A little story about Malware.....

Status
Not open for further replies.

OVERKILL

So the other day one of my clients gives me a call. Their ISP had pulled the plug on their Internet because they had detected malware traffic coming out of the network. I'm not going to get into the discussion about that part of their policy (the ISP's); they are the only one in this area that does it....

Anyway, so I arrive on site, call the ISP and ask them which of the four networks was the traffic coming out of. The guy said they couldn't tell. I told him he was wrong (I've dealt with them on this before). He told me that it only showed bad traffic coming from the modem. I said he was wrong. He said he'd check with a guy that knew more. 30 seconds later, he gave me the IP. This took the list of potential systems to scan from about 50 down to 8.

Now, I'm actually this place's network guy, but the finance manager likes me, so he brings me in to do other stuff.... This would be one of those times. Over a year ago I had suggested they purchase a site license for NOD32, but they didn't want to spend the money at the time.

This is not a "managed" situation, so many of the users just sort of "do their own thing", and that includes antivirus protection.....

This means the list of products on the potentially infected systems included:

1. AVG
2. Microsoft Security Essentials
3. Norton Internet Security 2011

The infection that had been the source of their disconnect was a DNSRedirector infection.

I installed Malwarebytes to see what it would find.

I found a total of ~30 different virii/trojans/Malware over a total of eight systems.

Of interest:

1x Windows XP system had a Trojan, but there was not much information on it. This computer had AVG.

1x Windows XP system had 2x BHO Trojans, 3x other Trojans, a "Malware trace", and a security override. This system had Security Essentials on it.

1x Windows XP system had 6x different Hijackers on it. This system had AVG on it.

2x Windows 7 Laptops were completely clean. They had AVG.

1x Windows XP workstation was insanely slow and had nothing of importance on it. I had a spare fresh workstation on site, so I just swapped it out and took the other to reload.

1x Windows 7 Laptop had Norton Internet Security 2011 on it. This system had 8 different infections including the DNS Redirector.........

They've decided to follow through on a NOD32 site license now.

The Norton system concerned me the most: while MWB was blasting off hits, Norton was sitting there with its big green check mark saying everything was OK. A very false sense of security considering the severity of the infection.
 
I thought AVG was good. They were advertising like mad when I was driving 101 South out of SF through SJ.

Guess not.

It seems to me that the good software keeps changing, almost like they know how to get around different detection tactics from each coder.

Out of curiosity, can't one create fake IP addresses that would make it look like stuff was in one place but was actually another?
 
Originally Posted By: CivicFan
OK, is the moral of the story to switch to a Mac?


+1 I look at a computer like I look at a calculator...it's a tool and I want that tool to work without me needing to be an expert on how to repair it.
 
It's really quite insane for an organization to not have their workstation users restricted by Group Policy or otherwise in regards to internet usage. Relying on anti-virus and anti-spyware applications to protect the network when the users are allowed to run amok all over the internet is not a solid plan. Users need hard boundaries the same way a dog needs a fenced yard.

We have Symantec Endpoint Protection at my work. It does a pretty good job but is a bit of a resource hog, at least on some of the older XP machines.
 
Originally Posted By: JHZR2
I thought AVG was good. They were advertising like mad when I was driving 101 South out of SF through SJ.

Guess not.

It seems to me that the good software keeps changing, almost like they know how to get around different detection tactics from each coder.

Out of curiosity, can't one create fake IP addresses that would make it look like stuff was in one place but was actually another?


This was being monitored at the network level. There are 4x external IPs at the modem; the networks behind the modem all have their own routers and are NAT'd. It is very easy to determine which IP address the traffic was coming out on.

While IPs can be "spoofed", that is not applicable to this situation.
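The scoping this reply and the opening post describe (the ISP names one of the four WAN addresses, each LAN behind the modem sits behind its own NAT router, and the candidate list drops from about 50 machines to 8) can be done from the routers' own translation logs. The Python below is an added example and is not code from anyone in this thread; the WAN-to-LAN map, the NAT log line format, the resolver allowlist and the per-host resolver inventory are all constructed placeholders using documentation address ranges. It goes one step beyond the post by adding a resolver-allowlist check, since a DNS-redirector infection leaves the host configured with a resolver the site never handed out.

```python
import ipaddress
import re
from collections import Counter

# Constructed mapping: each of the site's four WAN addresses fronts one NAT'd LAN.
# Addresses come from documentation ranges (RFC 5737 / RFC 1918), not real ones.
WAN_TO_LAN = {
    "203.0.113.10": ipaddress.ip_network("192.168.10.0/24"),
    "203.0.113.11": ipaddress.ip_network("192.168.20.0/24"),
    "203.0.113.12": ipaddress.ip_network("192.168.30.0/24"),
    "203.0.113.13": ipaddress.ip_network("192.168.40.0/24"),
}

# Constructed NAT translation log in a simplified format (real routers differ):
#   <timestamp> NAT <lan_ip>:<port> -> <wan_ip>:<port> dst <dst_ip>:<dst_port>
SAMPLE_NAT_LOG = """\
2011-05-02T09:14:01 NAT 192.168.30.15:50122 -> 203.0.113.12:40001 dst 198.51.100.7:53
2011-05-02T09:14:02 NAT 192.168.10.22:50123 -> 203.0.113.10:40002 dst 198.51.100.200:443
2011-05-02T09:14:05 NAT 192.168.30.41:50130 -> 203.0.113.12:40003 dst 198.51.100.7:53
2011-05-02T09:14:09 NAT 192.168.30.15:50144 -> 203.0.113.12:40004 dst 198.51.100.7:53
2011-05-02T09:14:11 NAT 192.168.20.5:50150 -> 203.0.113.11:40005 dst 198.51.100.9:80
"""

NAT_LINE = re.compile(
    r"^(?P<ts>\S+) NAT (?P<lan>[\d.]+):\d+ -> (?P<wan>[\d.]+):\d+ "
    r"dst (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed resolver allowlist: the site's own routers plus the ISP's resolvers.
DNS_ALLOWLIST = {"192.168.10.1", "192.168.20.1", "192.168.30.1", "192.168.40.1",
                 "203.0.113.2", "203.0.113.3"}

# Constructed inventory of configured resolvers per host, as if collected from
# each machine (for example from ipconfig /all on Windows).
HOST_RESOLVERS = {
    "192.168.30.15": ["198.51.100.7", "203.0.113.2"],   # resolver not handed out by the site
    "192.168.30.41": ["192.168.30.1"],
    "192.168.10.22": ["192.168.10.1", "203.0.113.3"],
}


def lan_for_wan(wan_ip):
    """Which internal LAN sits behind the WAN address the ISP reported."""
    return WAN_TO_LAN.get(wan_ip)


def hosts_behind_wan(nat_log, wan_ip):
    """Count outbound translations per LAN host that left via wan_ip.

    This is the step that turns "bad traffic from the modem" into a short
    candidate list: only hosts that actually egressed through that address.
    """
    lan = lan_for_wan(wan_ip)
    hits = Counter()
    for line in nat_log.splitlines():
        m = NAT_LINE.match(line)
        if not m or m["wan"] != wan_ip:
            continue
        src = ipaddress.ip_address(m["lan"])
        if lan is not None and src not in lan:
            continue  # log disagrees with the WAN-to-LAN map; skip rather than guess
        hits[str(src)] += 1
    return dict(hits)


def resolver_drift(host_resolvers, allowlist):
    """Hosts whose configured DNS resolvers include an address not on the allowlist.

    A DNS-changer style infection points the host at a resolver the site never
    configured, so this is a cheap first check on each candidate host.
    """
    drift = {}
    for host, resolvers in host_resolvers.items():
        bad = sorted(r for r in resolvers if r not in allowlist)
        if bad:
            drift[host] = bad
    return drift


def triage(nat_log, reported_wan, host_resolvers, allowlist):
    """Rank candidate hosts: resolver drift first, then by outbound volume."""
    candidates = hosts_behind_wan(nat_log, reported_wan)
    drift = resolver_drift({h: host_resolvers.get(h, []) for h in candidates}, allowlist)
    return sorted(candidates, key=lambda h: (h not in drift, -candidates[h], h))


if __name__ == "__main__":
    print("LAN behind reported WAN:", lan_for_wan("203.0.113.12"))
    print("Candidate hosts, most suspicious first:",
          triage(SAMPLE_NAT_LOG, "203.0.113.12", HOST_RESOLVERS, DNS_ALLOWLIST))
```

With the constructed log, only the two hosts on the 192.168.30.0/24 LAN egress through the reported WAN address, and the one whose resolver list contains an address outside the allowlist is ranked first. The point of separating the two checks is that the NAT log tells you where to look, while the resolver check tells you what to look at first; neither replaces scanning the candidate machines.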
 
Originally Posted By: CivicFan
OK, is the moral of the story to switch to a Mac?


As Apple becomes more popular we will see more problems with malware.

There have been some attacks lately, although nothing like Windows, which is a much more popular operating system.

Problem with Apple is it offers many a false sense of security.
 
Originally Posted By: LoneRanger
It's really quite insane for an organization to not have their workstation users restricted by Group Policy or otherwise in regards to internet usage. Relying on anti-virus and anti-spyware applications to protect the network when the users are allowed to run amok all over the internet is not a solid plan. Users need hard boundaries the same way a dog needs a fenced yard.

We have Symantec Endpoint Protection at my work. It does a pretty good job but is a bit of a resource hog, at least on some of the older XP machines.


I agree with you completely, however there is no domain or anything inside this location. It is just a number of independent workstations on different networks. I had suggested an ASA but the price was a big turn-off for them. A number of the laptops are personal devices as well that don't belong to the company. The idea of a location-wide policy was brought up as well but was met with a lot of resistance.

In that vein, I would question as to whether the Symantec solution you guys are using would have detected this.... since Norton was oblivious to it.
 
Originally Posted By: SrDriver
Originally Posted By: CivicFan
OK, is the moral of the story to switch to a Mac?


As Apple becomes more popular we will see more problems with malware.

There have been some attacks lately, although nothing like Windows, which is a much more popular operating system.

Problem with Apple is it offers many a false sense of security.


Yes, and no. There are already more malware items showing up for Mac, but the difference is that it's really a lot harder for malware to usurp as many core OS functions on Unix-based OSes than it is on Windows versions prior to Win7, especially without the user's knowledge. The amount of power that an executable program had on XP and older systems really meant the OSes had their pants around their ankles in many ways that Win 7 and Unix don't.

But that's all somewhat irrelevant, because for *any* OS these days, malware creators are depending on the ignorance of the user. The days are gone when just receiving an infected disk or document guaranteed infection. Today malware authors get the guy behind the keyboard to click a link or launch an executable and give it permission to run rampant. It doesn't matter what OS you have in that case.
 
For all of the Apple nuts on the site, MacBooks now have 250,000 viruses, malware etc. and have roughly 1000 new problems per month show up. Use Unix or Linux, easy to use (Mint, Ubuntu, Fedora). Linux has significantly fewer virus-related problems than Apple. Shoot, Apple just cheated and uses BSD underneath for the hard work and installed a different, less secure GUI. What a waste of money.
 
I used to run a computer lab at a university; many of these security problems, trojans, exploits are CAUSED by the company's security policies.

Example: where I work I can't run Windows Update, automatic updates (including the monthly malware removal tool) are disabled; essentially, to make the workstations "secure" they enforce a group policy stopping any .dll or .exe modification.

Any experienced hacker can gain admin rights silently in the background (Windows PowerShell for example) and override this "security" function almost instantly (I won't tell you how).
 
continued:
Now these "secure" computers have firewall pinholes, buffer overflow exploits and other problems that you could drive a truck through; script kiddies just download an app from insecure.org and they are in your network. I suspect these infected computers are missing critical updates and the AV software is not properly configured.

Using a firewall router, Windows Firewall, automatic updates ENABLED and using Microsoft Security Essentials (which by the way uses parts of Microsoft Forefront Server) has left me completely without any malware, viruses etc.

Every once in a while I run the free security scan from Norton, AVG, etc. and find nothing.
 
Originally Posted By: 97prizm

For all of the Apple nuts on the site, MacBooks now have 250,000 viruses, malware etc. and have roughly 1000 new problems per month show up. Use Unix or Linux, easy to use (Mint, Ubuntu, Fedora). Linux has significantly fewer virus-related problems than Apple. Shoot, Apple just cheated and uses BSD underneath for the hard work and installed a different, less secure GUI. What a waste of money.



Please explain to me how the GUI can make a system "less secure" when all the permissions are still controlled by the underlying Unix.

I'm not denying Macs can get malware. I'm questioning your logic in saying that one *nix OS is any more or less secure than another.
 
Originally Posted By: 2004tdigls
continued:
Now these "secure" computers have firewall pinholes, buffer overflow exploits and other problems that you could drive a truck through; script kiddies just download an app from insecure.org and they are in your network. I suspect these infected computers are missing critical updates and the AV software is not properly configured.

Using a firewall router, Windows Firewall, automatic updates ENABLED and using Microsoft Security Essentials (which by the way uses parts of Microsoft Forefront Server) has left me completely without any malware, viruses etc.

Every once in a while I run the free security scan from Norton, AVG, etc. and find nothing.



Comically enough, the "bad" one of the bunch was fully updated. Go figure.

It was a personal laptop however, so no amount of corporate policy is going to change what goes on with it when he takes it home.

And you are spot-on about the ease of gaining root on a "secured" system. The supposed "logic" of disabling security updates through GPO has always baffled me.
 
lol, bypassing admin rights, passwords etc., it's too easy.

Gaining admin rights or permissions on a Linux or Windows computer is easier than wiping your butt with Cottonelle.

And NO, I will not tell you how.
 
Originally Posted By: 2004tdigls
lol, bypassing admin rights, passwords etc., it's too easy.



That wasn't my question. The question was how the MacOSX GUI changes any of that, or makes it any different from Linux.
 
Originally Posted By: CivicFan
OK, is the moral of the story to switch to a Mac?


LOL! You think Mac is safe?!!? Why, think again.

*hint* I work for a company that does Mac security-related developments
Q.
 
No, the Mac GUI does not change anything.

Ooops, I was wrong.

Well, it does: you get to click on a pretty icon to run an exploit instead of using a Linux terminal command.
 
Originally Posted By: 2004tdigls
No, the Mac GUI does not change anything.

Ooops, I was wrong.

Well, it does: you get to click on a pretty icon to run an exploit instead of using a Linux terminal command.


See that's the thing... if you can get the USER to run the exploit, it really doesn't matter how secure everything else is.
 
The biggest "threat" I've been seeing lately is the fake antivirus. If you don't know what you are doing it's nearly impossible for normal users to remove.
And some of them download other trojans/exploits, botnet your computer, etc.
 