London uni fears 0-day used to cram network with ransomware

Discussion in 'malware problems & news' started by Minimalist, Jun 14, 2017.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks.

    Honestly I was wondering when someone was going to comment on that by saying overkill/overlap or whatever.

Fact is I've been like that for years. LoL On XP I ran HIPS + SD + Sandboxie + FD-ISR etc.

Keeps the AVs off my system for sure. Lost total trust in them, and the last time I did try again was with 360IS Proactive by Qihoo. I got hit (less than 6 months after install) with my first ever ransomware. I was lucky and it didn't get a full grip, but it made me so irate I swore off AVs for good again and now stick with Anti-Exploit/Anti-Malware/Virtualization tech and a host of tweaks only.
     
  2. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,619
    Location:
    Milan and Seoul
    If your machine is fast, having Windows Defender enabled is another layer that will give a name to malware if detected. As long as it is not the only security layer, a free AV is not redundant, and WD lately has dramatically improved in terms of detection... Sure it's not a must.
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,080
    Location:
    DC Metro Area
    @EASTER

    To be clear: No way I intended to imply overkill. It's highly intelligent, sophisticated, and impressive and I respect it. If software were food, you would be rated as a Five Star Chef. But it does invite a wise-crack :)
     
    Last edited: Jun 24, 2017
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks, and I didn't mean to imply that "you" would even suggest that. I was just softly generalizing what I USED TO EXPECT I suppose is a better way to word that.

In times past I put the whole works into security and indeed overlapped similar modules/detections, but as long as performance didn't falter too much it was a mainstay. Sometimes it was raised that there might be too many apps doing the same thing, which was true, but the ever competitor that I am, I liked to see which app had the quicker trigger response to the abnormal on the Windows stack list, which sometimes changed priority on a whim.

    Wise cracks are always welcome too :)
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
A comment on the use of ad blockers. They are of no use on HTTPS web sites unless they perform SSL/TLS protocol scanning like the stand-alone version of AdGuard, or your AV solution has an SSL/TLS protocol scanning option and it is enabled. This latest AdGholas-based attack used an ad on an HTTPS web site.
     
  6. guest

    guest Guest

An ad blocker prevents ads from appearing on a website, whether it is HTTP or HTTPS.

"Malvertising - or malicious advertising - sees poisoned adverts placed on legitimate websites."
"Adblocker = An ad blocker will prevent ads from appearing in your browser"

If the attack is based on malicious ads, but the ad blocker is preventing them from being displayed in the browser, the attack is prevented.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
Without a test, I am not sure the ad blocker would prevent a drive-by download from an HTTPS web site.

    The browser is decrypting the web page code. Once the code is decrypted and formatted, it is active code. However, the formatting of the web page is done in a buffer. The browser displays the web page when formatting is complete.

The question is at what point does the ad blocker start parsing the web page for code to block? If the drive-by download code was triggered upon web page loading but prior to ad blocker monitoring, it is game over.
     
    Last edited: Jun 25, 2017
  8. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
Correct me if I am wrong, but I don't think webpages usually contain the ads. I think the webpage has a placeholder to which the ad is downloaded, so the ad blocker prevents the placeholder from loading the ad; therefore the ad's malicious code is not executed.
     
  9. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
I think the main cause is bogus technology that is claimed "will enhance your browsing experience" when its true purpose is to facilitate ads that can execute code. There really is no excuse for any of it. An ad could function just as well as a jpg or a regular video format.
I personally would be much happier without any enhanced browsing experience. I wish all websites were like Wikipedia.
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
That's not true for ad blockers which are installed in the browser (extensions or add-ons). They don't need to perform MITM for HTTPS connections and can block ads on HTTPS sites with no problems.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
Yes, ads are usually delivered through ad networks which are placed as "placeholders" on webpages. Usually the ad blocker prevents the browser's request for a blacklisted ad network resource, so the request for this (potentially malicious) resource never leaves your computer. If something was not requested by your browser, it will not be downloaded.
     
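The request-blocking behaviour described in the post above, as an added example that is not from the thread or from any real ad blocker: a minimal model of an in-browser filter engine that matches each resource URL against EasyList-style `||host^` rules before the fetch is issued, so the scheme (HTTP or HTTPS) never matters. The filter list, host names and request URLs are constructed sample data, and the eTLD+1 helper is a deliberate simplification.

```javascript
// Added example (constructed, not the code of any real ad blocker).
// An extension sees the plaintext URL inside the browser before the request
// is sent, so a "||host^" rule blocks the same way for http:// and https://.

// Constructed filter list in EasyList-style syntax.
const FILTER_LIST = [
  "||ads.example-network.test^",              // block the whole ad-network host
  "||tracker.example-cdn.test^$third-party",  // block only when embedded cross-site
];

// Parse "||host^[$option,...]" into a rule object.
function parseRule(rule) {
  const [pattern, opts = ""] = rule.split("$");
  if (!pattern.startsWith("||") || !pattern.endsWith("^")) {
    throw new Error("unsupported rule syntax: " + rule);
  }
  return {
    host: pattern.slice(2, -1).toLowerCase(),
    thirdPartyOnly: opts.split(",").includes("third-party"),
  };
}

// "||host^" matches the host itself and any subdomain of it.
function hostMatches(host, ruleHost) {
  return host === ruleHost || host.endsWith("." + ruleHost);
}

// Crude eTLD+1 (last two labels); enough for the constructed hosts here.
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Decide "block" or "allow" for a resource request made from pageUrl.
function decide(requestUrl, pageUrl, rules = FILTER_LIST.map(parseRule)) {
  const req = new URL(requestUrl);
  const page = new URL(pageUrl);
  const thirdParty =
    registrableDomain(req.hostname) !== registrableDomain(page.hostname);
  for (const r of rules) {
    if (!hostMatches(req.hostname, r.host)) continue;
    if (r.thirdPartyOnly && !thirdParty) continue;
    return "block";
  }
  return "allow";
}

// Simulate a page load: only allowed resources are ever requested, so a
// blocked ad-network URL is never fetched, encrypted or not.
function filterPageLoads(pageUrl, resourceUrls) {
  return resourceUrls.filter((u) => decide(u, pageUrl) === "allow");
}
```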
  13. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
Has anyone ever heard of an ad network getting punished for delivering malicious code in their ads?
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
Nope, never heard of it. Usually they only give a vague response, similar to "they've resolved the problem, they're sorry for the inconvenience and they'll do better to prevent such incidents in the future".
     
  15. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
Yeah, sounds about right. It's a good thing the nuclear industry isn't run like the tech industry, that's all I can say. We would be discussing which type of biohazard protection suits we should wear to go outside.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    https://www.infosecurity-magazine.com/news/massive-adgholas-malvertising/
     