I thank you for your detailed post and will come back and reread it some more in the future. It has some interesting links that I'd like to follow up on.
I hope you do come back to refer to this topic as I have been working on a response that has turned into a small book that has taken me a week to write. As I said, I am slow--slower than molasses at the south pole. But I felt some things needed to be addressed so I hope you will take your time to read thru it all. Just consider yourself forewarned...
Well, I think you are still missing the point and, no offense but much of your reasoning is flawed and/or shows a lack of knowledge. I still hope to correct the last part--I used to have this quote in my signature from Will Rogers: "We are all ignorant, just on different subjects."
Let me review in general what we have been talking about, then I hope to go over specifics point by point.
Your original question is how do you know you are getting the authentic GMER download and in general how do you know any unsigned software is authentic? It is basically a question of trust.
My answer to that is that you can trust the software from legitimate sites, especially when it comes to software that is primarily designed to find and remove malware.
You have basically rejected that advice and contend that you can't trust any software that isn't digitally signed. And it becomes clearer that the whole reason for your question is that you are concerned about unsigned software because it could be an entry point to your system that could jeopardize sensitive information stored on your computer and which could ultimately lead to identity theft. Which actually changes the whole question into: What is the best way to protect my computer so that I don't get attacked/infected and fall victim to identity theft, which I will try to go into answering later.
It seems to be your contention that you can trust software that is digitally signed and can't trust that which isn't. Which leads me to believe that you are looking for black and white answers in an endeavor in which there are many gray areas. There is no magic bullet--security is a matter of risk reduction, not risk elimination. Another major point is that good security is not convenient--so security done quickly is not often of good quality. It is the need for speed that gets many infected in the first place.
Your concern over and presentation of scenarios to show that malware or hackers/crackers could use GMER or other security software as a clever means to gain entry into a system is really just begging the question and leads me to believe you don't have enough knowledge of how security software works and what is happening in the real world of malware/security threats.
At this point, let's be clear on some terminology, specifically, Entry Point. In the security field (not to be confused with the same term used in computer programming), an Entry Point is the method or technique used to gain entry to one's computer system and/or network--also known as an attack vector. In other words, how an infection or hacker/cracker "got in" in the first place. A good analogy would be a doorway. In the large majority of cases, because of the use of social engineering, the door is inadvertently opened so that the malware is basically invited in. And a large percentage of these are not targeting any one individual or organization, so this is what I think of as a generalized or randomized attack--much like the old door-to-door salesman using all the tricks they know to get invited in.
Obviously, not all attackers are invited in; they may get thru a door you neglected to close or simply break in thru brute force. These can be random also, but more often they are targeted attacks--they are gaining entry because they know you have something they want.
I think you have heard of and are more concerned about and focused on targeted attacks. Which is fine, as a good security game plan will protect you as much as possible against all types of threats. Having a natural distrust puts you one step ahead of the rest, it's just my opinion you need to think a little harder when determining who and what it is that you can trust.
A point I have failed to make so far that might have made all this a bit clearer and easier is that calling GMER and similar programs protection, and thinking of them as such, is a big mistake. In the strictest sense of the word any on demand scanner is not protection. The sole purpose is to find and possibly remove infections after they already have gained entry. In a vague sense such scanners are protection because they will prevent further threats from what was removed--like saving your little brother from a bully; you have protected him from getting hurt anymore, but the damage--such as a black eye and broken teeth--has already been done. To me, protection is preventing the bully from attacking in the first place. GMER won't do this, and neither will most of the removal tools used in the malware removal forum, because they are designed to help remove, not to protect.
This ties in to your new question. If you know how security software works, then you will know why you don't need more than one antivirus (AV) with on access/real time scanning at a time and no more than one firewall at a time.
Again let's define what we are talking about here.

On Demand Scans:
You are probably somewhat familiar with these as they relate to antivirus (Norton, McAfee, AVG, AntiVir, etc.) and other anti-malware programs (SuperAntiSpyware, MalwareBytes AntiMalware, etc.). They are called on demand because you control (have command over) when and what to scan. As I've described a bit already, in the case of AV's and anti-malware programs these work by testing against a set of definitions that you must keep up to date. They will also attempt to repair affected files, move them to a quarantine or simply delete them.
But there are also On Demand Scanners, such as GMER and HijackThis, to name just a few, that are primarily diagnostic tools. They may have some "fixing" ability, but their main purpose is to search the system for data that meets their search criteria so that a human can analyze what that data means and whether it is a threat or not. For GMER and HijackThis and similar tools that mostly means that they look for areas of your registry and system that allow malicious files to load into memory--so that a file becomes a process. The one weakness of any malicious file is that it has to run--just as if you had double-clicked it--every time you boot into Windows, else it is just a dormant piece of code. This is why programs like GMER are much smaller than your AV--they don't have nearly as much area to cover nor do they need to perform as many functions as an AV.
Malware removal tools also fall into this category and are also small and lightweight because they usually focus on one infection or family of threats. These can have both diagnostic and removal functions.
The main point of all this is that On Demand Scanners do not proactively protect your system--their main purpose is not to block any entry points--just find and remove what is already there.

On Access/Realtime Scanners:
This is your proactive protection feature of any full-featured antivirus and is what conflicts with other full-featured AV's when you have more than one installed. These are also known by various and sundry other terms, some proprietary to the AV vendor--Guard, Monitor, ActiveShield, AutoProtect, etc. I like to refer to them as On Access because it best describes how they work. As already mentioned, a file has to be executed/loaded into memory/running to have any effect on your system, i.e., deliver its payload. An On Access scanner will block your access to the file so that you don't open/execute/run it. It will warn you that the file has been positively identified as a threat or possible threat. Then you must decide what to do with the file--attempt repair, delete, quarantine, etc.
The main point here is that this is what primarily blocks Entry Points. Because opening email attachments is still a very common entry point method, let's use that as an example. Let's say you receive an email that has an infectious executable file attached. If you don't try to open that attached file, your On Access scanner does nothing and you could have it sitting harmlessly in your inbox. But when you try to open the file, your On Access scanner intercepts your command and tells you it is a malicious file--it's basically a file filter. If you tell the On Access scanner to delete the file, then the infection has failed to gain entry. If you quarantine it, then you have a dormant copy--basically a backup--sitting on your hard drive; again the infection has failed to gain entry. For the sake of argument, let's say you tell the On Access scanner to allow access or ignore its warning--you have just allowed entry to your system so that the infection can proceed to install and do its dirty work--you just opened the door to let it in.
By design and necessity your AV's On Access scanner must run in the background and so is represented by an icon in your System Tray. That is your protection against infection, not a removal diagnostic tool like GMER. And tho they aren't perfect, they actually work pretty well.
Here is why you should not run two AV's with On Access scanners at the same time:

One, it makes your system unstable--that is the main reason. AV's are very large, complicated programs that dig deep into your system just like malware does in order to root it out. I liken it to a rat terrier that has to go down into the rat hole to rid you of a rat problem. The bigger the program the more bugs, and even by itself an AV can cause instability. I have worked many HijackThis logs where a person has more than one AV with protection running and is having all kinds of problems as a result, so that they are convinced they are infected. When we get them straightened out so that they are running just one AV with protection, the instability goes away and they find they were never infected in the first place.
Even tho you say you don't experience "conflicts" I think if you look closer you will find some stability issues. The AV's you mention do include On Access scanners. I could see it if you ran more than one AV that are On Demand only, such as the free version of Bit Defender and ClamWin--you should be able to install as many On Demand scanners as you want. Even then you should use the scanners one at a time, as scanning is very taxing on your system's resources. I've also heard some people claim that they've run AntiVir as a second AV with no problems--it has always had a light footprint, and probably still is the lightest, altho version 9 is heavier now.
I have a hard time believing that McAfee gets along with any other AV--it's the worst at flagging other security utilities as malware instead of warning that it may be something that either malware or a good guy could use.
A second reason is that, like a rat terrier going down a rat hole, On Access scanners exhibit some of the same behaviors that malware does. So the heuristic abilities of these scanners will have them flagging and attacking each other for suspicious behavior. This is also a distraction and the end result is less security instead of more.
My question to you would be, why would you want to run more than one AV? Do you think that makes you doubly protected? It has been my experience that it doesn't. I get that experience from years of working these forums, including working or reviewing HijackThis and other diagnostic logs that show a small snapshot of what is running on a person's system--plus I have tried out most free AV's and Firewalls along with a couple of commercial AV's. And I have seen the recommendation against more than one from the AV vendors and Microsoft that Quietman7 has linked you to in that other thread.
You aren't the first person to think you are being smart by having more than one AV. I do understand to an extent why some will reach that conclusion. No one AV is going to catch everything--there is just too much out there now for definitions to keep up with. So getting a second opinion is not only a good idea, it is encouraged--you just don't need to install two AV's to do that. There are several online AV scanners that you can easily remove the parts of when they are done--obviously these are On Demand only. Here are just a couple--the first is diagnostic only, the second can also remove found threats:
Kaspersky Online Scanner
Trend Micro's HouseCall

And supplement your AV scans with a few anti-malware programs like SuperAntiSpyware and MBAM. Granted these are not On Access scanners, but they should give some peace of mind if you suspect that yours has failed. It's my considered opinion that you should trust your one AV On Access scanner to do its job the best it can, and that job is only one part of an overall security strategy. If you think having two AV's and firewalls has you covered so that you can "set it and forget it" then you have decreased your security because you are now wholly dependent on those programs and will be caught with your pants down when they fail.
The biggest threat to security is your own behavior. Knowing best surfing and computing practices and being ever vigilant will protect you much more than any bit of programming code. Combine computing code with your acquired knowledge and you will achieve a much higher risk reduction. I know you already know much of this, but as a starting point, read the pinned topics in this forum, especially the ones by harrywaldron and this one: http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/
I would put much more emphasis on keeping Windows up to date as well as commonly used third party software and plugins such as Adobe Reader, Flash and Java as well as your browsers. A great deal of threats get past AV protection by exploiting unpatched holes in Windows and these programs.
Otherwise, combine good behavior with one AV, one firewall and perhaps a HIPS like WinPatrol--altho most third party firewalls include HIPS as well--and you will be very well protected.
One last point on the new question. What do you hope to accomplish having more than one firewall? In basic terms a firewall just closes/blocks open ports and stealths them so no potential attacker knows they are there. If a port is already closed and stealthed, what good is a second firewall going to do you?
Now I have brought all this up to make one simple point. Your scenarios of a fake GMER being substituted at the legit website as a possible Entry Point show that you are worried about a betrayal of trust from an entity that you would expect to trust the most--a sort of blue-light rapist. That is certainly possible, but it only holds water if the program you are worried about is a protection program such as an AV with an On Access scanner. In the case of GMER and similar programs, it doesn't hold water because it isn't a protection program--no On Access scanner so no trust to betray in the first place.
And, as I have been trying to convey to you, GMER won't be used as a lure to an entry point, because it is a tool used for removal of what has already gained entry. When most people have a need for GMER they are already past the point of worrying about malware getting in--they are lured by GMER's purpose--to find and remove any rootkits that may be present.
And thirdly, code signing has very little weight for any freeware. When you don't pay anything then you don't have to worry about getting what you paid for from who you pay it to. Because no money changes hands, no general malware is going to bother with a Blue Light Rapist scenario.
So to conclude this, you are correct that there are some very nasty threats out there to worry about. I hope you can see now that you have one less thing to worry about. You should trust the people who make tools that find and remove malware. I hope you are not like the rare individuals we come across that distrust the very people who are trying to help them. I hope you will trust me when I tell you that you can trust GMER and similar removal aids. I know what to trust after years of dealing with real people, and if you couldn't trust GMER--which is both the name of the program and the screen name of the person who coded it--it wouldn't now be part of BC's Preparation Guide. <--Please read this link instead of telling me you will read it later.
Please don't misunderstand, I am all for checking credentials and verification so I think you are being well served by checking the certificates of code, but only for code where that security measure applies, which would be commercial applications that you will be paying for. A blue light rapist scenario is almost reasonable for something like Norton AV/Norton Internet Security, or any other well known security suite. But as I've already explained, this is not likely to happen at all when you deal with the official website--any hacking into a website will be very temporary and not worth the malware author's effort. That is more of a paranoid fantasy akin to believing that AV vendors and malware authors are in cahoots.
What does happen along these lines is people will crack the license of legit popular AV's--let's use Norton as an example because I've seen it happen with them. They then make the cracked software or keygen available to download--often thru a P2P file sharing network like Limewire--for free or much cheaper than the legit version, but it includes a trojan--there is your entry point.
And one last general point that is a bit of an aside: Microsoft has released a security advisory for SSL/TLS because it found a vulnerability that is as yet unpatched. MS says this vulnerability is not being exploited that they know of and doesn't appear to be very severe. As I understand it, encryption is not affected so encrypted info is safe, but it affects negotiation/identity verification. So don't be ultimately dependent on this technology.
Also note this toward the end of the article:
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
The MAPP page is here: http://www.microsoft.com/security/msrc/col...pppartners.aspx
So there is another way to determine who you can trust--I suspect all products from these companies are digitally signed (also notice there are no "partners" that offer freeware only products). On the other hand these would be candidates for a blue light rapist scenario.
The only thing I want to get from signing is a confirmation that I got something from GMER for example. I understand that if GMER themselves decided to put a malware in their software (on purpose or maybe by being infected), that I would then still be infected.
I've gone over why the website attack won't be effective ad nauseam so no need to continue with that--I want you to know that you can trust that GMER will not ever intentionally infect his own removal program. I know there are exceptions to every rule so never say never, but this kind of thing just doesn't happen in the malware removal community that has developed over the years at sites like BC. It is a tight-knit community and takes a special breed of individual to volunteer to rid folks of nastiness on their computers--all for little or no compensation other than thank yous. This breed of people just doesn't go over to the dark side like that.
I can understand some distrust from people on the outside looking in. Try to look at it from the perspective of those of us on the inside looking out. This is analogous to an episode in golfing history where a security person would not allow Tiger Woods onto the course because he didn't have his credentials. To us GMER is like Tiger Woods--we have watched him for years and know who and what he is.
I also understand that a lot of attacks are done via social networks and I am not using signing for that protection.
First, I have not mentioned social networks at all, so you may be confusing social engineering with social networking. Tho somewhat related they are two entirely different things. Social networks in a strict sense are sites like Facebook and Twitter, just to mention a very few, where people connect to interact with each other. In a loose sense, forums like BC are social networks and actually the entire internet could be considered a social network--you can be social with anyone in the world.
Social engineering is a technique used by malware authors to trick you into allowing an entry point into your system. Phishing emails are social engineering but I think the best example is the old technique of sending an email or IM message with a link to pictures of a naked Anna Kournikova--most men, especially young ones, are puerile enough to open the file/website that infects their system even when they may know better and some will tell their On Access scanner to take a hike when it warns them against what they are about to do.
Even if you meant to say social engineering instead of social networking, this is something you should be worried about as social engineering is the primary way general malware gains entry points. And the best protection against this is the good use of your gray matter.
Regarding your comment that many people use unsigned software as long as it solves the problem, I can only say that I am more worried about attacks that I cannot identify as a problem then the ones I can. In other words, the most damaging kind of attack is the one you never find on your computer but the one that sends you banking passwords to the hackers. So once it hits, all you will know is that your money got withdrawn from a bank. You may not even know whether this was due to malware on your computer, or some other way of hackers getting into your account.
I think you mean the most dangerous kind of malware you will never find on your computer--instead of the most damaging kind of attack. What you are describing is a truly stealthed attack and you are entirely correct that they are pretty scary. Password stealing and general information stealing malware, which is also known as surveillance software--which is the ultimate spyware--include components known as keyloggers, as well as routines that will take screenshots and anything else you can think of that will yield the desired information. Using a rootkit to hide the keylogger and other information stealing components makes it a stealthed attack. If that was all the malware did it would be truly stealthed. In the case of generalised malware, they get greedy and include other money making components whose symptoms give them away, such as pop up ads and pay per click schemes that redirect to certain search engines.
A targeted attack is more likely to be truly stealthed. In fact that is what keyloggers were originally designed to do. They have been around for a long time, typically installed by jealous spouses to spy on their significant other or by office managers to make sure employees are following company policy on company owned computers. So of course they are more effective if the person being spied on doesn't know they are present. And like many other programs they can also be used by those with malicious intent. Both by generalized malware that may give itself away or by a "hacker" that has targeted you personally--just like a spouse targets their significant other.
So yes, a keylogger hidden by a rootkit is scary. That is why, if you were in the shoes of those who have been hit by one, you wouldn't worry about checking the certificates of GMER--you just want it to find that rootkit so you can get that bully off you--only then can you begin the process of rebuilding your credit or reporting the potential loss of identity to the proper authorities. For one thing GMER will reveal more than one of the signed apps you mentioned--F-Secure's Blacklight. When Blacklight first came out we used to use it a lot to help others--now we use GMER because it is a better ARK. Same thing with Sysinternals' RootkitRevealer.
So your statement is very ironic--it is like saying you don't care about your neighbor's house being broken into, you are just worried about the police investigating it breaking into your house.
As far as not knowing, with computers, you can find the keyloggers and rootkits and whatever if you look hard enough and know what you are doing. However, it can be like searching for a needle in a haystack--not impossible, but very difficult. But you are correct that, when you have suffered having your bank account cleaned out, that could have happened many ways besides online banking. I believe waiters that take your credit card and keep the number are still more dangerous than that information being lost to generalized keyloggers. The waiter may use the stolen info immediately for their own gain. Generalized malware that steals such information is mostly automated (read up on BotNets and how they work) and builds an inventory that gets sold to someone else on underground IRC chat channels. That stolen info may have gone stale (you change your credit card number) or just simply doesn't get sold at all--this you won't ever know about if you ever get that kind of malware on your system.
To use your own example, that pcbutts1 guy could have embedded a silent password-stealer into the legit software and the signature would be the only way to know you got the wrong file.
He could have but he didn't--as far as I know the removal tool worked as well as one downloaded from the official site. He could have charged for the tool, but he didn't do that either. His motivation is purely driven by ego--stealing a reputation that he didn't earn. The point is that it is incorrect to say the only way to tell is to check the code signing--if you get the tool from the official site that is recommended by reputable people, then there is nothing to worry about.
This is also why if I were a hacker I would have redirected you to real GMER site - so you would NOT be able to realize you are on some suspicious chinese site. You see my point?
No, because if you were a hacker you would be broke. It would be like a burglar looking to break into a house that has already been broken into and cleaned out--leaving you with nothing but perhaps a few dregs. Plus if I were on the official GMER site then I wouldn't be on a suspicious Chinese site. Again, it's begging the question and missing my point that website security is much more dynamic and so safer and more efficient than code signing.
The goal of the hacker who is really after money is to make sure everything looks and in fact IS as legitimate as possible with one small silent never-noticeable password-stealer, preferably the one that can even remove itself from the system once it gets the goods...
You have a valid point that so far we don't know about such attacks much. But from my readings we are well on the way to that kind of world.
Again I believe you are focused on one type of attack, a targeted attack from a human being behind a keyboard. Cyber Criminals have more goals than just to make money and those wanting to make money can do it in ways other than stealing banking information. You should really look up backdoors and botnets. Once there is a backdoor on your system a hacker or bot can do anything on the computer that you can do--as if they were sitting behind the keyboard. A bot will start downloading and installing the information stealing applications that I have mentioned, install a mailer daemon to start sending out spam to all your address book contacts, cause your browser to redirect to pay per click search sites, install an engine so that you suffer from massive pop ups, and various other goals, including holding your files for ransom that I mentioned earlier. This is not to even mention the most common attack now, which is to install a fake security program that tries to fool you into believing you are infected and must pay to remove it. How is this not really being after money? Some automated attacks do limit themselves to stealing passwords, but not to banking accounts. In MMORPG games like World of Warcraft and Lineage, people earn virtual gold and goods by performing certain tasks and achieving certain goals. Some malware authors, mostly out of China, have found out that some people will pay real money for those virtual goods (it's called cheating) and so the bots they design just steal the passwords to a player's MMORPG game account so that they can steal the virtual goods and sell them on the black market. So the goals and ways to make money are many and varied--and there is nothing stopping an individual hacker from using these tools and methods to target you personally.

Even if there is an individual hacker targeting you, they may have goals other than making money. It's not unheard of for hackers to use the storage space on your hard drive to store files that could be used as evidence against them, such as a bookie--if they get arrested their computers get confiscated.
I'm puzzled why you think we don't know much about such attacks--and that you concede to me a "valid" point I never made. The kind of attack you mention has happened before and will happen again. What you describe is much like a cat burglary--you don't realize a cat burglar has been there til what was stolen comes up missing. But that doesn't mean we don't know what a cat burglary itself is. And we are not headed to this kind of world, it is already here. We just have to protect ourselves to the best of our ability thru risk reduction.
With all due respect, I think you might also be biased towards the more traditional attacks that you have seen over years and on this kind of forums - but those people that get attacked in the way I described don't need a cleaning software - they are well beyond that point. If you ever find the kind of attack I mentioned, you would not be cleaning your computer - you would be reinstalling from scratch and hoping the bank would give you some of your stolen money back.
I'm not sure what you mean by "traditional" attacks, but it seems obvious to me that you have been grossly misinformed about what goes on in the malware removal forum. The forums were initiated because of a need for dealing with new attacks. Anti-virus and anti-malware either weren't dealing with them because there were so new that definitions had not come out or because completely automated removal is dangerous and needs a human to ensure the safest procedure possible. Cutting edge malware often gets discovered here first and removal procedures get developed here before they become common elsewhere. So any traditions and conventions are developed over time thru trial and error.
As far as not needing a removal tool for your attack scenario, you actually have a valid point, but let me clarify it for you.
Any time you have been backdoored is a very serious issue--your computer's security has been completely compromised. It doesn't matter what the goal of the attacker was or if it was completely stealthed. Just the fact that the attacker has complete control over your system and the possibility that your sensitive info is in the hands of cyber criminals is a serious matter if you engage in online banking and other financial transactions. Rootkits themselves are usually an indication of a backdoor situation, but any time we discover that someone has been backdoored, we strongly suggest that they do a reformat. As already mentioned, we may be able to find and remove the rootkit and most of the infection but there may be parts left behind that mean it is still compromised, so it is very difficult to find and remove it all. This is a decision that a computer user must make themselves tho. Many will choose to try removal instead, some because they don't do financial transactions on their computer--perhaps it's dedicated to gaming or something else.
And as you mentioned, it's possible the remote access program has been deleted and the hacker has left your computer and all evidence it had been there--just like a cat burglar. If that were the case what good would reformatting do? Still I believe it is better not to take the chance that it will happen again--the sooner you quit fooling around with it and get your computer back to normal, the sooner you can begin the process of recovery from Identity Theft and its effect on your credit rating.
In my opinion, with some of the serious malware that is out there now, I would still go with a reformat even without a situation where online banking is involved. Not only does the more automated malware not clean up after itself, it leaves a big mess behind--changed permissions, orphaned reg entries, stray files, damaged Windows utilities like Task Manager, regedit, etc., and crippled if not completely killed antivirus and other security programs. Repairing all the damage can be more of a hassle than a reformat, tho neither is very much fun.
So in conclusion, take counsel of your fears; that's how you learn to protect yourself from all the nasty stuff that is out there. Worrying doesn't do you any good if you don't do anything to prevent what you are worrying about from happening. And try not to find other things to worry about that aren't necessary--we all have enough to worry about as it is.
Edited by Papakid, 14 February 2010 - 11:23 AM.
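As an added example that is not part of the original post, the GMER project, or BleepingComputer's guides, here is what the "did I get the authentic file?" check that runs through this whole thread looks like when you actually do it on Windows. It uses only built-in PowerShell cmdlets: Get-AuthenticodeSignature for the code-signing question, Get-FileHash for comparing against a hash the official site publishes, and the Zone.Identifier stream that browsers attach to downloads. The file path and the expected hash are placeholders (assumed, not values from the page); whether a given vendor publishes a hash at all is also an assumption you have to confirm on their official site. The point the code makes is the same one the post makes in prose: for unsigned freeware the signature check simply returns NotSigned, which tells you nothing either way, so the hash published over HTTPS by the official site is the check that actually applies.

```powershell
# Added example, not code from the original post or from the GMER project.
# Assumptions: $Path and $ExpectedSha256 are placeholders; the expected hash must come
# from the vendor's official (HTTPS) download page, and not every vendor publishes one.

function Test-DownloadedFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSha256   # optional: hash published by the official site
    )

    $result = [ordered]@{
        Path                   = $Path
        SignatureStatus        = $null   # Valid / NotSigned / HashMismatch / ...
        Signer                 = $null
        Sha256                 = $null
        HashMatches            = $null   # $null when no expected hash was supplied
        DownloadedFromInternet = $null
    }

    # 1. Authenticode check. For unsigned freeware this reports 'NotSigned', which is
    #    exactly the case the thread is about: absence of a signature is not evidence of
    #    tampering, it only means this particular check tells you nothing.
    #    'HashMismatch' on a file that SHOULD be signed is the result worth acting on.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = $sig.Status.ToString()
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
    }

    # 2. Hash check against the value the vendor publishes. This works for unsigned
    #    software too, as long as the publisher posts a hash on the official site.
    $result.Sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($ExpectedSha256) {
        $result.HashMatches = ($result.Sha256 -ieq $ExpectedSha256.Trim())
    }

    # 3. Mark-of-the-web: browsers attach a Zone.Identifier alternate data stream to
    #    downloaded files. Its presence confirms the file came in as a download, which
    #    is also what makes SmartScreen and the On Access scanner treat it as untrusted.
    $motw = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $result.DownloadedFromInternet = [bool] $motw

    return [pscustomobject] $result
}

# Usage with placeholder values (replace with your own path and the vendor's hash):
# Test-DownloadedFile -Path 'C:\Downloads\tool.exe' -ExpectedSha256 '<hash from official site>'
```

Read the output the way the post argues: a Valid signature with the expected publisher settles the question for commercial software; NotSigned on a freeware tool is the normal state and neither confirms nor refutes anything; and HashMatches is the one field that applies regardless of signing, provided the expected value was copied from the official site rather than from the same place the file came from.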