New Threat - Protected by WG?

Discussion in 'WormGuard' started by Dazed_and_Confused, Jun 4, 2004.

Thread Status:
Not open for further replies.
  1. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Just read an article about a new worm propagating via e-mail. Does anyone know if WG has been tested against this latest threat? o_O
     
  2. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Dazed_and_Confused

    Not sure, but they should be with TDS, and if you are up to date with Windows updates you should be safe.

    I read about it here by Marianna.
    Thanks anyway.
    Take care,
    TheQuest :cool:
     
  3. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hi, Quest! I know TDS is very powerful and detects not only trojans but worms as well, but this is primarily the job for Wormguard, isn't it? With Wormguard installed, I would hope I would still be safe without TDS concerning this threat.

    I agree that one should take care to keep Windows up to date. However, I would also hope that Wormguard would still protect one who isn't as vigilant as they should be with OS updates. If keeping my OS up to date is all I need to do, then why bother purchasing Wormguard?
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
  5. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    I'm sorry Jooske, what .exe names? Surely you don't mean all .exe names?

    Edit: Are you referring to the name "shrek_2.exe" mentioned in the PC World article?
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I would add all of the roughly six names mentioned in the Kaspersky analysis.
    If you like, add the attachment names too. Those are all executables, and you normally do not have the .exe extension in your blocked list, for it would block all your Windows programs completely :D
    It never hurts to add a few extra to the list.
     
  7. Sandish

    Sandish Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    51
    I just checked it on my test machine and WG didn't cause an alert when I executed it. I may be wrong, but I think WormGuard works best with script-based worms and unencrypted, unpacked binaries - files that contain plain ASCII strings that can be used for detection.
    But I could be wrong.
    However, WormGuard does a fine job on such "bad scripts".

    BTW - TDS picked it up as Possible Keylogger - NOD32 didn't (with the 1.781).
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Sandish,
    once you're testing and infecting yourself already, if you added the name(s) to the WormGuard blocked list, did you get changes and blocking alarms now?
    BTW: is your test system patched with all the latest security patches and did the nasty still run? Should not be possible!
    And did TDS exec protection not stop it as well?
    And other protection?
     
  9. Sandish

    Sandish Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    51
    Hi Jooske,

    yes TDS stopped it.

    Of course it's possible to stop it with WG, if you add the name.

    My test system isn't patched at all, only bugfixes installed that are not security related and needed for running smoothly - the machine is only here to be infected - it has no connection to the internet, and to the local network only if needed. I restored the clean installation already from an image. Don't worry ;)

    I checked the file with KAV, RAV, McAfee, Dr.Web and NOD32 and only NOD32 failed (that tells nothing about the quality of NOD - don't get me wrong) - but with the different layers D+C has installed, it's not a problem. Please note that even on a patched system it's possible to run it, because it not only comes through the internet like Sasser, but also as an e-mail attachment.
     
  10. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks for the info, Sandish. That's good to know, and I'm glad I've got TDS-3 protecting me from this bad boy.

    But hold on one minute now. I read that this latest threat is classified as a WORM. I really don't care how it works. And to be honest with you, I (and I suspect most people that don't hang around Wilders) don't understand the difference between an unpacked binary, a text file, and a boiled egg. If it's a worm, I expect software that's billed as "the future of worm detection" to detect this fella. And personally, I don't think I should have to search the net for filenames and extensions and then add them to the app's blocked list for it to work. Yes, I have TDS-3 and NOD32, but those apps were designed primarily as an AT and an AV (respectively). I wish someone would have told me before I purchased WG that while it may be the future of worm detection, the future is not here yet. :'(

    I apologize in advance to Wormguard fans if I offend anyone.
     
  11. Sandish

    Sandish Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    51
    It was classified as a worm because it propagates worm-like. A worm digs its way through a network and doesn't need a host like a virus. I can't tell you too much about the way WG works, because there isn't too much info about it (or I can't find it). But to me it seems like it searches for strings. But I think there is some more to it.

    Almost every binary (if not packed or encrypted) contains plain human-readable text strings. Now, if you take a look at the strings that you usually can find inside a worm, and compare them with other worms, you will see many common parts - like the part that is used to talk to a mail server (HELO, EHLO, MAIL FROM, RCPT TO, DATA, QUIT) for example. A script worm - like a mIRC script or a VB script - contains only plain text and it's "easier" to recognize what the file is all about (well, not really easy). A boiled egg can be very dangerous too, if you let it lie around in the sun for 3 weeks and eat it then... ;)

    STOP - a worm isn't a worm isn't a worm. "Worm" only tells about the way it spreads - worms come in very different flavours (ask a fish, if you don't believe it). WormGuard is very effective against script worms (that's my very personal opinion, based on the experience I made with the WG trial, 100% biased and maybe even flawed). The product is alright and it does a very good job on many threats.

    Awww - but that is what trial-versions are made for. I don´t think you wasted your money on it, it´s worth it.
     
  12. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    More good info, Sandish. :D But I didn't see anywhere on the DCS site that this version was a trial version.

    My daughter has one. I'll see what he (or is it a she?) has to say about that. :D
     
  13. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    What Sandish is saying might be true, and if it is, I wish software vendors would inform prospective buyers. A suggested example.

    "Buy Wormguard - The future of Worm detection! Works great on script worms, but if you happen to run across ANY other type of worm, you're on your own."

    Edit: Might also consider changing the name to "Script Wormguard".
     
  14. Sandish

    Sandish Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    51
    Dazed_and_Confused,

    please be fair. Detecting worms needs a lot of knowledge and skills. The fact that WG is able to catch many worms without any signature update is a sign of good and hard work. But it's impossible to catch all of them this way. Take NOD32 - the advanced heuristic is very powerful - still it can't recognize everything. And it's easy to write an undetected worm - the worm writer knows the opponent - he can test his "product" against it - the AV/AT/AW vendor can't.
     
  15. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Understood, Sandish. Don't get me wrong. I'm not going to uninstall my WG, but I am still a little concerned. If it's impossible to catch all of them this way, then build it another way! The designer said it was the "future of worm detection", and to me that type of talk really raises the bar.

    Edit:
    By the way, "Many" is not good enough. A leading-edge AW should catch "ALL", or at least "Most".
     
    Last edited: Jun 5, 2004
  16. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    After ranting and raving about how inadequate WG apparently is against the most current threats, I have to apologize to the folks at DCS. Because I see here that they are already working to make the next version more potent. I can't wait to get it. :)
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You never opened an Excel or Word doc with macros?
    Double extensions, email with scripts embedded, never visited infected websites? Suspicious amount of spaces in a name, suspicious words or code in files which somehow could run, object data exploits, iframe exploits, js, hta, loveletter, screensavers, scripts, you name it?
    My system warned a lot of times over all those years.
    I'm glad I can add extra files to be blocked; Tassie posted a whole list a long time ago for that moment.

    The new version has been rebuilt completely with only its own written elements, no longer using any of the Microsoft system files, so just wait and see what it will be.

    The first version of this program was ScriptGuard, when only malicious script code was an issue; then DiamondCS was the first, or among the first, to release a special WormGuard, covering scripts and lots of other threats.
    Trojan Defence Suite also does much more than defending against trojans: keyloggers, rootkits, worms, trojan downloaders, trojan spyware, adware, dialers, and lots more. And you can add more functionality with the scripts.
     
  18. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Jooske - I agree, that's a nice feature. I was just hoping WG wasn't relying on the user to have to constantly add files for the app to be effective. That shouldn't be (and apparently isn't) the first (or only) wall of defense.
     
  19. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi D & C, You may not have all that long to wait, remember that WG4 is just around the corner and it will have an update capability, probably not a daily update but a lot more flexible than the current version :)
    Also all users that have a WG3 licence will get a free upgrade to WG4

    Enjoy your weekend - Pilli
     
  20. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks, Pilli, I know you folks are working hard to improve WG, as well as your other products. And I have ABSOLUTELY no doubt, with my layered approach (WG, TDS, PG, RP, and NOD), that I'm well protected.

    Unfortunately, I fear most of the public is not as "safety conscious". :rolleyes:
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Fortunately this forum is highly educative, and this and more forums of this kind (computercops, to name a very good example, as one of the largest) really have a mission and goal here: to add to education.
    Google for computer security and these forums are in the highest rankings.
    So are our user profiles here, as you might have noticed! (Very handy if you need to advertise yourself in your resume; tell people they can PM you here so you never need to give out phone numbers or email addresses, just remember this forum URL.)
     
  22. A884126

    A884126 Registered Member

    Joined:
    May 16, 2004
    Posts:
    191
    I just did it but it is really a pain to do manual update. I hope that WG 4 will be out soon...
     
  23. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    The trouble is that a majority of these troubles could have been avoided simply by people keeping Windows Updated with MS Patches.

    A whole array of woes could easily have been avoided if they had simply gone to WU just once a week.

    MS Blaster and Sasser were avoidable if patches were installed. The patch that could stop MS Blaster was out MONTHS before that one became prevalent.

    *Sigh* one day people will learn a PC is just like a car. Needs servicing, new *filters* *air cleaners* etc. :doubt:

    Cheers, TAS
     
  24. A884126

    A884126 Registered Member

    Joined:
    May 16, 2004
    Posts:
    191
    You bet Tass!

    Check my signature
    always up to date !
     