Thread: Desktop antivirus - it's dead

  1. #1
    Virus Guy Guest

    Re: Desktop antivirus - it's dead

    kurt wismer wrote:

    > > I don't recall that it was ever shown that any AV product
    > > prevented, for example, IE from crashing when exposed to
    > > test samples of the VML vulnerability.

    >
    > i don't recall it either, but that doesn't mean it didn't happen..


    Why don't you try something then.

    Swap out your patched vgx.dll for an older one, then try this page:

    http://209.85.165.104/search?q=cache...lnk&cd=1&gl=ca

    It's the google cached version of this:

    http://zert.isotf.org/testvml.htm

    or this:

    http://www.isotf.org/zert/testvml.htm

    Which doesn't seem to exist any more, but was designed to trigger the
    VML vulnerability.

    Presumably NOD-32 should intercept the code before IE is crashed by
    it.

  2. #2
    What's in a Name? Guest

    Re: Desktop antivirus - it's dead

    After much thought, Virus Guy came up with this jewel:

    > kurt wismer wrote:
    >
    > > > I don't recall that it was ever shown that any AV product
    > > > prevented, for example, IE from crashing when exposed to
    > > > test samples of the VML vulnerability.

    > >
    > > i don't recall it either, but that doesn't mean it didn't happen..

    >
    > Why don't you try something then.
    >
    > Swap out your patched vgx.dll for an older one, then try this page:
    >
    > http://209.85.165.104/search?q=cache...sotf.org/testv
    > ml.htm+testvml.htm&hl=en&ct=clnk&cd=1&gl=ca
    >
    > It's the google cached version of this:
    >
    > http://zert.isotf.org/testvml.htm
    >
    > or this:
    >
    > http://www.isotf.org/zert/testvml.htm
    >
    > Which doesn't seem to exist any more, but was designed to trigger the
    > VML vulnerability.
    >
    > Presumably NOD-32 should intercept the code before IE is crashed by
    > it.


    I just checked it out (with an unpatched W2K) and Nod alerted and
    blocked loading of page! I guess it works!

    max
    --
    Virus Removal Instructions http://home.neo.rr.com/manna4u/
    Keeping Windows Clean http://home.neo.rr.com/manna4u/keepingclean.html
    Change nomail.afraid.org to gmail.com to reply. nomail.afraid.org is
    specifically set up for USENET. Feel free to use it yourself.

  3. #3
    Virus Guy Guest

    Re: Desktop antivirus - it's dead

    What's in a Name? wrote:

    > > Why don't you try something then (VML exploit test)
    > >
    > > Presumably NOD-32 should intercept the code before IE is
    > > crashed by it.

    >
    > I just checked it out (with an unpatched W2K) and Nod alerted
    > and blocked loading of page! I guess it works!


    All right, very good then.

    What other AV software currently performs the same feat?

  4. #4
    kurt wismer Guest

    Re: Desktop antivirus - it's dead

    What's in a Name? wrote:
    > After much thought, Virus Guy came up with this jewel:

    [snip]
    >> Swap out your patched vgx.dll for an older one, then try this page:
    >>
    >> http://209.85.165.104/search?q=cache...sotf.org/testv
    >> ml.htm+testvml.htm&hl=en&ct=clnk&cd=1&gl=ca
    >>
    >> It's the google cached version of this:
    >>
    >> http://zert.isotf.org/testvml.htm
    >>
    >> or this:
    >>
    >> http://www.isotf.org/zert/testvml.htm
    >>
    >> Which doesn't seem to exist any more, but was designed to trigger the
    >> VML vulnerability.
    >>
    >> Presumably NOD-32 should intercept the code before IE is crashed by
    >> it.

    >
    > I just checked it out (with an unpatched W2K) and Nod alerted and
    > blocked loading of page! I guess it works!


    thanks for the verification... i think it's safe to say now that nod32
    qualifies as a first line of defense at the end-point
    (http://anti-virus-rants.blogspot.com...oint-anti.html)

    --
    "it's not the right time to be sober
    now the idiots have taken over
    spreading like a social cancer,
    is there an answer?"

  5. #5
    Virus Guy Guest

    Re: Desktop antivirus - it's dead

    kurt wismer wrote:

    > > I just checked it out (with an unpatched W2K) and Nod alerted
    > > and blocked loading of page! I guess it works!


    Just to make things clear - even if NOD displayed a detection message
    - did IE crash, or did it give a "page not found" error? What exactly
    was IE's behavior when it was pointed at that page?

    > thanks for the verification... i think it's safe to say now
    > that nod32 qualifies as a first line of defense at the end-point


    Does anyone else find it interesting that Google served up that page
    without any warning, especially since it came from their own cache?

    It's sad that after all this time, that Google still has little to no
    ability (or they choose not to deploy) more sophisticated exploit
    detection and warning mechanisms on their search page.

  6. #6
    What's in a Name? Guest

    Re: Desktop antivirus - it's dead

    After much thought, Virus Guy came up with this jewel:

    > kurt wismer wrote:
    >
    > > > I just checked it out (with an unpatched W2K) and Nod alerted
    > > > and blocked loading of page! I guess it works!

    >
    > Just to make things clear - even if NOD displayed a detection message
    > - did IE crash, or did it give a "page not found" error? What exactly
    > was IE's behavior when it was pointed at that page?



    IE did not crash, but I do not remember what was displayed. I use the
    mvp hosts file and get a lot of "page not found" in the ad boxes. Sorry
    but I let the auto-updater run last night.

    > > thanks for the verification... i think it's safe to say now
    > > that nod32 qualifies as a first line of defense at the end-point

    >
    > Does anyone else find it interesting that Google served up that page
    > without any warning, especially since it came from their own cache?
    >
    > It's sad that after all this time, that Google still has little to no
    > ability (or they choose not to deploy) more sophisticated exploit
    > detection and warning mechanisms on their search page.


    I don't think it is feasible for google to check on every link provided
    in a search, nor do I want them to.

    max
    --
    Virus Removal Instructions http://home.neo.rr.com/manna4u/
    Keeping Windows Clean http://home.neo.rr.com/manna4u/keepingclean.html
    Change nomail.afraid.org to gmail.com to reply. nomail.afraid.org is
    specifically set up for USENET. Feel free to use it yourself.

  7. #7
    Virus Guy Guest

    Re: Desktop antivirus - it's dead

    What's in a Name? wrote:

    > > It's sad that after all this time, that Google still has little
    > > to no ability (or they choose not to deploy) more sophisticated
    > > exploit detection and warning mechanisms on their search page.

    >
    > I don't think it is feasible for google to check on every link
    > provided in a search, nor do I want them to.


    What do you think Google and its army of web robots do all day?

    They scour the internet day and night. Their machines vacuum up every
    piece of net-available content they can find.

    If they can put up a list of results to a search, they certainly have
    the ability to check the underlying code for the presence of exploits
    in those results.

    And even if they didn't, they could at least be more of an active
    participant at discovering and sharing exploits with AV companies.
    I'm not aware if they do that - or not.

    If anyone is in a position to offer web security software products, it
    would be a search engine company, and google is the biggest and best
    funded of them all. It's strange that they don't leverage their
    talent and their assets more effectively. Not only are they in an
    incredibly good position to discover web-based exploits in a near
    real-time manner, but they could integrate those discoveries into a
    commercial browser-security add-on product, and could update domain
    blocking lists on a dynamic basis.

  8. #8
    What's in a Name? Guest

    Re: Desktop antivirus - it's dead

    After much thought, Virus Guy came up with this jewel:

    > What's in a Name? wrote:
    >
    > > > It's sad that after all this time, that Google still has little
    > > > to no ability (or they choose not to deploy) more sophisticated
    > > > exploit detection and warning mechanisms on their search page.

    > >
    > > I don't think it is feasible for google to check on every link
    > > provided in a search, nor do I want them to.

    >
    > they could at least be more of an active
    > participant at discovering and sharing exploits with AV companies.


    Tell them what you think. Call it "Google Safe"!
    http://labs.google.com/why-google.html
    They're always looking for ideas.

    max
    --
    Virus Removal Instructions http://home.neo.rr.com/manna4u/
    Keeping Windows Clean http://home.neo.rr.com/manna4u/keepingclean.html
    Change nomail.afraid.org to gmail.com to reply. nomail.afraid.org is
    specifically set up for USENET. Feel free to use it yourself.

  9. #9
    Michael Arends Guest

    Re: Desktop antivirus - it's dead

    kurt wismer answered:
    > What's in a Name? wrote:
    >> After much thought, Virus Guy came up with this jewel:

    > [snip]
    >>> Swap out your patched vgx.dll for an older one, then try this page:
    >>>
    >>> http://209.85.165.104/search?q=cache...sotf.org/testv
    >>> ml.htm+testvml.htm&hl=en&ct=clnk&cd=1&gl=ca
    >>>
    >>> It's the google cached version of this:
    >>>
    >>> http://zert.isotf.org/testvml.htm
    >>>
    >>> or this:
    >>>
    >>> http://www.isotf.org/zert/testvml.htm
    >>>
    >>> Which doesn't seem to exist any more, but was designed to trigger the
    >>> VML vulnerability.
    >>>
    >>> Presumably NOD-32 should intercept the code before IE is crashed by
    >>> it.

    >> I just checked it out (with an unpatched W2K) and Nod alerted and
    >> blocked loading of page! I guess it works!

    >
    > thanks for the verification... i think it's safe to say now that nod32
    > qualifies as a first line of defense at the end-point
    > (http://anti-virus-rants.blogspot.com...oint-anti.html)
    >

    I know I'm coming into the conversation late. But NOD alerted ME too.

    --
    *..· ´¨¨))
    ¸.·´ .·´¨¨))
    ((¸¸.·´ .·´-:¦:-((¸¸.·´(º·.¸(¨*·.¸ ¸.·*¨)¸.·º)
    «.·°·. Michael .·°·-:¦:-




  10. #10
    kurt wismer Guest

    Re: Desktop antivirus - it's dead

    Virus Guy wrote:
    > kurt wismer wrote:
    >
    >>> I don't recall that it was ever shown that any AV product
    >>> prevented, for example, IE from crashing when exposed to
    >>> test samples of the VML vulnerability.

    >> i don't recall it either, but that doesn't mean it didn't happen..

    >
    > Why don't you try something then.
    >
    > Swap out your patched vgx.dll for an older one, then try this page:
    >
    > http://209.85.165.104/search?q=cache...lnk&cd=1&gl=ca
    >
    > It's the google cached version of this:
    >
    > http://zert.isotf.org/testvml.htm
    >
    > or this:
    >
    > http://www.isotf.org/zert/testvml.htm
    >
    > Which doesn't seem to exist any more, but was designed to trigger the
    > VML vulnerability.
    >
    > Presumably NOD-32 should intercept the code before IE is crashed by
    > it.


    yeah, well, since i'm not a nod32 user the above experiment won't really
    tell us anything...

    --
    "it's not the right time to be sober
    now the idiots have taken over
    spreading like a social cancer,
    is there an answer?"
