Case Study: Prevx, SSM, PG 2.5, overkill or not?

Hi everyone,

Briefly, this is what happened last night.

I was looking for information about a program that Giant AS detected as spyware. While searching on Google using FireFox, a clicked on a site that all of a sudden took control of my browser and started to run an application. SSM stopped it from running but by system was hung up. services. exe was taking lots of CPU. I used WinPatrol to shut down the system.

When I rebooted, SSM (I think it was SSM) gave me a warning that a program had changed within SSM and I should re-install. I didn't think much of this until I noticed unnecessary activitiy on my modem/router. I then check TM and saw that services.exe was unusally active. So I cleared system restore, re-booted in safe mode, and re-installed SSM. When I restarted, teh services.exe activity was eliminated and I though I was fine.

Until Prevx trapped a potential buffer overflow. I looked at my system using SSM and Security Task Manager (which I have a trial copy) and didn't notice any strange activity. On a hunch, I decided to load PG 2.5 to see if it would catch anything. Surprisingly, a couple of Norton Utlities were running which I never saw running before. For some reason they did not show up on SSM's or STM's listings.

After re-booting, Prevx still detected the overflow condition so I thought that NAV may have been compromised. I uninstalled NAV and all traces that I could find. I also ran Crap Cleaner and found some traces in the registry which I deleted.

When I re-booted, everything seem back to normal. So far no problems.

Quick question: If my programs were compromised, does changing directory names help or or the current viruses smart enough to scan the drive looking for programs?

Any other comments are MORE than welcome.

Thanks.

Rich

 

I know that it can help, I think it kind of depends on HOW it targets that software, however. If you have the latest updates for Prevx it SHOULD alert you if anything tries to modify any executables or DLL files within your Program Files folder. So if you have them installed there, just keep an eye on the Prevx alerts.

Glad to hear these programs in action, and that they did the trick for you, especially since your last experience! You probably should run some scans, however, just to make sure it's gone all the way. You might try the free eScan Toolkit (http://www.mwti.net/antivirus/free_utilities.asp) it's based on the Kaspersky engine and uses their defs, so it's a good tool for 2nd opinions. If you don't already have it, TDS-3 would be another good one to scan with (you have to update the trial version manually, make sure to do so.)

 

Re: Cas Study: Prevx, SSM, PG 2.5, overkill or not?

Hi Notok,

I ran the following scans before installing PG 2.5:

KAV 4.5.104 - nothing found
NOD32 trial - nothing
TDS-3 - nothing
Ewido - nothing
Ad-aware - nothing
Spybot - nothing
TrojanHunter - nothing and last but not least -
Giant AS - Bingofun Spyware!

Cleared Bingofun and all traces using Crap Cleaner. However, this did not eliminate the problem as I described in my first posting. For some reason Prevx didn't catch the changes - if there were any, unless that initial message that I received about SSM came from Prevx. But I do not think so since it was not a normal Prevx message. I think SSM must have done a self-check or something. Or another program caught it. I don't know. It was all so wierd. It was only when PG showed the programs running.

I am working on installing some backup software. I think Disk Snapshot seems like the best. Also, FirstDefense might be really helpful in these kinds of situations. Any comments?

My browsing was all so innocent - and all of a sudden Zapped. I am really, really aghast at how easy it is to catch lethal viruses nowadays, even with really good defenses. A good backup would really help I am sure. Just clear out everything and start time-1.

Rich

 

Re: Cas Study: Prevx, SSM, PG 2.5, overkill or not?

Well it is possible that there's some conflicts or corruption causing the problem. I know that there can be problems with SSM and both Prevx and PG.. so it's also possible that it just kind of blew up on you (so to speak.) I know when I was trying out SSM, "buffer overflows" were one of the things I got, it's possible that a normal alert set off a chain reaction. You might try removing SSM and use one of the registry monitors mentioned in the "registry monitor comparison" thread for a little while and see if that doesn't change things at all (especially if you have the paid version of PG, it serves almost entirely the same functions except registry monitoring.) Those are all trustworthy scanners, so I wouldn't doubt their results TOO much.

 

Re: Cas Study: Prevx, SSM, PG 2.5, overkill or not?

I don't know if this is a good idea (moderator please delete as appropriate) but may I ask what program were you searching for?

I just want to avoid that search if possible or the experts can test it out to see what they are. Could be some new nasties that are still lurking in the wild that nobody knows.

 

Re: Cas Study: Prevx, SSM, PG 2.5, overkill or not?

Hi Chew,

Try as I might, I can't recall which site I went to. I was search for information about an alert which I thought might be a FP and I fell into a site that whacked me hard. I don't know how it got through Prevx, SSM, Wormguard, as well as KAV 4.5.104, BOClean and Giant AS. Luckily I noticed the network traffic and the SSM warning was enough to warn me that something was up. Prevx stopped the overflow cold but it was PG that somehow showed the tasks that were running. Somehow all were hidden from System Task Manager and WinPatrol.

Rich

 

Re: Cas Study: Prevx, SSM, PG 2.5, overkill or not?

RICH SAID:

**I uninstalled NAV and all traces that I could find. I also ran Crap Cleaner and found some traces in the registry which I deleted.

When I re-booted, everything seem back to normal. So far no problems***

*****************

How can you be certain it wasn't NAV that was causing the problem...a corrupt install of NAV perhap

With the security programs you listed it seems highly unlikely that an exploit got through...although that alot of system resources being consumed by those programs......test that with your resourse meter Rich.....say, did you have both NAV and KAV running at the same time

 

Re: Cas Study: Prevx, SSM, PG 2.5, overkill or not?

Hi everyone,

It certainly is possible that there was a chain reaction. The website I went to went haywire. Then something happened to SSM so I re-installed. And then some programs that shouldn't be running with Systemsworks were running. So I had to uninstall Systemworks (NAV was not installed). All of the stuff may have been falling all over itself. It was just a test. I am now back to a more normal runtime situation with KAV, Prevx, BOClean and Zonealarm. But the mess does give me an impetus to continue looking for a good backup strategy so that I can restore to an image when I need. I am thinking about Disk Snapshot as the simpliest solution though I am a bit concerned about online backups. I know that they can be tricky.

Thanks for the ideas. I think you guys might be right. The website I visited might have triggered a domino-like effect on the applications.

Rich

 

Re: Cas Study: Prevx, SSM, PG 2.5, overkill or not?

richrf

If it got through all of those I am afraid it could be something potential serious and powerful.

You must try to inform them (Prevx, SSM, Wormguard, as well as KAV 4.5.104, BOClean and Giant AS) of such events even if you need to write a long report. So that they can research into the breach or problem that you encountered. Perphas then they can give you full explaination of what to do etc.,

hmmm ... rather scary I must say if it could breach all your defence.

 

Re: Cas Study: Prevx, SSM, PG 2.5, overkill or not?

My story may be absolutely irrelevant, though it have some similar points.

When MSBlacter thing appeared I was already patched and pretty happy with it. But ~year after this (this summer) odd things had happened: all patches were rolled back, so my computer became vulnerable to MSBlaster, Sasser and Co. Windows update was removed. COM dependent applications (installers, debuggers, ...) reported "no such interface supported" and ceased to work.
Few weeks ago I have reinstalled windows (this solved most of problems) and proceeded with all updates but this didn't help to patch msblaster/sasser holes. So how I found SSM useful (yeah, may sound kinda funny ):
When MSBlast tried to reach me it "asked" svchost to run either cmd.exe or ftp.exe.
When Sasser tried to infect me it instructed lsass.exe to start cmd.exe
Both attacks were caught by SSM with parent-dependent rules for cmd.exe and tftp.exe.
Unfortunately after buffer overwlow in svchost occurs (msblast) any application hangs when it tries to list "My Computer" folder

So I wonder what application had tried to stared malware: Firefox or svchost?

 

Re: Cas Study: Prevx, SSM, PG 2.5, overkill or not?

Hi Divine,

Sometimes I am amazed at how the malware creeps through. I don't know how some of it enters into my machine. I am more careful about the sites I visit (I do a lot of research on the net) and I take nothing for granted anymore. It is really like walking down a dark alley. I just have to be more careful. The security I have put in place definitely helps, but it cannot protect against all of the unknowns on the net, so care, I guess, the the best defense. Surfing ain't what it use to be - but that is life.

Rich

 

Re: Cas Study: Prevx, SSM, PG 2.5, overkill or not?

Locking down browser settings is important - even if you use a non-IE browser, allowing Java and Javascript opens the door (albeit by a crack) to malicious sites. Since your security programs will be configured to "trust" the browser, extra care needs to be taken in restricting what HTML it sees - many firewalls can do web filtering, but standalone filters (like Proxomitron) offer better control, at the cost of having another program to learn. Also note that almost all web filters will fail with https pages (see The dangers of HTTPS for more details).

Richrf, were you running a (properly configured) firewall? This would be the first line of defence against any probes and while it would not prevent your browser from being compromised, it would definitely rule out any other causes.

 

It seems my "Bradley" Fighting Machine wouldn't stand a chance against what is out there if these threats can penetrate you systems configured as M1 Battletanks. So far (knock on wood) I have avoided such threats even after surfing the darkest alleys of the net.

Which leads to my question: If one doesn't let them in without permission(downloads) how are they injected into a system?