Online THREATS

Discussion in 'Virus Information' started by Dave, May 28, 2005.

  1. Windows have asked me to put my beef on the discussion groups.
    I didn't know it would take half an hour of mucking about.
    SELF EXPLANATORY... WHY DON'T "Fixes" from Microsoft and other Firms Work
    Properly?
    Dear Anti Virus Firms.
    1. On my computer, I have loaded Symantec Norton AV 2004, which, after
    Scanning, has told me, for about 2 weeks, that I have 25 at Risk Files on
    my Computer -- Adware/Spyware/Malware. BUT will NOT delete any of them.
    The ONLY option is Manual Deletion.

    2. Earlier this Week, my "Guru" installed the Trial version of Microsoft
    AntiSpyware.
    It removed 8, leaving me with 17 Threats.

    3. Yesterday, Panda offered me a trial of Truprevent automatic protection.
    This removed 14 Threats -- leaving me with 3.

    4. Running Norton AV again, these 3 ALL Prove to be the same Adware
    "Adware.BetterInternet" BUT there is a REMOVAL TOOL.
    I ran this TWICE; on each occasion, it finally told me I did NOT have
    Adware.BetterInternet on my computer.

    5. Ran Norton AGAIN --- still there....

    IF ALL YOU FIRMS GOT TOGETHER AND POOLED YOUR INFORMATION, YOU MAY BE ABLE
    TO PRODUCE A HALF REASONABLE PROGRAMME.
    To Remove 24 threats, I would have to outlay WELL OVER $100 AUD, and still
    NOT have complete protection for my computer.

    WHEN can Computer Users, find GOOD PROGRAMMES, Which are FOOLPROOF, at a
    Reasonable Cost?

    IF I purchase ANY, which is worthwhile? NONE at the Moment.
    Can you PLEASE INFORM COMPUTER OWNERS, When you have programmes on which
    they can really rely?
    Dave.
     
    Dave, May 28, 2005
    #1

  2. Dave

    All of the programmes are free, and some do specific tasks.. also, some of
    the 'threats' are only tracking cookies..
     
    Mike Hall (MS-MVP), May 28, 2005
    #2

  3. --
    Dave.

    Dave, May 28, 2005
    #3
  4. Mike.
    The Microsoft is Trialware - 60 days. The Panda is Trial - 30 Days.
    A REMINDER keeps popping up on the Screen, from both firms asking me if I
    wish to Purchase, in US$, naturally, which is MUCH higher in $AUD.
    And, as I originally State, neither one does the job properly.
    Symantec State that benet IS dangerous -- not just a cookie.

    Dave, May 28, 2005
    #4
  5. Dave

    This is what happens when someone uses an anti-virus program to remove
    malware; use a malware removal program instead.
    Betterinternet is a BHO (browser helper object). Try this one:
    BHO Demon - http://www.majorgeeks.com/download3550.html
    Each program does something a little different in an ever changing world.

    Sometimes, when you remove malware it will stop your TCP/IP
    stack from working (Internet connection).
    Winsock or LSP-fix will correct the problem; download it first.
    Note to anyone using NOD32 Anti-Virus software: Do Not delete the
    "imon.dll" this fix reports. This is your internet/e-mail scanning engine.

    YES - You need more than 1 malware program; the ones below are all free
    and work well.
    LSP-fix- http://www.cexx.org/lspfix.htm
    Spybot S&D - http://www.safer-networking.org/en/index.html
    CWS Smart Killer- http://www.safer-networking.org/minifiles.html
    About Buster- http://www.spychecker.com/program/aboutbuster.html
    Ad-Aware SE - http://www.lavasoftusa.com/software/adaware/
    MS Antispyware:
    http://www.microsoft.com/athome/security/spyware/software/default.mspx
    CWShredder - http://www.majorgeeks.com/download4086.html
    Hijack this - http://www.majorgeeks.com/download3155.html
    Hijackthis tutorial -
    http://forums.maddoktor2.com/index.php?showtopic=165
    SpywareBlaster - http://www.javacoolsoftware.com/spywareblaster.html
    SpywareGuard - http://www.javacoolsoftware.com/spywareguard.html
    WinPatrol - http://winpatrol.com
    BHO Demon - http://www.majorgeeks.com/download3550.html
    asquared2 "Trojan Remover" - http://www.emsisoft.com/en/
    Socklock- http://nsclean.com/socklock.html
    A nice site -
    http://groups.msn.com/TeMercInternetSecuritySite/malwarecountermeasures.msnw
    NOD32Anti-Virus Free 30 day trial
    http://nod32.com/download/trial.htm
    Process Guard-
    http://www.diamondcs.com.au/processguard/index.php?page=download
    A link for free online virus and trojan scanners.
    http://virusall.com/downscan.html
     
    MAP, May 28, 2005
    #5

  6. What specific fix did not work properly?


    What has this to do with Windows? Anyway, most antivirus applications
    do not scan for or protect you from adware/spyware at all, because,
    after all, you've installed them yourself, so you must want
    them there, right?

    Neither adware nor spyware, collectively known as scumware,
    magically install themselves on anyone's computer. They are almost
    always deliberately installed by the computer's user, as part of some
    allegedly "free" service or product.

    While there are some unscrupulous malware distributors out there,
    who do attempt to install and exploit malware without consent, the
    majority of them simply rely upon the intellectual laziness and
    gullibility of the average consumer, counting on them to quickly click
    past the EULA in his/her haste to get the latest in "free" cutesy
    cursors, screensavers, "utilities," and/or wallpapers.

    If you were to read the EULAs that accompany, and to which the
    computer user must agree before the download/installation of the
    "screensaver" continues, most adware and spyware, you'll find that
    they _do_ have the consumer's permission to do exactly what they're
    doing. In the overwhelming majority of cases, computer users have no
    one to blame but themselves.

    First of all, Microsoft Anti-Spyware is a beta product, so it can
    hardly be expected to be completely effective. Secondly, who in the
    world would go to a "guru" (some sort of spiritual guide/adviser?) for
    help with a purely technical issue?


    Again, what has this to do with Windows?

    You know, I once saw a bumper sticker that read "Insanity is doing the
    same thing over and over again, and expecting different results each
    time." Seems to apply. Why repeat an action that you already know
    won't work?


    You do realize, don't you, that by posting to a news group you're not
    addressing *any* of the firms with which you imagine you have a grievance?

    Then you need to learn how to perform simple Internet searches. (And
    replace your apparently clueless "guru.") You could easily have found
    free solutions, had you looked. Or, better yet, if you had taken the
    time to learn to safely use your own computer, none of this would have
    been necessary.


    Just as soon as those computer users accept responsibility for the
    consequences of their own actions. Just as soon as computer users stop
    expecting a computer to be no more complicated to use than a toaster
    oven. But, as for "foolproof?" Never - fools are so damned ingenious;
    they're always finding new ways to screw up.


    There are several essential components to computer security: a
    knowledgeable and pro-active user, a properly configured firewall,
    reliable and up-to-date antivirus software, and the prompt repair (via
    patches, hotfixes, or service packs) of any known vulnerabilities.

    The weakest link in this "equation" is, of course, the computer
    user. No software manufacturer can -- nor should they be expected
    to -- protect the computer user from him/herself. All too many people
    have bought into the various PC/software manufacturers' marketing
    claims of easy computing. They believe that their computer should be
    no harder to use than a toaster oven; they have neither the
    inclination nor the desire to learn how to safely use their computer. All
    too few people keep their antivirus software current, install patches
    in a timely manner, or stop to really think about that cutesy link
    they're about to click. These people are a danger to themselves and others.

    Firewalls and anti-virus applications, which should always be used
    and should always be running, are important components of "safe hex,"
    but they cannot, and should not be expected to, protect the computer
    user from him/herself. Ultimately, it is incumbent upon each and
    every computer user to learn how to secure his/her own computer.

    To learn more about practicing "safe hex," start with these links:

    Protect Your PC
    http://www.microsoft.com/security/protect/default.asp

    Home Computer Security
    http://www.cert.org/homeusers/HomeComputerSecurity/

    List of Antivirus Software Vendors
    http://support.microsoft.com/default.aspx?scid=kb;en-us;49500

    Home PC Firewall Guide
    http://www.firewallguide.com/

    Scumware.com
    http://www.scumware.com/



    --

    Bruce Chambers

    Help us help you:
    http://dts-l.org/goodpost.htm
    http://www.catb.org/~esr/faqs/smart-questions.html

    You can have peace. Or you can have freedom. Don't ever count on having
    both at once. - RAH
     
    Bruce Chambers, May 28, 2005
    #6
  7. "Windows" says that?
    You are scanning for malware while the malware is active. Is it
    surprising the malware wins?
    OK - that looks like either a false positive (or residues) if the
    removal tool is right, and a new variant unknown to the removal tool
    if NAV is right. Residues is likely, i.e. where the malware's ability
    to operate is destroyed by punching it out, but leftover malware
    content is left lying around for other scanners to alert on.
    We already have half reasonable programs, and that is as good as it's
    likely to get, for as long as MS fails to improve maintainability
    (e.g. a malware-safe Safe Mode plus a maintenance OS) so that when
    (not if) the bad guy owns your system, you can get it back.
    What did you spend AU$100 on? Norton? The other tools you mentioned
    (AdAware, MSAS Beta) are free, as are Avast and AVG that you could
    have used instead of knee-jerk Norton.
    When the OS is structured to facilitate recovery from malware
    ownership. Until then, the only maintenance OS in town is a volunteer
    effort from Bart's that is at risk of being litigated off the map by
    MS at any time. Needless to say, that makes it a very high risk for
    av vendors to invest in (i.e. develop for).

    So you have three approaches from the av industry:
    - hope the problem will go away / pretend what we have works
    - develop for Bart, but charge a fortune to recover costs quickly
    - build a mOS from scratch, which costs effort and therefore money

    MS themselves fall into the first category, maintaining (in the face
    of all evidence to the contrary) that XP on NTFS is sooo secure that
    it will never be malware-owned, so need for recovery does not arise.

    Avast have stepped up to the plate in the first category, building
    exactly the sort of thing we all need; an av scanner written
    specifically for Bart's PE, and bundled with it, that does the job.
    Alas, it costs a lot more than AU$100 to buy it in a form that
    freelance techs could use in the field to clean your system. It's
    only cheaper if crippled to work within one domain only (fine for
    corporate sysadmins, to hell with anyone else) or if it's crippled
    further so that it works only on one PC.

    Kaspersky's taken the third approach, as far as I know, by using a
    bootable Linux CD to host their recovery (post-infection) scanner. As
    Linux can't safely write to NTFS, I presume this is a "look, don't
    touch" scanner that hopefully informs how to proceed thereafter.

    Kaspersky AV doesn't fall out of the sky for free, either.
    Firstly, when it comes to commercial malware in particular, it may be
    a judgement call as to whether you wish to be rid of the "threat" or
    not. That may be why you see "X threats found, Y threats removed".

    For example, if I look in your medicine cupboard and find rat poison,
    LSD and Insulin, I'd likely destroy only the rat poison. All three
    might kill you if taken in excess, but you may choose to run the risk
    of taking LSD in small doses for recreation, and you may need to take
    Insulin to survive. And for that matter, you might shout at me for
    killing the rat poison if you were planning on killing some rats.


    Secondly, this is MALicious softWARE we are talking about here, i.e. it
    is *designed* to be unco-operative and beastly. Is it really
    surprising that detecting and removing this will be tricky?


    Thirdly, a basic rule of combat is that whoever owns the air, wins.
    If you are taxiing to take off and I'm over you dropping bombs, who is
    likely to win? If the malware code is running and you try to start up
    a defence tool, which is likely to win?

    You'd only place bets on the second if the first was really useless,
    i.e. a bomber who can't shoot straight, or a malware that ignores the
    opportunity to defend itself or react punitively.

    Right now, folks are flapping their arms and jumping up and down
    because malware has started to take this opportunity, in the shape of
    "root kits". A root kit is simply a malware that hides itself, by
    tapping into all OS functionalities that might reveal its presence,
    and thus censor the information flow to hide itself from view.

    It's like phoning home to see if your family is OK, and one of the
    home invaders picks up and (mimicking your wife's voice) says "Ah yes,
    all's well, no balaclava-clad gun-toting rapists here, see you later".


    The obvious thing to do is not rely on a word from inside the ?owned
    house, but to check it out yourself. That means not running the
    infected code (i.e. using a mOS) and then checking the code to see if
    there are any known bad guys (blacklisting) and that only approved
    code is in place in unaltered form (whitelisting).

    Because of the constant code creep from patches, whitelisting is
    difficult. What do you compare the code with, a data list on the
    same ?infected HD? So you detect that info has been tampered with;
    now what? You've just been DoS'd out of recovery, unless you have
    something that will replace all known code. Where is that magical,
    uninfected set of up-to-date code going to come from?

    Let's assume you've verified the core code is OK. Now we can run the
    OS in Safe Mode, but that's only malware-safe if two other conditions
    are met; that the OS processes NO integration points whatsoever, so no
    3rd-party code gets to run (integration by design), and that the OS
    does not handle any material on the HD so as to expose an exploitable
    risk surface (integration by code exploit).

    Notice that the above applies whether you choose to clean malware, or
    backup data and wipe the system. Unless you know what the malware
    was, you have no confidence that re-infection won't recur (as has
    already happened once). Without a firm difference between data and
    code, you can't be sure your backed-up data is safe to restore.


    Right now, we do not have a mOS, and the Safe Mode that the OS offers
    is far from malware-safe, as it explicitly processes a host of
    integrations by design (screensaver, file associations, drivers, BHOs
    and shell integrations, even parts of the startup axis Safe used to
    claim it did not run in Win9x) and it caresses material on the HD in
    ways that are quite likely to be exploitable.

    We can use 3rd-party media players, web browsers and email apps, so we
    don't really need MS to provide those. We do need MS to provide core
    OS value, and this they are failing to do.


    Forget http://cquirke.blogspot.com and check out a
    better one at http://topicdrift.blogspot.com instead!
     
    cquirke (MVP Windows shell/user), May 29, 2005
    #7
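The offline check the post above describes (a maintenance OS comparing the suspect disk against a blacklist and a known-good whitelist kept off that disk), as an added example that is not code from the thread; the file contents, manifest and blacklist below are constructed sample data, and the path and function names are my own.

```python
"""Offline integrity triage: inspect the suspect volume from a separate
maintenance OS, compare each file against a known-good manifest
(whitelist) held OFF that volume and against a known-bad hash list
(blacklist). Constructed sample data throughout."""
import hashlib

SUSPECT_VOLUME = "C:\\"   # the volume being checked, which is NOT running


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: files as seen by the maintenance OS with the volume mounted.
DISK = {
    "C:\\Windows\\system32\\kernel32.dll": b"legit kernel32 bytes",
    "C:\\Windows\\system32\\winsock.dll": b"legit winsock bytes (altered)",
    "C:\\Windows\\system32\\shell32.dll": b"legit shell32 bytes",
    "C:\\Program Files\\Coolbar\\bho.dll": b"some unlisted BHO",
    "C:\\Windows\\system32\\drivers\\hide.sys": b"rootkit driver",
}

# Constructed known-good manifest: path -> SHA-256 of the approved file.
MANIFEST = {
    "C:\\Windows\\system32\\kernel32.dll": sha256(b"legit kernel32 bytes"),
    "C:\\Windows\\system32\\winsock.dll": sha256(b"legit winsock bytes"),
    "C:\\Windows\\system32\\shell32.dll": sha256(b"legit shell32 bytes"),
    "C:\\Windows\\system32\\ntoskrnl.exe": sha256(b"legit ntoskrnl bytes"),
}

# Constructed blacklist: hashes of known-bad files.
BLACKLIST = {sha256(b"rootkit driver")}


def classify(disk, manifest, blacklist, manifest_location):
    """Return path -> verdict. Refuses a manifest stored on the suspect
    volume, since a list kept there could itself have been tampered with."""
    if manifest_location.upper().startswith(SUSPECT_VOLUME.upper()):
        raise ValueError("manifest must not live on the suspect volume")
    verdicts = {}
    for path, data in disk.items():
        digest = sha256(data)
        if digest in blacklist:
            verdicts[path] = "known-bad"      # blacklist hit
        elif path in manifest:
            verdicts[path] = "ok" if manifest[path] == digest else "tampered"
        else:
            verdicts[path] = "unknown"        # neither approved nor known-bad
    for path in manifest:
        if path not in disk:
            verdicts[path] = "missing"        # approved file is gone
    return verdicts


def core_trusted(verdicts):
    """True only if every approved file is present and unaltered and nothing
    known-bad was found; 'unknown' files still need a human decision."""
    return not any(v in ("tampered", "known-bad", "missing")
                   for v in verdicts.values())


if __name__ == "__main__":
    result = classify(DISK, MANIFEST, BLACKLIST, "E:\\manifest.json")
    for path, verdict in sorted(result.items()):
        print(f"{verdict:10} {path}")
    print("core trusted:", core_trusted(result))
```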
  8. On Sat, 28 May 2005 08:37:38 -0600, Bruce Chambers
    You're drifting in the right direction, Bruce - from "Neither adware
    nor spyware" through "almost always" to "While there are some" to
    "the majority of them". This is better than previous "blame the
    victim" posts that failed to acknowledge clickless attack at all.

    That commercial malware installs "by user's consent" is the
    cornerstone of what makes it commercial; it allows an entity to remain
    visible enough to be paid, while being able to plausibly deny that
    they are malware vendors and should be shut down.

    However, the distinction between commercial and traditional malware is
    blurring, for two reasons. Firstly, legal defence of the rights of
    users has been so poor, that cm vendors are emboldened to act more
    like traditional malware; persistence in Safe Mode, resistance to
    detection and removal, and yes, clickless attack. Secondly, some
    things that pose as commercial malware may not be, or are hosted by
    businesses beyond legal jurisdiction.

    Clickless attack is facilitated by IE, by design. Web-generated
    content can spoof system dialog boxes, paint over the status bar or
    page content, hook "close window" to actually launch themselves, and
    so on. If a cm vendor wants to bypass user control, act against the
    user's intent, or misrepresent themselves, IE provides all the tools.

    Clickless attack is also facilitated by defect. Commercial malware
    regularly exploits known code defects to get traction, such as those
    within Java. That such behavior has not led to legal sanction is
    proof of my earlier point, that cm vendors are not limited to "nice"
    behavior because no-one is legally enforcing this behavior.
    When the system takes risk on behalf of the user, without giving the
    user a chance to say no, then the full blame should be borne by the
    system. Quick list: BadTrans.B, Kak, Melissa, Lovesan, Sasser,
    Sapphire/Slammer, OpaServ... what do these have in common? ALL of
    them are clickless attacks, where the only user blame you can
    attribute is poor choice of software, and using it in default form.
    And that will stop when vendors stop creating that expectation.
    Windows hides risk info the user needs to see (e.g. file name
    extensions) in order to make informed decisions. Then having
    (reluctantly) displayed a risk indication such as file type, that the
    user sees and consents to, the OS may act beyond that level of risk if
    the actual material is at variance with the risk description.

    For example, confronted with an .RTF file containing Word macros, the
    OS concludes this is simply a benign error made in good faith, and
    runs those macros automatically without extra user warnings. It's
    like a cop who says "you'll never break into the house that way, just
    by fiddling the locks; here, let me force open a window for you".
    Yup. And the geniuses who write our OS are so foolish, they keep
    offering new opportunities for the bad guys to screw us up.

    The user makes no pretence of being technical geniuses; in fact,
    marketing keeps telling them not to worry about all that. It's the
    system that beats its chest about how secure it is. So yes, while one
    can blame both users and system, the expectations differ.
    I do agree with you there. I see av as the "goalie of last resort",
    not a license to be a drooling fool clicking everything in sight and
    expecting your ass to be covered.

    But a user can practise "safe hex" only if:
    - they are asked
    - accurate risk info is displayed
    - the system acts no further than the risk consented to

    If the system takes risk without asking the user (web site active
    content, inserted disks, file content not being "opened" but merely
    listed, ToolTip'd etc.) then the user cannot be blamed.

    If the system provides no risk info at all ("here's an arbitrary file;
    do you want to 'open' it?" or "here's an ActiveX control, which could
    do absolutely anything; do you want to run it?") then the user has no
    choice other than to risk everything, or deny interaction. Given the
    Internet is about interacting with strangers, absent risk information
    makes it impossible to do anything at all there.

    If the system displays a low level of risk, then actually takes a high
    level of risk, then once again, it's the system's "fault". If I say
    "eat this cake", implying it's edible food, and it acts as a lethal
    toxin, have you suicided or been murdered?


    A problem is that XP is NT, and NT was designed to be a network client
    within professionally-managed corporate installations. Several
    ASSumptions flow naturally from that...
    - the user's rights are trumped by the system administrator's
    - the system administrator controls the PC from the network
    - each user has a clearly-defined role
    - so each user's login is shrink-wrapped around that role
    - risk management is done by system administrator on user's behalf
    - the system administrator is trained in the IT security model
    - the PC doesn't matter, because all data is on the server

    When you take an OS designed for those conditions, and drop it as-is
    into consumerland, it's not surprising things don't work, because:
    - user's rights are trumped by any notional "system administrator"
    - the Internet is treated as just another big network
    - so any fake "sysadmin" controls the PC from the Internet
    - user may do many different things of varying risk
    - so one login role doesn't fit all the things they want to do
    - so everyone ends up running as administrator; maximum risk
    - the user is not trained in the IT security model
    - so user has no idea on how to manage risk
    - the PC does matter, because all data is on it alone

    If an OS is to be deployed in consumerland, it has to be shaped around
    what the user knows and how the user operates. It's useless to expect
    the user to behave as if they were an ant within a corporation.

    I may start up Windows (why should I "log in", I'm the only user, duh)
    and I may do my accounting, buy some stuff online, play a game, and
    visit a few arbitrary web sites. The needs of those tasks differ
    considerably; one set of access rights applied at logon misses the
    spot entirely. I'd want my web browser to have zero access to my data
    and zero rights to run stuff on my PC, but I'd want my accounting app
    to access my data, and I'd want my game to have fast hardware access
    but no access to the Internet or my data at all.

    So at home, LUA isn't about the User, but the application. It's
    pathetic to expect me to log in as a notional untrusted user to view
    web sites, log out and back in as a trusted user to do my accounting,
    and then log out and log in again as administrator in order to run a
    game that requires fast access to hardware.

    Some of the most dangerous things I may do - quickly visit a web site
    while waiting for something - and some of the most data-dangerous
    things I may do - quickly look up and edit a client's account in
    response to a phone call - I may do while in the middle of other
    things that differ in risk profile.

    Yes, I *could* pretend to be a bunch of cubicle dwellers, and add an
    extra 512M RAM so I can do fast user switching between accounts, but
    it's still a clumsy and inappropriate way of doing things. Like
    pretending my car is still a horse-drawn cart, and having to get an
    annual veterinarian certificate for the "horse".


    Forget http://cquirke.blogspot.com and check out a
    better one at http://topicdrift.blogspot.com instead!
     
    cquirke (MVP Windows shell/user), May 29, 2005
    #8
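The post above argues that hiding file name extensions removes the risk information a user needs before consenting to "open" something. The following added example (not code from the thread) models that display rule and flags names that are shown as documents but would actually run code; the extension tables are illustrative rather than the shell's real registered-type database, and the file names are constructed.

```python
"""Model 'hide extensions for known file types' and flag names whose
displayed form implies a document while the true type is executable.
Extension tables are illustrative; sample names are constructed."""

# Illustrative: types that run code when "opened" vs. types that are data.
EXECUTABLE = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".hta"}
DOCUMENT = {".txt", ".jpg", ".gif", ".doc", ".rtf", ".pdf", ".htm"}
KNOWN = EXECUTABLE | DOCUMENT     # extensions the shell knows, and so hides


def split_ext(name):
    """Return (base, lower-cased extension including the dot) or (name, '')."""
    base, dot, ext = name.rpartition(".")
    if not dot or not base:
        return name, ""
    return base, "." + ext.lower()


def displayed_name(name):
    """What a listing shows with known extensions hidden: only the last
    extension is stripped, and only when it is a known type."""
    base, ext = split_ext(name)
    return base if ext in KNOWN else name


def assess(name):
    """Compare the risk the displayed name implies with the true type."""
    _, true_ext = split_ext(name)
    shown = displayed_name(name)
    _, shown_ext = split_ext(shown)
    return {
        "shown": shown,
        "true_ext": true_ext,
        "executable": true_ext in EXECUTABLE,
        # Looks like a document once hidden, but actually runs code.
        "misleading": true_ext in EXECUTABLE and shown_ext in DOCUMENT,
    }


def flag_listing(names):
    """Names in a listing that would be shown as documents but run code."""
    return [n for n in names if assess(n)["misleading"]]


# Constructed sample folder/attachment listing.
SAMPLE = ["holiday.jpg.scr", "report.txt", "setup.exe", "invoice.pdf.exe",
          "README", "notes.weird"]

if __name__ == "__main__":
    for n in SAMPLE:
        info = assess(n)
        print(f"{n:18} shown as {info['shown']!r:20} "
              f"executable={info['executable']} misleading={info['misleading']}")
```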
