×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

The Current State of the Malware/AntiVirus Arms Race

Zonk posted more than 6 years ago | from the watch-out-for-weblife dept.

Security 139

An anonymous reader writes "An article at Net Security explores how malware has developed self-defense techniques. This evolution is the result of the double-edged sword of the malware arms race. Anti-virus technology is ever more advanced, but as a result surviving viruses are increasingly sophisticated. What Net Security offers is a lengthy look at the current state of that arms race. 'There are many different kinds of malware self-defense techniques and these can be classified in a variety of ways. Some of these technologies are meant to bypass antivirus signature databases, while others are meant to hinder analysis of the malicious code. One malicious program may attempt to conceal itself in the system, while another will not waste valuable processor resources on this, choosing instead to search for and counter specific types of antivirus protection. These different tactics can be classified in different ways and put into various categories.'"

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

139 comments

When programers fight... (5, Funny)

Coraon (1080675) | more than 6 years ago | (#19731489)

it's the computers that suffer. Wont someone please think of the computers?!

Re:When programers fight... (3, Funny)

Dimentox (678813) | more than 6 years ago | (#19731525)

WARNING WORM DETECTED: By reading the parent you have been infected with the new slashdot worm. To remove it Please click here

Re:When programers fight... (1)

Dunbal (464142) | more than 6 years ago | (#19731827)

maybe not the slashdot worm but I HAVE noticed that a small flash window appears over my username (under "Slashdot it is what IT is", top left) from time to time. Seems like I can't see my personal info without clicking this flash window unless I manually close it.

Re:When programers fight... (0)

Anonymous Coward | more than 6 years ago | (#19731649)

Wont someone please think of the computers?!

Who cares about the computers? I, for one, have executed many a computer with my HK .40USP. I have also beaten a few to death with hammers.

Re:When programers fight... (2, Funny)

e9th (652576) | more than 6 years ago | (#19731991)

I tried that, but it was really expensive. After some tweaking, I discovered that it was better to have my computers execute instructions.

Re:When programers fight... (0)

Anonymous Coward | more than 6 years ago | (#19732101)

better to have my computers execute instructions
Won't anyone think of the instructions!?

Re:When programers fight... (0)

Anonymous Coward | more than 6 years ago | (#19733081)

Hanging 1s is easy, haven't figured out how to hang 0s though. Shooting them is also fairly difficult. Anybody found a good way to execute 0s?

Re:When programers fight... (0, Offtopic)

truthsearch (249536) | more than 6 years ago | (#19731753)

I'm not sure which is funnier, your comment or the fact it was moderated insightful.

Re:When programers fight... (0)

Anonymous Coward | more than 6 years ago | (#19731763)

Please no 2/3 page of ads sites, lets the malware in

Re:When programers fight... (0)

Anonymous Coward | more than 6 years ago | (#19731769)

You mean the microcomputers are suffering. Mainframes are doing just fine, thank you.

Re:When programers fight... (1)

UncleTogie (1004853) | more than 6 years ago | (#19733007)

You mean the microcomputers are suffering. Mainframes are doing just fine, thank you.

Are you forgetting the Worm of '88 [wikipedia.org]? NEVER assume, for as we all know, when you do you make an ass of Uma Thurman.

Re:When programers fight... (1)

DigiShaman (671371) | more than 6 years ago | (#19733197)

No, but the user sufferx when they have to upgrade the CPU and RAM just to handle the code bloated protection. Without it, their machine is 0wned.

Pick your poison indeed!

Viruses will never go away (2, Insightful)

Rosco P. Coltrane (209368) | more than 6 years ago | (#19731549)

not because virus writers are clever, but because A/V companies are always very careful not to make too successful products, otherwise they'd kill the golden goose.

Re:Viruses will never go away (3, Insightful)

doti (966971) | more than 6 years ago | (#19731655)

And how will they compete with Free software anti-virus?

Re:Viruses will never go away (1, Insightful)

smitty_one_each (243267) | more than 6 years ago | (#19732083)

F/OSS, itself, is the ultimate anti-virus.
a) keeping the source code in plain sight,
b) having a plethora of distributions similar enough that skills transfer, but sufficiently different that many kinds of attackes are harder,
c) not treating the users and admins like a bunch of sheep, but instead requiring they learn a bit
are three reasons you hear far less about virus attacks in the non-proprietary world.
Someone will supply the counter-argument that lack of market penetration == lack of virus penetration, and I will yawn and enjoy a relatively un-penetrated life.

Re:Viruses will never go away (4, Funny)

42Penguins (861511) | more than 6 years ago | (#19732223)

and I will yawn and enjoy a relatively un-penetrated life.

That's pretty much a given here on /.

Re:Viruses will never go away (1)

dave562 (969951) | more than 6 years ago | (#19733813)

I think you need to change it to "un-penetratING life." and then you're right on target. Even geek girls can get penetrated on a regular basis.

Re:Viruses will never go away (0)

Anonymous Coward | more than 6 years ago | (#19733405)

Maybe they should first start competing with the NULL antivirus.

That is, outages and information loss due to antiviruses (false positives, bugs, vulnerabilities) has, after outbreak x (slammer, blaster?) caused more damage than malware. Thats what I've been hearing in any case.

Re:Viruses will never go away (1)

doombringerltx (1109389) | more than 6 years ago | (#19731735)

Its true! All the anti-virus companies got together and decided it. They sat around in suits smoking cigars and cackling. Yeah... Yeah... Thats it!

Oh please... (4, Insightful)

Opportunist (166417) | more than 6 years ago | (#19731847)

This conspiracy is about as old as the AV industry. At least you spared us this time the drivel about AV vendors first of all creating malware so they can sell their stuff.

Basically it's impossible to write the perfect AV software. It simply does not work. The perfect AV software could, of course, exist: Simply disallowing ANY kind of user interaction and installation of additional products. Perfect computer. Useless, but perfectly safe.

The problem is that malware does not use anything "special" that makes it easy to say "something that uses function X or accesses Y is malware". Doesn't work that way. What malware does it usually not much different from normal program activity. They access the windows registry, create keys there, they create and alter files (not necessarily system files, which would be "suspicious" behaviour to say the least), they plug into Internet Explorer, they open ports for incoming connections, they transfer data to and from the computer.

It's not anything that is by defintion "bad". How'd you want to create the "perfect" AV product?

Re: Oh Please... (2, Insightful)

a-zarkon! (1030790) | more than 6 years ago | (#19733511)

It seems to me that the malware authors are putting at least if not more effort into research, development, and quality assurance than the major OS and AV vendors expend on improving their products. I wonder if that is a function of the malware authors being compensated more directly as a result of their efficiency? They don't appear to be trying to bundle a "malware suite" or get additional revenue from licensing and support.

I wonder if AV vendors would be able to deliver a better product if they cut overhead and simply focused on developing and maintaining a product that worked efficiently and effectively for a decent price. I know I would prefer an AV solution that just did anti-virus very well and didn't involve a hard-press sales call every other week to evaluate their "security suite."

Re: Oh Please... (1)

twistedsymphony (956982) | more than 6 years ago | (#19734395)

I wonder if AV vendors would be able to deliver a better product if they cut overhead and simply focused on developing and maintaining a product that worked efficiently and effectively for a decent price. I know I would prefer an AV solution that just did anti-virus very well and didn't involve a hard-press sales call every other week to evaluate their "security suite."
I've been using NOD32 on my windows machines for a while now and have been quite pleased with it... my machine has been squeaky clean since I started, I never get pushed to buy some upgraded product, it hardly uses any resources to the point where the only time I even know it's running is when it catches a virus. IIRC it's not all the expensive either (I think I paid $35 for the software+ a years worth of subscription).

I had various versions of Norton until a friend recommended me NOD32 about 2 years ago and I haven't looked back. I only comment because it sounds like it fits your description for what you look for in an AV program...

Re: Oh Please... (1)

doti (966971) | more than 6 years ago | (#19735169)

I wonder if AV vendors would be able to deliver a better product if they cut overhead and simply focused on developing and maintaining a product that worked efficiently and effectively for a decent price. I know I would prefer an AV solution that just did anti-virus very well and didn't involve a hard-press sales call every other week to evaluate their "security suite."
You just described a Free anti-virus.
Just substitute "vendors" for "developers/contributors", and "decent price" for "free".

Re:Oh please... (1)

FJGreer (922348) | more than 6 years ago | (#19733651)

Make some software that does your idea of Perfect AV (no user interaction) until the user an answer five questions about practical computer security correctly--every time they log in. If that doesn't have them getting wise in droves, I'll start giving the software away and charging to remove it (by answering 5 questions and hitting 'Uninstall').

Re:Oh please... (2, Interesting)

Vitriol+Angst (458300) | more than 6 years ago | (#19734027)

Wow.

Thanks for the usual post about; "there aren't any conspiracies" -- now THAT is a pretty flimsy theory. People get together in groups to figure out how to profit from others, or do something that they don't want people to know about. Wow, that NEVER happens. What was I thinking?

I think the almost PERFECT AV software can be made. You basically TRUST the applications and processes already running on a system. Any NEW process that enters the system, but be acting in a defined way and only allowed access to what it has permissions for.

So you need tokens, permissions, and a AV software that looks at what viruses DO -- rather than this mickey-mouse "signature" technique, that I'm sure has done a great job in creating a market for moving a few "1's" and "0's" around to roll out the next virus.

On the Mac, you not only have to use an Admin password to install a new application -- even running as an Admin, you have to "approve" the application opening a file the first time. The only weakness in this system is that it goes by name -- and a virus could be called "Photoshop." But with all of the reasonable actions set up on the Mac, and the fact that there is no ECONOMY for viruses -- there are few viruses.

There could be a lot more done, to protect an OS -- other than hope that every exploit like a buffer overrun on whatever the next function added to an application will be.

As long as devices communicate -- there is an opportunity for viruses -- just like in our own immune systems. But with computers, there is an opportunity to do a better job of "white listing" SAFE sources, and letting things run for a bit in a sand box, and only allow them to do certain things. It's that last bit that, even permissions don't effectively address. Should all applications be able to write ANYWHERE that the permissions allow? Perhaps not. Perhaps the permissions of WHAT an application can DO are more important than setting that on directories and files.

But the "perfect AV product" isn't the issue -- there isn't even a serious attempt to get rid of Malware in the first place. A product that could do that would kill the market.

Re:Oh please... (1)

QuoteMstr (55051) | more than 6 years ago | (#19734631)

How is an AV program supposed to distinguish an in-process Explorer COM extension from Explorer itself?

Re:Oh please... (1)

A non-mouse Coward (1103675) | more than 6 years ago | (#19734167)

How'd you want to create the "perfect" AV product?

Well, for starters, let's limit the attack surface significantly by blocking all executable code that is not on the guestlist (think "whitelist" or "default deny"). We'll certify apps we want on our systems and block everything else. That's the only way we can effectively eliminate all of the grayware and stop today's typical new virus variant (which, although not technically a zero-day, is similar in nature to the sysadmins since the AV signatures have to play catch up). An interesting by-product is increased adherence to strict change control practices. [Does the rate of new application adoption in your org have a curve like this [f-secure.com]?]

Second, let's have an OS that can separate data objects from executable objects in memory, thus preventing code insertion (buffer overruns). Not an optional kernel memory management function (nX [wikipedia.org]), but a true requirement for all applications compiled to run on the platform.

Third, let's leave users in least privilege [wikipedia.org] mode, so system-level malware is not possible. Again, the interesting by-product is better change control.

Fourth, let's use mandatory integrity levels [wikipedia.org] (or something similar) to ensure that one application does not automatically affect other user-level data. This will prevent the threats that will happen as soon as the other 99% of sysadmins figure out the least privilege concept for their users-- malware will turn to exploiting userland processes and data.

Fifth, let's have applications (i.e. browsers) that follow the same principles the OS does and separate dynamic code objects from data objects as well as not allowing executable code from source A to run as if from source B (think XSS). While we're at it, make sure the applications are designed to not confuse data objects as executable code (think input sanitization).

Sixth, let's make sure the whole process from hardware init to boot up to userland apps is trustworthy. That probably means something along the lines of TPMs [wikipedia.org], and nixing the possibility of device drivers overwriting memory via DMA (think IOMMU [wikipedia.org] or similar). [Why hasn't it been seen as a bad thing that your USB keyboard driver, regardless of whether it runs in kernel space, can overwrite kernel memory via DMA?]

Where does that leave us? Oh yeah ... that combination does not exist on any platform yet!!! My thought on the religious wars debate (which inevitably pops up whenever the topic of malware comes up): they all suck! Maybe MINIX [minix3.org] with IOMMU has a chance (also not available today).

A question about diminishing returns (3, Interesting)

Bombula (670389) | more than 6 years ago | (#19734531)

At what point is it simply not worth the effort to write a new virus?

I assume it's getting more and more difficult to write viruses as time goes by - is that correct? If this is indeed an arms race, then one side or the other is going to run out of time and energy and money sooner or later, and I'm guessing it won't be the AV companies since there's so much at stake.

Re:Viruses will never go away (1)

ushering05401 (1086795) | more than 6 years ago | (#19731871)

"...because A/V companies are always very careful not to make too successful products, otherwise they'd kill the golden goose."

While you may have something there, I tend to believe that anyone who is constantly aiming at a moving target is going to come up a little short. What is an O.S. but a moving target?

IMHO the true golden goose is the consumer (or corporate buyer) who has been trained to believe that newer is synonymous with better... I believe this is the mindset that allows software vendors to pawn off 'upgrades' that actually help the malware authors keep one step ahead of the game.

The A/V companies should not be blamed for simply being in the right place at the right time in the evolution of technology. After all, if they did not exist now, the practices currently dominant in the market would necessitate their creation.

Regards.

Re:Viruses will never go away (1, Troll)

freedom_india (780002) | more than 6 years ago | (#19731893)

Actually i had a bad experience yesterday just a clean install of XP with all updates.
I had installed Avast, Spyware blaster, XP firewall (enough as my prior experience with kerio led to a reinstall).
I paused avast ondemand scanner to rip a DVD. XP prompted me and i just dismissed it.
Then after 1 hour i forgot to resume avast, and connected to net.
Somehow i got infected even though used opera.
Avast full scan picked it, but could not completely wipe it.
An update and a call later i was able to remove it.
It was a pain
 

Re:Viruses will never go away (2, Insightful)

kestasjk (933987) | more than 6 years ago | (#19733379)

This XP install has been going for over a year and hasn't got malware yet, and I don't use any anti-virus or anti-spyware apps. If you don't download spyware, use some common sense, and run under a user account and not an admin you don't get malware.

Re:Viruses will never go away (4, Funny)

gardyloo (512791) | more than 6 years ago | (#19733655)

This XP install has been going for over a year

    Geez, and I thought Gentoo was supposed to take a while.

Re:Viruses will never go away (2, Insightful)

MajinBlayze (942250) | more than 6 years ago | (#19733833)

This always makes me laugh:

hasn't got malware yet
followed by:

I don't use any anti-virus or anti-spyware apps
Honestly, I used to have the same view; Then one day I was having some hd problems, and started watching traffic. After restarting my computer, it wouldn't boot, as something had corrupted my MBR. After that, I learned not to trust so much, and ultimately got interested in Linux. If for nothing more than the fact that there are fewer viruses/malware for the platform.

Re:Viruses will never go away (1)

tyler.willard (944724) | more than 6 years ago | (#19732357)

No. They don't.

This is just a tired old cannard. It's the same nonsense as "t3h AV companies write the VIRUSES!!1!".

Re:Viruses will never go away (2, Interesting)

HomelessInLaJolla (1026842) | more than 6 years ago | (#19733115)

Are you saying that every single one of the best AV software authors are too stupid to be able to write malware?

Or are you suggesting that every single one of the best AV software authors are, by some supernatural intervention, of such outstanding moral and ethical calibre that they would never do such a thing?

Or are you implying that every single one of the best AV software authors are so completely, single-mindedly, dry that they would never consider the academic exercise of writing extremely low-level "system administration software"?

Or are you trying to spread the idea that every single one of the best AV software authors are such mindless automatons that they would never brainstorm about new and novel malware methods in their course of duties?

And, if you're going to be rational enough to point out that "every single one of" is a little bit extreme, just what percentage of the global group of AV software authors do you suppose falls into the above categories? Of those, how many of them have family members, friends, social colleagues, or professional associates who have access to their ideas and experimental code and, of those family members, friends, social colleagues, or professional associates, what percentage of them meet the criteria of saintly moral and ethical fibre?

I think it's obvious that you're very wrong to dismiss the idea that a good portion of 0-day exploits and malware comes from inside the professional sector as "conspiracy theory" or "canard".

Re:Viruses will never go away (1, Informative)

Anonymous Coward | more than 6 years ago | (#19733783)

And I suppose that the Home Security System people are also the ones who rob people's houses, since they know who does and doesn't have an alarm installed, eh? All those people at ADT are just part of a big protection racket I tells ya...

Lets face it, there's enough bad people in the world to blame crime on without resorting to conspiracy theories to explain it.

Re:Viruses will never go away (1)

MajinBlayze (942250) | more than 6 years ago | (#19733873)

You are confusing "AV companies may write Viruses" (regardless of whether they release them)with "All viruses are written by AV companies"

Re:Viruses will never go away (1)

Vitriol+Angst (458300) | more than 6 years ago | (#19733883)

Said another way;
As long as you have Anti Virus companies that profit from virus protection -- you won't get rid of viruses. Just look at the bounty system for entrepreneurial people who submit new viruses to the major venders and you will see part of the problem. In this one case, I think it is right for Microsoft to build virus protection into the OS -- because then malware becomes a cost to their OS profit and a support headache. Unless there is an incentive for a CURE -- you won't get any.

Same reason you will see cures coming from countries that treat sick people as a cost, rather than health care as a cost.

Or countries like the US, where there are businesses that profit from warehousing criminals. There is too much money and power wrapped up in keeping things illegal. It isn't the drugs causing most of the trouble -- it's the money.

Seems to almost be some sort of Universal wisdom that we can glean from this.

If you don't want parasites on a system -- you don't create a healthy environment for them. Things that you want to get RID OF, should be a cost against profits -- not a source of revenue.

Same reason we shouldn't be taxing the middle class for Labor, unless we actually want to get rid of Work. Perhaps we should start taxing imports -- to reduce those and put Americans to work. What a far-fetched idea!

Evolution? (3, Funny)

truthsearch (249536) | more than 6 years ago | (#19731585)

Malware evolution? That's just theory and conjecture. If god had wanted our computers to be free of viruses he wouldn't have invented Microsoft.

(There goes some karma.)

From TFA (4, Informative)

Chris Tucker (302549) | more than 6 years ago | (#19731589)

"This article will only examine malicious programs written for the Windows operating system (and its predecessor, DOS) due to the rarity and relatively small number of malicious programs for other platforms."

OK, you had to go to the second page of TFA to see this, but at least they came right out and said that Windows is the primary and almost exclusive target of malware.

Unlike almost every other article about viruses and malware in recent years.

Mac OS X: Because it was easier to make UNIX user friendly than it was to fix Windows!

Re:From TFA (1)

Uthic (931553) | more than 6 years ago | (#19731773)

Or at least it's partly because Windows has a larger user base. More targets justify the time to attack, after all. Interesting read though, this must be interesting work for, well I guess both malware and anti-malware app authors. :P Not liking the ads on the site though

Re:From TFA (2, Insightful)

Opportunist (166417) | more than 6 years ago | (#19731913)

Hey, there is rather little malware for Vista! For the same reason there is virtually none for Mac or Linux: It doesn't pay.

Why is there very little "commercial" malware for Firefox? Firefox has quite a few security bugs and holes that can be exploited for phishing and identity theft, still, virtually all commercial malware relies on WinXP and IE. Why? Because of the numbers.

Writing malware for IE means that you can infect about 3/4 if not more of possible targets, while malware for FF means you will reach about 1/4 at best. So for which one do you develop if your goal is to infect as many targets as possible?

Since today most malware kits rely on user stupidity rather than system flaws, the system's own security is no deciding factor anymore. I'd rather attribute it to the number of possible targets and, of course, that the malware writers are used to the Windows architecture and can (ab)use it very creatively.

Re:From TFA (3, Insightful)

kebes (861706) | more than 6 years ago | (#19732267)

Market share is certainly a factor, but I think it's a stretch to say that it's the only factor.

Let's say some nefarious guys are trying to get their malware installed on everyone's computers. So they buy some exploit code that targets IE. They say "Great, this will infect 3/4 of the computers out there!"

Now if these malware distributors are approached by some other guy who says "I can sell you exploit code that targets Firefox"... do you think the malware distributors will say "no thanks" or will they say "Great, that covers the other 1/4 of computers out there!" (Maybe they will pay less for that exploit, but they will surely use it if it's available.)

Since Firefox's market share is not insignificant (10% to 25%?), there should be a market for such exploits. Similarly, there should be a market (perhaps smaller, but still a market) for the 4% Mac users. It appears that despite this, the targeting of Mac and Firefox is very much less than Windows/IE (more than can be accounted for by market share alone).

I'm sure that part of it has to do with market share. However inherent security is also part of the equation. (And frankly I don't know why such a statement is so controversial on Slashdot... why should security be based on only one factor in the first place?)

Re:From TFA (4, Informative)

Opportunist (166417) | more than 6 years ago | (#19733215)

Security is by definition the minimum of the system's capabilities and the user's. When the system can't hold its water (or data), the user can be the best security guru in the world and it is insecure. Likewise, the system can be as tight as possible, with a clickmonkey at the helm it is hopeless (provided it's an all purpose machine that doesn't restrict the user's ability to cause havoc).

Still, market share is a key factor when it comes to malware. Malware "kits" cost a wee bit of money, ranging from a few hundred to a few thousand USD, depending on sophistication and "additional services" (let's not get into too much detail, you get the idea). Basically, everyone develops for IE on a WinNT core machine. Why? Market.

Yes, there would be a market for FF exploits. But it's smaller. Development costs are pretty much equal for FF and IE exploits, and you can not really develop a "generic" exploit that targets both, unless you target the OS underneath and not the browser itself (that happens too, but generally requires a lot more knowledge about the OS itself, and it is by far less flexible). Since the cost of spreading malware is roughly equal for whatever you want to land, and doing so is not really cheap, attackers usually try to maximize their efficiency by limiting themselves to the most popular OS/browser combination (provided they want to do ID theft attacks). At the very least, they will limit themselves to the most popular OS.

The limiting factor here isn't that the "kit" itself would be costy. Yes, you might have a FF exploit kit available and you'd sell it for a fraction of the IE kit (but why should you, you could more easily develop an exploit kit for IE (there are effing templates for it in VC!) and cash in). But the spreading cost for either malware stays the same.

Thus the usual exploit targets IE/WinXP. Should the market share of FF rise, I'd wager to about 35-40%, we'll probably see mass spam of FF targeted malware, due to people using FF feeling secure and are thus maybe less wary. It might happen. But generally, you'll never see masses of malware for non-mainstream targets (OS, browser, webserver...). The cost of spreading is the same, no matter what your target is. So why shoot at something but the biggest target?

Re:From TFA (2, Insightful)

sid0 (1062444) | more than 6 years ago | (#19733769)

Not to mention the fact that the average Firefox/Linux/OS X user is smarter than the average Windows n00b, and would never open an executable email attachment.

Re:From TFA (1)

moosesocks (264553) | more than 6 years ago | (#19735109)

Pardon my ignorance, but what sort of mail client these days actually lets you do that?

Most if not all mail servers scrub anything that remotely looks like an executable. If it somehow does get through, any remotely intelligent mail client won't let you open it without displaying a very obvious warning.

Of course, there are some very fundamental security flaws in Windows that need to be addressed. I really don't buy the argument that there's not much malware for Linux/Mac/Firefox simply because of a smaller userbase.

Re:From TFA (0)

Anonymous Coward | more than 6 years ago | (#19733383)

Aw turns out that posting cliches and spreading FUD deserves insightful mod

There be Sharks! (1)

exi1ed0ne (647852) | more than 6 years ago | (#19734095)

Hey, there is rather little malware for Vista! For the same reason there is virtually none for Mac or Linux: It doesn't pay.
It's the same reason you don't need to be the fastest swimmer to get away from a shark. As long as you aren't the slow one, you're set!

Lack of Specifity on Infection Vectors (3, Interesting)

Cr0w T. Trollbot (848674) | more than 6 years ago | (#19731621)

My brief overview of the article leads me to believe that it's long on general malware theory, and short on the specifics of current malwear infection vectors as opposed to techniques. I believe that most of the readers of Slashdot are familiar with how a rootkit works. Far more valuable would be a breakdown of the most common infection vectors for rootkits right now. Is it TCP/IP stack overflows, Active-X controls, e-mail trojans, or old-fashioned human error?

Fruthermore, "trends" in malware construction obscure the reality that certain software packages (Windows, IIS) are otrders of magnitude more vulnerable than others (OS X, Linux, Apache). The unstated elephant in the room is that 95-99% of malware attacks are due to Microsoft vulnerabilities.

Crow T. Trollbot

Re:Lack of Specifity on Infection Vectors (2, Informative)

another_fanboy (987962) | more than 6 years ago | (#19731819)

The unstated elephant in the room is that 95-99% of malware attacks are due to Microsoft vulnerabilities.
Microsoft's dominance over the market makes it more enticing to malware writers, regardless of how many vulnerabilities it has. If damage is their desire, they want the most damage; if it is a zombie network, they want the biggest zombie network.
If linux ever manages to overtake windows, it will become the primary target.

Re:Lack of Specifity on Infection Vectors (1)

FJGreer (922348) | more than 6 years ago | (#19733867)

If linux ever manages to overtake windows, it will become the primary target.
A much harder to hit target. Honestly, while I can think of scores of ways to attack a system through running services (SQL injection, the occasion buffer problem, etc) I can't think of a single way a worm or virus could work effectively. The one proof-of-concept Linux worm I have seen (can't remember a reference) could only infect a regular account that ran a certain version of Firefox. One might lose data, yes, but it would a be a trivial fix. (mount -o ro /home, judicious file removal) You could write a Trojan for any platform, and it's possible to get root once you get access to an account.

But short of a direct attack at a single computer, I can't imagine a situation similar to a Botnet ever working in the Linux world. Also, it requires a certain amount of knowledge on a users part to run Linux, ergo the average linux user (even of the future I bet) will probably notice an infection and kill it. (Somehow I don't think that Linux viruses will be immune to a LiveCD and rm -f)

Re:Lack of Specifity on Infection Vectors (0)

Anonymous Coward | more than 6 years ago | (#19731937)

That's more or less unknowable.
By their very nature, malware infections that affect real users _affect real users_.
This or other researchers obviously can't get any kind of statistical insight into common avenues of malware infection without some kind of uber-monitoring daemon that would be installed on millions of consumer pc's, reporting back to antivirus-hq the moment it saw a malware infection
(and then the question becomes
1) if you can detect it, why don't you prevent it.
2) how do you prevent malware from preventing you from reporting on it?

Mostly user stupidity (1)

Opportunist (166417) | more than 6 years ago | (#19731965)

From my point of view, at least. Most malware today comes along as "invoice.pdf.exe" attachment to mails that allegedly come from "lawyer" (no, no name. "lawyer"). And similar rubbish.

The lastest big thing are hijacked server pages that serve you malformed frames for infection, but even that still needs a bit of user interaction to become really "useful".

Essentially, what it comes down to is the user. There is of course the bimonthly exploit in some MS package, usually with surprisingly little impact in the whole picture, but generally, most "commercial" malware writers don't get so sophisticated. They rely on social engineering and pure user stupidity.

And, unsurprisingly the success proves them right.

Re:Lack of Specifity on Infection Vectors (1)

CautionaryX (1061226) | more than 6 years ago | (#19734471)

Far more valuable would be a breakdown of the most common infection vectors for rootkits right now. Is it TCP/IP stack overflows, Active-X controls, e-mail trojans, or old-fashioned human error?

From what I understand, putting a Sony music CD into your CD-ROM drive is a common rootkit vector.

On a more serious note I've noticed a trend in my daily computing experience that tells me that viruses and worms may be on the way out. Although still dangerous and prevalent, I haven't had any encounters with them for the past 5-6 years. However I've had multiple encounters with trojans and ad/spyware - and I hear rootkits are on the rise. So, are the days of worms/viruses like Lovebug and MSBlaster numbered?

Re:Lack of Specifity on Infection Vectors (1)

keithjr (1091829) | more than 6 years ago | (#19735597)

Unfortunately, a compromised system is more than its own worst enemy. Could not a botnet built up of Windows machines still cause trouble for an apache server? This, in my opinion, is the real threat here: vulnerabilities in mainstream OS's that mean trouble for EVERYBODY.

No mention of the effect of whitelisting? (2, Insightful)

Anonymous Coward | more than 6 years ago | (#19731697)

There doesnt seem to be any mention of whitelisting in the arms race between malware and desktop management systems in this article. Companies like Trinamo are championing the approach of designating only a handful of applications as being "approved" for execution, denying viruses, trojans, malware, and other junk like toolbars a chance to run before they can do any harm. They have a bunch of free information on the subject online. http://www.trinamo-solutions.com/downloads/downloa d.html [trinamo-solutions.com]
This story is all over industry security portals at the moment, and has appeared in theregister, securityfocus, and others.
Jack

Re:No mention of the effect of whitelisting? (1)

apathy maybe (922212) | more than 6 years ago | (#19731839)

This reminds me of the first anti-virus software (and of course, I can't find a reference on the web...). Apparently, the software simply took a "snapshot" of the system and if anything changed, reverted it back.

This is a great way of doing things for corporate systems. Lock the system down so tight that no software not approved can modify any system files (or even, make it so that no software can modify system files...).

For home systems it is slightly more complicated 'cause there isn't a central IT team. What you could do is lock down user accounts so that software not installed by the admin only runs in a sandbox (perhaps cleaning it after every login?) and can only access files in that sandbox. You could also make certain partitions "non-executable" so that files can't even be run on them.

The only trouble with that final idea is that user systems vary so much that you couldn't make a user OS that would easily automatically partition a system that would work for everyone.

So, where was I? Ah yes, it isn't that hard (theoretically) to lock systems down so that they don't (can't) get malware, why are systems designed that way?

Re:No mention of the effect of whitelisting? (2, Insightful)

Control Group (105494) | more than 6 years ago | (#19731903)

Your idea boils down to making the computer no longer a general-purpose device. This, obviously, defeats the purpose of having a computer in the first place.

An awful lot of modern malware doesn't comprise "viruses" in the classical sense, it comprises trojans. The only way to absolutely prevent a trojan from running is by preventing the user from running arbitrary software. This may fly in a corporate environment, but never for home use.

Basically, it comes down to either being vulnerable to malware, or not letting the computer do what the user tells it to.

(The latter, of course, being the driving force behind so-called "trusted computing"...which is pretty much exactly what you're advocating)

Re:No mention of the effect of whitelisting? (1)

apathy maybe (922212) | more than 6 years ago | (#19732643)

Actually, not quite...

For a corporate environment, yes prevent the user from running any software that isn't installed (which does prevent it being a "general-purpose device", but only to the extent that you can't run everything).

For the home user, set up the system so that the system files (and all the applications) are installed in a place where ordinary users can't change them. Then you force them (ordinary users) to run any other software that they want, in a sandbox.

Of course, you don't do away with administrator accounts.

What I propose is not to prevent users doing what they want with their own hardware/system, but simply make it a little bit harder for the uneducated user to fuck the system up. Most X/GNU/Linux distros when being installed ask for a user account as well as a root password. Why? Because running as root all the time is generally fucking stupid.

You mould the system so that the users only install software from the repositories, and if they use software that isn't signed, then it runs in a sandbox.

It should be possible to do all that right now with a Linux or BSD kernel.

And of course, anyone with specific needs can get around all these restrictions, because they have the root password... (which is why my idea isn't like untrusted computing).

Re:No mention of the effect of whitelisting? (1)

turbidostato (878842) | more than 6 years ago | (#19734067)

"For a corporate environment, yes prevent the user from running any software that isn't installed"

You mean Microsoft Office cannot be used on a corporate environment, do you? I knew about malware exploiting due to Microsoft Office usage, so you either don't use Microsoft Office or you are exposed to malware.

Re:No mention of the effect of whitelisting? (1)

MajinBlayze (942250) | more than 6 years ago | (#19734099)

Absolutely rediculous:

Actually, not quite... For a corporate environment, yes prevent the user from running any software that isn't installed (which does prevent it being a "general-purpose device", but only to the extent that you can't run everything). For the home user, set up the system so that the system files (and all the applications) are installed in a place where ordinary users can't change them. Then you force them (ordinary users) to run any other software that they want, in a sandbox. Of course, you don't do away with administrator accounts. What I propose is not to prevent users doing what they want with their own hardware/system, but simply make it a little bit harder for the uneducated user to fuck the system up. Most X/GNU/Linux distros when being installed ask for a user account as well as a root password. Why? Because running as root all the time is generally fucking stupid.
Agree with you so far.

You mould the system so that the users only install software from the repositories, and if they use software that isn't signed, then it runs in a sandbox.
Ok, interesting, and similar to something I would recommend, but why should code from the repositories (outside system executables) be exception to this? Is there no possibility of bugs/exploits here?

It should be possible to do all that right now with a Linux or BSD kernel. And of course, anyone with specific needs can get around all these restrictions, because they have the root password... (which is why my idea isn't like untrusted computing).
What seems to be missing is this; There is nothing stopping one program from interfering with the config files, etc of another. At this point, most (all) user software runs with the permissions of the user. If this were extended out to application-level permissions, I think we would be well on our way to malware-free computing. For example: a web browser could be granted permissions for network access, as well as read permission on files ending in .html, xml, whatever (even seperated by mime-types). Then, your processor would not be able to touch the network, but could probably be set to read text mode files, and write to files when selected by the user (would have to have OS level support for open/close dialogue boxes).
It seems that this would not be vastly different than the current user/group setup, but would have to expand permissions to include applications/application groups.

Re:No mention of the effect of whitelisting? (1)

turbidostato (878842) | more than 6 years ago | (#19734029)

"Basically, it comes down to either being vulnerable to malware, or not letting the computer do what the user tells it to."

Basically, I've using my computer in whatever way I saw fit, with no antivirus, for more than six years with no direct malware sufferings. On a side note, that's exactly the same time span that I didn't use any Microsoft product.

Somehow, it seems it's possible.

Bit9's ParityDesktop (0)

Anonymous Coward | more than 6 years ago | (#19732389)

Perhaps you mean the ParityDesktop software from Bit9 [bit9.com].

Re:No mention of the effect of whitelisting? (0)

Anonymous Coward | more than 6 years ago | (#19731945)

How is this news? Windows has supported whitelisting since XP, and maybe before. There are all kinds of options like only running signed apps (and you control the local certificate store, so you decide whose signatures to accept) or only allowing certain ActiveX controls to run in IE (I use this to block everything except flash and msxml).

It's very useful.

Re:No mention of the effect of whitelisting? (2, Funny)

Brad1138 (590148) | more than 6 years ago | (#19733465)

Maybe Microsoft could have a pop up for every process that tries to run, then YOU would have controll. Ya, that sound likes a great idea.

Re:No mention of the effect of whitelisting? (0)

Anonymous Coward | more than 6 years ago | (#19734111)

Sorta sounds like SELinux.

They forgot one! (1)

ILuvRamen (1026668) | more than 6 years ago | (#19731709)

OMG I can't believe they didn't mention the technique of codependant programs that start each other when the other ends. That way you can never delete either one cuz the other one never lets it stop running. That one pisses me off the most :(

Re:They forgot one! (2, Informative)

syntaxeater (1070272) | more than 6 years ago | (#19731789)

http://www.microsoft.com/technet/sysinternals/util ities/ProcessExplorer.mspx [microsoft.com]

It's essentially a beefed up task manager that allows you to suspend and kill specific threads and processes.

Re:They forgot one! (1)

Aladrin (926209) | more than 6 years ago | (#19731973)

Wow, I had not seen that before. That -would- be a lot better than just being really, really fast at killing processes. Heh. I don't do this work much anymore, but I know some people who do. Thanks a ton!

Re:They forgot one! (1)

Dachannien (617929) | more than 6 years ago | (#19731989)

To be specific, the tactic is to suspend one of the codependent processes without killing it, kill the other process (which won't be restarted, since the process that restarts it is suspended), and then kill the first process.

Of course, there's nothing saying that a malware process can't either kill Process Explorer as soon as you run it, take steps to keep itself off the process list, masquerade as a necessary process, unsuspend its codependent process, etc.

Re:They forgot one! (1)

sexybomber (740588) | more than 6 years ago | (#19734623)

Of course, there's nothing saying that a malware process can't either kill Process Explorer as soon as you run it, take steps to keep itself off the process list, masquerade as a necessary process, unsuspend its codependent process, etc.


Actually, before I made The Switch, I encountered a piece of malware that did kill Process Explorer right after you opened it. Luckily, it was not very well-written, because if you could kill it within about a half-second, it would not reappear.

I was quite proud of myself when I finally succeeded :^D

Re:They forgot one! (0)

Anonymous Coward | more than 6 years ago | (#19732211)

there is an easy work around for that if you have XP pro or *nix like system.
1. Take ownership
2. Remove all permissions. If you want to be paranoid, you can explicitly deny read & execute rights.
3. Reboot
4. Delete
For Home edition, you will have to get some 3rd party utility to mess around with ownership and permissions.

btw you forgot to mention those dlls (or so) that load at system start and can't be killed because they are not processes by themselves. above trick takes care of that too.

Polymorphic virus experience (0)

Anonymous Coward | more than 6 years ago | (#19731737)

I run a 'mom & pop' type computer store and recently came across what I can only imagine was a polymorphic virus. Norton was installed on this PC and would bring up a warning upon each bootup about a virus in a DLL file. As with all virus-infected systems I removed the HDD from the machine, hooked it up to our tech bench PC (a known-good system) and scanned the disk 'off-line'. This method works well 99% of the time. The scanner detected the DLL virus and removed it. Within a few minutes of booting the PC back up however, the virus was back, the PC was isolated at this point (no network connection), so it had to have come from the PC itself. I repeated this process a few times, just to be sure, but each time the scanner removed the DLL, and each time it booted back up the virus reappeared. I came to the conclusion that another executable was hiding the virus, probably using encryption, and was replacing it during bootup. I tried using file and process monitors to find what was replacing the virus, but I couldn't figure it out. In the end I had to reformat the disk and reinstall, which I hate having to do.

Excellent article! (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#19731793)

nt

Kallus2 (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#19731933)

CPS3 EMU TEST RELESASE V3 EL SEMITRUCK ASS -NT_ CUM NUTTS

Reason: Don't use so many caps. It's like the JEWS DID WTC.

Malware Experience (1)

Renraku (518261) | more than 6 years ago | (#19732027)

A few days ago I was infected with PurityScan, several droppers, and a trojan or three.

I have no idea how they got there, but all I saw was a command prompt window pop up for a half a second and then I started getting IE popups (I used Firefox).

A virus scan/adaware/spybot would remove them, but they'd reappear on the next reboot.

A safemode scan of those would remove them, but they'd reappear on the next reboot.

As a result I formatted my Windows drive and reinstalled.

There's no telling how many root kits were hiding in my kernel, all for that might advertising dollar or chance at identity theft.

Any company caught using malware (I'm looking at you, PurityScan) should face charges for criminal trespass and breaking/entering if it turns out they were seeking out services from these contractors.

Re:Malware Experience (1)

deftcoder (1090261) | more than 6 years ago | (#19732517)

Or you can *drumroll* stop running Windows from an account with Administrator privileges.

Re:Malware Experience (1)

Renraku (518261) | more than 6 years ago | (#19733439)

Running in an admin mode is only dangerous for this reason. Most exploits can find admin mode anyway, if you're in it or not.

Re:Malware Experience (1)

Vexorian (959249) | more than 6 years ago | (#19733627)

I guess/hope vista fixed this. But I actually found a USB virus that runs automatically thanks to one of XP's 'features' (even if you got autorun disabled...) Then it copies itself to certain location I won't ellaborate about since I don't want more deadly viruses spread, it causes itself to be executed with admin rights the next boot (awesome isn't it?)

Once you try to clean it, it becomes a biotch , if it detects the string ".exe" in any title bar, it will send the OS a reboot command, this kind of makes you unable to use any tool that can get you rid of it manually.

I had to boot on linux and enable ntfs write support to clean it, it was hard even though (thanks to file dates) I was able to detect ALL the files it installed, I needed such an strange method to boot (recovery mode would equally fail) .

These things are getting worse and worse, the other day I could notice another virus copied itself to my USB flash device (the time with the other virus was my brother's mp3 player which got infected) It looks like simply inserting an USB disk to a computer will get it infected and it will infected any other computer from which you open the USB disk, and how about anti virus software? It certainly doesn't work, I tried the disk on many computers with Mcfee, AVG, and Panda and all the three got infected by just inserting the disk.

I had to use Linux to clean the virus so when I used the disk it in windows it didn't infect my computer

Group Policy as a solution? (1)

Anomalyst (742352) | more than 6 years ago | (#19734465)

Hopefully, in a corporate setting, having machine group policies to prevent execution from a USB driver, even better, restrict execution to designated drives and directories would stop this infection from spreading.

I don't get it... (2, Funny)

disasm (973689) | more than 6 years ago | (#19732037)

I thought these problems ended years ago when the year of the linux desktop came and everyone stopped using windows... You mean there are still poor souls out there that don't use linux or mac?

Sam

Good Technical Article, Bookmark IT. (1, Informative)

Anonymous Coward | more than 6 years ago | (#19732265)

FTA

| ...The earliest signature-based detection methods focused on searching for exact byte sequences... Later heuristic detection methods also used file code. ... |

  result evil hacker just wrote

|...polymorphic code is a highly time-consuming task ...|

minor really point, better tools are out now with complete tools and associated databases (see mesasploit and ruby)

Actually until Microsoft (since they own 90% of the computer OS's out there) gets rid of the "Hide everything from the User" the status quos will continue.

It creates a "trust me" mentality which is exploitable.

Draconian Policies like the System Registry, automatic System Updates, hidden DLL substitutions, My Stack is better than your Stack, and general lack of internal documentation make it almost impossible for the average MCSE let alone the average user to deal with these kinds of threats. All this junk doesn't help matters either.

Good Technical Article and good website to bookmark...

To bad for MS, but this will not make them change.

Viruses can't defend themselves against.. (1, Insightful)

Sloppy (14984) | more than 6 years ago | (#19732577)

..people who decide to not run them. Whenever someone emails you a virus, or offers you a virus on their webpage, if you decide to not save it, chmod +x it, and run it (whether as root pr your usual level of access), then for some geeky technical reason I don't understand, its defense code fails to activate.

He's saying, Keep your mouth shut (1)

iminplaya (723125) | more than 6 years ago | (#19732785)

I challenge cybercriminals and conceptualists to reconsider their intentions and motives behind publishing a PoC that will only add fuel to the fire.

In other words, security by obscurity is still best. Well, I still believe that exposing the flaws is the best way to protect ourselves. Too many programs "phone home" and contain other spyware as it is. Proof of concept also helps to protect us from that.

Answer (1)

not_hylas( ) (703994) | more than 6 years ago | (#19732883)

Here is Fred Cohen's take on the general subject:

http://all.net/resume/bio.html [all.net]

http://all.net/journal/newsletter/index.html [all.net]

http://all.net/Analyst/index.html [all.net]

Ref.

http://all.net/ [all.net]

Paper:
An Undetectable Computer Virus

http://www.research.ibm.com/antivirus/SciPapers/VB 2000DC.htm [ibm.com]

Could this be the end of the Mac - PC flamewar?

Logic:

"... we can't stop here, this is bat country."

Fear and Loathing in Las Vegas, A Savage Journey to the Heart of the American Dream
Hunter S. Thompson

Bootable ClamAV image? (0)

Anonymous Coward | more than 6 years ago | (#19733059)

What I want is a bootable CD that will then scan a system for malware.

Once the malware 0wns your comp, it can play all kinds of games to hide from the anti-malware software. The only sure way to find everything is to boot from a known safe OS image, like a CD, and then scan.

We should be able to do this today with ClamAV, but I just did a Google search and didn't find anything.

I also did a Google search for a good explanation of how to make your own bootable linux CD but the pages I found seemed pretty old. If you know a good HOWTO page for making a bootable CD please share thanks.

Death Penalty for Malware Writers (-1, Troll)

tjstork (137384) | more than 6 years ago | (#19733139)

I've had enough of this arms race. I think we need to start executing some of these people. If ya get caught writing a virus, you should be whacked. If you are not a US citizen, then you should be on your way to Gitmo, to get whacked.

I've just had enough. No mercy.

God I hate articles w/o print links!!! (2, Informative)

taosk8r (56641) | more than 6 years ago | (#19733355)

Please, there oughtta be a law that multi-page articles with text squeezed between massive, obnoxious graphics, have a PRINT FRIENDLY LINK!! ARGH!

And the collateral damage of this' war'... (5, Interesting)

rickb928 (945187) | more than 6 years ago | (#19733811)

...extends beyond poor performance, spam, cost of software, etc.

We got hit here with a collateral listing of one of our tools as 'spyware'.. It shut down our software across the U.S.

We used a toolkit from a vendor to encrypt and compress files for transmission and for patch distribution. It was slick, lightweight, and sufficiently secure. it was also a commercial product, and was sold to another publisher who used it in their software.

One of their packages is an IM logging and monitoring tool. Good for AOL IM, and others. You have to either download it as shareware, or buy it outright, and then you have to install it, with the usual requirement that you actually have access to the PC. It's not and has never been distributed as 'spyware' in the sense of an unexpected or unsolicited install, nor was it ever distributed from a website or as part of another package - unless you repackaged it yourself. The biggest users were corporate IT departments monitoring IMs for compliance, and parents/spouses/etc snooping on others.

Not what I think of as 'spyware'. But someone else thought differently.

The IM logger got reported to either Trend Micro or McAfee as 'spyware' more than a year ago. Sporadic reports continued, until the latest (?) release came out and got popular. Then the flood of reports ensued. And when I say 'flood', I mean 'dozens'. I suspect some HijackThis logs started showing it, and after a few more reports, it was assumed by someone that this application was part of other kits. Listing the application by one anti- company leads to everyone else listing it. No one wants to be left behind, and none of the 'security' companies wants to be the one that lets bad stuff in, just because they actually evaluated the listing. No, it got listed by everyone.

And the controls along with it. Including the one we used for everyday, legitimate encryption and compression.

Our customers started reporting failed installs and reinstallations. One reported they got a virus alert. We looked things over. Why now? We hadn't changed anything substantial in years.

Then, on a whim, I Googled for it. BAM! Our control was listed as malware. WHA?

We figured it out an an hour. I asked around some of the contacts I knew at Symantec, etc. Their advice was simple - give up. Go get a new tool, recode, and move on. Surrender. Even though the module we used was by itself harmless, it was guilty by association. So we did. So far as I know, the company that produced these tools & modules is struggling with this. After all, their code signatures are now officially 'malware'. Kinda like banning drills 'cause someone drilled a hole in their finger by accident. Pretty soon, nothing gets drilled. Not a good state of affairs for the drillmakers.

And not a good state of affairs for drill users, either.

That IM logger that started all this? It was commercial software, and other than being highly annoying for kids who value hiding their IMS from snooping parents ("Hey, who's paying the Internet bill around here?"), or spouses caught on dating sites, the businesses forced by law to treat IMs as if they were business correspondence found this to be a good tool. Not so good any more. About the only way to use this is to keep writing exceptions to your anti- software. If you can. And keep re-writing these exceptions every damned update. Maybe more than twice a day.

It looks like this application is dead. Kinda sad.

We survived, though some of our customers did get concerned. In our business, being labelled as 'spyware' could cause massive problems, beyond the usual. It could be front-page of the fishwrap stuff.

In the midst of the virus/spyware/malware/anti- battle, this is one small story of how unintended consequences have real costs. We had to scurry to buy new stuff, re-code, and distribute. Our original tool vendor has had to give up on a good product, through no fault of their own. The application vendor that 'started' all this? A legitimate product now labelled as malware. Dead.

Those of you who are morally opposed to IM loggers, etc, please resist the urge to flame on. The IM logger was never marketed as anything but, had to be paid for, and installed 'in the open'. It hid itself during operation to avoid the obvious circumvention by targets, but it was never, so far as I know, part of any kit that installed under false pretenses. And there are legitimate uses for such a tool.

It's not even as simple as paying for software you shouldn't need, or being saddled with slow systems, or the flood of crap that comes from compromised machines. Every once in a while, the whole war takes unsuspecting casualties.

Darn.

Problem is getting harder to fix (2, Interesting)

sherriw (794536) | more than 6 years ago | (#19734031)

Cleaning out a virus/trojan problem has become close to impossible for the average person. Most people and even actual computer service shops just format and re-install.

I have only moderate PC service skills and this weekend my family's computer popped up a AVG warning that a Trojan was detected. This is not my computer but it shares my net connection via wireless. When I saw that detection warning I pulled the plug on it's net connection and then investigated. My brother had been downloading wma to mp4 converters. And bingo! On top of that, no one was keeping the AVG up to date or doing regular scans. Apparently everyone assumes I'll clean up their messes for them. Pisses me off.

So, guess how hard it is to clean out a Trojan these days? Guess what, your anti-virus is useless! It may detect the virus, and clean it, but it re-installs itself.

Get ready for a loooooong process involving:

-Disable system restore and remove all restore points.
-Reboot in safe mode, run anti-virus /spyware scan.
-Use Autoruns or any other startup/running processes program.
-Write down what is being run on startup and what is currently running.
-Hop on Google to find out which of those are legitimate processes.
-Remove the bad-uns.
-Look for a cleaner program for your specific Trojan/Virus. Careful to get it from a reputable site.
-Run the special cleaner program in safe mode and regular mode.
-Grab output from HijackThis and use google to research any suspicious entries.
-Do all this without connecting the infected computer to the net. (PAIN!!!)
-Profit!!!! (I couldn't resist saying that)

So, then you cross your fingers for a few weeks waiting to see if your AV pops up another warning. All the while doing manual updates of your anti virus. Keep it in quarantine a while longer. Then, cautiously re-connect to the web and HOPE it's clean. Then YELL at your family to stop downloading crap, and make a "nice" desktop wallpaper in msPaint to drive home the rules.

*sigh* it's a huge pain, especially for people like me that need to research every process because they don't know what's legit or not. Not to mention that my sister does her online banking on that computer, and I've had to tell her to go change her passwords, get a new CC number, and inform her bank to put a watch on her account for any suspicious activity.

I really wish these virus writers would fry.

No wonder people just format and re-install.

virus vs. antivirus (1)

jon_joy_1999 (946738) | more than 6 years ago | (#19734971)

it's darwinism at it's finest!
sort of like why antibacterial soaps are bad -- doesn't kill 0.01% of germs. if you have a surface with 100 000 000 germs on it [not so far-fetched with counter tops], you're stuck with 10 000 of the hardcore baddies. sure, it seems harmless, but what happens when those 10 000 become 100 000 000 again?
is it me, or is this starting to sound familiar?
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...