
[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."


Posts

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle), Registered User regular
    edited April 2011
    Can jpg, mov, mpg, avi, etc files become infected if a system is infected? IOW, I have files 1.jpg through 100.jpg on my hd, and backed up to disc. Then I put files 101.jpg through 120.jpg on my HD. Then my computer becomes infected. I can delete files 1.jpg through 100.jpg with no concern since I can just put them back on from the dvd disc that they're on. But 101.jpg through 120.jpg weren't backed up. Do I need to worry that an infection may have somehow inserted itself into files 101.jpg through 120.jpg, and if I transfer them to my new installation, that they'll carry the infection over?

    Short, useless, trite answer: If it can't execute, it can't infect.

    Long, rambling answer: Image, video, and sound files aren't really primary vectors for infection. Their ability to deliver a payload to a system is usually contingent upon feeding malformed data to your image viewer, movie player, etc. So it typically requires you to have a nasty embedded in the jpg/mov/avi file, and then play it with the specific player that it was made to exploit. In some cases, it's specific, but in others the exploit will leverage OS defaults to make infection more prevalent. I've also never heard of an infection 'jumping' to a jpg/avi/mov file, the way they jump to infect other executables or .dlls - though I wouldn't call it impossible. Note that .doc and .pdf files are a different ballgame, in that they are primary vectors for infection, and .doc files can be 'jump' targets. They still need to be viewed/opened to cause damage, but they're just much, much more common.

    Still, the idea here is that dropping the file onto the new HD isn't going to cause an infection. Even if those files were infected themselves, they shouldn't be able to infect the whole system by just being transferred or stored. They'd need to be viewed to execute their attack.

    Because I am that 'paranoid' type, I will bring up the closest thing to an exception: Stuxnet. The .lnk vulnerability that Stuxnet leveraged used malformed data loaded just by viewing the shortcut of the file in question. Stuxnet vulnerabilities have been patched up pretty good by this point, though, and due to the hullabaloo it caused most major antivirus suites should catch it.

    tl;dr answer: Provided that you know the file is actually a jpg, avi, or mov file (and not a deviously misnamed .exe), the chances of it being infected are low. In any case, moving it to your new HDD shouldn't immediately cause infection. If you want to be super sure, scan the files in question before moving them.

    Added disclaimer: I wouldn't be so concerned about the files you want to transfer (if we're just talking jpgs) so much as the method you'll use to transfer them. Plugging a USB stick into an infected computer is a great way to infect the USB stick - which will now try to infect everything else you plug it into. I'm uncertain if burned DVDs/CDs can be hijacked in a similar manner.

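    The "deviously misnamed .exe" caveat above is something a defender can check mechanically: compare what the file name claims against the leading bytes (magic numbers) of the content. The following is an added example, not code from the thread or from any of the posters; the signature table is a deliberately small, simplified one covering the formats the post mentions, and the sample headers are constructed.

```python
import os

# Leading-byte signatures (magic numbers) for the formats discussed above.
# Simplified table constructed for this example; real sniffers carry far more.
_PREFIX_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "exe": (b"MZ",),  # DOS/PE executable stub; also used by .dll and .scr
}

# Extensions that are just alternative spellings of the same type.
_ALIASES = {"jpeg": "jpg", "dll": "exe", "scr": "exe", "mp4": "mov", "qt": "mov"}


def sniff(data: bytes):
    """Return the type implied by the content, or None if it is not recognised."""
    for kind, sigs in _PREFIX_MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    # RIFF container: AVI files carry the form type 'AVI ' at offset 8.
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "avi"
    # ISO base media family (QuickTime .mov, .mp4): a size field, then 'ftyp' at offset 4.
    if data[4:8] == b"ftyp":
        return "mov"
    return None


def claimed_type(filename: str):
    """Type the file name claims, normalised through the alias table (None if no extension)."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return _ALIASES.get(ext, ext) or None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the name claims one type and the bytes say something else.

    Unrecognised content is not flagged: the goal is to catch executables and
    documents hiding under media extensions, not to reject unusual formats.
    """
    claimed = claimed_type(filename)
    actual = sniff(data)
    return actual is not None and claimed is not None and actual != claimed


def find_misnamed(files):
    """files: mapping of filename -> leading bytes. Returns [(name, claimed, actual)]."""
    report = []
    for name, head in files.items():
        if extension_mismatch(name, head):
            report.append((name, claimed_type(name), sniff(head)))
    return report


def read_head(path: str, n: int = 16) -> bytes:
    """Read only the first n bytes of a real file; enough for every signature above."""
    with open(path, "rb") as fh:
        return fh.read(n)


if __name__ == "__main__":
    # Constructed sample headers standing in for the un-backed-up 101.jpg .. 120.jpg.
    sample = {
        "101.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
        "102.jpg": b"MZ\x90\x00\x03\x00\x00\x00",    # PE stub under a .jpg name
        "clip.avi": b"RIFF\x00\x10\x00\x00AVI LIST",
        "notes.jpg": b"%PDF-1.4\n",                  # PDF under a .jpg name
        "unknown.bin": b"\x00\x01\x02\x03",
    }
    for name, claimed, actual in find_misnamed(sample):
        print(f"{name}: named as {claimed} but content looks like {actual}")
```

    To run it over a real folder, build the mapping with `read_head(path)` for each file; the check deliberately reads only the first 16 bytes, so it never opens or renders the file with a viewer.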
  • Synthesis (Honda Today!), Registered User regular
    edited April 2011
    Recently while browsing, I ran into one of those "Suddenly throw you into an alleged 'anti-virus scan'" traps....thanks for goddamn nothing, Firefox.

    Closed out and ran MSE immediately. Didn't seem to catch anything, so I guess not all of them attempt to put something down during the 'scan'.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle), Registered User regular
    edited April 2011
    Synthesis wrote: »
    Recently while browsing, I ran into one of those "Suddenly throw you into an alleged 'anti-virus scan'" traps....thanks for goddamn nothing, Firefox.

    Closed out and ran MSE immediately. Didn't seem to catch anything, so I guess not all of them attempt to put something down during the 'scan'.

    Most of the time those things run an immediate scan of your browser, OS, and plugins to find a known vulnerability. If you've got an unpatched exploit, it'll drop its nasty crap before it does anything else. If you're all patched up and there are no day-0s to be had, it falls back on trying to get you to install the malware via social engineering. In the cases such as the one you encountered, the worst that usually remains on the system is a cached javascript file or somesuch. At least, that's been my experience.

    And as I'm sure everyone else does, I fucking hate those attacks.

  • Dark Shroud, Registered User regular
    edited April 2011
    Yeah, I've reported a few of those to MS for their Smart Screen filter. I've had people call me up freaked out thinking those things were real.

    MS talked about those types of attack a while back; the number of times they've been blocked is in the millions. IE's built-in sandbox mode & Smart Screen Filter have made my life a lot easier.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle), Registered User regular
    edited April 2011
    There's a new post over on the avast! blog detailing a pair of novel exploits for PDFs, ones that are apparently a bit broader than most. The full story is over here for those of you who wish to read it.
    A new method of producing malicious PDF files has been discovered by the avast! Virus Lab team. The new method is more than a specific, patchable vulnerability; it is a trick that enables the makers of malicious PDF files to slide them past almost all AV scanners.

    I admit that the reading is a bit too technical for me, and thus over my head, but the analysis seems to be pretty solid. PDFs once again serve as vectors for malware, so be sure that you do NOT have them set to open by default in your browser/reader.

  • BlueSquared, Registered User new member
    edited April 2011
    I work at my university's IT drop-off center, looking for a recommendation. 75% of the work I do is boot into safe mode, install SuperAntiSpyware and Malwarebytes and remove people's malware. If they have what is perceived to be a sub-par anti-virus solution, we remove that and throw on MSE.

    Basically, I'm tired of getting "repeat customers." That is, seeing the same computer come in every few weeks with infections. Are there any good anti-malware programs that actively block these threats (Like how SAS/MBAM have the option, if you pay for it) for free?

    I know I can't fix user stupidity, just wondering if there were any other solid programs that could slow some of this down.

  • Dark Shroud, Registered User regular
    edited April 2011
    I don't know of one that does it automatically for free. You can slap Comodo's suite on there and really lock things down.

    Spybot SD's immunization feature & Spyware Blaster help block a lot of garbage from getting in. But they do not update automatically for free.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle), Registered User regular
    edited April 2011
    I don't mean to sound defeatist, but there's really NO software out there that's going to prevent these infections 100% if we're talking about an active on-access scanner. The malware changes too quickly, and the software updates too slowly. Every A/V and antimalware suite is going to miss something. In addition, you'd have to rely on your users to keep any software up to date. The best option would be to use something preventative, like a limited user account in conjunction with a software restriction policy, sandboxing, or virtualization. I'm not sure that's a terribly good solution to your problem, though, since it would be hard for your customers to acclimate to. They'd see it as more of an annoyance than getting infected, I'd presume.

    What I'd recommend would be at least securing their browsers to ensure they have flash and javascript blocking available. That should mitigate things, hopefully, for free. But it's not foolproof.

    Unrelated: I'm sure everyone's heard by now, but on the extremely slim chance that you look at this thread and not the PSN compromise thread over in G&T, you should know the Playstation Network was recently (*snrk*) hacked. Personal information and account credentials are presumed leaked, and CC information is at possible risk. We're having a good old time freaking out and swearing at each other and Sony over here, so drop on by if you'd like details.

  • RBach, Registered User regular
    edited April 2011
    I work at my university's IT drop-off center, looking for a recommendation. 75% of the work I do is boot into safe mode, install SuperAntiSpyware and Malwarebytes and remove people's malware. If they have what is perceived to be a sub-par anti-virus solution, we remove that and throw on MSE.

    Basically, I'm tired of getting "repeat customers." That is, seeing the same computer come in every few weeks with infections. Are there any good anti-malware programs that actively block these threats (Like how SAS/MBAM have the option, if you pay for it) for free?

    I know I can't fix user stupidity, just wondering if there were any other solid programs that could slow some of this down.

    Once a system is compromised you can never be sure the infection is totally gone. Who knows if your scanners just happen to miss something that then brings all the other goodies back. As such, my personal recommendation is to back up their data, erase the hard drive, and reinstall their OS.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle), Registered User regular
    edited April 2011
    RBach wrote: »
    Once a system is compromised you can never be sure the infection is totally gone. Who knows if your scanners just happen to miss something that then brings all the other goodies back. As such, my personal recommendation is to back up their data, erase the hard drive, and reinstall their OS.

    Couldn't agree more. A compromised system is always best rebuilt - reformat, reinstall, restore. The nasties are digging deeper these days, sadly.

    Also, I forgot to mention this earlier when I first read the article, but apparently Dropbox uses some rather peculiar methods of authentication which render their security somewhat suspect. You can read the full analysis here, and make a judgment on what's being claimed.
    Taking the config.db file, copying it onto another system (you may need to modify the dropbox_path, to a valid path), and then starting the Dropbox client immediately joins that system into the synchronization group without notifying the authorized user, prompting for credentials, or even getting added to the list of linked devices within your Dropbox account (even though the new system has a completely different name) – this appears to be by design. Additionally, the host_id is still valid even after the user changes their Dropbox password (thus a standard remediation step of changing credentials does not resolve this issue).

  • Digito, Registered User regular
    edited April 2011
    RBach wrote: »
    I work at my university's IT drop-off center, looking for a recommendation. 75% of the work I do is boot into safe mode, install SuperAntiSpyware and Malwarebytes and remove people's malware. If they have what is perceived to be a sub-par anti-virus solution, we remove that and throw on MSE.

    Basically, I'm tired of getting "repeat customers." That is, seeing the same computer come in every few weeks with infections. Are there any good anti-malware programs that actively block these threats (Like how SAS/MBAM have the option, if you pay for it) for free?

    I know I can't fix user stupidity, just wondering if there were any other solid programs that could slow some of this down.

    Once a system is compromised you can never be sure the infection is totally gone. Who knows if your scanners just happen to miss something that then brings all the other goodies back. As such, my personal recommendation is to back up their data, erase the hard drive, and reinstall their OS.


    Actually, small question about that, but what's a good program to do the aforementioned erasing of the hard drive? I'm having a situation like this myself, and while I've got the "Backing up" and "Reinstalling OS" parts down, I'm not sure what program to go get to properly nuke and reformat the hard drives in this thing, and I don't know if I trust the WinXP reformat to do a good enough job to make sure whatever nailed my system doesn't come back for a Round Two. I've heard repartitioning can do it, but I'm a little lacking in good partitioning software at the moment. So what're my options?

  • Aeyther, Registered User regular
    edited April 2011
    Digito wrote: »
    RBach wrote: »
    I work at my university's IT drop-off center, looking for a recommendation. 75% of the work I do is boot into safe mode, install SuperAntiSpyware and Malwarebytes and remove people's malware. If they have what is perceived to be a sub-par anti-virus solution, we remove that and throw on MSE.

    Basically, I'm tired of getting "repeat customers." That is, seeing the same computer come in every few weeks with infections. Are there any good anti-malware programs that actively block these threats (Like how SAS/MBAM have the option, if you pay for it) for free?

    I know I can't fix user stupidity, just wondering if there were any other solid programs that could slow some of this down.

    Once a system is compromised you can never be sure the infection is totally gone. Who knows if your scanners just happen to miss something that then brings all the other goodies back. As such, my personal recommendation is to back up their data, erase the hard drive, and reinstall their OS.


    Actually, small question about that, but what's a good program to do the aforementioned erasing of the hard drive? I'm having a situation like this myself, and while I've got the "Backing up" and "Reinstalling OS" parts down, I'm not sure what program to go get to properly nuke and reformat the hard drives in this thing, and I don't know if I trust the WinXP reformat to do a good enough job to make sure whatever nailed my system doesn't come back for a Round Two. I've heard repartitioning can do it, but I'm a little lacking in good partitioning software at the moment. So what're my options?

    I use an Ubuntu 10.10 live USB which has a good formatting/partitioning tool called GParted when I reformat my drives. It has a lot of options for formatting to different file systems and lets you label them so you know what you are wanting to put on each partition.

  • Orca (Also known as Espressosaurus Wrex), Registered User regular
    edited April 2011
    I would think if you deleted (all) the partition(s), repartitioned and reformatted, there's nothing that could survive, assuming it hasn't somehow managed to worm its way into your BIOS or other hardware--at which point you're pretty well boned anyway.

    But I haven't heard of anything doing that on consumer, commodity hardware.

    edit: at the risk of declaring the obvious, this is doing the partition thing after booting up off known safe read-only media.

  • Nightslyr, Registered User regular
    edited April 2011
    I admit that the reading is a bit too technical for me, and thus over my head, but the analysis seems to be pretty solid. PDFs once again serve as vectors for malware, so be sure that you do NOT have them set to open by default in your browser/reader.

    How does one check/turn this off?

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle), Registered User regular
    edited April 2011
    Orca wrote: »
    I would think if you deleted (all) the partition(s), repartitioned and reformatted, there's nothing that could survive, assuming it hasn't somehow managed to worm its way into your BIOS or other hardware--at which point you're pretty well boned anyway.

    But I haven't heard of anything doing that on consumer, commodity hardware.

    edit: at the risk of declaring the obvious, this is doing the partition thing after booting up off known safe read-only media.

    Agreed. You should be completely safe booting from, say, a Windows 7 DVD and then using the partition manager there to delete all existing partitions. Then you can create a new one and be on your way. If you really want to drop a train on the bastards, or let's say you're going to sell your computer, then you can always use Darik's Boot and Nuke. Burn the image to a disk, pop it in the drive, boot, and take a step back. It'll wipe out all data to a very secure degree. Might be a little overkill.

    On the topic of BIOS infections, they are possible, but from what my (limited) understanding is, they all require physical access to the machine to install.
    Nightslyr wrote: »
    I admit that the reading is a bit too technical for me, and thus over my head, but the analysis seems to be pretty solid. PDFs once again serve as vectors for malware, so be sure that you do NOT have them set to open by default in your browser/reader.

    How does one check/turn this off?

    In your browser, check to see what the behavior is for PDF files. Firefox and Opera have options/preferences that will allow you to alter the behavior of the browser in response to clicking a PDF link. The preferred response would be to prompt you each time, so you have a choice as to whether or not you want to download or open the file. If someone were to throw a nasty at you that way, you could refuse the download.

    The major thing to avoid, though, is setting the browser to automatically open the PDF. Additionally, check the list of plugins in your browser - if you see Adobe Reader in there disable it. Then Adobe won't open up inside your browser anymore, and you'll need to open it up deliberately to read a PDF.

    Additionally, a really good idea if you're using Adobe is to disable javascript. That's under the preferences inside Adobe.

  • Orca (Also known as Espressosaurus Wrex), Registered User regular
    edited April 2011
    My solution has been to find a different PDF reader for reading. Evince isn't bad, for example.

    And if you need to author stuff, you can break out Acrobat then...

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle), Registered User regular
    edited April 2011
    Recently a rash of malware advertisements apparently hit DeviantArt. Nothing too special in terms of the attack vector or method - Looks like it was standard insertion of a redirect/hijack from flash ads and javascript ads. Still highly dangerous, to be sure, but the same game we've been playing for years now.

    What disturbs me most about the incident is the response DA gave their users, which amounts to basically patting themselves on the back for catching the malware so quickly, asking users to report it when they see it, and then recommending they all install AVG or MSE.

    Antivirus is an essential part of a security setup, and I won't disagree with a recommendation to install MSE. However, it's been proven time and time again that these attacks are well timed, and that the payloads are altered too quickly for standard definition based scanners to keep up. Additionally, many of the people hit by these attacks are unlikely to even realize the true extent of the infection, as usually we're talking about a rootkit dropped under a fake AV.

    I know I'm being unreasonable here, but if a site like DA wants to truly protect their users, they will do something about the Ad process rather than just recommend that people install an AV. Flash is a vector, javascript is a vector. When you allow an unregulated third party (which themselves may allow yet ANOTHER unrelated party!) to put flash or javascript containing content on your webpage, you're at risk and so are your users. It's how they monetize the site, of course, so it won't change.

    Still, considering the ways that hackers manage to exploit bad code to inject javascript attacks into pages they're not advertising on, giving some ad company the keys to your page content feels wrong.

  • Dark Shroud, Registered User regular
    edited April 2011
    Well I run IE9 and I'm going to try setting Comodo to run Adobe Flash in a sandbox. I also have a lot of restrictions on cross site loading, ad blocking, & huge block lists so I don't notice JavaScript ads much at all.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle), Registered User regular
    edited April 2011
    Well I run IE9 and I'm going to try setting Comodo to run Adobe Flash in a sandbox. I also have a lot of restrictions on cross site loading, ad blocking, & huge block lists so I don't notice JavaScript ads much at all.

    Doing something to block javascript and flash, particularly on a domain-by-domain basis, is a really good idea. It's the best thing to do as an end-user, but of course people running the websites in question don't want you to do that, because it cuts into their ad dollars.

    By the way, how are you liking IE9?

  • Dark Shroud, Registered User regular
    edited May 2011
    I love it, I've been trying IE9 since the first preview. I went through the trouble of loading the later public previews into the beta release. That was so I could run the more up to date "preview" backend with the beta's full GUI.

    IE9's hardware acceleration is a godsend and makes IE9 the fastest browser on my system. IE9's Tracking Protection is a great feature that blocks a lot of different ads. My only complaint is the lack of a good spell checker built in. I should also note that I have a very high end system.

    Also I already have the first preview of IE10 installed.

  • Synthesis (Honda Today!), Registered User regular
    edited May 2011
    Okay...I'm taking a bit of a gamble here, showing my naivety in these matters, but how do people feel about 1password?

    There's a free one-month trial, and while it seems very pricey, it seems like a convenient alternative to my current system of maintaining my passwords in pieces of paper in my desk.

  • RBach, Registered User regular
    edited May 2011
    I liked 1Password when I used it, but it seems to me that Lastpass surpasses it in every way (and is what I use now).

  • zhen_rogue, Registered User regular
    edited May 2011
    I'm a long-time user of Avira AntiVir for my personal PC, but I've been hearing some decent things about MSE as well. Does anyone here have experience with using both, and/or any solid evidence that would lead me to believe one is superior to the other?
    I'm a big fan of Avira mostly because of the small resource footprint, decent detection/trap rate, very VERY few false positives, unobtrusive/hidden interface, and simple GUI.

    My data:
    WinXP Pro, Chrome browser, 2GB RAM, dual-core 2.0GHz, heavy web-surfing and some MMORPGs.

    Any additional input here would be appreciated!

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle), Registered User regular
    edited May 2011
    Synthesis wrote: »
    Okay...I'm taking a bit of a gamble here, showing my naivety in these matters, but how do people feel about 1password?

    There's a free one-month trial, and while it seems very pricey, it seems like a convenient alternative to my current system of maintaining my passwords in pieces of paper in my desk.

    I admit that I don't personally use a password manager, and I really can't comment on their use one way or another. Usually what I do hear about is LastPass, though, when I hear about them at all. Hopefully a few more folks can weigh in on the issue. Given the difficulty of managing passwords, I can appreciate the use of a password manager... Then again, it does reduce your security to a single password, which if compromised, would open everything up.
    zhen_rogue wrote: »
    I'm a long-time user of Avira AntiVir for my personal PC, but I've been hearing some decent things about MSE as well. Does anyone here have experience with using both, and/or any solid evidence that would lead me to believe one is superior to the other?
    I'm a big fan of Avira mostly because of the small resource footprint, decent detection/trap rate, very VERY few false positives, unobtrusive/hidden interface, and simple GUI.

    My data:
    WinXP Pro, Chrome browser, 2GB RAM, dual-core 2.0GHz, heavy web-surfing and some MMORPGs.

    Any additional input here would be appreciated!

    In my opinion it is extremely difficult to judge antivirus suites against one another on issues of effectiveness. Definitions change rapidly, as do evolving malware threats. Some options are clearly bloated when it comes to resources, so they're easy to discount. When it comes to choosing between Avira and MSE, though, I wouldn't call it clear cut. Avira was ranked extremely well in the Virus comparatives, in terms of scanning efficacy, low false positive rate, and also speed. MSE also did well, and is highly praised, but ranked slightly lower on the charts.

    At the end of the day they're both very good options, so I'd say choose whichever one is best for your system and your wallet. MSE is free, and non-nagging. I'm not sure how the free version of Avira behaves.

    Keep in mind, though: There are some instances where having Avira installed will protect your system, where MSE would not block the attack. There are some instances where having MSE installed will protect your system, where Avira would not. There are some instances where both would catch the threat. There are some instances where no matter the choice, malware will get through. Antivirus is essential, but should not be the only security layer on your system.

  • Synthesis (Honda Today!), Registered User regular
    edited May 2011
    On the subject of 1Password, so far, I'm really appreciating the convenience (it's pushed me to drop Firefox, and scrub all the saved passwords I had on it), which is very good. It occasionally bugs out, but that's usually fixed by closing the browser and re-opening it.

    My single greatest complaint is, for the price (it is pricey), that it doesn't look like they're going to support 64-bit IE9 any time soon. Or maybe ever. Kind of annoying, but I guess they have their reasons.

    On the other hand, I really like the integration with my phone, which means I can use it with my laptop (it was a bit of a pain to set up, since I hadn't used Dropbox before) and more generally on the go. I'm now coming up with much more complex passwords. I'm sure competitive alternatives exist out there (Lastpass?) but I'd need the same phone support. Lastpass has WP7 support, which I approve of, but that requires LastPass Premium (at a paltry $1 a month--that being said, I'd much rather pay for everything upfront and be done with it).

    Also, what adblock extensions do people recommend for IE9? I've got Simple Adblock installed, but it lacks the menu extension for manually blocking flash and pictures and frames. Adblock Pro seems to do all of those, but it's not free either.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle), Registered User regular
    edited May 2011
    I'm going to have to look into one of these password managers, eventually. They make me slightly uneasy, due to their high-value nature, but sometimes it just gets mindboggling how many passwords I have to keep in my head.

    Synthesis, I unfortunately can't speak toward a reasonable ad-blocker for IE9, as I don't use it. Dark Shroud probably has the info on that, though! Alternatively, there are solutions that are browser-independent, like HOSTS files or Admuncher. I've heard good things about Admuncher, but it isn't free at all.

    Couple of interesting newsbits: TDL3 has evolved into TDL4 - one of the largest and nastiest rootkits (actually bootkits) currently in the wild. TDL4 has been shown to completely bypass all Windows 7 x64 based protections, including circumventing driver signing requirements and allowing the patching of the Windows kernel. There's one writeup here, and another one here.
    TDL4 infects the Master Boot Record (MBR) and effectively loads before Windows boot up. This gives so called bootkits the upper hand in countering the protection mechanisms introduced by 64-bit Windows.

    ...

    Key survival strategy for rootkits is that they must be undetectable by antivirus software. TDL4 does so by attaching itself to the hard disk (at the lowest level) and filtering all read/write operations. When antivirus software reads data from the drive, the rootkit just serves clean uninfected data, effectively blinding antivirus and internet security software.

    Some of the latest patches from Microsoft do a little to combat the ability to patch the kernel, but that's not likely to last long.

    In other news: Looks like someone finally figured out how to target OS X machines with drive-by malware. There's an additional write-up over here.
    Early reports show that users have been targeted as they search Google Images, one user stating that the bogus MacDefender application was automatically downloaded as he browsed images of Piranhas. Further searching through the Apple Discussion boards suggests that the malware campaign is targeting users of Apple’s Safari browser, displaying warnings that the user’s computer has been infected with viruses that only the unofficial MacDefender application can remove.

    Without getting into too many details, it's a fake antivirus attack launched through Google Image Search on OS X machines using Safari. The malware itself isn't that tenacious: It's easy to remove, apparently. But what interests me more is how it exploits the mindset and expectations perpetuated by the OS X brand. The malware installs itself by exploiting Safari, which is often trusted to 'open safe files' automatically due to the perception that OS X can't be infected. The user has no warning of what's going on until the malware has been installed and launched. Combining an attack like this with the invincibility that Apple markets for their brand means that users who buy into the notion of OS X being 'uninfectable' will be much more easily fooled by social engineering. For example, many attacks on the OS X platform require the input of the administrator password to install the malware. If the end user is so confident in their security that they plug that password in without thinking, well, you can figure out what happens.

    Additionally, it means that the criminals and malware engineers are starting to target OS X. Given how quickly OS X was compromised at pwn2own, I'd say that interest in attacking the mac brand is growing, and that the feat is possible.

    AnteCantelope, Registered User regular
    edited May 2011
    The place I work at uses moodle, which apparently hashes passwords with MD5. Does anyone here have experience with moodle, and know how I'd be able to change that? Is that something we would need to spend money on? Is there any reason why the moodle standard would be an outdated, practically useless encryption?

    Failing that I guess I'm going to have to find the config file to make sure there's a salt, because apparently by default there isn't.

    TetraNitroCubane (The Djinnerator), At the bottom of a bottle, Registered User regular
    edited May 2011
    AnteCantelope wrote:
    The place I work at uses moodle, which apparently hashes passwords with MD5. Does anyone here have experience with moodle, and know how I'd be able to change that? Is that something we would need to spend money on? Is there any reason why the moodle standard would be an outdated, practically useless encryption?

    Failing that I guess I'm going to have to find the config file to make sure there's a salt, because apparently by default there isn't.

    I'll admit once again that I'm no expert in this particular area. We do have a few folks around that are well versed in the matters of hashing, salting, and cryptography, though. I certainly hope they peek in, and are of more help than I.

    In terms of what I was able to find for moodle, there was an exchange on their forums in 2009 that seems to indicate that they don't plan on moving moodle past MD5.
    Tim Hunt wrote:
    And MD5 is only insecure after someone has got hold of the list of hashed passwords from your database. If the hacker has got that far, you are pretty screwed already.

    Later in the same thread, the dev speculates about maybe moving to SHA-1 eventually, though Wikipedia seems to indicate that SHA-1 is considered insecure at this point, too. Apparently moving forward would break existing moodle setups, so they seem to favor convenience over security. My uneducated take on the matter is that a solution implementing a more secure hash would involve dropping moodle, sadly.

    AnteCantelope, Registered User regular
    edited May 2011
    TetraNitroCubane wrote:
    The place I work at uses moodle, which apparently hashes passwords with MD5. Does anyone here have experience with moodle, and know how I'd be able to change that? Is that something we would need to spend money on? Is there any reason why the moodle standard would be an outdated, practically useless encryption?

    Failing that I guess I'm going to have to find the config file to make sure there's a salt, because apparently by default there isn't.

    I'll admit once again that I'm no expert in this particular area. We do have a few folks around that are well versed in the matters of hashing, salting, and cryptography, though. I certainly hope they peek in, and are of more help than I.

    In terms of what I was able to find for moodle, there was an exchange on their forums in 2009 that seems to indicate that they don't plan on moving moodle past MD5.
    Tim Hunt wrote:
    And MD5 is only insecure after someone has got hold of the list of hashed passwords from your database. If the hacker has got that far, you are pretty screwed already.

    Later in the same thread, the dev speculates about maybe moving to SHA-1 eventually, though Wikipedia seems to indicate that SHA-1 is considered insecure at this point, too. Apparently moving forward would break existing moodle setups, so they seem to favor convenience over security. My uneducated take on the matter is that a solution implementing a more secure hash would involve dropping moodle, sadly.

    Alright, thanks. I understand very little about this sort of thing, so it seems odd to me that MD5 would be built right into moodle, but whatever. Setting a very long and complicated salt it is.

    TetraNitroCubane (The Djinnerator), At the bottom of a bottle, Registered User regular
    edited May 2011
    AnteCantelope wrote:
    Alright, thanks. I understand very little about this sort of thing, so it seems odd to me that MD5 would be built right into moodle, but whatever. Setting a very long and complicated salt it is.

    I admit my understanding is limited too. However, despite that, I will say that it seems peculiar to me, too. I'm not sure why MD5 would be used for anything these days. That dev's attitude of "If they grabbed your hashed passwords, you're already screwed" is completely backwards to me. Isn't that exactly why you hash/salt passwords? If you're just going to lay down arms as soon as someone gets into your system, you may as well be storing stuff in cleartext. Passwords get hashed to prevent anyone from causing more damage after compromising a system.

    AnteCantelope, Registered User regular
    edited May 2011
    TetraNitroCubane wrote:
    Alright, thanks. I understand very little about this sort of thing, so it seems odd to me that MD5 would be built right into moodle, but whatever. Setting a very long and complicated salt it is.

    I admit my understanding is limited too. However, despite that, I will say that it seems peculiar to me, too. I'm not sure why MD5 would be used for anything these days. That dev's attitude of "If they grabbed your hashed passwords, you're already screwed" is completely backwards to me. Isn't that exactly why you hash/salt passwords? If you're just going to lay down arms as soon as someone gets into your system, you may as well be storing stuff in cleartext. Passwords get hashed to prevent anyone from causing more damage after compromising a system.

    That's exactly my thinking, especially since I imagine a lot of these people will use the same passwords on different systems.
    Hey, if someone gets access to the hashed passwords, they'd theoretically also have access to moodle's config file, right? Where, in plain text, the salt is stored. So if someone is able to get in there, they'd be able to see the salt right there and then the salt is basically useless.

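    The two posts above (why hashed passwords matter even after a breach, and whether a single salt sitting in config.php is worth anything) can be made concrete. The following is an added example written for this thread, not Moodle's code or anything from its developers: it compares plain MD5, MD5 with one site-wide salt held in a config file, and a per-user random salt with a deliberately slow hash (PBKDF2-HMAC-SHA256 from Python's standard library). The usernames, passwords and the salt value are constructed.

```python
# Added example (not Moodle's code): how unsalted MD5, a single site-wide
# salt kept in a config file, and a per-user salted slow hash behave when
# the hashed password list leaks.  Usernames and passwords are constructed.
import hashlib
import hmac
import os

# Constructed sample: two accounts that happen to share a password.
USERS = {"alice": "Summer2011!", "bob": "Summer2011!"}

# One salt for the whole site, as a config.php-style setting would hold it
# (hypothetical value).  Whoever reads the config file has it too.
SITE_SALT = "a-very-long-and-complicated-site-wide-salt"


def md5_unsalted(password):
    """Plain MD5: identical passwords give identical hashes, so a precomputed
    table of common passwords cracks every matching account at once."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_site_salted(password, site_salt=SITE_SALT):
    """MD5 with one shared salt: a precomputed table no longer applies, but an
    attacker holding the salt builds one fresh table that still covers every
    account, and MD5 remains fast enough to try enormous numbers of guesses."""
    return hashlib.md5((site_salt + password).encode()).hexdigest()


def hash_password(password, salt=None, iterations=100_000):
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (a deliberately slow hash).
    The salt is stored beside the digest in the clear; its job is uniqueness,
    not secrecy, so seeing it does not make the hash useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: " + scheme)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def distinct_hashes(users, scheme):
    """How many different stored values the scheme produces for these users.
    A result of 1 means identical passwords are visible as identical hashes."""
    return len({scheme(password) for password in users.values()})


if __name__ == "__main__":
    for name, scheme in [("unsalted MD5", md5_unsalted),
                         ("site-salted MD5", md5_site_salted),
                         ("per-user PBKDF2", hash_password)]:
        print(f"{name:16s}: {distinct_hashes(USERS, scheme)} distinct hash(es) "
              f"for {len(USERS)} users")
    stored = hash_password(USERS["alice"])
    print("verify correct password:", verify_password(USERS["alice"], stored))
    print("verify wrong password:  ", verify_password("summer2011!", stored))
```

    Running it shows the site-wide salt still produces one identical hash for both accounts, so a cracker with the config file needs only one pass over a wordlist for the whole user table; the per-user scheme produces two different values and is slow per guess by design. The iteration count is a tuning knob (raise it as hardware allows), and a PHP application would reach the same result with PHP's own password_hash() rather than a hand-rolled scheme.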
    AnteCantelope, Registered User regular
    edited May 2011
    OK, it's worse than I thought: moodle stores the root username and password in plaintext in config.php

    I am, apparently, going to have to focus on pre-moodle security.

    Phoenix-D, Registered User regular
    edited May 2011
    That's...hah, why even have a password at that point?

    AnteCantelope, Registered User regular
    edited May 2011
    The computer admin says it's OK because you can't access moodle unless you've already got your username and password, but surely it's possible for some random outsider to access a file on our server, and surely it would be better for security if that file didn't have a password in clear text.

    TetraNitroCubane (The Djinnerator), At the bottom of a bottle, Registered User regular
    edited May 2011
    AnteCantelope wrote:
    The computer admin says it's OK because you can't access moodle unless you've already got your username and password, but surely it's possible for some random outsider to access a file on our server, and surely it would be better for security if that file didn't have a password in clear text.

    Back when I was an admin for a very small webserver (full admission: I should not have been an admin for even a very small webserver), we were hacked in a way I wouldn't have expected. Essentially, there's a very common PHP script called C99Madshell. There's an informative writeup of it on this page.

    Basically, if you allow users to upload files of any kind, or a user finds a way to upload a file through an exploit (our case was an unpatched newsfeed), all they have to do is drop this file on your server in a web-viewable location. Then, they can use their browser to essentially see every file, and the entire directory structure - As well as copying over their own files, and downloading or deleting yours.

    When we discovered this issue, we cut everything off at the border router, and I poked at the C99Madshell script for a while in an isolated environment. Freaking scary how easy it was to drop and use it. Truly a script-kiddie tool, but a powerful one.

    So... Yeah. It is possible for people to get into your directory structure without authorization, and they've designed tools to aid in their ability to do that.

    Peter Principle, Registered User regular
    edited May 2011
    I'm going to have to look into one of these password managers, eventually. They make me slightly uneasy, due to their high-value nature, but sometimes it just gets mindboggling how many passwords I have to keep in my head.

    Synthesis, I unfortunately can't speak toward a reasonable ad-blocker for IE9, as I don't use it. Dark Shroud probably has the info on that, though! Alternatively, there are solutions that are browser-independent, like HOSTS files or Admuncher. I've heard good things about Admuncher, but it isn't free at all.

    Couple of interesting newsbits: TDL3 has evolved into TDL4 - one of the largest and nastiest rootkits (actually bootkits) currently in the wild. TDL4 has been shown to completely bypass all Windows 7 x64-based protections, including circumventing driver signing requirements and allowing the patching of the Windows kernel. There's one writeup here, and another one here.

    The hitman article claims their scanner can detect TDL4. I can't wait to get home and try this out. Have I been rootkit compromised this entire time? OMG, nailbiter!

    Edit: Hitmanpro apparently found a rootkit virus on my computer. It deleted the file (it was a DLL in my C:\Users\[user]\AppData\Local\Temp folder), but now what?

    "A man is likely to mind his own business when it is worth minding. When it is not, he takes his mind off his own meaningless affairs by minding other people's business." - Eric Hoffer, _The True Believer_
    TetraNitroCubane (The Djinnerator), At the bottom of a bottle, Registered User regular
    edited May 2011
    Peter Principle wrote:
    The hitman article claims their scanner can detect TDL4. I can't wait to get home and try this out. Have I been rootkit compromised this entire time? OMG, nailbiter!

    Edit: Hitmanpro apparently found a rootkit virus on my computer. It deleted the file (it was a DLL in my C:\Users\[user]\AppData\Local\Temp folder), but now what?

    Yikes, really? Do you remember anything about the file, or have a log from Hitman? Did anything make you suspect that you were rooted to begin with at all? Also, do you remember which engine it was that uncovered the file? Sometimes Hitman is a bit fussy when it comes to false positives, so when it flags something I like to upload it to VirusTotal. If Prevx is the only thing that pops up, I generally count it as a false positive.

    In this case, I'm not really sure what to recommend as the best course of action. Using a LiveCD to boot into a Linux environment and scan from there might be the best way to determine if any other rootkit hooks are still hanging out. The way most rootkits operate these days, I'd expect that simply deleting a file wouldn't be enough to get rid of it - Which may mean it was a false positive, or may mean it's still hanging out in a different capacity.

    Usually my number one suggestion in case of a rootkit is to nuke from orbit. If there's strong evidence of any kind of rootkit in operation, then reformatting is the only way to be safe. In this case, though, I'm sort of at a loss. My apologies. I suggest you proceed with caution as best you see fit.

    Edit: I'm not seeing much in the way of false positive reports over on Wilders in the Hitman thread, but there are a lot of people talking about the 121 build. I'll keep my ear to the ground on this one, in case anything develops in the thread.

    Peter Principle, Registered User regular
    edited May 2011
    Where would hitman store a log file?

    ETA: here's what the history logs show:

    jjk5tc6f.dll located in

    C:\Users\Joel Robinson\AppData\Local\Temp

    Rootkit

    Wed 4 May 2011 17:47

    Deleted

    It doesn't seem to indicate what engine detected the file.

    There was nothing that suggested to me that my system was compromised, such as scam warnings. What might some more subtle evidence be?

    TetraNitroCubane (The Djinnerator), At the bottom of a bottle, Registered User regular
    edited May 2011
    Peter Principle wrote:
    Where would hitman store a log file?

    Start up Hitman Pro again, then click the settings button in the lower left. From there, you should see a tab on the top row, with one of the options listed as "History".

    Edit response: Judging by the filename and the location, I'm going to say that it's looking more and more like malware. Randomized-name DLL files hiding in temporary folders tend to be bad news. One thing you might try for more 'subtle' verification is this: Reboot your computer. When it restarts, be on the lookout for an error message about that DLL file not being loaded. If that does, in fact, happen, then something in your registry is actively trying to load that weirdo DLL - And you've got some malware on your hands.

    If no errors pop up, scan with Hitman again. Rootkits typically have more than one component in operation, where component A watches B and C, B watches A and C, and C watches A and B. If one of A, B, or C gets knocked out, then the other components replace it. So there's a chance that, if the infection is still active, the dll could be regenerated and Hitman will find it once more after rebooting.

    Going to have to say, though, that it's sounding more and more like a reformat might be your best bet. Or at the very least, a LiveCD or RescueCD second opinion. Sorry for the downer.

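    The triage steps in the post above (a randomly named DLL in the Temp folder, hashing it for a VirusTotal lookup, and the "something is still trying to load that DLL" check) can be scripted. The following is an added example written for this thread; it is not HitmanPro's detection logic or anything from the tools mentioned. It flags DLL filenames that look machine-generated, hashes them so they can be looked up rather than uploaded, and reads a .reg-style export for values under a CurrentVersion\Run key that point at DLLs in the Temp folder. The sample files and registry lines are constructed; the only name taken from the thread is jjk5tc6f.dll from the Hitman history above.

```python
# Added example (not HitmanPro's detection logic): triage of a randomly named
# DLL in a user's Temp folder, following the post above.  It flags DLL names
# that look machine-generated, hashes them for a VirusTotal lookup, and checks
# a registry export for ...\Run values that point at DLLs in that folder.
# All sample files and registry lines are constructed; the filename
# jjk5tc6f.dll is the one from the Hitman history above.
import hashlib
import math
import os
import re
import tempfile
from collections import Counter

# Short stem of letters and digits, e.g. jjk5tc6f.dll
RANDOM_DLL = re.compile(r"^(?P<stem>[a-z0-9]{6,12})\.dll$", re.IGNORECASE)
RUN_KEY = re.compile(r"^\[.*\\CurrentVersion\\Run\]$", re.IGNORECASE)
DLL_IN_VALUE = re.compile(r"([a-z0-9_]+\.dll)", re.IGNORECASE)


def shannon_entropy(text):
    """Bits per character; machine-generated names score higher than words."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_randomized(filename, threshold=2.5):
    """Heuristic: matches the pattern, mixes letters and digits, high entropy.
    Legitimate names such as msvcr100.dll match too, so this picks candidates
    for a hash lookup, not verdicts (the false-positive caveat from the post)."""
    m = RANDOM_DLL.match(filename)
    if not m:
        return False
    stem = m.group("stem").lower()
    return (any(ch.isalpha() for ch in stem) and any(ch.isdigit() for ch in stem)
            and shannon_entropy(stem) >= threshold)


def sha256_file(path):
    """Hash to look the file up on VirusTotal without uploading it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_temp_dir(temp_dir, allowlist=frozenset()):
    """[(filename, sha256)] for DLLs in temp_dir whose names look randomized."""
    hits = []
    for name in sorted(os.listdir(temp_dir)):
        path = os.path.join(temp_dir, name)
        if (os.path.isfile(path) and name.lower() not in allowlist
                and looks_randomized(name)):
            hits.append((name, sha256_file(path)))
    return hits


def autorun_temp_dlls(reg_export, temp_dir):
    """DLL names under temp_dir referenced by values in a ...\\CurrentVersion\\Run
    key of a .reg export.  A hit explains the 'DLL failed to load' error the post
    describes after the file is deleted: something still tries to load it."""
    needle = temp_dir.replace("\\", "\\\\").lower()  # .reg files double backslashes
    referenced, in_run_key = set(), False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run_key = bool(RUN_KEY.match(line))
        elif in_run_key and needle in line.lower():
            referenced.update(m.lower() for m in DLL_IN_VALUE.findall(line))
    return referenced


# Constructed .reg-style export (hypothetical entries, not from the page).
SAMPLE_REG_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="rundll32.exe C:\\Users\\user\\AppData\\Local\\Temp\\jjk5tc6f.dll,Start"
"Example"="C:\\Program Files\\Example\\example.exe"

[HKEY_CURRENT_USER\Software\Example]
"Plugin"="C:\\Users\\user\\AppData\\Local\\Temp\\harmless1.dll"
"""


def make_sample_temp_dir():
    """Create a scratch folder with constructed files standing in for Temp."""
    d = tempfile.mkdtemp()
    for name, content in [("jjk5tc6f.dll", b""),         # the name from the post
                          ("msvcr100.dll", b"runtime"),  # legitimate-looking name
                          ("readme.txt", b"notes")]:
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    return d


if __name__ == "__main__":
    folder = make_sample_temp_dir()
    for name, digest in scan_temp_dir(folder, allowlist={"msvcr100.dll"}):
        print(f"candidate {name}  sha256={digest}")
    print("autorun references:",
          autorun_temp_dlls(SAMPLE_REG_EXPORT, r"C:\Users\user\AppData\Local\Temp"))
```

    A random-looking name on its own is weak evidence (the allowlist exists because runtime libraries with version numbers in their names trip the same heuristic), which is why the hash lookup is the confirming step, as the post says. A DLL that is both flagged and referenced from a Run key is the stronger signal: if the file is deleted but the reference remains, the load error on reboot that the post predicts is exactly what appears.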
    Synthesis (Honda Today!), Registered User regular
    edited May 2011
    Apparently, IE9 has its own adblock-like program--"Tracking Protection". I just have to figure out how to use it.
