Tech: Slightly Different Virus Threat

JohnInKansas 13 May 04 - 08:47 AM
The Fooles Troupe 13 May 04 - 09:08 AM
Rapparee 13 May 04 - 09:14 AM
JohnInKansas 13 May 04 - 09:48 AM
Subject: Tech: Slightly Different Virus Threat
From: JohnInKansas
Date: 13 May 04 - 08:47 AM

In a slightly different sort of warning, a "friendly hacker" has advanced the claim that the "web scan" programs of all AV providers include a "hole" that could be used by a malicious hacker. No use is known, thus far, but since the existence and general nature of the problem have been published, it might be expected that someone will try.

When you go to an AV provider's web site and "have your system scanned" a small program is downloaded to your machine, and the "bot" that's downloaded is the program that actually runs the scan. The "bot" remains on your machine after the scan is finished.

The claim is that the "bot" can be accessed, and a buffer overrun created, that allows the malicious hacker to access most of your machine. Symantec (Norton) maintains that the buffer size exceeds what can be loaded, and plans no fix. McAfee admits that the buffer "load" to create the overrun is quite small, and has produced a fix. Other AV vendors are varied in their response to this.

McAfee specifically recommends that if you have used their "webscan" at any time in the past, you should return to their site and have your machine "re-scanned." When you rescan, their "new and improved bot" will replace the one on your machine.

This recommendation applies if you have used their scan, whether or not you use McAfee AV. Similar procedures apparently may be needed if you have used the "free scan" via web hookup from almost, possibly all, AV suppliers.

If you can remember whose facility you have used for a "free web scan," it might be well to visit the site and see if they have a fix, or words of reassurance about this. If you used McAfee, they specifically recommend "getting fixed" by getting a fresh scan.

John



Subject: RE: Tech: Slightly Different Virus Threat
From: The Fooles Troupe
Date: 13 May 04 - 09:08 AM

So how do we remove these bots?



Subject: RE: Tech: Slightly Different Virus Threat
From: Rapparee
Date: 13 May 04 - 09:14 AM

Which is why I buy an antivirus program and load it myself.



Subject: RE: Tech: Slightly Different Virus Threat
From: JohnInKansas
Date: 13 May 04 - 09:48 AM

Foolstroupe -

I don't know whether the AV guys will tell you the filenames for their bots. They're probably buried somewhere in System32 or in a folder with the AV supplier's name, or the like. They assume that you'll probably want to come back for another scan, and it's "convenient" (for them?) to leave the bot in place.

The bot IS NOT A VIRUS. It's a small program that happens to have a "vulnerability" that someone could use to get into your machine. Lots of programs that you know, love, and use every day have similar "holes." This is just one that can be patched now.

There are similar things being "studied" with the implication being that nearly all "multimedia players" need similar patch jobs. Real-Player is one that's admitted a problem exists, and has some updates out. The problem is that their "hype" is so heavy you can't tell what's their fix and what's a sales pitch for a "$better ver$ion.$" The AV people haven't published a "consensus opinion" on whether Real-Player has fixed it, or on which specific other programs need to be "repaired," so there's no real incentive to patch at present. Some other media player programs are "nervous," but the situation just isn't well enough known to make recommendations yet.

As described by the guy who brought the AV hole up, nearly all "web scan" utilities by all AV producers are to some extent susceptible. It appears that a "generic" virus could attempt to exploit the hole, and it would succeed regardless of what AV webscan you had used if they have a small buffer, and would simply fail for those with protected or very large buffer defs. That makes a "large target" that could be attacked. Several AV makers may have fixes. McAfee happens to be the only major one who has publicly recommended rescanning to get the old bot replaced.

Norton is about the only major one who has publicly declared that they don't see a need in their program, and don't intend to change their program.

John
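
Added illustration, not part of the thread and not any vendor's code: the difference the last post draws between a small unprotected buffer and a "protected" one comes down to a length check before the copy. The names `scan_param`, `set_param_checked`, `unchecked_copy_is_safe` and the 64-byte size are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical parameter slot of a downloaded scan component; the size is
   an assumption for illustration, not any vendor's real value. */
#define PARAM_BUF_SIZE 64

typedef enum { PARAM_OK = 0, PARAM_TOO_LONG = -1, PARAM_BAD_ARG = -2 } param_status;

typedef struct {
    char value[PARAM_BUF_SIZE];
} scan_param;

/* Copy caller-supplied input into the fixed buffer only if it fits,
   terminator included. in_cap bounds how far we look for the terminator,
   so an unterminated input is rejected rather than read past. */
param_status set_param_checked(scan_param *p, const char *in, size_t in_cap)
{
    if (p == NULL || in == NULL)
        return PARAM_BAD_ARG;
    const char *end = memchr(in, '\0', in_cap);
    if (end == NULL)
        return PARAM_TOO_LONG;      /* no terminator within in_cap */
    size_t len = (size_t)(end - in);
    if (len >= sizeof p->value)
        return PARAM_TOO_LONG;      /* would overrun: refuse, leave p untouched */
    memcpy(p->value, in, len + 1);  /* len + 1 copies the terminator too */
    return PARAM_OK;
}

/* The "buffer size exceeds what can be loaded" argument: an unchecked copy
   is only safe if every delivery path caps input below the buffer size. */
int unchecked_copy_is_safe(size_t buf_size, size_t max_input_len)
{
    return max_input_len < buf_size;  /* one byte reserved for the terminator */
}

int main(void)
{
    scan_param p = { "default" };
    char big[200];                    /* constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    int fits = set_param_checked(&p, "scan.cfg", 9);
    int rejected = set_param_checked(&p, big, sizeof big);
    return (fits == PARAM_OK && rejected == PARAM_TOO_LONG) ? 0 : 1;
}
```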

