
Thread: Free vs paid

  1. #21
    David H. Lipman Guest

    Re: Free vs paid

    From: "Shadow" <Sh@dow.br>

    > On Tue, 7 Jun 2011 21:11:45 -0400, "David H. Lipman"
    > <DLipman~nospam~@Verizon.Net> wrote:
    >
    >> From: "FromTheRafters" <erratic@nomail.afraid.org>
    >>
    >>> David H. Lipman wrote:
    >>>> From: "FromTheRafters"<erratic@nomail.afraid.org>
    >>>>
    >>>>>> Which provides close to zero protection against the most common type of
    >>>>>> current infections, the rogue security software installers.
    >>>>>
    >>>>> The idea is to not install them. If you go around installing malware, no firewall is
    >>>>> going to save you.
    >>>>
    >>>> The vast majority use Social Engineering which is the human exploit.
    >>>>
    >>> Depending on what gets downloaded, the firewall is
    >>> already defeated.
    >>>
    >>> I think gaz was implying that you need a better
    >>> firewall to detect lame 'phone home' attempts.
    >>> I am of the opinion that you've already lost the
    >>> race when you have malware running behind the
    >>> firewall.

    >>
    >> Yes. The only hope is that the FireWall detects unusual outgoing packets and blocks
    >> it/them.

    > The only malware I ever ran on my PC was picked up by kerio
    > 2.1.5 the next day, when it tried to phone home. Antivirus firms took
    > up to a month to add it to their databases. I had to remove it
    > manually.
    > []'s


    Which "Antivirus firms took up to a month to add it to their databases" ?


    --
    Dave
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  2. #22
    Shadow Guest

    Re: Free vs paid

    On Wed, 8 Jun 2011 08:53:37 -0400, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> wrote:

    >> The only malware I ever ran on my PC was picked up by kerio
    >> 2.1.5 the next day, when it tried to phone home. Antivirus firms took
    >> up to a month to add it to their databases. I had to remove it
    >> manually.
    >> []'s

    >
    >Which "Antivirus firms took up to a month to add it to their databases" ?

    Avast, for one, took 3 weeks. Others still did not detect it
    after a month. I posted the trojan to you at the time.
    If you really want, it's probably in my archives,
    somewhere.
    []'s

  3. #23
    Shadow Guest

    Re: Free vs paid

    On Wed, 08 Jun 2011 12:13:36 -0300, Shadow <Sh@dow.br> wrote:

    >On Wed, 8 Jun 2011 08:53:37 -0400, "David H. Lipman"
    ><DLipman~nospam~@Verizon.Net> wrote:
    >
    >>> The only malware I ever ran on my PC was picked up by kerio
    >>> 2.1.5 the next day, when it tried to phone home. Antivirus firms took
    >>> up to a month to add it to their databases. I had to remove it
    >>> manually.
    >>> []'s

    >>
    >>Which "Antivirus firms took up to a month to add it to their databases" ?

    > Avast, for one, took 3 weeks. Others still did not detect it
    >after a month. I posted the trojan to you at the time.
    > If you really want, it's probably in my archives,
    >somewhere.
    > []'s

    It is. At least my HD backup does not suffer from
    Alzheimer's...

    http://virusscan.jotti.org/en/scanre...7d2ccab483fa78


    http://www.virustotal.com/file-scan/...8cf-1307546401

    Sorry about the long links.
    At the time, I sent you its MD5
    Message-ID: <h720t80c4t@news3.newsguy.com>
    Yes, I have;
    MD5: 0x3DE68324891964BDD2227141474797BB
    SHA-1: 0x5DAE0941F1818E6127729FC15897F12539ED6D5E
    Filesize: 725,796 bytes

  4. #24
    David H. Lipman Guest

    Re: Free vs paid

    From: "Shadow" <Sh@dow.br>

    > On Wed, 8 Jun 2011 08:53:37 -0400, "David H. Lipman"
    > <DLipman~nospam~@Verizon.Net> wrote:
    >
    >>> The only malware I ever ran on my PC was picked up by kerio
    >>> 2.1.5 the next day, when it tried to phone home. Antivirus firms took
    >>> up to a month to add it to their databases. I had to remove it
    >>> manually.
    >>> []'s

    >>
    >> Which "Antivirus firms took up to a month to add it to their databases" ?

    > Avast, for one, took 3 weeks. Others still did not detect it
    > after a month. I posted the trojan to you at the time.
    > If you really want, it's probably in my archives,
    > somewhere.
    > []'s


    Thanx!

    --
    Dave
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  5. #25
    gaz Guest

    Re: Free vs paid

    FromTheRafters wrote:
    > David H. Lipman wrote:
    >> From: "FromTheRafters"<erratic@nomail.afraid.org>
    >>
    >>>>
    >>>> Which provides close to zero protection against the most common
    >>>> type of current infections, the rogue security software installers.
    >>>
    >>> The idea is to not install them. If you go around installing
    >>> malware, no firewall is going to save you.

    >>
    >> The vast majority use Social Engineering which is the human exploit.
    >>

    > Depending on what gets downloaded, the firewall is
    > already defeated.
    >
    > I think gaz was implying that you need a better
    > firewall to detect lame 'phone home' attempts.
    > I am of the opinion that you've already lost the
    > race when you have malware running behind the
    > firewall.


    I was thinking more, a security product that can stop these installations.
    Avira is an excellent anti virus, but, like all the other anti virus and
    internet security products seem to be unable to stop even malware products
    which are months old.

    As others have mentioned, probably a paid for malwarebytes is necessary. At
    least they are quick to get on top of these infections.



  6. #26
    FromTheRafters Guest

    Re: Free vs paid

    gaz wrote:
    > FromTheRafters wrote:
    >> David H. Lipman wrote:
    >>> From: "FromTheRafters"<erratic@nomail.afraid.org>
    >>>
    >>>>>
    >>>>> Which provides close to zero protection against the most common
    >>>>> type of current infections, the rogue security software installers.
    >>>>
    >>>> The idea is to not install them. If you go around installing
    >>>> malware, no firewall is going to save you.
    >>>
    >>> The vast majority use Social Engineering which is the human exploit.
    >>>

    >> Depending on what gets downloaded, the firewall is
    >> already defeated.
    >>
    >> I think gaz was implying that you need a better
    >> firewall to detect lame 'phone home' attempts.
    >> I am of the opinion that you've already lost the
    >> race when you have malware running behind the
    >> firewall.

    >
    > I was thinking more, a security product that can stop these installations.
    > Avira is an excellent anti virus, but, like all the other anti virus and
    > internet security products seem to be unable to stop even malware products
    > which are months old.
    >
    > As others have mentioned, probably a paid for malwarebytes is necessary. At
    > least they are quick to get on top of these infections.


    For AV it used to be a case of which one can, and which cannot, detect a
    certain virus. With simple trojans running rampant, it comes down to who
    can react the fastest and get detectability to the customer quickly.
    Nevermind that the trojan will be morphed into a different form the very
    next day.




  7. #27
    Dustin Guest

    Re: Free vs paid

    FromTheRafters <erratic@nomail.afraid.org> wrote in
    news:isols7$itq$1@dont-email.me:

    > gaz wrote:
    >> FromTheRafters wrote:
    >>> David H. Lipman wrote:
    >>>> From: "FromTheRafters"<erratic@nomail.afraid.org>
    >>>>
    >>>>>>
    >>>>>> Which provides close to zero protection against the most common
    >>>>>> type of current infections, the rogue security software
    >>>>>> installers.
    >>>>>
    >>>>> The idea is to not install them. If you go around installing
    >>>>> malware, no firewall is going to save you.
    >>>>
    >>>> The vast majority use Social Engineering which is the human
    >>>> exploit.
    >>>>
    >>> Depending on what gets downloaded, the firewall is
    >>> already defeated.
    >>>
    >>> I think gaz was implying that you need a better
    >>> firewall to detect lame 'phone home' attempts.
    >>> I am of the opinion that you've already lost the
    >>> race when you have malware running behind the
    >>> firewall.

    >>
    >> I was thinking more, a security product that can stop these
    >> installations. Avira is an excellent anti virus, but, like all the
    >> other anti virus and internet security products seem to be unable
    >> to stop even malware products which are months old.
    >>
    >> As others have mentioned, probably a paid for malwarebytes is
    >> necessary. At least they are quick to get on top of these
    >> infections.

    >
    > For AV it used to be a case of which one can, and which cannot,
    > detect a certain virus. With simple trojans running rampant, it
    > comes down to who can react the fastest and get detectability to the
    > customer quickly. Nevermind that the trojan will be morphed into a
    > different form the very next day.


    Forget the very next day, try the very next download. server side poly.


    --
    Why drink the water from my hand?
    Contagious as you think I am
    Just tilt my sun towards your domain
    Your cup runneth over again

  8. #28
    FromTheRafters Guest

    Re: Free vs paid

    Dustin wrote:
    > FromTheRafters<erratic@nomail.afraid.org> wrote in
    > news:isols7$itq$1@dont-email.me:
    >
    >> gaz wrote:
    >>> FromTheRafters wrote:
    >>>> David H. Lipman wrote:
    >>>>> From: "FromTheRafters"<erratic@nomail.afraid.org>
    >>>>>
    >>>>>>>
    >>>>>>> Which provides close to zero protection against the most common
    >>>>>>> type of current infections, the rogue security software
    >>>>>>> installers.
    >>>>>>
    >>>>>> The idea is to not install them. If you go around installing
    >>>>>> malware, no firewall is going to save you.
    >>>>>
    >>>>> The vast majority use Social Engineering which is the human
    >>>>> exploit.
    >>>>>
    >>>> Depending on what gets downloaded, the firewall is
    >>>> already defeated.
    >>>>
    >>>> I think gaz was implying that you need a better
    >>>> firewall to detect lame 'phone home' attempts.
    >>>> I am of the opinion that you've already lost the
    >>>> race when you have malware running behind the
    >>>> firewall.
    >>>
    >>> I was thinking more, a security product that can stop these
    >>> installations. Avira is an excellent anti virus, but, like all the
    >>> other anti virus and internet security products seem to be unable
    >>> to stop even malware products which are months old.
    >>>
    >>> As others have mentioned, probably a paid for malwarebytes is
    >>> necessary. At least they are quick to get on top of these
    >>> infections.

    >>
    >> For AV it used to be a case of which one can, and which cannot,
    >> detect a certain virus. With simple trojans running rampant, it
    >> comes down to who can react the fastest and get detectability to the
    >> customer quickly. Nevermind that the trojan will be morphed into a
    >> different form the very next day.

    >
    > Forget the very next day, try the very next download. server side poly.
    >

    I've noticed that they put quite some effort into the obfuscating of the
    scripts used just to get you to a friendly (SE) download ... and that's
    before you even get the trojan executable itself. I've noticed
    the file's random-looking name on the server, but didn't know how often
    that executable itself actually changed.

  9. #29
    Dustin Guest

    Re: Free vs paid

    FromTheRafters <erratic@nomail.afraid.org> wrote in
    news:isp46n$cgb$1@dont-email.me:

    > Dustin wrote:
    >> FromTheRafters<erratic@nomail.afraid.org> wrote in
    >> news:isols7$itq$1@dont-email.me:
    >>
    >>> gaz wrote:
    >>>> FromTheRafters wrote:
    >>>>> David H. Lipman wrote:
    >>>>>> From: "FromTheRafters"<erratic@nomail.afraid.org>
    >>>>>>
    >>>>>>>>
    >>>>>>>> Which provides close to zero protection against the most
    >>>>>>>> common type of current infections, the rogue security
    >>>>>>>> software installers.
    >>>>>>>
    >>>>>>> The idea is to not install them. If you go around installing
    >>>>>>> malware, no firewall is going to save you.
    >>>>>>
    >>>>>> The vast majority use Social Engineering which is the human
    >>>>>> exploit.
    >>>>>>
    >>>>> Depending on what gets downloaded, the firewall is
    >>>>> already defeated.
    >>>>>
    >>>>> I think gaz was implying that you need a better
    >>>>> firewall to detect lame 'phone home' attempts.
    >>>>> I am of the opinion that you've already lost the
    >>>>> race when you have malware running behind the
    >>>>> firewall.
    >>>>
    >>>> I was thinking more, a security product that can stop these
    >>>> installations. Avira is an excellent anti virus, but, like all
    >>>> the other anti virus and internet security products seem to be
    >>>> unable to stop even malware products which are months old.
    >>>>
    >>>> As others have mentioned, probably a paid for malwarebytes is
    >>>> necessary. At least they are quick to get on top of these
    >>>> infections.
    >>>
    >>> For AV it used to be a case of which one can, and which cannot,
    >>> detect a certain virus. With simple trojans running rampant, it
    >>> comes down to who can react the fastest and get detectability to
    >>> the customer quickly. Nevermind that the trojan will be morphed
    >>> into a different form the very next day.

    >>
    >> Forget the very next day, try the very next download. server side
    >> poly.
    >>

    > I've noticed that they put quite some effort into the obfuscating of
    > the scripts used just to get you to a friendly (SE) download ... and
    > that's before you even get the trojan executable itself. I've
    > noticed the file's random-looking name on the server, but didn't
    > know how often that executable itself actually changed.


    In some cases, the differences between the executables aren't enough to
    evade detection. With that said, in many other cases, it's a very
    significant change to the file. Same family, but very different looking
    binary as opposed to the one you downloaded moments ago. Not all sites
    are serving them this way, but.. alas, some do. So the technology is
    known. It's just a matter of time before it's scaled up.




    --
    Why drink the water from my hand?
    Contagious as you think I am
    Just tilt my sun towards your domain
    Your cup runneth over again
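
The contrast drawn in this thread between signature lag, per-download variants and an outbound firewall catching a "phone home", as an added Python example that is not part of any poster's message. All images, paths, addresses and rule sets are constructed, and the hash-keyed egress allowlist is an assumed policy model, not Kerio's actual rule format.

```python
import hashlib
from dataclasses import dataclass

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for executable images (not real samples).
BROWSER = b"constructed browser image"
VARIANT_A = b"constructed family-X payload" + b"\x00pad-1"
VARIANT_B = b"constructed family-X payload" + b"\x00pad-2"  # served on the next download

# Blocklist as a signature set would hold it: only the variant already analysed.
KNOWN_BAD = {sha256(VARIANT_A)}
# Assumed egress policy: approved image hash -> remote ports that program may reach.
ALLOWED_EGRESS = {sha256(BROWSER): {80, 443}}

@dataclass
class Conn:
    path: str     # image path of the process opening the connection
    image: bytes  # image contents (hashed at connect time)
    dst: str
    port: int

def hash_verdict(c: Conn) -> str:
    """Exact-hash detection: fires only on images already in the signature set."""
    return "known-bad" if sha256(c.image) in KNOWN_BAD else "no-match"

def egress_verdict(c: Conn) -> str:
    """Default-deny outbound rule: only approved programs on approved ports."""
    ports = ALLOWED_EGRESS.get(sha256(c.image))
    if ports is None:
        return "block: unapproved program"
    if c.port not in ports:
        return "block: unapproved port"
    return "allow"

# Constructed outbound connection events; addresses are from documentation ranges.
EVENTS = [
    Conn(r"C:\Program Files\Browser\browser.exe", BROWSER, "192.0.2.10", 443),
    Conn(r"C:\Users\u\AppData\a1.exe", VARIANT_A, "198.51.100.7", 80),
    Conn(r"C:\Users\u\AppData\q9.exe", VARIANT_B, "198.51.100.7", 80),
]

def evaluate(events):
    """Return (image name, hash verdict, egress verdict) for each event."""
    return [(c.path.rsplit("\\", 1)[-1], hash_verdict(c), egress_verdict(c)) for c in events]

if __name__ == "__main__":
    for row in evaluate(EVENTS):
        print(*row, sep=" | ")
```

The second variant misses the hash blocklist yet is still stopped on egress, because the outbound rule keys on approved programs rather than on known-bad ones.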
