[Shields Up] Computer Security Thread
Getting people to stop using IE6 is something we can all agree with.
Also, since the release of IE7 & Vista, MS hasn't intertwined IE & the OS so much. With Win7 IE is not integrated into the OS at all.
I do recognize that newer IEs are better than older versions though.
One of the largest vectors of attack for IE is ActiveX. MS did right by enhancing the control and usage of it to make the browser more secure. Things like per-site ActiveX and preventing controls from getting admin access go a long way to making IE more secure. I haven't checked into what other things they have accomplished because I am no longer really interested in it as an application. It took too long for them to get their act together, so I limit my knowledge of it to what I need for work.
With IE7 MS changed the default settings so IE would no longer auto-run ActiveX. In IE8 on Win7 the settings have changed a bit but it remains the same: you're prompted to run installers first, and then you still have to allow them to run after they're installed. And by default ActiveX controls are required to be signed to even prompt for install or activation. Basically ActiveX is not the giant target it once was, by a long shot.
In IE6 I used to easily change the ActiveX settings to prompt so ActiveX controls from web sites couldn't run automatically on the PCs. IE7 made securing things faster & easier. I also use a reg hack to speed up IE's rendering speeds. http://enhanceie.com/ie/tweaks.asp
Smitfraudfix and Combofix have been added to a new Anti-Malware category called 'Removal tools'. I also included a link to ESET's list of standalone removal tools, which includes a Rogue AV Remover. Chatter on Wilders is that the Rogue AV tool isn't great for day-0 stuff, but older threats it might be effective for.
I peruse Wilders on a regular basis myself, and believe me when I say that it's very much a place for the tinfoil hats! My paranoia jumps a level or two just reading their forums. Still, it's a really good source of information, if you can separate the wheat from the chaff.
AVG had an identity crisis and became bloat ware.
All the security in the world cannot protect stupidity. A reasonable effort at trying to remain secure should protect most people out there.
Even though it will take a little time, check out the comments. Some of them are truly great.
None of those are surprising. Adobe has had insecure products for years, and all of the video players are targeted because they are a very easy entry point. It's far too easy to get someone to watch a free clip of porn (graphic violence, accidents, sex, etc...). RealPlayer in particular has always had a pos, insecure code base. QuickTime for Windows was awful for the longest time as well. WMP had several open vectors for the longest time until MS started getting their act together. I can't think of a player out there, other than the unpopular, non-internet-streaming versions, that didn't have some vulnerability.
Sans has an informative article detailing how application holes are now outnumbering os holes and why it could be bad news.
On another topic, MS is being a bit shady regarding Windows 7 security. If you go through the list of security advisories there are plenty there that affect Vista x64 SP2 but have no listing for Win7. If you dig further into the actual advisories, each one will be patching multiple vulnerabilities (MS has done this for ages, possibly to group like vulnerabilities as well as lower the number of issues they have to make), and if you check those lists, Win7 will be listed, but with no advisory links (MS-whatever articles). If you go to a site like the one listed above, you won't see any vulnerabilities for Windows 7 relating to the kernel or IE8, but they do exist.
If I could give an award for biggest security headache of the year, I'd give it to Flash, specifically for allowing the advent of malvertisements.
I think there's some really bad misconceptions out there that the operating system is the only thing that matters. I've heard more than one person go on about how 64-Bit Windows 7 is safe because there are "no viruses" for it. And I had a very unpleasant conversation with a friend of mine this past weekend that basically started with his saying, "Oh, I can't get Phished. I use a Mac."
Tzuk has been firmly against x64 Vista and Windows 7 for their inclusion of PatchGuard, and prior to today has claimed implementing Sandboxie on those platforms would not be possible/worth his time.
Hacker pierces hardware firewalls with web page
Router attack discussion on Wilders
By and large this type of attack is uncommon these days, but as time goes on I have a suspicion that this technique will become more prevalent. Silent router infection seems like a sweet plum for phishers, so I'd expect them to jump all over it. So, in the meantime, remember that 'admin' is not a secure password.
Aside: Firewall maker Comodo seems to have landed itself in some trouble a while ago, and I'm only now learning about it. An article from May of last year seems to indicate that Comodo have engaged in the sale of SSL certificates to known malware distributors. Additional bundling of the Ask toolbar apparently had them classified as malware by some vendors.
I'm torn - I certainly don't want to leave Comodo on the list if they're being underhanded, but I'm not sure if this is FUD or not. Any opinions?
It's very likely to be old hat, and I'll admit that I don't quite understand all of it myself. I just found it interesting, since lately there's been a lot of talk about attacking the router as opposed to attacking any system. Most end-users have access to software that allows them to check their system for infection, but checking a router might be more difficult for them.
Still from what I understand, this attack still requires you to open the door, so to speak, to let the intrusion occur.
The OP was very helpful along with the pages of comments for semi-computer literate shmucks like me.
In short: Thank y'all.
As a semi-computer literate schmuck myself, I'm very glad that the thread was of assistance! If there's anything about the OP you'd like elaborated or felt needed highlighting/clarification, please don't hesitate to give feedback.
Unrelated news: Seems like the nasties are at it again hijacking Google Ads. In this latest bit of news they used Google Ads to lure people to a fake CNET Download.com page, with the promise of downloading the latest version of WinRAR. The files served, of course, weren't what was expected. A full copy of WinRAR was installed, but with infected executables that did some nasty things to HOSTS files and dropped some malicious files. It's actually pretty goddamn crafty - the malicious files start spamming the user with pop-up boxes that contain a keyword. Searching the keyword online will verify to the user that infection has occurred, from various forum posts and whatnot. However, when the user then searches for a solution by visiting security vendor sites, the modified HOSTS file redirects them to rogue A/V software, instead of legit solutions.
The larger point here is that social engineering once again emerges as the favored tool of the malware author. All the security software in the world can't do much to protect against user consent. My over-paranoid advice on this point is: always be aware of what domain you're visiting. Also, ignore ads altogether. Since this was a Google AdWords sponsored link, I'm unsure of whether or not NoScript would have been of any help.
Adobe finally patched Acrobat and Reader yesterday. If you're using those products, gogogo right now and patch them.
The gaping vulnerability was bad enough to begin with, but the literally weeks of lag time until the patch was issued seems like fantastic motivation to move away from Adobe. Unless you're locked into Acrobat, I'd highly recommend an alternative PDF viewer.
I just looked that up, and being Polish may I just give some fucking respect to the astounding Polishness of the author's name.
Motherfuck.
Now, no program I have can access the internet. Firefox just comes up with the "cannot connect" message, or just a blank page. Nothing else can connect either.
Now, I'm no networking guru, but I've checked out what I can on my network, and there doesn't appear to be any reason why it's not working. I'm stumped.
As an aside, I also can't reach my router from this computer. Just a blank page in Firefox when I try 192.168.1.1.
I'm going to try the Safe Mode scans and such to see if there's anything else causing problems, do you think this will work? Does anyone else have an idea as to how they might have disabled my internet and how I can fix it?
There are a couple of possibilities here, and I'll admit this is really perplexing. Some ISPs will sever your connectivity if they detect you've been infected, but they'll usually let you know right away by some means. Also, the fact that you can't contact your router is more unsettling. This seems almost contrary to the MO of most infections these days - if you're truly cut off from the net, then there's no potential to get anything of value from you. I think there's a chance you might've been hit by one of these nasty polymorphic bugs (something like Vundo or Virut), which tend to damage the system indiscriminately. Do you remember what the infection was, when you rooted it out?
If you don't want to rebuild the system, there are a couple of options. Starting with a MBAM scan (normal mode first, then in safe mode afterward) is probably your best bet, then follow up with an AV scanner like MSE - But without net access it's going to be hard to update the defs. If you think something is lurking on there still (I mean, if you're really sure), you might throw Combofix at it, which has the added advantage of not needing up to date defs. Just be careful with that piece of kit. It's strong medicine.
Running ESET's Sysinspector might give you a good idea of deeper issues. It's hard to parse, though, if you're unfamiliar with the software. It's like Hijackthis on steroids. The advantage to looking at Sysinspector is that it will examine your HOSTS file on a per-entry basis, basically looking for any redirects. It's a common trick that malware uses, though usually it doesn't point you toward a blank page.
I'm going to issue a warning here (and bold it for emphasis): You're obviously going to have to use a USB stick or some other means to get the files onto the afflicted computer. If you're still harboring nasties on there, you have a high chance of infecting that USB stick when you do so. I'd recommend burning a CD instead.
Lastly, and most importantly, I'm going to go ahead and recommend that you take the easy route out if you can. If you are willing: Forget the headache, forget what I said above. Back up your files, reformat the system, reinstall. It may prove easier in the long run. EDIT: In fact, if you indeed were hit by trojans, I'd recommend this course of action from the start.
I am under the impression that when an ISP cuts you off that all addresses will resolve to page stating this along with instructions on how to get help.
1. Run a system scan for a file called hosts (no extension). Make a backup copy first, then open the original file in Notepad. Delete anything but the first line, which should start with localhost. If you don't find anything out of the ordinary, delete the file you just changed and restore your old hosts file.
2. Make a system restore point, and try downloading and running the tool called WinSockFix.
3. Restore the point and do a recovery install with your Windows disc.
4. If you get here then you are better off just wiping Windows and starting from scratch.
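The HOSTS-file redirect trick described a few posts up (security vendor domains pointed at a rogue A/V server) and the manual "open hosts in Notepad and look for anything odd" step above can be turned into a small checker. The following is an added example, not code from anyone in this thread: it parses a hosts file in the Windows format, skips the stock localhost lines, and flags entries that override a watched vendor domain or map any name to a routable address. The sample file, the 192.0.2.x addresses (documentation range) and the VENDOR_DOMAINS watch-list are all constructed for the example.

```python
import ipaddress

# Constructed sample hosts file (not from the thread). The first two lines are
# the stock entries; the rest mimic the redirect trick described in the posts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.malwarebytes.org
192.0.2.10      www.eset.com
0.0.0.0         www.microsoft.com    # blackholed, so the vendor site never loads
192.0.2.10      www.google.com
127.0.0.1       ads.example.net      # ad-blocking style entry, harmless
"""

# Hypothetical watch-list of security-vendor hostnames (an assumption for the
# example; a real list would be whatever vendors you actually rely on).
VENDOR_DOMAINS = {"www.malwarebytes.org", "www.eset.com", "www.microsoft.com"}


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                              # not a hosts entry we understand
        for name in parts[1:]:                    # one IP may carry several names
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(entries, watch=VENDOR_DOMAINS):
    """Flag entries that override a watched domain, or that map any name other
    than localhost to a routable (non-loopback, non-unspecified) address."""
    flagged = []
    for ip, name in entries:
        addr = ipaddress.ip_address(ip)
        if name == "localhost":
            continue
        if name in watch:
            flagged.append((ip, name, "security vendor domain overridden"))
        elif not (addr.is_loopback or addr.is_unspecified):
            flagged.append((ip, name, "maps to routable address"))
    return flagged


def check_hosts_file(path):
    """Read a hosts file from disk and return the flagged entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(parse_hosts(fh.read()))


if __name__ == "__main__":
    # Run against the constructed sample; on a real machine pass
    # r"C:\Windows\System32\drivers\etc\hosts" to check_hosts_file instead.
    for ip, name, reason in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print(f"{name:25} -> {ip:15} ({reason})")
```

Entries of the form `127.0.0.1 ads.example.net` are deliberately left alone, since that is what legitimate ad-blocking hosts lists look like; the interesting cases are names sent to a real address, and vendor names sent anywhere at all.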
I'm always hesitant to go the format and reinstall direction because I'm afraid I won't be able to find a driver disc or something, and end up with an expensive paperweight.
But it sounds like that might be the best solution at this point, so I'll give it a whirl after trying a few things.
EDIT: oh, and I'm certain my ISP hasn't cut me off, since my other computer (connected to the same router, but with no viruses whatsoever go figure) connects just fine. I disconnected it from my network just in case, though.
Open a command prompt, check your current ip settings (ipconfig /all) and make certain they jive with what the router should be giving you. Make sure the gateway, netmask, and dns servers are all correct. Then ping the router. If you can get that far, chances are it is something simple like proxy settings / hosts file take over. Check the proxy settings in your apps (internet options in control panel so you don't accidentally load a bad IE activeX control) and tools -> options -> advanced tab -> network tab -> settings button and make sure there are no proxy settings in there.
Failing those, I would try the above - winsockfix, etc... However, I would also destroy all restore points before making a new one. Plenty of malware likes to hide there. Boot to safe mode, scan the system, disable the system restore to wipe it, and then boot normally, and turn it back on.
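The first diagnostic step above (run `ipconfig /all` and make sure the gateway, netmask and DNS servers are what the router should be handing out) is easy to do by eye once, but a small parser makes it repeatable. This is an added example, not code from the poster: it parses the text format `ipconfig /all` prints on Windows and compares one adapter against expected values. The sample output is constructed, and the 192.0.2.x DNS servers in it are deliberately wrong so that the check has something to report.

```python
import re

# Constructed sample of `ipconfig /all` output (not captured from the thread).
# The DNS servers deliberately differ from what the router (192.168.1.1) hands out.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-EXAMPLE
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   Description . . . . . . . . . . . : Example Gigabit Adapter
   IPv4 Address. . . . . . . . . . . : 192.168.1.105(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       192.0.2.54
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# A key line is indented, starts with a letter, and has the " . . . :" leader.
# Continuation lines (extra DNS servers, extra IPv6 addresses) lack the leader.
KEY_RE = re.compile(r"^\s+(?P<key>[A-Za-z][^:.]*?)\s*(?:\.\s*)+:\s?(?P<val>.*)$")


def _clean(value):
    """Strip annotations such as '(Preferred)' and surrounding whitespace."""
    return re.sub(r"\(.*?\)", "", value).strip()


def parse_ipconfig(text):
    """Return {section name: {key: [values]}} for every adapter block."""
    sections = {}
    current = "global"
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                 # e.g. "Ethernet adapter X:"
            current = line.strip().rstrip(":")
            sections[current] = {}
            last_key = None
            continue
        sections.setdefault(current, {})
        m = KEY_RE.match(line)
        if m:
            last_key = m.group("key").strip()
            val = _clean(m.group("val"))
            sections[current][last_key] = [val] if val else []
        elif last_key is not None:                # continuation of previous key
            sections[current][last_key].append(_clean(line))
    return sections


def check_adapter(cfg, gateway, mask, dns_servers):
    """Compare one adapter's settings with what the router is expected to give
    out. Returns a list of problem strings; an empty list means all matched."""
    problems = []
    if cfg.get("Default Gateway", []) != [gateway]:
        problems.append(f"gateway {cfg.get('Default Gateway', [])} != [{gateway}]")
    if cfg.get("Subnet Mask", []) != [mask]:
        problems.append(f"subnet mask {cfg.get('Subnet Mask', [])} != [{mask}]")
    found = cfg.get("DNS Servers", [])
    rogue = [d for d in found if d not in set(dns_servers)]
    if not found:
        problems.append("no DNS servers configured")
    elif rogue:
        problems.append("unexpected DNS servers: " + ", ".join(rogue))
    return problems


if __name__ == "__main__":
    # On a real machine, feed in the output of `ipconfig /all` instead of the sample.
    lan = parse_ipconfig(SAMPLE_IPCONFIG)["Ethernet adapter Local Area Connection"]
    for problem in check_adapter(lan, "192.168.1.1", "255.255.255.0", ["192.168.1.1"]):
        print("PROBLEM:", problem)
```

If the gateway and mask match but the DNS servers do not, that is exactly the "something simple" case the post describes: the machine can reach the router, but name resolution has been pointed somewhere else, which is why every browser comes back with a blank page or "cannot connect".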
Note that it's not a cleaning tool, but rather one that will allow the launch of other cleaning tools in difficult cases and infected systems.
I am currently using Win7 64-bit with Avira 32-bit 9 free.
Should I stick with it or switch to MSE?
I KISS YOU!
If you're using the free version you can go ahead and switch. MSE will be less of a hassle to you.
If you can download, run, and update MBAM, I'd highly recommend a scan with that software.
As a quick test, try downloading Process Explorer. If you're running Vista/Win7, run the Process Explorer task as Administrator. This will basically give you exactly the same information as the task manager, plus extra info. Take a good look at the list to see if anything looks suspect - As an added bonus, Process Explorer will show you the publisher name, so if something looks fishy and is digitally signed by Microsoft, it might be a system process.
If you're unsure of the running tasks, someone might be able to take a look at a HiJackThis log for you.
AVG especially needs a note in the OP: "Adds 30 seconds to the boot time of the average PC, installs a really shitty firefox extension without asking and, when uninstalled, will make your PC feel like new again." AVG 8 is as bad as Norton ever was.
I can't speak to AVG specifically, but I'll tell you this much: With MSE or ESET NOD, if you're noticing a slow down, the problem is probably your computer rather than the software.
Most modern AV software has a very small footprint. The only time I've ever noticed a slowdown with NOD over the last four years is when it's performing a scheduled full-system scan and I'm trying to run something like Crysis in the background. Whatever you choose, just have it do scheduled scans when you're not gaming. The resident AV that's always running in the background won't give you any hassle - particularly MSE.
It sort of takes the place of Defender.
http://social.answers.microsoft.com/Forums/en-US/msestart/thread/5309cb8d-02e1-40e8-974f-0dcedb9ab9fd
I KISS YOU!