Virus Attack Leads To Change Of A/V

Thread starter: starrin

starrin

Friday A.M. hard drive was seized by a virus which stated I could get
a fix for it for $$. Asked my tech if I should fire Norton A/V 2012 - up
to date and in use - and he said his experience was that the viruses
of this nature were changing faster than A/V folks could keep up with
it. Nonetheless, he took out Norton and installed Microsoft Security
Essentials. Now, I can easily take it out and re-install Norton, but
thought I would give it a go. Any thoughts, opinions? I'm reading
mixed reviews - which is what I read for most A/V. I've been a reader
in this group for years.
I have had Norton since my first P/C in 94, and this is the first
virus problem that I have had. Am on the PC daily as a news editor,
using sites all over the world.
 
starrin said:
Friday A.M. hard drive was seized by a virus which stated I could get
a fix for it for $$. Asked my tech if I should fire Norton A/V 2012 - up
to date and in use - and he said his experience was that the viruses
of this nature were changing faster than A/V folks could keep up with
it. Nonetheless, he took out Norton and installed Microsoft Security
Essentials. Now, I can easily take it out and re-install Norton, but
thought I would give it a go. Any thoughts, opinions? I'm reading
mixed reviews - which is what I read for most A/V. I've been a reader
in this group for years.
I have had Norton since my first P/C in 94, and this is the first
virus problem that I have had. Am on the PC daily as a news editor,
using sites all over the world.

You likely clicked on a link that contained a Fake Antivirus... a common
issue for a while on folks' PCs I've had to clean for them.
http://www.softpedia.com/get/Antivirus/Remove-Fake-Antivirus.shtml

MSSE is not the best free AV IMO. avast! or Comodo Internet Security are
much better.

However, none of those actually preclude safe hex as to what the user
clicks to allow.

https://docs.google.com/document/d/14Hh-sPdQMwmxj9-VWG6lbpZfqrIjl9Kn024jegcWw_w/edit

shortened link:
http://goo.gl/nTr23+

--
Bear
http://bearware.info
The real Bear's header path is:
news.sunsite.dk!dotsrc.org!filter.dotsrc.org!news.dotsrc.org!not-for-mail
 
starrin said:
Friday A.M. hard drive was seized by a virus which stated I could get
a fix for it for $$. Asked my tech if I should fire Norton A/V 2012 - up
to date and in use - and he said his experience was that the viruses
of this nature were changing faster than A/V folks could keep up with
it. Nonetheless, he took out Norton and installed Microsoft Security
Essentials. Now, I can easily take it out and re-install Norton, but
thought I would give it a go. Any thoughts, opinions? I'm reading
mixed reviews - which is what I read for most A/V. I've been a reader
in this group for years.
I have had Norton since my first P/C in 94, and this is the first
virus problem that I have had. Am on the PC daily as a news editor,
using sites all over the world.

Sounds like the fake virus routine...

They don't really infect you but make you think they did so they can
charge you $$ for nothing.

MSE is not a bad program. I wouldn't pay for Norton.

To be safe, if you haven't already done so, download a free copy of
Malwarebytes... install it, update the anti-virus files and run it.
If it finds something, it will move it to quarantine.
 
starrin said:
Friday A.M. hard drive was seized by a virus

Remove the hard drive and attach it as a slave to a known/good PC that
has several different AV programs and perform a drive scan with each of
them to identify and quarantine suspicious files.

If the drive is the primary bootable drive on the machine in question and it
contains the operating system for the machine, then consider replacing
it with a new drive and perform a full OS re-installation on the
machine, including all application software you had on that drive.
Any thoughts, opinions. I'm reading mixed reviews - which is what
I read for most A/V.

Real-time AV detection on the vulnerable likes of NT-based Windows
machines has been practically impossible for the past 5 years.

That's why I (still) run Windows 98 - because it is significantly less
vulnerable than the NT-based versions are (and not because it is now a
rare OS to see - Win-9x/me has always had fewer vulnerabilities than
NT-based OS's at every point in time - just go to secunia.org to see the
proof).
Am on the PC daily as a news editor, using sites all over the world

Then you should know that the illusion of security that surrounds NT
and its derivatives was just a marketing tool developed by Microsoft.

NT (2k, XP, etc). The Emperor with no clothes.

NT - made from the finest, most expensive code.

Microsoft's motto: If it works, it's not complicated enough.
 
Virus Guy said:
If the drive is the primary bootable drive on the machine in question and it
contains the operating system for the machine, then consider replacing
it with a new drive and perform a full OS re-installation on the
machine, including all application software you had on that drive.

Are you serious?
 
Virus said:
Remove the hard drive and attach it as a slave to a known/good PC that
has several different AV programs and perform a drive scan with each of
them to identify and quarantine suspicious files.

If the drive is the primary bootable drive on the machine in question and it
contains the operating system for the machine, then consider replacing
it with a new drive and perform a full OS re-installation on the
machine, including all application software you had on that drive.


Real-time AV detection on the vulnerable likes of NT-based Windows
machines has been practically impossible for the past 5 years.

That's why I (still) run Windows 98 - because it is significantly less
vulnerable than the NT-based versions are (and not because it is now a
rare OS to see - Win-9x/me has always had fewer vulnerabilities than
NT-based OS's at every point in time - just go to secunia.org to see the
proof).

You sound so silly when you write stuff like this. Of course there would
be fewer vulnerabilities to exploit when there is no security to begin with.

[...]
 
starrin said:
Friday A.M. hard drive was seized by a virus which stated I could get
a fix for it for $$. Asked my tech if I should fire Norton A/V 2012 - up
to date and in use - and he said his experience was that the viruses
of this nature were changing faster than A/V folks could keep up with
it.

It's true, there are just too many ways to alter the form these
"trojans" (not viruses) take.
Nonetheless, he took out Norton and installed Microsoft Security
Essentials. Now, I can easily take it out and re-install Norton, but
thought I would give it a go.

I hear that it is better than nothing. :o)
Any thoughts, opinions?

I wouldn't jump from AV to AV just because of a missed sample. They will
*all* miss some. Better is to enhance your protection by supplementing
an anti-malware or anti-spyware application alongside your choice of
anti-virus application.
I'm reading
mixed reviews - which is what I read for most A/V. I've been a reader
in this group for years.
I have had Norton since my first P/C in 94, and this is the first
virus problem that I have had. Am on the PC daily as a news editor,
using sites all over the world.

The choice is yours alone, different strokes and all. I used NAV 5.0 for
a long time and then went the free AV route AVG, Avast!, and Avira. All
of the free ones were adequate for my computer usage.
 
FromTheRafters said:
Of course there would be fewer vulnerabilities to exploit when there
is no security to begin with.

You don't make a good counter-argument when you confuse desktop (login)
security with web-based browsing or network-based connectivity security.

The fact that NT has strong user-level login capability doesn't mean
squat in terms of how vulnerable that system is when surfing the web.

And before you post a reply, remember that there have been many
privilege-escalation vulnerabilities and exploits used against NT-based
systems for years, rendering your so-called "NT security" capability
useless.
 
Virus Guy said:
You don't make a good counter-argument when you confuse desktop (login)
security with web-based browsing or network-based connectivity
security.

I'll try then.

Windows 9x systems were easier to exploit from ie6 vulnerabilities (or
ie5 if they never bothered to upgrade). Depending on the network
configuration (Windows98 didn't come with a firewall) it's piss easy to
remote map drives (including root drive c:) with full read/write
ability. When you do this, you 0wn the system.
The fact that NT has strong user-level login capability doesn't mean
squat in terms of how vulnerable that system is when surfing the web.

Software vulnerabilities present in clients aren't the OS's fault. NT in
fairness can't be held responsible if an email client renders some
crafty html with embedded javascript that does something nasty. In that
scenario, ANY os can be hassled with.
And before you post a reply, remember that there have been many
privilege-escalation vulnerabilities and exploits used against NT-based
systems for years, rendering your so-called "NT security" capability
useless.

The fact the malware had to make use of exploits to gain rights it
doesn't already have says a lot about the security of NT. For example,
the old toadie virus would be trapped under UAC, but on your machine,
it's able to roam freely. In fairness, we'd leave the AV out of it and
let the host OS "security" confine the toadie.
 
starrin said:
Friday A.M. hard drive was seized by a virus which stated I could get
a fix for it for $$. Asked my tech if I should fire Norton A/V 2012 - up
to date and in use - and he said his experience was that the viruses
of this nature were changing faster than A/V folks could keep up with
it. Nonetheless, he took out Norton and installed Microsoft Security
Essentials. Now, I can easily take it out and re-install Norton, but
thought I would give it a go. Any thoughts, opinions? I'm reading
mixed reviews - which is what I read for most A/V. I've been a reader
in this group for years.
I have had Norton since my first P/C in 94, and this is the first
virus problem that I have had. Am on the PC daily as a news editor,
using sites all over the world.

this is going to sound like petty semantics, but what you had wasn't a
virus.

the reason this is significant is that while automated defenses like
anti-virus programs are good enough against automated threats like
viruses, the threat you encountered had a person behind it no doubt
making sure that it could bypass automated defenses. automated
defenses aren't particularly good against people.

switching from one av to another isn't going to change the basic
problem that you face, which is that the threat (a sentient being) is
smarter than the defense (a dumb program).

there are other types of security software that can accept more input
from the user and in so doing add the user's own intellect to the
defense. software such as application whitelists where you decide
what's allowed to execute, or behavioural control systems where you
can decide what behaviours various programs are allowed to perform.

i fully expect many people to balk at the notion that they can't just
install something and have that take care of everything for them, but
there's really no way around the fact that people are better able to
outsmart machines than vice versa.
 
kurt said:
this is going to sound like petty semantics, but what you had
wasn't a virus.

Doesn't matter if it technically wasn't a virus.

It most likely did cause a file to be written to the hard drive during
its exploitation of the system (likely in a temp directory, browser
cache, etc).

And like a viral piece of code, this file could have been detected as a
threat if the AV software had its MD5 (or what-ever) in its definition
file, or if it could detect it by some other means (packer type, other
heuristics).
the reason this is significant is that while automated defenses
like anti-virus programs are good enough against automated
threats like viruses

What this guy got was an automated threat.

The alternative to an automated threat is a manual or "in-person"
threat. So you believe that a hacker was standing over this guy's
shoulder, secretly typing commands into the system's keyboard, or
plugging a malicious thumb drive into the system's USB port?
the threat you encountered had a person behind it

There is always a person behind any and all malicious code. That code
doesn't write itself. And tell me when automated processes like
web-injection or e-mail spamming isn't used to deliver them?
 
Friday A.M. hard drive was seized
SNIP

What I got was three simultaneous versions of:
Exploit: Java/CVE-2010-0842.AN
-0094.ER
-5353.ABB.
He indicated the text in the exploit said it was coming from
Reuters, the European news provider. I have no reason to
believe that, but I sent the info to Reuters just in case.
In any case, Thanks to all for the input. At least no one screamed
too loud about MSE. And I have no illusions that there is one
ultimate solution to the problem.
 
Virus said:
You don't make a good counter-argument when you confuse desktop (login)
security with web-based browsing or network-based connectivity security.

I'm not making that counter-argument at all. The fact is that many of
the vulnerabilities that you count against NT are irrelevant to Win-98
because they are privilege escalation exploits. Win-98 doesn't even have
the obstacles that those exploits have to surmount.

Comparing vulnerabilities by number is just plain silly, and when you
use that as some shining example of Win-98's superior security it only
shows how much you don't know about the subject.
The fact that NT has strong user-level login capability doesn't mean
squat in terms of how vulnerable that system is when surfing the web.

Of course not, attacks against application software are not the fault of
the OS - but a good secure OS can mitigate damage by limiting scope.
And before you post a reply, remember that there have been many
privilege-escalation vulnerabilities and exploits used against NT-based
systems for years, rendering your so-called "NT security" capability
useless.

Yes, but Win-98 doesn't even try to limit scope - and you think *that*
makes it better?
 
Virus said:
Doesn't matter if it technically wasn't a virus.

It would if a virus had really encrypted his files and wanted money to
be sent in return for the key. The way the OP phrased the question it
sounded like ransomware cryptovirology while it is actually just a
simple trojan.
It most likely did cause a file to be written to the hard drive during
its exploitation of the system (likely in a temp directory, browser
cache, etc).

It likely exploited the user using temp files in the process. Then a
download was allowed and the downloaded program was executed - all by
user consent.

Of course it *is* possible that some software vulnerability was
exploited, but the social engineering is pretty good on these.
And like a viral piece of code, this file could have been detected as a
threat if the AV software had its MD5 (or what-ever) in its definition
file, or if it could detect it by some other means (packer type, other
heuristics).

Not really, a virus is self-polymorphic and will run through a 'space'
of different forms whereas when a trojan is being distributed by a
server-side polymorphic scheme the 'space' is much larger and the human
can even change that server-side poly at will.
What this guy got was an automated threat.

No, he got a trojan that uses a separate distribution method. There is a
person or persons behind the poly.
The alternative to an automated threat is a manual or "in-person"
threat. So you believe that a hacker was standing over this guy's
shoulder, secretly typing commands into the system's keyboard, or
plugging a malicious thumb drive into the system's USB port?

No, automated in this case means self-distributing.
There is always a person behind any and all malicious code.

But not always actively behind it and changing what it 'looks like' to
scanners.
[...]
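
An added illustration (not code from anyone in this thread) of the two points argued above: Virus Guy's claim that a hash-based definition could have caught the dropped file, FromTheRafters' reply that server-side polymorphism makes every download hash differently, and kurt's earlier suggestion of application whitelisting as a default-deny alternative. The byte strings standing in for the fake-AV dropper and for an approved program are constructed here; MD5 is used only because that is what the thread names.

```python
import hashlib

# Constructed stand-in for a fake-AV dropper. The string in the middle is
# the invariant the heuristic below keys on; everything else is padding.
KNOWN_BAD = b"MZ\x90\x00FAKEAV-DROPPER:pay-for-fix\x00" + b"\x00" * 64

# Constructed stand-in for a program the administrator has approved.
APPROVED_TOOL = b"MZ\x90\x00approved-editor-constructed\x00"


def md5_hex(data: bytes) -> str:
    # MD5 because that is what the thread names; a current allowlist or
    # definition file would use SHA-256 and the logic is identical.
    return hashlib.md5(data).hexdigest()


# Definition file of a hash-based scanner: it has seen exactly one sample.
DEFINITIONS = {md5_hex(KNOWN_BAD)}

# Default-deny allowlist: the only hashes permitted to execute.
ALLOWLIST = {md5_hex(APPROVED_TOOL)}


def repack(sample: bytes, seed: int) -> bytes:
    """Model of server-side polymorphism: each download of the same trojan
    gets a different trailer, so every copy has a different hash while the
    behaviour (and the invariant string) is unchanged."""
    trailer = bytes(((seed * 131 + i) & 0xFF) for i in range(16))
    return sample + trailer


def signature_scan(data: bytes) -> bool:
    """Definition-file match: flags only byte-identical samples."""
    return md5_hex(data) in DEFINITIONS


def heuristic_scan(data: bytes) -> bool:
    """Crude content heuristic standing in for the 'packer type, other
    heuristics' of the thread: flags anything carrying the invariant."""
    return b"pay-for-fix" in data


def allowlist_permits(data: bytes) -> bool:
    """Application whitelisting: run only what was approved beforehand.
    Unknown code is blocked whether or not any scanner knows it."""
    return md5_hex(data) in ALLOWLIST


def evaluate(variant_count: int) -> dict:
    """Run the original plus `variant_count` repacked copies through all
    three checks and count how many each one would have stopped."""
    samples = [KNOWN_BAD] + [repack(KNOWN_BAD, s) for s in range(1, variant_count + 1)]
    return {
        "samples": len(samples),
        "signature_blocked": sum(signature_scan(s) for s in samples),
        "heuristic_blocked": sum(heuristic_scan(s) for s in samples),
        "allowlist_blocked": sum(not allowlist_permits(s) for s in samples),
    }


if __name__ == "__main__":
    print(evaluate(10))
```

The hash definition stops only the one copy it was built from; the content heuristic keeps working exactly as long as the repacker leaves the invariant alone, which is the "space is much larger" problem FromTheRafters describes; the allowlist never needs to have seen the sample, at the cost of the user deciding up front what may run.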
 
starrin said:
SNIP

What I got was three simultaneous versions of:
Exploit: Java/CVE-2010-0842.AN
-0094.ER
-5353.ABB.
He indicated the text in the exploit said it was coming from
Reuters, the European news provider. I have no reason to
believe that, but I sent the info to Reuters just in case.

It is good to inform them that their name is actively being used in such
attacks.
In any case, Thanks to all for the input.

Did MalwareBytes' Anti-Malware fix it up for you?
At least no one screamed too loud about MSE.

I've heard that they have improved somewhat, but there are still some
that are consistently better.
And I have no illusions that there is one
ultimate solution to the problem.

There is, but burying the computer in concrete isn't a particularly
*useful* solution.
 
Virus Guy said:
Doesn't matter if it technically wasn't a virus.

Sure it does. A virus is usually more of a chore to clean up. Landmines
everywhere.
It most likely did cause a file to be written to the hard drive
during its exploitation of the system (likely in a temp directory,
browser cache, etc).

Assuming the user didn't do something stupid, it likely exploited the
web browser, not the OS, the web browser. An important difference.
And like a viral piece of code, this file could have been detected as
a threat if the AV software had its MD5 (or what-ever) in its
definition file, or if it could detect it by some other means (packer
type, other heuristics).

A viral piece of code? In what way is creating a file on a hard drive
alone, viral? Are you teaching your arse a new language?
What this guy got was an automated threat.

Possibly of the polymorph server side kind.
There is always a person behind any and all malicious code. That
code doesn't write itself. And tell me when automated processes like
web-injection or e-mail spamming isin't used to deliver them?

web injection? More arse speakish?
 
Doesn't matter if it technically wasn't a virus.

it does if he's relying on defenses for viruses.
It most likely did cause a file to be written to the hard drive during
its exploitation of the system (likely in a temp directory, browser
cache, etc).

And like a viral piece of code, this file could have been detected as a
threat if the AV software had its MD5 (or what-ever) in its definition
file, or if it could detect it by some other means (packer type, other
heuristics).

you clearly didn't understand the part where i said people are smarter
than computers. there's no such thing as non-viral malware that
doesn't have a person pulling the strings. trojans don't spread
themselves, they are planted by people. people are notoriously
effective at outsmarting automatons like anti-malware scanners.
What this guy got was an automated threat.

not if it wasn't viral it wasn't. just because it's a program doesn't
mean it's automated.
The alternative to an automated threat is a manual or "in-person"
threat.  So you believe that a hacker was standing over this guy's
shoulder, secretly typing commands into the system's keyboard, or
plugging a malicious thumb drive into the system's USB port?

that is a strawman. a caricature of what i'm suggesting that's made so
ridiculous it's easily debunked.

there's a world of difference between someone shoulder surfing and an
automaton that hunts down new victims months or even years after its
last input from its creator using exactly the same algorithm it had
when it was created. the latter is well suited to anti-malware
scanners, the former is not, and neither is the case where someone
just set a new trap - which is what most non-viral malware represents.
 
starrin said:
A Tech fixed it for me. The hard drive was completely tied up. I
couldn't do a thing. I think he installed the MSE and used it. I say
that because the log for MSE is where I got the info above. It
indicated the exploits had been destroyed.
I don't want to start a war, but what's better, free or paid?
The engineer who keeps our site up and who sent me to the tech, says
he uses AVG. As I said initially, I have been using Norton for years
and would have been (and may still) happy to continue with it.

This is a good source for professionally run test results.

http://www.av-comparatives.org/

But still, personal preferences rule.

My opinion, I'd stick with Symantec/Norton since you have been happy
with them thus far.
 