R
Ron Reaugh
Jim Byrd said:
I understand completely and agree with your thinking....BILLY PLEASE SAVE US
AGAIN.
I understand completely and agree with your thinking....BILLY PLEASE SAVE US
AGAIN.
R
Ron Reaugh
Roger Wilco said:
The existence of which is a Cartesian impossibility.
Can you say heuristic?
D
David W. Hodgins
The virus definitions may have been updated.
The date on the file may not reflect it's actual creation date.
Keep in mind that on access scanning, does not normally scan non-executable
files. On demand scanning, only does so, if you specify it in the configuration
settings.
As to the question, of when to format/reinstall, it's easier to describe when it
isn't needed.
If you know what malware was installed, how it got installed, can be confident that
that's the only malware that was installed, and that malware does not provide
remote access, then it's safe to just clean it using whatever tools are most
suitable.
Otherwise, you should assume all executables (including macros etc), are compromised.
You could boot from a known clean boot media, and compare every executable, to the
files from the installation sources, but it's usually faster to just reinstall.
In most cases, just using an appropriate anti malware tool, to remove the infection,
will be effective, but you cannot/should not count on it. If the pc is used for
any financial activity (online banking, etc), failing to wipe/reinstall, and change
all passwords, could be expensive. Same with failure to remove a dialler, if you
have a regular modem connected to a phone line. Remote access tools can also get
your account terminated for sending spam etc, or cause reputation loss, if everyone
in your address book gets spammed with malware, from your computer.
Regards, Dave Hodgins
R
Ron Reaugh
David W. Hodgins said:
R
Roger Wilco
Ron Reaugh said:
Yes with worms, viruses, and mass distributed trojans which become
noticeable very quickly. Not all malware will be that blatant.
[snip]
Having so many of those scanners FP on that file (if that is what is
happening) is very disappointing.
Oh well - it was worth a try.
R
Roger Wilco
Ron Reaugh said:
Ok, W.O.R.M media then - and I did say it was highly subjective (below).
)Yes I can - but that is beside the point. Heuristics still deal with
what is known.
R
Ron Reaugh
Roger Wilco said:Ron Reaugh said:
Yes with worms, viruses, and mass distributed trojans which become
noticeable very quickly. Not all malware will be that blatant.
[snip]
Having so many of those scanners FP on that file (if that is what is
happening) is very disappointing.
It's NO FP. A2 flags it also. It's for real. The designer may have been
targetting the margin between the real and the false positive in various
scanners. It's something new apparently. I may have been an early/alpha
case. It appeared on my system from thin air seemingly and on the same day
that AVG started seeing it....just a coincidence.....
R
Ron Reaugh
Roger Wilco said:Ron Reaugh said:
Ok, W.O.R.M media then - and I did say it was highly subjective (below).
Yes I can - but that is beside the point. Heuristics still deal with
what is known.
What is known is that it exists.
R
Roger Wilco
In some cases they could add detection for exploit code which was
published and have detection in place before some malware author
actually used it in a program. But most often the malware program's
release prompts the creation of the detection update after some time
elapses. This gives active or autoexecuting exploit based worms the time
they need to spread fairly widely - but for the "click required" worms
and viruses it shouldn't be a problem because there is really no good
reason for a user to execute every damned executable they see when they
could wait a reasonable amount of time for the malware fighters to add
detection capabilities to their scanners.
model?
The current model only enables users to get by without proper safe
practices. I like the old model better - you know, the one where AV was
a tool to help you to climb to better security instead of a crutch to
help your muscles atrophy. Too many people depend on AV to protect them
while they engage in risky behavior when a simple change in behavior
would leave little for the AV to do.
R
Roger Wilco
I think Zvi nailed this one (we'll see when he again responds). You
probably have a program running that wants to hide its messages from
your view by redirecting any echoes destined to the console to the nul
device. The programmer mispelled nul as null and as a result the file is
created (or overwritten) whenever the program is run. Now you will need
to find out what program is creating (or overwriting) this file.
R
Ron Reaugh
Roger Wilco said:
Are you visiting Neverland? That file REALLY IS a trojan. And A2 confirmed
that. And it's detection
seems to have been triggered by some I/O to c:\null from left field. Maybe
something penetrated my Belkin wireless router and then ZA? OR maybe
somebody close has broken my 26 hex char WEP key and come in that way. OR
maybe there is still some undetected infection that happened to trigger at
that moment the spawning of the real trojan c:\null.
R
Ron Reaugh
analysis?Zvi Netiv said:
DONE!
It appears to be an executable.
K
kurt wismer
[snip the rest of the integrity checker discussion]Ron said:
google on "integrity checker" and you'll find plenty... back in the day
(before windows) i rather liked integrity master and advanced disk
infoscope... i just did a status check on them (i *neglect* to use
integrity checkers myself, but there are mitigating circumstances there)
and although integrity master doesn't seem to be handling current file
systems all that cleanly, adinf (http://www.adinf.com) seems to have
been kept sufficiently up to date to be usable on xp...
K
kurt wismer
Ron said:
there will always be occasional failures, it's just a fact of life...
to try and deal with the failures in preventative measures one must
realize there's more to security than just preventative measures, and
there's more to preventative measures than just using the best scanner...
within the realm of preventative measures there's OS hardening and
keeping your applications/OS up-to-date and patched... there's process
whitelisting (i don't know about other software firewalls but kerio
personal firewall has something called application launch control which
is sort of along those lines)... also, on the behavioural side there's
the simple avoidance of new executable material (ie. keep your playing
around with new software/cracks/keygens/whatever to a bare minimum)...
besides preventative measures there are also detective and restorative
measures... detective measures include virus detectors (we actually use
their detective capabilities to try an implement a preventative measure)
but also change detectors (integrity checkers),
network/registry/filesystem/process monitoring tools, so-called rootkit
detection software, an observant user, etc... restorative measures are,
of course, the various backup facilities that are available, the
dedicated malware removal tools when available, and detailed manual
removal instructions when available...
when gauging how effective your security response to an incident was you
need to look at the whole picture, not just part... so your preventative
measures failed - how quickly were your detective measures able to sound
the alarm and how easy was it to recover?
if the only issue is the frequency of preventative failures then look at
exactly what security (not necessarily software) vulnerability is
involved in those failures and tighten that up...
Z
Zvi Netiv
Ron Reaugh said:
Got the sample, and found interesting things in it.
I am writing the follow up, but it will take a few more hours as all three
computers are now taken for my grandchildren games. They gave me just a couple
of minutes to post this message.
Regards, Zvi
G
Gabriele Neukam
On that special day, Roger Wilco, ([email protected]) said...
Create a dummy file with the name "example.txt.pif", and then try to
find it in the Windows Explorer.
You won't see the "pif" in the name. Not if you don't change the
setting in the registry by hand, at HKEY_CLASSES_ROOT, and put
NeverShowExt to zero. Yet, any executable can be renamed as
"pif", and if you double click it, it will be /run/, as the command for
the piffile is "%1" %*.
A good deal of the Netsky worms abuse this Microsoft "feature"
Gabriele Neukam
(e-mail address removed)
Create a dummy file with the name "example.txt.pif", and then try to
find it in the Windows Explorer.
You won't see the "pif" in the name. Not if you don't change the
setting in the registry by hand, at HKEY_CLASSES_ROOT, and put
NeverShowExt to zero. Yet, any executable can be renamed as
"pif", and if you double click it, it will be /run/, as the command for
the piffile is "%1" %*.
A good deal of the Netsky worms abuse this Microsoft "feature"
Gabriele Neukam
(e-mail address removed)
Z
Zvi Netiv
Ron Reaugh said:
A quick and partial analysis of the "NULL" sample yields interesting findings:
Although the file has the structure of a 32 bit executable, it isn't one and
won't execute even if assigned an executable extension (.exe for that matter).
This confirms my previous statement that the detection as Qdown.s or whatever
ARE false alarms!
Digging in the sample code reveals that the use of the NULL file name is
deliberate. The code also suggests that the NULL file may be renamed at some
stage through the Wininit procedure, probably to QDOWAS2.DLL. What's clear
beyond doubt is that NULL per se isn't a Trojan.
For the sake of completeness, I suggest that you look with Notepad in your
%Windir%\WININIT.BAK file (it contains a backup of the last instructions
executed by Wininit.exe). If your NULL file was involved in the installation of
anything through Wininit, then you will find there traces in Wininit.bak of what
it did, in plain text. The time and date of Wininit.bak will also tell when
this happened.
I also suggest that you search for a file named Qdowas2.dll, just in case.
[...]
You are asking the wrong questions and looking in the wrong places for answers.
For starters, on-access AV aren't supposed to check non-executable files, even
if they have an executable structure! Doing so would yield excessive false
alarms (just demonstrated!) and would slow down processing considerably.
If curious what drops the NULL file on your drive then get InVircible, set a
trap for "NULL" in its blacklist, and you'll know the moment anything attempts
dropping that file again, including the name of the parent process that induces
the creation of the file. A by-product would be gaining a sound real-time
defense! For the sake of full disclosure, pay attention to my signature, below.
Note that you should not run more than *one* on-access AV defense on the same
PC, at any given time!
Notepad opens by default files with the .TXT extension. Therefore, if you run
NOTEPAD C:\NULL then it will look for a file named null.txt and nothing will
happen. The dot after null is a delimiter that instructs NOTEPAD to interpret
the argument as "null" plain, with no extension.
[...]
Because KAV is also susceptible to false positives, although less than some
mediocre scanners in the first group.
What I am saying is that you are overly confident in scanners reliability.
There sure is, and I explained how to find out. Speculating on scanners
reliability won't get you to the bottom of this. A systematic approach, will.
Regards, Zvi
R
Roger Wilco
That file may be a malware related file, but it itself is not malware
(it is not executable and as such is not a threat) and any scanner that
detects it as such is wrong (but some would do so purposefully to get
better scores in AV comparative tests - like detecting boot sector
viruses in "files" like .bak backup files.. The only way it could be
executable is if it is an OLE2 filetype (.doc) that has been renamed
extensionless. It is a good idea for scanners to completely ignore
extensions and determine filetypes by their internal structure - but
this adds too much scanning time I suppose.
R
Roger Wilco
Ron Reaugh said:
It's not magic, it is only a way to trade accuracy for time. A little
less accurate, but much quicker. It still requires that a known thing
(or known things) be looked for and a judgement made. If you knew for
instance that it was a virus you were looking for, there are known
attributes of previous viruses that can be looked for. When you start
with a complete unknown you have nothing to go on. Do you think
heuristics can detect a retrograded patch level?
R
Roger Wilco
Gabriele Neukam said:
Yeah, and that "clickme.txt .exe" thing
too.
A good point - I should have said also that they needn't open every
unsolicited e-mail's attachment.
The fact remains that most people don't even have to be tricked into
doing stupid stuff.