

Generic.dx Trojan


mouser:
Since i have been dispensing very generic (pun intended) advice on this thread, let me continue.

Whenever you are downloading user-posted files on a community site, it pays to be cautious.  There are some general "human" heuristics that are wise to apply:

* Can you see anything about the person who posted the file? Are they long time members? If so, the odds of the file being harmful are pretty slight.
* Has the file been uploaded and available for a long time? If so, and especially if there are comments posted subsequently about it, the odds of the file being harmful are pretty slight (otherwise others would have reported it).
* If it's a brand new file uploaded by a brand new person on the site... you may be advised to wait until others have checked it out and given it the thumbs up.

Innuendo:
All good advice, Mouser, but the OP was concerned about files downloaded from GameCopyWorld, a site that doesn't have any user-posted files. All files are provided by the site owner(s).

Steven Avery:
Hi Folks,

Righteo.  Human heuristics are far more important than techie heuristics, which is an ongoing sludge-fest of Malware vs. the Organized Bureaucratic Defenders.

Even on a defense level, the whole "anti-virus" thing is now less important than HIPS .. "do I really give access to my registry or disk to that thingamajig". It has a place, and to a large extent is still helpful, but with great caution and a bit of whimsy.  That is one reason Avira made a splash recently, low footprint, so it was less likely to get in the way.  However, it seems every single anti-virus program is gonna have a fairly substantial false positive problem today. Since they are looking at heuristics, and that always struggles against:

a) new masking attempts by the bad guys
b) real programs that do techie stuff, thus it looks like they may be the malware.
c) bureaucratic shuffling and indecision in the anti-virus companies

Granted, this is all another generic comment.  Game sites and little-known oddball utilities from Chinese-Mongolian anonymous authors (you may substitute other countries there) will always be problematic. If I used stuff like that, even I might consider a sandbox or virtual machine, as discomfiting as it seems.  Probably the only way to be close to 100% safe, once a file is under suspicion, is a sandbox-style route.  Generally I only want software from a visible company where there is public communication with the writers or at least with the company marketing or sharing. Remember I am the one who is gonna tell the firewall/HIPS that they are "trusted" .. so I want there to be a basis for that trust.

Shalom,
Steven Avery

wreckedcarzz:
All great points, Steven. As I commonly get yelled at here on the forum for this, I don't actively run A/V software - however, I do run any questionable programs through Sandboxie, as well as my own "does this look legitimate" mental check.

Example:

Last night I installed Grand Theft Auto: Vice City from an ISO backup I made a few years back (back when I had the space to do that, before games got 20GB in size). Installation went smoothly, but when I went to run the game it demanded the CD - which had been lost quite a while ago (I can thank my sister for that (and yes, she does like GTA... don't ask) :mad:). I checked for any game patches and then went on a search for a no-cd EXE for it - finding one relatively easily. Downloaded, extracted, made a backup of the original, and then moved it in and compared icons and file sizes. With fingers on Control-Alt-Delete, I started it up and all was good.

However, if the icon had been different or the file size larger than the original, I would have copied the game files into Sandboxie and run it within that contained environment so that it could not do any damage outside of the sandbox (and therefore, only damage the copy of the game).

Spoiler: How Sandboxie works:
Everyone has their own approach, and I have mine. Common sense, daily scanning (w/o real time protection), Windows Firewall and Sandboxie is mine, but what works for me may not work for someone else. Pick and choose wisely, and your problems will be minimal.

Innuendo:
A lot of those programs have been UPX-packed or whatever to obfuscate the code so their "competitors" can't see how they achieve their neat tricks. Unfortunately, some AV products flag anything that's been packed like that as a generic trojan because the trojan writers like to use those packers as well.

Even Linkman, the very reputable program that's been discussed on this site throws up a "suspicious program" flag in a lot of AVs because it's been packed.
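The point above about packed executables tripping "generic trojan" heuristics, illustrated as an added example that is not code from this thread: a small Python triage script that reports the two signals such heuristics commonly key on, UPX section names in the PE section table and high byte entropy. The minimal PE builder is a constructed test fixture (headers only, not a real executable), and the function names are my own.

```python
import math
import struct

# Section names the UPX packer writes into a PE file; many generic AV signatures key on them.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

def pe_section_names(data: bytes) -> list:
    """Parse the MZ/PE headers and return the section names, or [] if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]     # offset of the "PE\0\0" signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                                     # COFF file header (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                            # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + 40 * i                                # each section header is 40 bytes
        if off + 40 > len(data):
            break                                           # truncated header: stop, don't crash
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted code sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def packer_hints(data: bytes) -> list:
    """Why a scanner might call this file 'generic': UPX sections and/or high entropy."""
    hints = [n.decode() for n in pe_section_names(data) if n in UPX_SECTION_NAMES]
    if shannon_entropy(data) > 7.0:
        hints.append("high-entropy")
    return hints

def build_fake_pe(section_names: list) -> bytes:
    """Constructed test input: minimal MZ/PE headers with the given sections,
    an empty optional header and no section data. Not a runnable executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table

if __name__ == "__main__":
    print(packer_hints(build_fake_pe([b"UPX0", b"UPX1", b".rsrc"])))    # ['UPX0', 'UPX1']
    print(packer_hints(build_fake_pe([b".text", b".data", b".rsrc"])))  # []
```

A UPX hit on its own says only "packed", which is exactly the false-positive case Innuendo describes; it is a reason to look closer (who published it, does the unpacked code match a known release), not proof of a trojan.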
