How did they slip past AVAST?

zapp22

I'm looking at the worst case of infection I've seen in 3 years - basically it is a nuke/redo.
This is a lightly-loaded and lightly-used PC, has little on it other than wildlife photos from a hunting ranch, a few programs like for Garmin GPS and Adobe Reader, etc, and Outlook [may be the path?].

This thing has a zw Java exploit rootkit of some variant, along with several trojan droppers, ransomware, and other things I'm sure I haven't found yet. The top layers were easy to disarm but the rootkit at bottom eluded both the popular TDSSKiller and Malwarebytes' later entry into the rootkit find/disarm game - both came up clean, and so did routine AVAST scans, although the full scan of the latter noted some password-protected JavaScript files that would seem to be innocuous but I don't trust them given the primary exploit. Microsoft's aging rootkit revealer found a number of problems - quite a list. And Trend Micro's beta RootKitBuster found a couple of dozen entries that it could not deal with [log: "unable to fix"].

QUESTIONS: What do you think was the door-opener? The machine did have old Java 6 - I believe the updates were through 24 or 25.
HOW did it slip past the AVAST, which was full install, updated/latest, and all scanners running including mail scanner???
The user's primary browser has been Chrome, at my suggestion! Not IE very much other than one or two cranky secure sites that don't play nice with Chrome.

Sign me baffled... bewildered. My guess, based on some comments by the user, is that this all started with a mail attachment from "a friend", later finding out that the friend's email account had been hijacked. How many times do we have to tell people: DO NOT CLICK.
 

My usual disclaimer: I'm not an expert at anything! :)

If I had to take a guess I'd say that Java 6 is a likely candidate. Back in January (and for the next few months if I remember correctly) Java 6 and the first few releases of Java 7 were being exploited big time. Seemed like new releases were coming out weekly.

This vulnerability was mainly being exploited by exploit packs, which are crimeware tools made to be stitched into Web sites so that when visitors come to the site with vulnerable/outdated browser plugins (like this Java bug), the site can silently install malware on the visitor’s PC. Exploit packs can be just as easily inserted into legitimate, hacked Web sites as they can be stitched into porn sites. All it takes is for the attackers to be able to insert one line of code into a compromised Web site.
Source

Additional Source

Most, if not all, of the consumer security experts who post on this Forum agree that no anti-malware program will be 100% effective 100% of the time. If there was such a product we'd all be using it. Avast is a well respected product but it's not infallible. If Java was the open door that let the malware in, it's possible that whoever coded the malware was familiar enough with all the major anti-malware products to get past any of them. And your guess that a friend's hijacked email account may have played a part in all of this is equally possible.

Once a computer is infected I don't think I could ever be 100% sure that something wasn't left behind ... no matter how many scans I run that come back clean. For that reason I have several system images available so I can restore a known clean copy of everything on the hard drive in less than an hour. As compared to doing a clean install that can take many hours (or days) to get everything tweaked back to the way it was.
 

Certainly is a good summary. The Java exploit was certainly there: I've run so many tools I forget which one identified it but it was early on in the cleanup.
I finally bailed and am reinstalling the OS from scratch. There was just too much core damage done - unnecessary chances for an issue.

I was mainly hoping to learn enough to help people avoid such in the future. I guess the anti-mal business is like the so-called Terror war: the preventers must be right 100% of the time - a real "iron dome" on all/every level. The bad guys get to pick their battle ... cherry-pick in fact.
 

I guess the anti-mal business is like the so-called Terror war: the preventers must be right 100% of the time - a real "iron dome" on all/every level. The bad guys get to pick their battle ... cherry-pick in fact.

Very well said.
 

Just a thought.
I would check what programs you use and see if they even need Java.
Many systems don't need Java and don't install it. If you do need Java I would check for updates daily.
 

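The suggestion above (find out whether Java is installed at all, and keep it current if it is) can be checked from the Windows uninstall registry keys. This is an added example, not code from the thread; the function names and the version floor are assumptions, and the sample display names are constructed.

```powershell
# Added example (not from the thread): list Java runtimes recorded in the
# Windows uninstall registry keys and flag those older than a floor you choose.

function ConvertTo-JavaRelease {
    param([string]$DisplayName)
    # Parses names such as "Java(TM) 6 Update 24" or "Java 7 Update 25 (64-bit)".
    # Anything else (JavaFX, Java Auto Updater, unrelated software) returns nothing.
    if ($DisplayName -match '^Java(?:\(TM\))? (\d+)(?: Update (\d+))?') {
        $update = 0
        if ($Matches[2]) { $update = [int]$Matches[2] }
        New-Object PSObject -Property @{
            Name   = $DisplayName
            Major  = [int]$Matches[1]
            Update = $update
        }
    }
}

function Test-JavaBelowFloor {
    param($Release, [int]$FloorMajor, [int]$FloorUpdate)
    # True when the release is an older major line, or the same line with a lower update.
    ($Release.Major -lt $FloorMajor) -or
        (($Release.Major -eq $FloorMajor) -and ($Release.Update -lt $FloorUpdate))
}

function Get-UninstallDisplayName {
    # Native hive plus the 32-bit view on 64-bit Windows.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        ForEach-Object { $_.DisplayName } | Where-Object { $_ }
}

# Placeholder floor (assumption): replace with the current release of the Java line you run.
$floorMajor  = 7
$floorUpdate = 25

# Constructed sample names so the parsing and comparison can be checked on any machine.
$sample = 'Java(TM) 6 Update 24', 'Java 7 Update 25', 'Java Auto Updater', 'Example Photo Viewer 2.0'

$sources = @{ Label = 'constructed sample'; Names = $sample },
           @{ Label = 'this machine';       Names = @(Get-UninstallDisplayName) }

foreach ($source in $sources) {
    "--- $($source.Label) ---"
    $found = @($source.Names | ForEach-Object { ConvertTo-JavaRelease $_ })
    if ($found.Count -eq 0) { 'No Java runtime found in the uninstall keys.'; continue }
    foreach ($r in $found) {
        $status = if (Test-JavaBelowFloor $r $floorMajor $floorUpdate) { 'BELOW FLOOR' } else { 'ok' }
        '{0,-28} major={1} update={2} {3}' -f $r.Name, $r.Major, $r.Update, $status
    }
}
```

The uninstall keys only show which runtimes are installed; they do not show whether the browser plug-in is enabled.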
I'm still amazed by the number of people who still recommend MSE. It consistently rates lower on AV reviews than most of the other free AVs with the exception of McAfee (that one stays close to the bottom of all reviews). MSE's claim to fame is its light footprint, ease of setup, few or no popups, and ease of use.

The light footprint is a moot point anymore since most systems today can handle the "heavier" AVs, including resource hogs like Norton.

Setup takes place only once so ease of setup shouldn't be a criterion for choosing an AV unless it is really obtuse.

Most free AVs, such as Avast, can be set to have few or no popups. Some popups are desirable, such as notification that a nasty has been blocked, but one can set them however they want.

Most free AVs are just as easy to use as MSE, in some cases, easier.
 

Just a general observation and I'm not directing my opinion at anyone. The choice of AV product is very subjective. Maybe someone's teacher, parent, friend, etc recommended something and that's why it's being used. Maybe someone has had good results (no infections) and continues to use a particular product regardless of where it ranks in a review. And maybe a highly rated product just doesn't play nice on someone's machine whereas a lower rated product does. FWIW, I believe that using something is better than using nothing at all.

Now ...

:focus: ;)
 

I'm still amazed by the number of people who still recommend MSE. It consistently rates lower on AV reviews than most of the other free AVs with the exception of McAfee (that one stays close to the bottom of all reviews). MSE's claim to fame is its light footprint, ease of setup, few or no popups, and ease of use.

The light footprint is a moot point anymore since most systems today can handle the "heavier" AVs, including resource hogs like Norton.

Setup takes place only once so ease of setup shouldn't be a criterion for choosing an AV unless it is really obtuse.

Most free AVs, such as Avast, can be set to have few or no popups. Some popups are desirable, such as notification that a nasty has been blocked, but one can set them however they want.

Most free AVs are just as easy to use as MSE, in some cases, easier.

I've seen avast! cause so many BSODs, and I never really trust reviews at all, the authors are usually paid by companies to give good reviews about their products. The experiences of actual users are what count.

Sorry for taking this thread slightly off topic :o
 

OK, I've never had a BSOD caused by Avast. The only problems I've had with Avast were that the current version would disable IE10 (I just rolled back to the previous version to fix that) and the Web Rep tool was causing IE 10 to crash frequently, probably because it was clashing with WOT. Since I prefer WOT, I just disabled the Web Rep tool. Those are nothing compared to the problems I had with MSE.
 

Well, it looks to me that if we were asked for an opinion on antiviruses NOT to use we would agree a lot more.

I don't want an antivirus program or any other program that argues with Windows 7 or me.
I don't want an antivirus program that I have to keep adjusting or changing every time I want to do something.

I used to read all the reviews and then go to the store and buy the so-called best antivirus program. I used a lot of different ones and I just plain got tired of arguing with them. Just for the hell of it I tried Microsoft Security Essentials and I have been using it ever since. A little over 2 years.

I'm not going back to an older version, less secure version of a program or browser just because my antivirus doesn't like the new, more secure version of a program.

I think that most of us understand that no 1 security program is 100% all the time, so I do use other security programs in conjunction with Microsoft Security Essentials. These other programs I use would also be used if I had another branded antivirus program installed.

If one does some reading in the BSOD and the Security sections of this Forum it won't take long to figure out which antivirus programs don't get along with Windows 7 and other legal programs. That is a must. Any program of any kind must get along with the operating system and other legal programs.

I don't believe we will ever see great reviews of Microsoft Security Essentials.
Microsoft does not spread a bunch of money around advertising for the use of Microsoft Security Essentials. It appeared to me the more money spent on advertising the higher the ratings on an antivirus program were, and I would go to the store and buy it. That formula did not work for me.

I have recommended several times to try Microsoft Security Essentials, with the understanding that if the user doesn't like it, try another antivirus program.
The two active security programs I use are Microsoft Security Essentials and Malwarebytes Anti Malware Professional.
Might not be to everybody's liking or meet their need but it does work for me.
 

HOW did it slip past the AVAST, which was full install, updated/latest, and all scanners running including mail scanner???

It takes time for a virus to be identified.

When a new virus is released into the wild, it first has to be identified. Then, samples have to be submitted to the AV companies.

The AV companies then have to analyze the virus to find out how it works & how to identify/nullify it.

Then code has to be written & tested. After successful results, the updates to the virus defs have to be sent out. All this can take anywhere from a few hours to several days depending on the complexity of the virus. During this time, the virus is spreading to more systems.

If something new was just released 1/2 an hour ago & you come across it, chances are your AV won't flag it as a virus. (Unless it performs suspicious behavior, in which most cases an AV will flag it at the least, as a possible virus)

Nothing protects you 100%.
 

True, MSE does not advertise. But non-paid, non-profit, highly respected test facilities declare MSE is pitiful.

It may be true from a BSOD point, but that's like saying any program you use that isn't made by Microsoft can cause problems and BSODs, so don't use it!

I think it's better to have protection that's good (and very rarely causes some problems) compared to having an antivirus such as MSE with barely any protection. Sure, you do not get BSODs, but you definitely do not get any protection.
Having said that, anything is better than nothing.

But alas, it's your system. Everyone will always have an opinion. The truth is, I look at facts. And the facts state that MSE is horrible for protection/detection.

For anyone that states that these testing companies get paid and are all false, then why do top brands like Norton and such get bad ratings/scores sometimes? Avast and AVG and Avira are small companies, they would not have tons of money to throw their AVs higher in the results. Plus, there are more than 3 different companies that do these kinds of testing. They would not be able/want to throw money to all of these just to get a better score. The average consumer does not look at these anyway. MSE scores low on all tests. The highest marks it gets are for scanning speed and ease of use. That's great, but if you're an antivirus you need to offer protection. And MSE does not offer it.

True, some months are bad and some months are good for AV software. But you have to look at consistency. MSE fails in this regard almost constantly. Go to Google and type in mse virus tests - let's just say the results are a bad sign. Type any other well-known AV and well, yeah.

I always suggest checking these AV testing sites once every 6 months to see if your product is going downhill and whether or not you should jump ship to a new AV.

Sources:
AV-Comparatives Comparatives & Reviews » AV-Comparatives
AV-TEST - The Independent IT-Security Institute: May/Jun 2013


@OP Avast is not a silver bullet. No antimalware program is. I also agree it was probably due to the Java exploits going around.

Rule number 1 and 2 of computing:
Do not use/install Adobe Reader. Get a 3rd-party PDF reader (if you even need one, most browsers have built-in support now).
Do not use/install Java.
 

andrew thank you for reading my post. We don't seem to agree but that is okay. Sometimes we will agree and sometimes we will not agree.
Happy computing.
 

Let's not forget MSE is designed around Internet Explorer 9/10 and 11 preview...
Because these versions have their own security features.
One would hope "grin" these would work together better without conflicting with one another ;)
"ie" Windows and Windows Update friendly.

I'll get on board with never installing Java :D
Reader XI?
Disabling it works just fine for me and that goes for Flash Player as well.
How to configure your Flash Player settings for maximum privacy and security

Geez, I even forgot that IE10 also has this feature.
Where did the IE 64-bit version go?
http://blogs.msdn.com/b/ieinternals/archive/2012/03/23/understanding-ie10-enhanced-protected-mode-network-security-addons-cookies-metro-desktop.aspx

http://www.sevenforums.com/tutorials/280434-internet-explorer-10-enable-32-bit-64-bit-ie10-windows-7-a.html#post2312336
 
Thank you

andrew thank you for reading my post. We don't seem to agree but that is okay. Sometimes we will agree and sometimes we will not agree.
Happy computing.

You're welcome. And you're right. That's okay though. All different opinions. I personally would not recommend MSE, while others do not recommend avast. It all comes down to what the person recommends. Another argument is since there is no such thing as security, for all we know our computers could be infected at any point and time without having any clue. It happens all the time. Also, I remember reading somewhere that antiviruses typically only catch around 40% of malware, because there is so much malware that's unknown, that while these tests I listed most AVs are catching 90% of what is known. But what about unknown? Makes you think about how dangerous it is out there.
Plus the 10% it doesn't see is thousands of viruses, not a couple or a few.

Let's not forget MSE is designed around Internet Explorer 9/10 and 11 preview...
Because these versions have their own security features.
One would hope "grin" these would work together better without conflicting with one another ;)
"ie" Windows and Windows Update friendly.

I'll get on board with never installing Java :D
Reader XI?
Disabling it works just fine for me and that goes for Flash Player as well.
How to configure your Flash Player settings for maximum privacy and security

Geez, I even forgot that IE10 also has this feature.
Where did the IE 64-bit version go?
http://blogs.msdn.com/b/ieinternals/archive/2012/03/23/understanding-ie10-enhanced-protected-mode-network-security-addons-cookies-metro-desktop.aspx

http://www.sevenforums.com/tutorials/280434-internet-explorer-10-enable-32-bit-64-bit-ie10-windows-7-a.html#post2312336

This is completely true. Ever since IE10 Microsoft has finally started to take security seriously. Internet Explorer is finally at a point now where I do not need to shudder and tell the user not to use it. It actually has really great protection and privacy settings and that is great news. I understand MSE works with the built-in security of Windows and IE and that it would work better from the maker of the software.

But when people I know/not know constantly get a bad infection, or are having major issues for the first time, I get them a better AV. Why? Because whatever their solution is now, it's obviously not working.
Now no AV catches everything, but when I discover that MSE/McAfee/AVG is on their machine, turned on and updated and happily says everything is okay (even after a scan), and their system is plagued with malware, it indicates to me that what they are using is not working. So what do I do? I install Avast. I also uninstall Java and Adobe (except Flash). And guess what? The support calls go away (for viruses and popups at least), haha. I get calls about how do I do this, or I can't burn a CD etc. But those calls are way less and more about they do not know how to do something rather than something is not actually working.

I also sometimes see malware also disabling the security software altogether. That is a concern for me. One of the great things about avast is you can set a password on certain settings so should avast ask to be disabled, it will let the user know and prompt them for the password. (It lets them know regardless, password just adds an extra step.) Also, avast clearly states that a program is attempting to turn avast antivirus off, do you wish to do this? It also does the dim the screen like UAC does. But the lettering is bigger. This way if the protection is turned off, it's the user's fault. Not the software. Avast makes sure it is running unless you disable it. Of course not saying that it could be circumvented. It can, but at least it protects itself and the system as best as it can.
 
There's one more part to this security equation ... the person using the computer.

You can have "the best" AV program installed (whatever that might happen to be on any given day of the week). You can sandbox. You can use "the best" browser (whatever that might happen to be on any given day of the week). You can uninstall problematic software like Java. You can do all the things that security professionals recommend. But if the user insists on going to dodgy sites; opening unknown attachments in emails; clicking on a link that says, "Your computer is infected - send $39 now and we'll fix it"; responding to every request from every Nigerian prince; letting others have unrestricted access to the machine; etc., etc., etc. ...

That computer is going to get infected. Period.
 

@ marsmimar

100% correct. Couldn't have said it any better.
 

marsmimar, you are correct. There are some people that can't be helped because they refuse to change the way they use their computer and the methods they use on the internet. They will continue to get infected and spread it around the internet.
 

In recent years malware has become very sophisticated and the distributors well organized. And security experts have warned that this is only the beginning; it is going to get much worse in the future. To the authors of malware and the products that combat them, this is war. One of the basic principles of warfare is: know your enemy. The authors of anti-malware understand the many methods of infection and how they may be detected. Malware authors know how anti-malware products (the enemy) work, can detect specific products, and know their strengths and weaknesses. Malware may attempt to disable known products and other tools used to detect their activities.

Some modern malware has moved into kernel mode, the realm of the OS itself. Software running in user mode (where applications run) must follow a set of rules and these are enforced by the OS. The basic concept is that no application should be able to accidentally or intentionally disrupt the actions of another. But there is always a way if you try hard enough. But in kernel mode the situation is different. When running in kernel mode the rules can't be enforced and are more like a "gentleman's agreement" which all agree to follow for the general good. But malware has a rather different view of such things.

Software running in kernel mode essentially becomes a part of the OS. It can monitor and modify system functions for its own purposes, a primary one being to hide its own presence. And as previously mentioned, those rules that do exist cannot be enforced. The detection of such malware can be very difficult, and it is only going to get worse.
 
