Author Topic: Anti Virus and Anti Spyware

Offline Vulcan

Anti Virus and Anti Spyware
« Reply #30 on: November 07, 2007, 02:23:30 PM »
llama, I've had this discussion many times before.... look at this thread (me on a NZ bbs I haunt):

http://www.gpforums.co.nz/showthread.php?s=&threadid=285280&perpage=25&pagenumber=4

Mid this-AV-discussion I found a link to a NZ audio retailer's website in another thread. Lo and behold, that retailer had a framed link for a banner advertiser who had been compromised and was trying to install malware via Java (which would've worked in non-IE browsers).

In my role I've designed, deployed, and configured 1000-2000 seat sites (that's relatively big for the NZ market). This includes configuration of boxes from Sonicwall, Juniper, Foundry, Aventail, etc., guiding the users through how their system works, and observing behaviour post-configuration on live large sites. Several of these sites give me unfettered access so that if they have an issue/question I can look into the problem and advise on it.

Yesterday I was slipping a secondary Sonicwall Pro 5060 (~2Gbps firewall) in as an HA failover unit at a site. I also probably have one of the only Sonicwall E7500's in the southern hemisphere (~5Gbps firewall) - currently registered as Marks Home Firewall, much to my boss's consternation :P

I have a lot of experience and have observed a lot of real world activity. I've seen how dumb users are, how browsers are used by the majority (how they usually turn security way down to get various apps to work right).

So I disagree with you. Unless you get your hands dirty with this technology you're always second guessing what is really going on.

So I have a lot of hands on experience.

edit: one question for you llama, no googling allowed, how much do you know about the storm worm?
« Last Edit: November 07, 2007, 02:27:51 PM by Vulcan »

Offline llama

Anti Virus and Anti Spyware
« Reply #31 on: November 07, 2007, 06:29:39 PM »
The w32/storm.exe virus sent as email attachments, the Storm Worm-based botnet in general, or the Storm Worm "infected" websites with the IFRAME inject? Either way, lots.

I'm not really sure what we're debating here.

My argument is that, assuming you have an up to date alternative browser like Firefox or Opera, you should feel free to visit what I call "non-risky" sites protected with something free like AVG without significant fear.

I guess you're saying "Not so fast, even 'safe' sites can have risk. You should always have something more serious than AVG."

And I suppose if I didn't have to deal with budgets that can't afford virus-sensing "smart" firewalls, I might have that attitude too. Security is always a cost/benefit analysis, and in the Aces High world, decreased game performance due to "too much security" is a cost that must be balanced in addition to financial ones.

But getting back to your example of the Storm Worm infected sites - as I recall (again, no Googling), the IFRAME attack targeted only those browsers not up to date. In fact, I seem to recall the patch that blocked the automatic download had been released more than a year (two years?) after the GOP's site was one of the first that was compromised this past August or September. Patched browsers were presented with a "Do you want to download patch.exe? Yes/No" warning, as I recall.

I cannot recall ANY reports where a current browser automatically downloaded anything related to Storm.

Now I'm checking google...

Well, as of October 2007, the Safari 3 beta is automatically downloading exes. Sigh. IE and Firefox don't. This comes from TrendMicro. (http://blog.trendmicro.com/zero-day-flaw-in-safari-3003-web-browser-for-windows/)

My argument to that big AV company, and to you too, is that if a user can't be bothered to keep their browser up to date, then I think it's very unlikely that they'll keep their AV up to date, ESPECIALLY after that first year's definitions have started to get old because they don't want to pony up for another year's subscription. And, at least for drive-by downloads, an updated browser is the best defence, IMO.

I have enough test machines (real and virtual) and security software licenses that I can pretty much check out any site with drive-bys and see what happens and report back here. Please send me some so I can test.

PM is fine if you don't want these URLS out there for anyone to click.

I seriously want to report on what's best for my clients and for the readers of CPU, and you've given me plenty to think about. However, you honestly haven't convinced me. Your credentials are impressive, but from what you've said so far, it seems your focus is blocking malware at the firewall level, but for all of my clients (and certainly, everyone here on the AH forums), such blocking is done via software at the PC level (excluding the consumer-grade NAT firewall, of course), which is the same level at which the browser interacts with the data stream. Different focus.

-Llama

Interesting server at 69.12.181.171

Offline Vulcan

Anti Virus and Anti Spyware
« Reply #32 on: November 07, 2007, 06:50:34 PM »
My focus isn't just at a firewall level. UTM firewalls are not 100% assured to block viruses or malware. In a commercial situation I push a 3-tiered approach: both a UTM firewall and good desktop AV/malware protection, coupled with proper reporting/alerting functionality (you'd be surprised at how many skip the 3rd bit when it is the easiest and cheapest bit of all - usually free).

For private users I push a reasonable firewall (SPI at least) plus good AV. AVG, in my book, is bad for two reasons: it has high false positives, and it has low proactive hits on new malware. AVG scores extremely badly on new stuff. Whereas products like NOD score very well (McAfee does 'ok').

I have absolutely no faith in a browser's ability to keep a user protected. I also have no faith in a user being smart enough to not click on a link emailed to them and enter sensitive credentials. I've been having a 'discussion' with our Mac guys about the new Apple malware. They seem to think that having to enter a username/password negates the malware entirely. They have no idea how unaware users are of what this can mean, and how readily users will enter that information to be able to see some sort of (porn) video.

Between all the browser exploits that come and go, and user ignorance, I have no faith. That is why I push a good commercial AV solution.

Now, as for 'smart' UTM firewalls. How much do you think one costs?

You can buy a Sonicwall TZ-150 Wireless TotalSecure bundle for ~US$340. That gives you a UTM Layer 7 firewall, with 4 switch ports, built-in wireless b/g AP, 1 year of Gateway Antivirus, Intrusion Prevention, Gateway Antispyware, Web Content Filtering, and ViewPoint reporting software (as well as the enhanced warranty). Given what some people spend on PCs, accessories etc., that's not that expensive. And if you have kids the content filtering is a great bonus. Sonicwall even have a lower end AV/IPS/Spyware only gateway (no idea on $$$).

So what I push/preach is not out of reach for small business or even home users.

Offline MrRiplEy[H]

Anti Virus and Anti Spyware
« Reply #33 on: November 08, 2007, 12:39:54 PM »
Is there a way to reroute the filtered content to yourself? If so, I'm sold! :D
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline llama

Anti Virus and Anti Spyware
« Reply #34 on: November 08, 2007, 01:37:39 PM »
Vulcan,

You've been supplied with ample evidence that suggests my claims are on the mark, including:

* The software engineers and the marketing flack of a major AV company demonstrating that their drive-by-downloader protector doesn't get activated when the browser is current.
* The Storm Worm IFRAME flaw stories all around the Net, stating that older, unpatched browsers are affected and vulnerable, but patched, current browsers aren't.
* The TrendMicro link I provided a few posts ago.
* My main PC, running without AV for 3 years, and visiting thousands of typical sites, is uninfected, as verified by Kaspersky and NAV2008 5 weeks ago, while using a current browser.
* JB73 Reports the same thing. (these last two are anecdotal, of course, but at least they are actual, specific examples)
I have asked, repeatedly, for EVIDENCE that shows the vulnerability you assert that patched, up-to-date browsers have. I've asked for URLs to test. I've thus far seen none.

I'll now settle for published reports that make this claim.

When I'm saying that "I'm not convinced," I am asking that you convince me. Present evidence. Please. I'm shooting for the truth here. It doesn't serve my clients or my readers if I am wrong, and my goal is to learn what's true.

Simply stating "I know what I'm talking about" isn't evidence. Even someone with the best credentials could be wrong. *I* could be wrong.

And finally, thanks for the heads-up on the Sonicwall TZ-150. That's a very fair price point for all those features. I can think of one client already who would probably want one. Heck, *I* want one.

Anyway, the whole point of this post is: "Evidence, Please."

-Llama


Offline JB73

Anti Virus and Anti Spyware
« Reply #35 on: November 08, 2007, 02:25:21 PM »
To add fuel to the anecdotal evidence I will admit a few things that I wouldn't normally, as things for you guys to check on.

I sometimes go to adult sites found via Google that require joining, and have multiple pop-ups even with Firefox. Until a few months ago I used "Ares" to DL music, sometimes even "recent" pop hits for my friend's wife (they are so bad browsing they actually got a BHO, a keylogger, a trojan, and a virus using Firefox all in 1 week). I also download torrents.

I am also lax in my actual windows updates. I do them about every 6 months.

Now I will call myself smart for conversation lol, but say I get a pop-up that looks like a Windows message: I know that if the cursor is a "hand" it is not a real Windows message. Things like that are so common it scares me. I know when "your PC may be infected!!!111" is fake, as I don't have software running to watch that. I keep a pretty close eye on my services running, and use cprocess to see actual modules under a process. When I do my yearly or so inspection I download the latest Ad-Aware, Spybot, HijackThis, and Avast on a separate machine, jump drive it to the PC, install it and download any updates. Once ready I disconnect the network, boot to safe mode, and spend 3 hours searching the system.

Most recently all I found was 22 tracking cookies from the usual ad sites, nothing special. Most of them were from the past week's browsing, and I knew they were there; I was just too lazy to bother getting rid of them.

For what you guys are debating I have a perfect example. A guy I know as a friend of a friend has asked for my help a few times fixing his PC. After the first time I stopped returning his calls. This guy spent a 1/2 hour explaining how "the FBI was looking at his temp files" and the "virus alerter" told him to get a temp file cleaner because he was looking for "teen thumbnails". :( :rolleyes: :confused: :cry


After not even being able to install Ad-Aware after 2 hours of working on downloading it I told him I had to re-format his PC. He said that wasn't possible as his wife's nursing school stuff was on the PC, and their kids had spilled soda in the CDR drive so we couldn't even back up anything.

Some people are, and forever will be, helpless when it comes to this stuff. I don't care what you sell them, they will kill their systems, and perpetuate the cycle of malicious stuff on the internet. That I can guarantee from actual experience.
I don't know what to put here yet.

Offline Vulcan

Anti Virus and Anti Spyware
« Reply #36 on: November 08, 2007, 04:40:38 PM »
Quote
Originally posted by llama
I have asked, repeatedly, for EVIDENCE that shows the vulnerability you assert that patched, up-to-date browsers have. I've asked for URLs to test. I've thus far seen none.


Try some yl18.net URLs, they're in strife at the moment.


Oh and: http://www.kb.cert.org/vuls/id/715737

Quote
Vulnerability Note VU#715737
Mozilla Firefox jar URI cross-site scripting vulnerability
Overview
Mozilla Firefox contains a vulnerability that may allow an attacker to execute code, or conduct cross-site scripting attacks.
I. Description
The jar protocol is designed to extract content from compressed files. Mozilla based browsers include support for jar: URIs that are of the form jar:http://![filename path]. From the GNUCITIZEN blog, jar: content run within the scope/origin of the secondary URL. Therefore, a URL like this: jar:https://example.com/test.jar!/t.htm, will render a page which executes within the origin of https://example.com.
To successfully exploit this vulnerability, an attacker could place a specially crafted archive file on a vulnerable site and convince the user to open the file with a Mozilla based browser. An attacker could use sites that allow user-submitted content to distribute malicious archived files.
II. Impact
This vulnerability may allow an attacker to execute cross-site scripting attacks on sites that allow users to upload pictures, archives or other files. If the user opens the malicious URI with a Firefox Addon, an attacker might be able to execute arbitrary code.
III. Solution
We are currently unaware of a practical solution to this problem.
« Last Edit: November 08, 2007, 04:43:59 PM by Vulcan »

Offline llama

Anti Virus and Anti Spyware
« Reply #37 on: November 08, 2007, 05:01:33 PM »
Vulcan,

Thanks. I'm at a client's now, so I obviously can't test. I'll check it out on some test systems tonight.

-Llama


Offline JB73

Anti Virus and Anti Spyware
« Reply #38 on: November 08, 2007, 05:06:32 PM »
pandora jar

:aok

Err, oops lol. Was a jar that would grab the songs you listened to off Pandora. What a PITA to get it going though. Have to manually write a batch file, jump through this and that hoop; glad I stopped bothering with it almost a year ago.


Oh, and thanks for the notice, Vulcan. I always keep NoScript going and up to date; that should help, the article says.

Offline llama

Anti Virus and Anti Spyware
« Reply #39 on: November 08, 2007, 05:51:23 PM »
Vulcan,

Thanks for the link. I don't think you're gonna like my findings.

First of all, the news is 2 days old, and most of the yl18.net files are no longer working (I'm remoting into my home test machine - I'm just too curious to wait, trying to find some live ones - no luck yet). The best I can do right now is to read the security forums of two days ago, when people were actually able to check out the sites live. There are few screenshots, but this is an interesting one:

(http://www.iamthellama.com/yl18.png)

It shows IE7 (which I am going to assume is fully patched, but you never know) rejecting the automatic download of stuff. Yes, the user is prompted to do something. Foolish users can and will allow for it to download and run, but many (most?) AV products will prompt the user anyway. Changing the prompt from the browser to the AV app isn't necessarily better security. I know Norton would probably automatically block it, and I hope others would too, but I'm guessing there's probably a lot of prompting going on from various AV programs.

I'm searching for infected sites with:

http://www.google.com/search?hl=en&hs=ciV&q=%3Cscript+src%3D%22http%3A%2F%2Fyl18.net&btnG=Search

and I must admit that the hacking is spread over a broad swath of the internet, ranging from real estate agents, tire stores, the Cincinnati Rodeo (I had no idea there was such a thing), so there's no doubt that "typical" websites can be compromised.

However, can up to date browsers let in malicious code automatically? It doesn't seem so.

The hackinthebox post you directed me to even alludes to this:
"...This code downloads, without prompting, a small number of executable droppers, and executes them on vulnerable systems ." (my emphasis)

This is typically weaselly journalism that can be interpreted ambiguously, probably because the writer didn't fact check it properly. Is only execution possible on vulnerable systems? Downloading and executing? The sentence could be read both ways.

The screenshot suggests BOTH downloading and executing are only possible on vulnerable systems.

Thoughts?

-Llama

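Two technical points in the thread lend themselves to a concrete check: the search above for pages carrying `<script src="http://yl18.net` (a mass-injection pattern, spotted by the domain the injected script loads from), and the VU#715737 description a few posts earlier of jar: URIs, whose archived content a pre-fix Firefox rendered in the origin of the inner URL. The following Python is an added example, not code from this thread or from any of the posters, of what a content filter or log-review script would do with both: it parses the HTML, flags script tags whose host is on a watch list, and flags jar: URIs along with the origin the browser would have attributed to them. The sample page, the `0.js` path and the `example.com` upload URL are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes that carry a URL we want to inspect.
URL_ATTRS = {
    "script": ("src",), "iframe": ("src",), "a": ("href",),
    "img": ("src",), "object": ("data",), "embed": ("src",),
}


def parse_jar_uri(uri):
    """Split a jar: URI of the form jar:<inner-url>!/<path-in-archive>
    into (inner_url, entry_path). Returns None for anything else."""
    if not uri.lower().startswith("jar:"):
        return None
    inner, sep, entry = uri[4:].partition("!/")
    if not sep or not inner:
        return None
    return inner, entry


def origin_of(url):
    """scheme://host[:port], i.e. the origin a browser assigns to the URL."""
    p = urlsplit(url)
    if not p.scheme or not p.netloc:
        return None
    return f"{p.scheme}://{p.netloc}".lower()


def host_on_watchlist(url, watch_domains):
    """True if the URL's host is a watch-listed domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in watch_domains)


class _RefCollector(HTMLParser):
    """Collects (tag, attribute, value) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in URL_ATTRS.get(tag, ()):
                self.refs.append((tag, name, value.strip()))


def scan_html(html, watch_domains):
    """Return a list of findings: watch-listed script sources and jar: URIs."""
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for tag, attr, value in collector.refs:
        jar = parse_jar_uri(value)
        if jar:
            inner, entry = jar
            findings.append({
                "kind": "jar_uri", "tag": tag, "attr": attr, "value": value,
                "runs_as_origin": origin_of(inner), "entry": entry,
            })
        elif tag == "script" and host_on_watchlist(value, watch_domains):
            findings.append({
                "kind": "watchlisted_script", "tag": tag, "attr": attr,
                "value": value, "host": urlsplit(value).hostname.lower(),
            })
    return findings


# Constructed sample page: one injected script tag using the domain named in
# the thread (the 0.js path is made up) and one jar: link to a hypothetical
# user-uploaded archive on example.com.
SAMPLE_PAGE = """<html><body>
<h1>Cincinnati Rodeo - tickets</h1>
<script src="http://yl18.net/0.js"></script>
<script src="https://cdn.example.org/site.js"></script>
<a href="jar:https://example.com/uploads/avatar.zip!/t.htm">profile</a>
<img src="https://example.com/logo.png">
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE, {"yl18.net"}):
        print(f)
```

Run as-is it reports two findings: the yl18.net script source and the jar: link, the latter annotated with `https://example.com` as the origin the archived HTML would have run under. Watch-list matching is suffix-based on the hostname, so `www.yl18.net` matches but `notyl18.net` does not.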

Offline llama

Anti Virus and Anti Spyware
« Reply #40 on: November 08, 2007, 05:59:20 PM »
Whoops. It occurs to me that the screenshot only shows ONE thing being blocked. There were probably many things that needed blocking. How many actually were? I dunno. I wasn't there and the forum poster didn't say.
Hmmmm.....

Llama


Offline Vulcan

Anti Virus and Anti Spyware
« Reply #41 on: November 08, 2007, 06:28:46 PM »
You underestimate the stupidity of users and social engineering. Most would look at the download prompt and see Microsoft Corporation and click on OK.

I know plenty who refuse to use IE7 as well (it has its own issues). And as you can see above other browsers are not flawless. Usually there is enough time between flaw discoveries and flaw fixes to release valid exploits.

Unless a user gets a prompt saying "OI STUPID THIS IS A VIRUS!" they will click on "OK run it". As the mac community is currently finding out.

Your faith sits on the browser being up to date and the user being knowledgeable enough not to click.

My focus is on providing automated solutions which intervene on user action so that when the user clicks on OK run it the AV steps in and sorts em out (or in the case of a 'smart' firewall the content never gets to the user to ask them to run it in the first place).

Offline Vulcan

Anti Virus and Anti Spyware
« Reply #42 on: November 08, 2007, 06:31:27 PM »
Oh and I usually monitor here for 'stuff' that's going on: http://isc.sans.org/

Offline llama

Anti Virus and Anti Spyware
« Reply #43 on: November 09, 2007, 04:32:48 PM »
Vulcan,

So here we are, a few days later, and I think we're losing sight of the original discussion. When asked what security software I recommended, I said (copy and paste follows):

AV: Kaspersky 2007 or NAV 2008
Spyware: NOTHING if you're having no problems. If you suspect problems, then Spybot Search & Destroy and Ad-Aware for cleaning (both are free). If Spyware continues to trouble you, then SUPERAntiSpyware to clean the system and to try to keep new stuff out.
Firewall: Nothing or WinXP's, plus a hardware firewall. If you insist on outbound blocking, then Comodo.

Browser: Firefox. Blocks a lot of crud that IE is happy to let in.

And Windows Update turned on to full automatic mode.


and I wrote one post later:

Merely visiting "bad websites" and not getting infected is really a function of the web browser's security, or perhaps your AV software (in some cases).

I think we've both established that modern patched browsers (usually - I guess we could debate that too) block drive by downloads, but can be made to present "socially engineered text" that manages to trick users to allow the downloads to happen anyway. You say a good AV software is vitally necessary to then prevent the downloads to run after the user is tricked.

So do I. Note the recommendation of NAV2008 or Kaspersky 2007. And yet despite this, my description of "not getting infected is really a function of the web browser's security, or perhaps your AV software" still stands.

I think the only point of contention we have here is my saying that some users visiting "typical sites" with updated browsers are "good enough" with AVG. I think if the user in question is aware of the attempt that will be made to trick them into agreeing to download stuff, then AVG is fine.

I agree with you, however, that if the user is more likely to "click first and ask questions later" (and we both know all about those users - my business is ultimately based on them), more robust AV software is necessary.

Another Example: a very good friend of mine, who is a fairly good PC consultant, just let me look over his notebook this morning, because it was acting very very VERY slow (80% CPU utilization at idle). Totally rootkitted. He was running AVG and using IE6 (why?! why?! Oh God Why?!?!) to check out some security sites in China earlier this week (he never got more specific, and I don't need to know.) Clearly, AVG with an older, unpatched browser is not enough.

But I never said it was...

-Llama


Offline MrRiplEy[H]

Anti Virus and Anti Spyware
« Reply #44 on: November 10, 2007, 03:59:39 AM »
Quote
Originally posted by Vulcan
Unless a user gets a prompt saying "OI STUPID THIS IS A VIRUS!" they will click on "OK run it". As the mac community is currently finding out.


First of all, I'm writing this on a MacBook Pro of all things.. :lol

I'm not really an Apple fan, but got this for a tool now so I got to deal with it. I've found that most Apple users have been lulled down to a false sense of security. They really believe Mac is invulnerable to viruses and malware because they have been so rare in the past.

I know at least a couple users who would still click the link if it shouted 'this is a virus do not click' on their face. My mom is one of them. Sometimes she calls me for help, I ask her to repeat to me what it says on the screen (firewall msg etc) and this solves the problem. She's literally so panicked with the box that her brain refuses to even consider she could solve the problem by reading the message and instructions on the screen.