PDA

View Full Version : OT malware is getting worse



J Tiers
07-20-2008, 02:45 PM
neighbor has the worst malware problem I have yet seen.

of course, he is using XP with no service packs, although he IS (was?) using Zonealarm and an anti-virus program.

Apparently his IP suggested a program to fix a problem for him, and he says that the program infected the comp.... maybe, maybe not.

In any case, the malware pops up a message to go and get a particular program to fix the detected problem. He at least isn't silly enough to do that.

It has also turned off Zonealarm, turned off the AV, and refuses to let any remotely common AV or antispyware program run.

Zonealarm is represented by a red X in the tray, and the malware has added another X next to it as its link to whatever nasty stuff it wants to do.

Nice........

ProGunOne
07-20-2008, 03:01 PM
I had a similar problem a while back and these folks here walked me through it and helped me get rid of it for free. They do accept donations.

http://www.malwareremoval.com/

Yankee1
07-20-2008, 03:03 PM
Hi JT
Look up program in "Add or Delete Program" then change extension in order to be able to delete it. If extension is not changed you won't be able to delete it. This worked for me before.

J Tiers
07-20-2008, 05:45 PM
Add or delete WHAT?

You didn't suppose the malware was going to look like MS Works or "Mavis Beacon Typing Tutor" in the "all programs" display, did you?

Obviously it came IN with the alleged program, but does not DELETE with it.....

tattoomike68
07-20-2008, 06:01 PM
Find the name of it.. so we can warn our friends.

the last one that bad I saw was the CIH (chernoble virus) back in 2002. it would eat a virus scanner and flash your bios on the 28th of any month. back then I used everything to try and get rid of it. One program would load up and kill it....... Norton the one and only POS.. but it did work.

My brand new laptop came with norton for 60 days after that im dumping it.

dp
07-20-2008, 06:14 PM
These discussions always get my broken record spinning - nothing takes the heartbreak out of running Windows like running Windows in a virtual machine. Even when Windows is the host the VM runs in.

When a VM becomes infected (and it will) you just delete it and replace it with a fresh copy from a DVD or set of CD's, complete with all your applications already installed and ready to go. In fact that is the only role the host OS has - to replace and run the VM. Because you never actually use the host it can never become infected.

You need only be sure you don't store your data in the virtual machine hard drive without backing it up to the host - you can copy your vm "My Documents" folder to your host system by dragging and dropping, or by sharing your host's folders to your vm. We're talking about 30 minutes recovery time for a full recovery - far less than it takes to dl yet another AV/Malware tool and install it, and by deleting and replacing the VM you delete the viruses with it.

The software that runs the VM is free. How you get a Windows virtual machine to run is as simple as asking a Mac owner to make one from your installation DVD or CD.

J Tiers
07-20-2008, 09:54 PM
'Tain't my problem, it's my neighbor's.

I have to place SOME blame on him for running XP no service packs, and possibly not having all the AV running. And, not updating Zonealarm for a recent vulnerability, etc, etc, etc.

While I don't think SP2 is that much better, some programs require it, and AFAIK nothing refuses to run if it is in place.........

Anywho, I gave him a CD with every freeware AV and anti-spy program I know of on it. Something has to work, or he will have to re-install.

And that may not even do it, I understand some malware hides very well in "unused" or "marked bad" areas of the disk.

I think this one may be actually "Blackmail-ware"...... the kind that installs malware, and then requires a specific pay-for program to remove it. Naturally, your CC is probably "collected and re-used" when you DO "pay-for"..................

FEH...

pcarpenter
07-21-2008, 12:02 AM
Most malware nowdays travels in the form of "bots" looking for vulnerable machines. No SP1, no post-SP1 hotfixes, no SP2, no post SP2 Hotfixes etc....that's a HUGE number of vulnerabilities your neighbor has chosen to live with. Security is about doing all the right things (not just some) and hoping for the best. Just using a firewall is one piece. Its not a substitute for plugging the list of holes that get fixed nearly every month. He needs to have automatic updates turned on. Without it, running a firewall is like locking the doors when you leave home, but leaving all the windows open.

In our experience, once a machine is hacked, usually the first piece of many that the bot installs is a rootkit used to hide the other stuff installed from the user logged in at the console. We usually then remotely map to the c$ share on an infected machine so that Virus detection etc. can find stuff that it would miss if run on the local machine (due to the rootkit damage done).

One other trick is to go get the malware removal tool released monthly from MS. Running it will touch nearly every file and often "touching" those files will allow your virus detection (if updated) to see a payload in a file that may otherwise lay dormant until the next reboot--at which time registry keys that were added will make use of it...so don't reboot until you are done with some cleanup.:rolleyes:

Once infected its pretty much impossible to know you found everything they did under the cover of a rootkit. The most common things are that an FTP server or remote control service will get installed on some odd TCP port number and a port scanner would let you find odd open ports. You then have to figure out what service is running that accounts for it. They occasionally name things poorly enough in the service names or in the "comments" in the services applet that you can easily find it--sometimes in broken english. Sometimes even names of legitimate services that were otherwise disabled are used to hide the FTP server and others they are running. You might have the "indexing service" disabled, for example and they name their malware item "indexing service" in hopes that it will get overlooked. You pull up properties on each service and look at the path to the executable and compare to a clean machine and it points to something other than the executable that is the indexing service on the good machine. Again, however, this is usually hidden from the console user so you have to use the "services" applet on another computer and point it to that one.

Good luck
Paul

Evan
07-21-2008, 02:19 AM
With only a very few exceptions a firewall does nothing to protect your machine against client level malware. That isn't the purpose of a firewall. The primary job of a firewall is to monitor traffic to see where it is coming from and why. In general, unless you are running a server of some sort there is no reason for a connection to be initiated from the outside. Note that various forms of chat software, webcam software, inet phone software et al may contain a server function as well as some gaming software. The firewall inspects data packets to see why they exist, not what they contain. The default condition for nearly any firewall is to not allow connections to be started from outside the machine. This has virtually nothing to do with stopping a virus with the exception of a few items such as the Code Red worm or the Blaster worm. Viruses sail right through the best firewalls because identifying and stopping them is not a firewall's job.

The great majority of viruses/spyware/malware/scamware depend on the user to do something in order to install the malware. They generally use "social engineering" to trick the user into activating the virus. This is far easier for the hackers than trying to find and exploit a vulnerability that allows for fully remote compromise of a machine. It means that if your machine has a virus it is most likely because you did something to help it.

You might try SuperAntiSpyware. I have used it in the past and it seems pretty effective.

http://www.superantispyware.com/

dp
07-21-2008, 02:53 AM
A good firewall can prevent interior systems from connecting on well-known and dangerous ports. In a well managed environment there is little if any reason for an interior system to connect to any exterior system on port 25 (smtp) except for those addresses provided by the ISP. This prevents the system from becoming a spam broadcaster and is simple to do. Same goes for ports 20, 21, 22, 23, and a number of others (IRC ports are evil). Shut them down (for outgoing connections) and your system becomes useless for the attacker's purposes.

A good firewall will also act as a proxy for many inbound and outbound connections and can actually use real-time AV software to check incoming data. See http://www.opensourcehowto.org/how-to/squid/squid-clamav--havp.html.

A really good firewall will inspect all outgoing mail to be sure it is virus and spam-free. Nowhere near enough businesses check their outgoing mail for viruses which of course means I have to check it on inbound. All the servers I run also check outbound and alla y'all who don't get spam and viruses from my systems are welcome :)

All it requires is a decent dual-core PC running Solaris 10 or Linux of some flavor and some free software.

Evan
07-21-2008, 03:23 AM
A really good firewall will inspect all outgoing mail to be sure it is virus and spam-free.

That isn't a firewall function within the original meaning of the term. "Firewalls" are turning into security suites instead of just a firewall. The problem is that many firewalls available including the one built in to Windows XP are just firewalls. Expecting them to prevent a virus or spyware riding in on legit data is a misplaced hope based on an incomplete understanding of what a firewall should do. The firewall included with XP serves just fine as a firewall and is all you need for the firewall function. To detect malware requires different functionality which may or may not be included in a firewall package. For a software vendor to describe a product as a firewall even though it doesn't contain virus checking or other malware prevention features is perfectly honest and consistent with the definition of firewall.

J Tiers
07-21-2008, 08:08 AM
1) Many "firewalls" are pretty meaningless.

however, Zonealarm does TWO things, both within the basic firewall "definition".

a) it closes all open ports except ones you WANT open. That means that remote atempts to access via an open port will fail, there will appear to be no machine present.

b) it also closes off OUTGOING traffic except from authorized apps. Obviously this is not "as" effective, since in order to use the 'net, some form of browser is needed, and it must be open for receive and send. To "hide", malware need only use the services of an authorized program such as a browser. However, that is almost unavoidable.

None of the above will help when the user, as apparently occurred in this case, actually downloads and installs a program which is either carrying malware, or is pretending to be "goodware".

2)
As far as "automatic updates", MS versions of that can be dangerous. I have personally seen "security updates" make certain programs unusable, turn off services, etc. The default seems to be "turn it off" before figuring out how to actually FIX the problem.

I don't recall the details, it was at the last job, and the IT people were pretty hot about the user in question (not me) having activated updates. But I DO recall that it messed up some programs as well as system access, and they had to work on his machine for some time.

NickH
07-21-2008, 08:45 AM
1) I don't recall the details, it was at the last job, and the IT people were pretty hot about the user in question (not me) having activated updates. But I DO recall that it messed up some programs as well as system access, and they had to work on his machine for some time.

Poor IT people I'm afraid, if they didn't want him to do that it is within the capability of any decent IT department to produce a Windows build with any chosen functionality denied to the user, most are too lazy or not competent enough to do it though,
Nick

Evan
07-21-2008, 10:12 AM
...it is within the capability of any decent IT department to produce a Windows build with any chosen functionality denied to the user...

Yep. You could do it even with Win 98, NT is a snap. People lose sight of the fact that a machine supplied by an employer is a tool to do a job and how it works is entirely up to the employer. We had laptops when I worked for Xerox and they soon adopted a policy of total standardization of the software suite on the machine. This was done by issuing updates as "golden images" on a CD that replaced the entire disk image with a new one by ghosting the C drive. Any data that needed to be persistent was was first burned on a CD by a script and that most definitely didn't include anything that wasn't part of the approved install package. If you didn't update your machine it soon became out of sync with the online systems it had to communicate with and you couldn't do your job. When they implemented that system there was a lot of grumbling but they pointed out that they supplied the computer and keeping it working their way was a condition of employment.

dp
07-21-2008, 01:22 PM
That isn't a firewall function within the original meaning of the term. "Firewalls" are turning into security suites instead of just a firewall.

Evan, firewalls are my livelihood and have been for years (well, before I retired a few weeks ago) so trust me when I tell you, firewalls do so very much more than what you describe and even what I have described so far. They have always been "suites". An interesting early implementation being the "Firewall Tool Kit". We now have streams based stateful inspection packet sniffers and marvelous opensource tools like "Snort" to examine content in real time and compare it against databased patterns (http://www.snort.org/), full intrusion detection tools, malware detection in real time, behavior analysis, data mining... A very large list. These and more are what people I deal with expect from their firewalls. The term firewall defines a boundary, not an implementation.

What constituted a firewall 20 years ago when I first started working with them has grown into what we have today. It would be odd to cling to an early definition of a term that actually began as jargon and nobody in the trade considers describing modern firewalls to be anything but more complete firewalls. Clearly the field has grown by necessity, but the objective of today's very complex firewalls remains what it was when the Internet went public - keep the bad guys out, detect them if they get in, fix the hole.

But to put things on context, I'm talking about real firewalls, not the kinds of things an end user is likely to install on their Windows box. Not that there's anything about the systems I work on that cannot be put in place in the home. I have one :) and I'm building one for a friend in Hawaii who was recently hacked (on a Mac of all things).

The notion of having a firewall on the end-user's system is in itself a bit optomistic. They really need to be stand-alone systems as the name implies - between the user and the world. To a degree many cable and DSL modems provide simple firewall features, but the CPU on those things haven't the power to deal with much of a threat, and you'll read many support websites where people complain their modems restart constantly.

dp
07-21-2008, 01:35 PM
None of the above will help when the user, as apparently occurred in this case, actually downloads and installs a program which is either carrying malware, or is pretending to be "goodware".

Which is why a firewall on an end-user system is a bit of a joke. In the movies this is where the bad guys say "you take out the guards and Louie and I will grab the cash". They are the first thing good malware will defeat.

I archived the intruder's "home" directory they created on a system I'm cleaning up. I'm very impressed with the tools they installed to take over the system once they got in. Very organized and highly automated, though they seemed puzzled with the system being a Mac and not Linux. That delay in execution allowed me to jump in and stop the show for them. How they got in was a silly mistake on the owner's part. He installed a web/ftp/dns/email product that came with a default admin password which he didn't change for a week. That's all it took for someone to get in and take over.

I'm building a proper DMZ for him that, apart from my labor which I'm donating, will cost less than $200 (1U Sun Sparc server from Ebay, Solaris 10, IPFilter packet filter, NAT with ARP forwarding, lots of customizations) but will be as robust as I can make it which is pretty damned robust.

Evan
07-21-2008, 02:42 PM
I disagree DP. I also spent years in the computer business including consulting on security. Here is the standard set of services a firewall provides. It may provide only stateful inspection or the entire set, but it is still a firewall. The definition and the function hasn't changed.



Firewall Techniques

Following are the different methods used to provide firewall protection, and several of them are often used in combination.

Stateful Inspection
Tracks the transaction to ensure that inbound packets were requested by the user. Generally can examine multiple layers of the protocol stack, including the data, if required, so blocking can be made at any layer or depth. See stateful inspection.

Network Address Translation (NAT)
Allows one IP address, which is shown to the outside world, to refer to many IP addresses internally; one on each client station. Performs the translation back and forth. NAT is found in routers and is built into Windows Internet Connection Sharing (ICS). See NAT and ICS.

Packet Filter
Blocks traffic based on a specific Web address (IP address) or type of application (e-mail, ftp, Web, etc.), which is specified by port number. Packet filtering is typically done in a router, which is known as a "screening router." See bastion host.

Proxy Server
Serves as a relay between two networks, breaking the connection between the two. Also typically caches Web pages (see proxy server).

http://www.techweb.com/encyclopedia/defineterm.jhtml?term=Firewall

None of those functions make a security decision based on actual packet content. Additional client services are provided by different applications which may or may not be integrated with the firewall application on the client or on a dedicated proxy machine.

lazlo
07-21-2008, 03:43 PM
Most malware nowdays travels in the form of "bots" looking for vulnerable machines. No SP1, no post-SP1 hotfixes, no SP2, no post SP2 Hotfixes etc....that's a HUGE number of vulnerabilities your neighbor has chosen to live with.

Agree 100%. There's at least 1 major security and vulnerability update from Microsoft each week, and if you're not up to date on your service packs, you might as well bend over and smile.

Some of the vulnerabilities Microsoft have fixed include non-privledged software being able to turn off the Firewall service :rolleyes:

As far as ZoneAlarm, it used to be pretty good, but has really gone down-hill in the last several years.

But seriously guys, for $30 you can buy a hardware firewall with stateful packet inspection -- that's so much more secure than relying on a client-side software service. Like Dennis says, software Firewalls are a joke in comparison:

http://www.gearxs.com/gearxs/product_info.php?products_id=9783

pcarpenter
07-21-2008, 04:28 PM
Agree 100%. There's at least 1 major security and vulnerability update from Microsoft each week, and if you're not up to date on your service packs, you might as well bend over and smile.


Yeah...with the fixes for these nearly weekly vulnerabilities released once a month on "Patch Tuesday" (aka black Tuesday):rolleyes:

Even with automatic updates on, there are still occasions to get hit. I subscribe to RSS feeds from SANS, Security Focus and some others and we have seen stuff get found and published there (updates are every 15 minutes in my feed reader) an hour or so after we had some wierd behavoir that ended up being the exploit that just got exploited:rolleyes: Still, you do the best you can and that *must* include having automatic updates turned on. Imagine then if you will how bad it is if you are missing literally hundreds of such security related hotfixes.

Paul

dp
07-21-2008, 05:58 PM
I disagree DP. I also spent years in the computer business including consulting on security. Here is the standard set of services a firewall provides. It may provide only stateful inspection or the entire set, but it is still a firewall. The definition and the function hasn't changed.

If I were hired to put in a firewall I'd be fired if it didn't include all that. On the other hand, if that was all I installed I'd be fired. It's a little bit like the difference between inertia and mass - a firewall is a boundary, and the suite of tools you use to defend that boundary are, well, boundless. There's no such thing as "a firewall product" though to think that is a common error. A firewall implmentation is a combination of software, hardware, and policy applied to your perimeter, DMZ, and all throughout your interior network.

Your page fails to list one of the most important tools in the kit. Some day the boss is going to ask if the firewall has been breached and there's nothing on that page that can answer that question. That takes a good IDS (intrusion detection system). Years ago I became a certified instructor for the Checkpoint Firewall products. Have a look at http://checkpoint.com/ for a better list of firewall products. It isn't complete, either.

.RC.
07-21-2008, 07:16 PM
Tell your neighbour to stop looking at pr0n or do what I do and get a decent antivirus/firewall and then look at pr0n.. :D:D

I use Eset Smart security and am quite happy with it..

mochinist
07-21-2008, 09:12 PM
But seriously guys, for $30 you can buy a hardware firewall with stateful packet inspection -- that's so much more secure than relying on a client-side software service. Like Dennis says, software Firewalls are a joke in comparison:

http://www.gearxs.com/gearxs/product...oducts_id=9783 (http://www.gearxs.com/gearxs/product_info.php?products_id=9783)
How hard is it to set up one of those properly if you're not a tech guru like you and Evan? I've used zonealarm for ages but wouldn't mind being more secure. The thing about zonealarm is the ease of use, it basically ask/tells you a program is trying to access the internet and you can allow it or deny it. I looked at the above website and it says this about it's firewall features(see below). Lol it might as well be in chinglish though, I dont have a clue what most of that means.
Firewall:
Stateful Packet Inspection (SPI), Network Address Translation (NAT), DoS Attack
Detection/Logging, Dropped Packet Log, Security Even Log, E-Mail Log,
multiple VPN Tunnels (Pass-Through, 2 IPSec, and multiple L2TP & PPTP)

J Tiers
07-21-2008, 09:22 PM
Tell your neighbour to stop looking at pr0n .

Surprisingly, I actually believe he followed ATT's advice....... The malware infested program wasn't theirs.... and I know he has had lots of trouble with ATT.

I have their DSL also, but have not had troubles of his types.

Oh, yeah....... he has a wireless modem....... so the last 10 feet is wireless.... Just another vulnerability.

As far as the firewall jargonfest...... I don't care whatcha call the software, such as Zonealarm. It still seems to keep the yentzers at bay.

I seriously doubt if he would have had any trouble if he had not put the program in place himself. I don't think ZA would allow it to be "back-doored" via some other "service".

Now I am wondering if the shlemazl has the messenger service turned on..... he has a 14 yo kid, whi uses same machine, so it's possible it is on...... yet another open door.

lazlo
07-21-2008, 09:28 PM
How hard is it to set up one of those properly if you're not a tech guru like you and Evan? I've used zonealarm for ages but wouldn't mind being more secure.

It's really simple -- I walked my Dad through it over the phone: you plug the router into the DSL/Cable head-end, plug the computer into the router, and there's a CD with a Wizard that will walk you through setting up the IP address and the DHCP settings. Takes about 10 minutes.

If you get stuck, the local cable and DSL providers know all the major brands and models, and they can walk you through the settings.

mochinist
07-21-2008, 09:49 PM
thanks lazlo

lazlo
07-21-2008, 09:52 PM
I looked at the above website and it says this about it's firewall features(see below). Lol it might as well be in chinglish though, I dont have a clue what most of that means.

Most of that stuff, including the VPN features, you probably don't need. "Stateful Packet Inspection" is a fancy way of saying that the router tracks all the network connections passing through your firewall and makes sure they are valid. The router keeps track of each active network connection (the "state"), which makes it much easier for the firewall to detect spoofing.

Older routers, and some firewall software, just look at each network packet individually, so it's a lot harder to detect the more sophisticated network attacks.

One feature most of these cheap router/firewalls (based on the AMIT chipset) have is event logging: if you're a masochist you can flip through the log of all the security events the firewall has blocked. I was shocked at how many port scan attacks are constantly pounding the firewall, looking for open ports.

The freeware I use to look at the firewall logs is "routerlog":

http://homepage.ntlworld.com/nitech/routerlog/

Evan
07-21-2008, 10:27 PM
But seriously guys, for $30 you can buy a hardware firewall with stateful packet inspection -- that's so much more secure than relying on a client-side software service. Like Dennis says, software Firewalls are a joke in comparison:

http://www.gearxs.com/gearxs/product...oducts_id=9783
__________________

This illustrates the point I am making perfectly. While that is no doubt an excellent firewall product it will do nothing to stop malware, spyware, viruses etc. As I have said, that isn't it's job. To secure the machine you also need additional software that isn't part of a firewall such as antivirus software and spyware scanning applications.

Dennis is using the term "firewall" as an all encompassing description of a set of security policies and software/hardware that is assembled to protect a network. While there is nothing in particular mistaken about calling it a firewall it can lead to confusion as to what is actually covered by a firewall product. I favor a more strict definition of firewall as it leaves much less room for misinterpretation of exactly what is being done by the product.

macona
07-21-2008, 10:34 PM
I am carefull and still get crap on my PC.

Simple solution, buy a mac. I use a Mac Mini as my primary internet computer and keeps the crud out of my PC.

lazlo
07-21-2008, 10:51 PM
While that is no doubt an excellent firewall product it will do nothing to stop malware, spyware, viruses etc. As I have said, that isn't it's job. To secure the machine you also need additional software that isn't part of a firewall such as antivirus software and spyware scanning applications.

I was trying to stay out of the nomenclature discussion, but I agree with that Evan -- even the best Firewall isn't going to stop your browser from installing a malicious Javscript if you surf the wrong page: your browser is effectively asking for the malware to be downloaded, and the Firewall will dutifully inspect the request, see that your browser asked for that packet sequence, and let it through.

I was suggesting something somewhat orthogonal, but on-topic to Jerry's original request: if you're having problems with a software-based Firewall like ZoneAlarm (and I've had a b!tch of a time with the later versions of ZA) then you can save yourself a lot of headaches with a cheap hardware firewall/router.

fasto
07-21-2008, 10:52 PM
www.ipcop.org
install it on an old pc
firewall worries gone
unless you blow it up yourself

turn off java in the browser
install privoxy
www.privoxy.org
to filter web content

don't let the kids use the computer

switch to linux for web browsing using a bootable CDROM

J Tiers
07-21-2008, 11:02 PM
I was trying to stay out of the nomenclature discussion, but I agree with that Evan -- even the best Firewall isn't going to stop your browser from installing a malicious Javscript if you surf the wrong page: your browser is effectively asking for the malware to be downloaded, and the Firewall will dutifully inspect the request, see that your browser asked for that packet sequence, and let it through.


if you have other stuff to stop malware, it MAY detect the baddie before it gets further.

Several different layers is better than one only. So long as they don't compete, of course...... some don't play well together..... as with Norton and any otehr computer software of nearly any type........

Still, a deliberate manual installation of bad software is difficult to prevent without rendering the computer nearly useless.

I have not heard how the issue was resolved as of yet.

Evan
07-21-2008, 11:59 PM
I use a Mac Mini as my primary internet computer and keeps the crud out of my PC.

Only because the hackers prefer the low hanging fruit. There is nothing about owning a Mac or any other computer operating system that protects from BDO errors (Brain Dead Operator). Social engineering has been the method of choice for a long time since it is so easy. It doesn't matter what system you have if you invoke an executable file you can infect your machine. Yes, I know that a user on a MAC isn't running root by default but that isn't a guarantee of security. Macs are in part more secure by design of the operating system but in larger part because of "Security through Obscurity". There aren't enough of them to bother with, usually.

Here is an example of a scam e-mail. It doesn't matter what you are using you can still be bit if you fall for something like this.

http://vts.bc.ca/pics4/paypal.jpg

dp
07-22-2008, 10:04 AM
Here is an example of a scam e-mail. It doesn't matter what you are using you can still be bit if you fall for something like this.

One objective of a good firewall implementation is to prevent those from reaching your inbox. A well-designed mail server in the perimeter will do that (excluding some day one examples that get past heuristic detection). Businesses rely more and more on commercial solutions like MessageLabs and Postini, but good affordable mail gateway services are available to the average user. Which demonstrates the larger point that not all elements of a firewall defense system have to be behind your firwall. And for the very adventurous it is quite possible to build an excellent mail gateway from free software.

Your sample is an excellent example of the kind of thing that perpetually ignorant people will get into trouble with, and I don't know if there's any defense for that problem, but it does make it all the more important to try.