Tech: Info on Malware for All.

Subject: Tech: Info on Malware for All.
From: JohnInKansas
Date: 21 Aug 12 - 11:01 AM

Although the "news" is about a month old, it's still something of which ALL kinds of users should be aware:

Web-based malware determines your OS, then strikes

F-Secure

New malware that is spread via the Web, and is operating system-agnostic, has been discovered by researchers at F-Secure.

The malware uses social engineering by showing this "warning" (top version shown here is for Windows, the bottom is for Mac) when a user visits the tainted page and gets the "warning." [images at the link]

It doesn't matter which operating system you're using, says F-Secure; the file first "checks if the user's machine is running in Windows, Mac or Linux then downloads the appropriate files for the platform."

The payload? "Once it has found out which operating system you are running, the Java class file will download the appropriate flavor of malware, with the intention of opening a backdoor that will give hackers remote access to your computer," writes Sophos Security's Graham Cluley on that company's blog.

Topher Kessler of CNET's Blog Network notes that if "at any point you see a program, applet, or other resource attempt to use a self-signed certificate, then be sure you personally trust the source before using it (i.e., it is from a server you own or manage)."

Legitimate vendors will "use certificates signed by an authority like VeriSign, which authenticates to the root certificates in your system to ensure applets and other transactions with the service are legitimate and secure," he writes.

Cluley notes that this "isn't, of course, the first cross-platform malware that we have seen. For instance, in 2010 we saw the Boonana malware which similarly used a malicious Java applet to deliver a cross-platform attack that attempts to download further malware on Windows, Unix and Mac OS X."

With more malware attacks on Apple's OS in the past year, and ongoing strikes against Windows-based systems, "although the amount of malware written for different operating systems can vary, it's becoming increasingly hard to argue on any OS that it's safe to surf the Web without anti-virus protection," Cluley wrote. And it's hard to argue with that.

[end quote]

Note that this is the second fairly recent exploit that attacks ALL OPERATING SYSTEMS, and that has been in wide enough circulation to merit serious concern. While the malware probably has to include separate payload versions for each OS, the ability to determine what OS you're running is pretty simple, and Java (and some other "new" stuff people are experimenting with) probably makes it simpler for even the "script kiddies" to come up with this kind of attack. Expect more of the same.

Safe browsing habits are important for all, and are the "first line of defense." For those people who don't believe they need anti-malware defenses, AT THE VERY MINIMUM they should find a place to get a good AV scan and know how to get to it if their machine ever shows signs of being infected. And remember that an AV program is useless unless it's kept up to date, or can be downloaded "new and current" when needed.

A different malware form has also been reported recently that "steals all your information and then deletes everything" that is particularly malicious; but at present it's been found almost exclusively in "Arab countries" and hasn't been considered much of a threat in western regions. Since most malware takes extreme measures to avoid detection, the purpose of this one - that makes it rather obvious when an attack has occurred - is still mostly unknown. The biggest hazard with it is that it only needs to get on a few machines that "talk to" machines in other places in order to spread everywhere, so watching for further reports is probably a good idea.

John



Subject: RE: Tech: Info on Malware for All.
From: Ole Juul
Date: 21 Aug 12 - 04:03 PM

> . . . it's becoming increasingly hard to argue on any OS that it's safe to surf the Web without anti-virus protection," Cluley wrote. And it's hard to argue with that.

No, it is not hard to argue with that. He is selling something. It is indeed possible to write viruses for *nix systems, but when people like him talk about exploits, they neglect to say that it only works if you have physical access to the machine or know the root password - in which case the OS is not the problem. I am well aware of the value of the "never say never" meme, but Cluley is just another one of the Windows apologists / salesmen.



Subject: RE: Tech: Info on Malware for All.
From: GUEST,leeneia
Date: 22 Aug 12 - 09:14 AM

I consider that article kind of strange. Surely a well-known virus has been assigned a name. (Preferably an unromantic set of numbers and letters.) Given the name, I can obtain software to scan for it and remove it.

So far, all that F-secure has done is scare me without offering any suggestions on how to improve my situation.

What's my situation? My computer has slowed down, it doesn't respond well to the mouse, and nobody can find a reason.



Subject: RE: Tech: Info on Malware for All.
From: GUEST,Charles Macfarlane
Date: 22 Aug 12 - 09:37 AM

Need to know more specifics to help you - what type of computer, what operating system, what type of mouse, and how connected, what hardware checks have you done such as trying a different mouse, did the problem begin with some identifiable occurrence, such as visiting a particular website or installing a particular program?



Subject: RE: Tech: Info on Malware for All.
From: GUEST,leeneia
Date: 22 Aug 12 - 11:23 AM

Thanks for your kindness, Charles, but I've done a lot of stuff, including buying a new mouse, malware scans and system restore. All I'd like now is the name of the malware described in the article.

My backup plan is that a friend who is a computer professional has offered to come over and have a look at my machine. But if I can solve this without imposing on her, it would be nice.

Meanwhile, just watch. I'm supposed to have a fast system, but I'll click Submit and it will take ten seconds for this message to go.



Subject: RE: Tech: Info on Malware for All.
From: GUEST,Charles Macfarlane
Date: 22 Aug 12 - 12:50 PM

> From: GUEST,leeneia
>
> Meanwhile, just watch. I'm supposed to have a fast system, but I'll click Submit and it will take ten seconds for this message to go.

For me, that's about normal for loading any page from Mudcat. I suspect it's the advertisement blocking I have in place.



Subject: RE: Tech: Info on Malware for All.
From: Ole Juul
Date: 22 Aug 12 - 02:04 PM

Lots of things can cause a machine to be slow. I don't know much about MS-Windows, but I've noticed that people sometimes have pending upgrades and "call home" type things that take control (and bandwidth) away from the user. Also, I note that Mudcat has been very slow the last couple of days and I too have seen up to ten seconds response time. It seems pretty good now though.



Subject: RE: Tech: Info on Malware for All.
From: GUEST,mg
Date: 22 Aug 12 - 10:49 PM

My mouse is acting odd too and I have something called Babylon that takes over web browsing. I have free support through my host and they were supposed to have cleaned it but it still seems to be on.



Subject: RE: Tech: Info on Malware for All.
From: Ole Juul
Date: 22 Aug 12 - 11:16 PM

You can do a net search on the term "how to remove babylon" and do it yourself. You will find hundreds of sets of directions, including numerous videos. Good luck. :)



Subject: RE: Tech: Info on Malware for All.
From: JohnInKansas
Date: 23 Aug 12 - 09:56 AM

Mudcat has been a little slow for me recently, but other sites respond normally. That could be because of something at mudcat, or with a relay server that it uses often, but since it's just mudcat I can be pretty sure it's not on my computer.

You can get similar assurance by checking whether it's just one site that's doing something unusual, or if it's all of them. If everything is slow, you probably have a problem with your own machine.

Malware removers often just delete or quarantine the file that contains a particular bit of code that the remover recognizes, but the malware may also have added other files that are not in themselves capable of doing anything much. Checking for instructions for removing the malware, as already suggested, may let you get rid of a lot more of the junk associated with the malware.

Occasionally the malware may modify an existing file that your computer needs to use, and quarantine or deletion of the infected file can muck things up. The complete removal instructions you'll find should tell you if you need to replace a file "damaged" by the particular malware. Your service is unlikely to do this for you.

Your mouse and keyboard most likely are connected via USB, even if they're "wireless" ones. USB sometimes gets confused. A procedure that sometimes helps is to:

1. shut down the computer.
2. disconnect all USB devices.
3. restart the computer
4. plug in ONE device at a time and let the computer's PNP recognize it and connect it up before you plug in the next thing.

This works better if you get into Control Panel and delete all the existing USB connections before the shutdown, but that can cause problems you likely will want on-site help with from someone more experienced. (Like how do you shut down properly if you've deleted both mouse and keyboard connections, and how do you log back on with no keyboard connected?)

John



Subject: RE: Tech: Info on Malware for All.
From: GUEST,leeneia
Date: 23 Aug 12 - 10:06 AM

Thanks for the info about Babylon and USB.



Subject: RE: Tech: Info on Malware for All.
From: JohnInKansas
Date: 23 Aug 12 - 10:16 AM

> Surely a well-known virus has been assigned a name.

The reason for no name is that the news report describes a usage of a "normal process" that can be used to try to get any kind of malware on your computer, but isn't itself a real malware form.

Any site you connect to can tell what browser you're using, and with very little more effort can tell what OS you use. That's a normal function.

In the past, few malware designers have used the method to "tailor" their payload of junk. Some of them are doing it now, and that's what the report wants you to know.

As to the immunity of 'nix systems, the operator sitting at the keyboard has direct access to the computer and must have some privileges in order to be able to do much of anything. IF THE PERSON AT THE KEYBOARD does something stupid, the computer must follow instructions, and it doesn't much matter what OS is being used.

Much of the malware currently in circulation attempts to get ONE PERSON to compromise personal information, so that they can steal from that person. They DON'T WANT SMART PEOPLE since their success depends on the operator being induced to make additional mistakes.

As long as there's one fool (or careless/distracted genius) left in the world, any system can be compromised. For most currently active malware, they don't care about getting into the entire system. They only want the keyboard where the "vulnerable person" sits.

John
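
The "normal function" John describes, a site learning your OS from the request it receives, is a few string matches on the User-Agent header; the Java class in the F-Secure report does the same thing from inside the JVM instead. The following is an added example, not code from the article or from any of the vendors quoted, showing a server-side classifier and the per-platform dispatch table that both a legitimate download page and the reported malware need. The user-agent strings are constructed in the shape real browsers send, and the file names in `downloadFor` are placeholders. It goes a little beyond the article by including Android and iOS, because those are exactly the cases where a naive match goes wrong: an Android user-agent also contains "Linux", and an iPhone one also contains "Mac OS X", so the order of the rules matters.

```go
package main

import (
	"fmt"
	"strings"
)

// Platform is the bucket a per-OS dispatcher sorts a visitor into.
type Platform string

const (
	Windows Platform = "windows"
	MacOS   Platform = "macos"
	Linux   Platform = "linux"
	Android Platform = "android"
	IOS     Platform = "ios"
	Unknown Platform = "unknown"
)

// rule pairs a substring of the User-Agent with the platform it implies.
type rule struct {
	marker   string
	platform Platform
}

// rules are tested in order: the more specific mobile markers come first,
// because "Android" UAs also contain "Linux" and iPhone/iPad UAs also contain
// "like Mac OS X".
var rules = []rule{
	{"Android", Android},
	{"iPhone", IOS},
	{"iPad", IOS},
	{"Windows NT", Windows},
	{"Mac OS X", MacOS},
	{"Linux", Linux},
}

// PlatformFromUserAgent classifies a User-Agent header value.
func PlatformFromUserAgent(ua string) Platform {
	for _, r := range rules {
		if strings.Contains(ua, r.marker) {
			return r.platform
		}
	}
	return Unknown
}

// downloadFor maps a platform to the artefact a dispatcher would serve.
// The names are placeholders for this example, not anything from the article.
// Platforms with no build get an empty name, i.e. nothing is served.
func downloadFor(p Platform) string {
	switch p {
	case Windows:
		return "update.exe"
	case MacOS:
		return "update.pkg"
	case Linux:
		return "update.sh"
	default:
		return ""
	}
}

// samples are constructed User-Agent strings, not captured traffic.
var samples = []string{
	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0 Safari/537.1",
	"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.25 (KHTML, like Gecko) Safari/536.25",
	"Mozilla/5.0 (X11; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1",
	"Mozilla/5.0 (Linux; Android 4.0.4; GT-I9300) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0",
	"Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Safari/7534.48.3",
	"curl/7.26.0",
}

func main() {
	for _, ua := range samples {
		p := PlatformFromUserAgent(ua)
		fmt.Printf("%-8s %-12q %s\n", p, downloadFor(p), ua)
	}
}
```

Because the classification rests entirely on a header the client chooses to send, it is trivially spoofable in both directions: a defender can fetch a suspect page with each platform's user-agent in turn to collect every variant of what it serves, which is how the F-Secure screenshots of the Windows and Mac "warnings" were obtained in the first place.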



Subject: RE: Tech: Info on Malware for All.
From: JohnInKansas
Date: 23 Aug 12 - 12:56 PM

Not an immediate hazard, but on the subject, as above, of the use of normal processes for malicious purposes, a couple of researchers have produced a demonstration that an "innocent script" (containing no identifiable malware) could be used to assemble bits and pieces from the perfectly good (and otherwise safe) programs on your computer, to produce something that performs malicious actions.

This is (for now) a "concept" only, and there's been no known use of the idea; but it may give an idea of what could come along eventually. (Eventually could be fairly soon, of course.)

'Frankenstein' virus could assemble itself from app snippets

[quote]

Many malware and viruses can be identified by detection software because of known bits of malicious code. But what if there was a virus compiled from little bits of programs you already had installed? That's just what two security researchers are looking into.

Vishwath Mohan and Kevin Hamlen at the University of Texas at Dallas are interested in how malware disguises itself in order to propagate more widely. After all, with virus detectors and operating systems getting frequent updates, any positively identified virus will be destroyed on sight around the world soon after.

Malware authors and security experts have tried different ways to camouflage malicious code, like encrypting it or adding garbage data to confuse the scanners. But Mohan and Hamlen take it a step further: their virus builds itself out of pieces your computer knows to be safe — bits of applications like your word processor, image editor or Web browser.

Appropriately enough, they call it Frankenstein, and although right now it's still just a proof of concept, it's an indication of one avenue hackers might take in the future. Why bother sending out a whole application stuffed full of code that could be identified as bad news when you can just send a "blueprint" of what it needs, and let it assemble itself on-site, as it were?

Their Frankenstein is a "toy" version, which means it does not propagate itself onto other computers, but it can make variants of itself by stealing different code from different programs. That means that every "mutant" version it creates of itself will be significantly different, but still check out when looked at piece by piece for suspicious functions.

And there's no shortage of the snippets of code, which they call "gadgets." As they remark in the paper describing their work:
The results show that even with the limited capacity of our prototype, 2–3 binaries are sufficient to bring the number of gadgets above 100,000. On average we discovered about 46 gadgets per KB of code, finding approximately 2338 gadgets per second.

In other words, just a few basic applications rendered thousands of pieces to use. That many spare parts could keep the virus scanners busy for quite some time, though there is always the risk that they could be trained to look for the "blueprint" instead of the resultant patched-together virus. But that too could be made to look legitimate.

Mohan and Hamlen hope that being aware of camouflaging systems like this will make virus detection stronger and better; after all, if they didn't invent it, some less well-meaning person might have instead, and it would be at large instead of in a paper.

The research was supported by Air Force and National Science Foundation grants. The paper, "Frankenstein: Stitching Malware from Benign Binaries," is available for free download here, as well as the slides from Mohan and Hamlen's presentation at the USENIX security workshop.

[end quote]

There's a nice picture of Frankie at the link, and links to where you can download the full report if that's of interest to anyone.

(Happy browsing.)

John
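
The numbers quoted from the paper (tens of thousands of gadgets from two or three binaries, about 46 per KB) come from harvesting short instruction sequences out of ordinary executables. The following is an added example written for this page; it is not the Frankenstein prototype's code and does not reproduce its semantic matching. It shows only the first step in the crudest form, the same one ROP gadget finders use: on x86 any byte offset can be decoded as an instruction boundary, so every byte window that ends in a `ret` (0xC3) is a candidate snippet that executes and returns. The `sample` bytes are a constructed stand-in for a slice of a benign binary's code section, so the per-KB figure it prints is not comparable with the paper's.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"sort"
)

// x86Ret is the one-byte near-return opcode.
const x86Ret = 0xC3

// FindGadgets scans code and returns every distinct byte window of length
// 1..maxLen that ends in a return opcode, keyed by its hex encoding, with the
// number of offsets at which it occurs. It does not disassemble; a real
// harvester decodes each window and keeps only those that form valid
// instructions, which is why yields are lower than this naive count.
func FindGadgets(code []byte, maxLen int) map[string]int {
	gadgets := make(map[string]int)
	for i, b := range code {
		if b != x86Ret {
			continue
		}
		for n := 1; n <= maxLen && n <= i+1; n++ {
			window := code[i-n+1 : i+1]
			gadgets[hex.EncodeToString(window)]++
		}
	}
	return gadgets
}

// GadgetsPerKB expresses the yield the way the paper reports it.
func GadgetsPerKB(code []byte, maxLen int) float64 {
	if len(code) == 0 {
		return 0
	}
	return float64(len(FindGadgets(code, maxLen))) * 1024 / float64(len(code))
}

// sample is a constructed byte string, not taken from any real program.
var sample = []byte{
	0x55,             // push ebp
	0x89, 0xE5,       // mov ebp, esp
	0x31, 0xC0,       // xor eax, eax
	0x5D,             // pop ebp
	0xC3,             // ret
	0x48, 0x89, 0xC7, // mov rdi, rax
	0x48, 0x31, 0xF6, // xor rsi, rsi
	0xC3,             // ret
	0x90, 0x90, 0x90, // nop; nop; nop
	0xC3,             // ret
}

func main() {
	gadgets := FindGadgets(sample, 4)
	keys := make([]string, 0, len(gadgets))
	for k := range gadgets {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%-10s x%d\n", k, gadgets[k])
	}
	fmt.Printf("%d distinct gadgets from %d bytes (%.0f per KB)\n",
		len(gadgets), len(sample), GadgetsPerKB(sample, 4))
}
```

Three `ret`s in eighteen bytes already give ten distinct windows; that every window is a fragment of code the system already trusts is the whole reason a signature scanner that looks piece by piece has nothing to match on.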


All original material is copyright © 1998 by the Mudcat Café Music Foundation, Inc. All photos, music, images, etc. are copyright © by their rightful owners. Every effort is taken to attribute appropriate copyright to images, content, music, etc. We are not a copyright resource.