Viruses, Trojan, Worms and Adware, Oh My!


ndebord
December 14th, 2005, 05:35 PM
Duane White has a very interesting thread over in VirusCentral about where we are these days in terms of malware.

http://community.netscape.com/n/pfx/forum.aspx?nav=messages&tsn=1&tid=155347&webtag=ws-viruscentral

N

fhaber
December 15th, 2005, 11:28 AM
He ain't kidding. It's getting completely evil out there. Remember those articles six months ago about people who threw out their one-year old machines and bought new ones, or Macs? We laughed.

Stop laughing. I'm now up to three machines where the better part of valor was to reformat, and one, three years old, where I just phoned the user, then ordered a new Dell for him. You don't want to ask what these fixes cost, and they were all loss leaders for me. Thank heavens I don't do this for a serious living, and thank goodness all these clients are as economically comfortable as they are.

There simply isn't any one automated magic remover any more, when the badness can hide from the whole filesystem.

ndebord
December 15th, 2005, 11:41 AM
He ain't kidding. It's getting completely evil out there. Remember those articles six months ago about people who threw out their one-year old machines and bought new ones, or Macs? We laughed.

Stop laughing. I'm now up to three machines where the better part of valor was to reformat, and one, three years old, where I just phoned the user, then ordered a new Dell for him. You don't want to ask what these fixes cost, and they were all loss leaders for me. Thank heavens I don't do this for a serious living, and thank goodness all these clients are as economically comfortable as they are.

There simply isn't any one automated magic remover any more, when the badness can hide from the whole filesystem.

Frank,

Yes, totally evil. I was secure in my insecure cocoon of W98se. I woke up fast
when Duane said there were files that not only could he not remove, but that he could not even see. (I had thought my old DOS file mgrs could see everything, particularly if I booted into DOS instead of Windows.)

The one that really got me was the malware which is actually TWO files. If you remove one, the other recreates it and vice versa. And the idea that even in SAFE mode you're not, ah, safe. And the inability to find the files in DOS.

As I said over there, I keep a FreeDOS boot disk around and have F-Prot for DOS on floppies and on the HD as my backup, in addition to my Kerio 2.1.5 firewall, AVG 7 (free) and Ad-Aware SE (Personal), with HijackThis sitting around. But I'm definitely going to have to update my protection considering the sheer number of bad websites out there that get more money for running malware than they do from the old-fashioned ad banners.

:-(

davidh
December 15th, 2005, 12:43 PM
He ain't kidding. It's getting completely evil out there. Remember those articles six months ago about people who threw out their one-year old machines and bought new ones, or Macs? We laughed.

Stop laughing. I'm now up to three machines where the better part of valor was to reformat, and one, three years old, where I just phoned the user, then ordered a new Dell for him. You don't want to ask what these fixes cost, and they were all loss leaders for me. Thank heavens I don't do this for a serious living, and thank goodness all these clients are as economically comfortable as they are.

There simply isn't any one automated magic remover any more, when the badness can hide from the whole filesystem.

Even in MS-DOS I think it was not so hard to make a BAT file that could run DEBUG to load a TXT file with executable code embedded and run the code. I think you could load an arbitrary sector off the HD (e.g. infected and hiding in free space, etc.) using BIOS and execute that too.

Maybe get a used CP/M machine or Apple II and a UNIX-style shell account, if any ISP still has them, and hope they don't blow your ISP out of the water? Or get a dumb (serial) terminal and a dot matrix serial printer.

David H.

Judy G. Russell
December 15th, 2005, 09:15 PM
There simply isn't any one automated magic remover any more, when the badness can hide from the whole filesystem.

What are the various recommended badness removers anyhow? I'm very comfortable with NOD32 as an antivirus program. What else should I have?

fhaber
December 16th, 2005, 11:33 AM
You're not going to like this answer, which may change next week.......

1. Benign, free and totally manual, for careful people who answer "yes" to nothing but their mother's requests, and don't visit sites that she wouldn't:

MS Antispyware beta, with monitoring off.

Ad-Aware (not as sharp as it used to be).
Spybot S&D (on the way down?). Their resident Tea Timer ain't great. Do not run.


2. Resident, for the average trusting bozo:

The same MS Antispyware (Giant, in other clothing).

Select one from the magazine review of your choice, Spyware Doctor, Spy Sweeper, Trend's suite, etc. All paid. All somewhat intrusive. Don't trust the reviews too much, the bad and good guys are constantly playing leapfrog. You must have at least two opinions, if you think you're in trouble.

For the advanced paranoid: Rootkit revealer, Hijack This, CWS shredder, the Panda antirootkit beta, etc.

For everyone: Online scans - Trend, Panda, McAfee tend to be the best. Kaspersky is the most aggressive, for advanced users.

Consider a firewall (yes, intrusive and annoying at times).

Wireless laptop users who travel should take all precautions, use webmail, change their passwords frequently, and allow space in their luggage for an economy-size box of Depends.

98 and Me users can't use 3/4 of the above, but they're a bit less exposed.

PATCH! NOW! Scan, frequently.


Prayer and clean living? Couldn't hurt.

Jeff
December 16th, 2005, 01:27 PM
Question. I ran Shields Up against my wireless router (with Sygate also in play) and all was stealth except ping. Then I dialed into a CIS node leaving only Sygate in play and ping was stealthed too. Why was the router responding to the ping? I am not liking that too much as I've had the same Comcast IP address for six months, and regardless of what Comcast says it appears to be permanent which I do not want but can't change.

Judy G. Russell
December 16th, 2005, 02:04 PM
I have both a hardware and a software firewall (router plus ZA), antivirus (NOD32) and run the spyware stuff roughly once a month. And I practice safe computing (I rarely click on anything in any web page, and keep both AdBlock and FlashBlock going). Enough?

fhaber
December 16th, 2005, 03:29 PM
Judy, you should be fine. Just don't let any keen teens near the machine. Haber's rules of thumb: rugrats and yard apes are typhoid Annes and Archies - they transmit disease (love 'em). When they get older, they do stupid things, and if said stupidities are on your computer, may G_d have mercy.

==
Jeff, I haven't kept track of Gibsonalia. "Stealth" isn't essential, and I don't know how he tests ping. Where's his ping test?

Shields up is a port scan, right? Mostly, of course, it's testing your router, not your computers. But not always. These days, many ports have to be kept open for VPN, etc. Ping doesn't have ports - ping is usually ICMP (sometimes UDP), not TCP, and totally benign, unless someone is flooding you. Your ISP won't let those through - they'd have to shut down. I leave ping-echo on, even on the SP2 half-firewall, and on my router. It's harmless for us small guys.

If you want your IP changed, buy another router and swap them every week. You'll get a change when the ISP detects a new MAC address. Or leave your router off for a day. And don't worry too much about it. We're small targets.

I'm so retro that I keep the radio off on my router most of the time. Manhattan is so crowded that WPA takes a week and a half to connect, even with no interference. When I test a new portable I have to run the wireless wide open for a few minutes, just to get anything done fast. Needless to say I set and secure the machines via wired connections, first.
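
Added example, written for this page and not code from any poster in the thread: a short Python script that makes fhaber's point concrete. An ICMP echo ("ping") carries a type, code, checksum, identifier and sequence number and nothing else, so there is no port to be "open" or "closed"; a TCP SYN probe of the kind a port scanner sends does carry ports, and the three things that can come back (nothing at all, a RST, a SYN-ACK) are what ShieldsUP labels stealth, closed and open. All packets are constructed inside the script rather than captured from a network, and the TCP checksum is left at zero because computing it would need the IP pseudo-header, which is an assumption that does not affect the parsing shown.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum used by ICMP and TCP (RFC 1071). Verifying a
    packet means summing it with its checksum field in place: the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes, reply: bool = False) -> bytes:
    """ICMP echo request/reply: type, code, checksum, identifier, sequence, data."""
    typ = ICMP_ECHO_REPLY if reply else ICMP_ECHO_REQUEST
    unchecked = struct.pack("!BBHHH", typ, 0, 0, ident, seq) + payload
    csum = rfc1071_checksum(unchecked)
    return struct.pack("!BBHHH", typ, 0, csum, ident, seq) + payload


def parse_icmp_echo(pkt: bytes) -> dict:
    """Parse an ICMP echo message, rejecting it if the checksum does not verify."""
    if len(pkt) < 8:
        raise ValueError("truncated ICMP header")
    if rfc1071_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    # Note what is absent: there is no source or destination port anywhere in here.
    return {"type": typ, "code": code, "id": ident, "seq": seq, "payload": pkt[8:]}


def build_tcp_header(src_port: int, dst_port: int, flags: int,
                     seq: int = 0, ack: int = 0) -> bytes:
    """Minimal 20-byte TCP header with no options. Checksum left at zero (assumption:
    a real sender fills it in over the IP pseudo-header)."""
    data_offset_and_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       data_offset_and_flags, 65535, 0, 0)


def parse_tcp_header(hdr: bytes) -> dict:
    """Pull ports, sequence numbers and flags out of a TCP header."""
    if len(hdr) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", hdr[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window}


def classify_syn_probe(reply) -> str:
    """Label the answer to a SYN probe the way a port scanner such as ShieldsUP does."""
    if reply is None:
        return "stealth"   # silently dropped: the scanner sees nothing at all
    flags = parse_tcp_header(reply)["flags"]
    if flags & TCP_SYN and flags & TCP_ACK:
        return "open"      # something is listening and answered step 2 of the handshake
    if flags & TCP_RST:
        return "closed"    # the host is reachable and said so, but nothing listens there
    return "unknown"


if __name__ == "__main__":
    echo = build_icmp_echo(ident=0x1234, seq=1, payload=b"ping-demo")
    print("ICMP echo fields:", sorted(parse_icmp_echo(echo)))   # no 'port' among them
    probe = build_tcp_header(40000, 80, TCP_SYN)
    print("SYN probe aimed at port", parse_tcp_header(probe)["dst_port"])
    replies = [("dropped", None),
               ("rst", build_tcp_header(80, 40000, TCP_RST | TCP_ACK)),
               ("synack", build_tcp_header(80, 40000, TCP_SYN | TCP_ACK, seq=7, ack=1))]
    for name, reply in replies:
        print(name, "->", classify_syn_probe(reply))
```

The practical upshot for the thread: a router that answers echo requests is not "leaking a port"; it is telling the world a host exists, which is a separate and usually minor concern from whether any TCP service is reachable, and the firewall setting that silences it is independent of the port rules.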

Judy G. Russell
December 16th, 2005, 04:28 PM
Judy, you should be fine. Just don't let any keen teens near the machine. Haber's rules of thumb: rugrats and yard apes are typhoid Annes and Archies - they transmit disease (love 'em). When they get older, they do stupid things, and if said stupidities are on your computer, may G_d have mercy.

Oh Lord... I had TWO teenagers here at Thanksgiving... time to do a triple check on the machine...

Worst case I ever had: the freshman-in-college niece of a friend who stayed at my house while looking for housing. Installed some weird version of AOL on my system without my knowledge (and certainly without my consent). It trashed my network settings (and a few other things) so badly I ended up doing a format c: /s to try to correct it...

Jeff
December 17th, 2005, 01:06 PM
Yeah, ShieldsUp is a port scan, which apparently includes the ping.
http://grc.com/zonealarm.htm

I was a bit startled to have the router respond to the ping, while Sygate by itself did not. Speaking of which, Sygate is now Symantec <grrr>. I'm glad I saved the Sygate installer.

I've got quite a gig going out here in the boonies. 6 gigs incoming down the cable and a 5.4 gig router. Thank you Comcast. Which reminds me, the installation came with a WiFi card, so if I install that it should give the router a new MAC, and thus me a new IP yes? I could then swap back and forth. I may have to try that.

fhaber
December 17th, 2005, 01:29 PM
Jeff,

You mean like this?

207-237-113-##.c3-0.80w-ubr#.nyr-80w.ny.cable.rcn.com

That's simply a reverse lookup that sites like checkip.dyndns.org can supply.

Careful with that additional wifi card messing up IBM's auto wireless gizmo. Should work, but....

rlohmann
December 17th, 2005, 05:52 PM
What's your sense of the vulnerability of Linux? The impression I have is that it's becoming more interesting to the bad guys as its popularity increases.

fhaber
December 17th, 2005, 06:08 PM
Ralph,

I'm really not the one to ask, since I run Linux rarely.

If you want me to try -

There are plenty of exploits, and you must keep yourself patched. That's why it's essential to run a distro with a convenient update mechanism and a publisher who's non-moribund. Then patch the apps. Of course, run only what you must run, and run only at the privilege you need for what you're doing. You might run an antivirus package for Linux occasionally.

I haven't heard of the same sort of phishing and commercially-driven spyware/adware droppers for UNIX, yet. Likewise for Mac, which is otherwise solid BSD underneath, of course.

Caveat: the above is parroted from my betters, by one who's only partially informed, and not to be taken as a guru utterance.

rlohmann
December 17th, 2005, 06:29 PM
There are plenty of exploits, and you must keep yourself patched. That's why it's essential to run a distro with a convenient update mechanism and a publisher who's non-moribund.

I have both from Novell, which recently bought the SuSE Linux distro from its originators in Nuremberg. Novell has continued the aggressive security-update mechanism that was included with earlier SuSE distributions.

Of course, run only what you must run, and run only at the privilege you need for what you're doing.

The nice thing about Linux is that it defaults to a restricted mode. Every installation you download requires a superuser password, and when that's finished, you revert to peasant status. It's possible to do this with Windows, but it's so complicated that it's totally impractical.

You might run an antivirus package for Linux occasionally.

I haven't seen any out there.

I haven't heard of the same sort of phishing and commercially-driven spyware/adware droppers for UNIX, yet. Likewise for Mac, which is otherwise solid BSD underneath, of course.

Mac OS is BSD? You're kidding!

Caveat: the above is parroted from my betters, by one who's only partially informed, and not to be taken as a guru utterance.

<pondering that, and sneering on general principles> :)

Jeff
December 18th, 2005, 12:57 PM
Jeff,

You mean like this?

207-237-113-##.c3-0.80w-ubr#.nyr-80w.ny.cable.rcn.com

That's simply a reverse lookup that sites like checkip.dyndns.org can supply.

Careful with that additional wifi card messing up IBM's auto wireless gizmo. Should work, but....

Actually my full report looks like this: c-67-162-xxx-xx.hsdx.co.comcast.net
HighSpeedDigitalx.Colorado (Can't we keep the google bots outta here?)

I've been a little worried about the interaction of the built-in and the card, and just this morning I've discovered that the little 'tech' utility to talk to the router reports remaining DHCP lease time. Now I'll know when to turn off the router to recycle the IP. Comcast seems to be unaware that if the router is never turned off at the right time the IP doesn't change, although it's supposed to be 'dynamic'. Well yeah, like a dialup IP is dynamic I spose.

Except with Comcast cycling the router does not cycle the IP; been there done that. Apparently the router has to be off when the lease expires. I'll know in a day and a few hours.

Mike
December 18th, 2005, 06:45 PM
Question. I ran Shields Up against my wireless router (with Sygate also in play) and all was stealth except ping.
Within the router's settings there should be an option that looks something like "ignore pings from WAN" or "allow pings from external IP addresses."

Find that setting and change it to whatever appears to disable the pings.

fhaber
December 19th, 2005, 09:54 AM
Correct. I should have mentioned that. I will say that a simple echo response to an ICMP ping is sometimes good net citizenship, rarely does harm, and may be required when your ISP does diagnostics. Be prepared to restore the setting, at least temporarily.

Jeff
December 19th, 2005, 12:39 PM
Correct. I should have mentioned that. I will say that a simple echo response to an ICMP ping is sometimes good net citizenship, rarely does harm, and may be required when your ISP does diagnostics. Be prepared to restore the setting, at least temporarily.

ISP does diagnostics... Yup. The router is a Linksys, with an "operating mode" of "cable home". IOW a custom Comcast setup, with no 'disable ping' in sight. Comcast is the ISP and I know they can see the insides of the router from Canada where CS is; I've been on the phone with them when they've done that. I'm ok with ping, I just didn't know why the router would be responding.