Fake Antivirus Peddlers Outpacing Real AV Firms
An anonymous reader tips a writeup at KrebsOnSecurity.com detailing how purveyors of fake antivirus or 'scareware' programs have aggressively stepped up their game to evade detection. The posting is based on a report from Google's malware detection team (PDF). "Beginning in June 2009, Google charted a massive increase in the number of unique fake antivirus installer programs, a spike that Google security experts posit was a bid to overwhelm the ability of legitimate antivirus programs to detect the programs. Indeed, the company discovered that during that time frame, the number of unique installer programs increased from an average of 300 to 1,462 per day, causing the detection rate to plummet to below 20 percent. ... In addition, Google determined that the average lifetime of sites that redirect users to Web pages that try to install scareware decreased over time, with the median lifetime dropping below 100 hours around April 2009, below 10 hours around September 2009, and below one hour since January 2010."
There are a number of well known AV software providers out there that have been around since the dawn of time (relatively speaking). F-Prot, Command, etc are all very good products and cost a few sandwiches a year.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Step 1: Create a better scareware vector with a higher infection rate.
Step 2: ?????
Step 3: Profit!!!!
Seriously. There are incredibly lucrative incentives inherent in this kind of scam. No surprise they're spreading and getting smarter.
"We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
nt
I envision it as a desk with a computer and an infinite stack of virus infected floppies. :)
If I were God, wouldn't I protect my churches from acts of me?
I wouldn't go that far. I'd just give them a desktop with Windows.
We've had a couple of these at work - not fake AVs, but some weird thing that seems to change the Active Desktop so that it looks like there's an antivirus window.
The funny thing is that they look a lot more like an anti-virus program than our actual antivirus. They have this really slick fake "scanning" window that looks like something Apple would come up with if they had to design an AV scanner, while our real AV software looks like a piece of junk some poor Russian hacker cobbled together. It's sad really; the fake AVs have Symantec beat in everything from total resource usage to looks.
So it's like fake dope dealers are outpacing true dope dealers.
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
I know people who have two different malware scanners installed at the same time, plus a third-party firewall which also comes with malware protection. Needless to say, they're not happy with the performance of their computers.
and no lube...
I still cannot find the droids I am looking for...
I discovered Krusnikov's Virus No-Having 2007 over three years ago and it's been running in my system tray ever since, without issue.
Does this include McAfee? It seems to be a fake anti-virus, holding critical system files hostage.
And all the floppies have their write-protect switch set the wrong way and you just clipped your fingernails so you can't get your nail to catch on that stupidly annoying little slider.
Can someone please tell me how this installs automatically and runs on my computer just by visiting a site like the piratebay?
I know not to download/install unsafe stuff and I know not to click on pop ups and I always try to stay safe but by just visiting the piratebay on IE8 and not downloading any torrents or anything I get this fake AV.
Visiting the site on Chrome I don't get this fake AV.
We keep ignoring the lessons of the past by using discretionary access controls instead of capability based security at our own peril. The users have no way of telling what the side effects of a program are going to be, nor do we have any way of limiting them. This is a spiral downward that will eventually force everyone to learn about capabilities and cabsec.
xkcd #694 or #350.
The "scan" window pops up and tells them that they've been infected BUT IT IS OKAY because all they have to do is click here and the nice software from the friendly company will remove the nasty viruses for them.
Yay!!!
This is just a side effect of the "real" anti-virus/security businesses having no interest in reducing/mitigating the "virus" threat. It makes too much money for them.
1. Education that Windows users need AV software has been overwhelmingly successful.
2. People are too cheap to go buy a boxed copy, and like in-your-face downloads (many ISPs offer AV, but you have to go hunt for it)
3. Internet Explorer and Windows are still terminally broken out-of-the-box.
My dad actually fell for it and bought one of these for $50! He has AVG on the computer and that is all he needs, but he freaked out and did this before asking me first.
That was $50 lost that he'll never see again..... as well as the credit card that was canceled.
I use Linux - the family never listens to me.
I work at a fairly small university, and at least once a week we have a faculty member's PC get infected by a fake AV. In the most recent case the professor had paid for the "full" version, then a week later e-mailed the "company" because he was unsatisfied with the AV and couldn't uninstall it. The company then e-mailed him with a link for a program to uninstall the fake AV, which of course didn't work, and then he decided to call us; still not realizing that the AV was fake.
Pardon me, sir, but I would be remiss if I didn't inform you that you have clearly contracted a rare disease that will kill you painfully in short order UNLESS you pay me to inject this substance into you. You can trust me, I'm a doctor.
....
Why is it that virtually nobody would fall for that in meatspace, but innumerable people fall for it online? It's just like the 419 scams. What is it about THE INTARWEBS that makes people exponentially more gullible than they would be to a random person on the street?
I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is a steaming pile of dog shit
I have informed everyone I do family and friends tech support for... they must either switch to Linux or a Mac with OSX. The new Internet Security 2010 is an evil bastard that even kills the safe mode so you have to use a Bart PE to run Combofix first and then reinstall AV and run a clean.
Screw it, I'm done. Mac mini's are as cheap as a dirt cheap dell PC. and I'll install linux for them. I am done with windows support.
Do not look at laser with remaining good eye.
My wife's machine got hit last week.
No idea where it came from.
Been running for years with no problem.
(NetGear router seems to keep the baddies out.)
All of a sudden there's a dozen dialogs flashing dire warnings about viruses and trojans and keyloggers and malware and insisting that we "register" our copy of XP security.
Pulled the network cable and started googling (from a linux box).
The thing is pretty nasty.
It scatters pieces of itself around the file system with random names.
Then it hooks the .exe registry keys so that it gets control each time any program is run, and takes the opportunity to spawn a new copy of itself, with new dialog boxes and systray icons.
After you delete the program files, nothing runs at all, because the .exe keys are still trying to redirect through the files you just deleted.
(Hint: right click -> run as).
Then I fixed all the .exe (and related) keys by hand.
There's quite a lot of them, because it is really important for each user on a windows box to have their own semantics for running a program.
(Removal instructions on the web don't generally find them all.)
Finally (should have done this long ago) created an admin account and knocked all the user accounts down to user privilege level.
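The .exe handler keys this post cleaned up by hand can be audited from PowerShell. The script below is an added example, not something from the post or from any removal guide: it walks the machine-wide classes and every loaded user hive (the per-user keys the post says removal instructions tend to miss) and flags any `open` or `runas` command for executables that is not the stock `"%1" %*`. Run it from an elevated prompt so all user hives are readable.

```powershell
# Added example (not from the thread): audit the .exe shell-command keys
# machine-wide and per loaded user hive. On a clean system ".exe" maps to the
# "exefile" ProgID and both the open and runas verbs run:  "%1" %*
# Anything else means every program launch is being redirected through
# another file, which is exactly the behaviour the post describes.
$expected = '"%1" %*'

function Test-ExeHandlerKeys {
    # Hives to inspect: HKLM classes plus each loaded user hive under HKEY_USERS.
    # The "<SID>_Classes" entries are the same data reached via <SID>\Software\Classes,
    # so they are skipped to avoid reporting every finding twice.
    $roots = @('HKLM:\SOFTWARE\Classes')
    $roots += Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\Software\Classes" }

    foreach ($root in $roots) {
        # Which ProgID does ".exe" resolve to in this hive? A hijack can point
        # ".exe" at a brand-new ProgID instead of editing exefile itself.
        $progId = 'exefile'
        $assoc  = Get-ItemProperty -Path "$root\.exe" -ErrorAction SilentlyContinue
        if ($assoc -and $assoc.'(default)') { $progId = $assoc.'(default)' }

        foreach ($verb in 'open', 'runas') {
            $cmdKey = "$root\$progId\shell\$verb\command"
            $cmd = Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue
            if (-not $cmd) { continue }          # key absent here: no override in this hive
            $value = [string]$cmd.'(default)'
            [pscustomobject]@{
                Hive    = $root
                ProgId  = $progId
                Verb    = $verb
                Command = $value
                # Flag a non-default ProgID as well as a non-default command.
                Suspect = ($value -ne $expected) -or ($progId -ne 'exefile')
            }
        }
    }
}

# Print every handler found, suspect entries first, so the odd one stands out.
Test-ExeHandlerKeys | Sort-Object -Property Suspect -Descending | Format-Table -AutoSize
```

A key that is present only in one user's hive is not itself suspicious (a few legitimate tools create one), but its command should still be the stock value; restoring `"%1" %*` under each flagged key is the repair the post performed manually.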
I still think there should be a course given for a Internet License. This way if you dont base your not aloud to go on the internet. Well atleast in large corperations/government facilitys. cough cough (where i am). These people just can't stop clicking on stuff. They never read just click
Hey I was just informed by Mr Naroob Jahoni (son of the former finance minister to Nigeria who was tragically killed in a car crash) that he has 14 Million dollars in a suitcase ready to transfer to my account. Thank goodness this popup came up and let me know there are TONS of viruses which are now being cleaned, totally free, by this awesome company. I would hate for anything to interrupt my communications with Mr Jahoni as he said I could have a rather large commission upon my submission
and they're on fire.
This ain't rocket surgery.
I always find it funny when I get a popup from my browser on Linux asking if I would like an anti-virus scan. Sometimes it will show me how my C: drive is corrupted and would I like to pay for a version of their anti-virus software. One of these even offered to replace my system32.dll. This just shows how fake these scans really are
Instead of listing all the bad programs, why don't they list all the good programs? If a virus has a lifespan of a few hours, the only way to prevent it other than figuring out how they are changing, is to white list all the good programs.
They have a free scanner now. It's not the best AV, but it's good and no cost. I also recommend it because it is something users will trust. I mean after all, you pretty much have to trust your OS company, they could own your computer through any number of ways, they wouldn't need to use an AV program.
Doctors, celebrities, what's the difference in the consumer's mind? Case 1: Dr. Dre. Case 2: "Of course Hugh Laurie is a doctor. He plays one on House M.D." Case 3: People with a doctorate in something other than medicine or osteopathy.
its not fair and i think you re really mean!
like Mcaffee are so much more reliable aren't they...
And a desk with an old Packard Bell Pentium II and a copy of Windows ME.
Faster! Faster! Faster would be better!
my mom's pc got one of these over the holidays while a teen cousin was surfing flash game sites. the pop-ups would not go away. at boot up pages wouldn't load because the warning box insisted on a click before progressing further. anti-malware had no effect, neither system restore nor anything else i could think of was successful.
even the computer shop was at a loss. after ten days the os required re-installation with a resultant loss of all data.
don't make the mistake of thinking this is merely an issue of rubes accepting come-ons from scareware vendors. it's beyond that now. these apps are injected instantly via poisoned sites and your pc is compromised well before you "accept" any blackmail terms. we found to our dismay nothing for sophisticated users nor technicians to fix.
thanksgiving was a real eye opener for me.
i surf exclusively with adblock and noscript now. no ads. no scripts. period.
until site owners deal with this i won't do otherwise.
-js.
I'm not convinced that licensing will help. Some people are just ripe for manipulation by marketing and scams.
Take some of my fellow amateur radio operators, for instance. These are supposed to be a bunch of hard-core techies who have to pass a test and be licensed before they can go on the air, yet a whole lot of them will pay out good bucks for fancy-looking antennas that are advertised to have a flat 1:1 SWR across the entirety of the amateur radio bands in a unit the size of a breadbox with "no lossy traps." Yeah, right, ain't gonna happen, the laws of physics prevent it and the small amount of antenna knowledge required to refute these ridiculous claims is on the test the ham had to pass to get his ticket. Still, a lot of them fall prey to magical thinking.
This ain't rocket surgery.
Something like ClamWin is sufficient for the periodic scan (in fact the ClamAV it's based on is rather good). Not clicking on dancing bunnies eliminates the need for on-access scanning.
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
I'm a keyboard monkey at a three-man retail computer / repair shop. In the last week, literally every PC that's come in to get cleaned up has had a copy of "Security Tool" installed. The fix is quite easy - download Process Explorer, rename it to iexplore.exe, run it, kill 08732030.exe (or whatever random number it's used this time), then install & scan with Malwarebytes Anti-Malware, and a couple others. But it's obscure enough that nobody can do it, so we can charge our standard 1 hour to clean it up. I wish I could meet the guys who wrote this and buy them a drink. They've been paying my cheque for about 6 months now.
Why spend 10 years trying to identify all the "bad" code when it should be far easier to identify the apps that you want to allow to run on your machine?
http://www.mcafee.com/us/about/corporate/mcafee_Solidcore.html
Story about malware links to PDF? Nothx.jpg!
-]Phreak Out[-
They must want money at some point right? How are they expecting to get paid and why can't the cops at least freeze their Visa account?
The same with the online pharmacies.
I use Linux - the family never listens to me.
Well, then stop using Linux!
I am the richest astronaut ever to win the superbowl.
99%+ of scareware is from the same exact kit, and installs the same core exe program, (AV.EXE) in one of three fixed locations. (as super-hidden) This article itself is scareware. The av companies can detect every one of these every time they pop up, there's no "trying to keep up" with this. That's what happens when malware goes commercial as this has. Anyone happen to know offhand who's the source of this malware kit? (url?) I'd be curious to know how much such a kit sells for. Must be cheap if there's 1400 new customers a day.
Give us the meaningful number of unique, new scareware products a day. Or a week or a month. Betting somewhere under 10/month. And if they can't keep up with that, waaaaaah.
I work for the Department of Redundancy Department.
I previously worked in a company that ran mostly on ad revenue. Ads are a lot more complicated than "show user a picture and/or text, wait for him to click and buy."
Most of them do things like:
a) Track impressions: How many times a given ad is shown. Advertisers pay for a given number in a given period of time
b) Track clicks (of course), and track which impressions lead to clicks which lead to sales
c) Note the general location of the user. Some ads only target users of a certain region. It doesn't make much sense to advertise a product only available in the US to some dude in Australia. Advertisers also want to know what areas are more or less interested in their product
d) Lots, lots more
Now if a company is dealing with third-party adservers, many issues come up when you run into certain unsavory types. Where I previously worked, we were quick to track them down and cut off that advertiser. Often enough it was an advertiser who in turn carried ads for another network (and so on) until somewhere along the line somebody slipped a bad one in. Just as often ads were blamed when it was actually a user with an infected computer (and the virus was showing ITS ads) or somebody had slipped in a naughty link somewhere with some script that got past validation.
And how would NYT track the content of a third-party. The third-party is being used specifically because they know more about handling ads than NYT, and they control what goes out?
Take off and nuke it from orbit... It's the only way to be sure.
If I were God, wouldn't I protect my churches from acts of me?
...if you're a Windows user who never has the intention of being a Linux user, at least take some good advice from we Linux users:
1. Don't use any Internet applications that embed themselves too deeply within the OS - this means *DEFINITELY* avoiding Internet Explorer and getting rid of Outlook where possible.
2. Stop using your PC with full admin rights - create a restricted user account for normal day-to-day stuff like surfing the Internet. If you don't have the permission to make big changes to Windows then just about anything you run shouldn't be able to either.
3. Use Firefox and install the "NoScript" addon - fairly self-explanatory but at least you can limit Javascript to only the sites you trust.
Gentoo Linux - another day, another USE flag.
People lose all common sense when they're dealing with something they think they're incapable of understanding.
It's not true, by and large, that people would be incapable of understanding if they sat down to take the time to figure it out, but in the cases of such an unequal informational playing field (you and your doctor, you and your mechanic, grandma and her computer tech) people are paying not just for service but for expertise, and that makes them vulnerable to this kind of exploitation.
a few months ago. Did some googling but nothing really seemed to kill it. Fortunately it only infected her profile, so I just backed up her data and created a new account for her, and congratulated myself for not giving her admin rights.
Never let a lack of data get in the way of a good rant.
This is the main problem we see under Windows: the users like to run with ADMIN privileges all the time. Unix users (which obviously include Linux users) are educated enough to run as ROOT only when needed, and that counts a lot to the overall security. People need to help the system to be secure, not running as ADMIN to browse the internet. And... stop downloading everything they find "for free".
When I first got my job where I work right now (how's that for vague), I performed a desktop and laptop fleet software audit among other things to find out the state of things. One particular user was exceptionally proud of how they had managed their system (long and another story why they allowed admin access locally for users). They proclaimed "my computer is the most secure here!". I asked them why they thought that, and they made a point of telling me they were running 23 different anti-virus programs. So, aghast, I take a look. It was 23 different rogue AVs. They'd given their company Amex number when "registering" the software and a further audit of records showed over $3000 in unauthorized transactions had been made against the card.
But, wait, it gets better. I, for the sheer morbid curiosity, decide to do the rkill + MBAM route, and MBAM finds 26 THOUSAND infected registry keys/files on the system. We wiped and reinstalled, and returned the system to the user. They complained to management that they didn't have enough protection, they could tell because their system booted "too fast", that they hardly even had time to grab coffee.
"Never attribute to malice that which can be attributed to ignorance." -Some dude
I deal with this stuff on a daily basis. I had a customer just the other day go home with a clean machine, with the latest version of Avira, Malwarebytes Anti-Malware, and SuperAntiSpyware installed and updated. All Windows patches and updates installed. He was back two hours later. Surfing the web looking for UFC videos. Google served up a paid ad at the top of his search with his search terms. Of course he clicked it, and with a bit of Adobe Flash magic, he had the Security Tools infection installed and his Avira broken.
The problem with anti-virus programs is that they're still "negative file" systems, using blacklists. We now need systems where nothing executable gets downloaded until some respectable services have checked it and determined that it's not hostile.
Anti-virus programs ought to work that way. If you try to download something, it goes into quarantine until the remote checking system has run it in a virtual machine for a while to see what it does, or its hash exactly matches previously approved software.
As a technician, I come across a lot of these almost every day since December 2009. At first, they were hard to figure out how to remove, but eventually I figured it out.
If it weren't for these bad programs I would not know how to maneuver around Windows registry without fear of damaging something (of course I always make a clone-backup of the HDD before I mess with it).
I can effectively remove the major files these programs install all over the hard drive to the point where programs like MalwareBytes, and Avira, can effectively run and even download latest updates to remove any other infection.
I've come across a really bad one where Combofix, rkill, and all of these programs that a lot of other techs swear by simply do not work. So, I go to the registry and delete any entries that do not belong.
I've saved a lot of systems from having to be formatted/reinstalled and reconfigured.
The New York Times and Boston.com websites have been infected before. It's just a matter of time before these things become more like ransomware.
Clicking on a link and getting infected as a result IS an example of a drive-by infection. It doesn't matter whether it involves video and/or Flash; if viewing a web page can cause an infection then it's a drive-by.
Also, your nick is misspelled.
Awww gee, poor widdle AC who spams is getting upset!
Oh no he even added Doche to part of my nick, my oh my how will I cope? (:
Fun fun fun on a rainy Adelaide day!
1. The Advertising Industry is greedily accepting money to push browser attacks on unsuspecting people.
2. They are out of control. When was the last time a website banned an ad service because of malware? Why are the suits in this product-propaganda chain so unresponsive?
3. Browsers and operating systems lack methods to reliably provide visual context cues for network objects (like web pages). Yes, the browser window is there with its untouchable bits (address bar etc), but a web page can contain an element that looks like another window.
3a. Even with that window-like appearance, they are limited to using either drive-by or trojan techniques and the user probably is already familiar with what download and run-program warning dialogs look like in the case of trojans. So we are probably not dealing so much with user naivete as with system shortcomings. For the record, most Windows techs I know periodically get malware on their own systems.
4. Cybercrime has become incredibly entrenched and resourceful.
"I qualified as a Telecommunications tech in 1979" by FalconDOUCHE (1289630)
on Tuesday April 27, @11:42PM (#32008806)
LMAO -> http://slashdot.org/comments.pl?sid=1619750&cid=32008590 see subject above, read url, and rinse-lather-repeat, falconDOUCHE... how stupid can you be? LOL, I bet you did that MERE TECHIE job on lol, telegraphs. I mean based on your dimwit reply in the url above, where you called others names no less?? Please, falconDOUCHE - do you think ANYONE believes that which I quote of you above, after reading the URL below it? LOL, not.
If you are still using floppies, you could always use your AARP card to move the slider....http://www.aarp.org/
LMAO - you're right about 1 thing: I didn't HAVE to "land a blow" as you called it - YOU DID THE JOB FOR ME (lmao), read on to those reading... this is "vintage Professor 'FalconDOUCHE'" @ his finest below, lol:
"you do realise that there was no email in 1979 dont you? Oh of course being 10 you wouldnt" by Falconhell (1289630)
on Wednesday April 28, @12:35AM (#32009320)
Dimwit, there's been email systems since before ARPANET http://www.nethistory.info/History%20of%20the%20Internet/email.html ... utterly unbelievable: Here's a quote from said "HISTORY OF EMAIL":
***
Email is much older than ARPANet or the Internet. It was never invented; it evolved from very simple beginnings.
This is why Ray Tomlinson is credited with inventing email in 1972
***
LMAO, wait wait... it gets BETTER next, below (so "play it again, SAM"):
"I qualified as a Telecommunications tech in 1979" by FalconDOUCHE (1289630)
on Tuesday April 27, @11:42PM (#32008806)
LMAO -> http://slashdot.org/comments.pl?sid=1619750&cid=32008590 see subject above, read url, and rinse-lather-repeat, falconDOUCHE... how stupid can you be? LOL, I bet you did that MERE TECHIE job on lol, telegraphs.
I mean based on your dimwit reply in the url above, where you messed up on the fact that hotmail does give away your IP address, and where YOU called others names no less?? LMAO!
(Man - Please, falconDOUCHE - do you think ANYONE believes that which I quote of you above, after reading the URL below it? LOL, not! LMAO... you can't even get email right (see url to anyone reading, lol), so you're far from a "telecom tech").
Just a trollin the troll.
If you dont know how to do it
I will show you how to troll the troll!
(To the tune of walking the dog)
Not a blow landed yet kindy boy, but you get more frustrated each slightly changed copy/pasta you post.
About "landing a blow"? Hell, I didn't even HAVE TO TAKE A SWING, lol... you KNOCKED YOURSELF RIGHT OUT with what's above, lmao!
"Process Explorer and a few hours later I was back to normal (protip: malware "watcher" processes usually aren't smart enough to realize when they've been suspended. Comes in handy.)" - by RulerOf (975607)
on Tuesday April 27, @05:03PM (#32004704)
This bloke obviously only read what was written in this guide for securing Windows, and its virus removal section in post point #20 http://www.tcmagazine.com/forums/index.php?s=610624dd0ca744a1833203a79296f8ee&showtopic=2662&st=0 or in the other forums where it's posted. The bloke who posted it did it all over the bloody web and though that's rather gauche, it's good he did. I say that because others are starting to realize the value of its points, such as the usage of Process Explorer for hunting and killing off malware. Use that guide, and Bob's your Uncle.
(This is not new news on that guide though, it is many years old now, and others are learning by it in how to use Process Explorer for malware removals. Nothing interesting whatsoever in what RulerOf did or used, because the information's been out there on it for years now).
Bloody hell, the way RulerOf's using Process Explorer could be done with taskmgr.exe instead (killing first level executables).
The true value of Process Explorer in these cases is to use it to find processes that hide themselves under other running processes (such as libs/dlls loaded in other apps like Explorer.exe, which taskmgr.exe will not show) or underneath services (like svchost.exe, which does not expose what its running beneath itself in taskmgr.exe in Windows 2000, XP, Server 2003 at least).
"It used the AT command to get what it wanted in terms of privileges and so on, and went to town on my local security policy." - by RulerOf (975607)
on Tuesday April 27, @05:03PM (#32004704)
Bloody hell, perhaps you did not read that guide in that url above for how to secure windows after all. It covers securing the AT command, by its usage of the CIS Tool (this damn tool's incredible in that capacity and many more). Then again, once a bloke knows what CIS Tool covers, it's cake to put it into your regedit.exe favorites or to make custom MMC.exe for policy settings and again, Bob's your Uncle.
the post I was replying to was blaming it on out of date, poorly maintained PCs. I'm telling you that a completely up to date and well protected machine can get hit just as easily! And it was a google sponsored advert that infected him!
There's plenty of popups in Windows, people are annoyed and don't bother reading anything, they click just to get rid of it.
They assume they're safe because they have AntiVirus and Firewall.
In fairness, last week I accidentally infected my test machine by running a setup.exe. Avira scan didn't find anything. But a second after I ran the exe it found the virus and promptly deleted the setup.exe. But obviously I was already infected. And moments later it disabled Avira.
I later scanned another copy of the same setup.exe on virustotal.com and none(!) of the scanners found anything.
(This will be a fond memory to look back on. After I've switched to Linux)
I have had to deal with a lot of rogue security software at work. A lot of the cases were driveby installations on up-to-date computers protected by antivirus. Often, the users were infected by googling a legitimate topic and clicking on one of the resulting links.
So, you can't blame the problem solely on naive users. You can get infected by clicking cancel or even closing a popup from a malicious site. The best thing to do is to use task manager to kill the browsing session. These attacks are getting extremely sophisticated. They typically include rootkits, backdoors, and other components beyond the annoying fake antivirus warnings.
The true value of Process Explorer in these cases is to use it to find processes that hide themselves under other running processes (such as libs/dlls loaded in other apps like Explorer.exe, which taskmgr.exe will not show) or underneath services (like svchost.exe, which does not expose what its running beneath itself in taskmgr.exe in Windows 2000, XP, Server 2003 at least).
Indeed, and I used it in such fashion.
I find that Process Explorer's best feature in these situations is its signature verification. Suspending processes that don't pass signature verification, irrespective of whether or not they're malicious, is a great place to start when rooting out malware.
Bloody hell, perhaps you did not read that guide in that url above for how to secure windows after all. It covers securing the AT command
I know that the AT command grants SYSTEM by default. Funny thing is that the task scheduler in Vista and later has a little link "control usage of the AT command" or some such. It prompts for an account to use and when I first saw that I said, "Oh, that's convenient" and of course, never did anything with it. Oh well.
Thanks for the links, though, I've never read any of those guides, just had a lot of experience dealing with this kind of bullshit on behalf of others. Though I have read plenty of articles by the great Russinovich himself. Now those are some good reads.
Boot Windows, Linux, and ESX over the network for free.
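The signature-first triage RulerOf describes can also be done without Process Explorer. The following is an added example, not from the thread: it checks the Authenticode status of every running process's image from PowerShell and returns the ones that fail, so they can be reviewed (and, if warranted, suspended or killed) before anything else. It assumes an elevated prompt so that the image paths of all processes are readable.

```powershell
# Added example (not from the thread): list running processes whose on-disk
# image does not carry a valid Authenticode signature. This is the same
# starting point as Process Explorer's "Verify Image Signatures" column:
# an unsigned image is not proof of malware, and a signed one is not proof
# of innocence, but the unsigned set is the short list to look at first.
function Get-UnsignedProcess {
    Get-Process |
        Where-Object { $_.Path } |            # no Path: System, Idle, or access denied
        ForEach-Object {
            $proc = $_
            $sig  = Get-AuthenticodeSignature -FilePath $proc.Path
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Pid    = $proc.Id
                    Name   = $proc.ProcessName
                    Path   = $proc.Path
                    Status = $sig.Status            # NotSigned, HashMismatch, UnknownError, ...
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                    # Process start time helps spot something that appeared
                    # a minute ago, next to a random-named image in a temp folder.
                    Started = $proc.StartTime
                }
            }
        }
}

# Random-looking names under user-writable paths deserve the first look.
Get-UnsignedProcess |
    Sort-Object Status, Name |
    Format-Table Pid, Name, Status, Started, Path -AutoSize
```

On Windows 8 and later, catalog-signed OS binaries report `Valid`; on Windows 7 and earlier, Get-AuthenticodeSignature does not consult the catalog, so many legitimate system files show `NotSigned` and must be judged by path and publisher instead.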
I still think there should be a course given for a Internet License. This way if you dont base your not aloud to go on the internet. Well atleast in large corperations/government facilitys. cough cough (where i am). These people just can't stop clicking on stuff. They never read just click
Such poor spelling, punctuation and grammar skills and you're working in a government facility? Man, I can only hope it's not my government you're working for.
Dude, he's working for a RUSSIAN government facility. But he had sufficient knowledge to answer here in English. After all, it's not his first language. Oh yes- he also speaks Polish, French, and German. So how many languages do YOU speak, besides 'merican? Do you even know of many foreign countries? Say isn't Korea near France?
- aqk
F U
Dude, he's working for a RUSSIAN government facility
Okay, that's what I was saying--I hope he wasn't working for my government. Slashdot is an American-oriented site, after all.
So how many languages do YOU speak, besides 'merican?
English, Spanish and a bit of Italian. You?
Do you even know of many foreign countries? Say isn't Korea near France?
Don't be silly. Korea is one of those islands out in the ocean somewhere, isn't it? ;-)
This ain't rocket surgery.
An infected website will use your browser add-on and infect you without authorization. My customers commonly say they did not click a thing. They did not click run or accept. Most of the customers are not current on patches, Adobe Reader version, Java, etc. Most tend to run with local administrator rights. None of the above is best practice, but these are random customers who call when they have trouble, not when they want patches installed. One customer even had their FTP password sniffed from Contribute and had their website HTML updated remotely by some robot with an obfuscated JavaScript embed request.
it'll come 2 me...some kinda fruit store...
Thanks for the links, though, I've never read any of those guides, just had a lot of experience dealing with this kind of bullshit on behalf of others. Though I have read plenty of articles by the great Russinovich himself. Now those are some good reads.
The bloke who wrote the guide used to work alongside Dr. Mark Russinovich for the same company (Sunbelt) in the same period in the 1990s, and the bloke even actually corrected 'the great Russinovich himself' in code, believe it or not: http://www.pcmech.com/article/defragging-the-windows-page-file/ . He found that Dr. Russinovich had actually hardcoded the path to the C: drive in pagedefrag.exe for the location of pagefile.sys and of the event logs and registry hives (all of which can be moved to other drives to lessen the work the C: drive does, provided a user has multiple disks), and from what I read at Windows IT Pro, Dr. Russinovich even thanked him by email for it. That bloke posts here as Anonymous Coward and signs his posts as 'APK'. His guide (cut from his post; I found and bookmarked it here) for securing Windows turns up results like this for users (quoted):
HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA/Windows 7 (+ make it "fun-to-do" via CIS Tool Guidance & beyond):
http://www.tcmagazine.com/forums/index.php?s=568d95985ad83ef4add94de09f6026d3&showtopic=2662
----
It works, & is based on the concept of what many computer security folks the past few years have been calling "LAYERED SECURITY"...
PROOFS/EXAMPLES OF ITS EFFICACY? Ok, below:
----
http://forums.theplanet.com/index.php?s=80bbbffc22d358de6b01b8450d596746&showtopic=89123&st=60&start=60
"The use of the hosts file has worked for me in many ways. For one, it stops ad banners; it helps speed up your computer as well. If you need more proof, I am writing to you on a 400 hertz computer and I run with ease. I do not get 200++ viruses and spyware a month as I used to. Now I am lucky if I get 1 or 2 viruses a month. If you want my opinion, if you stick to what APK says in his article about securing your computer then you will be safe and should not get any viruses or spyware, but if you do get hit with viruses and spyware then it will be your own fault. Keep up the good fight APK." - Kings Joker, user of my guide @ THE PLANET
AND
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2
"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral
AND
"APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral
AND
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3
"It's 2009 - still trouble free! I was told last week by a co-worker who does Active Directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half-life in Windows that you usually get. He said good point. So from 2008 till 2009. No speed decre
Very neat stuff.
;-).
Reading stuff like this (and understanding it so well) has often made me consider learning more and specializing in security administration, because it's just so damned intriguing. Alas, though, I find implementation to be my strongest suit (à la infrastructure admin/management) and what I prefer to deal with, so that's where I'm pointing my career. Nonetheless, I still like to have a healthy knowledge of security principles, in spite of the fact that I'm waaaay too lazy to implement them at home.
For what it's worth though, my own desktop has been running on the same Vista install for over two years now. No slowdown there without this guide either. I am going to bookmark it though, and, time permitting, likely implement it.
I'm not a fan of hosts file blocking though, I prefer to do things on my local DNS server.
Again, great links! Also, you seem to know a lot of blokes.
#1. Don't pay sprocket any mind, he is a bullshit artist. #2. http://slashdot.org/comments.pl?sid=1293667&cid=28621185 where sprocket was totally "perfectly" (the word he refused to define, along with his evading all questions put to him) blown away by his own dyslexic mind due to -> #3. Sprocket also likes to put words in others' mouths they never even said and tries to state they "implied it" when his dull brain obviously cannot interpret written English properly, because when asked by the person replying if sprocket could find where said person supposedly stated what sprocket said he did, Sprocket ran or evaded all questions there. I bookmarked that for everyone's reference so this no-mind Sprocket could see it again and regret his stupidity in being a wanna-be computer expert (not). He certainly got his ass handed to him there. Read it yourselves, and decide how "expert" sprocket really is.