Zero Day-How's your AV

Discussion in 'other anti-virus software' started by Franklin, Apr 14, 2007.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Mrkvonic,
    I don't really care if it's all real, true, untrue, ... that doesn't matter to me as long as I can keep my computer clean and I mean really clean.
    A scanner message "Congrats, no infections !!!" doesn't assure me my computer is clean. Maybe it does that to scanner-fans, but not to me.
    A scanner is a sissy method to fight against malware. :)
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I've heard the same from others, but in the 3 years I've had this Yahoo account I've never received any malware. Lots of spam in the Bulk folder, but no malware.

    So, all Yahoo accounts are not created equal. Or maybe there are different ways of signing up for a Yahoo acct.??

    -rich
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    IMHO the answer to your question should begin with analyzing the ways malware gets installed, developing a security strategy, then selecting the products that you feel are most effective for each of those ways.

    None of the products you mention are effective against the Storm threat, because this avenue of infection falls into the category of "installation of trusted applications."

    So even if you have default-deny protection, that is moot if you decide to let the patch.exe file run. You've been convinced that this patch is legitimate, then you disable your security to let the executable run.

    EDIT: someone pointed out the possibility that an AV *might* detect it, but I hope you realize that it's not reliable.

    While in the present Storm sample I received, the firewall alerted to the outbound connection of the rootkit wincom32.sys, fcukdat has pointed out in another forum that

    My emphasis. What is the prevention here? Already covered in previous posts: Never install an executable received anonymously in an email.

    No security product necessary. Herbalist says it best:

    Why indeed?!

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
    Last edited: Apr 16, 2007
  4. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    If you are referring to, I dunno, AV-Comparatives and Kaspersky then maybe. In reality you're going to need a little bit more than that. AV-Comparatives' (or any independent test house's) malware test samples make up a small fraction of the total worldwide malicious files.

    YUP!

    tD
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If it is an executable, Faronics's Anti-Executable would stop this malware, because it isn't whitelisted.
    But AE isn't foolproof either, so I still need my frozen snapshot for all the failures of security software,
    including my firewall of straw and router. :)
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,

    Frozen snapshots aren't bulletproof either if your system dies.
    The only bulletproof thing is knowledge. The ability to reproduce desirable results.

    Save your personal stuff 100 times. And learn to build a setup that will suit you. Then, if you are lazy, create an automated environment to reproduce this setup if you will, be it imaging or whatever.

    Lastly, malware... boring. Irrelevant. Just use Linux. Or Windows, but again, it's no big deal. You don't need FD-ISR to defend against malware.

    Imaging was not created to test / recover from malware.

    Besides, if you want me to scare you - it is possible to overwrite MBR - even as a mistake, not talking about malware - or even the partition table. Not healthy if you do not have off-system procedures, like live CD or such...

    Mrk
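    The MBR overwrite mentioned above is easy to check for once you have an off-system copy of the first sector. The following is an added example (not from the thread, not any product's code) that parses a classic 512-byte MBR, hashes the boot code, extracts the four partition entries, and compares a live sector against a saved backup. The samples at the bottom are constructed in the block; `read_mbr()` is shown for a real device (e.g. `/dev/sda` as root on Linux, or an image made with `dd if=/dev/sda of=mbr.bin bs=512 count=1`).

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PART_TABLE_OFFSET = 446
# status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY = struct.Struct("<B3xB3xII")


def read_mbr(path):
    """Read the first sector of a block device or image file (needs root on a real device)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def parse_mbr(mbr):
    """Split a classic MBR into a boot-code hash and its partition entries.
    Raises ValueError when the sector is not a usable MBR, which is what an
    overwritten or zeroed sector looks like."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (MBR_SIZE, len(mbr)))
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("0x55AA boot signature missing")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY.size
        status, ptype, lba_start, sectors = PART_ENTRY.unpack(mbr[off:off + PART_ENTRY.size])
        if ptype == 0:
            continue  # unused slot
        partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"bootcode_sha256": hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest(),
            "partitions": partitions}


def check_mbr(saved, current):
    """Compare the live sector against the off-system backup; empty list means unchanged."""
    reference = parse_mbr(saved)
    try:
        live = parse_mbr(current)
    except ValueError as exc:
        return ["live MBR unusable: %s" % exc]
    findings = []
    if live["bootcode_sha256"] != reference["bootcode_sha256"]:
        findings.append("boot code differs from backup")
    if live["partitions"] != reference["partitions"]:
        findings.append("partition table differs from backup")
    return findings


def build_mbr(bootcode, partitions):
    """Assemble a constructed MBR for the demonstration (not taken from a real disk)."""
    sector = bytearray(MBR_SIZE)
    sector[:len(bootcode)] = bootcode
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        off = PART_TABLE_OFFSET + i * PART_ENTRY.size
        sector[off:off + PART_ENTRY.size] = PART_ENTRY.pack(0x80 if bootable else 0, ptype, lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: a backup taken while the disk was healthy, the same disk
# after something rewrote the boot code, one with a shrunk partition entry, and
# a sector zeroed by mistake.
HEALTHY_PARTS = [(True, 0x07, 2048, 41943040)]
SAVED_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", HEALTHY_PARTS)
REWRITTEN_BOOTCODE = build_mbr(b"\xeb\xfe", HEALTHY_PARTS)
CHANGED_TABLE = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(True, 0x07, 2048, 1000)])
ZEROED_SECTOR = bytes(MBR_SIZE)

if __name__ == "__main__":
    for label, live in (("intact", SAVED_MBR), ("boot code rewritten", REWRITTEN_BOOTCODE),
                        ("partition table changed", CHANGED_TABLE), ("zeroed", ZEROED_SECTOR)):
        print(label, "->", check_mbr(SAVED_MBR, live) or ["no change"])
```

    Keep the saved sector somewhere the running system cannot reach (a live CD, a USB stick that is normally unplugged); a backup stored on the same disk is wiped by the same mistake.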
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Any software is vulnerable to a direct attack. What is common to all software isn't worth talking about. Backup images take care of that. Case closed.

    FDISR's latest build, 202, doesn't require the MBR anymore. So that problem is also solved. In the previous builds, it wasn't a problem either. Backup images take care of that. Case closed.

    Image Backup is a slooow recovery solution, Immediate System Recovery is not, otherwise I wouldn't have FDISR on my computer.

    I'm building a solution, one without 30+ security programs.

    Linux isn't used by everybody, also Windows users need solutions.
     
  8. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Given Prevx1, I don't know if that's true. The best thing about it is that you run the .exe (you are warned that it is unknown, a very rare thing, which should raise suspicion as is) and Prevx1 should report its behavior, later on label it as malware and clean. The program to cure shot in foot.

    I don't know that Storm threat, or how Prevx1 would perform today. But conceptually, you have to agree, it's the only way.
    It should handle custom-made malware. Whether it's mature enough already to do that, I don't know, but it's the only program that shows promise for that effect.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    In this situation, if the user decides to install the patch, he turns off AE, and all subsequent executables are then installed, including the rootkit.

    The reason I blocked it was that I knew ahead of time what would happen, so I turned off AE to permit the patch_.exe file to extract; then I re-enabled AE so as to catch the loading of the rootkit, wincom32.sys.

    This would not be standard procedure, since setup files often install drivers, dlls (executables) and you trust them, so you let them install. Unless you want to do a file scan/check on every executable unpacked.

    regards,

    -rich

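    The two posts above (AE stops what isn't whitelisted; once you turn it off to let a setup run, everything it drops gets in) can be made concrete with a hash allowlist plus a before/after inventory of the install window. This is an added example, not Faronics' code and not a description of how Anti-Executable is implemented: files are identified by SHA-256 rather than name, an unknown file is denied while enforcement is on, and the diff taken after the install lists exactly the executables (including any .sys driver) that would need checking before they are added to the allowlist. The directory tree, file names and contents are constructed inside the block; `EXEC_SUFFIXES` is a list chosen for this example.

```python
import hashlib
import tempfile
from pathlib import Path

# File types an anti-executable would police. Chosen for this example; not any product's real list.
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".ocx", ".scr", ".drv", ".cpl"}


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(root):
    """Relative path -> SHA-256 for every executable-type file under root."""
    root = Path(root)
    result = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            result[p.relative_to(root).as_posix()] = sha256_file(p)
    return result


def is_allowed(path, allowlist):
    """Default deny: only content whose hash is on the allowlist may run, whatever it is named."""
    return sha256_file(path) in allowlist


def install_window_diff(before, after):
    """Everything an installer added or replaced while enforcement was off."""
    return {
        "added": sorted(set(after) - set(before)),
        "changed": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def demo():
    """Constructed scenario: the unknown patch is denied, then run with enforcement off."""
    with tempfile.TemporaryDirectory(prefix="ae-demo-") as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "drivers").mkdir()
        (root / "app" / "editor.exe").write_bytes(b"MZ constructed editor")
        (root / "app" / "helper.dll").write_bytes(b"MZ constructed helper")
        before = inventory(root)
        allowlist = set(before.values())   # the known-good set is what may run

        patch = root / "patch_.exe"        # the e-mailed "patch": unknown hash
        patch.write_bytes(b"MZ constructed patch")
        denied = not is_allowed(patch, allowlist)   # enforcement on: blocked

        # Enforcement off: the "patch" replaces a DLL and drops a kernel driver.
        (root / "app" / "helper.dll").write_bytes(b"MZ constructed helper, trojaned")
        (root / "drivers" / "wincom32.sys").write_bytes(b"MZ constructed rootkit driver")
        after = inventory(root)

        report = install_window_diff(before, after)
        report["patch_denied_while_enforcing"] = denied
        # What the install left behind that the allowlist has never seen: review these,
        # do not bulk-approve them just because the setup "looked legitimate".
        report["needs_review"] = [p for p in report["added"] + report["changed"]
                                  if after[p] not in allowlist]
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

    The point of taking the inventory before and after, rather than trusting the setup wholesale, is that the driver write is visible in the diff even when the user chose to run the installer.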
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,
    Erik, I have a security solution that is not based on any freezing / anti- and I still do not run 30+ programs.
    Mrk
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Very interesting.

    The sure test will be to watch for the next new in-the-wild exploit and try it out!

    regards,

    -rich

     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Linux is as vulnerable as Windows, it's just not an interesting target for the bad guys. Once there are enough Linux users, it will be a target.

    3 years back, Firefox was untouchable, now one patch after another, because it is a target now.
    Everybody told me it was SAFE.

    History repeats itself and Linux will end in the same situation as Windows and Firefox.
     
  13. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Hey, maybe a wilders member can perform such test:D . If it happens, he/she has to wait a day or two to see if Prevx1 can clean, if it doesn't detect at first.
    3 problems:
    1-malware shuts down Prevx1. The obvious solution would be Prevx1 should detect that behavior and shut it down. Problematic, but possible, since Prevx1 is there before malware.
    2-Prevx1 cleans too late: malware did what it had to do.
    3-not signaled as malware, heh. But I don't think that's possible (sure, impossible is nothing, especially in software).
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, but who says I have to update. If I turn off my protection, I'm lost, just like I would de-freeze my frozen snapshot, when I'm online.
    Do I really need these updates, if I reboot each time with a clean working snapshot ? There are other ways to update Windows and applications.

    I only need Anti-Executable = ON, not OFF, except when I disable my internet right after reboot for installing some new legitimate software, which I don't do very often.
     
  15. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Erik, "Linux" works in a different way. Rootkits install if you specifically/intentionally/ consciously allow it- enter root password, ETC.
    It doesn't have Netbios for one, you can derive other differences from that!

    Firefox does have patches, but note that it isn't malware writers that submit those. The key thing here is was FF exploited or not? IE has, for sure.
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Once people understand the importance of starting out with a security strategy which includes understanding the nature of malware threats and how they install and how to prevent them, then what OS or programs one uses is of no consequence. Threats like the current Storm exploit are of no concern to those who fit into this category.

    For such people, arguments and discussions of which OS, browser, etc is more secure will be relegated to the dust heaps of academic blather.

    regards,

    -rich

     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, Linux is unsinkable, just like the Titanic. People always have to learn it the hard way. Everything made by mankind, failed more than once. Never underestimate the bad guys, they changed the whole internet.
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This is the point I'm making: for those who decided that they needed this patch, at that moment, it became "legitimate" software.


    regards,

    -rich

     
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,
    Or personal taste, preferences and functionality needs.
    Mrk
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Then it fails, because that is the whole point: nothing (so far) can detect a file for which a signature (or some other method of ID) hasn't been created.

    regards,

    -rich

     
  21. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    No one says it can't be done. It is superior, yes. IMHO.
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, Of Course!!

    But those are different reasons!

    regards,

    -rich

     
  23. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I say a day just to make the test interesting. One hour or two should be enough.
    What I'm saying is, malware passes everything (if the user allows), nothing should detect it, since it was built that way (tested against AVs).
    What has the chance of cleaning it? Assuming you're the only one with it (kind of ceteris paribus situation).
     
  24. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    This is a battle between good and bad BRILLIANT minds, where average people don't play a role anymore.
    The smart bad guys provide the ideas and quality, the other bad guys provide the quantity.
     
  25. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    That's the point of a behaviour blocker/analyzer. If a file isn't flagged as malware by signature/heuristic it will be allowed to run but with a watchful eye on its behaviour. Sure, all measures can be bypassed, but bypassing a behaviour blocker is a very difficult task.

    Have you tested with a Rustock sample against your setup? It's interesting to see how Kerio outbound control is bypassed once the rootkit is allowed to execute.
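    Rmus's point earlier ("nothing can detect a file for which a signature hasn't been created") and the behaviour-blocker answer above can be put side by side in code. This is an added example, not anything from Prevx, Kerio or the thread: a toy byte-pattern scanner with one constructed signature, the same payload re-encoded with a one-byte XOR (standing in for a repacker) so the pattern no longer matches, and a small stateful rule set run over a constructed event trace of the dropper doing what the Storm sample was described as doing (write a .sys into the drivers directory, load it, connect out). The repacked file produces the same trace, so the behaviour rules fire for both. The trace also includes Pedro's first failure mode, the malware killing the monitor; `monitor.exe` is a constructed name. The sequence number of the first alert shows his second failure mode: by the time the driver-load rule fires, the file write has already happened, so a blocker must be hooking the load itself to deny it rather than just logging it.

```python
from collections import namedtuple

# --- Signature side --------------------------------------------------------
# Constructed byte pattern standing in for a vendor signature; not a real one.
SIGNATURES = {"Constructed.Dropper.A": b"drop:wincom32.sys"}


def signature_scan(blob):
    """Return the name of the first signature whose pattern occurs in blob, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in blob:
            return name
    return None


def xor_bytes(data, key):
    """One-byte XOR 'packer': enough to break a fixed byte pattern, trivially undone at run time."""
    return bytes(b ^ key for b in data)


PAYLOAD = b"drop:wincom32.sys"
ORIGINAL_SAMPLE = b"MZ\x90\x00" + PAYLOAD + b"\x00" * 8
REPACKED_SAMPLE = b"MZ\x90\x00" + xor_bytes(PAYLOAD, 0x5A) + b"\x00" * 8  # same behaviour, no hit

# --- Behaviour side --------------------------------------------------------
Event = namedtuple("Event", "seq proc op target")
MONITOR_PROCESSES = {"monitor.exe"}  # constructed name for the behaviour blocker's own process

# Constructed event trace of the dropper running; the repacked sample yields the same trace.
TRACE = [
    Event(1, "patch_.exe", "file_write", r"C:\Windows\System32\drivers\wincom32.sys"),
    Event(2, "patch_.exe", "driver_load", r"C:\Windows\System32\drivers\wincom32.sys"),
    Event(3, "patch_.exe", "net_connect", "203.0.113.7:443"),
    Event(4, "patch_.exe", "proc_kill", "monitor.exe"),
]


def behaviour_alerts(events):
    """Stateful rules over the trace; returns (seq, message) for each alert in firing order."""
    alerts = []
    dropped_driver = {}    # proc -> driver path it wrote
    loaded_driver = set()  # procs that went on to load what they wrote
    for ev in events:
        target = ev.target.lower()
        if ev.op == "file_write" and "\\drivers\\" in target and target.endswith(".sys"):
            dropped_driver[ev.proc] = target
        elif ev.op == "driver_load" and dropped_driver.get(ev.proc) == target:
            loaded_driver.add(ev.proc)
            alerts.append((ev.seq, "%s wrote and then loaded kernel driver %s" % (ev.proc, ev.target)))
        elif ev.op == "net_connect" and ev.proc in loaded_driver:
            alerts.append((ev.seq, "%s connected out to %s after installing a driver" % (ev.proc, ev.target)))
        elif ev.op == "proc_kill" and target in MONITOR_PROCESSES:
            alerts.append((ev.seq, "%s tried to terminate the monitor %s" % (ev.proc, ev.target)))
    return alerts


def first_alert_seq(events):
    """Sequence number at which the first alert fires; everything before it has already run."""
    alerts = behaviour_alerts(events)
    return alerts[0][0] if alerts else None


if __name__ == "__main__":
    print("signature, original:", signature_scan(ORIGINAL_SAMPLE))
    print("signature, repacked:", signature_scan(REPACKED_SAMPLE))
    for seq, msg in behaviour_alerts(TRACE):
        print("behaviour alert at event", seq, ":", msg)
```

    Neither rule needs to know the file's bytes, which is why repacking does nothing against it; the cost is that the rules are only as good as the behaviours someone thought to write down, and a sample whose first act is the `proc_kill` gets one alert and then silence.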
     