Softpanorama

Strategies of Defending Microsoft Windows against Malware


The introduction to this topic grew too large and was split into a separate article on Dec 1, 2012; see Architectural approaches for increasing Windows resistance against malware.

Old News ;-)

Microsoft is closely monitoring the situation, and is committed to helping customers have a safe, enjoyable computing experience.

From the quotes of the day

“the Windows dominance produced a computer monoculture with all the same problems as other monocultures.”

"Anti-virus companies have always been seen as ambulance chasers, and sometimes, it's true," said Dan Schrader, the chief security analyst at Trend Micro. "Because this is an industry that has been built on hype and alerts and pretensions of being good citizens, the industry doesn't have a lot of credibility."

The Virus 'Ambulance Chasers'

The preoccupation with computer "hacking" is a way for physically unattractive males to enter the mainstream of society.

Anonymous


[Jun 14, 2013] U.S. Agencies Said to Swap Data With Thousands of Firms

Corporatism is on the march...
Bloomberg

Microsoft Bugs

Microsoft Corp. (MSFT), the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.

Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn’t ask and can’t be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.

Frank Shaw, a spokesman for Microsoft, said those releases occur in cooperation with multiple agencies and are designed to give government “an early start” on risk assessment and mitigation.

In an e-mailed statement, Shaw said there are “several programs” through which such information is passed to the government, and named two which are public, run by Microsoft and for defensive purposes.

Willing Cooperation

Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge’s order if it were done in the U.S., one of the four people said.

In these cases, no oversight is necessary under the Foreign Intelligence Surveillance Act, and companies are providing the information voluntarily.

The extensive cooperation between commercial companies and intelligence agencies is legal and reaches deeply into many aspects of everyday life, though little of it is scrutinized by more than a small number of lawyers, company leaders and spies. Company executives are motivated by a desire to help the national defense as well as to help their own companies, said the people, who are familiar with the agreements.

Most of the arrangements are so sensitive that only a handful of people in a company know of them, and they are sometimes brokered directly between chief executive officers and the heads of the U.S.’s major spy agencies, the people familiar with those programs said.

... ... ...

Committing Officer

If necessary, a company executive, known as a “committing officer,” is given documents that guarantee immunity from civil actions resulting from the transfer of data. The companies are provided with regular updates, which may include the broad parameters of how that information is used.

Intel Corp. (INTC)’s McAfee unit, which makes Internet security software, regularly cooperates with the NSA, FBI and the CIA, for example, and is a valuable partner because of its broad view of malicious Internet traffic, including espionage operations by foreign powers, according to one of the four people, who is familiar with the arrangement.

Such a relationship would start with an approach to McAfee’s chief executive, who would then clear specific individuals to work with investigators or provide the requested data, the person said. The public would be surprised at how much help the government seeks, the person said.

McAfee firewalls collect information on hackers who use legitimate servers to do their work, and the company data can be used to pinpoint where attacks begin. The company also has knowledge of the architecture of information networks worldwide, which may be useful to spy agencies who tap into them, the person said.

McAfee’s Data

McAfee (MFE)’s data and analysis doesn’t include information on individuals, said Michael Fey, the company’s worldwide chief technology officer.

“We do not share any type of personal information with our government agency partners,” Fey said in an e-mailed statement. “McAfee’s function is to provide security technology, education, and threat intelligence to governments. This threat intelligence includes trending data on emerging new threats, cyber-attack patterns and vector activity, as well as analysis on the integrity of software, system vulnerabilities, and hacker group activity.”

In exchange, leaders of companies are showered with attention and information by the agencies to help maintain the relationship, the person said.

In other cases, companies are given quick warnings about threats that could affect their bottom line, including serious Internet attacks and who is behind them.

... ... ...

The information provided by Snowden also exposed a secret NSA program known as Blarney. As the program was described in the Washington Post (WPO), the agency gathers metadata on computers and devices that are used to send e-mails or browse the Internet through principal data routes, known as a backbone.

... ... ...

Metadata

That metadata includes which version of the operating system, browser and Java software are being used on millions of devices around the world, information that U.S. spy agencies could use to infiltrate those computers or phones and spy on their users.

“It’s highly offensive information,” said Glenn Chisholm, the former chief information officer for Telstra Corp. (TLS), one of Australia’s largest telecommunications companies, contrasting it to defensive information used to protect computers rather than infiltrate them.

According to Snowden’s information, Blarney’s purpose is “to gain access and exploit foreign intelligence,” the Post said.

It’s unclear whether U.S. Internet service providers gave information to the NSA as part of Blarney, and if so, whether the transfer of that data required a judge’s order.

... ... ...

Einstein 3

U.S. telecommunications, Internet, power companies and others provide U.S. intelligence agencies with details of their systems’ architecture or equipment schematics so the agencies can analyze potential vulnerabilities.

“It’s natural behavior for governments to want to know about the country’s critical infrastructure,” said Chisholm, chief security officer at Irvine, California-based Cylance Inc.

Even strictly defensive systems can have unintended consequences for privacy. Einstein 3, a costly program originally developed by the NSA, is meant to protect government systems from hackers. The program, which has been made public and is being installed, will closely analyze the billions of e-mails sent to government computers every year to see if they contain spy tools or malicious software.

Einstein 3 could also expose the private content of the e-mails under certain circumstances, according to a person familiar with the system, who asked not to be named because he wasn’t authorized to discuss the matter.

AT&T, Verizon

Before they agreed to install the system on their networks, some of the five major Internet companies -- AT&T Inc. (T), Verizon Communications Inc. (VZ), Sprint Nextel Corp. (S), Level 3 Communications Inc. (LVLT) and CenturyLink Inc. (CTL) -- asked for guarantees that they wouldn’t be held liable under U.S. wiretap laws. Those companies that asked received a letter signed by the U.S. attorney general indicating such exposure didn’t meet the legal definition of a wiretap and granting them immunity from civil lawsuits, the person said.

[Jun 06, 2013] Banking Malware, Under the Hood

Slashdot

"What is your computer actually DOING when you click on a link in a phishing email? Sherri Davidoff of LMG Security released these charts of an infected computer's behavior after clicking on a link in a Blackhole Exploit Kit phishing email. You can see the malware 'phone home' to the attacker every 20 minutes on the dot, and download updates to evade antivirus. She then went on to capture screenshots and videos of the hacker executing a man-in-the-browser attack against Bank of America's web site. Quoting: 'My favorite part is when the attacker tried to steal my debit card number, expiration date, security code, Social Security Number, date of birth, driver's license number, and mother's maiden name– all at the same time. Nice try, dude!!'"
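The detail worth taking from the charts is the cadence: an implant that phones home "every 20 minutes on the dot" produces inter-arrival times with almost no variance, which human browsing never does. The script below is an added example (not LMG Security's charts or any tool from the post) that finds such fixed-interval destinations in a proxy log. It assumes a Squid-style access line of `<epoch_seconds> <client_ip> <method> <url> <status>`; the log lines, hosts and client address are constructed for the demonstration.

```python
"""Detect fixed-interval 'phone home' traffic in proxy logs.

Added example, not from the Slashdot post or LMG Security.
Assumed log format (Squid-like): <epoch_seconds> <client_ip> <method> <url> <status>
The sample lines below are constructed.
"""
from collections import defaultdict
from statistics import mean, median, pstdev
from urllib.parse import urlparse

# Constructed sample: one host polled every 1200 s (20 min) exactly,
# mixed with ordinary browsing to other hosts at irregular times.
SAMPLE_LOG = """\
1370500000 10.0.0.5 GET http://news.example.org/index.html 200
1370500000 10.0.0.5 GET http://c2.example.net/gate.php 200
1370500037 10.0.0.5 GET http://news.example.org/story/1 200
1370500890 10.0.0.5 GET http://mail.example.com/inbox 200
1370501200 10.0.0.5 GET http://c2.example.net/gate.php 200
1370501511 10.0.0.5 GET http://news.example.org/story/2 200
1370502400 10.0.0.5 GET http://c2.example.net/gate.php 200
1370502433 10.0.0.5 GET http://mail.example.com/inbox 200
1370503600 10.0.0.5 GET http://c2.example.net/gate.php 200
1370503790 10.0.0.5 GET http://news.example.org/story/3 200
1370504800 10.0.0.5 GET http://c2.example.net/gate.php 200
1370505100 10.0.0.5 GET http://mail.example.com/inbox 200
1370506000 10.0.0.5 GET http://c2.example.net/gate.php 200
"""


def parse_log(text):
    """Yield (timestamp, client, host) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # truncated or malformed line
        ts, client, _method, url, _status = parts[:5]
        host = urlparse(url).hostname
        if host:
            yield int(ts), client, host


def find_beacons(text, min_hits=4, max_cv=0.05):
    """Return {(client, host): interval_seconds} for destinations whose
    inter-arrival times are almost constant.

    Regularity is the coefficient of variation (stddev / mean) of the gaps
    between consecutive requests: bursty human browsing scores high, a
    timer-driven implant scores close to zero.
    """
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        times[(client, host)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests at the same second: no cadence to measure
        if pstdev(gaps) / avg <= max_cv:
            beacons[key] = int(median(gaps))
    return beacons


if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: beacon every {interval} s")
```

Legitimate pollers (update services, mail clients) beacon just as regularly, so the output is a triage list to compare against an allow-list of known periodic destinations, not a verdict.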

3.5 stripes

Well, you were dumb enough (Score:1, Insightful)

to click on the attachment in the first place, you've already set the bar for your intelligence

minstrelmike

Re:Well, you were dumb enough (Score:5, Insightful)

Actually, there are two different populations of phish messages going around now. One of them surprisingly enough is full of misspellings and odd grammar in a tale about a Nigerian prince. If folks click on that, the senders know they have a live one.

But the other phishing schemes are subtle. I think reasonably intelligent folks who skim emails (instead of read them), especially on a tiny smart-phone/blackberry screen, are just liable to click to someplace nasty. After all, ain't no one 100% right 100% of the time.


Synerg1y

Re:Well, you were dumb enough (Score:4, Insightful)

There's a very basic question that needs to be asked by people: why am I getting this email? If you can't figure it out, a siren should go off in your mind as to what this could be.

I do feel bad for anybody that's been caught by this, technical ineptitude is not a valid reason to get your money stolen, especially considering the average age of the victims (it's up there).

Kenja

Re:Nice try? (Score:4, Informative)

BofA actually has VERY good online security.

If set up right, you should be shown a picture you chose to confirm that you are on the legit site. Then, in addition to your password, you can set up a system where a six-digit numeric token is sent to your cell phone, which is also needed to authenticate.


Anonymous Coward

It's Quite A Bit More Than That (Score:1)


So a link in a malicious email can compromise my Windows box and cause my web browser to navigate to addresses in a local hosts file. Welcome back to 1997.

It's quite a bit more than that. Perhaps you should RTFA.

stewsters

Re:Most of the exploits.. (Score:5, Informative)

Don't use IE6. Don't use IE7. Don't use IE8. It's 2013. Use Chrome, Firefox, or IE 10+.

Install Chrome, open chrome://plugins/, and block automatic execution of Java and Flash. Make it so you need to click. Install an adblocker to reduce drive-by downloads. Install NoScript + Ghostery if you are wearing aluminum foil on your head.

Auto install security updates. If something disables it most likely you have a virus. Keep everything up to date. Don't install toolbars or weather apps from unknown sources.

CAOgdin

I Fixed One Of These Recently (Score:5, Interesting)

This malware (which puts up the appearance of a credit/debit card and asks for all your information) calls a server in the Ukraine. It was delivered by e-mail (to a naive user) and intercepts attempts to reach your financial institution via their website. It presents, after login (did they capture the login info?), a panel looking like the credit/debit card, asking the user to fill in all information, including account number, CVC, address, and other personal information (why anyone would fill in that data is beyond me!)

After much gnashing of teeth, I discovered it was undetectable by any known virus checker I use (AVG, Malwarebytes, Spybot), so I had to dig deeper. It turned out that the malware was using any references to 127.0.0.1 (local machine) for its hook. All I had to do was edit the HOSTS file and add the domain names of the miscreant with a reference to a different IP address that is known to be a dead end (you could, for example, use 127.7.7.7).

When the malware couldn't execute, it couldn't disable the various malware detectors, and several files were then identified and removed.
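The two HOSTS-file tricks in this thread, a bank's name pinned to an attacker's address and antivirus update servers blackholed to loopback, can both be audited mechanically, and the commenter's dead-end redirect can be generated the same way. The script below is an added example, not the commenter's procedure or any vendor's tool. It assumes the standard hosts syntax (`<ip> <name> [alias ...] [# comment]`); the watch-list, the sample file contents and the domain names are constructed.

```python
"""Audit a Windows HOSTS file for malware-style entries and build
sinkhole lines for known-bad domains.

Added example; not the commenter's own procedure or a vendor tool.
Assumptions: standard hosts syntax (<ip> <name> [alias ...] [# comment]);
the watch-list, the sample file and all domain names are constructed.
"""
import ipaddress
from pathlib import Path

# The live file on Windows (reading it needs administrator rights).
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Constructed watch-list: names a hosts file should never resolve.
BANK_WATCHLIST = frozenset({"bankofamerica.com", "www.bankofamerica.com"})

# Constructed sample with two typical malware additions.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.bankofamerica.com
127.0.0.1       avg.com www.avg.com   # update servers blackholed
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, one per alias, skipping comments,
    blank lines and lines whose address field does not parse."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a hosts entry
        entries.extend((ip, name.lower()) for name in names)
    return entries


def suspicious_entries(entries, watchlist=BANK_WATCHLIST, known_sinkholes=frozenset()):
    """Flag (a) any entry for a watch-listed domain, whatever address it
    carries, because a bank's name never belongs in hosts (pharming), and
    (b) any non-localhost name sent to a loopback or unspecified address,
    the trick used to cut a machine off from antivirus update servers.
    Names in known_sinkholes are your own deliberate blocks and are skipped."""
    findings = []
    for ip, name in entries:
        addr = ipaddress.ip_address(ip)
        if name in watchlist:
            findings.append((ip, name, "watch-listed domain redirected"))
        elif (name != "localhost" and name not in known_sinkholes
              and (addr.is_loopback or addr.is_unspecified)):
            findings.append((ip, name, "name blackholed to loopback"))
    return findings


def sinkhole_lines(domains, sink_ip="127.7.7.7"):
    """Build hosts lines sending each domain to a dead-end address (the
    commenter used 127.7.7.7) so a resident sample cannot reach its server."""
    ipaddress.ip_address(sink_ip)  # ValueError on a malformed address
    return [f"{sink_ip}\t{d}" for d in sorted({d.lower() for d in domains})]


if __name__ == "__main__":
    text = WINDOWS_HOSTS.read_text(errors="replace") if WINDOWS_HOSTS.exists() else SAMPLE_HOSTS
    for ip, name, why in suspicious_entries(parse_hosts(text)):
        print(f"{ip:<16} {name:<32} {why}")
    print("\n".join(sinkhole_lines(["c2.example.net"])))  # constructed domain
```

Note that a sinkhole you add yourself is indistinguishable from a malware blackhole by address alone, which is why `known_sinkholes` exists: keep a record of the names you redirected on purpose and pass it in, or every audit will re-flag them.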

[May 25, 2013] Scanner Identifies Malware Strains, Could Be Future of AV

May 25, 2013

An anonymous reader writes "When it comes to spotting malware, signature-based detection, heuristics and cloud-based recognition and information sharing used by many antivirus solutions today work well up a certain point, but the polymorphic malware still gives them a run for their money. At the annual AusCert conference held this week in Australia a doctorate candidate from Deakin University in Melbourne has presented the result of his research and work that just might be the solution to this problem. Security researcher Silvio Cesare had noticed that malware code consists of small "structures" that remain the same even after moderate changes to its code. He created Simseer, a free online service that performs automated analysis on submitted malware samples and tells and shows you just how similar they are to other submitted specimens. It scores the similarity between malware (any kind of software, really), and it charts the results and visualizes program relationships as an evolutionary tree." 

[Apr 19, 2013] Gozi banking Trojan

Researchers from security firm Trusteer have found a new variant of the Gozi banking Trojan program that infects a computer's Master Boot Record (MBR) in order to achieve persistence.

... ... ...

Sophisticated malware that uses MBR rootkit components, like TDL4, also known as Alureon or TDSS, are part of the reason why Microsoft built the Secure Boot feature into Windows 8. This malware is hard to detect and remove and can even survive operating system reinstallation procedures.

... ... ...

The new Gozi MBR rootkit component waits for Internet Explorer to be launched and then injects malicious code into the process. This allows the malware to intercept traffic and perform Web injections inside the browser like most financial Trojan programs do, Maor said.
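Because an MBR rootkit lives in the first sector of the disk rather than in the file system, the check a responder wants is a comparison of that sector against a known-good copy. The script below is an added example, not code from Trusteer, Microsoft or any rootkit scanner: it parses a 512-byte MBR (boot code, four partition entries, 0x55AA signature), hashes the boot code and reports deviations from a baseline. The MBR images and the stand-in boot-code bytes are constructed; reading a real one from the raw device is shown only in a comment.

```python
"""Parse a 512-byte Master Boot Record and check it against a baseline,
the check to run when an MBR rootkit such as TDL4 or this Gozi variant
is suspected.

Added example; not code from Trusteer, Microsoft or a rootkit scanner.
The MBR images below are constructed.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the boot loader code
PART_ENTRY = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sectors
SIGNATURE = b"\x55\xAA"       # bytes 510..511

# A real MBR is the first 512 bytes of the raw disk:
#   Windows: \\.\PhysicalDrive0     Linux: /dev/sda   (admin/root rights)
# Read it while booted from clean media; a rootkit that hooks disk I/O
# on the running system can hand back the original sector instead.


def build_mbr(boot_code, partitions):
    """Assemble a constructed MBR; partitions is a list of
    (bootable, type_byte, lba_start, sector_count). CHS fields are zeroed."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack(PART_ENTRY, 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", start, count)
        for bootable, ptype, start, count in partitions
    ).ljust(64, b"\x00")
    return code + table + SIGNATURE


def parse_mbr(data):
    """Return the boot-code hash, the non-empty partition entries and
    whether the 0x55AA signature is present."""
    if len(data) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        off = BOOT_CODE_LEN + 16 * i
        status, _, ptype, _, start, count = struct.unpack(PART_ENTRY, data[off:off + 16])
        if ptype:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "signature_ok": data[510:512] == SIGNATURE,
    }


def audit_mbr(data, baseline_sha256):
    """Integrity findings: missing signature, boot code that no longer
    matches the baseline hash, or more than one active partition."""
    info = parse_mbr(data)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one active partition")
    return findings


# Constructed stand-in for the vendor's boot code (not real loader bytes).
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 24
PARTITIONS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 1000000)]
BASELINE_MBR = build_mbr(CLEAN_CODE, PARTITIONS)
BASELINE_HASH = parse_mbr(BASELINE_MBR)["boot_code_sha256"]
# Constructed "infected" image: the first instruction now jumps elsewhere
# while the partition table is untouched, so a partition listing looks normal.
TAMPERED_MBR = build_mbr(b"\xE9\x00\x01" + CLEAN_CODE[3:], PARTITIONS)

if __name__ == "__main__":
    for label, image in (("baseline", BASELINE_MBR), ("tampered", TAMPERED_MBR)):
        print(label, parse_mbr(image)["partitions"], audit_mbr(image, BASELINE_HASH) or "clean")
```

The baseline hash has to come from somewhere trustworthy: the same disk imaged at deployment time, or the sector written by a fresh run of the vendor's boot-record repair, since the page's point is that a reinstall on top of the infected sector does not replace it.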


[Mar 22, 2013] Decade-old espionage malware found targeting government computers

Mar 20 2013 | Ars Technica

"TeamSpy" used digitally signed TeamViewer remote access tool to spy on victims.

Researchers have unearthed a decade-long espionage operation that used the popular TeamViewer remote-access program and proprietary malware to target high-level political and industrial figures in Eastern Europe.

TeamSpy, as the shadow group has been dubbed, collected encryption keys and documents marked as "secret" from a variety of high-level targets, according to a report published Wednesday by Hungary-based CrySyS Lab.

Targets included a Russia-based Embassy for an undisclosed country belonging to both NATO and the European Union, an industrial manufacturer also located in Russia, multiple research and educational organizations in France and Belgium, and an electronics company located in Iran. CrySyS learned of the attacks after Hungary's National Security Authority disclosed intelligence that TeamSpy had hit an unnamed "Hungarian high-profile governmental victim."

Malware used in the attacks indicates that those responsible may have operated for years and may have also targeted figures in a variety of countries throughout the world. Adding intrigue to the discovery, techniques used in the attacks bear a striking resemblance to an online banking fraud ring known as Sheldon, and a separate analysis from researchers at Kaspersky Lab found similarities to the Red October espionage campaign that the Russia-based security firm discovered earlier this year.

"Most likely the same attackers are behind the attacks that span for the last 10 years, as there are clear connections between samples used in different years and campaigns," CrySyS researchers wrote in their report. "Interestingly, the attacks began to gain new momentum in the second half of 2012."

They added: "The attackers surely aim for important targets. This conclusion comes from a number of different facts, including victim IPs, known activities on some targets, traceroute for probably high-profile targets, file names used in information stealing activities, strange paramilitary language of some structures, etc."

The attackers relied on a variety of methods, including the use of a digitally signed version of TeamViewer that has been modified through a technique known as "DLL hijacking" to spy on targets in real-time. Installation of the compromised program also provides attackers with a backdoor to install updates and additional malware. Both the TeamViewer technique and command servers used in the attack harken back to Sheldon. The TeamSpy operation also relies on more traditional malware tools that were custom-built for the purpose of espionage or bank fraud.

According to Kaspersky, the operators infected their victims through a series of "watering hole" attacks that plant malware on websites frequented by the intended victims. When the targets visit the booby-trapped sites, they also become infected. The attackers also injected malware into advertising networks to blanket entire regions. In many cases, much of that attack code used to infect victims was spawned from the Eleonore exploit kit. Domains used to host command and control servers that communicated with infected machines included politnews.org, bannetwork.org, planetanews.org, bulbanews.org, and r2bnetwork.org.

The discovery of TeamSpy is only the latest to reveal an international operation that uses malware to siphon sensitive data from high-profile targets. The most well-known campaign was dubbed Flame. Other surveillance campaigns include Gauss and Duqu, all three of which are believed to have been supported by a well-resourced nation-state. Last year, researchers also uncovered an espionage campaign dubbed Mahdi.

Decade-Old Espionage Malware Found Targeting Government Computers

Slashdot

Researchers have unearthed a decade-long espionage operation that used the popular TeamViewer remote-access program and proprietary malware to target high-level political and industrial figures in Eastern Europe. TeamSpy, as the shadow group has been dubbed, collected encryption keys and documents marked as 'secret' from a variety of high-level targets, according to a report published Wednesday by Hungary-based CrySyS Lab. Targets included a Russia-based Embassy for an undisclosed country belonging to both NATO and the European Union, an industrial manufacturer also located in Russia, multiple research and educational organizations in France and Belgium, and an electronics company located in Iran. CrySyS learned of the attacks after Hungary's National Security Authority disclosed intelligence that TeamSpy had hit an unnamed 'Hungarian high-profile governmental victim.'

erroneus

Suspicious based on what criteria?

  1. We aren't allowed to use open source and so we have to "trust" every 'signed binary' which executives and leaders want to use. If we could use open source, we could at least read the source and even compile it to ensure the source we read was the binary which was compiled.

  2. When the malware doesn't do "harm" to anything, the symptoms of malware are non-existent. No pop-up ads, no unusual crashing (see note about being unable to use open source... the 'other' operating system crashes often enough for inexplicable reasons that no one suspects malware as the cause any longer) and when a commonly used utility program which performs remote access is used, how can it be detected as malware?

Arguably, that it was proprietary and commercial software which was exploited is pretty disturbing. But at the same time, that software makers (and other device and product makers, and service providers too) frequently enter into deals with government to spy on people is unfortunately very common. That the "white-hat" (heh, I accidentally typed "white-hate"... apropos?) nation called the USA has compromised global communications with Echelon and more recently with the much celebrated NSA wiretapping, does not help matters.

I think no one appreciates the value of trust. Once it's lost, it's lost. What amount of trust in government... any government... may have existed, it is gone for most of us.

The unenlightened? Well... they still watch MSM (mainstream media, I have come to know these initials). What hope have they against that?

Anonymous Coward

Re:A strong push for open source in government (Score:1)

I suspect that as more malware and backdoors are discovered in systems used by government, the penny will begin to drop more frequently. Closed source is incompatible with security, by definition, since you cannot validly trust what you cannot see.

Bullshit. Open or closed source has no direct bearing on the ability of an attacker to infect a binary. Open source provides more eyes on a given bug or problem, but once compiled and running it's the exact same problem.

The article mentions use of a modified signed binary. So tell me how open source is going to remedy that? Unless you're recompiling from scratch (your entire tool chain, plus dependencies) on each launch, you're just as fucked as the next guy. Are you going to checksum the binary in memory each time a method is called? Are you going to encrypt/decrypt on each call? What's to stop an attacker from modifying your checksum code in the same manner as CD checks on games are trivially broken?

The only thing open source is really going to do for you is ensure that if you compile from source, the attack didn't originate from that source. So what?

Anonymous Coward

The fact it's open source IS (or can be) the pathway. If it's a small piece of software that does a specific function that's not of use to many people, your million eyeballs shrink rapidly. And what you're left with (IMO) is a handful of eyeballs thinking "I don't have the time/skills for this, it's open source, I'm sure someone will have looked over it" while no one actually does.

Or someone auditing the code but not the stuff around it, or maybe the code as distributed is clean and will compile into a clean and functioning binary, but the scripts around it actually add some malicious steps if certain criteria are met.

Open source isn't a magic bullet.

[Feb 28, 2013] Computer virus that activates webcam spreads, finds East Tennessee victims by Jennifer Meckles

Oct 5, 2012 | www.wbir.com

Authorities are tracking a new computer virus that uses a fake “FBI” message in an attempt to extort money from its victims.

Called “Reveton Ransomware,” officials say the virus is installed on a computer when a user visits a compromised website. The computer then locks, while displaying a warning that the FBI or Department of Justice has identified the computer as being involved in criminal activity. The fake message instructs users to pay a fine using a prepaid money card service, which will unlock the computer.

The computer’s webcam is also activated, showing the user a live picture of themselves.

“We started seeing versions of this virus last year, but of course, like all scams, it morphs over time,” said FBI Supervisory Special Agent Marshal Stone, of the Knoxville Division.

Stone says FBI officials do not conduct business in that fashion, and would never demand payment to unlock a computer.

The virus has already found victims in East Tennessee. Sean Woods of “Computer Solutions” in Seymour says he has worked three cases within the past week.

“In this case, a person will lose everything that they’ve ever had. If it’s not backed up, it’s gone,” he said.

Officials have not confirmed which websites lead to the virus, but Woods says he is connecting some trends. He believes users are picking up the virus through shared files, illegal downloads, or websites commonly linked to bugs.

“You don’t know who’s going on your computer and what they’re doing,” he said, cautioning users to be careful who they share a computer with. “They download content such as music… they’re out there for you to go view, this is where you’re getting hit.”

Woods says users should also keep their virus protection software up to date.

The FBI encourages any victims of the virus to file a complaint with the Internet Crime Complaint Center at www.ic3.gov.

Google under fire for sending users' information to developers by Thom Holwerda

02/15/13 
"Sebastian Holst makes yoga mobile apps with his wife, a yoga instructor. The Mobile Yogi is sold in all the major mobile app stores. But when someone buys his app in the Google Play store, Holst automatically gets something he says he didn't ask for: the buyer's full name, location and email address.

He says consumers are not aware that Google Inc. is sharing their personal information with third parties. No other app store transmits users' personal information to third-party developers when they buy apps, he said." Oh Google. 

UltraZelda64

Hopefully this applies only when "buying" an app. 

If so, then I should be safe. This kind of privacy violation is just... wrong. Google seems to think that their customers automatically trust third parties or something... if anything, this demonstrates that Google themselves should not be trusted.

darknexus

RE[2]: Obviously a bug by darknexus

"If it had been a certain fruit company everyone would be rioting.

Man, it's so hard to be persecuted, eh? "

Much as I hate to be defending Apple this time, the OP is absolutely correct. There's definitely a double standard in place for Apple in the tech media, particularly though not exclusively when compared to Google.

If Apple had been the one doing this, everyone would have been up in arms, torches lit, ready to burn down Apple HQ and any other buildings around them just to make sure the deed was done.

When Google does it, not only do we get some people giving them the benefit of the doubt but we even have some that claim Google are in the right to do this. If that's not a double standard, I don't know what is. For myself, I say no app store should give

[Feb 16, 2013] The Antivirus Industry's Dirty Little Secret

Video, you need Adobe Flash to view it...
Feb. 14, 2013 | Businessweek

-- Bloomberg Businessweek's Jordan Robertson discusses why the antivirus industry has so many customers in the face of its ineffectiveness. He speaks on Bloomberg Television's "Market Makers." (Source: Bloomberg)

[Feb 13, 2013] Welcome to the Malware-Industrial Complex  By Tom Simonite

February 13, 2013 | MIT Technology Review

The U.S. government is developing new computer weapons and driving a black market in “zero-day” bugs. The result could be a more dangerous Web for everyone.

Every summer, computer security experts get together in Las Vegas for Black Hat and DEFCON, conferences that have earned notoriety for presentations demonstrating critical security holes discovered in widely used software. But while the conferences continue to draw big crowds, regular attendees say the bugs unveiled haven’t been quite so dramatic in recent years.

One reason is that a freshly discovered weakness in a popular piece of software, known in the trade as a “zero-day” vulnerability, can be cashed in for much more than a reputation boost and some free drinks at the bar. Information about such flaws can command prices in the hundreds of thousands of dollars from defense contractors, security agencies and governments.

This trade in zero-day exploits is poorly documented, but it is perhaps the most visible part of a new industry that in the years to come is likely to swallow growing portions of the U.S. national defense budget, reshape international relations, and perhaps make the Web less safe for everyone.

Zero-day exploits are valuable because they can be used to sneak software onto a computer system without detection by conventional computer security measures, such as antivirus packages or firewalls. Criminals might do that to intercept credit card numbers. An intelligence agency or military force might steal diplomatic communications or even shut down a power plant.

It became clear that this type of assault would define a new era in warfare in 2010, when security researchers discovered a piece of malicious software, or malware, known as Stuxnet. Now widely believed to have been a project of U.S. and Israeli intelligence (U.S. officials have yet to publicly acknowledge a role but have done so anonymously to the New York Times and NPR), Stuxnet was carefully designed to infect multiple systems needed to access and control industrial equipment used in Iran’s nuclear program. The payload was clearly the work of a group with access to government-scale resources and intelligence, but it was made possible by four zero-day exploits for Windows that allowed it to silently infect target computers. That so many precious zero-days were used at once was just one of Stuxnet’s many striking features.

Since then, more Stuxnet-like malware has been uncovered, and it’s involved even more complex techniques (see “The Antivirus Era Is Over”). It is likely that even more have been deployed but escaped public notice. Meanwhile, governments and companies in the United States and around the world have begun paying more and more for the exploits needed to make such weapons work, says Christopher Soghoian, a principal technologist at the American Civil Liberties Union.

“On the one hand the government is freaking out about cyber-security, and on the other the U.S. is participating in a global market in vulnerabilities and pushing up the prices,” says Soghoian, who says he has spoken with people involved in the trade and that prices range from the thousands to the hundreds of thousands. Even civilian law-enforcement agencies pay for zero-days, Soghoian says, in order to sneak spy software onto suspects’ computers or mobile phones.

Exploits for mobile operating systems are particularly valued, says Soghoian, because unlike desktop computers, mobile systems are rarely updated. Apple sends updates to iPhone software a few times a year, meaning that a given flaw could be exploited for a long time. Sometimes the discoverer of a zero-day vulnerability receives a monthly payment as long as a flaw remains undiscovered. “As long as Apple or Microsoft has not fixed it you get paid,” says Soghoian.

No law directly regulates the sale of zero-days in the United States or elsewhere, so some traders pursue it quite openly. A Bangkok-based security researcher who goes by the name The Grugq tweets about acting as a middleman and has spoken to the press about negotiating deals worth hundreds of thousands of dollars with government buyers from the United States and western Europe. In an argument on Twitter last month, he denied that his business is equivalent to arms dealing, as critics within and outside the computer security community have charged. “An exploit is a component of a toolchain,” he tweeted. “The team that produces & maintains the toolchain is the weapon.”

Some small companies are similarly up-front about their involvement in the trade. The French security company VUPEN states on its website that it

“provides government-grade exploits specifically designed for the Intelligence community and national security agencies to help them achieve their offensive cyber security and lawful intercept missions.”

Last year, employees of the company publicly demonstrated a zero-day flaw that compromised Google’s Chrome browser, but they turned down Google’s offer of a $60,000 reward if they would share how it worked. What happened to the exploit is unknown.

No U.S. government agency has gone on the record as saying that it buys zero-days. But U.S. defense agencies and companies have begun to publicly acknowledge that they intend to launch as well as defend against cyberattacks, a stance that will require new ways to penetrate enemy computers.

General Keith Alexander, director of the National Security Agency and commander of the U.S. Cyber Command, told a symposium in Washington last October that the United States is prepared to do more than just block computer attacks. “Part of our defense has to consider offensive measures,” he said, making him one of the most senior officials to admit that the government will make use of malware. Earlier in 2012 the U.S. Air Force invited proposals for developing “Cyberspace Warfare Attack capabilities” that could “destroy, deny, degrade, disrupt, deceive, corrupt, or usurp the adversaries [sic] ability to use the cyberspace domain for his advantage.” And in November, Regina Dugan, the head of the Defense Advanced Research Projects Agency, delivered another clear signal about the direction U.S. defense technology is heading. “In the coming years we will focus an increasing portion of our cyber research on the investigation of offensive capabilities to address military-specific needs,” she said, announcing that the agency expected to expand cyber-security research from 8 percent of its budget to 12 percent.

Defense analysts say one reason for the shift is that talking about offense introduces an element of deterrence, an established strategy for nuclear and conventional conflicts. Up to now, U.S. politicians and defense chiefs have talked mostly about the country’s vulnerability to digital attacks. Last fall, for example, Defense Secretary Leon Panetta warned frankly that U.S. infrastructure was being targeted by overseas attackers and that a “digital Pearl Harbor” could result (see “U.S. Power Grids, Water Plants a Hacking Target”).

Major defense contractors are less forthcoming about their role in making software to attack enemies of the U.S. government, but they are evidently rushing to embrace the opportunity. “It’s a growing area of the defense business at the same time that the rest of the defense business is shrinking,” says Peter Singer, director of the 21st Century Defense Initiative at the Brookings Institution, a Washington think tank. “They’ve identified two growth areas: drones and cyber.”

Large contractors are hiring many people with computer security skills, and some job openings make it clear there are opportunities to play more than just defense. Last year, Northrop Grumman posted ads seeking people to “plan, execute and assess an Offensive Cyberspace Operation (OCO) mission,” and many current positions at Northrop ask for “hands-on experience of offensive cyber operations.” Raytheon prefaces its ads for security-related jobs with language designed to appeal to stereotypical computer hackers: “Surfboards, pirate flags, and DEFCON black badges decorate our offices, and our Nerf collection dwarfs that of most toy stores. Our research and development projects cover the spectrum of offensive and defensive security technologies.”

The new focus of America’s military and defense contractors may concern some taxpayers. As more public dollars are spent researching new ways to attack computer systems, some of that money will go to people like The Grugq to discover fresh zero-day vulnerabilities. And an escalating cycle of competition between U.S. and overseas government agencies and contractors could make the world more dangerous for computer users everywhere.

“Every country makes weapons: unfortunately, cyberspace is like that too,” says Sujeet Shenoi, who leads the U.S.-government-sponsored Cyber Corps Program at the University of Tulsa. His program trains students for government jobs defending against attacks, but he fears that defense contractors, also eager to recruit these students, are pushing the idea of offense too hard. Developing powerful malware introduces the dangerous temptation to use it, says Shenoi, who fears the consequences of active strikes against infrastructure. “I think maybe the civilian courts ought to get together and bar these kinds of attacks,” he says.

The ease with which perpetrators of a computer attack can hide their tracks also raises the risk that such weapons will be used, Shenoi points out. Worse, even if an attack using malware is unsuccessful, there’s a strong chance that a copy will remain somewhere on the victim’s system—by accident or design—or accidentally find its way onto computer systems not targeted at all, as Stuxnet did. Some security firms have already identified criminal malware that uses methods first seen in Stuxnet (see “Stuxnet Tricks Copied by Criminals”).

“The parallel is dropping the atomic bomb but also leaflets with the design of it,” says Singer. He estimates that around 100 countries already have cyber-war units of some kind, and around 20 have formidable capabilities: “There’s a lot of people playing this game.”

[Jan 11, 2013] Adobe Flash Virus - McAfee Security Scan Plus Scam

Adobe Engaging in a Detestable Practice

Adobe has begun a new campaign of evil. They are installing unrequested software without the user's permission. Although the software may seem fairly benign and even helpful, it isn't. It is actually fairly harmful to the computing experience.

... .... ...

Please close Firefox to continue installation... flash player installed...McAfee Security Scan Plus installed....WHAT? I never gave permission to install McAfee. I watched very carefully to make sure I unchecked any boxes that asked me for permission to install additional software. Well, maybe I missed it. Besides, it sounded fairly benign. I decided to let it go.
 

Problems with McAfee - May Adobe Die

I began noticing some new problems with my computer. This was very strange as I hadn't tried any new programs yet. The only security that I use for my computer is WinPatrol, and the only new program it showed running in the background was McAfee. Programs and sound files would freeze for about a tenth of a second, and I worried about a hardware problem caused by working on my computer. Even YouTube videos would stutter. I even opened up my computer again and made sure everything was seated tight and no cables were bumping against the wrong thing. I couldn't find any physical problems though.

Luckily, I got around to uninstalling McAfee. It is easy to remove, just click on start, all programs tab, then McAfee tab. There will be an option to uninstall McAfee and it runs without any problems.

After removing McAfee, the next time I booted up my computer it ran perfectly again. This got me curious. I went online and discovered that I am not the first to have problems with Adobe and their unwanted software. Other IT users noticed that McAfee was installed without any check boxes or warnings. It might be in the EULA, but who reads that. The EULA may protect them legally, but in my book it doesn't mean that what they are doing is moral. It only means that Adobe knows how to legally scam people while protecting itself.

I heard that McAfee has caused some serious problems on other people's computers too. Recently, it would cause computers to constantly reboot after installation. How many people would know how to fix that problem?

Why would Adobe do such a thing? Well, it turns out that the McAfee installation isn't a full working version. It may detect viruses, but you will have to pay money to upgrade to a full version that removes them. Basically, Adobe and McAfee are trying to bleed people for money.

I suspect in the long run, this will work against Adobe

... ... ... ... 

[Jan 11, 2013] McAfee VirusScan - Wikipedia, the free encyclopedia

Customer support criticisms

Reviewers have described customer support for McAfee products as lacking, with support staff slow to respond and unable to answer many questions.[8][9]

2010 reboot problem

On April 21, 2010, beginning approximately at 2 PM GMT, an erroneous virus definition file update from McAfee affected millions of computers worldwide running Windows XP Service Pack 3. The update resulted in the removal of a Windows system file (svchost.exe) on those machines, causing machines to lose network access and, in some cases, to enter a reboot loop. McAfee rectified this by removing and replacing the faulty DAT file, version 5958, with an emergency DAT file (version 5959) and has posted a fix for the affected machines in its consumer "KnowledgeBase".[10][11]

2012 update issues

An August 2012 update to McAfee Antivirus caused the protection to turn off and users to lose internet connections. McAfee was criticised for not notifying users promptly of the issues when it learned about them.[12][13]

[Jan 05, 2013] Foreign Policy Group Gets Hacker Happy New Year Discovery News

See also Sirefef and Win32/Tracur.AV. Using IE 8 has become really dangerous these days.
Hackers said a big Happy New Year to the Council on Foreign Relations, using the organization's own website to attack unsuspecting visitors.

The CFR is a non-partisan policy group, known mostly for publishing Foreign Affairs, an influential journal on the subject. The group's website was infected with malware that uses a "watering hole" attack -– waiting for users to visit the site before downloading the malware to their machines. The malware involved allows a hacker to execute code remotely on the target computer. 

... ... ...

The malware only works on Internet Explorer 8 or earlier versions. The hackers altered the HTML code on the CFR's website itself and were able to remotely execute a program on any computer that accessed the site. The malware was hidden in several pieces and stored in areas that the web page needed to go to in order to retrieve stored content such as text and pictures. "The javascript is hidden in a file on the system that is usually used for a completely different purpose," he said.

Microsoft is reportedly working on a permanent fix, and issued a security advisory on Dec. 29. In the meantime there is an automatic work-around here. The simplest way to protect oneself is to disable Javascript and Flash, according to Microsoft, but sometimes turning those two features on and off for different sites can be inconvenient.

Users of Internet Explorer 9 and later aren't vulnerable.

While the particular attack on the CFR website used a previously unknown vulnerability in Internet Explorer, the "watering hole" attack is nothing new: a local government site in Maryland and a bank in Boston were hit by one called VOHO in July, which infected targeted computers with code that sent information such as keystrokes back to a server.
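The kind of check a site operator or incident responder can run over a saved copy of a page after a watering-hole compromise like the one described in the article above. This is an added example, not code from the article or from the CFR incident: it parses a page snapshot and reports scripts pulled from a host other than the site itself, scripts whose URL points at a file type that should never serve JavaScript (the article notes the injected JavaScript was hidden in a file normally used for something else), and inline scripts that use common obfuscation primitives. The sample pages, the hostnames and the indicator list are constructed for the example.

```python
"""Triage a saved HTML page for injected <script> tags (watering-hole follow-up)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Obfuscation indicators for inline JavaScript: a constructed, non-exhaustive list.
OBFUSCATION_RE = re.compile(
    r"eval\s*\(|unescape\s*\(|String\.fromCharCode|document\.write\s*\("
    r"|(?:%u?[0-9a-fA-F]{2,4}){8,}"   # long run of percent-escaped bytes
    r"|(?:\\x[0-9a-fA-F]{2}){8,}"     # long run of \x escapes
)

# File types that should not be serving executable script.
NON_SCRIPT_EXT = (".css", ".gif", ".jpg", ".jpeg", ".png", ".ico", ".txt", ".xml")


class _ScriptCollector(HTMLParser):
    """Collect (src, inline_body) for every <script> element, in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._body = []

    def handle_data(self, data):
        if self._in_script:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._body)))
            self._in_script = False


def find_suspicious_scripts(html, site_host):
    """Return [(reason, detail), ...] for script tags that deserve a closer look.

    site_host is the hostname the page was fetched from; a script whose src
    names a different host is reported as off-origin.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src, body in collector.scripts:
        if src:
            url = urlparse(src)
            if url.hostname and url.hostname != site_host:
                findings.append(("off-origin script", src))
            if url.path.lower().endswith(NON_SCRIPT_EXT):
                findings.append(("script served from a non-script file", src))
        elif OBFUSCATION_RE.search(body):
            findings.append(("obfuscated inline script", body.strip()[:60]))
    return findings


# Constructed snapshots of one page before and after tampering (not real CFR content).
CLEAN_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script>var page = "home"; init(page);</script>
</head><body><p>Policy news</p></body></html>"""

TAMPERED_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script>var page = "home"; init(page);</script>
<script src="/images/header.gif"></script>
<script>eval(unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090"));</script>
<script src="http://static.example.net/stats.js"></script>
</head><body><p>Policy news</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, find_suspicious_scripts(page, "www.example.org"))
```

The heuristics are for triage, not verdicts: legitimate minified libraries also use String.fromCharCode and long escape runs, so the useful workflow is to run this over a crawler snapshot and compare the findings against a known-good copy of the same page, then pull the flagged files for manual analysis.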

[Jan 03, 2013] Antivirus Makers Work on Software to Catch Malware More Effectively

“The traditional signature-based method of detecting malware is not keeping up.” This has been known for 20 years or so. Nothing has changed.
NYTimes.com
Consumers and businesses spend billions of dollars every year on antivirus software. But these programs rarely, if ever, block freshly minted computer viruses, experts say, because the virus creators move too quickly. That is prompting start-ups and other companies to get creative about new approaches to computer security.

“The bad guys are always trying to be a step ahead,” said Matthew D. Howard, a venture capitalist at Norwest Venture Partners who previously set up the security strategy at Cisco Systems. “And it doesn’t take a lot to be a step ahead.”

Computer viruses used to be the domain of digital mischief makers. But in the mid-2000s, when criminals discovered that malicious software could be profitable, the number of new viruses began to grow exponentially.

In 2000, there were fewer than a million new strains of malware, most of them the work of amateurs. By 2010, there were 49 million new strains, according to AV-Test, a German research institute that tests antivirus products.

The antivirus industry has grown as well, but experts say it is falling behind. By the time its products are able to block new viruses, it is often too late. The bad guys have already had their fun, siphoning out a company’s trade secrets, erasing data or emptying a consumer’s bank account.

A new study by Imperva, a data security firm in Redwood City, Calif., and students from the Technion-Israel Institute of Technology is the latest confirmation of this. Amichai Shulman, Imperva’s chief technology officer, and a group of researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab. They found that the initial detection rate was less than 5 percent.

On average, it took almost a month for antivirus products to update their detection mechanisms and spot the new viruses. And two of the products with the best detection rates — Avast and Emsisoft — are available free; users are encouraged to pay for additional features. This despite the fact that consumers and businesses spent a combined $7.4 billion on antivirus software last year — nearly half of the $17.7 billion spent on security software in 2011, according to Gartner.

“Existing methodologies we’ve been protecting ourselves with have lost their efficacy,” said Ted Schlein, a security-focused investment partner at Kleiner Perkins Caufield & Byers. “This study is just another indicator of that. But the whole concept of detecting what is bad is a broken concept.”

Part of the problem is that antivirus products are inherently reactive. Just as medical researchers have to study a virus before they can create a vaccine, antivirus makers must capture a computer virus, take it apart and identify its “signature” — unique signs in its code — before they can write a program that removes it.

That process can take as little as a few hours or as long as several years. In May, researchers at Kaspersky Lab discovered Flame, a complex piece of malware that had been stealing data from computers for an estimated five years.

Mikko H. Hypponen, chief researcher at F-Secure, called Flame “a spectacular failure” for the antivirus industry. “We really should have been able to do better,” he wrote in an essay for Wired.com after Flame’s discovery. “But we didn’t. We were out of our league in our own game.”

Symantec and McAfee, which built their businesses on antivirus products, have begun to acknowledge their limitations and to try new approaches. The word “antivirus” does not appear once on their home pages. Symantec rebranded its popular antivirus packages: its consumer product is now called Norton Internet Security, and its corporate offering is now Symantec Endpoint Protection.

“Nobody is saying antivirus is enough,” said Kevin Haley, Symantec’s director of security response. Mr. Haley said Symantec’s antivirus products included a handful of new technologies, like behavior-based blocking, which looks at some 30 characteristics of a file, including when it was created and where else it has been installed, before allowing it to run. “In over two-thirds of cases, malware is detected by one of these other technologies,” he said.
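Why a signature culled from one captured specimen lags behind the next one, as the paragraphs above describe, shown in an added example that is not from the article or from any vendor's engine. The "malware" here is a constructed byte string: a small self-decoding stub (illustrative x86, not a real sample) in front of an XOR-encoded payload, and a variant that is the same code with a different key. The byte signature taken from the specimen's stub catches the specimen and misses the variant; the same signature with the two varying bytes wildcarded (the way a YARA ?? does) catches both and still ignores a benign file that happens to share the stub's opening bytes. Offsets, keys and the benign file are all assumptions of the example.

```python
"""Exact byte signatures versus a trivially re-keyed variant."""
import re

PAYLOAD = b"constructed payload"   # illustrative plaintext the stub would decode


def build_sample(key):
    """Constructed specimen: a 24-byte self-decoding stub, then the XOR-encoded payload.
    The stub bytes are illustrative x86; only their layout matters here
    (payload length at offset 13, XOR key at offset 20)."""
    stub = (
        bytes.fromhex("e800000000")             # call next instruction (get-PC trick)
        + bytes.fromhex("5b")                   # pop ebx
        + bytes.fromhex("81eb05000000")         # sub ebx, 5
        + bytes([0xB9, len(PAYLOAD), 0, 0, 0])  # mov ecx, payload length
        + bytes([0x80, 0x34, 0x33, key])        # xor byte [ebx+esi], key
        + bytes.fromhex("46e2f8")               # inc esi; loop
    )
    return stub + bytes(b ^ key for b in PAYLOAD)


def decode_payload(sample):
    """Recover the plaintext: key at offset 20, encoded body after the 24-byte stub."""
    key = sample[20]
    return bytes(b ^ key for b in sample[24:])


def scan_exact(data, signature):
    """Classic signature scan: is this exact byte string present anywhere in the file?"""
    return signature in data


def mask_signature(signature, wildcard_offsets):
    """Compile a signature in which the bytes at wildcard_offsets match anything."""
    parts = [b"." if i in wildcard_offsets else re.escape(bytes([b]))
             for i, b in enumerate(signature)]
    return re.compile(b"".join(parts), re.DOTALL)


def scan_masked(data, pattern):
    """Family scan: does the wildcarded signature match anywhere in the file?"""
    return pattern.search(data) is not None


ORIGINAL = build_sample(0xAA)   # the specimen the vendor captured and took apart
VARIANT = build_sample(0x5C)    # the same code re-keyed by its author
CLEAN = bytes.fromhex("e8000000005b") + b"a benign get-PC stub followed by ordinary code"

SIGNATURE = ORIGINAL[:24]                          # the whole decoder stub of the specimen
FAMILY_SIG = mask_signature(SIGNATURE, {13, 20})   # wildcard the length and the key

if __name__ == "__main__":
    for name, data in (("original", ORIGINAL), ("variant", VARIANT), ("clean", CLEAN)):
        print(name, "exact:", scan_exact(data, SIGNATURE),
              "masked:", scan_masked(data, FAMILY_SIG))
```

The masked signature is the generic detection the article's vendors describe adding on top of per-sample signatures; it buys coverage of a family at the cost of an analyst choosing which bytes are invariant, and a variant that changes the stub's structure rather than its immediates still requires a fresh capture.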


Recommended Links




See also Note on Virus Paranoia by Nikolai Bezroukov.

An Overview of The Seventh International Virus Bulletin Conference (VB’97). v.2.01; Oct. 21, 1997. Polemics about "In the Wild List" advocates. Overview of the best presentations, including:

The Virus 'Ambulance Chasers'

"This whole industry runs on hysteria," said Rob Rosenberger, webmaster of Computer Virus Myths. "It's just one more press release about a virus that's probably going nowhere."

A Reader’s Guide to Reviews by Sarah Tanner. Great !!!

FAT32 New Problems for Viruses or Anti-Virus -- a sober look on problems with interaction between scanners and file systems. You will never read this in ZD publications ;-)

The Virus Creation Labs - An excerpt from Dr. George C. Smith's book -- an interesting book about the interaction between virus writers and the AV industry (see also Crypt Newsletter). Here is an excerpt from the review by Rob Rosenberger (the author of False Authority Syndrome). In his Recommended books & publications he wrote:

The media portrays virus writers as teenage prodigies whose temper tantrums threaten the world. The media portrays antivirus companies as serious business professionals who work closely with competitors and international agencies to keep virus writers at bay. If you listen to the media, it's a World War with clear lines drawn between good & evil. The media doesn't have a clue. "Drunken brawl" most accurately describes the virus/antivirus conflict. You can't always tell the good guys from the bad guys (they occasionally switch sides) and it's every man for himself. Virus writers rarely advance the state of the art -- but antivirus firms profit by declaring them deadly computer terrorists. Few books about viruses delve into this bizarre soap opera, and most of those only cover it briefly. Crypt Newsletter editor George C. Smith's entire book exposes an insane world where everybody claws at each others' throats -- and where even the virus writers have marketing departments. 172 pages written with an utterly cynical sense of humor & irony. I read The Virus Creation Labs for the first time while sitting in an airport terminal and I repeatedly embarrassed myself with bursts of laughter.

Microsoft Office 97 Visual Basic Programmer's Guide -- one cannot understand macro virus problem without understanding VBA

Microsoft: Your one stop shop for macro viruses.

Crypt Newsletter supplied this short paper to a consumer group in Washington, D.C., that's trying to prevent the software industry from running over consumers in the area of product liability law. The industry's position is, obviously, "It's your neck if you buy, use or download our products and then wind up hosed in any way."

Most people with even half a brain grasp the point that this is a profoundly anti-consumer stance.

In America, only the computer software industry has this carte blanche ticket to screw with people unapologetically. If any other type of company in your hometown were caught ignorantly putting saltpeter into the water supply for years, you could go after them. Maybe you could even get the media outraged, too!

If this analogy isn't clear enough, consider the recent case of Williamson Sales of San Diego and the distribution of hepatitis A contaminated strawberries. Now, you should know hepatitis A -- if you're going to get hepatitis -- is the hepatitis to get. The virus that causes it is, relatively speaking, mild. Some people who contract the disease often don't know they have it; symptoms vary widely and may never appear noticeably. Children, who were the consumers of Williamson's strawberries, generally don't get as sick as adults. Victims may become extremely jaundiced or not at all.

In no cases during the media firestorm over the virus-contaminated strawberries were company officials caught saying things like "It's not our fault, there's no liability, you broke the shrinkwrap and ate the strawberries," or "It's just a minor hepatitis virus (not B or non-A/non-B which are extremely bad), a relative prankster, no one will get very sick, perhaps not at all." Can you imagine what would have happened if any had? A vice-president of Williamson, or its parent, Epitope, would have been ceremonially lynched by the media.

However, the software industry lives in a kind of mystic never-never land where these conditions do not apply. By the same token, the industry is allowed to drown everyone in ads creating the impression that products will take you anywhere you want to go, educate your children, revivify your moribund career, make you more appealing to women, earn riches for you . . . well, you know the drill.

Keep in mind as you read what follows that Microsoft's distribution of the Concept and Wazzu macro viruses is one reason these viruses have become two of the most widely reported macro virus infections in the wild. Keep in mind, a hundred crazed virus writers busily uploading virus-infected uuencoded binaries to alt.cracks or alt.sex.filthy.etc couldn't accomplish in five years what Microsoft facilitated in two. Keep in mind that the level of technical attention to detail and preventive measures needed to prevent these mass distributions was well within the capability of Bill Gates' minions.

That's Not a Virus! -- an important paper, from the historical perspective, by Chengi Jimmy Kuo, Director of AV Research at McAfee Associates (he later left McAfee's AVERT research team to join Microsoft; he had been with McAfee since 1995, when McAfee's AVERT lab team started). Paradoxically, McAfee was the best virus hype propagandist in the world and owes a large part of his fortune to it.

Mythinformed -- an interesting article on the False Authority Syndrome. See also False Authority Syndrome

Wolfgang Stiller, an internationally recognized virus expert and author of the Integrity Master anti-virus program, says "Computer security experts today--people who deserve that title--tend to have a good background on how viruses operate. They can dispense some good advice." But he chooses his words carefully when asked to comment on virus expertise among computer security personnel. "They're a little more likely than the average person to understand viruses," Stiller notes. "Some would say they're a lot more likely to understand them, but I've met a fair number who don't know a thing about viruses, or, even worse, they've got misconceptions. In light of the fact they are computer security experts, their misconceptions carry a lot more weight than the average person. Errors are much more damaging when they come out of the mouths of these people." Stiller sums up False Authority Syndrome among computer security experts by stating "Put me on a panel with a computer security person, and I won't claim to have his level of security expertise. But the computer security guy will invariably claim to have my level of virus expertise. How can you convince the audience in a diplomatic way that he doesn't?"

Articles

FROM TUESDAY, SEPTEMBER 2, 1997
ORIGINALLY PUBLISHED IN THE NETLY NEWS
The anti-virus industry likes to think of itself as a team of collegial white knights riding to the rescue of all beset by computer viruses. In truth, it's a mutually antagonistic, factious business where everybody wakes up hoping everybody else has failed the night before. Case in point: the recent series of lawsuits between McAfee Associates and Symantec.

Far from unique, such lawsuits are beginning to look like just another turd in the anti-virus industry punchbowl. The difference in this latest news is that McAfee Associates has attempted to attach a billion-dollar price tag to the squabble by suing Symantec for defamation.

While I won't go into great detail about the method Microsoft uses (alas, "the enemy" is everywhere), I can say that the SR-1 modifications are quite effective in preventing the spread of most existing Word macro viruses. The SR-1 changes stop almost all Word 97 macro virus "upconverts" - viruses originally written for Word 6 and 95 that have been automatically converted to infect Word 97 documents - dead in their tracks. Even better, the technique doesn't rely on identifying individual viruses and counteracting them; instead, Microsoft has discovered a way to prohibit the most common method viruses use to propagate. Think of it as birth control for Word macro viruses. These new anti-virus routines work not only on current viruses, but also on viruses that haven't yet been created. It's a very significant step in the right direction.

Tutorials

Nikolai Bezroukov. Malware Defense History (slightly outdated -- I was active in virus research from 1987 till 1991, when I published Computer Virology, one of the first academic-style books devoted to computer viruses; then I returned to this field in 1996 and generally finished my AV career in 1998, with periodic splashes of interest since then).

FAT/FAT32 materials (some old file and boot viruses were FAT-specific).

FAT32 New Problems for Viruses or Anti-Virus -- a sober look on problems with interaction between scanners and file systems. You will not read this in ZD publications ;-)

Understanding Virus Behavior in the Windows NT Environment -- a rare decent paper about the topic

A white paper on Office 2000 vulnerability to macro viruses -- Symantec white paper "Microsoft Office 2000 and Security Against Macro Viruses" by Darren Chi. Local copy: Reprints/o2secwp.pdf

Office 2000 Macro Security -- Microsoft paper. See also HTML variant here

Office 2000 has introduced digital signatures to help users distinguish legitimate code from undesirable and viral code. If you open an Office document and see a macro security warning with digital signature information, you can feel reasonably confident that the person (or corporation) signing the macros wrote them. You can choose to trust all macros signed by this person by checking the Trust all macros from this source checkbox. From then on, Office will enable the macros without showing a security warning for any document with macros signed by this trusted source.

Office 2000 silently disables non-signed macros when the new Office 2000 Security Level feature is set to “High.” In fact, the default security setting for Word 2000 is "High." By removing the chance that a user “accidentally” enables a virus-infected document, the high security level helps reduce the spread of macro viruses. If all legitimate macros are digitally signed, then users do not even need to see the security warning without digital signature information.

Nikolai Bezroukov. Computer Virology (zip archive of the book -- in Russian).



Copyright © 1996-2013 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine. This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contains some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting hosting of this site with different providers to distribute and speed up access. Currently there are two functional mirrors: softpanorama.info (the fastest) and softpanorama.net.

Disclaimer:

The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: June 14, 2013