April 18, 2011

See me at Security Wandering

See more at:
http://securitywandering.com/

September 26, 2008

New zero-day virus follow-up

The virus is not detectable by the current antivirus definitions for the Symantec antivirus product distributed by the software center.

The products that currently detect this virus are:

F-secure
bitdefender
prevx csi
panda
ikarus
antiver
GDATA
AWIL
Microsoft... yes, they see it. Way to go, Bill and Ballmer.

Here is the BIG question: why does my antivirus product not see it, and why does it take the larger vendors days to weeks to get out new definitions that find this stuff?

Little-known facts about antivirus companies:

1) They all belong to a trade group that shares every virus sample discovered by any member with the rest of the group, as frequently as hourly.

They all get equal and fair access to the sample files, so why so long? Getting there...

The best site to submit "POTENTIAL" virus files is www.virustotal.com.
They are an independent security company that runs every submitted file against 30 to 40 different antivirus products and provides a detailed report of which ones detect something and which do not.

And yes, this site is a member of the antivirus trade group, so after submission here the file is in the large sample pool for all trade group members to use.

Answers to the "why so long"

AV companies have been moving away from the single AV product for years now. They have all moved to a more defense-in-depth model. This is a good model and works well for some of the companies, F-Secure for one.

The other large companies tend to just be very slow because they have a bunch of extra crap in their in-depth model, and their product may not be as good at parts of the AV detection process.

That process works this way.

1) Viruses are almost always compiled code. Compilers leave a fingerprint on everything they compile, so AV products fingerprint which compiler was used to create the "package" when scanning a file.

2) Compiled code is machine readable and contains character string patterns. Most compilers out there have been used for malware by now, so almost every file passes the compiler check; the character string patterns, on the other hand, are unique and occur in unique combinations, almost like a hash or a human fingerprint.

3) Last is the file behavior, or file use, check. Many types of files behave the same way toward a system, or use the system in roughly the same way.

So if the AV product gets a hit on the compiler check and nothing else, it may or may not be a virus, right? But if it hits on the compiler and one of the other two checks, it's probably a virus... could be.
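The three-stage check above, combined with the post's rule that a compiler hit alone is inconclusive while a compiler hit plus one of the other two checks is "probable", as an added toy example (not the post's code and not any real AV engine). The compiler fingerprints, string signatures, behaviour rules and sample bytes are all constructed; the combination rule is generalised so that any two stages agreeing counts as "probable".

```python
"""Toy model of the compiler / string pattern / behaviour checks described
in the post. Added example; every fingerprint, signature, rule and sample
below is constructed for illustration, not taken from a real product."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Stage 1: constructed "compiler fingerprints", i.e. bytes a compiler or
# packer stub leaves in every binary it produces.
COMPILER_FINGERPRINTS: Dict[str, bytes] = {
    "toy-cc": b"Toy C Compiler v1",
    "toy-packer": b"TOYPACK!",
}

# Stage 2: constructed string signatures. A signature fires only when all
# of its patterns are present, so one common string cannot trigger it.
STRING_SIGNATURES: Dict[str, List[re.Pattern]] = {
    "Sample.UsbSpreader": [re.compile(rb"\[autorun\]", re.I),
                           re.compile(rb"shellexecute=", re.I)],
}

# Stage 3: constructed behaviour rules over events an on-access monitor or
# sandbox would record. They mirror the symptoms described in the posts.
BEHAVIOUR_RULES: Dict[str, Set[str]] = {
    "blocks-owner-traffic": {"hook:winsock", "drop:outbound"},
    "spreads-via-removable": {"write:autorun.inf",
                              "write:System Volume Information"},
}


@dataclass
class Verdict:
    compiler: Optional[str]
    string_hits: List[str]
    behaviour_hits: List[str]
    label: str


def check_compiler(data: bytes) -> Optional[str]:
    """Stage 1: which known compiler/packer produced this file, if any."""
    for name, marker in COMPILER_FINGERPRINTS.items():
        if marker in data:
            return name
    return None


def check_strings(data: bytes) -> List[str]:
    """Stage 2: names of string signatures whose patterns all match."""
    return [name for name, pats in STRING_SIGNATURES.items()
            if all(p.search(data) for p in pats)]


def check_behaviour(events: Set[str]) -> List[str]:
    """Stage 3: behaviour rules fully covered by the observed events."""
    return [name for name, needed in BEHAVIOUR_RULES.items()
            if needed <= events]


def classify(data: bytes, events: Set[str]) -> Verdict:
    """Combine the stages: one stage alone is inconclusive (a compiler hit
    by itself is the common case), two or more together is 'probable'."""
    compiler = check_compiler(data)
    strings = check_strings(data)
    behaviour = check_behaviour(events)
    stages_hit = sum([compiler is not None, bool(strings), bool(behaviour)])
    if stages_hit == 0:
        label = "no indicators"
    elif stages_hit == 1:
        label = "inconclusive"
    else:
        label = "probable"
    return Verdict(compiler, strings, behaviour, label)


if __name__ == "__main__":
    # Constructed sample: a "binary" carrying the toy compiler marker and an
    # embedded autorun.inf template, observed writing to a removable drive.
    sample = b"MZ...Toy C Compiler v1...[autorun]\r\nshellexecute=go.exe\r\n"
    seen = {"write:autorun.inf", "write:System Volume Information"}
    print(classify(sample, seen))
    # A benign file built with the same compiler: compiler hit only.
    print(classify(b"MZ...Toy C Compiler v1...hello world", set()))
```

The point the example makes is the one the post makes about false positives: the compiler stage is cheap but matches nearly everything, so a vendor that ships a definition on a compiler hit plus a single weak string would destroy legitimate installs, which is exactly why the large vendors wait for corroborating string or behaviour evidence.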

Back to the "why so long".

Well, you need to understand the steps a sample must go through to understand the timing.

Smaller AV vendors have very tight and aggressive code. It works very well and is very easy to extend. It is well compartmentalized and very, very fast. They have fewer customers and are still hungry for business. They get business by finding, or being the best at discovering, things that are designed to be hidden and difficult to find.

Large companies have a lot more poorly written, "bloated" code in their products. They are slower to react because false positives are a very bad thing for their market share. Come on now, who would buy the product that mistakenly destroyed a few hundred thousand systems, right? So big companies prefer the low and slow approach. It does provide comfort for them, but not for us. It guarantees them market share because antivirus purchasing is determined mostly by price, not by how well it works, and large companies usually wrangle multi-year deals, and then you are kind of locked in. Sad but true.

So the next question I think I would have reading this is: what does Lou use ("Evil Lou" to my friends)? I use F-Secure and Prevx CSI. Hmm, why?

F-Secure is an old-time AV vendor; it is an in-depth product, and BlackLight is the best rootkit detection product I have used. For zero-day threats it is generally a 4 to 8 hour product, many times less than that.

Prevx CSI because it is very good at malware and behavior-type detection. It is very fast and works well as the second banana, or second AV product, on a system.

I spend about 50 to 70 bucks a year for the two products, and that license is good for up to 4 systems.

I look at it as: you can pay a little cash now or a lot later if you get infected.


New zero-day virus


Yesterday, through one of the many tech mailing lists, I became aware of a new zero-day virus. This virus is new in some of its infection vectors; I'll cover them in a bit.


Symptoms of infection


The central symptom of an infected system is not being able to do any network activity, i.e. web surfing, email and the like. The network interface port on the system is up and active, but no local system traffic, or shall I say computer owner traffic, is going out that interface.


The new and interesting infection vector is the use of USB thumb drives or USB external hard drives. It seems that when a USB removable device, e.g. a thumb drive, is attached to an infected system, the system writes an autorun file and creates a system restore file on the USB device.


Since the use of USB removable media is normal practice when help desk or PC techs look at systems, the USB diagnostic device now becomes the infector of any system it is plugged into. This is due to the autorun file and the system restore file.


If you are a Case Western Reserve University student, faculty or staff member and are having these symptoms on your computer, please get in contact with the help desk and email security@case.edu.
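A check a help desk could run over a diagnostic thumb drive before trusting it, as an added example that is not part of the post: it parses the autorun.inf the post says the virus drops on removable media and reports the directives that would launch something when the drive is opened, and it notes whether the System Volume Information folder (the "system restore file" the post mentions) is present. The directive names checked (open, shellexecute, shell\verb\command) are real autorun.inf keys; the sample file content, the paths and the function names are constructed for this example.

```python
"""Added example: inspect a removable drive root for the autorun.inf and
system restore artefacts described in the post. Sample content is
constructed; only the autorun.inf key names are real."""
from pathlib import Path
from typing import Dict, List, Tuple

# Plain directives that name something to run. "shell\<verb>\command" keys
# bind a context-menu verb to a command line and are handled separately.
EXEC_KEYS = {"open", "shellexecute"}


def parse_autorun(text: str) -> Dict[str, str]:
    """Minimal case-insensitive parser for the [autorun] section of an
    autorun.inf. Returns lower-cased keys mapped to their raw values."""
    directives: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives


def flag_autorun(directives: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the (key, value) pairs that would cause code to execute."""
    hits: List[Tuple[str, str]] = []
    for key, value in directives.items():
        is_verb_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key in EXEC_KEYS or is_verb_cmd:
            hits.append((key, value))
    return hits


def scan_removable_root(root: Path) -> Dict[str, object]:
    """Check a mounted drive root for the two artefacts the post describes.
    The System Volume Information folder alone is weak evidence, since
    Windows creates it on many volumes; the autorun.inf directives are
    what actually matter."""
    report: Dict[str, object] = {
        "autorun_present": False,
        "exec_directives": [],
        "svi_present": (root / "System Volume Information").is_dir(),
    }
    inf = root / "autorun.inf"
    if inf.is_file():
        report["autorun_present"] = True
        text = inf.read_text(errors="replace")
        report["exec_directives"] = flag_autorun(parse_autorun(text))
    return report


# Constructed sample of a dropped autorun.inf. The icon and action lines
# make the entry look like the normal "Open folder to view files" choice,
# which is what makes the trick effective against a tech double-clicking.
SAMPLE_AUTORUN = """[AutoRun]
open=hidden\\launcher.exe
shell\\open\\command=hidden\\launcher.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""

if __name__ == "__main__":
    for key, value in flag_autorun(parse_autorun(SAMPLE_AUTORUN)):
        print(f"would execute on open: {key} = {value}")
    # Constructed path; pass the real mount point of the drive under test.
    print(scan_removable_root(Path("E:/")))
```

Run it from a known-clean system against the drive's mount point, and treat any executable directive as a reason to wipe the drive rather than clean it. The underlying mitigation is to turn AutoRun off for removable media on every system a help desk touches (the NoDriveTypeAutoRun Explorer policy on Windows), so that a dropped autorun.inf is inert even when someone does plug an infected stick into a clean machine.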


December 03, 2007

Who has something to hide

Rove investigator erases his PCs - to kill computer virus

A US official overseeing a probe of former Bush aide Karl Rove has been called on the carpet after it was discovered he hired a private computer-help company to erase all the hard drives belonging to him and two deputies.

Special Counsel Scott J. Bloch bypassed his own agency's computer technicians and instead hired an outside firm to perform a seven-level wipe, all but guaranteeing the files could never be restored. Although the official said he contracted the work after suspecting his computer was infected by a virus, a manager with the private firm said a wipe that thorough is an unusual way to treat a malware infection. The receipt for the work performed makes no mention of a virus.

source:
http://www.theregister.co.uk/2007/12/01/official_purges_agency_computers/

Now playing: Meat Loaf - Objects In The Rear View Mirror May Appear Closer Than They Are

California gov site invaded by smut and malware again

Raising troubling questions about the security of America's government websites, more domains ending in .gov have been found hosting links that push porn and malware.

They include the Marin County Transportation Authority, which has watched its site get hacked at least twice before. In early October the domain forced the shutdown of all California government websites until admins could remove the links. A week after the sites were disinfected, the rogue pointers returned.

source:
http://www.theregister.co.uk/2007/12/01/government_sites_serve_malware/


November 18, 2007

Trojan steals usernames and passwords from online gamers

Online gamers, be on guard - A new Trojan named ‘Win32.OnLineGames.dr’ can rob your username and password of the game account, warn the experts at MicroWorld Technologies. ‘OnlineGames.dr’ comes into computers via offers and help notes posted by crooks in game forums or by exploiting browser vulnerabilities.

Written in Delphi language, ‘OnlineGames.dr’ injects its DLL component into running processes and places an ‘autorun.inf’ file in the root of each drive to ensure that it gets activated every time a drive is opened.

Once active, it snoops on user activity, steals confidential account information from unwitting victims and sends it to a remote attacker. In a few cases, the Trojan also posts this stolen information to certain malicious websites. With the username and password of a virtual game player in his hand, the Trojan writer can directly log on to the victim’s account and sell off the characters and other goods for real world money.

This Trojan targets ‘Massively Multiplayer Online Role-playing Games’ (MMORPG), particularly the ones like Gamania and Wowtaiwan, meant for the Taiwanese audience. MMORPG is a genre of online computer role-playing games where a huge number of players interact with each other in a fantasy world. Every participant plays the role of a fantasy character and buys and sells fictional goods online, while they also barter stuff among each other. On many websites you can buy goods and characters using actual currency and do vice versa.

source:
http://www.net-security.org/malware_news.php?id=880

November 14, 2007

Malicious Website / Malicious Code: Rock Phish Using YouTube

Websense Security Labs ThreatSeeker has received reports of new malicious code that utilizes the YouTube brand to lure users into running the code.

The attack begins with an email lure written in html that invites users to view a video from YouTube. Upon connecting to the site, users are directed to a page that resembles the real YouTube site. The page then reports that the video cannot load and attempts to dupe users into downloading and installing a flash player.


Source:
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=818