Efficient WEB protection - which program?

DK

I am looking for a program that does real time browsing protection
very well. I don't necessarily need a "comprehensive solution" that
covers everything and a kitchen sink - just browsing.

So far I tried, as recommended by friends, Kaspersky, AVAST and
AVIRA. None can truly handle a good but pretty straightforward
attack. Take, for example, this site (WARNING: clearly bad and
efficient malware!):

gradient-header.ru/gamma/index.php

All of the programs warn about the site containing malware, yet
before I could even do anything, the virus starts and opens all
kinds of stupid windows and none of the above programs is able
to effectively handle it once it gets going. (Other than pretending
to be a virus scanner, I am not sure what it does - I just shut off
Windows and restore disk image that I made before visiting
this "test" site - it does propagate quickly, making numerous copies).

If you know of a program that can 100% solidly detect and prevent
the execution of the malware from the above site, please indicate
what the program is. Freeware would be ideal but I am perfectly
willing to buy if it works well.

Thanks,

Dima

P.S. I got the address above from
http://www.malwaredomainlist.com/mdl.php
Great for testing purposes as it points to many different exploits.
 
FromTheRafters

Li'l Abner said:
(e-mail address removed) (DK) wrote in email.me:


Since your posted URL sounds almost guaranteed to infect my computer, I
have decided against testing it. I do have daily disk images but I prefer
not to have to spend the half hour or so it takes to restore.

Redirected to obfuscated Javascript which leads to shellcode and
exploits for Java, Flash, and Adobe Reader - has that popular version
checking routine also. My guess is Blackhole again.

[...]
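The loader stage described above (obfuscated JavaScript that assembles the next stage from char codes and percent-escapes and hands it to eval) is the part an analyst usually wants to read without running it. As an added example for this page, not code from the poster or from the kit, here is a static unfolder in Python that rewrites String.fromCharCode(...), unescape("...") and "a" + "b" into plain literals and strips eval() around a literal. The sample it decodes is constructed and benign; it resolves to a document.write() of a 1x1 iframe pointing at example.com.

```python
"""Static unfolding of common JavaScript string-obfuscation wrappers.

Added example, not code from the thread or from the exploit kit. Nothing is
executed: the unfolder rewrites string-building expressions into literals
and removes eval() around a literal so the payload becomes readable.
"""
import re
from urllib.parse import unquote

# Constructed, benign sample standing in for the loader described in the
# post: char codes and percent-escapes assembled into a string for eval().
SAMPLE = (
    'eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39)'
    ' + "<iframe src=" + unescape("%68%74%74%70%3a%2f%2f%65%78%61%6d%70%6c%65%2e%63%6f%6d")'
    ' + "/gamma/index.php width=1 height=1></iframe>" + String.fromCharCode(39,41,59));'
)

_FROMCHARCODE = re.compile(r'String\.fromCharCode\(\s*([\d\s,]+?)\s*\)')
_UNESCAPE = re.compile(r'unescape\(\s*"((?:%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2}|[^"%\\])*)"\s*\)')
_CONCAT = re.compile(r'"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"')
_EVAL = re.compile(r'eval\(\s*"((?:[^"\\]|\\.)*)"\s*\)\s*;?')


def js_literal(text):
    """Render text as a double-quoted JS string literal."""
    return '"' + text.replace('\\', '\\\\').replace('"', '\\"') + '"'


def literal_body(body):
    """Undo the backslash escapes inside a double-quoted literal body."""
    return re.sub(r'\\(.)', r'\1', body)


def js_unescape(text):
    """JavaScript unescape(): %uXXXX and %XX sequences to characters."""
    text = re.sub(r'%u([0-9A-Fa-f]{4})', lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text)


def fold_fromcharcode(js):
    """Replace String.fromCharCode(n, n, ...) with the literal it builds."""
    # fromCharCode keeps only the low 16 bits of each code, as JS does
    return _FROMCHARCODE.sub(
        lambda m: js_literal(''.join(chr(int(n) & 0xFFFF)
                                     for n in m.group(1).split(',') if n.strip())), js)


def fold_unescape(js):
    """Replace unescape("%XX...") with the literal it decodes to."""
    return _UNESCAPE.sub(lambda m: js_literal(js_unescape(m.group(1))), js)


def fold_concat(js):
    """Merge adjacent "a" + "b" literals until no pair remains."""
    previous = None
    while previous != js:
        previous = js
        js = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', js)
    return js


def unwrap_eval(js):
    """Replace eval("code") with code so the next stage becomes visible."""
    return _EVAL.sub(lambda m: literal_body(m.group(1)), js)


def deobfuscate(js, max_rounds=10):
    """Apply the rewrites to a fixed point; multi-layer loaders need several rounds."""
    for _ in range(max_rounds):
        unfolded = unwrap_eval(fold_concat(fold_unescape(fold_fromcharcode(js))))
        if unfolded == js:
            break
        js = unfolded
    return js


_URL = re.compile(r'https?://[^\s"\'<>]+')


def extract_urls(js):
    """URLs visible after unfolding, for blocklisting or further analysis."""
    return sorted(set(_URL.findall(deobfuscate(js))))


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(extract_urls(SAMPLE))
```

This handles only the textbook wrappers. Loaders that compute char codes arithmetically, pass strings through variables, or derive a decoding key from the page itself need a sandboxed JavaScript interpreter rather than regex rewriting, and the unfolded output is still hostile content: read it, never paste it into a browser console.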
 
FromTheRafters

DK said:
I am looking for a program that does real time browsing protection
very well. I don't necessarily need a "comprehensive solution" that
covers everything and a kitchen sink - just browsing.

So far I tried, as recommended by friends, Kaspersky, AVAST and
AVIRA. None can truly handle a good but pretty straightforward
attack. Take, for example, this site (WARNING: clearly bad and
efficient malware!):

gradient-header.ru/gamma/index.php

All of the programs warn about the site containing malware, yet
before I could even do anything, the virus starts and opens all
kinds of stupid windows and none of the above programs is able
to effectively handle it once it gets going. (Other than pretending
to be a virus scanner, I am not sure what it does - I just shut off
Windows and restore disk image that I made before visiting
this "test" site - it does propagate quickly, making numerous copies).

If you know of a program that can 100% solidly detect and prevent
the execution of the malware from the above site, please indicate
what the program is. Freeware would be ideal but I am perfectly
willing to buy if it works well.

Thanks,

Dima

P.S. I got the address above from
http://www.malwaredomainlist.com/mdl.php
Great for testing purposes as it points to many different exploits.
NoScript could help you to avoid the vector (it uses Javascript).
 
David H. Lipman

FromTheRafters said:
Li'l Abner said:
(e-mail address removed) (DK) wrote in email.me:


Since your posted URL sounds almost guaranteed to infect my computer, I
have decided against testing it. I do have daily disk images but I prefer
not to have to spend the half hour or so it takes to restore.

Redirected to obfuscated Javascript which leads to shellcode and exploits for Java,
Flash, and Adobe Reader - has that popular version checking routine also. My guess is
Blackhole again.

[...]

Yes. It was a Blackhole Exploit Kit exploiting CVE-2010-0840 and there was no virus.

Efficient ?
What a strange word to apply to both the malware and an application.

Malware being "effective" and anti malware "proficient" may be more descriptive terms.
 
FromTheRafters

David said:
FromTheRafters said:
Li'l Abner said:
(e-mail address removed) (DK) wrote in email.me:

I am looking for a program that does real time browsing protection
very well. I don't necessarily need a "comprehensive solution" that
covers everything and a kitchen sink - just browsing.

So far I tried, as recommended by friends, Kaspersky, AVAST and
AVIRA. None can truly handle a good but pretty straightforward
attack. Take, for example, this site (WARNING: clearly bad and
efficient malware!):

hxxp://gradient-header.ru/gamma/index.php

All of the programs warn about the site containing malware, yet
before I could even do anything, the virus starts and opens all
kinds of stupid windows and none of the above programs is able
to effectively handle it once it gets going. (Other than pretending
to be a virus scanner, I am not sure what it does - I just shut off
Windows and restore disk image that I made before visiting
this "test" site - it does propagate quickly, making numerous copies).

If you know of a program that can 100% solidly detect and prevent
the execution of the malware from the above site, please indicate
what the program is. Freeware would be ideal but I am perfectly
willing to buy if it works well.

Thanks,

Dima

P.S. I got the address above from
http://www.malwaredomainlist.com/mdl.php
Great for testing purposes as it points to many different exploits.

Since your posted URL sounds almost guaranteed to infect my computer, I
have decided against testing it. I do have daily disk images but I prefer
not to have to spend the half hour or so it takes to restore.

Redirected to obfuscated Javascript which leads to shellcode and exploits for Java,
Flash, and Adobe Reader - has that popular version checking routine also. My guess is
Blackhole again.

[...]

Yes. It was a Blackhole Exploit Kit exploiting CVE-2010-0840 and there was no virus. :)
Efficient ?
What a strange word to apply to both the malware and an application.

Malware being "effective" and anti malware "proficient" may be more descriptive terms.
I am familiar with the usage of 'efficient' in the manner of the OP. I
think 'effective' is what is meant because the OP can have no idea of
the computing cost of producing those results.
 
DK

Yes, a fake AV scan executable is downloaded and run. That means one
of the exploits worked, which means you don't have the latest patches
or updates for something in the above list.

Okay, so I will have to go through all of the updates. Fine. But that
will only solve the problem until the next exploit in the next program.
And constant updates of every program on the computer eventually
bring about tons of incompatibilities/bugs that are very hard to diagnose.

So the real question is how come three leading software solutions,
all with "webguard" equivalents turned on, fail to intercept such
an attack??? And, going back to my original question, what software
succeeds in doing so?

Mentioned so far are Malwarebytes and NoScript. I used to have
NS installed but found it cumbersome to manage. I will try it again.
Question: will a very long white list in NoScript slow down browsing
considerably? It's going to be very long because just about every
site out there is using all these scripts for all kinds of reasons.

Dima
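On the question of whether a very long whitelist slows browsing: as an added example (not NoScript's own code, and not from the poster), here is the generic way a script whitelist, or a domain blocklist built from a feed like the one linked earlier in the thread, is matched so that lookup cost depends on the number of labels in the host, not on the number of entries. The list contents and the two accepted line formats (hosts-file style, and defanged hxxp:// URLs) are constructed for illustration.

```python
"""Host allow/deny matching whose lookup cost does not grow with list size.

Added example for the whitelist-length question; a generic approach, not
NoScript's implementation, with constructed list contents. A host is matched
by trying its suffixes from the full name down to the top-level label, so a
host with k labels costs k set lookups whatever the list size.
"""
from urllib.parse import urlsplit


def refang(url):
    """Undo common defanging so the URL can be parsed: hxxp -> http, [.] -> ."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def host_of(url):
    """Lower-cased host of a (possibly defanged, possibly scheme-less) URL, or None."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    try:
        host = urlsplit(url).hostname
    except ValueError:          # malformed authority, e.g. a broken IPv6 literal
        return None
    return host.lower() if host else None


class DomainSet:
    """Domains where each entry matches itself and all of its subdomains."""

    def __init__(self, entries=()):
        self._domains = set()
        for entry in entries:
            self.add(entry)

    def add(self, domain):
        self._domains.add(domain.lower().strip("."))

    def match(self, host):
        """Return the entry covering host, or None; costs len(labels) set probes."""
        labels = host.lower().strip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self._domains:
                return candidate
        return None

    def __len__(self):
        return len(self._domains)


def parse_blocklist(lines):
    """Yield hosts from hosts-file style or defanged-URL lines, skipping comments."""
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("127.0.0.1", "0.0.0.0"):
            yield parts[1].lower()
        else:
            host = host_of(parts[0])
            if host:
                yield host


def policy(url, allow, deny):
    """'block' for denied hosts, 'scripts' for whitelisted ones, else 'no-scripts'.

    Deny is checked first so a blocklisted subdomain of a whitelisted site
    still loses.
    """
    host = host_of(url)
    if host is None or deny.match(host):
        return "block"
    if allow.match(host):
        return "scripts"
    return "no-scripts"


# Constructed sample lists (not a real feed)
BLOCKLIST_LINES = [
    "# constructed sample",
    "127.0.0.1  bad.example",
    "hxxp://bad2.example/gamma/index.php",
    "0.0.0.0 evil.example.org   # a subdomain of an otherwise allowed site",
]
ALLOW = DomainSet(["example.com", "example.org"])
DENY = DomainSet(parse_blocklist(BLOCKLIST_LINES))

if __name__ == "__main__":
    for url in ("http://cdn.example.com/a.js", "http://www.example.net/",
                "hxxp://bad.example/gamma/index.php", "http://evil.example.org/"):
        print(url, "->", policy(url, ALLOW, DENY))
```

Two caveats a practitioner would want: a bare top-level entry such as "com" would match every host under it, so entries should be registrable domains; and suffix matching means whitelisting example.com also allows scripts from every subdomain of it, which is why the deny list is consulted first here.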
 
DK

Exploitation mitigation through software updates and patches is your best
bet against exploitation ingress of malicious code.

You can not rely on software to protect you through some kind of "webguard".

I would have thought that if they actually worked as advertised then why
not? Definitely a better first line defence than worrying about every program
on the computer. (These days it's almost impossible to find a program
that would not want to access Internet). Well, it's NoScript for me for now.

Thanks! I knew I saw this page but couldn't remember it.

On a completely unrelated note, David:

Is it possible to get rid of the hard-coded C:\AV-CLS path
in multi_AV? Would it still work if I just search and replace
the string with my own path in every *.bat and *.kix file?

Dima
 
kurt wismer

On Jan 15, 12:09 am, (e-mail address removed) (DK) wrote:
[snip]
If you know of a program that can 100% solidly detect and prevent
the execution of the malware from the above site, please indicate
what the program is. Freeware would be ideal but I am perfectly
willing to buy if it works well.

detect and prevent? i think fundamentally you're going about this in
the wrong way.

a) it's a pretty well established concept that you shouldn't run code
from unknown/untrusted sources. unfortunately browsers are designed to
automatically run code on web pages as you browse to them. others in
this thread have suggested noscript and i will echo that suggestion.
it is one of the only ways to stop your browser from being the
equivalent of a happy-clicker.

b) no matter what detector you use, there will always be something it
doesn't detect - many somethings these days, as malware profiteers
have taken to performing malware quality assurance (whereby they test
their creations against detectors before using them to make sure they
aren't detected). you should absolutely have a plan in place for when
something gets through that kind of defense, and my suggestion would
be that all internet facing apps (and all apps opening content sourced
from the internet) run inside some kind of sandbox. there are many
different kinds with different properties, you should find the one
that suits your needs best. some internet facing apps have even gone
so far as to have sandboxing built in (like the latest version of
adobe reader).
Okay, so I will have to go through all of the updates. Fine. But that
will only solve the problem until the next exploit in the next program.
And constant updates of every program on the computer eventually
bring about tons of incompatibilities/bugs that are very hard to diagnose.

the fact that those programs need to be patched at all means they
already have bugs. you're basically saying that you'd rather trust the
old well known bugs that are actively being exploited by criminals
over possible new bugs that may or may not be introduced. this is one
situation where "the devil you know" is *not* preferable.

as for patches only solving things until the next exploit, see my b)
paragraph above. a sandbox can help. it's still best to remove the
vulnerability as soon as possible, though, or maybe even remove that
part of your attack surface. for example, people should really
consider dumping java if they don't need it because it's so frequently
exploited.
 
Virus Guy

DK said:
I am looking for a program that does real time browsing protection
very well.

Windows 98se, fortified with KernelEx.

Then watch a lot of malware just bounce off it and die as they thrash
around looking for NT exploits.
 
DK

Yes. It was a Blackhole Exploit Kit exploiting CVE-2010-0840 and there was no
virus.

I guess it depends on one's definition of "virus" but under my definition it was
definitely a virus: it created several instances of a file with names [rubbish]exey,
each of which was trying to access Internet (firewall blocked them).

Dima
 
Virus Guy

DK said:
Yes. It was a Blackhole Exploit Kit exploiting CVE-2010-0840
and there was no virus.

I guess it depends on one's definition of "virus" but under my
definition it was definitely a virus: it created several instances
of a file with names [rubbish]exey, each of which was trying to
access Internet (firewall blocked them).

These exploits ARE viral in nature.

The broader concept of a virus is external code that takes control of a
system in order to put the system to its own use, to re-configure the
system to allow for future exploitability, or leverage the resources of
the system. That concept works equally well if we're talking about a
biological system or computer system.
it created several instances of a file with names [rubbish]exey,
each of which was trying to access Internet (firewall blocked them).

Yes, I encountered another spam on Friday that had a link pointing to a
black hole exploit server.

The "exe" that was delivered had a slightly different characteristic
than the previous ones: The file did not end with ".exe" but with
"(numbers).exey" - or perhaps just "(numbers)exey".

When submitted to Virus Total, the exe had only 1 or 2 positive
detections.

BTW, when did VT change the look and feel of their website?
I notice they no longer allow for anonymous comments. Was that
being abused?

And on my Win-98 system, the file either did not execute (because I
replaced my regsvr32.exe with another program with the same name that
logs regsvr32 attempts) or it did not execute because it was expecting
to find itself running on the more vulnerable NT-based windoze
platform. Instead - it crashed and burned on my win-98 system.
 
kurt wismer

These exploits ARE viral in nature.

The broader concept of a virus is external code that takes control of a
system in order to put the system to its own use, to re-configure the
system to allow for future exploitability, or leverage the resources of
the system.  That concept works equally well if we're talking about a
biological system or computer system.

someone with the name "virus guy" really ought to have a better handle
on the definition of virus.

a virus is a self-replicating program. if your definition doesn't
include "self-replicating program" then you're doing it wrong.

the malware in question is not a virus. it is not OK to call it a
virus just because someone's malware lexicon may be too small to
include what it actually is. it is fundamentally non-viral malware.
from what has been discussed in this thread it is an exploit kit that
installs scareware on the victim machine. if someone dealing with this
thing doesn't have those terms in their lexicon then they need to
learn them. calling all malware "virus" is about as useful as calling
all gadgets "dohickies".

don't pander to ignorance. educate and empower.
 
DK

a virus is a self-replicating program. if your definition doesn't
include "self-replicating program" then you're doing it wrong.

Google "replication-deficient virus".

No definition is ever precise and absolute and splitting hairs
about definitions serves no useful goal.

The end user cares about *infection* not the definition
of the infectious agent.
 
Bear

Google "replication-deficient virus".

No definition is ever precise and absolute and splitting hairs
about definitions serves no useful goal.

The end user cares about *infection* not the definition
of the infectious agent.
I agree...though those in the technical environment do care...obvious
huh! Most people say their computer is "infected with a virus"
regardless of what it is. At the least it is "infected."
 
kurt wismer

Google "replication-deficient virus".

in the world of computer viruses that would be known as an intended
virus.
No definition is ever precise and absolute and splitting hairs
about definitions serves no useful goal.

the term "computer virus" was formally/mathematically defined in the
early to mid 80's. it is precise.
The end user cares about *infection* not the definition
of the infectious agent.

non-viruses do not infect. that is just another sloppy terminology
misuse that many people fall into.

what you're trying to suggest, i think, is that end users care about
the fact that their system has been compromised, not about what did
the compromising. however, since different types of malware have
different properties and capabilities, recovering from a compromise
requires the knowledge end users supposedly don't care about.

even restoring from a clean drive image doesn't take care of
everything. some require you to change passwords for online services,
get a new credit card number, etc.
 
Bear

From: "DK" <[email protected]>

| In article <[email protected]>, kurt wismer

|
| Google "replication-deficient virus".
|
| No definition is ever precise and absolute and splitting hairs
| about definitions serves no useful goal.
|
| The end user cares about *infection* not the definition
| of the infectious agent.
|

The difference is effect and eradication as dealing with a virus needs
more attention and detail than a trojan. For example media that may
have been used during the infection that now needs to be scanned and
cleaned or a reinfection is a probable outcome.

So defining the infector is important in respects to dealing with the
infection.
Ya but ya gotta agree that is for the technically empowered folks who
have the ability to de-code eh, which most people are not. Most people
will try a few scanners or the such and yell for help...that is unless
they have a clean image, then they won't need help.
 
kurt wismer

On Jan 15, 6:11 pm, "David H. Lipman" <[email protected]>
wrote:
[snip]
Trojans can and do infect.
A trojan will infect the computing system.

infection is a viral concept. suggesting that non-viral malware
"infects" breeds confusion over the distinction between viral and non-
viral malware. an infectious agent is one that a person intuitively
knows can spread, but since non-viral malware does not spread it
should not be confused for an infectious agent.
A trojan that prepends, appends or cavity injects code into a legitimate
file becomes an infected file.  The difference is that the now trojanized
file is unable to autonomously spread the infection to another file or
system.  If it did, then it would be deemed a virus.

is the file an "infected file" or a "trojanized file"? it seems to me
you've already proposed the correct terminology, and "infected" isn't
it.
 
Bear

From: "kurt wismer" <[email protected]>

| On Jan 15, 6:11 pm, "David H. Lipman" <[email protected]>
| wrote:
| [snip]
| infection is a viral concept. suggesting that non-viral malware
| "infects" breeds confusion over the distinction between viral and non-
| viral malware. an infectious agent is one that a person intuitively
| knows can spread, but since non-viral malware does not spread it
| should not be confused for an infectious agent.
|
| is the file an "infected file" or a "trojanized file"? it seems to me
| you've already proposed the correct terminology, and "infected" isn't
| it.

I disagree. A human can get infected with a fungus/yeast/mold, bacteria,
virus and/or parasite. A computer can be infected in like manner.

As long as the invader overwhelms the system's protection schemes the
system becomes infected.

I often parallel an automobile (which most have an understanding
of) and a computer as they are both a system of systems.

One can say that if you have a scratch that the body (the system) is
open to an infection as there is a breakdown in the system's defenses.

Likewise if the rubber cover to a ball joint fails and cracks open, it
leaves the joint open to dirt and water and thus that sub-system can
fail. I will admit that you wouldn't call this an infection but the
actions and results parallel in modeling.

Since the early days of computing when the virus was the malware du jour,
the objective was to parallel the computer to an animal infection and
thus a trojan does indeed infect the system. It is an invader that has
overwhelmed the system's defenses thus degrading the overall "health" of
that system. When a trojan "trojanizes" (some call it patching) a
legitimate file it does the bidding of the malicious actor and the file
is infected as it has code injected into it where it doesn't belong.

I strongly believe a system is infected if malicious software (an
invader) gets into the computer and acts maliciously. Like a biological
system the infection must be cured. In the mechanical system of an
automobile if sand gets into the ball-joint it must be cured only in that
case, of a mechanical system, the terminology of infection is not apropos.
David, I'm liking you more and more. Don't get giddy!
 
Virus Guy

kurt said:
a virus is a self-replicating program. if your definition doesn't
include "self-replicating program" then you're doing it wrong.

How does "code that takes control of a system in order to put the system
to its own use" not include replication as an example of said desired
use?
the malware in question is not a virus.

The old, quaint, pre-internet definition of computer virus is out of
date.

I suggest you (and others) abandon that antiquated and at this point
useless definition.

Broadly speaking, any code from an external source that runs on a system
without the owner's knowledge (or permission, or desire) is viral code.

What you call replication can also mean to change into a different
form. A first-stage infector that opens channels to obtain a new or
different agents is a form of replication.

The goal is always the same: To gain control of a system to utilize
its resources, and to actively maintain that control.

And we have lots of examples where a so-called "non-virus" leads to a
system that actively probes its own local or extended network so as to
"replicate" itself to other vulnerable systems. How is that NOT
classical viral behavior?
don't pander to ignorance. educate and empower.

Don't be a slave to the narrow lexicon of the extinct past.
 
