
Is Antivirus Software a Waste of Money?


40hz:
I suspect a lot of these things would get past most, if not all anti-viruses.
-tomos (July 29, 2014, 06:33 AM)
--- End quote ---

That seems to be the case of late with this new breed of malware.

Especially since it probably came in piggy-backed on a PDF attachment to an e-mail from a trusted sender. Her Acrobat Reader was two generations old. Everything else was fairly up to date except for her JRE which was also a full version back. So those two were the most likely initial attack vectors. At least as far as we could semi-determine (i.e. guess.) She gets a lot of company and client-generated PDF and document attachments with her e-mail.

This is the first time I've actually seen rather than just heard about a case of ransomware. And I hope it's my last. This puppy was a nasty piece of work. We couldn't sanitize her drive. And we used every trick in the book. Inside the machine the drive kept calmly reinfecting itself no matter what was done to it. You could see it spawning new processes in taskman even while the scanners were busily quarantining it. Since this was happening in safe mode, I suspect whatever it ultimately was also had a rooting capability.

Taken out and scrubbed using a non-Windows environment to recover what little data could be recovered rendered it unbootable. Whoever programmed this attack was one savvy and mean SOB, that's for sure.

Thank goodness (in her case) for a well-disciplined backup habit. If she didn't have that, it would have been really bad for her.

Stoic Joker:
She gets a lot of company and client-generated PDF and document attachments with her e-mail.
-40hz (July 29, 2014, 07:56 AM)
--- End quote ---

With the popularity of Multi Function Printers these days, many companies are going paperless-er. And it seems like a lot of the people that set these things up always leave the default subject line in the scan to email configuration. So people being used to accepting 'Xerox/HP/Lexmark/whatever model X created document' for a subject line while dealing with 50-100 of these a day can make it easy as hell to miss a bad one. Especially if the attacker matches up the default naming convention of the manufacturer with their name ... Or picks something inconspicuous and relevant like Invoice, Receipt, or Purchase Order.
This happens mainly because nobody wants to have to stand there in front of the damn thing and type a bunch of anything in on one of those tiny assed touch screens. So default, default, default, and send it is. Every friggin time.

Anytime I have to set up scan to Email on one of these devices - which happens a lot given the business we're in - I change the subject line to something that is relevant to the sending company to avoid having their Emailed scans adding to the problem.

Given the popularity of the technology, and ease of blending in...those things can be a real bitch to spot. And as a card carrying BOFH, it truly pains me to say it ... But it's damn hard to blame the user for missing one of these.

wraith808:
Given the popularity of the technology, and ease of blending in...those things can be a real bitch to spot. And as a card carrying BOFH, it truly pains me to say it ... But it's damn hard to blame the user for missing one of these.
-Stoic Joker (July 29, 2014, 11:36 AM)
--- End quote ---

That's the sad thing. My wife was apologizing about falling for it, and I was saying that they're getting smarter, and it's harder and harder to tell the difference.

40hz:
Given the popularity of the technology, and ease of blending in...those things can be a real bitch to spot. And as a card carrying BOFH, it truly pains me to say it ... But it's damn hard to blame the user for missing one of these.
-Stoic Joker (July 29, 2014, 11:36 AM)
--- End quote ---

Agree. This particular client isn't a fool. I've worked with her for about 10 years now. She's actually one of those responsible types who made sure she was tech-savvy above and beyond the requirements of her job. And she was devastated when this thing hit. Especially once she realized just how serious it was. Being a remote-located employee made her especially vulnerable. And being a non-dork, the very first thing she did was assume she herself had done something stupid. (She didn't btw.)

To make it even more interesting, the odds are pretty good that if it actually did come in via an infected attachment (as I suspect it did), the person who sent it to her didn't know it was loaded. Her company passes a lot of attachments back and forth for follow-up work, processing, client contact, etc. Some of it originates in-house. But the rest (60-70%) is generated by their clients. So it could have come from anywhere.

What's disturbing is that their e-mail provider's security didn't twig on it either. Can hardly blame the desktop when it's not showing a blip on the server's scanners, right? Her only warnings were that (a) her machine seemed ever so slightly slower starting up roughly three mornings before everything went south (she manually reboots each morning just to make sure it's "tidy" as she puts it) - and (b) that her scheduled Windows Update check (running daily at midnight and 6:00am) failed to complete two times in a row the day it happened.

This ain't script-kiddie stuff she got hit with. This is definitely the work of pros.

Scary! And just the tip of the iceberg I'm afraid. :tellme:

tomos:
Well, the last 'thing' I got here, I don't honestly know what it was - nothing too serious, and I got rid of it fairly quickly and didn't keep a record; (anti-virus missed it; I've installed mbam since).
But what I wanted to say was that it came from an ad. I didn't even have to click anything. And that has happened to me before - load a webpage and that's it: wham bam thank you ma'am...

FWIW, after getting rid of the ransomware from a friend's machine (it was the porn/police/blackmail one, not the one that encrypted all data), I removed Java completely from my main machine.

... maybe a more productive approach would be to look at what our anti-virus has stopped ???
In my experience, Avira stopped a couple of things; MSE nothing yet - but I think I've only had one attack since I started using it (probably a couple of years ago now).
