Quick question


9 replies to this topic

#1 Learning123

  • Members
  • 26 posts

Posted 25 January 2010 - 09:59 PM

Dear Experts,

I apologize if this is the wrong forum or if I did not find an obvious answer...

I normally try to get some indication that I downloaded a trustworthy executable for an anti-malware program that I want to run. Normally, I do this by making sure the signature under the file's "Digital Signatures" tab tells me "Digital Signature is OK".

I'd like to run the Gmer anti-rootkit tool, but its download does not contain such a signature. This means that if I have some malware, or if I am under a man-in-the-middle attack that I may not know about, it might have redirected me to a file which in itself could be an even worse malware...

What's the correct way to ensure my gmer.exe is the right one? (BTW, the copy on download.cnet.com has different size and is also unsigned.)

Thank you for your help!

Please note that this is both a general question on how to authenticate validity of such software AND a specific question with regards to gmer.

Edited by Orange Blossom, 25 January 2010 - 10:08 PM.
Move to AV forum. ~ OB




#2 Papakid

    Guru at being a Newbie
  • Malware Response Team
  • 6,628 posts

Posted 26 January 2010 - 01:28 PM

You can always trust the download from GMER's official website.
http://www.gmer.net/

I can understand why you might think checking digital signatures would be the way to go, but that really doesn't work. It is a good idea that is just not practical and I don't think it will ever leave the theoretic stage. Some adware and borderline adware-spyware can obtain digital signatures, although the really evil malware probably won't. But there are many small(ish) utilities, especially among the manual malware detection and removal tools, that won't get digitally signed. For the most part, the authors of such tools simply don't have the time to bother with it.

(BTW, the copy on download.cnet.com has different size and is also unsigned.)

A different size than what--or from where? I'll assume you mean from GMER's official site. Download.cnet.com doesn't have the latest version available, the GMER site does--that should explain the difference. It's also another reason to always use the official homesite of such programs. The malware removal arena is very volatile and dynamic, so the tools used are constantly updated--some daily or even more than once a day. You will always get the latest version at official sites and download links. Otherwise you can trust the downloads from reputable download sites like cnet, softpedia, filehippo, etc.

What you have to watch out for are links from email, Instant Messaging/irc, programs bundled with other programs, etc. Also using links from search results can often be dangerous, especially if you use the sponsored links/ads.

I know this is not very reassuring and doesn't really answer the question of how to know where to download safe files--how can you be sure it's the official site or reputable? It would be nice if there was a list of official sites somewhere, but there isn't that I know of (I may get around to putting one up one day), so the only answer is to do as you have done--ask someone who has knowledge in the security field. Any time a malware removal specialist in this forum posts a link to a tool, you can trust it is legitimate. Otherwise you just have to use some common sense--if a site "feels" dodgy, then it probably is.

Now, my question to you is--do you know how to use GMER, and that not everything it lists is a rootkit? GMER is a very powerful tool and can be dangerous if you don't know how to use it. In general, use of GMER is best left to having someone who has some training and knowledge in its use assist you; please ask if you have any questions at all. There are other, more user-friendly anti-rootkits out there.

The thing about people

is they change

when they walk away.--Mipso


#3 Learning123

  • Topic Starter
  • Members
  • 26 posts

Posted 26 January 2010 - 11:08 PM

I really appreciate your response Papakid! I guess my main issue is that while I can and in fact did go to http://www.gmer.net/ to get the latest copy, how can I be sure that there is not someone in the middle (either a malware on my computer, or somewhere else "in the middle") redirecting me to the site but supplying its own download?

As you suspected, when I said download.cnet.com has different size, it's different from the download at the official site (if I trust it of course :-) ). I agree that most likely it's because of different versions.

I did run some other anti-rootkit tools so far, including: BlackLight (from F-Secure), which did not find anything, Microsoft's Rootkit Revealer, and McAfee Rootkit Detective. I realize there could be false positives out there. In fact McAfee and Microsoft both gave me what I hope are false positives that I will list at the end of this note. (I think they are FPs since I googled many of these, except the McAfee one includes some without enough details to google them, but their site has a general disclaimer: "This tool will detect many IAT/EAT hooks and SSDT hooks of legitimate applications.")

I am not sure why you are saying digital signatures do not work. I thought they were the same as the little lock icon for https connections, where I can click and check the certificates of the trusted site - same kind of principle should work for these digital signatures. If spyware can spoof these signatures (and https certificates for valid sites??), then indeed they are kind of useless, but my understanding is they would have to crack encryption algorithms first... ? I understand that smaller utilities may not bother with this, but I try to run only well-known enough professional software which has these signatures in place - I could be wrong though to give this much weight if it's not much of a protection.

Also, please note that the other 3 anti-rootkit tools ALL use valid digital signatures. (I am just surprised respectable software would be using them if they are not useful enough.)

Which other anti-rootkits would you suggest? Especially if there are some without many FPs! I have a longer list I can pick from based on reading various sites - I just tried to pick the most "well-known" ones I guess, but in the end you are the expert, not me :-)

Again thank you for the response! I appreciate any input from the experts!

Here are the problems I got from the other anti-rootkit tools. If they look like real threats, please let me know!

Microsoft Rootkit Revealer:

HKLM\SECURITY\Policy\Secrets\SAC* 11/6/2009 12:18 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 11/6/2009 12:18 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\szLastScanned 1/24/2010 7:19 PM 80 bytes Windows API length not consistent with raw hive data.
HKLM\SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\dwFilesScanned 1/24/2010 7:19 PM 4 bytes Data mismatch between Windows API and raw hive data.
C:\System Volume Information\_restore{818636AC-AE85-4D02-A293-C2F21933EF0E}\RP113\A0019905.RDB 1/24/2010 7:05 PM 1.65 MB Hidden from Windows API.
C:\System Volume Information\_restore{818636AC-AE85-4D02-A293-C2F21933EF0E}\RP113\A0019906.RDB 1/24/2010 7:20 PM 1.65 MB Hidden from Windows API.

McAfee Rootkit Detector:

Object-Type: SSDT-hook
Object-Name: ZwConnectPort
Object-Path: C:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateFile
Object-Path: C:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateKey
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwCreatePort
Object-Path: C:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateProcess
Object-Path: C:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateProcessEx
Object-Path: C:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateSection
Object-Path: C:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateThread
Object-Path: C:\WINDOWS\system32\drivers\FireTDI.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateWaitablePort
Object-Path: C:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwDeleteFile
Object-Path: C:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwDeleteKey
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwDeleteValueKey
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwDuplicateObject
Object-Path: C:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwLoadKey2
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwLoadKey
Object-Path: C:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwOpenFile
Object-Path: C:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwOpenProcess
Object-Path: C:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwOpenThread
Object-Path: C:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwRenameKey
Object-Path: C:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwReplaceKey
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwRequestWaitReplyPort
Object-Path: C:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwRestoreKey
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwSecureConnectPort
Object-Path: C:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwSetInformationFile
Object-Path: C:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwSetSystemInformation
Object-Path: C:\WINDOWS\system32\drivers\dsload.sys

Object-Type: SSDT-hook
Object-Name: ZwSetValueKey
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwSystemDebugControl
Object-Path: C:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwTerminateProcess
Object-Path: C:\WINDOWS\system32\vsdatant.sys

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_CLEANUP
Object-Path: \SystemRoot\System32\vsdatant.sys

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_INTERNAL_DEVICE_CONTROL
Object-Path: \SystemRoot\System32\vsdatant.sys

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_DEVICE_CONTROL
Object-Path: \SystemRoot\System32\vsdatant.sys

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_CLOSE
Object-Path: \SystemRoot\System32\vsdatant.sys

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_CREATE
Object-Path: \SystemRoot\System32\vsdatant.sys

Object-Type: IAT/EAT-hook
PID: 636
Details: Export : Function : kernel32.dll!LoadLibraryW => 01AD0000 + 0x4
Object-Path: 01AD0000 + 0x4
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 636
Details: Export : Function : kernel32.dll!LoadLibraryA => 01AB0000 + 0x4
Object-Path: 01AB0000 + 0x4
Status: Hooked

Object-Type: IAT/EAT-hook
PID: 636
Details: Export : Function : WININET.dll!InternetReadFile => 019D0000 + 0x4
Object-Path: 019D0000 + 0x4
Status: Hooked

#4 Papakid

    Guru at being a Newbie
  • Malware Response Team
  • 6,628 posts

Posted 27 January 2010 - 10:31 PM

Well, perhaps I am the wrong person to be answering your question. To check the accuracy of what I've told you so far I have done a bit of research that tells me you must be running Vista or higher. Because I run XP and am not familiar with digital signatures as it relates to authenticating applications--as I understand it, that is a feature that begins with Vista and higher, and some of that is limited to 64 bit editions of those operating systems.

So some of what I've told you may be inaccurate and some of what I am about to say may sound sarcastic but I don't mean it to be. I don't do coding/programming with the exception of some very simple batch and reg files. I had heard people that do do coding mention something to the effect that some efforts to vet software aren't very effective when all one has to do is pay a fee or fill out an application. I believe there must be more to it than that so you may get a better answer from someone else. Even so I still think digital signing is not nearly as effective as you want it to be. Even the authentication of 64 bit systems can apparently be defeated--scroll down to the Vista Kernel Protection portion of this article:
http://www.viruslist.com/en/analysis?pubid=204791916

All I can tell you is, using XP, I've downloaded and installed countless programs and utility files. After about six years of working Malware Removal forums I've seen many smallish removal and diagnostic tools designed pretty much on the fly by some pretty brilliant people. Those tools work well and most aren't signed--I know where to get the files and don't need someone else telling me who to trust. So I have no problem with not checking signatures.

Also, I could be wrong, but I think the comparison to https/SSL is a bit of an apples to oranges kind of thing. SSL is mostly used for protecting sensitive information such as credit card and bank account numbers. That information is encrypted to prevent phishing attempts to obtain that data and other types of financial fraud. What would anyone be phishing for during a software download, especially considering that it is freeware?

What this brings to my mind, and is more comparable, would explain why those other antirootkit apps were digitally signed. Those are large companies that have products for sale. GMER is a one man show that offers its software for no charge. It is a bit comparable to how, when EV SSL first came out, it was considered more beneficial to the big guys rather than the small online business owner: http://online.wsj.com/public/article/SB116...ml?mod=rss_free

I also perhaps should have waited for an expert to answer your topic, as I don't like to use that word to refer to myself. People often have unrealistic expectations of experts. I do have some expertise but I don't know everything, and I've now found out I don't know enough about digital signing of applications. I've also been semi-retired from malware removal for a year or so and so am not fully up to speed on the latest--and never was much good with rootkits, although I am in the process of rectifying that. Those are my weaknesses. My strengths are that I use good reasoning and will share what I do know. As an example:

how can I be sure that there is not someone in the middle (either a malware on my computer, or somewhere else "in the midde") redirecting me to the site but supplying it's own download?

Why would malware want to do that?

If you have already been backdoored, malware would have complete control over your system and could download anything it wants to from anywhere it wants to.

Why would it send you to the legitimate site when all that is there is the authentic software? Rootkit based malware doesn't want you to install GMER--in reality it protects itself by attacking GMER in other ways. It may prevent you from going to the legit site by altering your HOSTS file, or alter your operating system in such a way that GMER won't install or won't run. Or do a denial of service attack on the site so that it is inaccessible.

Malware would have no interest or time to play mind games with you by substituting a fake application for the real one--some script kiddies might, but I wouldn't worry about them too much. Malware authors are in it for the money, so the rootkit already on your system is sucking it dry and they will move on to other systems instead of taking the time to develop a fake GMER whose only purpose would be to mess with your head--time is money.

Even if they did want to use a fake GMER, they would just get it from their own servers, not the legit site. Even if the GMER site would be hijacked--which isn't likely for the site of a security professional--you would probably know it by the symptoms of more malware being installed--not a fake GMER.

Bottom line is that I trust the downloads from the places I have mentioned in my previous post. If you choose not to trust them that is your choice, but you're restricting yourself in an area that should remain flexible, in my opinion. There is still no 100% guarantee--security is a matter of risk reduction, not risk elimination.

As far as your rootkit logs, the purpose of my question to you was: do you know how to interpret them? You saying that there could be false positives indicates to me that you may not, although it is somewhat hard to tell. You have to be very careful with the diagnostic logs. Any anti-rootkit (ARK) may flag some entries as rootkits, but those should probably be called suspected rootkits. I think of false positives in the strictest sense of the phrase, i.e., that a test has been conducted against the file or entry against definitions of what constitutes identifying the malware. The test results say they have positively identified the subject as malware when in fact the identity of the subject is legitimate--in other words it has been misidentified. So a false positive in the strictest sense would only emanate from a program that includes definition files that need constant updating, such as what your antivirus uses. Most ARKs don't do this, so I have a hard time thinking of any of the results as false positives.

Where many run into trouble is that some don't understand that diagnostic logs dump data from certain areas of the registry and system and leave it up to you to interpret what is legit and what isn't--you conduct your own tests. These are neither positives nor false positives. Some people don't understand this and think everything listed is bad and that they are terribly infected. Acting on that supposition leaves them with a funny looking boat anchor. I've seen it happen with other diagnostic programs like HijackThis that also have the ability to "fix" entries.

Even trying to determine what is and isn't legit can be very tricky. In general, you can research the files that show up--usually *.sys files, since many rootkits are just driver files that run as a service. Some may look like legit files that aren't or look like suspicious files but are legit. Also, as in your log, the embedded nulls are suspicious but may turn out to be nothing to be concerned about.

So it is best if you don't have experience in dealing with rootkits to have someone assist you. If you suspect you have a rootkit infection I would strongly urge you to turn your system over to malware removal specialists by following the relevant instructions in this topic:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

GMER and a battery of tests using other tools (most all unsigned) are often used to get to the bottom of any rootkit and malware issues. Based on your embedded nulls I would suggest you do this. I am not comfortable interpreting GMER logs yet, and this topic and subforum are not the place to post such logs. We can discuss security programs themselves, not practice malware removal.

If you are just running GMER and other ARK because you are curious and want to learn about them that is more than fine too. I would still suggest you talk this over with some knowledgeable friends and acquaintances if any are available. I just want you to be careful.

There is a lot of info out there on the web. I am using the following topic--and following all related links--as a starting point to train myself about rootkits and ARKs:
http://forum.sysinternals.com/forum_posts.asp?TID=21266

There is a good bit of mention there and at Wilders of an ARK called RADIX that looks more user friendly than GMER, but I haven't tested it yet and can't give it a recommendation as of yet.

If you post your log in the malware removal forum, this topic will be closed until the process is completed. If that happens and you want to discuss this further after cleanup, ask a moderator to reopen this topic.

Or if you want to go it on your own or just want to discuss this more--with someone more expert with rootkits--don't post your log in malware removal.

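Papakid's advice above (research each file that shows up, usually the *.sys drivers, and treat entries the tool could not attribute to a module as needing manual follow-up) can be applied mechanically to the McAfee Rootkit Detective log Learning123 posted. This is an added example, not code from the thread or from McAfee; it assumes the log format shown above (blank-line separated "Key: value" records) and runs on a constructed excerpt of that log. It deliberately does not judge any driver as good or bad, it only groups and flags.

```python
import re
from collections import defaultdict

# Constructed sample input: a short excerpt in the format of the McAfee
# Rootkit Detective log posted earlier in this thread.
SAMPLE_LOG = """\
Object-Type: SSDT-hook
Object-Name: ZwCreateFile
Object-Path: C:\\WINDOWS\\system32\\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateKey
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwCreateThread
Object-Path: C:\\WINDOWS\\system32\\drivers\\FireTDI.sys

Object-Type: IRP-hook
Object-Name: \\Driver\\Tcpip->IRP_MJ_CREATE
Object-Path: \\SystemRoot\\System32\\vsdatant.sys

Object-Type: IAT/EAT-hook
PID: 636
Details: Export : Function : kernel32.dll!LoadLibraryW => 01AD0000 + 0x4
Object-Path: 01AD0000 + 0x4
Status: Hooked
"""

# An Object-Path that is just a 32-bit address (optionally "+ offset") means the
# hook points into a memory region with no file on disk behind it.
ADDRESS_ONLY = re.compile(r"^[0-9A-Fa-f]{8}(\s*\+\s*0x[0-9A-Fa-f]+)?$")


def parse_rkd_log(text):
    """Split the log into records: blank lines separate records, each line is 'Key: value'."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")  # first colon only; values contain colons
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def module_name(path):
    """Basename of a Windows path, lower-cased, so the same driver groups together
    whether it was reported under C:\\WINDOWS\\... or \\SystemRoot\\..."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(records):
    """Group hooks by the driver that owns them (research each file once) and
    separate out hooks with no backing module, which need manual follow-up."""
    by_module = defaultdict(list)
    unbacked = []
    for rec in records:
        kind = rec.get("Object-Type", "?")
        path = rec.get("Object-Path", "")
        target = rec.get("Object-Name") or rec.get("Details", "")
        if path == "(NULL)" or ADDRESS_ONLY.match(path):
            unbacked.append({"type": kind, "target": target,
                             "path": path, "pid": rec.get("PID")})
        else:
            by_module[module_name(path)].append((kind, target))
    return {"by_module": dict(by_module), "unbacked": unbacked}


def summarize(result):
    """Human-readable triage report."""
    lines = ["Hooks grouped by owning module (research each file once):"]
    for mod, hooks in sorted(result["by_module"].items()):
        kinds = ", ".join(sorted({k for k, _ in hooks}))
        lines.append(f"  {mod}: {len(hooks)} hook(s) [{kinds}]")
    lines.append("Hooks with no backing module (manual follow-up):")
    for h in result["unbacked"]:
        pid = f" pid={h['pid']}" if h["pid"] else ""
        lines.append(f"  {h['type']}{pid}: {h['target']} -> {h['path']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(triage(parse_rkd_log(SAMPLE_LOG))))
```

Feed it the full log instead of the excerpt and every hook owned by one driver collapses to a single line to look up, while the (NULL) SSDT entries and the address-only IAT hooks are listed separately.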


#5 Learning123

  • Topic Starter
  • Members
  • 26 posts

Posted 28 January 2010 - 01:31 AM

Hi Papakid! Thanks for the reply again. I will go over some of the links you posted when I have more of a chance. For now I just wanted to quickly comment on some of your questions:

1. I am running XP Pro (SP3). You can see the digital signatures of files if you right-click on them in Windows Explorer and go to Properties. One of the tabs there will be Digital Signatures IF the file is signed. Perhaps you are not seeing this for files that are not signed, but if you download the ARKs that I mentioned, you should see the tab and the signatures. Then you can select the signature and click on Details to see the signature, Certificates, and the Certificate chain.

2. I was making an analogy to the lock icon in the browsers for https sites because it's also based on the same certificates and signed using the same technology, as far as I can see at least. Also, the article you mentioned does not talk about breaking encryption - I am sure well-known encryption mechanisms are secure given current technology, and that's what protects HTTPS and digital signature certificates.

3. Examples of why malware may want to get me confused about the downloaded files:
- say I run under a non-admin user but I have to run anti-malware software as admin. If malware has a way of making me think I got a legit anti-malware kit, it just got upgraded to admin privs
- if the attack is happening from outside my computer, this is a way of getting in - like you said, if spyware hacks into gmer.net, or its download link, it just got the perfect way of getting into all those systems where people are seeking protection
- analogously, if malware hacks into my ISP and does the redirection from there, again it gets a nice way in. Imagine you are writing spyware to steal banking info from people - what better way is there than to get into unsigned trusted anti-malware software so it runs like it normally would but then also does its own thing? Your spyware would get to disable itself right before the scan, and then re-enable itself right after. You get enough privileges. etc...

4. I figured those embedded null values in registry were fine per http://forum.sysinternals.com/forum_posts.asp?TID=12158

5. By "false positive" I only mean that it's not a real threat.

Thank you for your thoughtful and detailed response. I will come back to it later again to see if I missed anything else. I understand that this is not usually the forum for diagnosing issues. For now I am not too concerned about the items I had found but wanted to get your opinion on whether something sticks out and whether I should in fact go to the "real" forum which I am sure will involve running a bunch of other things. So I appreciate your response there.

I will look into RADIX.

Quick question: do you know how secure is following: http://www.auditmypc.com/ipsec-policy.asp ? Seems legit to me but I never heard of this site before and I would have hoped to find some similar policies in other places but can't seem to locate those. Wonder why Microsoft or other more well known security-related sites don't post some sort of "secure" policy settings that can be imported. I am probably looking in the wrong places :-(... Come to think of it I'll post this question as a new thread here.

Edited by Learning123, 28 January 2010 - 01:32 AM.


#6 Papakid

    Guru at being a Newbie
  • Malware Response Team
  • 6,628 posts

Posted 30 January 2010 - 11:49 PM

Hi Learning123,

Apologies for the late response. That is another reason I am not the best to answer your topic. You keep asking "quick" questions, which I think actually means you want quick answers, and I am notoriously slow at responding. But I thank you for your politeness and the fact that your topic has me thinking about several things, which means I am learning from it--that's always a good thing.

1. I am running XP Pro (SP3). You can see the digital signatures of files if you right-click on them in Windows Explorer and go to Properties. One of the tabs there will be Digital Signatures IF the file is signed. Perhaps you are not seeing this for files that are not signed, but if you download the ARKs that I mentioned, you should see the tab and the signatures. Then you can select the signature and click on Details to see the signature, Certificates, and the Certificate chain.

Thank you for that. As mentioned I am unfamiliar with digital signatures as it relates to applications/programs, simply because I have never utilized it--and still don't feel a need to, as I will explain later. To get a better grasp on the subject, searching for "digital signatures" was yielding information about information encryption and ensuring authorization; for example emails including sensitive information of which you want to be sure who the author is, and the sending of sensitive financial data over https/SSL. Now that I've found a digitally signed application on my computer, I see that a better search term is "code signing". Now I can review the basics of this subject by referring to the following documentation, which I suggest anyone else interested in the subject should read: http://msdn.microsoft.com/en-us/library/ms...28VS.85%29.aspx

2. I was making an analogy to the lock icon in the browsers for https sites because it's also based on the same certificates and signed using the same technology, as far as I can see at least. Also, the article you mentioned does not talk about breaking encryption - I am sure well-known encryption mechanisms are secure given current technology, and that's what protects HTTPS and digital signature certificates.

First, that is more of a comparison instead of an analogy. Second, I never said anything about breaking of encryption or that you should distrust the encryption technology of certificates--but you are correct that we are talking about the same type of authentication technology that involves encryption. The whole question is can you trust the download of GMER from its official site--and by extension, other unsigned security software. It seems you're saying that, because of a lack of code signing, you can't trust it--then we've been getting into what it is that you don't trust, instead of the why. I'm saying you can trust downloads I described earlier 99.9% of the time, even if they are unsigned.

I have been downloading and installing unsigned software for years with no problem and prefer to use my own criteria for who I can trust. Encryption has nothing to do with it. When I find security software--and most any software--I can trust, I use bookmarks to go to the site. As long as I stay uninfected that works pretty well. If something on the site doesn't look or feel right I check the domain name and the rest of the URL. If it is the exact domain name for the site I want to visit, then I trust that most of the time I am going to get the authentic software from that site--the URL could be spoofed, but it's been my experience that most of the time it isn't. Most generalized malware infection vectors (how malware gets in) involve redirection to another domain. In the case of GMER and other freeware security tools there is no great incentive to do this since no money or sensitive information is changing hands. As mentioned earlier--SSL is very effective against phishing and other forms of financial fraud by protecting your sensitive data with encryption, but there is nothing to phish for here.

So I am more concerned about the security of the website. As mentioned earlier, in the case of GMER and other security tools, hacking into the website or making it the subject of Clickjacking is going to happen rarely and if it does it will be reported and dealt with quickly. Again there is little incentive to insert a fake GMER on the official website other than, perhaps, to embarrass, but I don't think that will happen because there is not enough return on investment of the time it would take to do so.

As far as code that has been signed is concerned, let me adjust my attitude about it to a degree. It does serve a useful purpose and has its place; I just think you give it too much weight--as you put it so well--in your decision-making process. We are talking about what to trust here, and mainly code signing could be useful in building and relying on reputations. On the other hand, it could be used to give trust in the reputation of someone who doesn't deserve it.

Let me give you some examples.

Back when the rogue anti-spyware family of malware that became known as scareware/fraudware--and that is so pervasive now--first came out, it was given the general name of Smitfraud. A talented coder and malware fighter by the name of noahdfear developed an effective removal tool--freeware of course--relatively quickly that was, for some time, the only easy way to remove that family of malware without breaking connectivity. He called the tool SmitRem, but a low-life by the name of pcbutts1 began hosting the tool on his own site and claimed it was his own code, even replacing noahdfear's name in the file, although he missed doing that in a few places. Word soon got out about this, but I suppose code signing might have helped assure people that the file was the original authentic one coming from the actual author of the code. But this episode also proves that code signing wasn't needed--for the most part, victims of malware will use the tools recommended to them and don't care that they aren't signed as long as it works and gives them some relief--the sooner the better. And malware fighters that recommend such tools know who they can trust--if they didn't write the code themselves, they may have contributed to a tool and, if nothing else, watched as it was developed in front of their eyes.

BTW, that guy is still at it--consider yourself forewarned that you can't trust anything coming from the mouth of pcbutts1 or his aliases, even though the name of one of his sites is "therealtruth", because SmitRem is not the only tool he has done this to: http://www.1-script.com/forums/PCBUTTS1-ou...le16263--13.htm

One could argue that the scareware programs themselves could be nipped in the bud if people would check their digital signatures or lack thereof. But here is where I question if code signing is completely trustworthy. How strong is the vetting of the software? Does the Certificate Authority (CA) actually test-run the software and ensure it isn't in fact malware?--I don't think it does. Bottom line, can someone with malicious intent get their software digitally signed? If so, encryption would play no role, as the CA would be giving a key to the author of the software. That is what I meant by this statement:

Some adware and borderline adware-spyware can obtain digital signatures, altho the really evil malware probably won't.


In like manner, comparing to SSL again, anyone that claims to be a legitimate business could, in theory, obtain a certificate from a CA, which would mean that https would show in the address bar and your information sent is encrypted, but the person receiving the information could well be a thief that has set up shop temporarily and will fly the coop when enough info is collected. As I understand it, this could have happened before the advent of EV SSL, but for the most part the SSL system is still pretty secure--even tho, like all things computers, vulnerabilities are found from time to time that need debugging.

Even if code signing is as stringent in its vetting as EV SSL, I still think it is more beneficial for the larger software companies. It seems to be more of an adjunct to trademark and copyright protection. It is a way to build trust in a brand--you trust the brand you buy the brand and code signing gives you some assurance you are getting what you paid for.

Perhaps--going thru my notes I found the following that you should be aware of--from a newsletter from Avira published November 26, 2009:

Know-how: Warning against fraudulent anti-virus software.

The more popular and widely recognized the product, the more often it will be illegally copied - this principle also applies to software on the Internet and thus to our virus protection solutions. We have learned that fraudsters are trying to make money from unsuspecting users with our free Avira AntiVir Personal program.

This is how it works: When users use a search engine to find our software, they may come across an ad offering an "AntiVirus 9.0 Download" or similar. It is indeed possible to download our free product from the relevant site, but unfortunately, without realizing it, users are often fooled into taking out a subscription, which is associated with a not inconsiderable cost.

Naturally we are doing all we can to prevent this abuse. However, we cannot put a complete stop to it. That's why we urge you: Keep your eyes open and do not use search engines to find an Avira download, but rather visit our website or, to get our free protection software, go to www.free-av.com - from here you can get Avira AntiVir through one of our download partners - at no charge and without risk.

Now at first glance it would appear that this scam would be prevented if the recipient would check the certificates but if that were the case why does Avira not mention that? Instead they recommend downloading from the official site--as I have done. The MS article says code signing ensures authenticity by assuring "where the code came from" but that doesn't mean it ties it to a particular website else it would no longer be a Portable Executable (PE) file--so this just means it is authentic code that "came from" Avira. Anyone can do as these scammers have done and copy the entire PE file to their own host server, no need to alter the code if all they want to do is sell what is supposed to be free. As far as I know, the entire architecture of Authenticode and digital signing was copied to the host server as well, so that checking the certificates is still possible.

To extend this a bit further, the forum software at the Oakland Raiders message board was compromised not long ago. While there I got one of those ads that look like a warning message from Windows that my system was infected and I needed AntiVir (which I already have installed on my system) to get rid of it. I'm sure they would have tried to sell it to me as that is the whole purpose of scareware. The point is that the Windows title showed the URL and it was from a Chinese domain, so I would have known from that alone that it wasn't authentic, even if I didn't have AntiVir installed.

One other point is that it seems to me that, aside from phishing attacks, man in the middle scenarios are more along the lines of targeted attacks as opposed to the more random nature of general malware attacks. Phishing is man in the middle, one purpose of which is to allow malware to gain an entry point to your system. Phishing and other malware entry point methods are looking for victims at random and those usually involve enticements of some kind, i.e., social engineering. When you are looking to test a program like GMER or it has been recommended to you so that you visit the official site there is no enticement involved.

if malware hacks into my ISP and does the redirection from there, again it gets a nice way in.

This shouldn't happen in the first place--if it does, change your ISP. If it did happen, why redirect to the official GMER site where it would have to go to the trouble of hacking into it so that it could insert a fake GMER? Much easier to redirect you to their own servers so they can infect you with whatever they want, so I don't see this as a "nice way in". In general some people worry too much about man in the middle on the ISP level. The only ones with enough resources and permission to do that are the federal government, and even they are limited to targeting individuals and organizations.

Imagine you are writing a spyware to steal banking info from people - what better way is there than to get into unsigned trusted anti-malware software so it runs like it normally would but then also does its own thing? Your spyware would get to disable itself right before the scan, and then reenable itself right after. You get enough privileges. etc...

The better way to do all that would be to do it as they are doing it now. Through enticements and being masters of social engineering. Consider this--most of the really evil malware originates in Russia and the former Soviet Union and its satellite countries. Moscow is now home to the most billionaires of all major cities in the world. Does one have anything to do with the other?--probably, in my opinion. These malware authors are doing very well for themselves using methods already established so don't particularly need another "nice way in". Plus if it were so nice they would have exploited it by now. Other evidence of how well they are doing is the fact that BC has anywhere from 200 to 800 people with logs in the malware removal forum waiting for help, plus a little over 300 topics were posted to yesterday, which is typical, and then multiply those numbers by about 20 or so boards that work malware removal that are about as big as BC--not to mention probably a few hundred smaller forums--and you will get an idea of the scope of the success of malware authors to "get in", whether it is a nice way or not. This is not to mention the people who are infected that don't ever post to forums, which I would think is a vastly larger percentage.

Malware authors know what type of people their social engineering tricks will work on so they target certain groups (so it's not completely random but randomized among the targeted groups). One is young people that haven't figured out yet just who they can trust and who they can't. In general they work on areas of computing that focus on entertainment--videos, music, some game sites, etc. Anywhere greed is involved--like gambling sites and cracks where you think you are getting expensive software for free, is going to be more lucrative--con men since way before computers will tell you that they would be broke if it weren't for the greed of their victims. Point being that the malware authors are playing the numbers and they know the numbers are good by targeting the groups that they do--targeting people who want to download GMER and other similar tools in order to gain entry is not going to give a very high number of results, so isn't worth their time.

say i run under non-admin user but I have to run anti-malware software as admin. If malware has a way of making me think i got legit anti-malware kit, it just got upgraded to admin privs

This doesn't make any sense to me--and probably won't to you if you think about it some more. Looks like circular reasoning, like a dog chasing its tail. You have to have admin privileges in order to download and install software on XP anyway--it doesn't matter what type of software it is. So I don't see how this is any more enticing than, say, having to download a codec (which is actually malware) in order to watch a new release movie before everyone else does. It all has to be done under an Admin account, so it doesn't matter that you are currently logged into a limited user account when you view the enticement. If you were logged in as limited and saw a legit program you wanted you would still have to log into an admin account or run as admin. I don't understand what you mean by "upgraded to admin privs". Your limited user account is not going to become an admin account automatically if you use run as admin--you should log into a password protected admin account to install software, or the default one in safe mode.

So in conclusion it is still my contention that does not have enough incentive to try to insert a fake GMER into its own official website because there would not be enough return on investment. And it does not make sense for a computer that is already infected to redirect you to the official site with the fake GMER--because you are already infected. And otherwise there is no good reason, and is why malware on infected computers block access to sites like GMER or block its ability to install/run. This is why programs like SUPERAntiSpyware and MBAM are coming up with alternative ways to start their programs.

Man in the middle attacks and much of what you seem to be concerned about, and using digital signatures to deal with them, are more relevant to computers in a business environment. If you are discussing things like trade secrets by email then you need to have those emails encrypted. Digital signatures are great for that. A man in the middle attack for the purpose of industrial espionage needs to target one end or the other of the email exchange in order to intercept or otherwise steal any information. Same for ecommerce sites that need the protection of SSL and the newer TLS. And so I see code signing as being more conducive to protecting brand names.

This is not to say that individuals won't benefit from all this digital signing technology, I just think it would be very little.

Now that I have written all this, I just looked at your other topic about security policies and see you are looking to secure computers for a bank. First I want to say I'm sorry you haven't received an answer for that yet but that could be because, like me, most here at BC are focused on security for home computing, a big part of that being malware removal. I would be doing you a disservice if I pretended to try to give you any authoritative advice about attaining your goal. I can, however, share what little I do know and make a few suggestions that might lead you in the right direction.

First, I am not familiar with that export of policies--I'm on XP Home that doesn't even have a Group Policy Editor. I do know a little bit about policies but not enough to be helpful to you, so I haven't examined the export. That being said, I imagine those would be OK--policies in the environment you're working in, if done correctly, should be a good thing.

I have run across that site before but just vaguely remember it. It was either one of the many affiliates of SpywareDoctor that gave half-baked removal instructions for known malware and then says use their "removal tools", which is the trial version of SpywareDoctor--or one of about a dozen sites that maintained a startup database, most of which were not of very high quality (the best is here: http://www.systemlookup.com/). But looking around the site now I don't see evidence of either one of those. I don't feel anything suspicious going on, but the best thing you can do is just research those policies and determine if they are right for your situation.

Along the same lines, you might want to look into the commercial version of MBAM and its IP blocking protection: http://www.besttechie.net/2009/08/05/malwa...ing-protection/

Other than that, the only advice I can give you is you might be best served to look into corporate protection by Kaspersky. Very high quality plus excellent writeups on all things security at their Knowledge Center: http://usa.kaspersky.com/threats/reading_room.php

There was an article a few years back about ransomware that would be relevant to your situation. That's the ultimate in a targeted attack--a hacker gets into a network or system, encrypts important documents, then demands a ransom to decrypt. Kaspersky claimed they had enough computing power to defeat the encryption (I'm a bit sketchy on the details) rather quickly, tho it was getting harder every time the malware upgraded itself. Point is, I just think Kaspersky is best equipped to deal with what is out there now even tho there is a lot of good security software out there now.

Sorry the post is so long. Good luck to you.

The thing about people

is they change

when they walk away.--Mipso


#7 Learning123

Learning123
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:02:18 AM

Posted 06 February 2010 - 10:10 AM

Dear Papakid, thank you so much for your response. I only now was able to read it. I can see now how my other thread looks like I am setting it up for a bank, but I am not. When I said "banking purposes", I meant personal banking purposes, i.e. someone who wants to devote a computer just for doing their personal banking (but not a bank itself).

Now back to the signing question, I think I will still be putting weight on the signing. You made good points about how signing does not protect one against all kinds of other attacks, and I understand that. The only thing I want to get from signing is a confirmation that I got something from GMER for example. I understand that if GMER themselves decided to put a malware in their software (on purpose or maybe by being infected), that I would then still be infected. I also understand that a lot of attacks are done via social networks and I am not using signing for that protection. Regarding your comment that many people use unsigned software as long as it solves the problem, I can only say that I am more worried about attacks that I cannot identify as a problem than the ones I can. In other words, the most damaging kind of attack is the one you never find on your computer but the one that sends your banking passwords to the hackers. So once it hits, all you will know is that your money got withdrawn from a bank. You may not even know whether this was due to malware on your computer, or some other way of hackers getting into your account.

To use your own example, that pcbutts1 guy could have embedded a silent password-stealer into the legit software and the signature would be the only way to know you got the wrong file. This is also why if I were a hacker I would have redirected you to the real GMER site - so you would NOT be able to realize you are on some suspicious Chinese site. You see my point? The goal of the hacker who is really after money is to make sure everything looks and in fact IS as legitimate as possible with one small silent never-noticeable password-stealer, preferably one that can even remove itself from the system once it gets the goods...

You have a valid point that so far we don't know about such attacks much. But from my readings we are well on the way to that kind of world.

With all due respect, I think you might also be biased towards the more traditional attacks that you have seen over the years and on these kinds of forums - but those people that get attacked in the way I described don't need cleaning software - they are well beyond that point. If you ever find the kind of attack I mentioned, you would not be cleaning your computer - you would be reinstalling from scratch and hoping the bank would give you some of your stolen money back.

I thank you for your detailed post and will come back and reread it some more in the future. It has some interesting links that I'd like to follow up on. Thanks also for the good keywords to search by - good search keywords are key! :-)

I am going to post another question in a thread. I am hoping you will give me some great explanations there. Here is my question: I see in many places the recommendation to run a single firewall and a single AV program. I have run more than one at a time and not sure why it's recommended to have only one. Reasons given that I saw were:
(1) they will conflict ... but I did not notice conflicts - things seem to run for me, programs seem to work, what am I missing?
(2) it might be actually LESS secure to use two firewalls - I don't understand why - can someone explain?
(3) it's a pain since you have to configure same things in two places - Agreed but not a problem in my case
(4) any others?

I've run different combinations, e.g. zonealarm + McAfee (both firewall hips and on-access anti-virus) + avira.

Thanks a lot again!
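Both posts turn on the same property of Authenticode: the signature is embedded in the PE file itself, so it rides along when the file is copied to another host, but the hash it protects covers the code, so a "silent password-stealer" spliced into the file breaks it. The Python below is an added example written for this thread (not code from either poster, GMER, or Microsoft) that computes the Authenticode-style hash by hand; the PE it builds is a constructed stub with placeholder certificate bytes, not a loadable executable, and the hash uses the simplified linear form that assumes sections are stored in file order with the certificate table last.

```python
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data-directory slot holding the certificate table


def _pe_layout(data: bytes) -> dict:
    """Locate the PE fields Authenticode hashing must skip: the CheckSum field,
    the security data-directory entry, and the embedded certificate table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                 # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                      # PE32
        dirs = opt + 96
    elif magic == 0x20B:                    # PE32+
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", data, sec_entry)  # file offset, not RVA
    return {"checksum": opt + 64, "sec_entry": sec_entry,
            "cert_off": cert_off, "cert_size": cert_size}


def is_signed(data: bytes) -> bool:
    """True when a certificate table is embedded: the signature travels with the file."""
    return _pe_layout(data)["cert_size"] > 0


def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Hash the image the way Authenticode does: every byte except the CheckSum
    field, the security directory entry and the certificate table itself.
    Simplified linear form (sections in file order, certificate table last)."""
    lay = _pe_layout(data)
    h = hashlib.new(algo)
    h.update(data[:lay["checksum"]])
    h.update(data[lay["checksum"] + 4:lay["sec_entry"]])
    if lay["cert_size"]:
        h.update(data[lay["sec_entry"] + 8:lay["cert_off"]])
        h.update(data[lay["cert_off"] + lay["cert_size"]:])
    else:
        h.update(data[lay["sec_entry"] + 8:])
    return h.hexdigest()


def file_sha256(data: bytes) -> str:
    """Plain whole-file digest: the value an author can publish for an unsigned tool."""
    return hashlib.sha256(data).hexdigest()


def check_download(data: bytes, published_sha256: str) -> dict:
    """The two checks a cautious user can make before running a downloaded tool:
    is any signature embedded, and does the whole-file hash match the published one."""
    return {"embedded_signature": is_signed(data),
            "sha256_matches": file_sha256(data) == published_sha256.lower()}


def build_demo_pe(code: bytes, cert_blob: bytes = b"") -> bytes:
    """Constructed minimal PE32 stub (headers plus raw bytes, not loadable) with an
    optional WIN_CERTIFICATE table appended and pointed at by the security directory,
    which is where a signing tool places the signature."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    headers_len = 64 + 4 + 20 + 224
    table = b""
    if cert_blob:
        # WIN_CERTIFICATE header: dwLength, wRevision 0x0200, wCertificateType 2 (PKCS#7)
        table = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len + len(code), len(table))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + code + table


def with_checksum(data: bytes, value: int) -> bytes:
    """Copy of the file with the optional-header CheckSum field set to `value`."""
    out = bytearray(data)
    struct.pack_into("<I", out, _pe_layout(data)["checksum"], value)
    return bytes(out)


if __name__ == "__main__":
    blob = b"<constructed placeholder, not a real PKCS#7 signature>"
    code = b"\x90" * 32 + b"original tool code"
    unsigned = build_demo_pe(code)
    signed = build_demo_pe(code, blob)
    tampered = build_demo_pe(code.replace(b"original", b"backdoor"), blob)
    print("unsigned copy carries a signature?", is_signed(unsigned))
    print("embedding the cert table leaves the signed hash unchanged:",
          authenticode_hash(unsigned) == authenticode_hash(signed))
    print("altering the code changes the signed hash:",
          authenticode_hash(signed) != authenticode_hash(tampered))
```

For a genuinely unsigned tool such as the one asked about, only the whole-file hash check applies, and it is only as good as the channel the published hash came over.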

#8 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,628 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:18 AM

Posted 14 February 2010 - 12:21 AM

I thank you for your detailed post and will come back and reread it some more in the future. It has some interesting links that I'd like to follow up on.

I hope you do come back to refer to this topic as I have been working on a response that has turned into a small book that has taken me a week to write. As I said, I am slow--slower than molasses at the south pole. But I felt some things needed to be addressed so I hope you will take your time to read thru it all. Just consider yourself forewarned... :thumbsup:
-----------------------------------
Hi Learning123,
Well, I think you are still missing the point and, no offense, but much of your reasoning is flawed and/or shows a lack of knowledge. I still hope to correct the last part--I used to have this quote in my signature from Will Rogers: "We are all ignorant, just on different subjects."

Let me review in general what we have been talking about, then I hope to go over specifics point by point.

Your original question is how do you know you are getting the authentic GMER download and in general how do you know any unsigned software is authentic? It is basically a question of trust.

My answer to that is that you can trust the software from legitimate sites, especially when it comes to software that is primarily designed to find and remove malware.

You have basically rejected that advice and contend that you can't trust any software that isn't digitally signed. And it becomes clearer that the whole reason for your question is that you are concerned about unsigned software because it could be an entry point to your system that could jeopardize sensitive information stored on your computer and which could ultimately lead to identity theft. Which actually changes the whole question into--What is the best way to protect my computer so that I don't get attacked/infected and fall victim to identity theft, which I will try to go into answering later.

It seems to be your contention that you can trust software that is digitally signed and can't trust that which isn't. Which leads me to believe that you are looking for black and white answers in an endeavor in which there are many gray areas. There is no magic bullet--security is a matter of risk reduction, not risk elimination. Another major point is that good security is not convenient--so security done quickly is not often of good quality. It is the need for speed that gets many infected in the first place.

Your concern over and presentation of scenarios to show that malware or hackers/crackers could use GMER or other security software as a clever means to gain entry into a system is really just begging the question and leads me to believe you don't have enough knowledge of how security software works and what is happening in the real world of malware/security threats.

At this point, let's be clear on some terminology, specifically, Entry Point. In the security field (not to be confused with the same term used in computer programming), an Entry Point is the method or technique used to gain entry to one's computer system and/or network--also known as an attack vector. In other words, how an infection or hacker/cracker "got in" in the first place. A good analogy would be a doorway. In the large majority of cases, because of the use of social engineering, the door is inadvertently opened so that the malware is basically invited in. And a large percentage of these are not targeting any one individual or organization so this is what I think of as a generalized or randomized attack--much like the old door-to-door salesman using all the tricks they know to get invited in.

Obviously, not all attackers are invited in, they may get thru a door you neglected to close or simply break in thru brute force. These can be random also, but more often they are targeted attacks--they are gaining entry because they know you have something they want.

I think you have heard of and are more concerned about and focused on targeted attacks. Which is fine, as a good security game plan will protect you as much as possible against all types of threats. Having a natural distrust puts you one step ahead of the rest, it's just my opinion you need to think a little harder when determining who and what it is that you can trust.

A point I have failed to make so far that might have made all this a bit clearer and easier is that calling GMER and similar programs and thinking of them as protection is a big mistake. In the strictest sense of the word any on demand scanner is not protection. The sole purpose is to find and possibly remove infections after they already have gained entry. In a vague sense such scanners are protection because they will prevent further threats from what was removed--like saving your little brother from a bully; you have protected him from getting hurt anymore, but the damage--such as a black eye and broken teeth--has already been done. To me, protection is preventing the bully from attacking in the first place. GMER won't do this, and neither will most of the removal tools used in the malware removal forum. Because they are designed to help remove, not to protect.

This ties in to your new question. If you know how security software works, then you will know why you don't need more than one antivirus (AV) with on access/real time scanning at a time and no more than one firewall at a time.

Again let's define what we are talking about here.

On Demand Scans:
You are probably somewhat familiar with these as it relates to antivirus (Norton, McAfee, AVG, AntiVir, etc.) and other anti-malware programs (SuperAntiSpyware, MalwareBytes AntiMalware, etc.). They are called on demand because you control (have command over) when and what to scan. As I've described a bit already, in the case of AV's and anti-malware programs these work by testing against a set of definitions that you must keep up to date. They will also attempt to repair affected files, move them to a quarantine or simply delete.

But there are also On Demand Scanners, such as GMER and HijackThis, to name just a few, that are primarily diagnostic tools. They may have some "fixing" ability, but their main purpose is to search the system for data that meets its search criteria so that a human can analyze what that data means and if it is a threat or not. For GMER and HijackThis and similar tools that mostly means that they look for areas of your registry and system that allow malicious files to load into memory--so that a file becomes a process. The one weakness of any malicious file is that it has to run--just as if you had double-clicked it--every time you boot into Windows, else it is just a dormant piece of code. This is why programs like GMER are much smaller than your AV--they don't have near as much area to cover nor do they need to perform as many functions as an AV.

Malware removal tools also fall into this category and are also small and lightweight because they usually focus on one infection or family of threats. These can have both diagnostic and removal functions.

The main point of all this is that On Demand Scanners do not proactively protect your system--their main purpose is not to block any entry points--just find and remove what is already there.

On Access/Realtime Scanners:
This is your proactive protection feature of any full-featured antivirus and is what conflicts with other full-featured AV's when you have more than one installed. These are also known by various and sundry other terms, some proprietary to the AV vendor--Guard, Monitor, ActiveShield, AutoProtect, etc. I like to refer to them as On Access because it best describes how they work. As already mentioned, a file has to be executed/loaded into memory/running to have any effect on your system, i.e., deliver its payload. An On Access scanner will block your access to the file so that you don't open/execute/run it. It will warn you that the file has been positively identified as a threat or possible threat. Then you must decide what to do with the file--attempt repair, delete, quarantine, etc.

The main point here is that this is what primarily blocks Entry Points. Because opening email attachments is still a very common entry point method, let's use that as an example. Let's say you receive an email that has an infectious executable file attached. If you don't try to open that attached file, your On Access scanner does nothing and you could have it sitting harmlessly in your inbox. But when you try to open the file, your On Access scanner intercepts your command and tells you it is a malicious file--it's basically a file filter. If you tell the On Access scanner to delete the file, then the infection has failed to gain entry. If you quarantine it, then you have a dormant copy--basically a backup--sitting on your hard drive; again the infection has failed to gain entry. For the sake of argument, let's say you tell the On Access scanner to allow access or ignore its warning--you have just allowed entry to your system so that the infection can proceed to install and do its dirty work--you just opened the door to let it in.

By design and necessity your AV's On Access scanner must run in the background and so is represented by an icon in your System Tray. That is your protection against infection, not a removal diagnostic tool like GMER. And tho they aren't perfect, they actually work pretty well.

Here is why you should not run two AV's with On Access scanners at the same time:

One, it makes your system unstable--that is the main reason. AV's are very large, complicated programs that dig deep into your system just like malware does in order to root it out. I liken it to a rat terrier that has to go down into the rat hole to rid you of a rat problem. The bigger the program the more bugs and even by itself an AV can cause instability. I have worked many HijackThis logs where a person has more than one AV with protection running and having all kinds of problems as a result, so that they are convinced they are infected. When we get them straightened out so that they are running just one AV with protection, the instability goes away and they find they were never infected in the first place.

Even tho you say you don't experience "conflicts" I think if you look closer you will find some stability issues. The AV's you mention do include On Access scanners. I could see it if you ran more than one AV that are On Demand only, such as the free version of Bit Defender and ClamWin--you should be able to install as many On Demand scanners that you want. Even then you should use the scanners one at a time, as scanning is very taxing on your system's resources. I've also heard some people claim that they've run AntiVir as a second AV with no problems--it has always had a light footprint, and probably still is the lightest, altho version 9 is heavier now.

I have a hard time believing that McAfee gets along with any other AV--it's the worst at flagging other security utilities as malware instead of warning that it may be something that either malware or a good guy could use.

A second reason is that, like a rat terrier going down a rat hole, On Access scanners exhibit some of the same behaviors that malware does. So the heuristic abilities of these scanners will have them flagging and attacking each other for suspicious behavior. This is also a distraction and the end result is less security instead of more.

My question to you would be, why would you want to run more than one AV? Do you think that makes you doubly protected? It has been my experience that it doesn't. I get that experience from years of working these forums, including working or reviewing HijackThis and other diagnostic logs that show a small snapshot of what is running on a person's system--plus I have tried out most free AV's and Firewalls along with a couple of commercial AV's. And I have seen the recommendation against more than one from the AV vendors and Microsoft that Quietman7 has linked you to in that other thread.

You aren't the first person to think you are being smart by having more than one AV. I do understand to an extent why some will reach that conclusion. No one AV is going to catch everything--there is just too much out there now for definitions to keep up with. So getting a second opinion is not only a good idea it is encouraged--you just don't need to install two AV's to do that. There are several online AV scanners that you can easily remove the parts of when they are done--obviously these are On Demand only. Here are just a couple--the first is diagnostic only, the second can also remove found threats:

Kaspersky Online Scanner
Trend Micro's HouseCall

And supplement your AV scans with a few anti-malware programs like SuperAntiSpyware and MBAM

Granted these are not On Access scanners, but should give some peace of mind if you suspect that yours has failed. It's my considered opinion that you should trust your one AV On Access scanner will do its job the best it can and that job is only one part of an overall security strategy. If you think having two AV's and firewalls has you covered so that you can "set it and forget it" then you have decreased your security because you are now wholly dependent on those programs and will be caught with your pants down when they fail.

The biggest threat to security is your own behavior. Knowing best surfing and computing practices and being ever vigilant will protect you much more than any bit of programming code. Combine computing code with your acquired knowledge and you will achieve a much higher risk reduction. I know you already know much of this, but as a starting point, read the pinned topics in this forum, especially the ones by harrywaldron and this one: http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

I would put much more emphasis on keeping Windows up to date as well as commonly used third party software and plugins such as Adobe Reader, Flash and Java as well as your browsers. A great deal of threats get past AV protection by exploiting unpatched holes in Windows and these programs.

Otherwise, combine good behavior with one AV, one firewall and perhaps a HIPS like WinPatrol--altho most third party firewalls include HIPS as well--and you will be very well protected.

One last point on the new question. What do you hope to accomplish having more than one firewall? In basic terms a firewall just closes/blocks open ports and stealths them so no potential attacker knows they are there. If a port is already closed and stealthed, what good is a second firewall going to do you?

Now I have brought all this up to make one simple point. Your scenarios of a fake GMER being substituted at the legit website as a possible Entry Point shows that you are worried about a betrayal of trust from an entity that you would expect to trust the most--a sort of blue-light rapist. That is certainly possible, but it only holds water if the program you are worried about is a protection program such as an AV with an On Access scanner. In the case of GMER and similar programs, it doesn't hold water because it isn't a protection program--no On Access scanner so no trust to betray in the first place.

And, as I have been trying to convey to you, GMER won't be used as a lure to an entry point, because it is a tool used for removal of what has already gained entry. When most people have a need for GMER they are already past the point of worrying about malware getting in--they are lured by GMER's purpose--to find and remove any rootkits that may be present.

And thirdly, code signing has very little weight for any freeware. When you don't pay anything then you don't have to worry about getting what you paid for from who you pay it to. Because no money changes hands, no general malware is going to bother with a Blue Light Rapist scenario.

So to conclude this, you are correct that there are some very nasty threats out there to worry about. I hope you can see now that you have one less thing to worry about. You should trust the people who make tools that find and remove malware. I hope you are not like the rare individuals we come across that distrust the very people who are trying to help them. I hope you will trust me when I tell you that you can trust GMER and similar removal aids. I know what to trust after years of dealing with real people and if you couldn't trust GMER--which is both the name of the program and the screen name of the person who coded it--it wouldn't now be part of BC's Preparation Guide. <--Please read this link instead of telling me you will read it later.

Please don't misunderstand, I am all for checking credentials and verification so I think you are being well served by checking the certificates of code, but only to code where that security measure applies, which would be commercial applications that you will be paying for. A blue light rapist scenario is almost reasonable for something like Norton AV/Norton Internet Security, or any other well known security suite. But as I've already explained, this is not likely to happen at all when you deal with the official website--any hacking into a website will be very temporary and not worth the malware author's effort. That is more of a paranoid fantasy akin to believing that AV vendors and malware authors are in cahoots.

What does happen along these lines is people will crack the license of legit popular AV's--let's use Norton as an example because I've seen it happen with them. They then make the cracked software or keygen available to download--often thru a P2P file sharing network like Limewire--for free or much cheaper than the legit version, but it includes a trojan--there is your entry point.

And one last general point that is a bit of an aside: Microsoft has released a security advisory for SSL/TLS because it found a vulnerability that is as yet unpatched. MS says this vulnerability is not being exploited that they know of and doesn't appear to be very severe. As I understand it, encryption is not affected so encrypted info is safe, but it affects negotiation/identity verification. So don't be ultimately dependent on this technology.

Also note this toward the end of the article:

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.


The MAPP page is here: http://www.microsoft.com/security/msrc/col...pppartners.aspx

So there is another way to determine who you can trust--I suspect all products from these companies are digitally signed (also notice there are no "partners" that offer freeware only products). On the other hand these would be candidates for a blue light rapist scenario.

The only thing I want to get from signing is a confirmation that I got something from GMER for example. I understand that if GMER themselves decided to put a malware in their software (on purpose or maybe by being infected), that I would then still be infected.

I've gone over why the website attack won't be effective ad nauseam so no need to continue with that--I want you to know that you can trust that GMER will not ever intentionally infect his own removal program. I know there are exceptions to every rule so never say never but this kind of thing just doesn't happen in the malware removal community that has developed over the years at sites like BC. It is a tight-knit community and takes a special breed of individual to volunteer to rid folks of nastiness on their computers--all for little or no compensation other than thank yous. This breed of people just doesn't go over to the dark side like that.

I can understand some distrust from people on the outside looking in. Try to look at it from the perspective of those of us on the inside looking out. This is analogous to an episode in golfing history where a security person would not allow Tiger Woods onto the course because he didn't have his credentials. To us GMER is like Tiger Woods--we have watched him for years and know who and what he is.

I also understand that a lot of attacks are done via social networks and I am not using signing for that protection.

First, I have not mentioned social networks at all so you may be confusing social engineering with social networking. Tho somewhat related they are two entirely different things. Social networks in a strict sense are sites like Facebook and Twitter, just to mention a very few, where people connect to interact with each other. In a loose sense, forums like BC are social networks and actually the entire internet could be considered a social network--you can be social with anyone in the world.

Social engineering is a technique used by malware authors to trick you into allowing an entry point into your system. Phishing emails are social engineering but I think the best example is the old technique of sending an email or IM message with a link to pictures of a naked Anna Kournikova--most men, especially young ones, are puerile enough to open the file/website that infects their system even when they may know better and some will tell their On Access scanner to take a hike when it warns them against what they are about to do.

Even if you meant to say social engineering instead of social networking, this is something you should be worried about as social engineering is the primary way general malware gains entry points. And the best protection against this is the good use of your gray matter.

Regarding your comment that many people use unsigned software as long as it solves the problem, I can only say that I am more worried about attacks that I cannot identify as a problem than the ones I can. In other words, the most damaging kind of attack is the one you never find on your computer but the one that sends your banking passwords to the hackers. So once it hits, all you will know is that your money got withdrawn from a bank. You may not even know whether this was due to malware on your computer, or some other way of hackers getting into your account.

I think you mean, the most dangerous kind of malware you will never find on your computer--instead of the most damaging kind of attack. What you are describing is a truly stealthed attack and you are entirely correct that they are pretty scary. Password stealing and general information stealing malware, which is also known as surveillance software--which is the ultimate spyware, include components known as keyloggers, as well as routines that will take screenshots and anything else you can think of that will yield the desired information. Using a rootkit to hide the keylogger and other information stealing components makes it a stealthed attack. If that was all the malware did it would be truly stealthed. In the case of generalised malware, they get greedy and include other money making components whose symptoms give them away, such as pop up ads and pay per click schemes that redirect to certain search engines.

A targeted attack is more likely to be truly stealthed. In fact that is what keyloggers were originally designed to do. They have been around for a long time, typically installed by jealous spouses to spy on their significant other or by office managers to make sure employees are following company policy on company owned computers. So of course they are more effective if the person being spied on doesn't know they are present. And like many other programs they can also be used by those with malicious intent. Both by generalized malware that may give itself away or by a "hacker" that has targeted you personally--just like a spouse targets their significant other.

So yes, a keylogger hidden by a rootkit is scary. That is why, if you were in the shoes of those who have been hit by one, you wouldn't worry about checking the certificates of GMER--you just want it to find that rootkit so you can get that bully off you--only then can you begin the process of rebuilding your credit or reporting the potential loss of identity to the proper authorities. For one thing GMER will reveal more than one of the signed apps you mentioned--F-Secure's Blacklight. When Blacklight first came out we used to use it a lot to help others--now we use GMER because it is a better ARK. Same thing with Sysinternals' Rootkit Revealer.

So your statement is very ironic--it is like saying you don't care about your neighbor's house being broken into, you are just worried about the police investigating it breaking into your house.

As far as not knowing, with computers, you can find the keyloggers and rootkits and whatever if you look hard enough and know what you are doing. However, it can be like searching for a needle in a haystack--not impossible, but very difficult. But you are correct that, when you have suffered having your bank account cleaned out, that could have happened many ways besides online banking. I believe waiters that take your credit card and keep the number are still more dangerous than that information being lost to generalized keyloggers. The waiter may use the stolen info immediately for their own gain. Generalized malware that steals such information is mostly automated (read up on BotNets and how they work) and builds an inventory that gets sold to someone else on underground IRC chat channels. That stolen info may have gone stale (you change your credit card number) or just simply doesn't get sold at all--this you won't ever know about if you ever get that kind of malware on your system.

To use your own example, that pcbutts1 guy could have embedded a silent password-stealer into the legit software and the signature would be the only way to know you got the wrong file.

He could have but he didn't--as far as I know the removal tool worked as well as one downloaded from the official site. He could have charged for the tool, but he didn't do that either. His motivation is purely driven by ego--stealing a reputation that he didn't earn. The point is that it is incorrect to say the only way to tell is to check the code signing--if you get the tool from the official site that is recommended by reputable people, then there is nothing to worry about.

This is also why if I were a hacker I would have redirected you to real GMER site - so you would NOT be able to realize you are on some suspicious chinese site. You see my point?

No, because if you were a hacker you would be broke. It would be like a burglar looking to break into a house that has already been broken into and cleaned out--leaving you with nothing but perhaps a few dregs. Plus if I were on the official GMER site then I wouldn't be on a suspicious Chinese site. Again, it's begging the question and missing my point that website security is much more dynamic and so safer and more efficient than code signing.

The goal of the hacker who is really after money is to make sure everything looks and in fact IS as legitimate as possible with one small silent never-noticeable password-stealer, preferably the one that can even remove itself from the system once it gets the goods...

You have a valid point that so far we don't know about such attacks much. But from my readings we are well on the way to that kind of world.

Again I believe you are focused on one type of attack, targeted attack from a human being behind a keyboard. Cyber Criminals have more goals than just to make money and those wanting to make money can do it in ways other than stealing banking information. You should really look up backdoors and botnets. Once there is a backdoor on your system a hacker or bot can do anything on the computer that you can do--as if they were sitting behind the keyboard. A bot will start downloading and installing information stealing applications that I have mentioned, install a mailer daemon to start sending out spam to all your address book contacts, cause your browser to redirect to pay per click search sites, install an engine so that you suffer from massive pop ups, and various other goals, including holding your files for ransom that I mentioned earlier. This is not to even mention the most common attack now which is to install a fake security program that tries to fool you into believing you are infected and must pay to remove. How is this not really being after money? Some automated attacks do limit themselves to stealing passwords, but not to banking accounts. In MMORPG games like World of Warcraft and Lineage, people earn virtual gold and goods by performing certain tasks and achieving certain goals. Some malware authors, mostly out of China, have found out that some people will pay real money for those virtual goods (it's called cheating) and so the bots they design just steal the passwords to a player's MMORPG game account so that they can steal the virtual goods and sell them on the black market. So the goals and ways to make money are many and varied--and there is nothing stopping an individual hacker from using these tools and methods to target you personally.

Even if there is an individual hacker targeting you, they may have goals other than making money. It's not unheard of for hackers to use the storage space on your hard drive to store files that could be used as evidence against them, such as a bookie--if they get arrested their computers get confiscated.

I'm puzzled why you think we don't know much about such attacks--and that you concede to me a "valid" point I never made. The kind of attack you mention has happened before and will happen again. What you describe is much like a cat burglary--you don't realize a cat burglar has been there til what was stolen comes up missing. But that doesn't mean we don't know what a cat burglary itself is. And we are not headed to this kind of world, it is already here. We just have to protect ourselves to the best of our ability thru risk reduction.

With all due respect, I think you might also be biased towards the more traditional attacks that you have seen over years and on this kind of forums - but those people that get attacked in the way I described don't need a cleaning software - they are well beyond that point. If you ever find the kind of attack I mentioned, you would not be cleaning your computer - you would be reinstalling from scratch and hoping the bank would give you some of your stolen money back.

I'm not sure what you mean by "traditional" attacks, but it seems obvious to me that you have been grossly misinformed about what goes on in the malware removal forum. The forums were initiated because of a need for dealing with new attacks. Anti-virus and anti-malware either weren't dealing with them because they were so new that definitions had not come out or because completely automated removal is dangerous and needs a human to ensure the safest procedure possible. Cutting edge malware often gets discovered here first and removal procedures get developed here before they become common elsewhere. So any traditions and conventions are developed over time thru trial and error.

As far as not needing a removal tool for your attack scenario, you actually have a valid point, but let me clarify it for you.

Any time you have been backdoored is a very serious issue--your computer's security has been completely compromised. It doesn't matter what the goal of the attacker was or if it was completely stealthed. Just the fact that the attacker has complete control over your system and the possibility that your sensitive info is in the hands of cyber criminals is a serious matter if you engage in online banking and other financial transactions. Rootkits themselves are usually an indication of a backdoor situation but any time we discover that someone has been backdoored, we strongly suggest that they do a reformat. As already mentioned, we may be able to find and remove the rootkit and most of the infection but there may be parts left behind that means it is still compromised so it is very difficult to find and remove it all. This is a decision that a computer user must make themselves tho. Many will choose to try removal instead, some because they don't do financial transactions on their computer--perhaps it's dedicated to gaming or something else.

And as you mentioned, it's possible the remote access program has been deleted and the hacker has left your computer and all evidence it had been there--just like a cat burglar. If that were the case what good would reformatting do? Still I believe it is better not to take the chance that it will happen again--the sooner you quit fooling around with it and get your computer back to normal, the sooner you can begin the process of recovery from Identity Theft and its effect on your credit rating.

In my opinion, with some of the serious malware that is out there now, I would still go with a reformat even without a situation where online banking is involved. Not only does the more automated malware not clean up after itself, it leaves a big mess behind--changed permissions, orphaned reg entries, stray files, damaged Windows utilities like Task Manager, regedit, etc., and crippled if not completely killed antivirus and other security programs. Repairing all the damage can be more of a hassle than a reformat, tho neither is very much fun.

So in conclusion, take counsel of your fears; that's how you learn to protect yourself from all the nasty stuff that is out there. Worrying doesn't do you any good if you don't do anything to prevent what you are worrying about from happening. And try not to find other things to worry about that aren't necessary--we all have enough to worry about as it is.

Edited by Papakid, 14 February 2010 - 11:23 AM.

The thing about people

is they change

when they walk away.--Mipso


#9 xblindx

Posted 14 February 2010 - 11:06 AM

That was an excellent read Papakid, good work :thumbsup:

#10 Learning123 (Topic Starter)

Posted 21 February 2010 - 07:38 PM

Boy Papakid, that was a long post - a small book indeed. It sounded like I might have offended you, which I certainly did not mean, so I apologize. A lot of what you wrote I understand - things like on-access vs on-demand scans. I probably used the terms incorrectly, so I am sorry again. Finally, you mentioned a few times that I am worried about mistrusting either GMER themselves or the folks on this forum etc. And yet again I am sorry to have caused such an impression - did not mean this at all. My question on GMER was NOT whether I should distrust them - I am obviously willing to run their software (if I can ensure it's theirs), so I trust GMER more than enough based on recommendations like the ones on this forum.

You said :
---
Your original question is how do you know you are getting the authentic GMER download and in general how do you know any unsigned software is authentic? It is basically a question of trust.
---

You might have misunderstood my question - I am NOT asking there whether I should trust GMER. I am only asking whether I should trust that my downloaded bits match what GMER in fact released. So, no, it's not a question of whether I trust GMER. Maybe it's a question of trust in that whether I trust the delivery system that gets me the GMER bits - and I'd rather not have to trust it - the signature would have solved that issue.

Yes, there are plenty of ways to attack a system. I am comfortable defending against some of them. My question was only about the hacker in the middle delivering "cracked" GMER content. Yes, I am asking about some very specific kind of attack - it's *not* because I don't worry about other kinds of attacks. Please don't assume that. My point was simple: with signed software I am sure I get what the author signed. With unsigned software, I might be getting other bits - just like the ones found on a P2P network, EVEN IF it looks to me like I am getting them from a valid website. Again, I did not mean to imply that those signed anti-rootkits are better than GMER. I never said that. All I might have implied is that I have more trust that the Blacklight and Microsoft files I have are indeed from the original source. It's not a reflection on how good or bad they are compared to GMER - just the fact that I can trust that those bits indeed come from the claimed source.
With GMER, as much as I would love to run the software, I would not be able to have same level of trust without the signature.

Yes, the real gmer website might be hacked only temporarily, but I do not have to think about such temporary hacks with signed software that I download. With things like NoScript, I would not allow the site to run anything on my PC - only download a file. So, a hacked site already may not be able to hurt me except for the download I am going to run. Similarly, I'd rather not have to think about whether my ISP is hacked with something similar, or whether there are other "holes" that might be attacked because of the lack of the signature.

You also make a point that once I need GMER, by that time I already know I have been hacked and don't need to worry much about being hacked again. I agree. My point however is that I want to run GMER BEFORE I know that I am hacked. I just wanted to search for rootkits. Most likely I am NOT hacked. So, your point does not apply to my situation but again, I agree with its general concept.

I think your other point is that there are other, better ways to attack people than to try to explore the whole unsigned business. I think in part I am putting you in a defensive position because you and many other helpful folks here and on other forums recommend downloading GMER - and so questioning this sounds in some sense like questioning your fundamental advice to people. Sorry about that - I did not realize this when I wrote the question. I think I understand your position - I don't mind closing this signing question.

Let's move to the other question now - running 2 AVs or 2 firewalls. (And yes, from here on out by running them at the same time, I mean on-access, not on-demand runs.) I think I understand now that after you have spent a lot of time triaging people's problems running more than 1 AV/firewall at the same time, it's only natural to not even want to start on one if they have 2 of them running at the same time. Your experience shows that this leads to instabilities. I am not sure how you suggest I look "closer" at my systems to find such instabilities. Yes, I see a couple of errors in event log but I doubt they have to do with the 2 pieces of software, even if they do, they don't bother me either (e.g. the time was not synched with a time server - not a big deal to me). One thing I am learning is that if I ever do have instabilities, I should turn off one of them to see if the "instability" goes away.

You asked what I want to accomplish by running two AVs, and then I think you answered the question yourself - they are different and one may catch something the other one won't. No, I don't think it will double my protection. But I think it will increase it simply because there are 2 pieces of code testing my files. Maybe it will go from 95% to 99%, who knows... The McAfee suite had found an issue that Norton had missed when it was installed on a system. So I don't want to stop running McAfee which includes both HIPS and on-access protection. But then I also read about how AntiVir is so much better or at least handles issues that McAfee misses, so that's why I am running them both. I trust ZoneAlarm more than McAfee HIPS, but just did not bother turning off HIPS because well, I had not had an issue with it (yet?).

Your second reason not to run 2 at the same time is they will flag each other as malware. They actually had not (or if they had, I was expecting this and already told them to allow each other - I forget if I did since this would have been obvious to me).

I don't think there was a 3rd reason.

By the way, you mention reformatting - one thing I am reading in some places is that reformatting may not be enough when it comes to the MBR and other bits on the hard drive that might be infected. (still learning) I am currently looking into wiping software - any favorites?

Edited by Learning123, 21 February 2010 - 07:44 PM.
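The thread leaves the practical question open: how to check that downloaded bits match what the author released when the file is unsigned. The script below is an added example, not code from the thread, from GMER or from BleepingComputer. It checks the Authenticode signature (the "Digital Signatures" tab the original poster relies on) and, for unsigned files, compares a SHA-256 against a value obtained out of band (a hash copied from the vendor's page over a separate connection, or one posted by a trusted helper). The function name, the $ExpectedSha256 input and the sample paths are hypothetical.

```powershell
# Added example: decide whether a downloaded executable can be trusted to be
# the bits the author released. Two independent checks are combined:
#   1. Authenticode signature (Get-AuthenticodeSignature)
#   2. SHA-256 against an out-of-band value ($ExpectedSha256, hypothetical input)
# Requires Windows PowerShell 4.0 or later (Get-FileHash).
function Test-DownloadTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string]   $ExpectedSha256,              # optional hash copied from a trusted source
        [string[]] $TrustedSignerSubjects = @()  # optional allow-list of publisher names
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $report = [ordered]@{
        Path            = $Path
        SignatureStatus = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Sha256          = $hash
        HashMatches     = $null                    # stays $null when no expected hash was given
        Verdict         = 'UNVERIFIED'
        Reason          = ''
    }

    # Check 1: a valid signature from an expected publisher. "Valid" alone only proves
    # that *some* publisher trusted by this machine signed the file, so also match the
    # certificate subject. (A substring match on the subject is a convenience here;
    # pinning the certificate thumbprint is stricter.)
    $signerOk = $false
    if ($sig.Status -eq 'Valid') {
        if ($TrustedSignerSubjects.Count -eq 0) {
            $signerOk = $true
        } else {
            foreach ($subject in $TrustedSignerSubjects) {
                if ($report.Signer -like "*$subject*") { $signerOk = $true; break }
            }
        }
    }

    # Check 2: out-of-band hash. -eq on strings is case-insensitive, which is fine
    # because Get-FileHash returns upper-case hex and vendors often publish lower-case.
    if ($ExpectedSha256) {
        $report.HashMatches = ($hash -eq $ExpectedSha256.Trim())
    }

    if ($sig.Status -eq 'HashMismatch') {
        # Signed once, but the bytes no longer match the signature: altered in transit or on disk.
        $report.Verdict = 'REJECT'
        $report.Reason  = 'Signature present but file contents do not match it'
    } elseif ($report.HashMatches -eq $false) {
        $report.Verdict = 'REJECT'
        $report.Reason  = 'SHA-256 differs from the out-of-band value'
    } elseif ($signerOk) {
        $report.Verdict = 'ACCEPT'
        $report.Reason  = "Valid Authenticode signature by $($report.Signer)"
    } elseif ($report.HashMatches -eq $true) {
        $report.Verdict = 'ACCEPT'
        $report.Reason  = 'Unsigned (or signer not on the allow-list), but SHA-256 matches the out-of-band value'
    } elseif ($sig.Status -eq 'Valid') {
        $report.Reason  = "Signed by $($report.Signer), which is not on the allow-list, and no out-of-band hash supplied"
    } else {
        $report.Reason  = "Signature status '$($sig.Status)' and no out-of-band hash supplied"
    }

    return [pscustomobject]$report
}

# Usage (hypothetical paths; paste the hash published by the vendor in place of the placeholder):
# Test-DownloadTrust -Path 'C:\Downloads\gmer.exe' -ExpectedSha256 '<hash from vendor page>'
# Test-DownloadTrust -Path 'C:\Downloads\blacklight.exe' -TrustedSignerSubjects 'F-Secure'
```

The hash only helps if it comes over a channel independent of the download itself; a hash shown on the same possibly-altered page proves nothing more than the download does.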




