Protection against malware without AV

Discussion in 'other anti-malware software' started by Tanotia, Mar 10, 2009.

Thread Status:
Not open for further replies.
  1. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    I gather from what you are saying that you no longer use DeepFreeze and AntiExecutable.

    Using Firefox as an example, the 'NoScript' extension will protect you from just about anything; the point is, how do you know whether the script is benign or not? I mean, what if you want to allow something to show the full contents of the page? I think a sandbox or a virtualizer would be practical to have in such situations.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I use Deep Freeze but not for the purpose of malware, rather, to keep my system partition always clean from temp, MRU and other such junk.

    Deep Freeze works best as a malware protector on a single partition, such as the College where I worked. On multiple partitions such as I have where not all are frozen, malware can intrude on those. A good example was mentioned by fcukdat in another forum where he described a file infector that looked across all partitions. If I were concerned that such malware could intrude, I would *consider* a Sandbox, where, as I understand it, malware cannot do anything outside of it. But I'm not sure on that point, since I haven't tested. For example, in my DLL and self-contained executable tests using AppGuard, would Sandbox prevent IE from connecting out to the internet? That test was to suggest that data stealing could occur without an alert from AppGuard, since nothing was written to System. Deep Freeze also would be of no help in that scenario.

    Regarding Anti-Executable, I use it for testing malware sites. Based on what I wrote in the previous post, nothing would ever alert here in normal work since the malware sites all require IE to trigger the payload. PDF and SWF files would not trigger malware because of other preventative measures here. However, I install it on others' computers because it is useful in locking down a family computer, for example, so that only the parents can download software/programs/games, etc.; it prevents email attachments from running in case of a lapse of good judgment, etc. Also, some like to use IE. Even though people configure it properly for security and use it safely, nonetheless Microsoft is not always prompt in patching, so there is a potential danger, and AE protects.

    Do you have a current exploit in mind?

    I look at all exploits when possible, and recent ones that use scripts fall into two categories.

    1) SQL injection, where a user gets to a compromised site and an injected script or i-frame on the page redirects to a site that attempts to download malware. An example:

    Code:
    <iframe src="http://bbs.jueduizuan.com"></iframe>
    
    Upon being redirected, this code triggers the download of the malware exploiting an IE vulnerability:

    code-ms06-014.gif

    Whereupon the trojan ri.exe is successfully blocked from downloading:

    ae.gif

    Using a browser other than IE, this exploit fails to run at all here. Anti-Executable not necessary. Deep Freeze not necessary. Sandbox not necessary.

    2) WinAntiVirus200x -- script on the page does the work:

    Code:
    <script src='fileslist.js'></script>
    <script src='progressbar2.js?v=1.1'></script>
    <script src='common.js'></script>
    
    ...
    
    function stateaction(state, data)
    {
        switch(state)
        {
            case 'BEGINSCAN':
                startScan();   /* kicks off the fake "scan" animation */
                break;
            ...
        }
    }
    
    Whereupon the fake scan starts:

    [screenshot]

    This exploit is not browser-specific; therefore, it depends on social engineering to trick the victim into downloading the malware:

    [screenshot]

    Assuming a user has scripting enabled and this fake scan runs and the download prompt appears, can Sandbox help?

    ----
    rich
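    The injected-iframe case in 1) above is the kind of thing a site owner can look for mechanically. The following is an added example by the editor, not code from the thread or from any product named in it: a small Node.js scanner that reads a saved copy of a page and flags `<iframe>`/`<script>` tags whose `src` points off-site, plus iframes that are sized 0x0 or hidden with CSS. The site hostname `example.com`, the sample page and the placeholder host `fakeav.example` are constructed for the illustration.

```javascript
// Added example (editor's illustration, not code from the thread): a small
// Node.js scanner for the mass-SQL-injection pattern described above, where an
// attacker plants an <iframe> or <script src> pointing at a third-party host,
// often sized 0x0 or hidden so the visitor sees nothing. Run it over a saved
// copy of a page you own to spot tags that were not yours.
// The hostname "example.com" and the sample page below are constructed;
// "fakeav.example" is a placeholder host, not a real site.
'use strict';

// Resolve a src attribute against the page's own origin so relative paths
// ("/js/site.js") and protocol-relative URLs ("//host/x.js") get a hostname.
// Assumes http; the scheme does not matter for the host comparison.
function srcHost(src, siteHost) {
  try {
    return new URL(src, 'http://' + siteHost + '/').hostname.toLowerCase();
  } catch (e) {
    return null; // unparsable src (e.g. "javascript:...") is reported as host null
  }
}

// Typical injected-iframe tricks: zero width/height or CSS that hides the frame.
function looksHidden(attrs) {
  const a = attrs.toLowerCase();
  return /\b(width|height)\s*=\s*["']?0\b/.test(a)
    || /display\s*:\s*none/.test(a)
    || /visibility\s*:\s*hidden/.test(a);
}

// Return every <iframe> or <script> whose src is off-site, plus any iframe
// that is hidden regardless of where it points. Each finding records the tag,
// the raw src, the resolved host and which rule fired.
function findInjectedTags(html, siteHost) {
  const tagRe = /<(iframe|script)\b([^>]*)>/gi;      // opening tags only
  const srcRe = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  const own = siteHost.toLowerCase();
  const findings = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    const s = srcRe.exec(attrs);
    if (!s) continue;                                  // inline script, no src
    const src = s[1] !== undefined ? s[1] : (s[2] !== undefined ? s[2] : s[3]);
    const host = srcHost(src, own);
    const external = host !== own;                     // a null host counts as off-site
    const hidden = tag === 'iframe' && looksHidden(attrs);
    if (external || hidden) {
      findings.push({ tag, src, host, external, hidden });
    }
  }
  return findings;
}

// Constructed sample: two legitimate tags, then an injected 0x0 iframe of the
// kind quoted above and a script pulled from an off-site placeholder host.
const SAMPLE_HTML = `
<html><body>
<h1>Welcome</h1>
<script src="/js/site.js"></script>
<iframe src="/help/embedded.html" width="600" height="400"></iframe>
<iframe src="http://bbs.jueduizuan.com" width=0 height=0></iframe>
<script src='http://fakeav.example/common.js'></script>
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findInjectedTags(SAMPLE_HTML, 'example.com')) {
    console.log(`${f.tag.padEnd(6)} ${f.external ? 'OFF-SITE' : 'on-site '} ` +
      `${f.hidden ? 'HIDDEN' : '      '} ${f.src}`);
  }
}
```

    On the sample page this reports the 0x0 iframe (off-site and hidden) and the off-site script, and stays quiet about the two same-origin tags. The check is deliberately crude: it works on raw HTML with regular expressions, so obfuscated `document.write` injections or tags assembled at runtime will not be caught, and a legitimate third-party widget will be flagged and has to be allow-listed by hand.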
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    See thread "Browsers hacked - not all of them - at Pwn2Own contest".
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I had skipped that article when I saw the word "contest" but decided to check it out since you mention it.

    Aren't these vulnerabilities rather than working exploits? I *normally* don't pay attention to vulnerabilities, since they surface, are patched, and then new ones show up.

    By the way, what is the significance of "pwn"?

    ----
    rich
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    They're demonstrated working exploits.

    Here is part of Wikipedia's entry for 'pwn':

     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I need to re-phrase to mean exploits circulating in the wild. If they are not circulating, should one still be concerned enough to change the browser?

    Thanks.

    ----
    rich
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    That's your call - I can't answer that. There is apparently a $100,000 black market value for reliable IE exploits. There must be some incentive for people to pay that much money, and for these black markets to exist. Source: http://www.theregister.co.uk/2009/03/19/pwn2own_day1/
     
  8. AndyXS

    AndyXS Registered Member

    Joined:
    Mar 17, 2009
    Posts:
    44
    How does one find vulnerabilities in software? I am guessing it's not just a case of trial and error.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I wasn't aware those exploits fetched such a high price!

    My question about changing browsers was intended as 'food for thought', since it has occurred to me in the past that, with so many vulnerabilities/exploits coming and going for browsers, the safest action resulting in no worries would be just to disconnect from the internet altogether!

    More realistically, if a working exploit is not circulating in the wild, then one's chances of becoming victimized by it are not very likely.

    On the other hand, one could switch to another browser until the vulnerability is patched, then switch back.

    On the other hand #2, one could never really be sure that an unknown/unreported working exploit for the other browser might suddenly circulate, making it susceptible to installing malware. With that thought constantly nagging, one could never be sure any time she/he connected to the internet!

    "What to do, what to do," she thought as she paced the room.

    ----
    rich
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    That's why some people use limited user accounts, buffer overflow prevention products, HIPS, Anti-Executable, etc. Statistically though, it seems that most average users who are infected are being infected by being tricked into downloading software that they don't realize is malware.
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    That calls to mind a comment in a Prevx blog last year,

    and...

    http://www.cio.in/news/viewArticle/ARTICLEID=5800121

    ----
    rich
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Perhaps good advice to protect against the malware download threat is to use a browser with a good malware reputation service. According to this thread, Internet Explorer 8 has the best one by far.
     