How quickly the malware/security landscape changes!

Discussion in 'other anti-malware software' started by besafe, May 31, 2007.

Thread Status:
Not open for further replies.
  1. besafe

    besafe Registered Member

    Joined:
    Mar 29, 2007
    Posts:
    222
    2-3 years ago when I started visiting this forum:

    1. Process Guard was the king of HIPS... it now appears to be a has-been

    2. NOD32 was sold to me as a one stop product. My rep told me that I wouldn't need antispyware applications with NOD32, all I would need was a good firewall.

    3. Sandbox applications were relatively unknown, or at least not spoken about nearly as frequently

    Amazing how quickly things change in the technology world!
     
  2. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Ha, you bet!
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    And How Little The Means of Malware Distribution Have Changed

    Social Engineering has become much more sophisticated:

    An inside look at a targeted attack
    http://isc.sans.org/diary.html?storyid=2894
    However in the end, same old thing:

    And same tried and true solution:

    If it can't execute, it can't infect

    The triggering mechanisms have become more sophisticated and very difficult to analyze
    without the proper tools:

    Analyzing an obfuscated ANI exploit
    hxxp://isc.sans.org/diary.html?storyid=2826

    In the final analysis, same old thing:

    And same tried and true solution:

    If it can't execute, it can't infect

    If you followed the sloantreefarm exploit, you saw how clever and sophisticated it was, with Referer header and redirect means of getting the user to a page which attempted to download a trojan by remote code execution. In the end, it was prevented by the same tried and true solution, as many here demonstrated:

    If it can't execute, it can't infect

    Appearances are deceiving. PG is still a formidable warrior standing guard at the gate.
    Nothing like the above exploits gets past PG.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  4. besafe

    besafe Registered Member

    Joined:
    Mar 29, 2007
    Posts:
    222
    I hope that you don't think I was trying to slam Process Guard. I have never even used it. I really can't speak of its effectiveness or ineffectiveness. I was merely noting that it appeared to be the "hot program" a few years ago and now people rarely speak of it. Other programs like SSM and ProSecurity seem to have replaced it as the "hot program".

    And even more than that, just 2 years ago NOD32 + a firewall was a tight security setup. Now it's not even the bare minimum, as the bare minimum seems to be FW + AV + antispyware.

    So I hope that neither Process Guard nor NOD32 users took offense. I was merely pointing out how fast the world of PC security seems to be changing.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I'm sure you weren't :)

    But sometimes our views on these things are influenced by the media which loves to hype and sensationalize the world of malware.

    It deserves our attention, of course, but often close scrutiny of what is written reveals that tried and true simple solutions are still effective.

    Naturally, one needs to evaluate her/his own circumstances and proceed accordingly.

    But the blanket statements one reads are often misleading, and deserve a closer look.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  6. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    A good AV and Sandboxie will get you through any storm.;)
     
  7. besafe

    besafe Registered Member

    Joined:
    Mar 29, 2007
    Posts:
    222
    But for how long?
     
  8. masqueofhastur

    masqueofhastur Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    109
    You forgot to mention that phishing is now a major concern. It's also no longer the case that malware's purpose is to screw your computer up. Now malware is there to gather information about you and send it to someone else so that they can use it. "If it can't execute" prevents malware and keyloggers from being used, but phishing depends on social engineering, and there's no software solution that cleanly solves it. To spot phishing you have to keep a close eye. You have to be aware that a small icon will change when you're at a secure website. You have to be aware that there should be a security certificate, but usually you just get a warning when the certificate is expired or invalid, which usually means the site is legit but they've let something lapse. Now, with URL redirection being quite common, it's easy for them to make a phishing site that's plausible if you haven't paid close attention, and maybe uses a spelling like www.micorsoft.com, www.paypall.com, or perhaps something like www.cibcvisa.com; they could even go a step further and do secure.cibcvisa.com. Someone who has a Visa from CIBC might not twig on this. There's no foolproof software that will prevent someone from actually giving their information out. That's the biggest new issue that hasn't caught on yet. Spyware has, because it behaves similarly to viruses, and it can be prevented with software. Phishing isn't as easily preventable, and it's not talked about nearly enough either.

    BTW, don't click on the micorsoft one, turns out it's one of the standard spelling mistake portals. Probably nothing, but don't go there unless you trust your security software.
     
  9. EASTER.2010

    EASTER.2010 Guest

    That little trick of social engineering is possibly the easiest of them all to prevent.

    DON'T DO NO CREDIT CARD BUSINESS ONLINE! PERIOD! FOR ANYTHING!

    My motto goes something like this: if any online business is really legitimate then they will have already made provision for a potential customer to contact them via the old-fashioned way. TELEPHONE.

    Otherwise, they don't get any business from me, period.

    No matter how safe you think a secure site is, your private credit card number is VERY VISIBLE if others want to review it for malicious purposes. Think of the internet as a global telephone party line.
     
  10. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    How do you know the phone is safe?
    Do you really know who you're giving your credit details to via the phone?
    If you shop online it is normally through a company such as element5, which is a known safe company that does online transactions.
    Via the phone it's just you and the person on the other end.
    I just thought I would chime in.
    lodore
     
  11. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Safest!! (but that's ridiculous) is to go to the seller in person, hand over your money, and get your thingy. Greedy world we live in, and it seems worse than yesteryear.
     
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    And even then you have no assurance that the seller won't scam you. But then that may already have nothing to do with malware or computer security. :D
     
  13. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    CAUTION, put on your paranoid protection suit...

    I hate to even mention this, BUT, there are still a gazillion analog phone connections into a home or business. I am not talking about all the fancy digital stuff in your house or business.

    See the physical wire coming into your home/business?

    ALL outside telephone techs have a test "telephone" with clips... it is called a "butt-in" (butt set). The "butt-in" looks like the handset from a pay phone with a dial on the back side where the earpiece is.

    Telephone wires have only 48 volts and very low current, and can not really hurt you. (If you were holding the two telephone wires when a person's phone rang... zap... zap... 105 volts at 20 Hz with little current. Sure will make you let go very fast!)

    Or, just use a simple cheap headset with a 9v amplifier. Just make sure the resistance of whatever you use, is high so the phone company "central office" does not think you have the phone "off hook".

    Mike
     
    Last edited: Jun 1, 2007
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    The days of simple malware are over, now we get :
    - the sophisticated malware
    - the hidden malware
    - the quiet malware
    - the hard-to-detect/remove malware
    to steal your identity data, your money, your private info, etc.

    This requires other security measurements, like
    - firewalls
    - immediate system recovery
    - whitelists
    - anti-executables
    - isolation
    - behavior-based
     
  15. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Being a safe surfer is most of what is needed to stop the latest malware.
    An email asks you to give bank details in an email?
    You just delete it right away, or report it to the bank and then delete it.
    I know some people were unlucky and got infected by the zero-day attack at the ASUS site, but that's the problem of ASUS.
    They should have better security systems.
    The main thing is don't go overboard.
    Next thing you will be telling us is we need retinal scanners on every door,
    and if the wrong person tries to access the door then a gun starts shooting :D
    lodore
     
  16. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Looks like in the future, it will still be a problem, just have a different name... "unwittingly collaborate to one another's mutual advantage"

    Scientific American - Breaking Network Logjams (June 2007)

    Page 4, under "Tomorrow's Networks"
    (All red highlighting is mine.)

    Mike
     
  17. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    How true :)
    I hate repeating myself, but this "common sense" advice isn't enough yet.
    And as you said, no current "anti-phishing solution" can really stop this problem, especially if the domain and the SSL certificate are the true and original ones. Speaking of which, I've just been credited on Slashdot by the author of my favorite security tool, who slightly improved my infamous ZoneAlarm PoC :cool:
     
  18. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Just think: if you click a link in an email POP client it will open in IE by default.
    So it pays to make e.g. Opera or Firefox the default browser to minimize damage if you click the link by mistake.
    Just remember Kaspersky is the only AV that can scan secure traffic.
    Maybe other AVs will follow suit.
    lodore
     
  19. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
  20. masqueofhastur

    masqueofhastur Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    109
    Not really, you're thinking about malware again. Phishing doesn't require malware. Opera in the default configuration is worse (at least when I used it): it doesn't show the URL of the link you're hovering over.

    What would probably be needed is a program that has a whitelist (both by URL and by IP address, in case of HOSTS file infection or DNS poisoning), a blacklist, and an algorithm that detects likely phishing sites either by similar spellings or by dropping URLs and just having an IP address.
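    As an added example that is not code from any poster in this thread: a Python sketch of the checker masqueofhastur describes above (allowlist keyed by host and by the IP the host resolved to, a blocklist, and lookalike detection), run over the kinds of addresses from the earlier post (www.micorsoft.com, www.paypall.com, secure.cibcvisa.com, a bare-IP URL). Every host, IP address, brand list and edit-distance threshold below is constructed for illustration; the "last two labels" rule for the registered domain is a stand-in for a real public-suffix list.

```python
"""Heuristic phishing-URL classifier: allowlist by host and expected IP (so a
poisoned HOSTS file or DNS cache shows up as a mismatch), blocklist, and
lookalike detection for misspelled or embedded brand names and bare-IP URLs.
Example code added to this thread; all data below is constructed."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: legitimate host -> IPs it is expected to resolve to.
# Addresses are RFC 5737 documentation ranges, not the sites' real ones.
ALLOWLIST = {
    "www.paypal.com": {"203.0.113.10"},
    "www.microsoft.com": {"203.0.113.20"},
    "www.cibc.com": {"203.0.113.30"},
}
# Constructed blocklist of hosts already reported as phishing.
BLOCKLIST = {"www.paypall.com"}
# Registered domains and brand labels derived from the allowlist by taking the
# last two labels (assumption; a real tool would use the public-suffix list).
ALLOWED_DOMAINS = {".".join(h.split(".")[-2:]) for h in ALLOWLIST}
BRANDS = sorted(d.split(".")[0] for d in ALLOWED_DOMAINS)
MAX_EDIT_DISTANCE = 2  # assumption: within two edits of a brand is a lookalike


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) for catching misspelled brands."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, resolved_ip: str):
    """Return (verdict, reason); verdict is 'allow', 'block', 'warn' or 'unknown'.
    resolved_ip is what the local resolver returned for the URL's host."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "block", "URL has no host"
    if host in BLOCKLIST:
        return "block", "host is on the blocklist"
    if host in ALLOWLIST:
        if resolved_ip in ALLOWLIST[host]:
            return "allow", "host and resolved IP are on the allowlist"
        return "block", f"allowlisted host resolved to unexpected IP {resolved_ip}"
    try:
        ipaddress.ip_address(host)  # raises ValueError for a normal hostname
        return "block", "URL addresses the site by bare IP instead of a name"
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2:
        return "unknown", "single-label host"
    registered = ".".join(labels[-2:])
    second_level = labels[-2]
    if registered in ALLOWED_DOMAINS:
        return "warn", f"unlisted subdomain of allowlisted domain {registered}"
    for brand in BRANDS:
        if brand in second_level:
            return "warn", f"brand '{brand}' embedded in unrelated domain {registered}"
        if levenshtein(second_level, brand) <= MAX_EDIT_DISTANCE:
            return "warn", f"'{second_level}' is a lookalike of brand '{brand}'"
        if any(brand in label for label in labels[:-2]):
            return "warn", f"brand '{brand}' appears only in a subdomain of {registered}"
    return "unknown", "no allowlist, blocklist or lookalike match"


if __name__ == "__main__":
    # Constructed sample links; the second line simulates a poisoned resolver.
    samples = [
        ("https://www.paypal.com/login", "203.0.113.10"),
        ("https://www.paypal.com/login", "198.51.100.7"),
        ("http://www.paypall.com/", "198.51.100.7"),
        ("http://www.micorsoft.com/", "198.51.100.7"),
        ("https://secure.cibcvisa.com/", "198.51.100.7"),
        ("http://203.0.113.99/update.exe", "203.0.113.99"),
        ("https://www.paypal.com.login-check.example/", "198.51.100.7"),
    ]
    for url, ip in samples:
        verdict, reason = classify(url, ip)
        print(f"{verdict:7} {url}  ({reason})")
```

    The IP check is what distinguishes this from a plain URL blocklist: the allowlist entry pins the host to the addresses it should resolve to, so a HOSTS-file edit or a poisoned resolver that sends www.paypal.com somewhere else is blocked even though the name in the address bar is correct. The lookalike rules are deliberately coarse (substring and edit distance on the second-level label) and will produce warnings, not blocks, because a legitimate unrelated domain can trip them.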
     
  21. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    What about using something like OpenDNS?
    That would help against that sort of thing.
    It blocks phishing sites.
    And say you were at a wireless hotspot and the router was exploited and the DNS settings changed.
    If you went to, for example, hsbc.co.uk, it would first look up the IP address from the router, then it would be checked by the OpenDNS settings of your connection, and you would then go to the right place.
    lodore
     
  22. masqueofhastur

    masqueofhastur Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    109
    That'll definitely help.
     
  23. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    Really? :rolleyes:
     
  24. besafe

    besafe Registered Member

    Joined:
    Mar 29, 2007
    Posts:
    222
    Elio...How did you do that with that link? It fooled spoofstick.

    I thought spoofstick would prevent me from this sort of thing.
     
  25. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Of course I just had to also try it. But, knowing you, I pasted the link into Notepad so I could look at it... 1096 characters. :shifty:

    So, the first screen was leaving BofA, and then to http://www.sipc.org/

    Hmmm, should I have seen your "If you did not see it written here ..." message?

    Mike
     