Windows 7 Forums
Windows 7: How did they slip past AVAST?

11 Sep 2013   #1

Windows XP Pro SP3, Windows 7 Pro 32-bit, Windows 7 Ultimate 64bit, Windows XP Home SP3
How did they slip past AVAST?

I'm looking at the worst case of infection I've seen in 3 years - basically it is a nuke/redo.
This is a lightly-loaded and lightly-used PC; it has little on it other than wildlife photos from a hunting ranch, a few programs like for Garmin GPS and Adobe Reader, etc., and Outlook [may be the path?].

This thing has a zw Java exploit rootkit of some variant, along with several trojan droppers, ransomware, and other things I'm sure I haven't found yet. The top layers were easy to disarm, but the rootkit[s] at bottom eluded both the popular TDSSKiller and Malwarebytes' later entry into the rootkit find/disarm game - both came up clean and so did routine AVAST scans, although the full scan of the latter noted some password-protected JavaScript files that would seem to be innocuous, but I don't trust them given the primary exploit. Microsoft's aging RootkitRevealer found a number of problems - quite a list. And Trend Micro's beta RootkitBuster found a couple of dozen entries that it could not deal with [log: "unable to fix"].

QUESTIONS: what do you think was the door-opener? The machine did have old Java 6 - I believe the updates were through 24 or 25.
HOW did it slip past the AVAST, which was a full install, updated/latest, and all scanners running including mail scanner???
The user's primary browser has been Chrome, at my suggestion! Not IE very much, other than one or two cranky secure sites that don't play nice with Chrome.

Sign me baffled... bewildered. My guess, based on some comments by the user, is that this all started with a mail attachment from "a friend", later finding out that the friend's email account had been hijacked. How many times do we have to tell people: DO NOT CLICK.


11 Sep 2013   #2

Win 7 Pro 64-bit
My usual disclaimer: I'm not an expert at anything!

If I had to take a guess I'd say that Java 6 is a likely candidate. Back in January (and for the next few months if I remember correctly) Java 6 and the first few releases of Java 7 were being exploited big time. Seemed like new releases were coming out weekly.

Quote:
This vulnerability was mainly being exploited by exploit packs, which are crimeware tools made to be stitched into Web sites so that when visitors come to the site with vulnerable/outdated browser plugins (like this Java bug), the site can silently install malware on the visitor's PC. Exploit packs can be just as easily inserted into legitimate, hacked Web sites as they can be stitched into porn sites. All it takes is for the attackers to be able to insert one line of code into a compromised Web site.
Source

Additional Source

Most, if not all, of the consumer security experts who post on this Forum agree that no anti-malware program will be 100% effective 100% of the time. If there was such a product we'd all be using it. Avast is a well respected product, but it's not infallible. If Java was the open door that let the malware in, it's possible that whoever coded the malware was familiar enough with all the major anti-malware products to get past any of them. And your guess that a friend's hijacked email account may have played a part in all of this is equally possible.

Once a computer is infected I don't think I could ever be 100% sure that something wasn't left behind ... no matter how many scans I run that come back clean. For that reason I have several system images available so I can restore a known clean copy of everything on the hard drive in less than an hour. As compared to doing a clean install that can take many hours (or days) to get everything tweaked back to the way it was.
11 Sep 2013   #3

Windows XP Pro SP3, Windows 7 Pro 32-bit, Windows 7 Ultimate 64bit, Windows XP Home SP3
Certainly is a good summary. The Java exploit was certainly there: I've run so many tools I forget which one identified it, but it was early on in the cleanup.
I finally bailed and am reinstalling the OS from scratch. There was just too much core damage done - unnecessary chances for an issue.

I was mainly hoping to learn enough to help people avoid such in the future. I guess the anti-mal business is like the so-called Terror war: the preventers must be right 100% of the time - a real "iron dome" on all/every level. The bad guys get to pick their battle ... cherry-pick in fact.


11 Sep 2013   #4

Win 7 Pro 64-bit
Quote:
I guess the anti-mal business is like the so-called Terror war: the preventers must be right 100% of the time - a real "iron dome" on all/every level. The bad guys get to pick their battle ... cherry-pick in fact.
Very well said.
11 Sep 2013   #5

Windows 7 Pro. 64/SP-1
Just a thought.
I would check what programs you use and see if they even need Java.
Many systems don't need Java and don't install it. If you do need Java I would check for updates daily.
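Following the advice above, here is an added PowerShell example (not from the thread or any poster) that inventories the Java runtimes registered on a Windows 7 machine and flags any whose version is below a policy value you set. It reads the standard Uninstall registry keys (32- and 64-bit views) and Oracle's JavaSoft key; $MinimumAllowed is a placeholder you adjust to the current release.

```powershell
# Added example: list installed Java runtimes and flag outdated ones.
# Assumption: $MinimumAllowed is a placeholder policy value; set it to the
# current Java release before running. Run from an elevated PowerShell prompt.
$MinimumAllowed = [Version]'7.0.400'   # PLACEHOLDER, adjust to the current release

# The JRE/JDK installers register under these two Uninstall keys on a 64-bit OS
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Every installed product whose display name starts with "Java" (JRE, JDK, updates)
$javaProducts = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Java*' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation

if (-not $javaProducts) {
    Write-Output 'No Java runtime found in the Uninstall registry keys.'
} else {
    foreach ($p in $javaProducts) {
        $ver = $null
        # JRE DisplayVersion is normally of the form "7.0.250" (Java 7 Update 25);
        # anything that does not parse as a version is reported but not judged
        if ([Version]::TryParse($p.DisplayVersion, [ref]$ver) -and $ver -lt $MinimumAllowed) {
            Write-Output ('OUTDATED: {0} {1} at {2}' -f $p.DisplayName, $p.DisplayVersion, $p.InstallLocation)
        } else {
            Write-Output ('present : {0} {1}' -f $p.DisplayName, $p.DisplayVersion)
        }
    }
}

# Oracle's JavaSoft key records which runtime family is the system default
$javaSoft = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
if (Test-Path $javaSoft) {
    $current = (Get-ItemProperty -Path $javaSoft).CurrentVersion
    Write-Output "Default JRE family (JavaSoft\CurrentVersion): $current"
}
```

Anything reported as OUTDATED should be updated or, if no program on the machine actually needs it, removed through Programs and Features so the plugin is no longer reachable from the browser.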
12 Sep 2013   #6

Win-7 Home Prem 64-bit 7601 Free SP1
12 Sep 2013   #7

Win 7 Ultimate 64 bit
I'm still amazed by the number of people who still recommend MSE. It consistently rates lower on AV reviews than most of the other free AVs with the exception of McAfee (that one stays close to the bottom of all reviews). MSE's claim to fame is its light footprint, ease of setup, few or no popups, and ease of use.

The light footprint is a moot point anymore since most systems today can handle the "heavier" AVs, including resource hogs like Norton.

Setup takes place only once, so ease of setup shouldn't be a criterion for choosing an AV unless it is really obtuse.

Most free AVs, such as Avast, can be set to have few or no popups. Some popups are desirable, such as notification that a nasty has been blocked, but one can set them however they want.

Most free AVs are just as easy to use as MSE, in some cases, easier.
12 Sep 2013   #8

Win 7 Pro 64-bit
Just a general observation and I'm not directing my opinion at anyone. The choice of AV product is very subjective. Maybe someone's teacher, parent, friend, etc recommended something and that's why it's being used. Maybe someone has had good results (no infections) and continues to use a particular product regardless of where it ranks in a review. And maybe a highly rated product just doesn't play nice on someone's machine whereas a lower rated product does. FWIW, I believe that using something is better than using nothing at all.

Now ...

12 Sep 2013   #9

Windows 7 Home Premium x86 Service Pack 1 - Linux Mint Mate 14 x64
Quote: Originally Posted by Lady Fitzgerald
I'm still amazed by the number of people who still recommend MSE. It consistently rates lower on AV reviews than most of the other free AVs with the exception of McAfee (that one stays close to the bottom of all reviews). MSE's claim to fame is its light footprint, ease of setup, few or no popups, and ease of use.

The light footprint is a moot point anymore since most systems today can handle the "heavier" AVs, including resource hogs like Norton.

Setup takes place only once, so ease of setup shouldn't be a criterion for choosing an AV unless it is really obtuse.

Most free AVs, such as Avast, can be set to have few or no popups. Some popups are desirable, such as notification that a nasty has been blocked, but one can set them however they want.

Most free AVs are just as easy to use as MSE, in some cases, easier.
I've seen avast! cause so many BSODs, and I never really trust reviews at all; the authors are usually paid by companies to give good reviews about their products. The experiences of actual users are what count.

Sorry for taking this thread slightly off topic
12 Sep 2013   #10

Win 7 Ultimate 64 bit
OK, I've never had a BSOD caused by Avast. The only problems I've had with Avast were that the current version would disable IE10 (I just rolled back to the previous version to fix that) and the Web Rep tool was causing IE 10 to crash frequently, probably because it was clashing with WOT. Since I prefer WOT, I just disabled the Web Rep tool. Those are nothing compared to the problems I had with MSE.