Seeking opinions about combination antivirus/firewall products

[Darwin]

Thanks Lusher - just to confirm, this affects only the Avast forums hosted on wilderssecurity, not all wilderssecurity hosted threads, right? Didn't want to click on the link, just in case, and don't want to risk visiting the forums at them moment!

[Lusher]

Thanks Lusher - just to confirm, this affects only the Avast forums hosted on wilderssecurity, not all wilderssecurity hosted threads, right? Didn't want to click on the link, just in case, and don't want to risk visiting the forums at them moment!

-Darwin (August 25, 2007, 03:43 PM)

No. No. Wilders is not affected at all. That is a link to the discovery and discussion on Wilders security forum. Wilders does not host AVAST forums.. You can visit the link i posted without problems..

The affected site is on AVAST's own servers...

[Darwin]

Ah, thanks for replying so soon, Lusher. Right, off to do some reading... 

[PhilB66]

BTW guys visiting AVASt! forum in the last 24-48 hours should be careful, apprently the forum was hacked and it was trying to infect people via a iframe and security exploit...

http://www.wildersse...wthread.php?t=183634

Do a full scan just in case.

-Lusher (August 25, 2007, 03:05 PM)

Thanks Lusher. BTW, only ie (+ie clone) browsers were affected.

[Lusher]

Actually Darwin, the site also fed a different exploit if you were using firefox or opera.

[Lusher]

The next one hacked is spyware terminator forums...

http://forum.spyware...x?g=posts&t=3036

http://www.wildersse...wthread.php?t=184968

Who's next?

[System32]

No. No. Wilders is not affected at all. That is a link to the discovery and discussion on Wilders security forum. Wilders does not host AVAST forums.. You can visit the link i posted without problems..

The affected site is on AVAST's own servers...

-Lusher (August 25, 2007, 03:47 PM)

Hi everyone,


I'm a former active member of the avast! forum and I just want to clear some stuff up regarding about the mess Alwil had to deal with:

Neither Alwil nor avast! were hacked by this exploit.  It was the forum software that was hacked.  Currently avast! forum is now safe to enter. If you want more information about it you may read what VLK posted here
or

1. The attacker used a vulnerability in SMF version 1.1.12 (the forum software that was in use when it happened).

2. The attack was led from Russia

3. The attack consisted in adding an iframe to each and every page of the forum. The iframe led to a remote site.

4. The remote site hosted an exploit for IE and an exploit for Firefox (both benign if an up-to-date version of the browser was used).

5. Avast was able to block the IE exploit directly, and also blocked the EXE that was downloaded by means of the Firefox exploit

6. This suggests that it was not a targeted attack (specific to avast forum) - it would be hard to believe that the attacker wouldn't have checked that the malware was undetected by avast

7. It took us about 12 hours to clean the forum and restore it to the original state (Saturday August 26). We also upgraded the forum software to the latest version (which has the vulnerability fixed). Unfortunately, the initial cleaning attempt wasn't perfect so the attacker, in a much smaller extent, was able to carry out another attack a couple of days later. This time, it was quite an easy (and quick) "fix", though.

8. No data was lost from the forum database

9. It is hard to say if the attacker stole any data from the database. It seems unlikely, but unfortunately, it cannot be guaranteed. That would mean mainly the email addresses (the passwords are not stored in the db - just their hashes).

10. It was a good lesson for us. We apologize for any inconveniences this might have caused to you.

Cheers
Vlk

If you use AVG Antispyware or Dr. Web, you should be able to detect the exploit for Firefox.   

[PhilB66]

Thanks System32.

[Lashiec]

I'll try to put the thread back on topic, as Scot Finnie released his latest newsletter, and seems like some people in the forums of his site didn't think like him regarding Comodo. He ended agreeing with them in one thing: Comodo slows down Windows.

Funny comments from Comodo managers. Comodo 2 was advertised in lots of sites as having a HIPS integrated, and now they say it's coming in version 3! It seems security software developers like to play with the meaning of concepts such as "firewall" and "HIPS", oh boy... For now, the thing is exactly the same, something that our own Wordzilla can assess .

I want that Eset Smart Security to be final now... and eagerly waiting for avast! Firewall as well.

EDIT: Writing posts at 4 AM is a synonym of mistakes

[Armando]

Thanks Lashiec.
I agree that Comodo is not perfect.
My experience has been better than with other FW though.
I mentionned here some problems I've had with it, and the (acceptable, IMO) workarounds.

PS : I'm intrigued by Eset's firewall too...

[Lusher]

No. No. Wilders is not affected at all. That is a link to the discovery and discussion on Wilders security forum. Wilders does not host AVAST forums.. You can visit the link i posted without problems..

The affected site is on AVAST's own servers...

-Lusher (August 25, 2007, 03:47 PM)

Hi everyone,


I'm a former active member of the avast! forum and I just want to clear some stuff up regarding about the mess Alwil had to deal with:

-System32 (September 10, 2007, 02:54 PM)

Finally some attempt at damage control.

Neither Alwil nor avast! were hacked by this exploit. 

A half truth. Hint look at the domain name.... The fact is Alwil was responsible for the forum and they screwed up.

It was the forum software that was hacked. 

No one implied otherwise.

[Lusher]

Prevx Computer Security Investigator (CSI)

Our FREE Prevx CSI scanner allows you to benefit from the knowledge gained from our vast community of users. Prevx CSI scanner is click-and-go, requires no installation or reboot, which means it's quick and easy to use. Its small size allows you to take it anywhere and use it as many times as you like, and even copy it to your friends.

http://www.prevx.com/freescan.asp