[ale] [OT] Databases of viruses/malware

Ron Frazier atllinuxenthinfo at c3energy.com
Thu Mar 3 08:11:33 EST 2011


Hi Greg,

Your best defense against zero day is to use good firewalls (hardware 
and software), have well patched computers, and have users trained in 
safe computing. (Yeah, I know, "trained users" is somewhat of an 
oxymoron. "Trained responsible users" is really an oxymoron.) Clicking 
email links is a huge vector which is largely avoidable. They should 
understand not to invite things in through the firewall. Granted, on 
websites, you can't always tell what's malicious. They should be trained 
to avoid phishing and social engineering attacks, to the extent 
possible. Running as an average user rather than a super user, with User 
Account Control on (in Windows) or the default functionality in Ubuntu, 
is very helpful if something tries to execute with elevated privileges. 
Of course, if you have the admin password, and you type it in, you're 
toast. Running with scripting disabled in the browser and in PDF files 
is very helpful, in my opinion, essential. Also, in my opinion, 
disabling autorun / autoplay for all CD / DVD drives and USB ports is a 
biggie. FireWire too, if applicable. A user in a corporate environment 
should NEVER be able to pop in his memory stick and immediately get 
infected. That is the new floppy disk, and the new vector. Viruses used 
to spread like wildfire on college campuses via floppy disk. However, he 
should still be able to use the memory stick for data storage. Likewise, 
the janitor should never be able to pop in his memory stick and infect 
the users' PCs. Of course, if he has time alone with the PC, it gets 
much harder to protect. Things like BIOS boot passwords, disabling 
CD / DVD / USB boot, and physically locked cases come into play; and not 
all PCs even support those features. If you can survive a few days 
without getting the latest THING, your virus scanner(s) will probably be 
updated and will be able to scan it, at the expense of all the poor 
souls who originally caught the THING.

As I mentioned in another post, a technical college I worked for used 
DeepFreeze to return every PC to a known state every night, just by 
rebooting. I find that fascinating, but I'm not using it personally because 
of frequent data that I store and frequent updates, which are a problem 
in that scenario. In any case, at the college, the lifetime of a virus 
on a frozen PC is limited to 24 hours, because the PCs always get 
rebooted or shut down at night.

This is one big reason I'm running Linux. At the moment, I'm not running 
AV on it, but that may change over time. However, the family still runs 
Windows, and I boot into Windows periodically to do things I cannot do 
in Linux, so I still have to maintain that.

I note that Firefox and Java work the same regardless of platform, so I 
would think there is still a risk from infected web pages. (I use 
NoScript to disable scripting on all non-trusted sites.)

Flash is also the same on all platforms, so all platforms may have risk. 
(Yes, I use Flash. Gotta have it for Pandora, Hulu, YouTube, and some 
web conferencing sites.)

Also, with Wine on board, I'm capable of running native Windows 
executables, so there might be a risk there too.

That brings up some Linux related questions:

1) Does the document viewer, which reads PDFs in Ubuntu, have 
JavaScript, and if so, how do I turn it off?
2) Leo Laporte, of the TWIT podcast network, recommends Foxit for 
reading PDFs rather than Adobe. It's available for Linux here:
http://www.foxitsoftware.com/pdf/desklinux/
It looks like it comes as a tarball. Does anyone know how I can install 
it through Synaptic or Apt, so I get auto updates?
3) How do I turn off autoplay / autorun in Ubuntu? I specifically DON'T 
want anything autoexecuting on insertion of CD / DVD / USB.
4) Do Ubuntu and Linux in general have Data Execution Protection?
5) Is anyone aware of studies of security risks related to Wine?

Any help with these issues is greatly appreciated.

Sincerely,

Ron


On 03/02/2011 10:44 PM, Greg Freemyer wrote:
> This is an awful long thread to not even mention:
>
> Malware factories usable by techno-phobes.
>
> The resulting 10's of thousands of unique zero day attacks per day!!
>
> Rootkits are last decade.  Zero day attacks work better and are easy to create.
>
> Standalone boot cd's are useless against a zero day.
>
> Go Linux!
>
> Greg
>
> On 3/2/11, Ron Frazier<atllinuxenthinfo at c3energy.com>  wrote:
>
>> Pat,
>>
>> A valid question. The best way to fix a virus is never to catch one.
>> However, the post JD wrote which I replied to assumed a virus had been
>> detected and he was discussing how to get rid of it. I'll give you the
>> best answer I can. If I wipe the drive, and reinstall the system and non-
>> infectable data files, then I would trust the computer. Then, I would do
>> routine virus scans, have live on the fly scanning active, and have data
>> execution protection on in the OS (if it's Windows) and the browser (if
>> it's IE). I would watch for anomalous events such as crashes, non-
>> requested reboots, error messages, etc. I would watch for reports of odd
>> computer behavior from the users, missing or corrupt data, reports like
>> "I got this email from IT and clicked the link" or "what was that urgent
>> system maintenance thing yesterday (when there was none)", etc. If I have
>> much probable cause at all, I'll reboot with a few different AV rescue
>> CDs and scan independent of the OS. For truly sensitive PCs and users,
>> I might wipe the drive and reinstall just based on probable cause alone.
>> Of course, I would immediately pursue and try to confirm any reports of
>> active viruses by the AV scanner.
>>
>> To actually answer your question, there is no surefire way to detect
>> these things. Just like organized criminals, the really good ones never
>> get caught. There are millions of users with infected computers who
>> don't even know it. The virus writers use the compromised PCs to join
>> botnets, silently commit cyber terrorism, and steal confidential data
>> which is sold on the black market.
>>
>> Security professionals feel free to jump in here.
>>
>> Sincerely,
>>
>> Ron
>>
>> On 03/02/2011 09:08 PM, Pat Regan wrote:
>>
>>> On Wed, 02 Mar 2011 20:58:02 -0500
>>> Ron Frazier<atllinuxenthinfo at c3energy.com>   wrote:
>>>
>>>> The problem is, you may never know if the remedy failed. If the virus
>>>> returns in a mutated form, or in rootkit form, it may not show any
>>>> evidence of its presence until you boot another OS and scan again,
>>>> which may be weeks or months or never. In my opinion, if a machine is
>>>> compromised, the only way I can trust it again with confidential
>>>> data, for sure, is to wipe the drive.
>>>>
>>> How do you know when to stop trusting it again?  If it is hiding that
>>> well then how did you find it in the first place? :)
>>>
>>> Pat
>>>
>>


-- 

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new messages very quickly.)

Ron Frazier

770-205-9422 (O)   Leave a message.
linuxdude AT c3energy.com
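One way to check the rule Ron states above (a memory stick usable for data storage but never able to run anything) on a Linux host, as an added example that is not part of the original post: it audits /proc/mounts-style lines for removable mounts that lack noexec, nosuid and nodev. The mount-point prefixes, the required option set and the sample mount lines are assumptions constructed for this example.

```python
"""Audit removable-media mounts for the "data yes, execution no" rule.

Added example, not code from the ale thread. It parses /proc/mounts-style
lines and reports mounts under REMOVABLE_PREFIXES that are missing any of
the noexec, nosuid or nodev options.
"""
import re
from typing import Dict, List

# Assumption: where desktop automounters put removable media on this host.
REMOVABLE_PREFIXES = ("/media/", "/mnt/")
# Assumption: the options we want on every removable mount.
REQUIRED_OPTIONS = frozenset({"noexec", "nosuid", "nodev"})

# Constructed sample lines in /proc/mounts format:
#   device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/usbstick vfat rw,nosuid,nodev,uid=1000,gid=1000 0 0
/dev/sr0 /media/cdrom0 iso9660 ro,nosuid,nodev,noexec 0 0
/dev/sdc1 /mnt/backup ext4 rw,relatime 0 0
"""

def _unescape(path: str) -> str:
    """Decode the octal escapes /proc/mounts uses for spaces etc. ("\\040" -> " ")."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)

def parse_mounts(text: str) -> List[Dict[str, object]]:
    """Parse /proc/mounts lines into dicts with a set of mount options."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        mounts.append({"device": fields[0], "mountpoint": _unescape(fields[1]),
                       "fstype": fields[2], "options": set(fields[3].split(","))})
    return mounts

def audit(text: str) -> List[Dict[str, object]]:
    """Return one finding per removable mount missing any required option."""
    findings = []
    for m in parse_mounts(text):
        if not m["mountpoint"].startswith(REMOVABLE_PREFIXES):
            continue  # fixed disks are out of scope for this rule
        missing = sorted(REQUIRED_OPTIONS - m["options"])
        if missing:
            findings.append({"mountpoint": m["mountpoint"], "missing": missing})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_MOUNTS):
        print(f"{f['mountpoint']}: missing {','.join(f['missing'])}")
```

On a live host, pass open("/proc/mounts").read() to audit() instead of the constructed sample. noexec stops binaries on the stick from being executed directly but not an interpreter being pointed at a file there, so it complements the autorun and user-training points above rather than replacing them.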


