0Day Threats

Discussion in 'other anti-malware software' started by AndyXS, Mar 23, 2009.

Thread Status:
Not open for further replies.
  1. AndyXS

    AndyXS Registered Member

    Joined:
    Mar 17, 2009
    Posts:
    44
    The other day I downloaded some software off the net. With the source looking a little suspect, I scanned the files with three engines. GData AV (BitDefender & Avast) returned clear for the files, Kaspersky online also returned clear. Prevx Edge was also running but did not come back with any problems.

    Although it seems that all the tests have passed, this doesn't mean to say that there wasn't any malware installed, just that it wasn't detected or was unknown. Let's say there was 0day malware in this application; how can I check this out for myself?
     
  2. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    420
    Location:
    Honolulu, Hawaii
    Betta hire one antimalware ExPert.
     
  3. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    You can try scanning single files with: http://www.virustotal.com/ It will scan the file with many scanners. Chances are one of them has picked up the malware sample and created a signature for it. Also, a HIPS program (Malware Defender, EQSecure, DefenseWall) or sandbox would trap it or detect it before AV programs. The HIPS programs will prompt you whether to allow the file to run. You then have to make the right decision. Running it in a sandbox would (hopefully) isolate it from doing damage to your system. Best approach is a layered security system (firewall, AV/AM, HIPS and/or sandbox type program) and fully patched system.
     
    Last edited: Mar 23, 2009
  4. AndyXS

    AndyXS Registered Member

    Joined:
    Mar 17, 2009
    Posts:
    44
    I don't see how a sandbox would work. The real application would normally write to System32, the Windows folder, and the registry. I would have to run this application as trusted just to get it installed normally, that's without malware.
     
  5. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    See: http://www.youtube.com/watch?v=PBKNHBl-yos for some ideas of how GesWall works. The best advice is only download from a trusted source and then scan the file before running it. I use KAV and Prevx and right-click on them. There is always the possibility of getting infected. Make sure all your data is backed up on a separate drive and have a program that can return you to a snapshot of your system before the infection occurred. Worst case scenario is to reformat.
     
    Last edited: Mar 23, 2009
  6. AndyXS

    AndyXS Registered Member

    Joined:
    Mar 17, 2009
    Posts:
    44
    Is there any way to lock an entire drive so it can't be modified?
     
  7. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,215
    Returnil, Shadow Defender, ShadowUser Pro, DeepFreeze (these are the ones I've tried, there are more)
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Sandboxie creates duplicate registry sections and system folders as they're needed. Most legitimate applications can't tell the actual system folders from the Sandboxie created alternates. The same applies to the registry. Except for some security software that operates at a kernel level, I'd be suspicious of any software that wouldn't install in Sandboxie or in a virtual environment. If for some reason I felt it necessary to use such software, I'd install it on a separate test unit first and evaluate it thoroughly before I considered installing it on a good system.

    Regarding zero-day malware, no scanner will identify true zero day malware. The exception here is if the AV identifies it heuristically (by behavior). By definition, zero-day malware hasn't been identified and is in the wild. In most cases, a sandbox or virtual system can contain the malicious code, preventing it from installing on the physical operating system. That said, a keylogger running on a virtual system can collect keystrokes made on that system. It's also possible that we will see malware that can break out of a sandbox or virtual system. The only sure way to prevent unknown or unidentified malicious code from running is to implement a default-deny security policy. With this approach, only those apps/processes that the user has specified can run, nothing else. Classic HIPS are ideal for enforcing a default-deny policy, provided that the user can identify which applications/processes are part of the system and installed software, and are necessary for its normal operation.
     
  9. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Maybe you could scan it with something like ThreatExpert?
     
  10. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
  11. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    If I recall correctly, you could use DefenseWall and run as untrusted until you iz happy :) http://www.softsphere.com/
    I could be wrong, been a while since I used DW and things may have changed (but I suspect not)
    Not sure about kernel level installs either if that's what you want.
    Ask at forums: http://gladiator-antivirus.com/forum/index.php?showforum=192

    EDIT: Ahh, sorry; I see you already run DW:
     
    Last edited: Mar 24, 2009
  12. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Maybe they didn't detect anything because what you thought was a malware source didn't install anything on your PC. ;)
     
  13. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I'd go with the install in Sandboxie option until I was sure of its safety. If it wouldn't run in SBIE it wouldn't be installed, full stop. ;)
     
  14. AndyXS

    AndyXS Registered Member

    Joined:
    Mar 17, 2009
    Posts:
    44
    Returnil? That's like DeepFreeze, isn't it?

    I have tested DeepFreeze; the only problem I found is that it doesn't allow folders for AV to update. Does Returnil?
     
  15. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    You've got a lot of good suggestions so far. I would suggest that you only download reputable software from reputable sources. You can also check out the background of the company and site. If in doubt, ask about the software/company in a security forum like Wilders. Who knows, you might even find a good program that does the job better without all the worry.

    With Returnil, you would have to turn its protection off and then update your AV and then turn the protection on again. The same with all updates etc. unless you can move where the data is stored to an unprotected location.
     
  16. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Actually a perceptive and important question, about a topic that affects all web users.
    It is quite possible (likely, even) the files are malware-free, as alluded to by trjam. You do have to be a little unlucky to score a genuine zero day threat. (Yet it happens all the time.)
    The Sandboxie suggestions sound good to me. Better are the suggestions to submit files to an av vendor with the appropriate facilities for analysis.
    Consider running a behaviour blocker to receive alerts about suspicious attempted changes. (Which will likely need a bit of inside knowledge to interpret correctly.)

    With Prevx running, and in the light of the comments made on your other thread about the library of modified vs original files and repair ability of same (I agree, that is impressive if it works.) your chances are further improved, I would think.
     
  17. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,215
    Shadow Defender and ShadowUser have the possibility to allow security applications to update. ShadowUser doesn't work with Vista; Shadow Defender seems to have a dynamic developer behind it and works with Vista.
     
  18. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    974
    Location:
    Paris
    It's actually quite interesting to get a true zero-day sample, then check on a daily basis at Virustotal to see which product will detect it and when it happens. It will also point out an intrinsic flaw in AV testing: the lack of something like a "Time to Detection" factor.

    At the end of 10 days maybe all AV's will detect the sample, but prior to that product differences will be totally different.
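    The day-by-day Virustotal checking described in this post amounts to measuring a time-to-detection metric per engine. As an added example (not code from the thread or from any product named in it), the Python below computes that metric from constructed daily snapshots, assuming a verdict of "clean" means the engine did not flag the sample, and also reports engines whose verdict later regressed back to clean.

```python
"""Per-engine time to detection from daily multi-engine scan snapshots.

Added example; the snapshot data below is constructed, not real scan output.
"""
from datetime import date

# Constructed snapshots: scan day -> {engine name: verdict}. "clean" = not flagged.
SNAPSHOTS = {
    date(2009, 3, 23): {"EngineA": "clean", "EngineB": "clean", "EngineC": "clean"},
    date(2009, 3, 25): {"EngineA": "Trojan.Generic", "EngineB": "clean", "EngineC": "clean"},
    date(2009, 3, 28): {"EngineA": "Trojan.Generic", "EngineB": "Suspicious", "EngineC": "clean"},
    date(2009, 4, 2): {"EngineA": "Trojan.Generic", "EngineB": "clean", "EngineC": "clean"},
}
FIRST_SEEN = min(SNAPSHOTS)  # day the sample was first submitted (assumed)


def detection_counts(snapshots):
    """Return [(day, number of engines flagging the sample)] in date order.

    This is the "zero to 3 to 6" style count the post describes.
    """
    return [(d, sum(v != "clean" for v in s.values())) for d, s in sorted(snapshots.items())]


def time_to_detection(snapshots, first_seen):
    """Days from first_seen until each engine first flags the sample.

    Returns (ttd, regressed): ttd maps engine -> days (None if never flagged
    in the observed window); regressed holds engines that flagged the sample
    and later returned "clean" again (signature pulled or false-positive fix).
    """
    days = sorted(snapshots)
    engines = {e for s in snapshots.values() for e in s}
    ttd, regressed = {}, set()
    for engine in engines:
        first = None
        for d in days:
            verdict = snapshots[d].get(engine, "clean")  # missing engine = not flagged
            if verdict != "clean" and first is None:
                first = (d - first_seen).days
            elif verdict == "clean" and first is not None:
                regressed.add(engine)
        ttd[engine] = first
    return ttd, regressed


if __name__ == "__main__":
    for day, n in detection_counts(SNAPSHOTS):
        print(f"{day}: {n} engine(s) detect")
    ttd, regressed = time_to_detection(SNAPSHOTS, FIRST_SEEN)
    for engine, days in sorted(ttd.items()):
        print(f"{engine}: {'never' if days is None else f'{days} days'}")
    print("regressed:", sorted(regressed))
```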
     
  19. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    Seems more like your methodology's more flawed than anything... the settings, update frequency and detection ability of AVs on virustotal are not necessarily the same as that on home-user products.
     
  20. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    974
    Location:
    Paris
    Actually they do seem to be. I've tried the above and seen (without mentioning any names) product detections going from zero to 3 to 6, etc.

    It after all does stand to reason that some companies will be more responsive than others.
     
  21. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    The best weapon in determining the safety of a new program is often Google. By simply entering the product name a wealth of information can be found. If it's available on reputable download sites such as Softpedia and Majorgeeks then you should be fine; however, if it's only available on less straight sites such as Brothersoft, alarm bells should ring. Of course truly new software won't yet have been passed safe by sites such as these which check files they host are malware free. A website rating utility comes in handy here to determine which sites are which. Also the Google search might link to forums such as this or bleeping computer etc.

    At the end of the day if in doubt, or no info is available due to it being too new, you need to ask yourself just how necessary is this program now rather than waiting until it's been properly categorized, or as was mentioned before, is there a known safe alternative available.
     
    Last edited: Mar 25, 2009