Efficient WEB protection - which program?

FromTheRafters

Virus said:
DK said:
Yes. It was a Blackhole Exploit Kit exploiting CVE-2010-0840
and there was no virus.

I guess it depends on one's definition of "virus" but under my
definition it was definitely a virus: it created several instances
of a file with names [rubbish]exey, each of which was trying to
access Internet (firewall blocked them).

These exploits ARE viral in nature.

Not unless they infect or modify preexisting programs in such a way as
to cause them in turn to infect others in the same manner, recursively.

[...]
 
FromTheRafters

DK said:
Google "replication-deficient virus".

No definition is ever precise and absolute and splitting hairs
about definitions serves no useful goal.

The end user cares about *infection* not the definition
of the infectious agent.
Yeah, I usually let it pass or just add it in as extra information.
Sometimes it really does matter whether or not a virus is involved.
Different things have to be considered if a malware instance really *is*
viral.
 
DK

non-viruses do not infect. that is just another sloppy terminology
misuse that many people fall into.

You must have the strangest possible definition of "infection"
in mind.
 
FromTheRafters

Virus Guy wrote:
[...]
I suggest you (and others) abandon that antiquated and at this point
useless definition.

Eh, that ain't gonna happen - not just because someone calling himself
Virus Guy doesn't understand why it remains an important distinction.
Broadly speaking, any code from an external source that runs on a system
without the owner's knowledge (or permission, or desire) is viral code.

That comes very close to the definition of a trojan, which some
taxonomies treat as a superset of virus. If it (a trojan) replicates
itself via infecting programs with copies of itself, it is termed a
virus because additional tools must be brought to bear - it is that much
more important that its viral aspect be addressed that it necessitates
making that distinction with the terminology.
What you call replication can also mean to change into a different
form.

You may be thinking about polymorphism here, but it is an important
thing for the virus that the new set of form be functionally equivalent.
It can't be a different program, just a different way to achieve the
program's same functions.
A first-stage infector that opens channels to obtain a new or
different agents is a form of replication.

Network replication is another matter entirely. By virtue of the virus'
ability to make a copy of its own viral function, it has the ability to
place that code within preexisting programs (file infectors for
instance) - programs that use network replication only, can't do this.
The goal is always the same: To gain control of a system to utilize
its resources, and to actively maintain that control.

....or so it seems from recent history.

Some virus' only goal was to use those resources to replicate, and
perhaps help distribute a data diddling payload.
 
kurt wismer

From: "kurt wismer" <[email protected]>


| [snip]>> Trojans can and does infect.
|
| infection is a viral concept. suggesting that non-viral malware
| "infects" breeds confusion over the distinction between viral and non-
| viral malware. an infectious agent is one that a person intuitively
| knows can spread, but since non-viral malware does not spread it
| should not be confused for an infectious agent.
|>> A trojan that prepends, appends or cavity injects code into a legitimate
|
| is the file an "infected file" or a "trojanized file"? it seems to me
| you've already proposed the correct terminology, and "infected" isn't
| it.

I disagree.  A human can get infected with a fungus/yeast/mold, bacteria,
virus and/or parasite.  A computer can be infected in like.

all of those things reproduce, so it is not unreasonable to call them
all infectious agents. in computers, only viral malware reproduces, so
only viral malware can be called an infectious agent.
As long as the invader overwhelms the systems protection schemes the system
becomes infected.

if i puncture your spleen with a screwdriver, the screwdriver has not
infected you, you are not infected with screwdrivers regardless of the
fact that it has overwhelmed the protective covering known as skin.

the system may become infected, but not all invaders are infectious
agents.
I often parallel an automobile (which most have an understanding of)
and a computer as they are both a system of systems.

One can say that if you have a scratch that the body (the system) is open to
an infection as there is a breakdown in the systems defenses.

Likewise if rubber cover to a ball joint fails and cracks open, it leaves
the joint open to dirt and water and thus that sub-system can fail.  I will
admit that you wouldn't call this an infection but the actions and results
parallel in modeling.

since there is no circumstance under which an automobile would be
considered infected (except perhaps by computer viruses in more modern
ones), the automobile analogy really seems like a non-starter.
Since early days of computing when the virus was the malware du jour, the
objective was to parallel the computer to an animal infection and thus a
trojan does indeed infect the system.  It is an invader that has
overwhelmed the system's defenses thus degrading the overall "health" of
that system.  When a trojan "trojanizes" (some call it patching) a
legitimate file it does the bidding of the malicious actor and the file is
infected as it has code injected into it where it doesn't belong.

a trojan no more infects a system than a hypodermic needle infects a
body. it may carry an infectious agent, but it is not itself one.
I strongly believe a system is infected if malicious software (an invader)
gets into the computer and acts maliciously.  Like a biological system the
infection must be cured.  In the mechanical system of an automobile if sand
gets into the ball-joint it must be cured only in that case, of a mechanical
system, the terminology of infection is not apropos.

infection is absolutely an analogy to biological systems, but not all
things that act in or on biological systems are infectious agents.
 
kurt wismer

How does "code that takes control of a system in order to put the system
to its own use" not include replication as an example of said desired
use?

this question doesn't make sense. it is trivial to write code that
takes over a system without being capable of self-replication.
The old, quaint, pre-internet definition of computer virus is out of
date.

I suggest you (and others) abandon that antiquated and at this point
useless definition.

if your malware lexicon is so small that it is useless to you, my
condolences. but don't project your own limitations onto others. it is
not useless. things that fall outside that definition have the
distinction of having other names. those names impart meaning that is
lost when you call everything a virus, just as the concept of
identification would be lost if we called everyone bruce.
Broadly speaking, any code from an external source that runs on a system
without the owner's knowledge (or permission, or desire) is viral code.

when speaking broadly, the umbrella term you're searching for is
malware.
What you call replication can also mean to change into a different
form.  A first-stage infector that opens channels to obtain a new or
different agents is a form of replication.

no, to 'open channels to obtain a new or different agent' is to be a
downloader trojan. that is not self-replication. even if the file it
downloaded was identical to it (which would be pointless), it would be
making a copy of its twin, not of itself.
The goal is always the same:  To gain control of a system to utilize
its resources, and to actively maintain that control.

just because the goal is always the same, doesn't mean the actor is
too.
And we have lots of examples where a so-called "non-virus" leads to a
system that actively probes its own local or extended network so as to
"replicate" itself to other vulnerable systems.  How is that NOT
classical viral behavior?

since i'm unclear on how you're using "replicate" here, i can't really
answer your question. i suspect, however, that since you felt the need
to put it in quotation marks it probably would be something that
doesn't qualify as self-replication.
Don't be a slave to the narrow lexicon of the extinct past.

narrow? one of us has a 'word bag' that only has one word in it
("virus"), and it isn't me.
 
kurt wismer

You must have the strangest possible definition of "infection"
in mind.

i'm certain that i could come up with a stranger (albeit wrong) one.
therefore the one i have in mind is not the strangest one possible.
 
DK

i'm certain that i could come up with a stranger (albeit wrong) one.
therefore the one i have in mind is not the strangest one possible.

No. Equally strange (wrong) - yes, plenty. Stranger (more wrong) -
no, other than something completely nonsensical, it would be
practically impossible to have one.
 
kurt wismer

No. Equally strange (wrong) - yes, plenty. Stranger (more wrong) -
no, other than something completely nonsensical, it would be
practically impossible to have one.

the definition i have in mind is:

the process of playing host to an agent which spreads from one host to
another.

you really think it wouldn't be stranger if i found some way to
incorporate papa smurf or strange quarks? (or papa smurf AND strange
quarks?)
 
David H. Lipman

From: "kurt wismer said:
On Jan 15, 6:11 pm, "David H. Lipman" <[email protected]> wrote:
[snip]>> Trojans can and does infect.
A trojan will infect the computing system.
infection is a viral concept. suggesting that non-viral malware
"infects" breeds confusion over the distinction between viral and non-
viral malware. an infectious agent is one that a person intuitively
knows can spread, but since non-viral malware does not spread it
should not be confused for an infectious agent.
A trojan that prepends, appends or cavity injects code into a legitimate
file becomes an infected file. The difference is that the now trojanized
file is unable to autonomously spread the infection to another file or
system. If it did, then it would be deemed a virus.
is the file an "infected file" or a "trojanized file"? it seems to me
you've already proposed the correct terminology, and "infected" isn't
it.

I disagree. A human can get infected with a fungus/yeast/mold, bacteria,
virus and/or parasite. A computer can be infected in like.

all of those things reproduce, so it is not unreasonable to call them
all infectious agents. in computers, only viral malware reproduces, so
only viral malware can be called an infectious agent.
As long as the invader overwhelms the systems protection schemes the system
becomes infected.

if i puncture your spleen with a screwdriver, the screwdriver has not
infected you, you are not infected with screwdrivers regardless of the
fact that it has overwhelmed the protective covering known as skin.

the system may become infected, but not all invaders are infectious
agents.
I often parallel an automobile (which most have an understanding of)
and a computer as they are both a system of systems.

One can say that if you have a scratch that the body (the system) is open to
an infection as there is a breakdown in the systems defenses.

Likewise if rubber cover to a ball joint fails and cracks open, it leaves
the joint open to dirt and water and thus that sub-system can fail. I will
admit that you wouldn't call this an infection but the actions and results
parallel in modeling.

since there is no circumstance under which an automobile would be
considered infected (except perhaps by computer viruses in more modern
ones), the automobile analogy really seems like a non-starter.
Since early days of computing when the virus was the malware du jour, the
objective was to parallel the computer to an animal infection and thus a
trojan does indeed infect the system. It is an invader that has
overwhelmed the system's defenses thus degrading the overall "health" of
that system. When a trojan "trojanizes" (some call it patching) a
legitimate file it does the bidding of the malicious actor and the file is
infected as it has code injected into it where it doesn't belong.

a trojan no more infects a system than a hypodermic needle infects a
body. it may carry an infectious agent, but it is not itself one.
I strongly believe a system is infected if malicious software (an invader)
gets into the computer and acts maliciously. Like a biological system the
infection must be cured. In the mechanical system of an automobile if sand
gets into the ball-joint it must be cured only in that case, of a mechanical
system, the terminology of infection is not apropos.

infection is absolutely an analogy to biological systems, but not all
things that act in or on biological systems are infectious agents.

Sorry....

I disagree with you so we will agree to disagree.
 
villandra

From: "kurt wismer" <[email protected]>
[snip]>> Trojans can and does infect.
A trojan will infect the computing system.
infection is a viral concept. suggesting that non-viral malware
"infects" breeds confusion over the distinction between viral and non-
viral malware. an infectious agent is one that a person intuitively
knows can spread, but since non-viral malware does not spread it
should not be confused for an infectious agent.
A trojan that prepends, appends or cavity injects code into a legitimate
file becomes an infected file.  The difference is that the now trojanized
file is unable to autonomously spread the infection to another file or
system.  If it did, then it would be deemed a virus.
is the file an "infected file" or a "trojanized file"? it seems to me
you've already proposed the correct terminology, and "infected" isn't
it.
I disagree.  A human can get infected with a fungus/yeast/mold, bacteria,
virus and/or parasite.  A computer can be infected in like.
all of those things reproduce, so it is not unreasonable to call them
all infectious agents. in computers, only viral malware reproduces, so
only viral malware can be called an infectious agent.
if i puncture your spleen with a screwdriver, the screwdriver has not
infected you, you are not infected with screwdrivers regardless of the
fact that it has overwhelmed the protective covering known as skin.
the system may become infected, but not all invaders are infectious
agents.
since there is no circumstance under which an automobile would be
considered infected (except perhaps by computer viruses in more modern
ones), the automobile analogy really seems like a non-starter.
a trojan no more infects a system than a hypodermic needle infects a
body. it may carry an infectious agent, but it is not itself one.
infection is absolutely an analogy to biological systems, but not all
things that act in or on biological systems are infectious agents.

Sorry....

I disagree with you so we will agree to disagree.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

I love it! Someone asks a good question, and instead of anyone
answering it, we have an idiotic semantic argument on what's a virus.

If it's nasty, as far as I'm concerned, it's a virus. You can call
it what you want to! When someone else uses the term virus, you know
perfectly well what they mean.

Now. I too want to know what anti-virus program can spot viruses.

Yours,
Dora
 
FromTheRafters

villandra wrote:
[...]
I love it! Someone asks a good question, and instead of anyone
answering it, we have an idiotic semantic argument on what's a virus.

It was answered long ago, and "WEB protection" and "antivirus" are
entirely different things despite users' desire to gloss over the
differences.

The OP provided an example malware that he desired protection from, he
got several good answers and picked one already.
If it's nasty, as far as I'm concerned, it's a virus. You can call
it what you want to! When someone else uses the term virus, you know
perfectly well what they mean.

Usually not until we identify what it *really* is can we address how to
protect yourself from it. Chances are *very* good that a virus is not
involved, and that simplifies matters considerably.

The term 'virus' for some reason has popular appeal where the correct
term of 'malware' is rather dull. It doesn't matter what you call a
virus at your dinner table, but it matters here.
Now. I too want to know what anti-virus program can spot viruses.

That's an entirely different question from the one the OP asked. "All of
them" is the answer, that's why they call them anti-virus programs. Good
WEB protection can come from anti-malware programs (which in turn do not
specifically target viruses).

I use Avira Free Antivirus, and don't use any web protection thingies.
Another computer I have running Avast! Antivirus (free).

None of those will stop Javascript from running, which is what the OP
really needed anyway IMO.
 
DK

I use Avira Free Antivirus, and don't use any web protection thingies.
Another computer I have running Avast! Antivirus (free).

None of those will stop Javascript from running, which is what the OP
really needed anyway IMO.

No, not just any "javascript" but, very clearly, the javascript that installs
and runs malware. Both of these programs are advertised to stop such
attacks and, in fact, are supposed to be able to do it - based, at the
very least, on the file execution real time protection (OK, so in my
case it was aided by some other program's security hole but the
fact is that a malicious EXE with a code normally detected by both of
the programs was allowed to be run). That's a big FAIL for these
antivirus products.

Dima
 
kurt wismer

I love it!  Someone asks a good question, and instead of anyone
answering it, we have an idiotic semantic argument on what's a virus.

and i love how people with no appreciation for the meanings of words
use "semantic" like it's a slur.
If it's nasty, as far as I'm concerned, it's a virus.   You can call
it what you want to!  When someone else uses the term virus, you know
perfectly well what they mean.

no, actually we don't know perfectly well what they mean. we'd have
only the barest inkling of what they mean.

ignoring the difference between viral and non-viral malware is like
ignoring the difference between a sprain and a broken bone. unless you
treat them both with amputation, recovery depends on knowing what
you've actually got.
 
kurt wismer

You're wasting your time complaining about it, I remember when Usenet
was full of pedants making the same distinctions about spam.

it hardly takes a pedant to recognize that there's no such thing as an
infection that doesn't spread.
 
Bear

How does it get to your computer?
Maybe this can be solved easily. Your computer gets "sick" rather than
"infected" and leave the rest to the "doctors."

Of course I don't go to the doctor every time I get sick.

:)

Are there any Doctors in the house?
 
kurt wismer

Malaria is an infection but it is spread by mosquitos, not by people
passing it on to others.

and? it still spreads. it still reproduces, even if it uses an
intermediary.
 
kurt wismer

How does it get to your computer?

non-viral malware can BE spread (like manure) but it doesn't spread
itself (like an infectious disease).

it gets on your computer by way of being purposefully placed somewhere
(by a human being) where you (or some automated part of your computer)
are likely to run it.

the key difference between viral and non-viral malware is that
dependence on intentional malicious action by a person. after a virus
is released into a population, it just keeps going and going
autonomously without interference, but non-viral malware doesn't go
anywhere without someone laying some sort of trap.

and the reason that's important is because autonomous action can (in
theory) be mitigated with autonomous defenses, but human action cannot.
 
FromTheRafters

DK said:
No, not just any "javascript" but, very clearly, the javascript that installs
and runs malware. Both of these programs are advertised to stop such
attacks and, in fact, are supposed to be able to do it - based, at the
very least, on the file execution real time protection (OK, so in my
case it was aided by some other program's security hole but the
fact is that a malicious EXE with a code normally detected by both of
the programs was allowed to be run). That's a big FAIL for these
antivirus products.

Dima

The initial URL used Javascript to read, write, and compare cookies. The
result of the comparison was to redirect to another URL with more
Javascript else to "Bing". Some of the 'more Javascript' was obfuscated,
but obfuscation in and of itself is not a sign of maliciousness.

Every such "protection" program can be expected to miss some of the many
different forms that even one malware can assume through polymorphism of
one type or another.

I never asked about what kind of "Web Protection" was envisioned by the
OP, but one kind I can think of is basically a black list of domains
known to be currently (or recently) serving up malware (sort of like the
'hosts' file so often touted). Such 'protection' doesn't even look at
files at all. *Viruses* have to be looked at, you generally can't
protect yourself from them without having the ability to inspect within
program files for their signature(s). That ability is quite a bit more
complicated than most people realize.
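
An added illustration of the contrast drawn in the post above (not code from any poster or product): a hosts-style domain blacklist decides on the hostname alone, while signature detection has to read the file content, and each misses what the other catches. All hostnames, signature bytes and sample payloads are constructed.

```python
"""Added illustration: domain blocklist vs. content signature scan.
All hostnames, signature bytes and payloads here are constructed."""
from urllib.parse import urlsplit

# Constructed hosts-format blocklist (the 'hosts' file style mentioned above).
HOSTS_BLOCKLIST = """\
# sinkhole entries
0.0.0.0 bad-landing.example
0.0.0.0 exploit-kit.example   # trailing comment
127.0.0.1 localhost
"""

# Constructed byte signature; real scanners use far richer detection logic.
SIGNATURES = {"Constructed.Dropper.A": bytes.fromhex("deadbeef4d5a9000")}


def parse_hosts_blocklist(text):
    """Return hostnames mapped to a sinkhole address, ignoring comments."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in ("0.0.0.0", "127.0.0.1"):
            continue
        blocked.update(n.lower().rstrip(".") for n in fields[1:]
                       if n.lower() != "localhost")
    return blocked


def url_blocked(url, blocked):
    """Exact hostname match only, as a hosts file does; no content is read."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host in blocked


def scan_bytes(data, signatures):
    """Return names of signatures whose byte pattern occurs in the content."""
    return sorted(name for name, pat in signatures.items() if pat in data)


def evaluate(url, body, blocked, signatures):
    """Apply the domain check first, then the content check."""
    if url_blocked(url, blocked):
        return ("blocked-by-domain", [])
    hits = scan_bytes(body, signatures)
    return ("blocked-by-signature", hits) if hits else ("allowed", [])


# Constructed sample content: one body carrying the signature bytes, and a
# byte-for-byte re-encoded copy standing in for "a different form".
SAMPLE = b"MZ" + b"\x00" * 8 + SIGNATURES["Constructed.Dropper.A"] + b"tail"
VARIANT = bytes(b ^ 0x5A for b in SAMPLE)

if __name__ == "__main__":
    blocked = parse_hosts_blocklist(HOSTS_BLOCKLIST)
    cases = [
        ("http://bad-landing.example/a.js", SAMPLE),      # listed host
        ("http://cdn.bad-landing.example/a.js", SAMPLE),  # unlisted subdomain
        ("http://unlisted.example/a.bin", VARIANT),       # unlisted + re-encoded
    ]
    for url, body in cases:
        print(url, evaluate(url, body, blocked, SIGNATURES))
```

The unlisted subdomain gets past the blacklist and is caught only because the content is inspected; the re-encoded copy from an unlisted host gets past both checks.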
 
