Can Malware infect your pc without Executing??

Discussion in 'other anti-malware software' started by arran, Oct 10, 2008.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Actually, Microsoft does have an email list for security notifications:

    Microsoft Technical Security Notifications
    http://www.microsoft.com/technet/Security/bulletin/notify.mspx

    However, they are always in plain text and never are there any update executables as attachments.

    This is the point you have to stress with users, and also explain that unless they subscribe, they wouldn't receive an email notification anyway.

     
    Last edited: Oct 13, 2008
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I think "educating" the typical user is futile. Most of what the average user falls for is basically the same things it's always been. For years, users have been told, don't open attachments from people they don't know, but they still do. When you get right down to it, the biggest security problem is protecting PCs from their users. I don't see the average or casual user ever becoming educated enough to make secure decisions. It hasn't worked in the last 10 years and I don't see that changing. IMO, the only way to protect a PC from the average user is to lock it down so they can't install or engage in other risky behavior. Since most of them won't tolerate that, the cycle continues.
     
  3. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Over the years, I've had success with those who will listen, and are interested enough to take the time to read and become aware of the types of threats they are likely to encounter.

    For those who won't listen, well, what can one say?

    But that shouldn't discourage anyone from helping when the opportunity does present itself.

     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Excellent details Rmus

    Thanks for the screen shots of course. It's always interesting to pore over your testings like this & others, plus they always expose (in detail) many ways malware attempt to circumvent their way to try to make entry and the many points of possible slippage, I call it, on systems where they (malware) disguise themselves.

    Pretty hard evidence. And AE definitely sets a good standard in which to test these browser and other techniques most simply would never expect.

    EASTER
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hmmm... that makes it clear now.

    Anyway, to me it seems no threat unless I have an AV that tries to unpack it all up to the last archive.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks, and as I was writing, I thought of all of the spoofed executable tests you ran on a number of products a while back -- good examples of preventing malware from installing by remote code execution, hence, no infection!

    You are welcome, and by the way, you've done a lot of testing and I've hoped that some day you will post some screen shots!

    Hello, noway,

    Long time no see! Do you remember the SloanTreeFarm Google redirect exploit? You did great work in analyzing it.

    I just realized your post here refers to the infamous .wmf (Windows Media File) exploit from December/2005. This created quite a stir for a week or more as everyone rushed around trying to come up with some type of patch while Microsoft was working on one.

    It also stirred up a lot of attention because it was a Buffer Overflow exploit, and also because some of the early in-the-wild variants made use of the notorious Spy Sheriff exploit.

    I and another person happened to be on line on December 27th/2005 when sans.org reported the first sighting of this at unionseek.com. We checked out the site and determined that the exploit could be blocked with execution prevention.

    A couple of weeks later, milw0rm published the code, and it was interesting to see that the Shell Code was similar to that used in the .ani (Animated Cursor) exploits:

    urlmon.dll-URLDownloadToFile-WinExec-

    These are Windows functions which trigger the downloading of the trojan by remote code execution, aka Drive-by Download; that is, it happens in the background with no user action.

    An analysis a couple of years later by Threat Fire called "Download and Execute" had this comment:
    Here is my write-up on the wmf exploit:

    http://www.urs2.net/rsj/computing/tests/wmf

    Two points here:

    1) While Buffer Overflow exploits have the potential to do many things with shell code, the payload in all in-the-wild exploits we've found downloads and executes a trojan. Why? Because that is where the money is: install spyware, adware; get a backdoor on the system; get it into a botnet, etc.

    2) In line with this thread's topic, these types of exploits, while sensationalized by the media because of their behind-the-back tactics, are the easiest to prevent with some type of Default-Deny protection, where there is no possibility of a trojan downloading/executing, hence, no infection. (Other solutions have been mentioned in this thread)

    More difficult to prevent, in my opinion, are exploits which trick a user into making the wrong decision. Recent ones are the WinAntiVirus exploits where pop-ups with a fake scan warn the user that the computer is infected; and the fake Microsoft update email attachment I mentioned above.

    And so we come full circle back to the question of user education, which many think is an exercise in futility -- with which I disagree.


     
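    The urlmon.dll / URLDownloadToFile / WinExec chain Rmus describes is also a usable static indicator: a payload that names both a download API and an execution API is almost always a drive-by dropper. The following is an added example (not code from the thread or from Rmus's write-up) of a small Python heuristic that scans a blob for that pattern; ShellExecute and CreateProcess are my own additions as equivalents worth watching, and the sample bytes and URL are constructed placeholders.

```python
import re

# Windows API names that together form the "download and execute" pattern
# seen in the .wmf and .ani shellcode (urlmon.dll -> URLDownloadToFile ->
# WinExec). ShellExecute/CreateProcess are added here as common equivalents
# (my addition, not from the original post).
DOWNLOAD_APIS = (b"URLDownloadToFile", b"URLDownloadToCacheFile")
EXEC_APIS = (b"WinExec", b"ShellExecute", b"CreateProcess")
URL_RE = re.compile(rb"https?://[\w\-.]+(?:/[\w\-./%]*)?", re.I)


def _present(blob: bytes, names) -> list:
    """Return the API names found in blob as ASCII or UTF-16LE strings."""
    found = []
    for n in names:
        if n in blob or n.decode().encode("utf-16-le") in blob:
            found.append(n.decode())
    return found


def scan_payload(blob: bytes) -> dict:
    """Flag a blob as download-and-execute when it names at least one
    download API and one execution API; any embedded URL is reported as
    an indicator for blocking/hunting."""
    dl = _present(blob, DOWNLOAD_APIS)
    ex = _present(blob, EXEC_APIS)
    urls = [m.decode("ascii", "replace") for m in URL_RE.findall(blob)]
    return {
        "download_apis": dl,
        "exec_apis": ex,
        "urls": urls,
        "download_and_execute": bool(dl and ex),
    }


# Constructed sample: a fake shellcode tail embedding the urlmon pattern and
# a placeholder URL. This is test data, not real exploit code.
SAMPLE = (b"\x90" * 16 + b"urlmon.dll\x00URLDownloadToFileA\x00"
          b"kernel32.dll\x00WinExec\x00"
          b"http://malware-host.example/dropper.exe\x00")

# Constructed benign blob: ordinary file I/O imports, no download/exec pair.
BENIGN = b"MZ\x90\x00kernel32.dll\x00CreateFileA\x00ReadFile\x00"

if __name__ == "__main__":
    print(scan_payload(SAMPLE))   # download_and_execute: True
    print(scan_payload(BENIGN))   # download_and_execute: False
```

Run it over a suspect .wmf/.ani or carved shellcode; a hit is a reason to block the host in the reported URL, not proof of infection on its own.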
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    OK. I'll modify my statement regarding user education slightly. It does work with some of them. Out of those I've worked with, the majority would rather pay for a cleanup than take the time to learn to use a PC safely. In the next few weeks, I expect to buy a PC tower with XP for about $50. It's infected. I've cleaned it once before only to have the user remove the security apps I installed, including the AV. Now they're complaining it's slow and has too many popups. Instead of having it cleaned again and leaving an AV on the system, they're buying a new one. I have no doubts that it'll be just as bad as their present one in 6 months, or as soon as the AV it comes with gets out of date.

    Once in a while I find one who appreciates the performance gain a cleaned PC gives them and makes an effort to keep it that way. Unfortunately they're the exceptions.
     
  9. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Some spyware do not need user intervention to infect a PC, like the new variants of Vundo.
    Fortunately, we have SAS and MBAM to take care of the job :thumb: ;)
     
  10. wat0114

    wat0114 Guest

    Thank you for the clarification Rmus. I read many of your posts with interest. They are, as always, informative with sound advice most anyone can benefit from.

    Yes! I fully agree with you on this one noone. I know someone who exactly fits this category. All he wants is the "free" game, with no regard whatsoever to the source of the download or the possible consequences of launching the executable. He's been pwned a few times because of his carelessness, even installing the toolbars that are offered with the installation. No amount of advice or education helps. Sometimes there is nothing you can do.
     
    Last edited by a moderator: Oct 15, 2008