Real Antivirus

Discussion in 'malware problems & news' started by LenC, Jan 6, 2009.

Thread Status:
Not open for further replies.
  1. LenC

    LenC Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    846
    Location:
    CT, USA
    My computer is infected - I keep getting a pop up website wanting to sell me this bogus product. Two questions...

    1) My configuration of Norton antivirus and Windows Defender didn't block it. In fact, if I now scan with Defender, it tells me my computer is operating normally. What products might have blocked this?

    2) I use Acronis so I can just restore a previous image - not a big deal. However, if there is a way to easily and quickly knock this off my computer, I'd like to hear about it.

    Thanks,
    Len
     
  2. BrendanK.

    BrendanK. Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    520
    Location:
    Australia
    Download MalwareBytes Antimalware. It should get rid of it for you.
     
  3. tsilo

    tsilo Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    376
    I submitted this virus to Symantec and hope they will add it soon to the database....
     
  4. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    If you're referring to the rogue below, then Malwarebytes has it in its database.
    Rogue.RealAV
    Date spotted:
    First seen on 2008-09-05.
    Last seen on 2009-01-06.

    Detection statistics:
    This object is 0.00% of all objects detected.
    19,060 instances detected worldwide.
     
  5. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    As stated, the likes of MBAM and SAS should remove this; blocking this kind of thing, however, is another matter. Since they are usually user-initiated downloads, there's little to distinguish these rogues from legitimate security applications as far as anti-malware software is concerned. Usually signatures are added in time; however, if you're unlucky enough to encounter it before this happens, then the best defence is careful online habits, coupled with a hardened browser/system.
     
  6. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    Norton .... 2009?
     
  7. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    What would have prevented it from even touching the drive in the first place? That's easy: what's in my sig :D
     
  8. eagle5

    eagle5 Registered Member

    Joined:
    Oct 4, 2008
    Posts:
    21
    The fact you got infected would be enough for me to re-evaluate my setup
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    If you can describe how you got infected, it would be easier to determine how you could have blocked it.

    ----
    rich
     
  10. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Today with the open and free resources on the internet, no one needs to be infected simply because your antivirus "Does Not Know" a specific infection...

    I wrote an article about this for my web site; unfortunately, no one seems to bother reading these things, as it requires "work" before they get nailed, and we all know how fond of reacting after the fact Joe User really is when it comes to security! :D

    For those who want to read it here it is: You have a new unknown Virus?
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Good information, Hermescomputers!

    The reason I asked the OP to describe, if possible, how the infection took place is that it could answer the question asked in the post:
    "What products might have blocked this?"

    If a drive-by download, for example: The following is not an uncommon statement in analyses of such attacks:

    One solution here is not even a product, but simple Software Restriction Policies.

    If a social engineering ploy, such as update_flash.exe: with a firm policy of "not installing anything you didn't go looking for," again, no extra product is needed. The same with receiving an email to watch a video of some Hollywood star: "Thou shalt not be fooled."

    If the user has scanned a file which she/he intends to download and it turns up clean upon scanning, and then turns out to be a virus, well, now the user is in trouble. All people I've discussed this with agree that the best protection here is to consider the source of the file/program, and all agree that this has always protected them.

    We'll see if the situation of the OP turns out to be something different...

    ----
    rich
     
  12. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Hello RMus

    You are right, installing something simply because it is offered on a web page is highly inadvisable these days, as this is now the prime infection vector. However, restrictive user accounts are not used by most people simply because, well... they are restrictive and slow them down.

    The only solution I know of to circumvent this is simply to preemptively patch your system. Early detection of installed components being listed in security advisories is also recommended. Unfortunately, the average Joe has no idea how to find out what needs to be updated simply to stay secure.

    Here are some pointers on that:

    Better Patch That System - Part 1/3
    Better Patch That System - Part 2/3
    Better Patch That System - Part 3/3

    Also, it is by far preferable to use Firefox with a few add-ons, like WOT and NoScript and perhaps SiteAdvisor, as these are often able to detect and block hostile sites trying to crap user security...

    Also, another account-restriction alternative is perhaps a tool like Threatfire, which provides a method by which unexpected installs or hidden background behavior are intercepted and an opportunity to block is offered. This works well in most cases, and it also provides some scanning and recognition of key loggers and other unpleasant crap.
     
    Last edited: Jan 8, 2009
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This is of no consequence when the user chooses to install something. Storm, one of the most successful exploits and largest of botnets, is proof of that. Subject lines in the emails include:

    • "Stand by my side"
    • "I want to be with you"
    • "Lucky to have you"
    Clicking on the link takes the victim to a web page. Clicking to download brings up a prompt:

    [Image: storm-dl-1.gif]

    As one analyst observed about an exploit for Mac, this type of ploy works no matter the operating system:

    Storm's tactic of delivering many variants daily ensured that many AV did not keep up with them.

    Do you think patching would prevent these trojans from installing when the user gives permission? It's possible that some sophisticated behavior analysis, like Threatfire as you suggest, would throw up a flag, but it seems to me that anyone with the technical knowledge to use such a device and understand the prompts would not succumb to this type of ploy in the first place.

    The "average Joes" I've talked to about these matters don't do more than update when their products notify them. Some do by email, some by prompts. Opera, for example, prompts when a new version is available. None of the "average Joes" I'm in contact with have delved at all into the sophisticated technicalities of malware today. I don't think that any would know what hook, heuristics, rootkit, kernel mode, etc., are. They would be totally befuddled at the technical discussions in some of these threads and become lost after the first line.

    Yet they understand that all malware (they would probably use the term, "virus") have to get on the computer and execute before they can infect. They understand the basic ways that a virus can be delivered.

    The remote code execution exploits are much sensationalized. Using Opera or Firefox pretty much eliminates that threat. And restrictive user accounts, as you suggest.

    It is the social engineering exploits that pose the biggest challenge because of the trickery involved. It doesn't take a lot of sophisticated gadgets to solve this challenge.

    This is not to be unsympathetic towards the millions of unfortunate people who have become victims of such stuff.

    But in prevention, our responsibility in these matters, in my view, is first to ourselves, and then to those in our sphere of influence who will listen.

    The rest will have to depend on the work that people like you do in helping them restore their systems!

    ----
    rich
     
  14. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Rmus,
    There are many attack vectors, and patching helps prevent the indiscriminate application of hooks into vulnerable components. These trojans often use these "vulnerabilities" to exploit functionality with minimal use of code. By patching early you may deny access by those methods, thus reducing the potency of the infection and perhaps preventing some altogether.

    Also, as I stated earlier, using a tool like Threatfire, or perhaps I should have said HIPS, would have provided an opportunity to detect the "behavior" instead of a listed hostile executable. Perhaps, as in the case of Prevx and Threatfire, it may also have picked up the hostiles and nipped them in the bud during activation of the executable, as these also have a rather nimble response to new infections.

    Where it regards social engineering, only a system such as WOT and SiteAdvisor can effectively provide protection, as they in time (usually short) become aware of such a web site's track record by providing users the ability to report hostile and inappropriate or actionable social engineering attempts. Thus, when the ratings turn red, the attempt will be blocked by the software. It is somewhat reactive in its response, but to someone being protected by such it can prove incredibly useful.

    It also offers Joe the Plumber a way to help and contribute his input, and thus protect other users from getting nailed by the same scam site or social engineering tactics...
     
    Last edited: Jan 10, 2009