Wormguard still useful?

Discussion in 'other anti-malware software' started by Gen, Nov 4, 2008.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi FanJ,

    No, this is the weakness of WG (and all other script blocking programs) as I outlined in my Post #5 above. This is the reason I find these programs of no use to me.

    I'm not worried about my being tricked into clicking on an untrusted script file. It is the remote code execution exploits using wscript.exe, etc., that can be dangerous.

    But these exploits are easily handled by other means:

    • Disable AutoRun on USB drives (many ways to do this)

    • Use .reg files to toggle the disabling/enabling of wscript.exe and cmd.exe

    • Security in place to block executable payloads

    Take care,

    -rich
     
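    As an added illustration of the second and first bullets above (example registry file, not Rmus's own; the key paths and value names are standard Windows ones, the 0/1 toggle convention is the assumption), one .reg file that disables Windows Script Host machine-wide and turns off AutoRun for every drive type:

```reg
Windows Registry Editor Version 5.00

; Added example, not from the thread. Disables Windows Script Host so that
; wscript.exe / cscript.exe refuse to run .vbs/.js files for all users.
; To re-enable, import a copy of this file with "Enabled"=dword:00000001
; (or delete the value); per-user control uses the same path under HKEY_CURRENT_USER.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"Enabled"=dword:00000000

; Disables AutoRun/AutoPlay on all drive types. Each bit of the mask is one
; drive type (removable, fixed, network, CD-ROM, ...); 0xFF sets every bit.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
```

    Import with regedit (administrator rights required for HKLM), then verify by double-clicking a harmless .vbs file: WSH should refuse with a message that Script Host access is disabled on this machine.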
  2. Gen

    Gen Registered Member

    Joined:
    Jan 9, 2007
    Posts:
    73

    Are you referring to HIPS only here or other programs?
     
  3. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Exceptionally hard is the answer.;)
     
  4. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    There are a number of solutions, including Software Restriction Policies (SRP) which Pedro refers to.

    Earlier this year, I enlisted the help of several people to test different applications which successfully block the running of executable files by remote code execution. Here is the write up:

    http://www.urs2.net/rsj/computing/tests/remote

    ProcessGuard, Anti-Executable, and of course, SRP, are not HIPS. I'm not sure about the others. What it is called is of lesser importance than what it is able to do.

    Because the script blocking programs discussed in this thread do not work against remote code execution attacks (especially those using browser and plugin vulnerabilities), it is important to have security in place which will block those script payloads which attempt to deliver a malicious executable, as most attacks today do.

    While Anti-Virus is helpful, it is not always dependable because of the sophistication of malware writers these days. An example today, with an explanation as to why AV can be fooled:

    Adobe Reader vulnerability exploited in the wild
    http://isc.sans.org/diary.html?storyid=5312

    (Modifying code to fool AV is nothing new, of course. At the height of the Storm malware attacks, variants were seen in the wild on a daily, sometimes hourly basis)

    The script used is Javascript. I confirmed with the ISC handler that the payload is a trojan executable. A patch was recently put out by Adobe, but anyone with protection mentioned above would be immune to such an attack should an encounter with the exploit have occurred before the patch was issued.

    To recap: the reason why the script blocking programs mentioned in this thread will not catch this PDF exploit is that the user is not clicking-to-open a .js (javascript) file that is on the hard drive. Rather, the Adobe Reader is interpreting the javascript code directly as a javascript object embedded in the PDF file.

    Some solutions:
    • Be careful with unknown, untrusted PDF files

    • Disable javascript in the Reader

    • Have execution prevention security to block the executable payload
    ----
     
  6. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Rmus,

    You spoke of USB payloads and remote execution.

    I had a situation that puzzles me.
    I have a new computer I am going to use for non-internet stuff; installed Windows but not activated, past the activation period.
    Decided to update the BIOS to a new version.
    My laptop has malware issues that aren't being solved by scanners.
    I used a USB stick, downloading the BIOS update to it.
    Took it to my offline computer.
    Boot into the BIOS. Stick must be in before booting, argh.
    After doing this, my HDD spun up, which it never did before when booting into the BIOS. It stayed active until I completed the process and shut down.
    Now when I boot up into the BIOS the HDD does not spin up. It was only in conjunction with the USB stick.

    Should I be worried of something lurking now?

    What type of malware would be able to spin up a HDD from USB?
    What USB needs the HDD in order to function?
    If there is something malicious occurring, then nothing listed in this posting will protect me, or you, except not using USB, period, for file transfers.
    Now since I am going to wipe and reinstall anyway, if there is something in the file system of the drive, no big deal.
    But on the other hand, if something was installed in firmware or the HDD controller or other places, I am SOL.
     
  7. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    You seriously need to tune the paranoia about 239 notches down... :D

    A HDD spinning up is perfectly normal when you insert a non-bootable USB stick, since the BIOS tries to boot from another device.
     