  ironwalker World Renowned Premium,MVM join:2001-08-31 Keansburg, NJ clubs:
·Optimum Online
| reply to Smokey Bear Re: Cnet tells users 100% guarantee infection
said by Smokey Bear :said by DarkSithPro :cnet.com Under lock and key No matter how savvy of a computer user you are, your computer will be the victim of malware or a virus at some point. Pretty bold statement from cnet. What do you guys think? As long as people don't download malware from CNET/download.com servers there is a possibility they remain clean. CNET still offers malware for download..... Edited: typo Agreed! Why people use these 3rd party download offers is beyond me. I always go to the author's site or company's site and if the 3rd party links are affiliated with them I use them, but only if on the author/company's site. |
|
Kiwi Premium join:2003-05-26 USA | reply to DarkSithPro I considered the OP topic amusing, as I used to use the CNET downloads to verify new malware they allowed on their site. Nothing much has changed, it's still malware hell; I suggest they lock their site up and throw away the key. |
|
  FunnyBones Premium join:2004-01-22 usa | reply to Nanoprobe I know someone who only uses a live dvd for online with no drives mounted so I agree BS.  -- Are you part of the cattle? |
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
| reply to DarkSithPro Of course, how do they define "infection?" Someone could have inactive malware sitting in their browser cache, for example. Does that count as "infection" by CNet?
I for one have never had any of my systems infected, except for one time with adware (due to someone else using the computer). And I've had my AV flag things in my browser cache during a scan, but nothing was active. So, would I be part of that "100%"?  -- To ISPs: Leave our ports alone! If I want ports blocked, I'll do it myself, thank you. |
|
 VirtualLarry Premium join:2003-08-01
| reply to Woody79_00 said by Woody79_00 :The gist of the matter is that the checking of Software Restriction Policy is done in USER MODE in the process which issued the CreateProcess/LoadLibrary call. This means that the current process can patch itself so that SRP isn't correctly verified. Mark did this by intercepting reads to the Registry (where SRP policies are stored) and returning fake results, Didier did this by searching the registry key names and replacing them with bogus ones (so registry reads would fail). Mark Russinovich wrote a program that would allow the disabling of Software Restriction Policy by a "Limited User" without admin rights required But how can a process patch itself, if it isn't running? The point is, somehow, code has to execute in order to patch around the code that blocks code from executing. It seems like a catch-22 to me.
If you want to run proof-of-concept code, fine, but that requires a program that is already allowed to run.
Are those programs accessible from the internet in some way that would allow that code to run, when prompted by a remote source? If not, then I would say that SRP is very secure.
For example, assume (I didn't read it) that the program that Mark wrote to bypass SRP was itself an executable. As a limited user running under SRP, how are you going to get that .exe to run, in order to patch SRP, to allow .exes to run? You can't execute it directly out of any directories that you have write access to, and only an admin has write access to the Program Files and Windows directories. |
|
  Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub
| reply to dadkins said by dadkins :Yes! Exactly! Adware, not "dishonest adware", is a part of many people's daily life. In and of itself, "adware" is not malicious and therefore not malware. Now, some are more aggressive than others, but I am OK with FlashGet as they/it provide(s) a way to turn it off. Like you say, concerning FlashGet it isn't "dishonest adware" or "unwanted software", especially not because you were informed about the adware in it and accepted it as part of the "deal".  -- Smokey's Security Forums »www.smokey-services.eu/forum/ Smokey's Security Weblog »smokeys.wordpress.com/ Site Member ASAP - Alliance of Security Analysis Professionals |
|
  dadkins Can you do Blu? Premium,MVM join:2003-09-26 Hercules, CA
·Comcast
2 edits | reply to Smokey Bear Yes! Exactly! Adware, not "dishonest adware", is a part of many people's daily life. In and of itself, "adware" is not malicious and therefore not malware.
Adware is more in the class of shareware than anything bad. Free with advertisements as opposed to popup adware/redirects/hijackers that is only there to deliver ads.
»en.wikipedia.org/wiki/Adware
"Adware or advertising-supported software is any software package which automatically plays, displays, or downloads advertisements to a computer after the software is installed on it or while the application is being used."
Now, some are more aggressive than others, but I am OK with FlashGet as they/it provide(s) a way to turn it off.
 -- Think outside the Fox... Opera |
|
  Nanoprobe Crunching in subspace Premium join:2003-05-11 Crab Nebula clubs: 
·Skype
·magicjack.com
·AT&T Southeast
| reply to DarkSithPro said by DarkSithPro :cnet.com Under lock and key No matter how savvy of a computer user you are, your computer will be the victim of malware or a virus at some point. Pretty bold statement from cnet. What do you guys think? -- Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. Albert Einstein
|
  Woody79_00
join:2004-07-08 united state
| reply to Blackbird No Blackbird, I wasn't directing that assertion at you in particular, I just happened to click your name on the reply button. You brought up some very good points Blackbird and I don't disagree with them at all.
You're smart enough to know that it takes "layers" to do the best you can to prevent it, some folks believe otherwise but you are not 1 of those folks I can clearly tell.
Virtual Larry:
The gist of the matter is that the checking of Software Restriction Policy is done in USER MODE in the process which issued the CreateProcess/LoadLibrary call. This means that the current process can patch itself so that SRP isn't correctly verified. Mark did this by intercepting reads to the Registry (where SRP policies are stored) and returning fake results, Didier did this by searching the registry key names and replacing them with bogus ones (so registry reads would fail).
Mark Russinovich wrote a program that would allow the disabling of Software Restriction Policy by a "Limited User" without admin rights required
»blogs.technet.com/markrussinovic···ser.aspx
Didier Stevens took this to the next level as recently as March of 2008
»blog.didierstevens.com/2008/03/0···disable/
»blog.didierstevens.com/2008/02/2···ool-kit/
»hype-free.blogspot.com/2008/10/l···ion.html
Software Restriction Policies are just a layer..execution prevention is not the end-all protection...once it becomes popular enough that malware authors have to take it into account, it can be bypassed like anything else.
Even on the Nix boxes I maintain I know there are ways around the firewalls, no firewall is foolproof. The recent router crash test is an example of this.
I am just saying once you become aware of the reality of the computer world it gets much easier...
I think the best rule of thumb is to always use your computer with the mindset that you "may" be compromised...this will promote safer computing practices overall. That's the only point I am trying to make.
No matter what OP system you use, you should always use layers...layers are like locks...make them go through a few hoops to get in...but locks on computers are like locks in real life. Locks only keep honest people out. If some bad guy wants in bad enough, he will get in...it's just the nature of the world.
Good reads nonetheless |
|
  Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub
1 edit | reply to dadkins Wikipedia definition malware:
Malware, a portmanteau from the words malicious and software, is software designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.
Many computer users are unfamiliar with the term, and often use "computer virus" for all types of malware, including true viruses.
Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of several American states, including California and West Virginia.
Malware is not the same as defective software, that is, software which has a legitimate purpose but contains harmful bugs.
»en.wikipedia.org/wiki/Malware -- Smokey's Security Forums »www.smokey-services.eu/forum/ Smokey's Security Weblog »smokeys.wordpress.com/ Site Member ASAP - Alliance of Security Analysis Professionals |
|
  33591094
join:2002-11-19 Canada | reply to DarkSithPro I haven't been gotten to yet, cnet... |
|
  dadkins Can you do Blu? Premium,MVM join:2003-09-26 Hercules, CA
·Comcast
| reply to james
 ONOES!!1 Ads! |  Turn off ads and use program anyways. ;-) |
said by james :I'd say it's a safe statement to make. Who here can honestly say they have NEVER had to remove a virus or adware from one of their computers? If they were claiming that every computer was at this moment infected, then they'd be wrong. Me! Never had a virus. Period. Adware? Hell, I have purposely installed adware, some adware is pre-installed by computer manufacturers.
The page doesn't say adware, it's malware. "No matter how savvy of a computer user you are, your computer will be the victim of malware or a virus at some point." -- Think outside the Fox... Opera |
|
 VirtualLarry Premium join:2003-08-01
| reply to Woody79_00 said by Woody79_00 :As recently as October of 2008 Windows Software Restriction Policies and Programs like Faronics Anti-Executable can be bypassed by Malware Via "Patching in memory" certain functions and key values in kernel32.dll among others, in turn "intercepting" the point of the check and giving errors or "fake values" allowing the executable to run. It still hasn't been patched. But doesn't it require admin privs for that process, to do the in-memory patching of kernel32.dll?
IOW, if you're running as admin, and malware gets a chance to execute on your machine, you're hosed and likely need a rebuild of the OS to ensure you got rid of it.
But running as a limited user, in conjunction with Software Restriction Policies, can form a virtually bullet-proof shield against malware getting in in the first place. And that's the whole point.
So I think that you are spreading FUD by suggesting that these very valid security procedures are useless. |
|
  Blackbird Built for Speed Premium join:2005-01-14 Fort Wayne, IN
·Verizon Online DSL
4 edits | reply to Woody79_00 said by Woody79_00 :No computer is 100% secure... Even though Linux is the most secure of the 3 mentioned, it can be compromised like any other operating system if a person is not careful. I do find it humorous though how many people believe that Software Restriction Policies, and certain programs like Faronics Anti-Executable and other execution protection software will protect them from all danger... If you're directing that latter assertion at me, it's not what I said - or at least, it's not the meaning I intended to convey. My intended point was that there are a number of layered tools and practices (which I consider to fall under the umbrella of "safe hex") that acting together render penetration extremely unlikely... of which using a Deep-Freeze kind of tool happens to be a significant one (but by no means the only one - your Tripwire approach being an alternative case in point). And I don't use either product. Frankly, my core belief is that how a person uses a computer and what he does with it will have far more influence on infectability than anything else. There have been a number of posts in this thread already by users who have used computers for years and never been infected; and there's nothing yet in this thread to cause me to believe that will all suddenly change for them over the next month, or year, or even decade. And it must change if the article's statement is correct.
Stating that users' computers will all eventually be infected (as the article essentially does) is a far different thing from stating, as you did, that "no computer is 100% secure". No car is 100% secure against theft either, yet not all will be stolen. No house is 100% secure against burglary, yet not all will be victimized. No encryption scheme is 100% secure from cracking, yet most encrypted information will not be compromised. What would be an accurate statement is that computers, rarely being 100% secure in and of themselves, are far more likely to be infected than computers operated with knowledgeable and secure methodologies, using a variety of well-reasoned protective tools - either hardware or software.
Terms like never, always, 100%, "will" - these are categorical expressions, and lend themselves more to hype and hysteria than to reasoned comparisons and evaluations. To falsify the article's statement, I need only to place a pristine computer disconnected from any wiring into a sealed container, surround it with concrete, and have somebody dig it up in 100 years... I feel completely safe in stating it will still be uninfected. Absurd? Certainly. But it's all about context, isn't it? And context dissolves and undercuts categorical "certainty"... -- If God wanted us to work with electrons, He'd make them big enough to see... |
|
  EGeezer Go Bobcats Premium join:2002-08-04 Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage
| reply to HFB1217 said by HFB1217 :A new form of birth control don't let Bill find out or he may charge for it as well. It could give a whole new meaning to trojans and infections... -- The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis |
|
  Its a Secret Whatever Premium join:2008-02-23 U B Funny
·Shaw
| reply to Smokey Bear Re: Cnet download
said by Smokey Bear :...how many other malicious programs are offered by CNET? That's a very good question. I haven't DL'd from cnet/ download.com in years, but I know people who do. I'll have to let 'em know.
But it is very irresponsible to allow this to happen. -- "In the future, that which is not mandatory will be illegal" |
|
  Woody79_00
join:2004-07-08 united state
| reply to Blackbird Re: Cnet tells users 100% guarantee infection
No computer is 100% secure. Not Linux, not Windows, and not MAC. Even though Linux is the most secure of the 3 mentioned, it can be compromised like any other operating system if a person is not careful.
I do find it humorous though how many people believe that Software Restriction Policies, and certain programs like Faronics Anti-Executable and other execution protection software will protect them from all danger...when Mark Russinovich proved this not to be the case at all and quite some time ago
As recently as October of 2008 Windows Software Restriction Policies and Programs like Faronics Anti-Executable can be bypassed by Malware Via "Patching in memory" certain functions and key values in kernel32.dll among others, in turn "intercepting" the point of the check and giving errors or "fake values" allowing the executable to run. It still hasn't been patched.
You can read about this here.
»hype-free.blogspot.com/2008/10/l···ion.html
The findings are quite telling...how do you know a piece of malware hasn't done this already? Many keyloggers or postloggers (a key logger that actually takes screen shots of your entire screen) will NOT:
1. slow down your system 2. leave any trace whatsoever they are even present
The malware that Symantec, McAfee and others deem of a quality of "software engineer" are not going to be detected or noticed very easily if at all.
IMO the only way to reliably detect malware on a system is to throw out signatures and heuristics and go to "port monitoring"
In other words, all malware listens to or talks through a port...the security vendors need to focus on this aspect more than anything...even a rootkit malware needs to talk on a port or it is useless
Why doesn't Windows have something like Tripwire for Linux? If "anything" has been changed, you will know about it...this is more important than anything else
I run Tripwire and build my hashes
I check them once a day
Before I do a patch update, I run Tripwire and check it
If values come back ok, I patch my system
I then rebuild my Tripwire database
This way if "anything" has changed that I did explicitly change, I will know about it....and that is how I can tell if I have been had...Windows has no such thing
When I 1st started using Linux, I got hacked when I 1st started learning Apache Web Server, didn't have it configured correctly....but since then, I run a few of them for folks and have had no such issues, but I do maintain them..but even with it, it's a constant battle
It would be nice if Windows had something like Tripwire..where you could
1. Install clean OS. 2. Patch and update all apps 3. Build Tripwire database
Every month before patching run Tripwire and if all is A ok, patch then rebuild your database
This would be the 1 surefire way to be sure you're not compromised, not to mention RKHunter and ChkRootkit also look for ports that are listening and such and give you a good indicator of where you stand
Windows needs something like this! I don't just mean netstat, ipconfig or any of that...but something like Tripwire |
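The baseline/verify cycle described in the post above (install clean, build a hash database, check before patching, rebuild after) can be demonstrated with a small file-integrity checker. The following is an added example written for this thread; it is not Tripwire's code and not code from any poster. It hashes every regular file under a root directory with SHA-256, stores the result as JSON, and later reports paths that were added, removed or modified. The directory tree, file contents and the changes made to them in `demo()` are constructed here purely to exercise the checker.

```python
"""Minimal file-integrity baseline, in the spirit of the Tripwire workflow
described above (constructed example, not Tripwire's code)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # hash in 64 KiB blocks so large binaries are not read into memory at once


def hash_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk `root` and record, per relative path, the content hash, size and mode bits.

    Symlinks are recorded by their link text rather than followed, so a link
    re-pointed elsewhere shows up as a modification instead of silently
    hashing a file outside the tree. os.walk does not descend symlinked dirs.
    """
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order (cosmetic, not needed for correctness)
        for name in sorted(filenames):
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                baseline[rel] = {"symlink": os.readlink(p)}
            elif p.is_file():
                st = p.stat()
                baseline[rel] = {
                    "sha256": hash_file(p),
                    "size": st.st_size,
                    "mode": st.st_mode & 0o7777,
                }
    return baseline


def save_baseline(baseline: dict, db_path: Path) -> None:
    """Persist the baseline as JSON. Keep db_path OFF the monitored tree."""
    db_path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(db_path: Path) -> dict:
    return json.loads(db_path.read_text())


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines; returns sorted lists of added, removed and modified paths."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def demo() -> dict:
    """Run install -> baseline -> (changes) -> verify on a constructed directory tree."""
    with tempfile.TemporaryDirectory() as tree, tempfile.TemporaryDirectory() as dbdir:
        root, db = Path(tree), Path(dbdir) / "baseline.json"
        # Step 1/2: a "clean, patched" system, constructed for the example.
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"original binary")
        (root / "config.ini").write_text("debug=0\n")
        # Step 3: build and store the database, outside the monitored tree.
        save_baseline(build_baseline(root), db)

        # Simulated tampering between checks (constructed, not real malware):
        # a same-length edit to the binary, a new DLL, and a deleted config file.
        (root / "bin" / "app.exe").write_bytes(b"origina1 binary")  # size unchanged
        (root / "bin" / "dropper.dll").write_bytes(b"\x00" * 16)
        (root / "config.ini").unlink()

        # Pre-patch check: compare the stored database with the live tree.
        report = compare(load_baseline(db), build_baseline(root))
        for kind, paths in report.items():
            for p in paths:
                print(f"{kind:9s} {p}")
        return report


if __name__ == "__main__":
    demo()
```

Two points the example is built to show. The hash, not size or timestamp, is what catches the same-length edit to `app.exe`, which is why a checker of this kind keeps a content digest per file. And the database lives outside the tree it guards; Tripwire goes further and signs its database, because a checker that runs on the host it inspects has the same weakness raised earlier in the thread about in-process SRP checks: code already running on the box can feed it false answers. For high assurance, run the comparison from a trusted boot (a live DVD, as another poster mentioned) against a baseline kept on read-only media.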
|
  Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub
| reply to FiOS Dan Re: Cnet download
said by FiOS Dan :Damn disturbing about cnet. I always assumed they screened software before offering it on their site. Apparently not. Many people rely on and trust CNET/download.com, obviously all the time they are wrong with their confidence. And now the main question: beside Intelinet Internet Security rogue anti-spyware, how many other malicious programs are offered by CNET? -- Smokey's Security Forums »www.smokey-services.eu/forum/ Smokey's Security Weblog »smokeys.wordpress.com/ Site Member ASAP - Alliance of Security Analysis Professionals |
|
  james
join:2001-02-26 antarctica | reply to DarkSithPro Re: Cnet tells users 100% guarantee infection
I'd say it's a safe statement to make. Who here can honestly say they have NEVER had to remove a virus or adware from one of their computers? If they were claiming that every computer was at this moment infected, then they'd be wrong. |
|
  FiOS Dan Premium join:2001-07-06 Redondo Beach, CA
·Verizon FIOS
| reply to Smokey Bear Re: Cnet download
Damn disturbing about cnet. I always assumed they screened software before offering it on their site.  -- Courage is being scared to death but saddling up anyway.
|