A cautionary note for the free AV Users

Old 18th Oct 2011, 12:25
  #1 (permalink)  
Thread Starter
 
Join Date: Aug 2002
Location: Earth
Posts: 3,663
Likes: 0
Received 0 Likes on 0 Posts
A cautionary note for the free AV Users

Picking up on a comment from Mike-Bracknell in another thread ...

if you pay for your package you need to understand that the virus definitions are likely to have been gleaned from others who will have paid for their package....and given that the FAR greater number of people who DON'T pay for their package are the ones who will be providing the free AV vendors their definitions, you can see why it would be better (and cheaper) to go free.
This is not necessarily true, particularly for zero-day emerging threats that require more than just the correct hash signature to be in the AV database.

I thought it would be good to show a real-life example.

Case in point, I received a suspicious attachment in my inbox today.

First scan at around 08:00 UTC revealed only 4/43 anti-virus packages picked up the virus; four hours later at 12:00 UTC, we're only up to 7/43 packages.

At 12:00 UTC, all of the packages that pick it up continue to be commercial products:

Commtouch
F-Prot
Fortinet
K7
Kaspersky
Sophos
Symantec

None of the common free ones picked it up as a virus on their latest definitions as of 12:00 UTC.

The moral of the story is, be careful out there. The second moral of the story is that Mike's assumption of safety in numbers is wrong.


Edit:

For the technically inclined who want to know what to look out for....

SHA1(Delivery_Information_No#7082.zip)= 2565b27b881bebb94fb60d21d0bc170556f58b8

MD5(Delivery_Information_No#7082.zip)= 6bd53a62c768f7ce8663310ed404b89c

It's a trojan that installs a backdoor (hey... we were talking about this the other day.... a way to bypass NAT.... )
mixture is offline  
Old 18th Oct 2011, 13:55
  #2 (permalink)  
 
Join Date: Jun 2003
Location: EuroGA.org
Posts: 13,787
Likes: 0
Received 0 Likes on 0 Posts
It's easy to bypass NAT if you send somebody an email and they click on the attachment

IIRC, that is how somebody stole a list of AOL customers, a few years ago.

Whether they used an .exe attachment or some more subtle method like a malformed JPEG, I don't know.

But the basic principle is that if you can get somebody to execute code of your choice, then (assuming the "somebody" has access to the internet) all the firewalls in the world are worthless.
IO540 is offline  
Old 18th Oct 2011, 14:09
  #3 (permalink)  
Thread Starter
 
Join Date: Aug 2002
Location: Earth
Posts: 3,663
Likes: 0
Received 0 Likes on 0 Posts
True to a certain extent.

There are exploits out there that use JavaScript, Java or ActiveX in your web browser to bypass NAT too.

"I'll just disable JavaScript" you say? They say "We'll use a browser quirk that delays the rendering of images".

Watching the timing differences enables the attacker to derive which ports are open and which aren't, and build upon that.

There's also another variant out there that makes use of CSS (code that's commonly used by websites to lay out their user interfaces).

Time to consider a text only web browser such as Lynx perhaps .....
mixture is offline  
Old 18th Oct 2011, 14:57
  #4 (permalink)  
 
Join Date: Jun 2003
Location: EuroGA.org
Posts: 13,787
Likes: 0
Received 0 Likes on 0 Posts
That's quite clever...

I admire the hacks which grab snapshots of video memory, to grab the stupid onscreen keyboards which the banks love so much...

The problem with disabling scripts (I use NoScript in FF) is that most websites stop working, many of them stop working to an extent sufficient to render the relevant content invisible, and any online shopping site is a no-no because you just get the payment failing when the damned thing redirects you to the payment processor.

In practice, 99% of web users will never bother with that.

Which makes it kind of tricky...
IO540 is offline  