Windows 7: So, you think you are secure and don't need precautions

05 Jan 2010   #31
pparks1

Windows 7 Ultimate x64
 
 

Quote: Originally Posted by Carbonyl
Quote: Originally Posted by pparks1
Without said checker, I would have likely just hit X on the website and went on oblivious to the fact that a malicious javascript file might have been lurking on my machine ready to install software if it was ever launched.
If you had hit the 'X', the JavaScript file would not have just 'lurked'. The 'X' wasn't a Windows dialogue box button. It was a disguised JavaScript 'I AGREE TO BE INFECTED' button, which was mocked up to look like a Windows dialogue button. You would have been immediately redirected to a page which would scan your system for vulnerabilities, and then would automatically deliver a payload in accord with those vulnerabilities.
Interesting. If I recall correctly, as soon as I hit the page the Trend Micro pop-up showed up, immediately followed by a redirect to a claimed scan which said I had problems their tool could fix. Then I got a second pop-up from Trend saying it stopped issue #2. From there, I right-clicked the Firefox icon on the Superbar and chose Close Window. So to me, it looks like it ran without any interaction on my part. So I cannot be sure that I didn't click on the X to close the browser window. It is just force of habit, since that's the way you normally close browser windows.

Quote: Originally Posted by Carbonyl
EDIT: Additionally, in regard to the continuing conversation, you don't need to click anything to initiate the attack, either! You could be staring down one of these fakealerts just by using your bookmarks.
Like I said, I don't recall clicking on any part of the window. But as I get older my mind starts to fail me. Guess it's good that most of my surfing occurs on a Linux machine, which is far more immune to this type of thing.


05 Jan 2010   #32
jav

Windows 7 Ultimate x86 SP1
 
 

Quote: Originally Posted by UrbanBounca

You are more than welcome to use it, but I've never had any symptom of a virus/malware. I'm not arguing they aren't getting advanced, and I'm not arguing that I'll never get one, but I can assure you, up to this point, I've never had a virus. I've used online virus scans a couple of times, and I've even installed Norton and McAfee at one point, simply to prove that you don't need an AV to stay clean.
OK, a couple of things:
1. Drive-by infection (doesn't require much user interaction)
2. Rootkits (Rootkit - Wikipedia, the free encyclopedia)
Almost no symptoms, and I don't think you will be able to detect them with a resident AV, not to mention an online scan.
3. Trojans (http://en.wikipedia.org/wiki/Trojan_horse_(computing)): almost no symptoms visible to the end user.
4. Keyloggers (Keystroke logging - Wikipedia, the free encyclopedia). Symptoms?
5. Any kernel-level infections (http://en.wikipedia.org/wiki/Ring_(computer_security)). Symptoms?
06 Jan 2010   #33
UrbanBounca

Windows 7 Pro
 
 

Quote: Originally Posted by jav
OK, a couple of things:
1. Drive-by infection (doesn't require much user interaction)
2. Rootkits (Rootkit - Wikipedia, the free encyclopedia)
Almost no symptoms, and I don't think you will be able to detect them with a resident AV, not to mention an online scan.
3. Trojans (http://en.wikipedia.org/wiki/Trojan_horse_(computing)): almost no symptoms visible to the end user.
4. Keyloggers (Keystroke logging - Wikipedia, the free encyclopedia). Symptoms?
5. Any kernel-level infections (http://en.wikipedia.org/wiki/Ring_(computer_security)). Symptoms?
If you can't detect a rootkit with a resident AV, what's the point in even having one? That being said, the majority of viruses have a symptom of some sort. I have enough experience to determine whether my system has been infected.

06 Jan 2010   #34
jav

Windows 7 Ultimate x86 SP1
 
 

10+ things you should know about rootkits - Strategy - Architecture - Builder AU
Quote:
Rootkits are frustrating. By design, it's difficult to know if they are installed on a computer. Even experts have a hard time but hint that installed rootkits should get the same consideration as other possible reasons for any decrease in operating efficiency. Sorry for being vague, but that's the nature of the beast.
Quote:
If the rootkit is working correctly, most of these symptoms aren't going to be noticeable.
Quote:
Polymorphism techniques allow malware such as rootkits to rewrite core assembly code, which makes using antivirus/anti-spyware signature-based defences useless. Polymorphism even gives behavioural-based (heuristic) defences a great deal of trouble. The only hope of finding rootkits that use polymorphism is technology that looks deep into the operating system and then compares the results to a known good baseline of the system.
And answering your question:
"Why have a resident AV then?"
So, as we have seen from previous posts, a rootkit which is working normally is really hard to detect.
And I mean really hard, even if you are an expert.
And in your example it's even harder. Why?
Because you don't use any detection, prevention or at least monitoring programs, so there is almost no way for you to tell rootkit symptoms, even if you were the person who created Windows all by yourself.
So your experience isn't enough to detect a rootkit which is working as intended.

But it is a lot easier to detect a rootkit before it enters the system, stealths itself and polymorphs.
So a rootkit should be stopped at this stage.
How?
There are many things, but in our case:
At least a resident AV, which can still detect a rootkit before polymorphism.

I know your next answer: "I can detect it myself."
Really?
Quote:
#3: How do rootkits propagate?

Rootkits can't propagate by themselves, and that fact has precipitated a great deal of confusion. In reality, rootkits are just one component of what is called a blended threat. Blended threats typically consist of three snippets of code: a dropper, loader, and rootkit.

The dropper is the code that gets the rootkit's installation started. Activating the dropper program usually entails human intervention, such as clicking on a malicious email link. Once initiated, the dropper launches the loader program and then deletes itself. Once active, the loader typically causes a buffer overflow, which loads the rootkit into memory.

Blended threat malware gets its foot in the door through social engineering, exploiting known vulnerabilities, or even brute force. Here are two examples of some current and successful exploits:

Instant Messenger (IM) -- One approach requires computers with IM installed (not that much of a stretch). If the appropriate blended threat gains a foothold on just one computer using IM, it takes over the IM client, sending out messages containing malicious links to everyone on the contact list. When the recipient clicks on the link (social engineering, as it's from a friend), that computer becomes infected and has a rootkit on it as well.
Rich content -- The newest approach is to insert the blended threat malware into rich-content files, such as PDF documents. Just opening a malicious PDF file will execute the dropper code, and it's all over.
Just a single example of cases in which you are unable to stop it just by yourself.


Rootkit - Wikipedia, the free encyclopedia
Quote:
Rootkit binaries can often be detected by signature or heuristics-based antivirus programs, at least until they're run by a user and are able to attempt to conceal themselves.
and so on...
I wonder, do you at least use a firewall?

2. About your safe sites (as if safe...)
It is possible to make sites in your bookmarks malicious without the owner of the site noticing.

For example:
Code injection - Wikipedia, the free encyclopedia
Remote File Inclusion - Wikipedia, the free encyclopedia
Cross-site scripting - Wikipedia, the free encyclopedia

I will not go into details as it's too long.
Any more questions?
06 Jan 2010   #35
Fayla

Windows 7 Professional 64 Bit SP1
 
 

Quote: Originally Posted by pparks1
I've seen numerous posts of people who don't feel that they need a virus scanner or malware scanner with Windows and that they don't need the security features like UAC because 1) they know what they are doing 2) they use common sense 3) they have never had a problem in the past 4) they only go to reputable sites.
I have all of that stuff enabled too, but I run the Microsoft antivirus instead. What happened for me was:

While visiting one of my normal web pages, the next thing I know the download warning bar flashed up. Then the antivirus said it had to delete a JavaScript Trojan from my temp files.

Ended up looking through one of my favorite tech sites to see that JS is a computer health risk now.
06 Jan 2010   #36
UrbanBounca

Windows 7 Pro
 
 

Quote: Originally Posted by jav
10+ things you should know about rootkits - Strategy - Architecture - Builder AU
Quote:
Rootkits are frustrating. By design, it's difficult to know if they are installed on a computer. Even experts have a hard time but hint that installed rootkits should get the same consideration as other possible reasons for any decrease in operating efficiency. Sorry for being vague, but that's the nature of the beast.
Quote:
If the rootkit is working correctly, most of these symptoms aren't going to be noticeable.

And answering your question:
"Why have a resident AV then?"
So, as we have seen from previous posts, a rootkit which is working normally is really hard to detect.
And I mean really hard, even if you are an expert.
And in your example it's even harder. Why?
Because you don't use any detection, prevention or at least monitoring programs, so there is almost no way for you to tell rootkit symptoms, even if you were the person who created Windows all by yourself.
So your experience isn't enough to detect a rootkit which is working as intended.

But it is a lot easier to detect a rootkit before it enters the system, stealths itself and polymorphs.
So a rootkit should be stopped at this stage.
How?
There are many things, but in our case:
At least a resident AV, which can still detect a rootkit before polymorphism.

I know your next answer: "I can detect it myself."
Really?
Quote:
#3: How do rootkits propagate?

Rootkits can't propagate by themselves, and that fact has precipitated a great deal of confusion. In reality, rootkits are just one component of what is called a blended threat. Blended threats typically consist of three snippets of code: a dropper, loader, and rootkit.

The dropper is the code that gets the rootkit's installation started. Activating the dropper program usually entails human intervention, such as clicking on a malicious email link. Once initiated, the dropper launches the loader program and then deletes itself. Once active, the loader typically causes a buffer overflow, which loads the rootkit into memory.

Blended threat malware gets its foot in the door through social engineering, exploiting known vulnerabilities, or even brute force. Here are two examples of some current and successful exploits:

Instant Messenger (IM) -- One approach requires computers with IM installed (not that much of a stretch). If the appropriate blended threat gains a foothold on just one computer using IM, it takes over the IM client, sending out messages containing malicious links to everyone on the contact list. When the recipient clicks on the link (social engineering, as it's from a friend), that computer becomes infected and has a rootkit on it as well.
Rich content -- The newest approach is to insert the blended threat malware into rich-content files, such as PDF documents. Just opening a malicious PDF file will execute the dropper code, and it's all over.
Just a single example of cases in which you are unable to stop it just by yourself.


Rootkit - Wikipedia, the free encyclopedia
Quote:
Rootkit binaries can often be detected by signature or heuristics-based antivirus programs, at least until they're run by a user and are able to attempt to conceal themselves.
and so on...
I wonder, do you at least use a firewall?

2. About your safe sites (as if safe...)
It is possible to make sites in your bookmarks malicious without the owner of the site noticing.

For example:
Code injection - Wikipedia, the free encyclopedia
Remote File Inclusion - Wikipedia, the free encyclopedia
Cross-site scripting - Wikipedia, the free encyclopedia

I will not go into details as it's too long.
Any more questions?
I use the Windows firewall, with Windows updating daily. Either way, you can keep explaining how severe some viruses can be, and it won't change my opinion that 99% of viruses can be blocked by common sense. I use Firefox, 'cause IE is a death trap. I don't click on a questionable link, such as the example you've given regarding PDF files that can execute code. Why would I open anything from a questionable link? Once again, common sense.

I've never had any reason to believe I've had a virus on my PC. I've run numerous AVs, as I've already mentioned, to prove that you don't need an AV to be safe on the Internet, and I'm still firm in my belief.
06 Jan 2010   #37
pacinitaly

windows 7 professional & ultimate 64bit laptops
 
 

Quote: Originally Posted by Carbonyl
Blackhat Search Engine Optimization ('Gaming Google') and hijacking flash banner ads ('Malvertisement') are two trends on the sharp rise. The bad guys realize that people are smarter than they used to be, and won't open those emails/go to those porn sites anymore. More than fooling people into clicking links from trusted sites, these techniques can actually inject attacks into trusted sites, period. Imagine one day that you click on a bookmark to visit your favorite blog - which just so happens to be serving up banner ads at that time with hidden nasty stuff - BAM! You've been hit.

There's no such thing as 'Safe Surfing'.

As a note: Blocking JavaScript and Flash can mitigate these attacks somewhat. Use NoScript on Firefox, and whitelist JavaScript and plugins in Opera. And if you EVER see an attack like this with a fake scan, NEVER click anywhere in the browser or otherwise. Clicking the 'Cancel' button will initiate the download. Clicking the red X button will initiate the download. Always go to the Task Manager and kill your browser. Then run MBAM or similar to clean up the leftovers in the cache, which should be harmless.

I think you still need to accept the installation manually, but if you're not patched up to code or are hit by a day-0, you might get infected without doing anything. That's the case right now with the Adobe vulnerability if you have javascript enabled.
Quote: Originally Posted by pparks1
I've seen numerous posts of people who don't feel that they need a virus scanner or malware scanner with Windows and that they don't need the security features like UAC because 1) they know what they are doing 2) they use common sense 3) they have never had a problem in the past 4) they only go to reputable sites.

So, yesterday at work, I format my Vista Enterprise machine and load Windows 7 Enterprise. I'm on an active directory domain and my user account is a member of the local admins group. I have UAC enabled at the defaults. I've got the Windows firewall enabled. I have Trend Micro installed as this is what we use at the corporate level for AV protection. We use a checkpoint firewall device for outbound access to the internet. I use Firefox. And I'm a systems admin for a living, have been for over 10 years and manage both Windows and Linux servers and am certified on both platforms.

On my way to work today, I notice that the typical DJs on one of the local stations don't seem to be on. Going into a commercial, I hear an ad which seems to indicate that there might be a new personality doing the morning slot now. So, after getting settled into work for the day and a few things done, I hit google.com and search for "Deminski and Doyle", which turns up a handful of links about the DJs leaving WCSX. So I click on a couple of the stories to read about what happened and BLAMMMOOOO, Trend goes off, at the same time that some "security threat" website pops up claiming my machine is infected with all sorts of junk and I need to buy their product. Further looking shows numerous broken icons on my desktop that were fine when I booted up this morning.

So, there you go. Somebody who has taken precautions, knows a bit about what he is doing, is using the latest and greatest OS's with features enabled and is simply using the Internet to google something non-nefarious...and even with all that...I'm hit.

For those wondering what it was, it wasn't a big deal...it turns out to be JS_RENOS.WCF. JS_RENOS.WCF - Description and solution. According to Trend, it's non destructive and not much of a problem....but I'm still interested in my broken icons.
Quote: Originally Posted by Carbonyl
Quote: Originally Posted by pparks1
Without said checker, I would have likely just hit X on the website and went on oblivious to the fact that a malicious javascript file might have been lurking on my machine ready to install software if it was ever launched.
If you had hit the 'X', the JavaScript file would not have just 'lurked'. The 'X' wasn't a Windows dialogue box button. It was a disguised JavaScript 'I AGREE TO BE INFECTED' button, which was mocked up to look like a Windows dialogue button. You would have been immediately redirected to a page which would scan your system for vulnerabilities, and then would automatically deliver a payload in accord with those vulnerabilities.

More than likely, an auto-download and an attempt to auto-execute would have occurred, but it's hard to say since these vectors morph on the fly to attack different systems.

I'm just pointing out that this is the new anatomy of attack. There is no 'waiting to be launched'. It'll find a way to launch itself.

EDIT: Additionally, in regard to the continuing conversation, you don't need to click anything to initiate the attack, either! You could be staring down one of these fakealerts just by using your bookmarks.

Here's a story with a recent example. In this particularly nasty situation, all someone had to do is visit one of the trusted websites afflicted, and have Acrobat installed. Bam. Infected.

It doesn't take a genius to stay safe? I'll agree with that. But it doesn't take a moron to get infected these days, either. The point here is that the bad guys are getting crafty. They are dangerous because they outstep your expectations.

WOW, I'm installing AV right now. Thanks and reps to you.
06 Jan 2010   #38
jav

Windows 7 Ultimate x86 SP1
 
 

@UrbanBounca
Please don't quote the whole message.

OK, I am not trying to make you do something.
I am just explaining my point of view.
I do respect your point of view as well.

But..
As I have already told you, it's not about questionable links anymore.

OK, it was like this (don't click on questionable links, don't open unknown emails and blah blah blah), but that was at the beginning of the last decade.
Times have changed; malware writers aren't stupid. As somebody already mentioned, they can see that nobody is opening spam anymore, so they developed new methods.
So now sites in your bookmarks and favourites can become malicious any day.


Regarding my PDF example, how do you tell if it is questionable or not?

As I can remember, you mentioned that you are studying Law Enforcement, right?
Just imagine you are going to some law enforcement related site (it's not some random site, you do trust it, it's some federal government site and you know that all students get information from there).
So you find your information; would you open it?
From my last post you can see how easy it is to attack even this kind of government site and infect it.
(Recently there was a successful attack on 3 servers of NASA.)

Or you receive even just a doc document from your friend. You don't have at least an AV, so how will you check it?

Do you do online banking? Or buy anything online?

And for your statement "you don't need an AV to be safe on the Internet":
Yep, one doesn't need an AV to be safe.
Because there is other software which can protect you, like virtualization, anti-executables, behaviour blockers.
Or Windows native features like Software Restriction Policy, AppLocker, Limited User Account (don't be happy even if they are Windows native features; you are not benefiting from them as you don't use them).

Why do you think Windows itself even warns you that your security isn't enough?


Actually.... Good luck, glad that you haven't been infected yet and I wish you not to be infected.
Hopefully you will be right and stay safe.

P.S. I hope you haven't been offended by my words. It was just a friendly discussion and exchange of opinions. Are we OK?
06 Jan 2010   #39
Lens Pirate

Win 7 64 Ultimate - Win 7 Home Premium 64 - XP - Android 3.1 and 2.3 - Ubuntu - Vista Ultimate 64
 
 

I fall on the side of thinking that a good AV/anti-malware program is useful.

But another tool often overlooked by many is simply not surfing as an administrative user.

Our site has 3500 PCs. Prior to migrating to Active Directory and making all of our users Restricted users, ALL WE DID was remove malware and viruses.

Since making that change we almost never get hit. We layer good perimeter security, workstation firewalls, Sophos corporate security, and so far that has saved us.

At home I have two accounts on my PC: one admin level for making changes and one restricted user for casual surfing.

I can't help but be struck by one poster's claim that while he has never had a virus or infection of any type, he has the experience to know if he gets infected. Where exactly did this skill come from?
06 Jan 2010   #40
UrbanBounca

Windows 7 Pro
 
 

Quote: Originally Posted by jav
@UrbanBounca
Please don't quote the whole message.

OK, I am not trying to make you do something.
I am just explaining my point of view.
I do respect your point of view as well.

But..
I understand you're not forcing anything on me, and your knowledge on the subject is quite outstanding. I do home banking, and I've never had a problem with my home banking. I also purchase online, but only from major retailers. If I'm visiting a government site for criminal justice statistics, I trust that the site is legitimate, and as I've previously mentioned, you can typically look at the URL and determine the legitimacy.

I've been using the Internet for quite some time now, and have a general knowledge of trusted sites. I don't use social sites, with the exception of Facebook. I don't use Digg or any other "linking" sites for that reason; they could be malicious.

Either way, I appreciate all your knowledge on the subject. It's quite interesting, but personally, I'm ignorant, and use my own experience to my advantage.

Quote: Originally Posted by Lens Pirate
I can't help but be struck by one poster's claim that while he has never had a virus or infection of any type, he has the experience to know if he gets infected. Where exactly did this skill come from?
That's a fair question.

I've helped a few friends with their virus problems, and have seen viruses/malware to the point where reformatting the HD is the only option. I've also been on the PC daily since 1995, which is a plus.