[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."
You saw nuthink!
Just kidding. Link should be fixed. Sorry, just a brain-fart on my part.
Splunk pulls together all of your syslogs (and can do WMI events), stores them in a fairly fast database (proprietary) and allows you to search on nearly anything in those logs very quickly. I've got a Cisco Pix 501 and I've turned remote logging on so it's feeding the Splunk db as well as my Win32, Solaris 10, and RHEL machines. Any peculiar events I can look at and drill down on.
A lot of times these days a site will get malicious code injected onto their server, or in a malicious banner ad, then the bot will use their tricks to get it to show up near the top of search engine rankings. I've seen this several times at work with people doing google searches for something innocuous, usually a recent news event, and one of the top links will be a site that brings these "security" scareware popups. After digging around on my PC I found that many times these sites are completely legit but have nothing to do with the search term, they just had their website compromised. Running with AdBlock in Firefox will stop many of them, NoScript should take care of the rest. If you can find contact info for the webmasters of those sites, they usually appreciate getting a heads up, since oftentimes it's not an actual page on their site that is infected, simply a fake page inserted on their server which is only reachable via those bogus search results.
I guess I should clarify. It depends on what you use it for. In general "registry cleaners" "registry boosters" and the like are either malware, crap enough to make things worse, or just don't do anything useful. The best bet is to remove old programs via Add/Remove. Watch the stuff you install. Windows disk cleanup is usually fine for reclaiming space.
Absolutely correct. This is one that's quickly on the rise, and is probably the leading vector for malware today. Either iFrame injections into trusted sites, or more often exploits hidden in rotating banner ads, are being used more and more to deliver the payload these days. The days of getting malware through email are down. Now it's being served up on your trusted sites. Our servers where I work just got hit with tiny injection scripts to do this, and it was a horror to clean up.
Usually, as Tofystedeth pointed out, these things are fake security popups. They run in javascript (not java) and mimic your OS (sometimes dynamically!) to convince you they're performing a scan. The trick is, sometimes that's enough to hit you hard. The latest wave of PDF exploits that Adobe took a month to patch were delivered in this way - If you were running the vulnerable software and one of these things hit, that was it, infected. Most of the time the javascript window is just a ruse to lure you into downloading the payload. The trick is, clicking anywhere delivers it, so the red 'X' in the upper left and the 'No' or 'Cancel' button will initiate download and try to find other holes for execution. If you ever see one of these fake windows, call up task manager and kill your browser immediately. Then do a MBAM scan to sweep out the cache, to be safe.
Javascript whitelisting and ad blocking (whatever your method and browser of choice) are the best lines of defense against these attacks. Even if a trusted site gets hacked, or an injection attack works, usually all you'll find is a redirection link that points you toward a malicious domain. If that domain doesn't have javascript enabled, the attack has no teeth. At least, until the bastards find out some other way to make our lives miserable.
Edit: Ah here it is.
The malicious code only executes if GIS is the referer.
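The posts above describe the usual shape of a compromised "trusted" site: a tiny or hidden iframe, or a script tag pulling from an off-site host, that only redirects the visitor toward the real malicious domain. The following is an added example for site owners, not code from anyone in this thread. It uses only the Python standard library to scan a page's HTML for those injection patterns, given the site's own hostname (`site_host` is an assumed parameter; the sample page and the `bad.example` host are constructed). Because, as the post right above notes, injected code is often served only for particular referers, the HTML handed to this scanner should be fetched the same way a search-engine visitor would arrive, with the search engine as the referer.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments that make an iframe invisible to the visitor
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d", re.I
)


def _tiny(value):
    """True for the 0-2 pixel dimensions injected iframes usually carry."""
    try:
        return int(str(value).strip().rstrip("px")) <= 2
    except ValueError:
        return False


def _host(url):
    return (urlparse(url).hostname or "").lower()


class InjectionScanner(HTMLParser):
    """Collects (tag, src, reasons) for markup that looks like an injection."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            reasons = []
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("tiny")
            if HIDDEN_STYLE.search(a.get("style", "")):
                reasons.append("hidden")
            h = _host(src)
            if h and h != self.site_host:
                reasons.append("off-site")
            if reasons:
                self.findings.append(("iframe", src, reasons))
        elif tag == "script":
            src = a.get("src", "")
            h = _host(src)
            if h and h != self.site_host:
                self.findings.append(("script", src, ["off-site"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # <meta http-equiv="refresh" content="0;url=http://..."> redirects
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.I)
            if m and _host(m.group(1)) not in ("", self.site_host):
                self.findings.append(("meta-refresh", m.group(1), ["off-site"]))


def scan(html, site_host):
    """Return the list of suspicious elements found in `html`."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: a legitimate local script plus two injected elements.
SAMPLE_PAGE = """<html><body>
<script src="/js/site.js"></script>
<h1>Local News</h1>
<iframe src="http://bad.example/x" width="1" height="1" style="display:none"></iframe>
<script src="http://bad.example/redirect.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, src, reasons in scan(SAMPLE_PAGE, "news.example"):
        print(f"{kind:12s} {src:35s} {', '.join(reasons)}")
```

Off-site scripts are a review cue rather than proof of compromise (ad networks and CDNs are off-site too), so the useful workflow is to diff the findings against a known-good baseline of the site and investigate anything new.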
I keep all my shit locked down at home and at work, but since nothing I've used out there includes functionality for deciding who can and can't change the settings, I end up just letting other users' machines slide and give them a disclaimer about keeping anything vital on their system. When one gets screwed up, I just re-load the image and go on.
This is a problem with our Win2k3 Terminal Server though. Even with locked down user accounts and policies I have things that manage to get installed or infected regardless, and am running scans and uninstalls weekly to keep it clean.
Didn't know about DropMyRights, though. Hoping that will clear up some of it.
PSN: Beltaine-77 | Steam: beltane77 | Battle.net BadHaggis#1433
I swear, between adword poisoning, blackhat search engine optimization, and now this, Google is quickly becoming a primary vector for malware. Though in this case, it's certainly not Google's fault at all.
You said you're running with locked down user accounts and policies. If you have limited user accounts already in place, have you tried implementing SRP (Software Restriction Policy)? Combined with limited user accounts it's supposed to be pretty potent. There's a good article on it here, and Microsoft has an article about setting it up on Win2k3 here. People over at Wilders swear by this implementation, above and beyond any kind of protective anti-malware or anti-virus software.
Next time I rebuild a machine, I think I'll try to implement SRP. But for personal/gaming use it feels like such a hassle, particularly with patches and updates.
Why not make a good system image and lock the registry?
Also testing MSE on our netbooks. We have Vexira antivirus because it is/was cheap but it really dogs the little netbooks we use for student labs.
Have also been wanting to buy a corp license for MBAM, but the doofuses won't return my calls/emails.
PSN: Beltaine-77 | Steam: beltane77 | Battle.net BadHaggis#1433
My condolences. Unfortunately, at this point, Ripley's advice might be the best course of action: Nuke it from orbit - Reformat, reinstall. It can be a pain, but on the bright side, you'll have that fresh computer feeling!
I'm going to a LAN party next month with some friends. Personally I've never been to one or had my personal computer hooked into a LAN network.
Is there anything I should do security wise to protect myself while I'm connected to hundreds of other computers? Is there even a risk that comes with being connected like this?
My computer is running AVG and (I think) has the default firewall disabled and no other firewall on the computer
Dissects a little bit how SQL injection makes good sites go bad.
Thanks for the link, certainly. A good, and terrifying, read. It really drives the point home that there's no such thing as a safe website anymore.
Just because I'm dense: Does anyone know how these droppers work, at least to the point where you can prevent them? Let's say a trusted website you visit - one that needs javascript active to function correctly - has been compromised to serve up malware. Is it usually just a redirect script on the compromised website that points you toward another server, or is the payload actually distributed from the original landing point at the compromised website? Virtualized browsing sounds better and better these days.
Ick. From what I can see on various sites that have any information about WinNT/Rustock.gen!B, it looks like this piece of garbage drops a kernel-level driver. Even if you remove the immediate threat, there's no way to clean this with any certainty without starting fresh.
Reformatting and reinstalling your OS would be an excellent idea. Ninite will make your life easier in this. Make sure to scan your backups and disable autorun before you restore your data.
edit: also I haven't typed in any passwords or anything since I've installed what I think would've given me the keylogger, so I'm not worried; I just want secure knowledge whether I have it or not and which applications to use for that sort of definitive answer.
True, but that specific file listed above (the rudely named scvhost.exe in a Temp directory) is very likely not the heart of the matter. From what I found by Googling the threat name, it sounds like a kernel-level driver with rootkit-like behavior. The issue is likely to replicate itself over and over, because the true infection is hidden in a place most scanners won't be able to touch / see. I could be wrong about this, though! I'm no expert, it's just my opinion.
Don't feel it rude at all - It's what the thread is here for!
A MBAM scan and a MSE scan (both full) are good places to start. In my experience there are certainly a number of things that you can do to get a second opinion on the matter (as far as other scanners), but it all depends on your level of paranoia. Unfortunately it's hard to prove a negative - The sad thing is that a clean result doesn't promise a clean system. Do you mind my asking what leads you to surmise you have a keylogger, though?
Give this free trial a try. http://www.pctools.com/spyware-doctor-antivirus/
Ah, well a file I hastily downloaded from a dev that I trusted and ran was in about 10 minutes reported for having a keylogger by someone else whose email started sending out spam emails -- however both scans came back clean. I think the other user had some sort of other problem and cried wolf, and at this point I'm not too paranoid as no one else using this build of the software has said they had a keylogger or virus of any kind for that matter, and others have been posting clean scans from various virus and malware suites and websites. Seems like I'm in the clear at this point, so no more panic.
edit: Nail in the coffin: user who reported keylogger reported a different md5 hash than the one the dev distributed. Confusing as to how that happened for that user, but my md5 matches up with the dev, so I'm good.
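The "nail in the coffin" above is exactly the check worth automating: compare the digest of the file you actually ran against the digest the developer published. This is an added example, not code from the poster or the developer; it hashes a file in chunks (so large downloads need not fit in memory) and compares digests with `hmac.compare_digest`. The sample file bytes and the "published" hash are constructed inside the demo. MD5 is what the thread's developer published, so it is the default here, but the same function verifies a SHA-256 hash when one is available, and SHA-256 is the better choice since MD5 collisions are practical.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="md5", chunk_size=1 << 16):
    """Hex digest of a file, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published, algorithm="md5"):
    """True only if the file's digest exactly matches the published one.

    compare_digest is constant-time; not strictly needed for a local file
    check, but it avoids accidentally writing a sloppy comparison later.
    """
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual.lower(), published.strip().lower())


def demo():
    """Constructed sample: a 'developer' build and a tampered copy of it."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "tool.exe")
        with open(good, "wb") as f:
            f.write(b"MZ\x90\x00 harmless sample bytes\n")
        # the hash the developer would publish alongside the download
        published_md5 = file_digest(good, "md5")
        published_sha256 = file_digest(good, "sha256")

        tampered = os.path.join(d, "tool_tampered.exe")
        with open(tampered, "wb") as f:
            f.write(b"MZ\x90\x00 harmless sample bytes\n" + b"extra payload")

        return (
            verify_download(good, published_md5),
            verify_download(tampered, published_md5),
            verify_download(good, published_sha256, "sha256"),
            verify_download(tampered, published_sha256, "sha256"),
        )


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

A mismatch tells you the bytes differ from what the developer shipped; it does not tell you which copy is the bad one, so the published hash itself should come from a channel you trust (the developer's own page over HTTPS, not the same download mirror).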
This.
SQL Injection is something that's pretty well documented and good developers are aware of it- the problem comes from rushed jobs or code that doesn't have any kind of cleaning or checks.
Quick note: A recent trend in the social engineering vector has been to target forums of all kinds recently. Wilders has been cropping up with reports on this. Basically, someone will compromise an Admin account on the forums, and then use that account to start sending PMs to all users on the forum warning them that their computers are 'infected'. Of course, the helpful message also includes a link to a scanner - which is unsurprisingly the real infection. Nothing terribly new at the core, here, but it seems that the social engineering aspect of these attacks is trending more and more toward finding 'trusted' people to hijack/impersonate so as to lure in victims. I guess people are learning not to trust unsolicited messages these days.
Also, malware authors have recently used the Virustotal name in their obfuscating approach to distributing scareware. Sophos wrote a decent article about it here.
A valuable lesson learned from the story of little Bobby Tables.
I work as a DBA and that comic got printed out a couple of months ago and sits upon my monitor. Generally I consider xkcd to be very hit and miss, that one was a definite hit though.
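Since the two posts above (the one on rushed code without checks, and the Bobby Tables comic) both come down to the same mistake, here is one added example that shows it in working code; it is not from either poster. It builds a throwaway in-memory SQLite database with constructed data, then runs the classic Bobby Tables name and a `' --` login bypass through a string-concatenated query and through a parameterized one. Note that `sqlite3`'s `execute()` refuses stacked statements, so the vulnerable insert uses `executescript()` to stand in for database drivers that do allow them; the parameterized versions need no such care because the input is bound as a value and never parsed as SQL.

```python
import sqlite3


def setup():
    """Fresh in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE students (name TEXT);
        INSERT INTO students VALUES ('Alice'), ('Bob');
        CREATE TABLE logins (user TEXT, pw TEXT);
        INSERT INTO logins VALUES ('admin', 'hunter2');
    """)
    return conn


def add_student_vulnerable(conn, name):
    """Input is pasted into the SQL text, so it can end the statement."""
    conn.executescript("INSERT INTO students VALUES ('%s');" % name)


def add_student_safe(conn, name):
    """Input is bound as a parameter; quotes and semicolons are just data."""
    conn.execute("INSERT INTO students VALUES (?)", (name,))


def login_vulnerable(conn, user, pw):
    sql = "SELECT 1 FROM logins WHERE user = '%s' AND pw = '%s'" % (user, pw)
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, user, pw):
    sql = "SELECT 1 FROM logins WHERE user = ? AND pw = ?"
    return conn.execute(sql, (user, pw)).fetchone() is not None


def table_exists(conn, table):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def demo():
    """Returns (table dropped?, table kept?, bobby stored literally?,
    login bypassed?, bypass blocked?)."""
    bobby = "Robert'); DROP TABLE students;--"

    conn = setup()
    add_student_vulnerable(conn, bobby)
    dropped = not table_exists(conn, "students")

    conn = setup()
    add_student_safe(conn, bobby)
    kept = table_exists(conn, "students")
    names = [r[0] for r in conn.execute("SELECT name FROM students")]

    # comment marker turns the password check into dead text
    bypassed = login_vulnerable(conn, "admin' --", "wrong")
    blocked = not login_safe(conn, "admin' --", "wrong")
    return dropped, kept, bobby in names, bypassed, blocked


if __name__ == "__main__":
    print(demo())  # (True, True, True, True, True)
```

The fix is not "cleaning" the input with escaping rules of your own; it is keeping SQL text and user data in separate channels, which every mainstream driver supports through placeholders like the `?` above.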
To be fair, this one is pretty lame. It only impacts 2000, XP, and 2k3 server, so Vista and 7 are safe. That being said, this line of attack requires the user to push F1 to access Windows Help in order to deliver payload. Seems very specific, but Microsoft has said that they are "concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk." Which may indicate that this is in the wild.
Edit: This threat also seems to be IE specific. ("The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer")
With the release of 10.5 less than a week ago, Secunia have already found a highly critical vulnerability in the browser. There's no mitigation known, so if you're using Opera chances are you want to be highly careful. This may impact earlier versions as well.
Also, if you've upgraded to 10.5, note that Opera's keeping ports open on your computer for the silliest, goose-iest of reasons. In 10.1 the Opera Unite webserver options still 'listened' and 'broadcasted' despite turning them off in the GUI. In order to terminate those features, you had to use the opera:config menu and drill down to find the webserver options. In 10.5, it's not possible to close the UDP ports that Opera opens for this purpose. You can find out more here.
Late Edit: Holy shit, but the Opera forums are a seething cesspool of nasty fanboys. Not only has Opera at this point denied that the buffer overrun is a security problem, but members of their forums are outright belligerent toward anyone suggesting this security issue is critical.
The new Microsoft security advisory explains it better than I can. Bottom line: Don't use IE 6 or IE 7. There's really no reason to anymore - And if there is, there's something wrong with the websites you're relying upon.
Update: I don't know if anyone's been following the Opera vulnerability debacle, but it's taken an interesting turn. After 10.5 was released, someone disclosed the buffer overrun described above. Opera's official response to the community was "This isn't a security issue - it only causes a crash". Secunia posted the issue as a vulnerability anyway, which prompted Opera to request additional information. Afterward, Secunia elaborated with this statement, basically saying "No, really, you guys have a buffer overrun that can cause remote code execution". Opera devs respond accordingly by saying it will be handled in due time.
Instinctively, I closed the original popup, but I did check MSE, which had the notification. I'd never seen this upgrade screen before, so it's surprising.
They had previously contacted Secunia after the advisory was released with their position that it wasn't a security vulnerability, and as per the linked article asked Secunia to either a) revise it, or b) "provide them with additional information." Secunia chose the second option, and the Opera devs changed their position on the matter.
Ok. I revised my statement to reflect this.
I haven't been able to access Windows Update for a few months without using TOR. Should I be worried that a malicious man in the middle might be poisoning my downloads? I know the possibility exists, but WU should have checksums and such to verify updates, right?