Worst infection to date: Beware - Page 2

Thread: Worst infection to date: Beware

  1. #16
    Registered User
    Join Date
    Apr 2001
    Location
    Medicine Hat Alberta
    Posts
    144

    I agree

    I definitely think this is somewhat from a Java-based script. As I mentioned earlier, my Sun Java client went nuts just before I was immediately infected with this infection, followed by massive amounts of malware and porn.

  2. #17
    Chat Operator Matridom's Avatar
    Join Date
    Jan 2002
    Location
    Ontario, Canada
    Posts
    3,778
    I'm just curious, why was it that you went through this cleaning process instead of just reformatting the system?
    <Ferrit> Take 1 live chicken, cut the head off, dance around doing the hokey pokey and chanting: GO AWAY BAD VIRUS, GO AWAY BAD VIRUS
    -----------------------
    Windows 7 Pro x64
    Asus P5QL Deluxe
    Intel Q6600
    nVidia 8800 GTS 320
    6 gigs of Ram
    2x60 gig OCZ Vertex SSD (raid 0)
    WD Black 750 gig
    Antec Tri power 750 Watt PSU
    Lots of fans

  3. #18
    Registered User Niclo Iste's Avatar
    Join Date
    Oct 2007
    Location
    Pgh, PA
    Posts
    2,051
    I'd assume for the same reasons as me. To learn from a new type of infection and to figure out another reliable way to deal with a threat when all else fails. The knowledge is useful when you are put in a situation where the client absolutely will not take reinstallation as an answer.
    One Script to rule them all.
    One Script to find them.
    One Script to bring them all,
    and clean up after itself.

  4. #19
    Registered User Ferrit's Avatar
    Join Date
    Apr 2001
    Location
    Vancouver Island The Real Canada
    Posts
    4,952
    The client is the one that got infected.
    They may think the reinstallation isn't an answer.
    But frankly they don't have the knowledge to make that decision.
    That's why they are coming to you.
    Gigabyte 990FXA-UD3
    AMD FX 8350 4ghz OCTO-Core
    Windows 8.1 PRO 64
    Adata 256 gig SSD
    Kingston HyperX 1600 16 Gigs
    Sapphire R9 280 2gig
    Enermax Liberty Modular 620
    www.northernaurora.net
    http://www.northernaurora.net/page/chat.html

  5. #20
    Registered User Niclo Iste's Avatar
    Join Date
    Oct 2007
    Location
    Pgh, PA
    Posts
    2,051
    If it's a critical system to a business that needs to be operational in the same day, I'd like to have the knowledge to do so. Especially if configuration, setup, and redeployment of the said system take longer than it does to remove the infection properly. Frankly I'd rather learn from a test system I infected, but sadly many writers of viruses seem uninterested in offering me first crack at their infections. Mind you, if we all had the notion of "bah, just reinstall Windows" we wouldn't have much if any antivirus software in the first place.

  6. #21
    Registered User Ferrit's Avatar
    Join Date
    Apr 2001
    Location
    Vancouver Island The Real Canada
    Posts
    4,952
    You said it correctly. If it takes longer.
    Either way, to repair or to reinstall.
    It's all about the money and whether after the
    repair there is a functioning system left.

  7. #22
    Registered User
    Join Date
    Jan 1999
    Location
    Canada
    Posts
    2,513
    I just finished taking a vendor required cert course on Malware. I work for a VAR. VAR staff have to take cert courses to keep vendors happy. It is the way of the world.
    The course material stated that there is evidence of Malware test and development labs. We are not facing script kiddies anymore. The motivation of malware is now profit. There is a lot of money to be made. The test and development labs apparently have all the latest and greatest anti-malware software from all the major vendors to test their current "product" against. At any given time, currently existing anti-malware solutions can be defeated and currently existing removal utilities can be avoided. The bad guys are always one step ahead of the good guys.

    Anti-malware vendors are moving to in-the-cloud integrations that attempt to ward off drive by shootings and sources of infection by maintaining databases of known web threats. But they can't keep up. To a certain extent their efforts are and will always be reactive as much as they attempt to focus on the preventative.

    Scan engines are not enough anymore. This is the weakness of vendors like Kaspersky and Eset, both of whom have absolutely el-primo killer scan engines. Stats indicate that there can be as many as 50K new malware variants detected a day. It is getting to the point where vendors cannot push large enough pattern files fast enough to PCs.

    What it comes down to is that you cannot rely on any anti-malware solution. If you porn surf (particularly edgier porn), go to hacker sites, go to marginal online gambling sites, go to socially marginal sites (hate), download warez, download hacks n cracks, leave your mail client operating in HTML or RTF rather than plain text, don't block executable email attachments, don't or can't (because you are using warez) do software/OS patches, etc, etc, then your number is going to come up. Nothing is going to save you.

    Even if you do everything right, you are still at risk from zero day drive by shootings.

    You could switch to something like Ubuntu Linux, but even here, if you behave like an idiot, you will run into problems. And as nice as Ubuntu is, it is not Windows and you will not have the same wide range of software available to you - realities are realities.

    Install and maintain a good quality anti-malware solution - unfortunately, this will need to be more than a simple scan-engine old-school AV client. There are many good solutions. None are perfect.

    Abandon XP. MS gave it an extension on life because of the unpopularity of Vista. The first nail went in XP's coffin on April 14 - the reprieve on end of main stream support was rescinded.

    Keep your OS and applications patched.

    Use your brain.

    Before you edge out past your router/firewall, light some votive candles. I understand from Ferrit that killing a chicken as an offering works well, too.

    ____________________________________________

    It is my pure and virtuous heart that
    gives me the strength of ten!
    Last edited by houseisland; April 17th, 2010 at 05:07 PM.

  8. #23
    Registered User slgrieb's Avatar
    Join Date
    Feb 2003
    Posts
    4,103
    I read this paper by Charlotte Dunlap on TrendMicro's site recently while reading about the snafu with their toolbar. Dunlap discusses the shortcomings of current testing methods and proposes that all AV evaluations should be using tests based on "live" or realtime comparisons against malicious sites, downloaded content, etc.

    In particular, she cites NSS Labs tests as the most advanced in the field, followed by Westcoast Labs. Of the two sites NSS Labs seems to offer much more in the way of immediately useful and interesting content.

    I also suggest everyone take a look at AV-Comparatives' Nov. 2009 Proactive/Retrospective Test, in which the product with the highest detection rate for unknown malware (Avira) only scored 74%. In fact, products that scored 50% and above were awarded an Advanced Plus Certification.
    Last edited by slgrieb; April 17th, 2010 at 05:17 PM.

  9. #24
    Registered User Niclo Iste's Avatar
    Join Date
    Oct 2007
    Location
    Pgh, PA
    Posts
    2,051
    As usual, SL, you are a treasure trove of information.
