Re: Trojan horse Downloader.Generic.ML

From: Jason Edwards (none1_at_invalid.invalid)
Date: 06/17/05

Date: Fri, 17 Jun 2005 11:05:45 +0100

"Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote in message
news:aSose.329095$cg1.323372@bgtnsc04-news.ops.worldnet.att.net...
>
> "Jason Edwards" <none1@invalid.invalid> wrote in message
> news:3hcuhbFgih9bU1@individual.net...
> > "Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote in message
> > news:G23se.965445$w62.820769@bgtnsc05-news.ops.worldnet.att.net...
> > >
> > > "Jason Edwards" <none1@invalid.invalid> wrote in message
> > > news:3hbf5hFg0qm4U1@individual.net...
> > > > "Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote in message
> > > > news:qW_re.324813$cg1.141727@bgtnsc04-news.ops.worldnet.att.net...
> > > > >
> > > > > "Jason Edwards" <none1@invalid.invalid> wrote in message
> > > > > news:3hbbasFg5jjsU1@individual.net...
> > > > > > "Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote in message
> > > > > > news:EKYre.963481$w62.31381@bgtnsc05-news.ops.worldnet.att.net...
> > > > > > > It's the file C:\NULL
> > > > > > >
> > > > > > > Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
> > > > > > > PC reported the above noted infection. It's Grisoft free AVG with the
> > > > > > > latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
> > > > > > > with firewall, SpyBot(resident).
> > > > > >
> > > > > > And do you use Internet Explorer?
> > > > >
> > > > > Yep, the very latest and fully patched/WinUp-ed version.
> > > >
> > > > Ok, so it's probably only got approximately n+100 vulnerabilities left to be
> > > > patched.
> > >
> > > Maybe but do you have any evidence that any of these has been actually used
> > > in a penetration recently? OR are they all just potential?
> >
> > Sure. Some time ago
>
>
> "Some time ago" seems to be confirming what I said.
>
> Now did your test PC have a then current virus checker and a then current
> firewall?

Yes it had a virus checker with all updates.
Yes it had all Windows updates.
If by firewall you mean personal firewall software then no it didn't because
this would have made no difference.
Personal firewalls do not stop Internet Explorer downloading whatever the
user requests as far as I'm aware.
They also do not stop Internet Explorer downloading something the user
didn't request.
The only way to keep adware off Windows 98 is to stop it reaching the PC.

>
> > I was curious about strange messages with links
> > appearing in newsgroups, so I set up an isolated PC with its own broadband
> > connection running Windows 98 with ALL updates and clicked one of the links.
> > This took me to a website offering adult material. I can't remember the
> > details but it had some clever way of getting me to scroll down and click. A
> > quick run of hijackthis then discovered that a trojan had been planted in
> > the startup folder and was waiting to run on the next startup.
> > The computer was then wiped and restored from a clean image.
> > I got rid of the trojan file about a week later, it was kept only to verify
> > that two popular virus scanners were still pronouncing it clean after a
> > week.
>
>
> OK. so I assume you finished the experiment and can tell us when "two
> popular virus scanners" DID start finding it?

As already stated the fully updated scanners were not finding anything wrong
with the file after a week.
I then decided to get rid of the file in case it was detected and frightened
anyone in the future.
I'm not in the business of collecting malware.
It would surprise me if current virus scanners don't detect it but there is
no way for me to find out.

>
> > > > > > > A normal Shutdown was done 12 hours
> > > > > > > earlier with no indication of any problems.
> > > > > >
> > > > > > There wouldn't be.
> > > > > > If something did sneak in via an IE or some other vulnerability then it
> > > > > > would most likely not run until the next startup.
> > > > >
> > > > > Are you saying that AVG's resident and SpyBots resident(watching reg
> > > > > updates) wouldn't have caught it at the time of infection?
> > > >
> > > > Yes
> > >
> > > Why? If that's not what they're lookin for then what are they lookin for?
> >
> > I thought I'd already explained that no matter how hard they look they can't
> > be expected to include all malware the same day it's written. Some may only
> > be included months later, or perhaps never.
>
>
> "never" implies incompetence/fraud or that the infection was a very special
> one target thing.

Using the current model of anti-virus software I don't see how any virus
scanner vendor can be expected to get an update done and distributed to
users before malware has executed on their PC.
This is simply not possible unless they turn their efforts to time travel
instead of malware detection.
I cannot recall a virus I came across this year which hadn't executed and
done damage to a user's PC BEFORE their virus scanner was updated to detect
it. The last one was due to a 12 year old using MSN messenger in an XP
administrator account. This left the user helpless because task manager
wouldn't run and IE wouldn't go to any anti-virus sites. AVG took more than
24 hours to start detecting it and I don't see how they could have done it
any faster.
Is it only me who thinks that there may be something wrong with this model?

>
> > > > > > > There are still no indications
> > > > > > > of any problems EXCEPT that AVG claims it's found this trojan.
> > > > > >
> > > > > > Sounds like an indication of a problem to me.
> > > > > > A false detection is a possibility but there is no way for me to be
> > > > > > certain.
> > > > >
> > > > > That c:\null IS a bogus file from an unknown source suggests that there was
> > > > > no false detection.
> > > >
> > > > It does, if you are sure that C:\NULL is not part of anything legitimate or
> > > > anything you have done yourself.
> > >
> > > I'm sure. You ever heard of c:\null?
> >
> > Nope.
> >
> > >
> > > > > > > There have
> > > > > > > been no floppy operations/mounts, no CD operations/mounts and no downloads
> > > > > > > and installs of anything since an hour before shutdown last night and
> > > > > > > now.
> > > > > >
> > > > > > But you did surf with Internet Explorer?
> > > > >
> > > > > Yep and other than the possibility that you are a FireFox drum beater, the
> > > > > use of a fully updated IE generally does NOT expose one to such when a fully
> > > > > functional firewall, virus checker and spyware checker are in place.
> > > >
> > > > I don't wish to upset you but it took me a while to stop laughing after
> > > > reading that.
> > >
> > > Provide some references that suggest that is not the usual and EFFECTIVE
> > > model?
> >
> > Sure it's the usual model for a home Windows user but it is not effective
> > for the reasons you have discovered for yourself. Personal software
> > firewalls are useless because there are many ways for malware to bypass
> > them. Malware might ride on another application such as Internet Explorer,
> > it might answer the firewall's popup questions itself, it might shut the
> > firewall down completely, it might prevent the firewall from getting
> > updates, etc.
> > Virus scanners are useless for exactly the reason that you are
> > understandably upset about discovering for yourself. You thought you were
> > doing everything possible but you still got a trojan.
>
>
> OK, so tell us all the secret solution save the daily clean OS install that
> seems so popular here

There are no secrets.
Ask yourself why businesses of any size don't use (or shouldn't be using)
the current home user model.
Ask yourself why users in these businesses who have email and web browsing
access think that they have full Internet access and don't notice any
difference between Internet access at work and Internet access at home.
A few of these users may wonder why they never get any viruses at work but
can't keep viruses off their home PC.

>
> > > > > > > From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
> > > > > > > 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
> > > > > > > PC finding nothing.
> > > > > > >
> > > > > > > So where and how did this file C:\NULL that AVG claims is Trojan horse
> > > > > > > Downloader.Generic.ML appear from? Was it really there since 5/5 but went
> > > > > > > unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
> > > > > > > suddenly downloaded a new definition file which started seeing this trojan?
> > > > > >
> > > > > > Virus scanners don't have any magical ability to detect trojans, they have
> > > > > > to be told what is a trojan and what isn't via the updates.
> > > > >
> > > > > Right but 5/5/05 is over 30 days old...am I some special case alpha
> > > > > infection point?
> > > >
> > > > Nope, you're just an average Windows user who got the trojan that wasn't
> > > > widespread enough to be noticed immediately.
> > >
> > > I find that unlikely but barely possible.
> >
> > Barely possible would be more than enough for me. I'd rather make it
> > impossible. To do that you arrange to prevent any executable code getting
> > where you don't want it. This is likely to be impossible with a Windows 98
> > PC connected directly to a broadband connection where everything has
> > complete access to everything else.
> > Consider an external firewall box which stops it getting to the PC in the
> > first place.
> >
> > >
> > > > > > An anti-virus
> > > > > > vendor may manage to do an update in less than a day if the virus/trojan is
> > > > > > all over the news but it may otherwise take longer. Trojan writers are not
> > > > > > under any obligation to send copies of their trojans to anti-virus vendors.
> > > > > >
> > > > > > > OR did something penetrate all the firewalls and suddenly spawn this file
> > > > > > > which AVG quickly recognized?
> > > > > >
> > > > > > I have no idea where C:\NULL came from but if it were on my PC I would want
> > > > > > to know what it was.
> > > > > > If I was sitting at the PC which had C:\NULL on it then I'd look in C:\NULL
> > > > > > to see what was there.
> > > > >
> > > > > After one noticed it. I don't inspect c:\ or c:\win or c:\win\system[32]
> > > > > hourly to spot undesirable files. That's what I got AVG etc. for.
> > > >
> > > > I don't either, but I don't allow additional executable files on to the
> > > > system in the first place, so I don't have to go file spotting very often on
> > > > my own machines. I also don't need AVG.
> > > >
> > > > >
> > > > > > I'd also find out whether anything in there was referenced during startup.
> > > > > > For that I'd need spybot S&D in advanced mode or http://www.hijackthis.de/
> > > > > > or just regedit.
> > > > > >
> > > > > > >
> > > > > > > What likely happened here?
> > > > > >
> > > > > > Impossible to say. One possibility is that you got something via an
> > > > > > unpatched IE vulnerability.
> > > > >
> > > > > I was under the impression that there weren't any of these that have
> > > > > resulted in actual infections any time recently. Lots of new
> > > > > vulnerabilities keep being found and reported and fixed. And that's all
> > > > > before there are any infections/penetrations using them and that's what I've
> > > > > been hearing for over a year.
> > > >
> > > > Who have you been hearing this from?
> > >
> > > Where have you been hearing the other from?
> > >
> > > > Ask yourself why there is a cumulative update every month.
> > >
> > > YES, please do so. Have you been reading about the intense preemptive work
> > > going on to find the holes before the hackers. From what I've heard that's
> > > been effective down to within a day or two for the last year or two.
> > > References otherwise?
> >
> > How about the experiment I did with the isolated windows 98 PC described
> > above.
>
>
> "Some time ago"....

Why does it make a difference?
All Windows and anti-virus updates were in place at the time.

>
> > It may be that this hole has since been patched but it makes no difference
> > to me, I will continue to trust no executable code unless I'm very sure
> > about where it came from and what it's going to do to my system.
> > You may say that it's difficult or impossible to keep adware off a Windows
> > PC. But this is not the same as asking whether or not it can be done.
>
>
> HMM, now that sounds like something I'd say.

Filter it out before it reaches the PC.

>
> > > > > > Another is that AVG is/was giving a false
> > > > > > detection. Another is that I don't have a clue what happened.
> > > > > >
> > > > > > >
> > > > > > > The operation I was in the middle of when AVG popped up was reading a
> > > > > > > text only no attachment NG message in OE 6.00.2800.1123.
> > > > > >
> > > > > > Did this message contain a link/url that you happened to click on?
> > > > >
> > > > > NOPE! I assume that the NG message reading had nothing to do with it but
> > > > > then what did??
> > > >
> > > > It is not possible for me to say for certain what did.
> > > >
> > > > If I were you I'd wipe the drive and reinstall the operating system.
> > >
> > > Clueless!
> >
> > There was a Microsoft technet article giving just this advice but I can't
> > find it, maybe someone else can unless it's gone.
> >
> > >
> > > > There is no other way to be sure that your system isn't compromised.
> > >
> > > Now you've established your credentials.
> >
> > No. What I have established is that you are understandably upset about the
> > fact that you did everything you thought you had to do (virus scanner,
> > personal firewall, spyware remover) but you STILL got a trojan.
>
>
> YES, now if someone would care to describe in more detail why that came to
> pass rather than hyperbole and paranoid rantings then I'd be happy. Is that
> protection model many are using totally bogus?

There are various reasons why the current home user model is not likely to
change any time soon.
I'll list a few of the reasons I can think of; there may be many others.

1. Cost. Proper external firewall/proxy boxes start at three figures.
2. Time and effort. Good external boxes can be made out of free software and
an old PC, but time and effort is required to set it up. A certain level of
knowledge is also required for successful configuration whether you use a
ready made solution or a free software one. You can pay someone to do it for
you but then we're back to cost.
3. Knowledge. Windows 98 is not likely to be possible to secure for the
average home Windows user if connected directly to broadband. Later versions
of Windows are better but cannot be used in a secure manner because this
breaks too many existing applications. Windows applications are still being
written which require access to more than they should be able to access if
they are to work properly. I won't bother stating that you could use an
operating system other than Windows because I've met people who think that
Windows and computers are the same thing.

Jason

>
> > It's not my fault if you would rather attack the person giving you this
> > information instead of asking yourself why the methods you've applied so far
> > are not working.
>
>
> HMM, am I the OP of this thread?
>
>
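Jason's advice above comes down to one rule: stop executable code before it reaches the PC, with an external firewall/proxy box rather than software on the endpoint. The block below is an added illustration of the decision such a proxy would make for each HTTP response; it is not code from this thread or from any product mentioned in it. The extension block list, the content-type list, the header checks and the sample responses are all constructed for the example, and the "PE" bodies are a few header bytes, not real programs.

```python
import re
import struct

# Policy for the hypothetical filter (constructed for this example, not from the thread).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".dll"}
BLOCKED_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable",
}


def is_pe_executable(body: bytes) -> bool:
    """True when the body is a Win32 PE image: an 'MZ' DOS stub whose little-endian
    dword at offset 0x3C (e_lfanew) points at a 'PE\\0\\0' signature."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    if e_lfanew + 4 > len(body):
        return False
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def filename_from_headers(headers: dict) -> str:
    """Pull the filename out of a Content-Disposition header, if one is present."""
    disposition = headers.get("content-disposition", "")
    match = re.search(r'filename="?([^";]+)"?', disposition, re.IGNORECASE)
    return match.group(1).strip().lower() if match else ""


def classify_response(url: str, headers: dict, body: bytes) -> tuple:
    """Decide whether the proxy passes an HTTP response on to the PC.
    Returns (decision, reason). Header names are expected lower-cased.
    Headers and filenames are chosen by the remote server, so the body check
    runs on its own at the end: a lying Content-Type or an innocent-looking
    name does not let an executable through."""
    path = url.split("?", 1)[0].lower()
    for ext in BLOCKED_EXTENSIONS:
        if path.endswith(ext):
            return ("block", f"url extension {ext}")
    name = filename_from_headers(headers)
    for ext in BLOCKED_EXTENSIONS:
        if name.endswith(ext):
            return ("block", f"content-disposition filename {name}")
    ctype = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype in BLOCKED_CONTENT_TYPES:
        return ("block", f"content-type {ctype}")
    if is_pe_executable(body):
        return ("block", "body is a PE executable despite headers")
    return ("allow", "no executable indicators")


def build_fake_pe() -> bytes:
    """Constructed stand-in for an executable: just enough header to satisfy
    is_pe_executable. It is not a real program and cannot run."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40 bytes of DOS header
    struct.pack_into("<I", stub, 0x3C, 0x40)    # e_lfanew -> PE signature right after the stub
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 20


# Constructed responses exercising each path through the filter (example.invalid is a placeholder host).
SAMPLE_RESPONSES = [
    ("http://example.invalid/page.html", {"content-type": "text/html"},
     b"<html><body>hello</body></html>"),
    ("http://example.invalid/pic", {"content-type": "image/gif"},
     b"GIF89a" + b"\x00" * 32),
    ("http://example.invalid/setup.exe", {"content-type": "application/octet-stream"},
     build_fake_pe()),
    ("http://example.invalid/dl?id=7",
     {"content-type": "image/gif", "content-disposition": 'attachment; filename="cute.scr"'},
     build_fake_pe()),
    ("http://example.invalid/view", {"content-type": "image/jpeg"},
     build_fake_pe()),
]


def run_samples() -> list:
    """Decision for each sample response, in order."""
    return [classify_response(url, hdrs, body)[0] for url, hdrs, body in SAMPLE_RESPONSES]


if __name__ == "__main__":
    for url, hdrs, body in SAMPLE_RESPONSES:
        decision, reason = classify_response(url, hdrs, body)
        print(f"{decision:5}  {url}  ({reason})")
```

The last two samples are the ones that matter: the scanner-style checks on the name and content type are cheap, but they trust what the server sent, so the body inspection is what catches a download that claims to be a GIF or JPEG and is really a PE file. The check here is deliberately narrow (PE images only); a filter box on a real connection would also need to look inside archives and at script downloads, which is part of the "time and effort" Jason lists as the cost of doing this properly.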