Topic: Antivirus companies support virus writers?  (Read 22970 times)

wraith808

Re: Antivirus companies support virus writers?
« Reply #25 on: February 19, 2010, 12:11 PM »
> "Drive-by" is a really cute buzzword loved by paranoid people since it means WHATEVER amount of common sense you have, you can still be screwed! = BUY a security package, you MUST. Almost entirely BS...

Scary in its coincidence, but I almost got screwed by a drive-by this morning. AVG saved me from it... so I don't know about that BS claim. It was my first time running afoul of a virus in a long time, and I hate to think what would have happened had I browsed to the site on my desktop that doesn't have AV software installed...

Bamse

Re: Antivirus companies support virus writers?
« Reply #26 on: February 19, 2010, 12:29 PM »
I am not sure about it either, but I know I will visit any URL on the internet with the exception of those containing PDF or Flash exploits. I will not exclude problems with those 2, though most are harmless as long as updates are in place. JavaScript turned off in Adobe might help too. Many stretch the "drive-by" term just a little bit, like fake AV scanners are also drive-by etc. They do that for a reason and that is BS. Seems a bit desperate to me, but of course you need an updated browser, updated everything. Not like nobody is trying to attack.

Well, you can fire up any http/web scanner and it will get triggered! Matter of time. What the deal is you will have to find out for yourself. Iframe, JavaScript, can be anything. Msg. from AV are not always that constructive.
« Last Edit: February 19, 2010, 12:31 PM by Bamse »

f0dder

Re: Antivirus companies support virus writers?
« Reply #27 on: February 19, 2010, 12:40 PM »
Drive-by, by my definition, only covers exploits that can target you without any intervention. I do my daily surfing in FF with Adblock and NoScript, with UAC turned on, so I should be mostly safe. But I often forget to uninstall old JRE versions when a new update has been installed, and I honestly don't remember keeping Flash up to date... The day one of my whitelisted sites is hacked (thankfully not just a banner server used by a whitelisted site, as I run ABP) I could get hit by malware. Combine that with a successful privilege escalation, and I'd end up rootkitted.
- carpe noctem

Bamse

Re: Antivirus companies support virus writers?
« Reply #28 on: February 19, 2010, 01:07 PM »
Good that Java updates now patch the old version and you no longer have to remove leftovers.

I am hysterical with updates. Usually get them a few hours after release. Secunia rules :)

Try turning it 180 degrees. Look at web servers, web scripts like WordPress. Huge problems if stuff is not updated. The majority have no clue, so say thanks to autoupdate there as well.

This afternoon I was testing FileZilla Server. 10 min. after it was active I noticed activity. A known brute force IP from China tried to log in, like for 45 min :) I watched all the time. Now I did set a pword, but what if I did not. Was just testing. Maybe I had to get a beer and forgot. One must think security all the time without getting all crazy. Also take notice and learn. I had no clue an ftp-server could be targeted so fast.

« Last Edit: February 19, 2010, 01:11 PM by Bamse »

f0dder

Re: Antivirus companies support virus writers?
« Reply #29 on: February 19, 2010, 01:18 PM »
Bamse: thing is, you and I and a whole bunch of other people around here are power users - regular users can't really be expected to be as cautious. As for 10 mins before an automated ftp exploit attempt, that's not superfast really... the net is full of garbage traffic, NAT'ing routers = :-*. Try putting an unpatched XP box in your DMZ... I'll be surprised if it lasts 10 min before being rooted :)
- carpe noctem

Bamse

Re: Antivirus companies support virus writers?
« Reply #30 on: February 19, 2010, 01:47 PM »
Yes, but I think my point was I was not that cautious. Underestimated the threat, was not able to make any reasonable evaluation of risk, or why am I surprised by this? I did not say my pword was rather weak or that I gave the account access to the whole C: drive, did I, heh. Was actually just testing memory usage, not the ability to keep IPs out. Anyway, nice with a wake-up call to "common sense" defense. Also why I sometimes test malware and visit the not so recommended sites.

Stoic Joker

Re: Antivirus companies support virus writers?
« Reply #31 on: February 19, 2010, 03:40 PM »
Seems like we've got half a planet full of script kiddies running port scans for targets to run dictionary attacks against. Our FTP server here has been attacked as many as 10 times in one day... which is quite a bit considering they're sustained 2-hour attacks. I just snicker as the logs scroll by and wait for someone to complain that their account is locked out.

f0dder

Re: Antivirus companies support virus writers?
« Reply #32 on: February 19, 2010, 03:43 PM »
Stoic Joker: it's beyond script kiddies, and has been so for ages... it's automated botnet sweeps these days, which is far scarier than a little zitty kiddie in his parents' basement. (Not saying you didn't know that, just pointing it out to the rest of the world). And what's also pretty nasty is that automated SSH probes have lowered their rate a lot - enough to not get caught by stuff like fail2ban. At least the sweeps hitting my server.
- carpe noctem

Stoic Joker

Re: Antivirus companies support virus writers?
« Reply #33 on: February 19, 2010, 03:55 PM »
> And what's also pretty nasty is that automated SSH probes have lowered their rate a lot - enough to not get caught by stuff like fail2ban. At least the sweeps hitting my server.

I'm not familiar enough with that combo to gauge how low that would be, can you put a number on it for me? I keep the account lockout threshold pretty tight because the company is small enough that I don't mind manually unlocking an account if need be. But if it's going slow enough to get under/past that ... I may consider worrying.

JavaJones

Re: Antivirus companies support virus writers?
« Reply #34 on: February 19, 2010, 07:17 PM »
Recently I've heard of malware that actually cleans systems of other malware so that it gets exclusive access to system resources. One wonders about the possibility of software that replicates and distributes like a virus, but only does removal of other nasties...

- Oshyan

f0dder

Re: Antivirus companies support virus writers?
« Reply #35 on: February 20, 2010, 04:04 PM »
IIRC the default is 5 retries in a 10-min period, followed by a 10-minute IP ban (using iptables)...

I just realized that fail2ban had been updated and was now monitoring the wrong log file, d'oh. I've repointed it from /var/log/sshd.log to /var/log/auth.log, so I should see entries in /var/log/fail2ban.log again :)
- carpe noctem
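Stoic Joker's question (how slow does a probe have to be to slip under fail2ban?) and f0dder's answer (5 retries in a 10-minute period by default) come down to a sliding-window count of failed logins per source IP. The Python below is added here as an illustration; it is not fail2ban's own code, and the auth.log excerpt it runs over is constructed (hostname, IPs and times are made up). It applies the default rule to two patterns: a brute force at one attempt every 20 seconds, which is banned on its fifth try, and a probe pacing itself at one attempt every 3 minutes, which never accumulates five failures inside any 10-minute window. Widening the window to 60 minutes catches the slow one as well.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" lines as written to /var/log/auth.log; the syslog
# timestamp carries no year, so the parser is given one.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(lines, year=2010):
    """Yield (timestamp, source_ip) for each failed-login line; other lines are ignored."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def find_bans(lines, maxretry=5, findtime_minutes=10):
    """Return {ip: time_of_ban} for every IP that reaches maxretry failures
    inside a sliding window of findtime_minutes (the fail2ban-style rule)."""
    findtime = timedelta(minutes=findtime_minutes)
    recent = defaultdict(deque)  # per-IP failure timestamps still inside the window
    bans = {}
    for ts, ip in parse_failures(lines):
        if ip in bans:
            continue  # already banned; fail2ban would be dropping its packets by now
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # expire failures older than the window
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


def _failed(ts, ip, user="root"):
    return f"{ts} gw sshd[2210]: Failed password for {user} from {ip} port 40022 ssh2"


# Constructed sample log (not from any real server): a slow probe from 203.0.113.5
# at one attempt every 3 minutes, a classic brute force from 198.51.100.7 at one
# attempt every 20 seconds, and one unrelated successful login as noise.
SAMPLE_LOG = sorted(
    [_failed(f"Feb 19 13:{m:02d}:00", "203.0.113.5") for m in range(0, 36, 3)]
    + [_failed(f"Feb 19 13:{18 + s // 60:02d}:{s % 60:02d}", "198.51.100.7",
               "invalid user admin") for s in range(0, 120, 20)]
    + ["Feb 19 13:20:00 gw sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 40023 ssh2"],
    key=lambda line: line[:15],  # chronological order, like a real log
)

if __name__ == "__main__":
    for label, minutes in (("default 10-minute window", 10), ("60-minute window", 60)):
        bans = find_bans(SAMPLE_LOG, findtime_minutes=minutes)
        print(label, {ip: t.strftime("%H:%M:%S") for ip, t in bans.items()})
```

With the defaults, anything slower than one attempt every 2.5 minutes (five tries spanning exactly 10 minutes) never trips the threshold, which is the number Stoic Joker asked for. The usual tuning is a longer findtime, or a second jail with a long window and a low maxretry, accepting that a longer window also catches more legitimate users who mistype.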

Dmytry

Re: Antivirus companies support virus writers?
« Reply #36 on: March 04, 2010, 04:50 AM »
> > "Drive-by" is a really cute buzzword loved by paranoid people since it means WHATEVER amount of common sense you have, you can still be screwed! = BUY a security package, you MUST. Almost entirely BS...
> 
> Scary in its coincidence, but I almost got screwed by a drive-by this morning. AVG saved me from it... so I don't know about that BS claim. It was my first time running afoul of a virus in a long time, and I hate to think what would have happened had I browsed to the site on my desktop that doesn't have AV software installed...

Use Firefox, keep it up to date; it's usually fixed for exploits sooner than any use of the exploit appears in the wild (which is also sooner than antivirus responds). Geez.
Fixing security holes with a third-party code blacklist for known uses of that security hole in the wild, that's just wrong. It's like you have a digital lock on your door, with a password code, and instead of updating the lock's firmware you also install a second lock that has a camera that blocks entry for people who look like known criminals.
« Last Edit: March 04, 2010, 04:54 AM by Dmytry »

Dmytry

Re: Antivirus companies support virus writers?
« Reply #37 on: March 04, 2010, 05:07 AM »
Also, as for whitelisting only known software: again, that's extortion. Norton's upcoming rating-based whitelisting scheme in particular. If your software is not rated up, it's not whitelisted, and will not be rated up. How will you get it whitelisted? Well, some paid certifications or other crap.

Ditto by the way for digital certificates and 'certificate authorities'. Extortion scheme, pure and simple, not very effective for protection because it is possible to steal a certificate, but extremely effective for having various people make billions by doing very little. Everyone who doesn't pay up is subject to plain libel delivered when the user tries to run the application.* The libel also devalues genuinely useful warnings.
[edit: *or enters an SSL site with a self-signed certificate. Notably, there's no warning for a non-SSL site at all. A somewhat more secure site generates scary warnings which a less secure site doesn't! To make the warnings go away you must regularly pay a hefty sum of money to the big-name racketeers to keep your cert up to date, else you lose a certain small but substantial percentage of users. Paying money to racketeers is immoral; the money gets used for harm. The only thing that the certificate certifies is the fact that you bulged into the racket and you're paying ~$100 to the racketeers each year; it does not verify that you're well intentioned, that your site was not hacked, and so on; it does not even verify that you are who you say you are.]
« Last Edit: March 04, 2010, 05:36 AM by Dmytry »

f0dder

Re: Antivirus companies support virus writers?
« Reply #38 on: March 04, 2010, 05:34 AM »
> Use Firefox, keep it up to date; it's usually fixed for exploits sooner than any use of the exploit appears in the wild (which is also sooner than antivirus responds). Geez.

The browser is only one part of the exploit vector equation - you're forgetting Flash and Java, which aren't always fixed in a timely fashion.

> Fixing security holes with a third-party code blacklist for known uses of that security hole in the wild, that's just wrong. It's like you have a digital lock on your door, with a password code, and instead of updating the lock's firmware you also install a second lock that has a camera that blocks entry for people who look like known criminals.

A decent anti-malware product wouldn't just be blacklisting static code sequences, though, so this comparison doesn't really work. A better one would be a cop stopping a guy pulling a gun before he pulls the trigger.

> Ditto by the way for digital certificates and 'certificate authorities'. Extortion scheme, pure and simple, not very effective for protection because it is possible to steal a certificate, but extremely effective for having various people make billions by doing very little. Everyone who doesn't pay up is subject to plain libel delivered when the user tries to run the application.* The libel also devalues genuinely useful warnings.

Unfortunately there are too many CAs and some have been way too lax on security... but how do you propose to secure things without a CA?
- carpe noctem

Dmytry

Re: Antivirus companies support virus writers?
« Reply #39 on: March 04, 2010, 05:53 AM »
> > Use Firefox, keep it up to date; it's usually fixed for exploits sooner than any use of the exploit appears in the wild (which is also sooner than antivirus responds). Geez.
> The browser is only one part of the exploit vector equation - you're forgetting Flash and Java, which aren't always fixed in a timely fashion.
> 
> > Fixing security holes with a third-party code blacklist for known uses of that security hole in the wild, that's just wrong. It's like you have a digital lock on your door, with a password code, and instead of updating the lock's firmware you also install a second lock that has a camera that blocks entry for people who look like known criminals.
> A decent anti-malware product wouldn't just be blacklisting static code sequences, though, so this comparison doesn't really work. A better one would be a cop stopping a guy pulling a gun before he pulls the trigger.
> 
> > Ditto by the way for digital certificates and 'certificate authorities'. Extortion scheme, pure and simple, not very effective for protection because it is possible to steal a certificate, but extremely effective for having various people make billions by doing very little. Everyone who doesn't pay up is subject to plain libel delivered when the user tries to run the application.* The libel also devalues genuinely useful warnings.
> Unfortunately there are too many CAs and some have been way too lax on security... but how do you propose to secure things without a CA?

How do you propose to secure things with a CA?
In the case of SSL certificates, you know, there's no bigass warning for a real spoof site. The only warning you have for a real spoof is the lack of the tiny yellow lock icon. The bigass warning is mostly shown to customers of legitimate businesses who forgot to pay the racket money (forgot to renew the certificate).

wraith808

Re: Antivirus companies support virus writers?
« Reply #40 on: March 04, 2010, 09:04 AM »
> > > "Drive-by" is a really cute buzzword loved by paranoid people since it means WHATEVER amount of common sense you have, you can still be screwed! = BUY a security package, you MUST. Almost entirely BS...
> > 
> > Scary in its coincidence, but I almost got screwed by a drive-by this morning. AVG saved me from it... so I don't know about that BS claim. It was my first time running afoul of a virus in a long time, and I hate to think what would have happened had I browsed to the site on my desktop that doesn't have AV software installed...
> Use Firefox, keep it up to date; it's usually fixed for exploits sooner than any use of the exploit appears in the wild (which is also sooner than antivirus responds). Geez.

I *am* using Firefox, and it *is* up to date, and my OS is patched for every known exploit that I know of. I think that's an assumption fail.

f0dder

Re: Antivirus companies support virus writers?
« Reply #41 on: March 04, 2010, 06:07 PM »
> How do you propose to secure things with a CA?

I'm not proposing to "secure things with a CA" - but SSL certs (and code signing certs) need the CA system unless you want to rely on self-signed certs (and how do you verify the validity of those, then?).

> In the case of SSL certificates, you know, there's no bigass warning for a real spoof site. The only warning you have for a real spoof is the lack of the tiny yellow lock icon.

Which is enough for power users (the ones that keep their software up to date, unlike regular users). Authentication isn't the only thing SSL does, though; confidentiality and tamper-resistance are just as important.

> The bigass warning is mostly shown to customers of legitimate businesses who forgot to pay the racket money (forgot to renew the certificate).

And I do believe this is a problem. SSL certs and code signing certs are a bit on the expensive side. Code signing certs are slightly difficult to obtain, but that's mostly a positive thing, though.
- carpe noctem

Dmytry

Re: Antivirus companies support virus writers?
« Reply #42 on: March 05, 2010, 03:54 AM »
> I'm not proposing to "secure things with a CA" - but SSL certs (and code signing certs) need the CA system unless you want to rely on self-signed certs (and how do you verify the validity of those, then?).

Ok, let me rephrase that. You're implicitly assuming that CAs provide authentication. They don't (http://www.schneier....impressive_phis.html). If you ever read the legal disclaimers made by CAs, you may notice that they are not claiming to provide authentication, but rather disclaiming this.
The whole situation is extremely ridiculous. The only real difference between a CA-signed and a self-signed certificate is that the CA-signed certificate leaves you a few bucks poorer.
A bank could issue me with instructions for checking the certificate signature. In person. (The bank, in fact, already gives me a password generator device. What the bank actually needs is a good old simple shared-secret cryptosystem, using this generator's code as the shared secret. SSL doesn't support anything of that sort, and using SSL in this context is like hammering in screws because all we've got is a hammer and a screw looks similar enough to a nail.)

> > In the case of SSL certificates, you know, there's no bigass warning for a real spoof site. The only warning you have for a real spoof is the lack of the tiny yellow lock icon.
> Which is enough for power users (the ones that keep their software up to date, unlike regular users).

Don't you see what's ridiculous here? The only warning for real phishing victims is the absence of the yellow lock icon. Yet the browser displays extreme warnings for self-signed certificates.

> Authentication isn't the only thing SSL does, though; confidentiality and tamper-resistance are just as important.

Indeed. What we have in practice is that a lot of sites which need confidentiality and tamper-resistance but not so much authentication are not using SSL at all, because a browser displays scary warnings for a self-signed or expired certificate but no warnings whatsoever for an unsecured site.

> > The bigass warning is mostly shown to customers of legitimate businesses who forgot to pay the racket money (forgot to renew the certificate).
> And I do believe this is a problem. SSL certs and code signing certs are a bit on the expensive side. Code signing certs are slightly difficult to obtain, but that's mostly a positive thing, though.

There's been no known case of use of an expired certificate by a malicious party. Yearly expiration is only good for CA revenues; as a means of protection it is laughable. On average, there will be 6 months from the leak of the current certificate to its expiration; surely the certificate should be revoked much sooner.

edit: to make it clearer.
Browser behaviour for increasing security level:
0: No SSL: absence of the tiny yellow padlock icon [that's all the warning most phishing victims get].
1.0: SSL with no 'authentication' or an expired certificate: extremely scary warnings [which no phishing victims ever see].
1.1: SSL, CA-issued certificate (very insecure authentication by CA): no warnings. [some phishers obtain CA-issued certificates]
End result: level 1, which most often is good enough against plausible attacks (sniffing), is unusable; a lot of sites which should use level 1 use level 0; a few use level 1.1, providing immense revenues for CAs.
« Last Edit: March 05, 2010, 04:13 AM by Dmytry »
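The "good old simple shared secret cryptosystem" Dmytry wants, with the password generator's code as the secret, is in practice a counter-based one-time code: both sides hold a secret and derive each code with an HMAC over a counter, with no certificate authority in the loop. The Python below is added here as an illustration; it is not anything from the thread, from any bank, or from the device he mentions. It assumes the RFC 4226 HOTP construction (HMAC-SHA1 over an 8-byte counter with dynamic truncation) as the device's algorithm, and adds the server-side bookkeeping such a scheme needs: a look-ahead window for button presses the server never saw, and a strictly increasing accepted counter so that a code can never be replayed. The secret is the RFC's published test-vector key, used here as a constructed demo value.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time code per RFC 4226: HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation, then reduce to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server side of the shared-secret scheme. The only state is the secret
    and the highest counter already accepted, so an observed code is useless
    to anyone who replays it."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead  # tolerate a few presses the server never saw
        self.last_counter = -1        # nothing accepted yet

    def verify(self, code: str) -> bool:
        # Only counters strictly above the last accepted one are candidates;
        # compare_digest keeps the comparison time independent of where a mismatch is.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # resynchronise; older counters are now dead
                return True
        return False


# Constructed demo secret: the RFC 4226 test-vector key, not a real credential.
DEMO_SECRET = b"12345678901234567890"


def demo():
    """Walk through a first login, a replay, a skipped counter, a stale code and a guess."""
    v = TokenVerifier(DEMO_SECRET)
    return [
        v.verify(hotp(DEMO_SECRET, 0)),  # first use of counter 0: accepted
        v.verify(hotp(DEMO_SECRET, 0)),  # same code again: replay, rejected
        v.verify(hotp(DEMO_SECRET, 2)),  # user pressed the button twice; 2 is inside the look-ahead
        v.verify(hotp(DEMO_SECRET, 1)),  # code from behind the accepted counter: rejected
        v.verify("000000"),              # a guess: rejected
    ]


if __name__ == "__main__":
    print(hotp(DEMO_SECRET, 0), demo())
```

One caveat the thread's own argument calls for: this proves the user to the server, but says nothing to the user about whether the site in front of them is the bank's. The spoofed-site problem discussed in the posts above is the other direction, and a code like this entered into a phishing page still authenticates whoever relays it within the look-ahead window.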

CodeTRUCKER

Re: Antivirus companies support virus writers?
« Reply #43 on: April 30, 2010, 03:18 PM »
Ok, it's been a few weeks since this thread was bumped, but I did have some thoughts on the original subject...

"The best defense is a good offense."

I do not know the original author of this wisdom, but it does apply here. Also, I have no first-hand or second-hand knowledge of the business dealings of the A-V/security software houses, but I am a businessman.

If I were in the business of A-V products I would be a fool not to at least consider gaining the advantage of hiring virus authors for my R & D initiatives. It does not necessarily follow that I *must* enhance my profits by adding threats to the "wilderness." Just because a virus is authored does not require it to be released. As a responsible businessman it would be incumbent on me and my principals to ensure that any creations are indefinitely quarantined.

Just out of curiosity, has anyone ever heard any of the A-V houses state unequivocally that they do not employ the dark talents of virus hackers? I have not.

Given the above, I am persuaded that malware authors must be included in the business models of *all* the A-V vendors, as it would self-inflict an anemia within their R & D wings that would subordinate their developments to competitors if they did not, but my persuasions must halt on this point. Like many things in business, morality and integrity can only be as strong in commerce as they are in the characters of the corporate executives.