Tech-101 Free Computer Support

Security threats evolving at breakneck pace


7 replies to this topic

#1 jobeard (Site Admin, Administrators, 2,009 posts)
Posted 18 August 2010 - 11:52 AM

17 August 2010
The most recent threat landscape report from Forrester claims the gap between hacker threats and suitable security defenses is widening, at a faster pace than ever before.

...threats are coming from “highly organized, well-funded” crime networks, or even state-sponsored actors. ... “The attacks are much more targeted, sophisticated, and resourceful” ...

“Attackers go after the network, then the applications, and then the data, covering all traces of their presence as they penetrate”, the authors noted, adding that “the ultimate goal is to modify the application in some way so that [attackers] get a consistent source of revenue”.

... it acknowledged that “security technology vendors in general have overpromised and underdelivered”. Instead they advocated for a layered security defense that does not rely on any one particular technology to address a single risk area.


The Infosecurity article is available for your review.

J. O. Beard; you + tech-101.com => synergism. Secure your system now


#2 Bobbye (Site Admin, Administrators, 992 posts)
Posted 20 August 2010 - 06:29 PM

There is a really nasty variant of the Sality virus very active now. I'm seeing it with Win32/Heur, and this family has many of the same characteristics as Virut. This is the one exploiting the LNK vulnerability, the "currently unpatched Windows shortcut vulnerability". Microsoft reports a surge in related attack traffic generated by threats from the Sality family of malware.

The virus also includes an autorun worm component that allows it to spread to any removable or discoverable drive. In addition, Sality includes a downloader Trojan component that installs additional malware via the Web.

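The autorun worm component Bobbye mentions works by dropping an autorun.inf on every drive it reaches so that opening the drive runs the worm's copy. The script below is an added example (editor's code, not from this thread or from Microsoft) that parses an autorun.inf and reports the execution hooks an autorun worm relies on: open=, shellexecute= and shell\<verb>\command= directives, a target hidden in a recycle or system folder, and an action= string that mimics Explorer's own "Open folder to view files" prompt. Both sample autorun.inf files are constructed, and the folder names and prompt text used as hints are heuristics assumed for the example, not a complete signature.

```python
"""Inspect autorun.inf files for the execution hooks an autorun worm uses.

Added example, not code from the thread or from Microsoft.  The sample
autorun.inf contents below are constructed; the hiding-place names and the
Explorer-lookalike 'action' text are heuristics, not a complete signature.
"""
import re

# Directives that make Windows run a program when the drive is opened or
# double-clicked: open=, shellexecute=, and shell\<verb>\command=.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")
# Folders a worm typically drops its copy into so it is hidden from casual
# browsing (heuristic list, an assumption made for this example).
HIDING_DIRS = ("recycler", "recycled", "system volume information")
# AutoPlay prompt text that mimics Explorer's own "open folder" option.
EXPLORER_LOOKALIKE = "open folder to view files"


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}, section/keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def analyse_autorun(text):
    """Return the execution hooks in [autorun] and why each one looks bad."""
    autorun = parse_ini(text).get("autorun", {})
    hooks = []
    for key, value in autorun.items():
        if key not in EXEC_KEYS and not SHELL_COMMAND.match(key):
            continue
        target = value.strip('"').lower()
        program = target.split()[0] if target else ""   # drop any arguments
        reasons = []
        # An .exe in the root is normal on install media; the worm-like part
        # is the combination with a hidden location and an Explorer-like prompt.
        if program.endswith(EXEC_EXTENSIONS):
            reasons.append("launches an executable")
        if any(d in target for d in HIDING_DIRS):
            reasons.append("target lives in a recycle/system folder")
        hooks.append({"key": key, "target": value, "reasons": reasons})
    action = autorun.get("action", "").strip('"').lower()
    mimics = action == EXPLORER_LOOKALIKE
    return {
        "hooks": hooks,
        "mimics_explorer": mimics,
        "suspicious": bool(hooks) and (any(h["reasons"] for h in hooks) or mimics),
    }


# Constructed sample: an ordinary install CD that only sets a label and icon.
BENIGN_AUTORUN = r"""
[autorun]
label=Product Setup
icon=setup.exe,0
"""

# Constructed sample shaped like the autorun.inf a worm drops on a USB stick:
# every way of opening the drive runs the hidden copy, and the AutoPlay
# prompt is made to look like Explorer's own option.
WORM_AUTORUN = r"""
[autorun]
open=RECYCLER\x\updater.exe
shell\open\Command=RECYCLER\x\updater.exe
shell\explore\command=RECYCLER\x\updater.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("worm", WORM_AUTORUN)):
        result = analyse_autorun(sample)
        print(name, "->", "suspicious" if result["suspicious"] else "clean")
        for hook in result["hooks"]:
            print("   ", hook["key"], "=", hook["target"], hook["reasons"])
```

Run it against the autorun.inf at the root of each removable drive; the benign sample produces no hooks at all, while the worm-shaped one yields three execution hooks, each pointing into a recycle folder, plus the Explorer-lookalike prompt. Deleting the file is not a cure, since the worm rewrites it, but the parse tells you which dropped executable to look for.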


#3 Blind Dragon (Site Admin, Administrators, 1,733 posts)
Posted 22 August 2010 - 12:57 PM

Best bet with these is to format/reinstall for 2 main reasons:

1) File infectors such as Sality or Virut can cause the system to become unbootable; better to back up and format before it's too late.

2) Once they infect a legitimate file, they will invalidate that file's digital signature.

That means that ANY program file on this machine will NOT verify as signed by Microsoft after a Sality infection.

With any backdoor trojan:
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infections can be identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with these types of trojans, the best course of action would be a reformat and reinstall of the OS.

#4 jobeard (Site Admin, Administrators, 2,009 posts)
Posted 22 August 2010 - 03:45 PM

Many experts in the security community believe that once infected with these type of trojans, the best course of action would be a reformat and reinstall of the OS.

IMO, it can easily be massive overkill, extremely disruptive, and induce massive losses.

The proper configuration of a G O O D firewall will allow monitoring of ALL sessions, including all outbound connections.
  • disconnect from the Internet
  • set the FW to ASK for all outbound connections
  • reset all 'approved applications', which will force your approval for every outbound connection
  • look for connections to unknown sites or IP addresses.
Most keyloggers will use email, FTP, or HTTP connections to 'phone home'
(ports 25, 21, 80 respectively) and you only need to understand:

did I initiate this action?

For those who are careless enough to access the Internet using a login with Admin privs - -
then perhaps you need to take extremely disruptive action.

Again, personally, with financial and business data on the system,
Wipe Clean and Start Over is a 0.001% probability for me, and this
would be at least two levels of embarrassment:
  • that I was infected at all and ...
  • I had no means to control the network data flow, which would allow further exposures.
Please pull the lever on the trap door and just hang me on the spot.

In the commercial world, a person from the Help Desk department might be asked to stop by to resolve a problem from time to time.
If I ever heard the comment that the recommended action was to re-image the system (aka wipe and start over), I would ask them to leave and tell them flatly,

If you can't solve the problem, then please don't compound the situation . . . I'll learn how for myself even if it causes me extra hours w/o pay.

Invested some time (i.e. learned a lot) but never suffered the pain of wipe and reinstall either.

J. O. Beard; you + tech-101.com => synergism. Secure your system now
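The firewall procedure jobeard lays out is interactive: each connection attempt gets the "did I initiate this action?" question as it pops up. The script below is an added example (editor's code, not jobeard's and not any firewall vendor's) that applies the same test to a whole `netstat -ano` listing at once, so the unknown destinations can be reviewed together. It reports every established or connecting socket whose owning program is not on an approved (program, port) list and calls out the SMTP/FTP/HTTP "phone home" ports the post names. The netstat text, the PID-to-program map (what `tasklist` would give you) and the approved-application list are all constructed for the example; the lookalike process name in the sample is invented to show what a finding looks like.

```python
"""Triage outbound connections from a captured `netstat -ano` listing.

Added example, not code from the thread.  It applies the post's "did I
initiate this action?" test to a whole listing: every established or
connecting socket whose owning program is not on the approved list is
reported, with the SMTP/FTP/HTTP "phone home" ports called out.  All sample
data (netstat rows, PID map, approved list) is constructed.
"""
import ipaddress
import re

# Ports the post names as the usual keylogger "phone home" channels.
PHONE_HOME_PORTS = {25: "smtp", 21: "ftp", 80: "http"}

# Constructed allow-list in the spirit of a firewall's "approved
# applications": (program image name, destination port).
APPROVED = {
    ("outlook.exe", 25),
    ("firefox.exe", 80),
    ("firefox.exe", 443),
}

# One `netstat -ano` row: proto, local, foreign, optional state (UDP rows
# have none), PID.  Banner and header lines simply fail to match.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S*)\s+(\d+)\s*$")


def split_endpoint(endpoint):
    """'93.184.216.34:80' -> ('93.184.216.34', 80); '[::1]:80' -> ('::1', 80)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def is_outbound(proto, host, port, state):
    """True for sockets talking (or trying to talk) to a remote peer."""
    if host in ("*", "0.0.0.0", "::") or not port:
        return False                      # listener or unbound socket
    if proto == "TCP" and state == "LISTENING":
        return False
    try:
        if ipaddress.ip_address(host).is_loopback:
            return False                  # local IPC, not network traffic
    except ValueError:
        pass                              # hostname-style output; keep it
    return True


def triage(netstat_text, pid_to_image):
    """Return the connections the user should be asked to explain."""
    findings = []
    for line in netstat_text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, _local, foreign, state, pid = m.groups()
        host, port = split_endpoint(foreign)
        if not is_outbound(proto, host, port, state):
            continue
        image = pid_to_image.get(int(pid), "<unknown pid>")
        if (image.lower(), port) in APPROVED:
            continue                      # the user already said yes to this
        findings.append({
            "process": image,
            "pid": int(pid),
            "dest": f"{host}:{port}",
            "state": state or "-",
            "phone_home": PHONE_HOME_PORTS.get(port),
        })
    return findings


# Constructed `netstat -ano` capture.  Addresses are documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    127.0.0.1:49160        127.0.0.1:49161        ESTABLISHED     2200
  TCP    192.168.1.10:49152     93.184.216.34:80       ESTABLISHED     1234
  TCP    192.168.1.10:49153     203.0.113.7:25         ESTABLISHED     4321
  TCP    192.168.1.10:49154     198.51.100.9:21        SYN_SENT        4321
  TCP    192.168.1.10:49155     198.51.100.9:443       ESTABLISHED     1234
  UDP    0.0.0.0:5355           *:*                                    1100
"""
# Constructed PID map; "svhost.exe" is an invented lookalike of svchost.exe.
SAMPLE_PIDS = {812: "svchost.exe", 1100: "svchost.exe", 1234: "firefox.exe",
               2200: "svchost.exe", 4321: "svhost.exe"}

if __name__ == "__main__":
    for f in triage(SAMPLE_NETSTAT, SAMPLE_PIDS):
        tag = f" ({f['phone_home']} phone-home port)" if f["phone_home"] else ""
        print(f"{f['process']} (pid {f['pid']}) -> {f['dest']} {f['state']}{tag}")
```

On the sample capture only the two connections from the unapproved "svhost.exe" process survive the filter, one to port 25 and one to port 21; the listener, the loopback socket, the UDP socket with no peer and the two approved Firefox connections are dropped. Feed it your own `netstat -ano` and `tasklist` output and the remaining lines are exactly the ones the firewall would have asked you about.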


#5 Blind Dragon (Site Admin, Administrators, 1,733 posts)
Posted 23 August 2010 - 07:11 PM

We would not be infected in the first place, and if by some chance you were, your information would still be secure. Many of the logs posted here on the site show gaping holes in the users security.

I would prefer they have appropriate protection ahead of time, and follow all of the security guides we have posted, but the fact is many users won't find us until after the fact.

For these users, I am not saying they can't back up data, but as stated above, with these particular infections ANY program file on these machines will NOT verify as signed by Microsoft after a Sality infection. With Virut the infection spreads faster than can be contained by any antivirus. It's a file infector, which infects legitimate files.

More specifically, all programs and zipped files need to be removed, as well as the operating system itself. You can back up your documents, images, music, etc.

1) How comfortable would you feel knowing you couldn't verify signatures on those files?

2) Had you performed internet banking, made a purchase with a credit card, or revealed other sensitive info over the web while infected, what's to say your information has not already been compromised?

I'll learn how for myself even if it causes me extra hours w/o pay.

In my opinion, it's better safe than sorry. Plus, how long does it take to backup your data and format/reinstall? Last time I did it (not due to infection), it took less than an hour. I personally don't keep important data on the same drive as my OS on any of my systems.

#6 Bobbye (Site Admin, Administrators, 992 posts)
Posted 25 August 2010 - 05:16 PM

I don't know whether to laugh or cry at what some think they need for security! I almost always find one of three situations in a malware log:

1. There is no antivirus and/or firewall, or the FW is incoming only.
2. There is too much security. Especially multiple AV programs and multiple suites.
3. The majority of users don't understand what they need or how to use it! The most common complaint is of security 'blocking' sites > they don't understand the difference between incoming and outgoing > don't understand that blocking bad sites is a good thing > or that they have a button they can click on for 'Don't show me alerts'.

It is a very scary place on the internet when so many readily admit 'I don't know anything about computers.'!
And so few ask 'how can I learn?' It's a big soap box stance for me.



#7 jobeard (Site Admin, Administrators, 2,009 posts)
Posted 25 August 2010 - 06:56 PM

As can be expected;

YOU ARE SPOT ON in your observations

I'm equally dismayed to see how so many are naively using their Admin Login to surf the net!

J. O. Beard; you + tech-101.com => synergism. Secure your system now


#8 Bobbye (Site Admin, Administrators, 992 posts)
Posted 30 August 2010 - 08:06 PM

This is one area I wouldn't mind being proven wrong! But I don't see it happening.