Case Study: Prevx, SSM, PG 2.5, overkill or not?

Discussion in 'other anti-malware software' started by richrf, Oct 27, 2004.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi everyone,

    Briefly, this is what happened last night.

    I was looking for information about a program that Giant AS detected as spyware. While searching on Google using FireFox, I clicked on a site that all of a sudden took control of my browser and started to run an application. SSM stopped it from running but my system was hung up. services.exe was taking lots of CPU. I used WinPatrol to shut down the system.

    When I rebooted, SSM (I think it was SSM) gave me a warning that a program had changed within SSM and I should re-install. I didn't think much of this until I noticed unnecessary activity on my modem/router. I then checked TM and saw that services.exe was unusually active. So I cleared system restore, re-booted in safe mode, and re-installed SSM. When I restarted, the services.exe activity was eliminated and I thought I was fine.

    Until Prevx trapped a potential buffer overflow. I looked at my system using SSM and Security Task Manager (of which I have a trial copy) and didn't notice any strange activity. On a hunch, I decided to load PG 2.5 to see if it would catch anything. Surprisingly, a couple of Norton Utilities were running which I never saw running before. For some reason they did not show up on SSM's or STM's listings.

    After re-booting, Prevx still detected the overflow condition so I thought that NAV may have been compromised. I uninstalled NAV and all traces that I could find. I also ran Crap Cleaner and found some traces in the registry which I deleted.

    When I re-booted, everything seemed back to normal. So far no problems.

    Quick question: If my programs were compromised, does changing directory names help, or are the current viruses smart enough to scan the drive looking for programs?

    Any other comments are MORE than welcome.

    Thanks.

    Rich
     
    Last edited: Oct 27, 2004
  2. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I know that it can help, I think it kind of depends on HOW it targets that software, however. If you have the latest updates for Prevx it SHOULD alert you if anything tries to modify any executables or DLL files within your Program Files folder. So if you have them installed there, just keep an eye on the Prevx alerts.

    Glad to hear these programs in action, and that they did the trick for you, especially since your last experience! You probably should run some scans, however, just to make sure it's gone all the way. You might try the free eScan Toolkit (http://www.mwti.net/antivirus/free_utilities.asp) it's based on the Kaspersky engine and uses their defs, so it's a good tool for 2nd opinions. If you don't already have it, TDS-3 would be another good one to scan with (you have to update the trial version manually, make sure to do so.)
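The behaviour Notok describes (alerting when an executable or DLL under Program Files is modified) is a file-integrity check, and it also answers Rich's question about renaming directories: a baseline keyed on path and hash catches modified, dropped and deleted binaries wherever they sit. The following is an added example written for this thread, not Prevx code; the directory tree, file contents and names are constructed inside a temporary folder so it runs offline.

```python
"""Integrity baseline for executables, in the spirit of the Prevx behaviour
described above. Added example, not Prevx code; every path and file below
is constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path

WATCHED_SUFFIXES = {".exe", ".dll"}  # file types the check cares about


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path (POSIX separators) -> SHA-256 for every watched file."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify the difference between two baselines into the three events
    a monitor would alert on."""
    return {
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake Program Files tree, then tamper
    with it the way a broken install or an intruder would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Vendor").mkdir()
        (root / "Vendor" / "app.exe").write_bytes(b"MZ original app")
        (root / "Vendor" / "helper.dll").write_bytes(b"MZ original helper")
        (root / "Vendor" / "readme.txt").write_bytes(b"not watched")
        before = build_baseline(root)

        (root / "Vendor" / "helper.dll").write_bytes(b"MZ patched helper")  # modified
        (root / "Vendor" / "dropped.exe").write_bytes(b"MZ new file")       # added
        (root / "Vendor" / "app.exe").unlink()                               # removed
        after = build_baseline(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    print(demo())
```

In real use the baseline would be written to disk (or somewhere the monitored machine cannot alter it) right after a clean install and re-run on a schedule; the text file is deliberately ignored to show that the suffix filter, not the directory name, decides what is watched.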
     
  3. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: Case Study: Prevx, SSM, PG 2.5, overkill or not?

    Hi Notok,

    I ran the following scans before installing PG 2.5:

    KAV 4.5.104 - nothing found
    NOD32 trial - nothing
    TDS-3 - nothing
    Ewido - nothing
    Ad-aware - nothing
    Spybot - nothing
    TrojanHunter - nothing and last but not least -
    Giant AS - Bingofun Spyware!

    Cleared Bingofun and all traces using Crap Cleaner. However, this did not eliminate the problem as I described in my first posting. For some reason Prevx didn't catch the changes - if there were any, unless that initial message that I received about SSM came from Prevx. But I do not think so since it was not a normal Prevx message. I think SSM must have done a self-check or something. Or another program caught it. I don't know. It was all so weird. It was only when PG showed the programs running.

    I am working on installing some backup software. I think Disk Snapshot seems like the best. Also, FirstDefense might be really helpful in these kinds of situations. Any comments?

    My browsing was all so innocent - and all of a sudden Zapped. I am really, really aghast at how easy it is to catch lethal viruses nowadays, even with really good defenses. A good backup would really help I am sure. Just clear out everything and start time-1.

    Rich
     
  4. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Re: Case Study: Prevx, SSM, PG 2.5, overkill or not?

    Well it is possible that there's some conflicts or corruption causing the problem. I know that there can be problems with SSM and both Prevx and PG.. so it's also possible that it just kind of blew up on you (so to speak.) I know when I was trying out SSM, "buffer overflows" were one of the things I got, it's possible that a normal alert set off a chain reaction. You might try removing SSM and use one of the registry monitors mentioned in the "registry monitor comparison" thread for a little while and see if that doesn't change things at all (especially if you have the paid version of PG, it serves almost entirely the same functions except registry monitoring.) Those are all trustworthy scanners, so I wouldn't doubt their results TOO much.
     
  5. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    Re: Case Study: Prevx, SSM, PG 2.5, overkill or not?

    I don't know if this is a good idea (moderator please delete as appropriate) but may I ask what program were you searching for?

    I just want to avoid that search if possible or the experts can test it out to see what they are. Could be some new nasties that are still lurking in the wild that nobody knows.

    :)
     
  6. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: Case Study: Prevx, SSM, PG 2.5, overkill or not?

    Hi Chew,

    Try as I might, I can't recall which site I went to. I was searching for information about an alert which I thought might be a FP and I fell into a site that whacked me hard. I don't know how it got through Prevx, SSM, Wormguard, as well as KAV 4.5.104, BOClean and Giant AS. Luckily I noticed the network traffic and the SSM warning was enough to warn me that something was up. Prevx stopped the overflow cold but it was PG that somehow showed the tasks that were running. Somehow all were hidden from System Task Manager and WinPatrol.

    Rich
     
  7. TheSnowGuy

    TheSnowGuy Guest

    Re: Case Study: Prevx, SSM, PG 2.5, overkill or not?

    RICH SAID:

    **I uninstalled NAV and all traces that I could find. I also ran Crap Cleaner and found some traces in the registry which I deleted.

    When I re-booted, everything seem back to normal. So far no problems***

    *****************

    How can you be certain it wasn't NAV that was causing the problem...a corrupt install of NAV perhaps o_O

    With the security programs you listed it seems highly unlikely that an exploit got through...although that's a lot of system resources being consumed by those programs......test that with your resource meter Rich.....say, did you have both NAV and KAV running at the same time o_O
     
  8. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: Case Study: Prevx, SSM, PG 2.5, overkill or not?

    Hi everyone,

    It certainly is possible that there was a chain reaction. The website I went to went haywire. Then something happened to SSM so I re-installed. And then some programs that shouldn't be running with Systemworks were running. So I had to uninstall Systemworks (NAV was not installed). All of the stuff may have been falling all over itself. It was just a test. I am now back to a more normal runtime situation with KAV, Prevx, BOClean and Zonealarm. But the mess does give me an impetus to continue looking for a good backup strategy so that I can restore to an image when I need. I am thinking about Disk Snapshot as the simplest solution though I am a bit concerned about online backups. I know that they can be tricky.

    Thanks for the ideas. I think you guys might be right. The website I visited might have triggered a domino-like effect on the applications.

    Rich
     
  9. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    Re: Case Study: Prevx, SSM, PG 2.5, overkill or not?

    richrf

    If it got through all of those I am afraid it could be something potentially serious and powerful.

    You must try to inform them (Prevx, SSM, Wormguard, as well as KAV 4.5.104, BOClean and Giant AS) of such events even if you need to write a long report. So that they can research into the breach or problem that you encountered. Perhaps then they can give you a full explanation of what to do etc.

    hmmm ... rather scary I must say if it could breach all your defence.

    :eek: o_O :)
     
  10. Re: Case Study: Prevx, SSM, PG 2.5, overkill or not?

    My story may be absolutely irrelevant, though it has some similar points.

    When the MSBlaster thing appeared I was already patched and pretty happy with it. But ~a year after this (this summer) odd things had happened: all patches were rolled back, so my computer became vulnerable to MSBlaster, Sasser and Co. Windows update was removed. COM dependent applications (installers, debuggers, ...) reported "no such interface supported" and ceased to work.
    A few weeks ago I reinstalled Windows (this solved most of the problems) and proceeded with all updates but this didn't help to patch the msblaster/sasser holes. So this is how I found SSM useful (yeah, may sound kinda funny ;) ):
    When MSBlast tried to reach me it "asked" svchost to run either cmd.exe or ftp.exe.
    When Sasser tried to infect me it instructed lsass.exe to start cmd.exe
    Both attacks were caught by SSM with parent-dependent rules for cmd.exe and tftp.exe.
    Unfortunately after the buffer overflow in svchost occurs (msblast) any application hangs when it tries to list the "My Computer" folder

    So I wonder what application had tried to start the malware: Firefox or svchost?
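The parent-dependent rules this post credits with catching both worms (svchost.exe asking for cmd.exe/tftp.exe, lsass.exe asking for cmd.exe) come down to one check on each process-start event: who is the parent, and should that parent ever launch this child? The following is an added example written for this thread, not SSM code; the rule table and the process-start events (pids, parents, image names) are constructed to reproduce the two patterns described above next to a benign user-launched shell.

```python
"""Parent-dependent process rules in the style of the SSM rules described
above. Added example, not SSM code; the rule table is a defender's choice
and every event record (pids, parents, images) below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcStart:
    pid: int
    ppid: int
    image: str  # basename of the executable, lower-case


# child image -> parents that should never launch it. These reflect the two
# cases in the post (system services spawning a shell or a file-transfer tool).
SUSPICIOUS_PARENTS = {
    "cmd.exe": {"svchost.exe", "lsass.exe"},
    "tftp.exe": {"svchost.exe", "lsass.exe"},
    "ftp.exe": {"svchost.exe", "lsass.exe"},
}


def evaluate(events):
    """Walk process-start events in creation order, resolve each event's parent
    image from the pids seen so far, and return (pid, child, parent) alerts for
    every launch that matches the rule table. A parent whose start was never
    observed resolves to '<unknown>' and cannot match a rule."""
    by_pid = {}
    alerts = []
    for ev in events:
        by_pid[ev.pid] = ev
        parent = by_pid.get(ev.ppid)
        parent_image = parent.image if parent else "<unknown>"
        if parent_image in SUSPICIOUS_PARENTS.get(ev.image, set()):
            alerts.append((ev.pid, ev.image, parent_image))
    return alerts


# Constructed sample: a boot-time service tree, a user session, and the two
# launch patterns from the post. explorer.exe's parent (1200) is deliberately
# absent to show the '<unknown>' path.
SAMPLE_EVENTS = [
    ProcStart(4, 0, "system"),
    ProcStart(600, 4, "lsass.exe"),
    ProcStart(900, 4, "svchost.exe"),
    ProcStart(1500, 1200, "explorer.exe"),
    ProcStart(2000, 1500, "firefox.exe"),
    ProcStart(2100, 1500, "cmd.exe"),   # user-launched shell: benign
    ProcStart(2200, 900, "tftp.exe"),   # svchost -> tftp: the MSBlast pattern
    ProcStart(2300, 600, "cmd.exe"),    # lsass -> cmd: the Sasser pattern
]


if __name__ == "__main__":
    for pid, child, parent in evaluate(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} {parent} launched {child}")
```

The same table answers the post's closing question: a rule keyed on the parent image tells you which process actually asked for the child, which is exactly the information a plain "cmd.exe started" alert lacks.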
     
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: Case Study: Prevx, SSM, PG 2.5, overkill or not?

    Hi Divine,

    Sometimes I am amazed at how the malware creeps through. I don't know how some of it enters into my machine. I am more careful about the sites I visit (I do a lot of research on the net) and I take nothing for granted anymore. It is really like walking down a dark alley. I just have to be more careful. The security I have put in place definitely helps, but it cannot protect against all of the unknowns on the net, so care, I guess, is the best defense. Surfing ain't what it used to be - but that is life.

    Rich
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Re: Case Study: Prevx, SSM, PG 2.5, overkill or not?

    Locking down browser settings is important - even if you use a non-IE browser, allowing Java and Javascript opens the door (albeit by a crack) to malicious sites. Since your security programs will be configured to "trust" the browser, extra care needs to be taken in restricting what HTML it sees - many firewalls can do web filtering, but standalone filters (like Proxomitron) offer better control, at the cost of having another program to learn. Also note that almost all web filters will fail with https pages (see The dangers of HTTPS for more details).

    Richrf, were you running a (properly configured) firewall? This would be the first line of defence against any probes and while it would not prevent your browser from being compromised, it would definitely rule out any other causes.
     
  13. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    It seems my "Bradley" Fighting Machine wouldn't stand a chance against what is out there if these threats can penetrate your systems configured as M1 Battletanks. So far (knock on wood) I have avoided such threats even after surfing the darkest alleys of the net.

    Which leads to my question: If one doesn't let them in without permission (downloads), how are they injected into a system?
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    Re: Case Study: Prevx, SSM, PG 2.5, overkill or not?

    Hi Rich

    Couple of things. First of all I would be sure and have the latest full version of ProcessGuard installed. That way if something had tried to get thru it would have been stopped cold. Raxco's First Defense would have been perfect for this situation. 2 minutes and you would have been back like nothing had happened. Finally I use Internet Explorer (latest version) and I also use Edensoft's Popup Cop. Popup Cop has stopped a lot of flyby downloads, and attempted ActiveX nasties dead in their tracks.

    Pete
     