Problem with Malware

Fats

This is an answer to your question in very simple terms (cause I am simple <G>). While the typical Trojans, etc. are still out there, up until recently they have been designed to do "bad" things and are usually a pain in the a@@ to remove. But the newer types of threats stem from rootkit/malware. These attacks are very sophisticated and usually with one goal... to steal your personal information without you being aware it's happening. They don't use cutesy names, create obvious signatures, etc. They rely on stealth and watchdogs. A little clarification... stealth actually means modifying the system tools to prevent you from discovering the attack. For instance, code is often injected into task manager (and other tools) that prevents task manager from displaying the process. You go out and use task mgr to check your running processes, and the results look as expected... EXCEPT the attacking process doesn't show up!! So you think everything is kewl... not. And let's say you determine a specific process is an attack, and you kill it... BIG mistake. Additional processes are running whose sole purpose in life is to monitor the attacking process, and if it is killed, start it up again. So you would see the process go away and within a second or two come right back. And now the watchdogs have been alerted someone is trying to kill the attacker. And so it goes.... Unless a particular attack can be given a signature (and it probably can't) virus programs are all but useless in identifying the attack, let alone removing it.

Probably the most important thing you can do to keep from being infected is to stay away from the obvious sources of infection... porn sites, MySpace, etc. In other words, any site you visit while behind closed doors <G>
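
An added example, not written by either poster, showing how a defender can look for the two behaviours the post describes: a process hidden from the tool-facing view but present in a lower-level enumeration (a cross-view diff), and a process that reappears within seconds of being killed (a watchdog respawn). All process names, PIDs and timestamps below are constructed sample data, not real indicators.

```python
"""Cross-view and respawn checks on constructed sample data."""

# Constructed snapshots of the same machine at the same moment: what a hooked
# tool such as Task Manager would show, versus a lower-level enumeration.
HIGH_LEVEL_VIEW = {(4, "System"), (612, "svchost.exe"), (1340, "explorer.exe")}
LOW_LEVEL_VIEW = {(4, "System"), (612, "svchost.exe"), (1340, "explorer.exe"),
                  (2288, "updsvc.exe")}   # constructed: only the low-level view sees it


def hidden_processes(high_level, low_level):
    """Return (pid, image) pairs present in the low-level view but missing from
    the tool view. A non-empty result is the classic sign of a process-hiding
    hook and deserves investigation from a clean boot medium."""
    return sorted(low_level - high_level)


# Constructed process-lifetime events: (timestamp_seconds, event, pid, image).
EVENTS = [
    (100.0, "exit",  2288, "updsvc.exe"),    # analyst kills the suspect process
    (101.4, "start", 3012, "updsvc.exe"),    # a watchdog starts it again
    (200.0, "exit",  1340, "explorer.exe"),
    (260.0, "start", 1500, "explorer.exe"),  # relaunched a minute later: not suspicious
]


def respawn_suspects(events, window=5.0):
    """Image names that start again within `window` seconds of an exit.

    Returns a list of (image, exit_time, start_time). The window separates a
    watchdog respawn (seconds) from an ordinary user relaunch (minutes).
    """
    last_exit = {}
    hits = []
    for ts, kind, _pid, image in sorted(events):
        if kind == "exit":
            last_exit[image] = ts
        elif kind == "start" and image in last_exit:
            if 0 <= ts - last_exit[image] <= window:
                hits.append((image, last_exit[image], ts))
    return hits


if __name__ == "__main__":
    print("hidden from tool view:", hidden_processes(HIGH_LEVEL_VIEW, LOW_LEVEL_VIEW))
    print("respawned within window:", respawn_suspects(EVENTS))
```

On a real system the two views would come from two independent enumeration methods and the events from process-creation auditing; the logic is the same.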

David H. Lipman

From: "Fats" <Vegas@Nevada>

| This is an answer to your question in very simple terms (cause I am simple <G>). While the typical Trojans, etc. are still out there, up until recently they have been designed to do "bad" things and are usually a pain in the a@@ to remove. But the newer types of threats stem from rootkit/malware. These attacks are very sophisticated and usually with one goal... to steal your personal information without you being aware it's happening. They don't use cutesy names, create obvious signatures, etc. They rely on stealth and watchdogs. A little clarification... stealth actually means modifying the system tools to prevent you from discovering the attack. For instance, code is often injected into task manager (and other tools) that prevents task manager from displaying the process. You go out and use task mgr to check your running processes, and the results look as expected... EXCEPT the attacking process doesn't show up!! So you think everything is kewl... not. And let's say you determine a specific process is an attack, and you kill it... BIG mistake. Additional processes are running whose sole purpose in life is to monitor the attacking process, and if it is killed, start it up again. So you would see the process go away and within a second or two come right back. And now the watchdogs have been alerted someone is trying to kill the attacker. And so it goes.... Unless a particular attack can be given a signature (and it probably can't) virus programs are all but useless in identifying the attack, let alone removing it.
|
| Probably the most important thing you can do to keep from being infected is to stay away from the obvious sources of infection... porn sites, MySpace, etc. In other words, any site you visit while behind closed doors <G>

I guess you never heard of an AV application with IDS or Exploit code.

Exploit code can be detected with signature and heuristics and the IDS module will detect so-called "attacks".

So before you make a broad statement like... "Unless a particular attack can be given a signature (and it probably can't) Virus programs are all but useless in identifying the attack, let alone removing it"

BTW you don't "remove" attacks. You block or mitigate them.

Fats

| I guess you never heard of an AV application with IDS or Exploit code.

Bad guess... I've heard of both terms. So what?

| Exploit code can be detected with signature and heuristics and the IDS
| module will detect so-called "attack"

Yeah right..

http://aviv.raffon.net/2006/09/25/VMLExploitVsAVIPSIDSSignatures.aspx

Heuristics is just a BS word equating to "experience". It became popular when AI was the big thing... backward chaining, forward chaining, heuristics, Lisp, Prolog, etc. A lot of jargon that sounded like something magic was going on. Anyway your statement shows me you are a virus prevention salesman's wet dream. And your lack of knowledge about Rootkits is apparent. Take a free lesson... Mark Russinovich's "Advanced Malware Cleaning" (Free)

http://www.microsoft.com/technet/sysinternals/markswebcasts.mspx

| So before you make a broad statement like... "Unless a particular attack can be given a
| signature (and it probably can't) Virus programs are all but useless in identifying the
| attack, let alone removing it"

Read my email again... I wrote it in SIMPLE (apparently not simple enough for some) terms (and so stated) because the target is not into tech stuff. My message to him was trying to say that just because you have a zim-boo-bah antivirus program doesn't mean you can't get infected with rootkit/malware attacks... and they are ATTACKS.

| BTW you don't "remove" attacks. You block or mitigate them.

Why in the world would I want to mitigate them.... do you even know what that means? You're playing word games... attack can be a noun, verb or adjective. If a program is attacking my system I can remove the attack by removing the program.

I've just been reminded we have tickets to go see Pam Anderson in a magic show. Somehow you're less important..

David H. Lipman

From: "Fats" <Vegas@Nevada>

| Bad guess... I've heard of both terms. So what?
|
| Yeah right..
|
| http://aviv.raffon.net/2006/09/25/VMLExploitVsAVIPSIDSSignatures.aspx
|
| Heuristics is just a BS word equating to "experience". It became popular when AI was the big thing... backward chaining, forward chaining, heuristics, Lisp, Prolog, etc. A lot of jargon that sounded like something magic was going on. Anyway your statement shows me you are a virus prevention salesman's wet dream. And your lack of knowledge about Rootkits is apparent. Take a free lesson... Mark Russinovich's "Advanced Malware Cleaning" (Free)
|
| http://www.microsoft.com/technet/sysinternals/markswebcasts.mspx
|
| Read my email again... I wrote it in SIMPLE (apparently not simple enough for some) terms (and so stated) because the target is not into tech stuff. My message to him was trying to say that just because you have a zim-boo-bah antivirus program doesn't mean you can't get infected with rootkit/malware attacks... and they are ATTACKS.
|
| Why in the world would I want to mitigate them.... do you even know what that means? You're playing word games... attack can be a noun, verb or adjective. If a program is attacking my system I can remove the attack by removing the program.
|
| I've just been reminded we have tickets to go see Pam Anderson in a magic show. Somehow you're less important..


Oh boy... Where should I start :)

Email?

You posted to a News Group via the Network News Transfer Protocol (NNTP) via TCP port 119 from Cox in the Las Vegas area. You did NOT send email via the Simple Mail Transport Protocol (SMTP) TCP port 25.

You show a URL that mentions the VML in HTML Buffer Overflow Exploit. It was thanks to me and my peers that submitted samples of the exploit code to the various vendors. The same goes for the WMF, ANI and other exploits.

As for RootKits I have read Marco G.'s "The strange case of Dr.Rootkit and Mr.Adware" and I handle many RootKits and ADS files on a regular basis. I have dealt with Haxdoor, Gromozon and Goldun to name a few. Maybe I should have Gmer post a few words here on the subject. Even though he's Polish his ability to describe the subject matter in English is better than most English only speaking people.

As for "attacks".
RootKits are not "attacks". RootKits are planted. They are complex Trojans that use exploitation code, Social Engineering, or some other methodology to get "rooted" or gain access to the lowest level of the Kernel or the "root" of the OS where they have complete control over their actions.

DDoS/DoS are attacks. The act of Hacking is an attack. Acts of Hacktivism are attacks. Internet worms spreading through protocols such as TCP port 445 and 135 may be considered attacks. Trojans do NOT attack.

Of course you want to mitigate all threats including attacks.
* Patch the vulnerabilities.
Most just think about Microsoft software. Well there's vulnerabilities in RealAudio, QuickTime, Sun Java, FireFox, Opera, etc, etc. All must be kept up-to-date to "mitigate" threats and maintain the information assurance level of any given platform.
* Close ports that don't need to be open.
* Reduce your platform(s) visibility to the Internet.
* Practice Safe Hex
* Use a good anti virus application (does NOT include MS OneCare)

You said "My message to him...". From what I see you didn't reply to any post or thread and thus replied to nobody. From what I see you posted a new topic and created a new thread.

Finally, according to Microsoft (if you believe their BS) Vista doesn't get infected with malware. < ROFLOL >