

The problem is that most of other AV programs report even corrupted non-functional files as infected though they are actually harmless. That's not the case of NOD32 and therefore it's not fair to blame NOD32 for not detecting it without analysing the file in question.

 

Hey Jack,

The thread you refer to was closed by a Wilders Admin and I can assure you it was closed by that individual for no other reason than what was stated. It in no way was closed to accomplish "overt censorship". If the day ever comes that Wilders is "pressured into engaging in such blatant censorship"....you'll have to beat me to the punch in letting other "Internet forums and newsgroups" know.

Having said that....let's get a few other things clear. I do not have any clue to how well NOD is when used as an Anti-virus program other than what I read when following threads in my moderator duties and also at times in my quest for knowledge of AV's. I also do not have much knowledge of Anti-virus programs due to my surfing habits and lack of need for one as a whole. So in a way....I have no dog in this hunt for the answers to your question and I can assure you I do not answer to Eset. What I do have is the responsibility to make sure all threads follow Wilders TOS and make sure posters follow a little common decency in making their posts.

While I did follow the "Nod 32 Not Detecting Viruses" thread you referenced....I will not concern myself with that thread when dealing with this one and what I'm asking of you is to post what worm your speaking of as far as your accusation concerning the "security hole" that "allows a worm to disable NOD32". Please do this also without referencing back to or continually quoting from the other thread and I also ask this of any other posters to this thread. If those that wish to follow your thread wish to having a understanding of the question you have brought up....they then can visit the below link to the thread you reference in your opening paragraph.

Let's cut to the chase in this thread and You be a little more specific with the name of the trojan your referencing without causing interested lurkers\posters to review the other thread. Treat this as a whole different thread and bring to the table any and all new info concerning your accusation....be it factual or not.

Also....feel free to "spread around the Internet" in any all you wish to spread about Wilders and your thoughts when it comes to censorship @ Wilders.....good or bad. Wilders has a track record that is second to none....especially when it comes to letting the members\lurkers post factual information or share their opinions....as long as it does not violate Wilders TOS.

This thread---> Nod 32 Not Detecting Viruses

 

Perhaps the title of this thread should be:

"When will I--or others, including but not limited to 13 year old boys--learn to keep my AV updated?"

 

Agreed. Jack, I think that you need to take a breath and calm down. If you let malware run on your system with administrative privileges, then your machine is compromised... period. ESET might be able to do some things to "harden" their process to process-termination attacks (for example, Zone Alarm claims to be able to make some modifications to protect their processes); but, at the end of the day, I think most of us are more concerned that they simply develop the proper detection signature so that the malware code never gets a chance to execute. In a perfect world with infinite resources of time and money, I'm sure Eset could spend hours responding to every question and concern. However, in this world with finite resources, Eset likely faces every day a prioritization problem of what to tackle next. I would suggest that malware signatures are job one.

If the process termination payload is of extreme concern to you. Then, I would suggest two things: 1) make sure you do the bulk of your computing in a normal "user" account and not as an "administrator" with heightened privileges; and/or 2) investigate products like DiamondCS's Process Guard. Or is it your claim that this malware can terminate processes even when run without administrator level privileges and even in the face of specially designed utilities like Process Guard?

 

I believe Jack is talking about the ability of a worm/virus disabling Nod32, and he is referring to this as a security flaw, in that Nod32 (and other AV) should be able to protect themselves from this form of attack…

Cheers

 

The NOD32krn process is unkillable.

 

I had a virus/worm in my store the other day, we installed Nod32 and updated it, everytime we start a scan it "killed" Nod32, brought it to it's knees. We ended up having to slave this drive off a clean system in order to remove the virus/worm...

Cheer

 

Was that a Win9x/ME machine or a Win2K/XP/NT machine?

 

Blackspear, do you mean it killed the on-demand scanner or the nod32krn process?

 

Does it really matter?the fact is to clean the worm off the machine he had to slave the drive to a clean machine:-Nods' ability to remove this worm was disabled:- thats all that really matters!
Whats going to be the recommended line of action if a clean machine isn't available:-a format and reinstall of everything?!,this problem really needs looking into and a cure found!

 

The fact is, no software can be made immune to compromise, unless precautions are taken in OS configuration. As others have suggested, you're at risk anytime you accept unknown code while signed on with full administrative privileges, or running a system with wide open ports. Accept the fact that software exploits are here to stay.

 

true, this has happened to me before.

now i use processguard to protect nod32 and my firewall.

now it is un killable - tested etc.

http://www.diamondcs.com.au/processguard/

 

QUOTE=leehigdon3]The fact is, no software can be made immune to compromise, unless precautions are taken in OS configuration. As others have suggested, you're at risk anytime you accept unknown code while signed on with full administrative privileges, or running a system with wide open ports. Accept the fact that software exploits are here to stay.[/QUOTE]

I am aware of that but Blackspear,who if I am correct,is a Nod reseller and was trying to cure(clean) a customers machine,surely if this worm is in Nods data-base then Nod should by definition be able to remove it!also if it is in the data-base then Eset know what this worm can do and thus,I feel,should have made Nod immune from its effects:-there is no point in adding definations to a virus base of any AV just to allow that AV to recognise a threat just before it disables it!:-if an exploit(weakness)of any security software is known to the vendors then these weaknesses should be plugged,after all what do we pay our money for?
An Av that can be disabled by the threats we buy it to protect our PCs from is really a bit of a bad joke!

 

Blackspear,

I'm curious about this. Are you saying that you initiated the scan on an infected machine with a fresh install of NOD32 from within a normal Windows boot?

 

Yes, the key is that the threat is recognizable in NOD's data base. However, relying on heuristics and the on-access scanner to identify and stop a process before it can be processed into memory is a lot to rely on. Take a look at NOD's web-site. All of the top threats are variants of some already identified worm or trojan. If it was really safe to just relay on advanced heuristics, do you think effort would be placed into updating signature files?
Securing the OS and taking steps to avoid executing unauthorized code is the key to desktop protection.

 

But that wont help clean a machine thats already infected,its like telling someone with an incurable infectious disease:-you should have been more careful!(I pesonally dont like relying on heuristics for protection feeling it would be like my doctor giving me a drug that might cure an ailment rather than one specific to that complaint:much prefer a "definition" based av protection!)

 

Did everyone read the interview with Steve Gibson mentioned here:
https://www.wilderssecurity.com/showthread.php?t=47309
In it Mr. Gibson states a couple of times that as soon as you install a software program onto your operating system, ANY software, you have become compromised.

Acadia

 

I think if the machine is already infected with a virus/worm that is looking for anti-virus sofware, you can never guarantee that any A/V product will be able to detect and disable an already running process. A virus may well be masquerading as an OS-level process, and may well have higher privilege levels, if it is already loaded when the A/V is installed. That isn't really a security hole in NOD32; I think you may be able to detect an already running virus, but I don't see how you could assure that you could. What you need is a boot CD capable of loading an OS and scanning the hard drive. Older versions of Norton Anti-Virus came with a boot floppy you could use the scan the PC before continuing the installation.

If there's a straight-forward way of creating a boot CD (or floppy) with the NOD32 scanner on it, that could cure infections, I haven't found it yet. I know there are boot CD's in existence (the UBCD, with McAfee on it), where you can manipulate the image, and merge in an A/V with updated signature files. But it would be very nice for Eset to detail a process for doing that, ideally as part of the installation program. If the virus/worm is already running in some sort of stealth mode when NOD is installed, it may not be detectable after that with the current installation scheme.

 

I prefer an AV that provides both!

 

I agree that the problem here is not about whether the nod32 kernal process can be killed because in this instance the virus was already resident on the box when NOD32 was installed. This seems to me to be a perfect example of where you need to be able to boot from a special floppy/CD with NOD32 on there.

There is a way to create a boot CD with NOD32 on it. I know Blackspear uses this method but I don't know if he used it in this instance.

http://www.nu2.nu/pebuilder/#download
http://www.bootcd.us/BartPE_Plugins_Commercial.php
https://www.wilderssecurity.com/showthread.php?p=251346#post251346

 

It killed the on-demand scanner twice, a tech then called me over to show me what was going on, I tried a further scan and it too was killed.

Then the infected drive was slaved off another clean system running Nod32 and Nod32 picked up everything and cleaned it, so it is in the virus database. It is the first time I have experienced such, and will quarantine and take more detailed notes should I ever come across it again...

Unfortunately I don't remember the name of the virus/worm, I asked the tech and he couldn't remember what it was called either…

Cheers

 

Correct

Correct again, 2 out of 2

I tend to agree with you here…

Cheers