Register a free account to unlock additional features at BleepingComputer.com

The Current State of Parasites


5 replies to this topic

#1 fred3

fred3

  • Members
  • 51 posts
  • OFFLINE
  • Local time:11:33 AM

Posted 24 February 2011 - 02:29 AM

"Parasites" is what I call the entire collection of viruses, worms, trojans, browser hijackers, root kits, etc. etc.

As time goes on it seems that the landscape changes. I wonder if there isn't some place (or if there shouldn't be) where we could discuss what we're seeing nowadays?

I guess it's always possible to be surprised and then think that the world has changed - but after cleaning up a whole lot of computers when something new shows up in general behaviors then that's worth revealing it seems. Root kits are a good example of this.

In very few cases have I cleaned up a computer in a more or less "normal" way only to find that there's a root kit that just keeps on causing trouble. It makes me think that good root kit removal should be part of cleanup from the beginning whether it's evident or not. Obviously, usually not. But the root kit tools seem to be users of our time and not to be taken lightly. Is that the case?

The other day I fixed a computer that started out not liking a few Windows updates. Malwarebytes anti-malware is usually my first "checker". If it doesn't find anything then there's not likely anything to worry about. Not in this case. Anti-malware didn't *ever* find anything. So, I see that as a change in the landscape because it *always* found something (just not everything) but it always seemed to find something in a compromised computer and so was a good indicator. In this case it was SuperAntiSpyware that found something and fixed it. That just seemed odd in my experience. So, I'm wondering.....


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,486 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:33 PM

Posted 24 February 2011 - 07:27 AM

Malwarebytes Anti-Malware uses a proprietary low level driver similar to some anti-rootkit (ARK) scanners to locate hidden files and special techniques which enable it to detect a wide spectrum of threats including active rootkits. SUPERAntiSpyware Free also offers technology to deal with some rootkit infections.

Some Anti-rootkit (ARK) tools are intended for advanced users or to be used under the guidance of an expert who can interpret the log results and investigate it for malicious entries before taking any removal action. Incorrectly removing legitimate entries could lead to disastrous problems with your operating system.

Why? Not all hidden components detected by anti-rootkit (ARK) scanners and security tools are malicious. It is normal for a Firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx), CD Emulators, sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

In most cases further investigation is required after the initial ARK scan by someone trained in rootkit detection or with advanced knowledge of the operating system. Report logs need to be analyzed and detected components identified in order to determine if they are benign, system critical or malevolent before attempted removal. Using an ARK scanner without knowing how to tell the difference between legitimate and malicious entries can be dangerous if a critical component is incorrectly removed.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
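The triage step quietman7 describes (the ARK scanner reports every SSDT entry, and someone then has to sort unhooked entries, hooks from verified security software, and everything else that still needs a human look) can be written down as a script. The following Python is an added example, not code from this thread or from any ARK tool: the report format, the module names hipsdrv.sys and unknowndrv.sys, the address ranges and the KNOWN_BENIGN_HOOKERS list are all constructed for the illustration. It only classifies; it never removes anything.

```python
"""Triage of SSDT entries from an anti-rootkit (ARK) scan report.

Added example; not from this thread and not the output format of any real
ARK tool. It applies the rule described in the post: ARK scanners report
every hooked entry, so the analyst sorts them into "UNHOOKED" (served by
ntoskrnl.exe), "EXPECTED" (hooked by a module already verified as legitimate
on this machine) and "REVIEW" (everything else). Nothing is removed.
"""
import re

# Constructed sample report (assumed format). MODULE lines list loaded kernel
# modules with their image address ranges; SSDT lines list one service-table
# entry each: index, service name, the address the entry points at, and the
# module the scanner attributes that address to. Module names other than
# ntoskrnl.exe, and all addresses, are invented for this illustration.
SAMPLE_ARK_LOG = """\
MODULE ntoskrnl.exe 0x80400000-0x806E0000
MODULE hipsdrv.sys  0xF7A40000-0xF7A48000
MODULE unknowndrv.sys 0xF9C00000-0xF9C04000
SSDT 0x0025 NtCreateFile 0x805B3F12 ntoskrnl.exe
SSDT 0x0042 NtOpenProcess 0xF7A41C20 hipsdrv.sys
SSDT 0x00AD NtTerminateProcess 0xF7A41E80 hipsdrv.sys
SSDT 0x0091 NtQueryDirectoryFile 0xF9C02340 unknowndrv.sys
SSDT 0x00B4 NtQuerySystemInformation 0xFA100000 unknowndrv.sys
SSDT 0x0074 NtOpenKey 0x805C0A10 ntoskrnl.exe
"""

# Hooking modules the analyst has already verified on this machine
# (hypothetical: hipsdrv.sys stands in for a real HIPS/anti-virus driver).
KNOWN_BENIGN_HOOKERS = {"hipsdrv.sys": "hypothetical HIPS product"}

MODULE_RE = re.compile(r"^MODULE\s+(\S+)\s+0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)$")
SSDT_RE = re.compile(r"^SSDT\s+0x([0-9A-Fa-f]+)\s+(\S+)\s+0x([0-9A-Fa-f]+)\s+(\S+)$")


def parse_ark_log(text):
    """Return ({module: (start, end)}, [entry dicts]) from the report text."""
    modules = {}
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MODULE_RE.match(line)
        if m:
            modules[m.group(1).lower()] = (int(m.group(2), 16), int(m.group(3), 16))
            continue
        m = SSDT_RE.match(line)
        if m:
            entries.append({
                "index": int(m.group(1), 16),
                "service": m.group(2),
                "target": int(m.group(3), 16),
                "owner": m.group(4).lower(),
            })
            continue
        raise ValueError(f"unrecognised report line: {line!r}")
    return modules, entries


def classify_entry(entry, modules, known_benign):
    """Return (verdict, reason) for one SSDT entry. Never decides 'remove'."""
    owner = entry["owner"]
    bounds = modules.get(owner)
    if bounds is None:
        return "REVIEW", "attributed to a module that is not in the loaded-module list"
    start, end = bounds
    if not (start <= entry["target"] < end):
        # The scanner's attribution and the address disagree: worth a closer look.
        return "REVIEW", "target address lies outside the attributed module's image"
    if owner == "ntoskrnl.exe":
        return "UNHOOKED", "handled by the kernel itself"
    if owner in known_benign:
        return "EXPECTED", f"known hook from {known_benign[owner]}"
    return "REVIEW", "hooked by a module the analyst has not yet verified"


def triage(text, known_benign=KNOWN_BENIGN_HOOKERS):
    """Group the report's SSDT entries by verdict, preserving report order."""
    modules, entries = parse_ark_log(text)
    report = {"UNHOOKED": [], "EXPECTED": [], "REVIEW": []}
    for entry in entries:
        verdict, reason = classify_entry(entry, modules, known_benign)
        report[verdict].append({"service": entry["service"],
                                "owner": entry["owner"],
                                "reason": reason})
    return report


if __name__ == "__main__":
    for verdict, items in triage(SAMPLE_ARK_LOG).items():
        print(f"{verdict} ({len(items)})")
        for item in items:
            print(f"  {item['service']:<26} {item['owner']:<16} {item['reason']}")
```

The REVIEW bucket is deliberately the default: an unrecognised owner, or an address that does not sit inside the module the scanner attributes it to, both land there, and what happens next is the investigation the post calls for, not an automatic removal. Emptying KNOWN_BENIGN_HOOKERS moves the HIPS driver's hooks into REVIEW as well, which is the right starting point on a machine where nothing has been verified yet.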

#3 fred3

fred3
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:11:33 AM

Posted 24 February 2011 - 11:32 AM

As time goes on it seems that the landscape changes. I wonder if there isn't some place (or if there shouldn't be) where we could discuss what we're seeing nowadays?


motivated because what I found the other day was unusual..... suggests new threats or approaches in dealing with them, etc.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,486 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:33 PM

Posted 24 February 2011 - 12:12 PM

I wonder if there isn't some place (or if there shouldn't be) where we could discuss what we're seeing nowadays?

Experts discuss this type of information, strategies on how to deal with it, etc., in private areas not open to the general public. Everything we discuss can be read by the bad guys. Yes, they read these threads looking for clues on how to circumvent our tools. We don't want to provide any information they can use against us so we talk in private.

#5 chromebuster

chromebuster

  • Members
  • 899 posts
  • OFFLINE
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England
  • Local time:02:33 PM

Posted 25 February 2011 - 04:18 PM

What I can tell you from the history I've read and learned for no particular reason is that malware authors have gone from being pranksters to being identity stealers. It seems that back in the 1990's, a computer that was infected with an ancient virus could live its life out that way if the user was not knowledgeable enough to take care of it, or, never mind that, they may not have even recognized it. Some of those in particular are the ancient DOS viruses that never wanted to ruin anything, and often never did; they more or less just messed up one's processing speed. Today that's not even close to possible, and from what I read somewhere, a few security individuals seemed to have thought that most file infector viruses are all extinct but maybe for two particular families. Gone in favor of rogues and annoyances like that.

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#6 fred3

fred3
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:11:33 AM

Posted 25 February 2011 - 04:47 PM

OK. I don't think that sort of comment gives much away, eh?

For my own part I'm sensing that more obscure parasites are becoming more common. In some sense I don't really care how they work (notwithstanding the recent ACM article suggesting malware education for the second time in about 5 years), what I care about is:
1) to recognize the presence of parasites that got by reasonable security software and perhaps external devices.
2) to get rid of same
Under the assumption that (1) is either necessary for (2) and, if not that, then to save time and money. That is, unless (2) were quick and painless like the dentist of old, which it usually is not.
