Antivirus integrity


  • Please log in to reply
20 replies to this topic

#1 nCharge

Posted 18 October 2012 - 05:33 AM

Hello,

I know there is malware that "deactivates" your AV product, but how would you know?
Is the AV really deactivated, so that you will see "Guard:Off", or will the malware perhaps add itself to the excluded section, so that the AV still works but will not react to the threat?

In that case, how could you know if malware is playing with your computer? Are symptoms always that obvious?

#2 Romeo29

Posted 18 October 2012 - 07:02 AM

You have to ask: "Why do people create malware?" In general, malware authors create them for money. They spend weeks and months writing and testing them. Then they sell the code to others in the online underground.

1. Malware authors create them to make money. So they try redirecting sites, changing homepages etc. to generate site traffic and automated clicks to make revenue from advertisements. You may notice popups, new toolbars, hidden popup windows etc. They can also hijack your email addresses, and your friends complain to you about receiving weird mails. They may try to sell you fake antivirus stuff. Some bleepers also encrypt files and then charge you for unlocking them.

2. Malware wants to stay on your PC. In order to stay on your PC, they prevent you from accessing security and antivirus product sites. Sometimes they block bleepingcomputer.com too :) Additionally, they disable settings in Internet Explorer, change group policies and prevent you from running tools like the registry editor. Antivirus or anti-malware applications close as soon as you run them.

Some of them are created for espionage and are very hard to detect but that is something an ordinary PC user does not have to worry about.

I cannot think of anything else right now.

#3 nCharge (Topic Starter)

Posted 18 October 2012 - 07:36 AM

So, it's more the Guard:Off symptom, right?
In that case the user will see it quickly.

Some of them are created for espionage and are very hard to detect but that is something an ordinary PC user does not have to worry about.

You mean that it is uncommon to have malware that hides well? (We always see something strange?)

#4 Animal (Site Admin)

Posted 18 October 2012 - 11:59 AM

You mean that it is uncommon to have malware that hides well? (We always see something strange?)

You also have to factor in the user quotient. With some users you could hide the malware in plain sight and it would go undetected. Other users are so aware that a single pixel, or other minuscule activity, out of place sends up warning flags in their opinion. So there is a wide variance in what the idea of 'hides well' looks like.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)



#5 quietman7 (Global Moderator)

Posted 18 October 2012 - 12:59 PM

...know if a malware is playing with your computer ? Are symptoms always that obvious ?

No, symptoms are not always obvious but in many cases they are and we refer to them as "signs of infection."

For example with the Mebroot rootkit, signs of infection included:
1. When attempting to log into ebay, Paypal, gmail, Yahoo! mail, user is redirected to a phishing screen asking for personal info (SS number, Credit card number, ATM pin).
2. Random Audio/Radio/Voice ads & sounds such as "Congratulations You've Won" audio.
3. Commercials in foreign languages.
4. Pop ups when no browser is open.
5. BSOD and Stop 0x0000007B error message while booting the system.

Signs of infection seen with TDSS:
1. Google search results redirected as the malware modifies DNS query results.
2. Infected (patched) files like atapi.sys, iastor.sys and others in the Windows drivers folder.
3. Internet Explorer opens on its own.
4. Infected Master Boot Record.
5. BSODs, slow computer and poor performance.
6. Random Audio/Radio/Voice ads.
7. Repeated fake alerts indicating the computer is infected.
8. Frequent IExplore.exe instances.

Signs of infection seen with the latest variant of the TDL4/MaxSS bootkit:
1. Redirections in all browsers.
2. Infected consrv.dll file which places various files in a random folder in the systemroot\INSTALLER folder.
3. Hidden malicious partition.
4. Presence of %WinDir%\$NtUninstallKB3057$, %WinDir%\$NtUninstallKB32069$, etc. folders.
5. Booting issues.

There are many more signs and symptoms depending on the malware infection.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
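Several of the TDSS/TDL4 signs listed above (patched drivers, odd $NtUninstallKB folders, redirects, a hidden partition) can be looked at from an elevated PowerShell prompt. The script below is an added example, not code from the thread or from BleepingComputer; it assumes Windows 8 or later with PowerShell 3, the Storage and DnsClient modules, and takes atapi.sys and iastor.sys from the post as the drivers to check.

```powershell
# Added example, not code from the thread or from BleepingComputer. Run from an
# elevated PowerShell 3+ prompt on Windows 8 or later (Storage and DnsClient
# modules assumed). It prints evidence to look at; it does not pass a verdict.

$driverDir = Join-Path $env:WinDir 'System32\drivers'

# 1. Patched drivers (TDSS). A driver altered after signing no longer validates,
#    so Status comes back HashMismatch. Catalog-signed Microsoft drivers show
#    NotSigned on PowerShell versions that check embedded signatures only, which
#    is normal; HashMismatch or an unexpected signer is what warrants a closer look.
foreach ($name in 'atapi.sys', 'iastor.sys') {        # drivers named in the post
    $path = Join-Path $driverDir $name
    if (-not (Test-Path -Path $path)) {
        "$name : not present (normal on hardware that does not use it)"
        continue
    }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    '{0} : {1}, signer {2}' -f $name, $sig.Status, $signer
}

# 2. TDL4/MaxSS leftovers: hidden $NtUninstallKB...$ folders under %WinDir%.
#    On Windows XP such names were legitimate hotfix uninstall folders, so the
#    tell is an odd one (the post's KB3057 / KB32069) on a Windows version that
#    no longer creates them.
$leftovers = @(Get-ChildItem -Path $env:WinDir -Directory -Force -Filter '$NtUninstallKB*$' -ErrorAction SilentlyContinue)
if ($leftovers.Count -gt 0) {
    "Found $($leftovers.Count) `$NtUninstallKB folder(s):"
    foreach ($d in $leftovers) { '  {0}  created {1}' -f $d.FullName, $d.CreationTime }
} else {
    'No $NtUninstallKB folders under ' + $env:WinDir
}

# 3. Redirects. The post ties TDSS redirects to altered DNS answers; the hosts
#    file and the configured resolvers are the two places a user can inspect.
$hostsFile = Join-Path $driverDir 'etc\hosts'
$active    = @(Get-Content -Path $hostsFile | Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' })
"hosts file: $($active.Count) active entr(y/ies)"
foreach ($line in $active) { "  $line" }
'Configured IPv4 DNS servers:'
foreach ($if in Get-DnsClientServerAddress -AddressFamily IPv4) {
    if ($if.ServerAddresses) { '  {0,-30} {1}' -f $if.InterfaceAlias, ($if.ServerAddresses -join ', ') }
}

# 4. Partitions. TDL4 keeps a small hidden partition of its own; list what the
#    disk layout reports so an unexpected entry stands out. A small partition
#    with no drive letter ('System Reserved') is normal on Windows 7 and later.
Get-Partition |
    Select-Object DiskNumber, PartitionNumber, DriveLetter, Type,
        @{ Name = 'SizeMB'; Expression = { [math]::Round($_.Size / 1MB) } } |
    Format-Table -AutoSize
```

None of these findings is conclusive on its own; as quietman7 says elsewhere in the thread, the output is something to hand to someone who knows what a clean layout looks like.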

#6 Romeo29

Posted 18 October 2012 - 08:10 PM

You mean that it is uncommon to have malware that hides well ? (We always see something strange ?)


Yes. I was talking about things like Stuxnet, Flame and now miniFlame etc. You have to see the motive and target of malware authors. The highly sophisticated malware like Stuxnet was designed for industrial espionage, had a specific target and stayed undetected for some time. They are designed to work silently without raising any alarm. Looking at the malware files, they have speculated that this malware stayed hidden for some years. But common PC users were not the target.

Then there is malware which targets common people who usually have no idea about viruses or antivirus. Its motive is to frighten them into paying for fake antivirus or to steal their financial information - consequently lots of changes in your system. As Animal has said, the symptoms are visible to people who know. Once one of my niece's friends asked how she could install XP Antivirus 2011 on her new computer. Her logic was that she had already paid for it to install on Windows XP, so why not install it on her new Windows 7 PC. But she could not find the setup file.

#7 nCharge (Topic Starter)

Posted 19 October 2012 - 05:23 AM

To quietman7: Are there always "signs of infection" when dealing with malware?

And what about AVs? How can you detect if it's been compromised by malware? Will you see Guard:Off? Can malware behave like rootkits by excluding themselves and sending back information through your AV that there are no excluded items?

#8 quietman7 (Global Moderator)

Posted 19 October 2012 - 08:03 AM

Are there always "signs of infection" when dealing with malware?

No, but in most cases there are...some are obvious and other signs require "digging" around with investigative tools.

And what about AVs? How can you detect if it's been compromised by malware?

Some types of malware can deliberately disable your AV and its related services.

Can malware behave like rootkits?

You need to understand the terminology. See Glossary of Malware Related Terms.

#9 nCharge (Topic Starter)

Posted 20 October 2012 - 10:16 AM

No, but in most cases there are...some are obvious and other signs require "digging" around with investigative tools

Do you have an example where there are no signs of infection?

Some types of malware can deliberately disable your AV and its related services.

So nothing related to the exclusion zone?

You need to understand the terminology

So, malware = rootkits, viruses, trojans, etc...



#10 quietman7 (Global Moderator)

Posted 20 October 2012 - 04:46 PM

Do you have an example where there is no signs of infection?

An older example would be NAVIPROMO (EGDACCESS Dialer)...there were no signs of infection in normal mode but specialized tools run in safe mode to create logs would show certain entries trained experts can recognize. The TDSS rootkit infects a driver and specialized tools used by experts can reveal its presence. More sophisticated rootkits don't always show obvious signs.

So nothing related to the exclusion zone?

Not sure what you mean. Are you referring to security zones in Internet Explorer? If so, some infections will change those settings.

So, malware = rootkits, viruses, trojans, etc..

Malware is a general term and broad category. It often refers to unsolicited commercial software, hostile or intrusive software like rogue security programs which download themselves onto your system. Once installed, the malware performs certain behaviors and hidden activities such as advertising, collecting personal information, or changing the configuration of your computer without your knowledge or permission. Some will force pop-up ads, redirect your browser's home page or search page, or add additional components to your browser you don't need or want. Some will track your Web movements, collect demographic, personal and usage information from your computer and report back to their creators with the data. Others will offer free enhancements to your operating system or browser such as extra toolbars, special buttons, enhanced search capabilities and make it very difficult to change your settings back to the way you originally had them.

Rootkits are powerful stealth system-monitoring programs that are almost impossible to detect. Rootkits are not a malware infection in and of themselves but are used by backdoor Trojans, Botnets and IRCBots to conceal their presence in order to prevent detection of the attacker's software and make removal more difficult. Rootkits can effectively hide their presence by intercepting and modifying low-level application programming interface (API) functions and can hide the presence of processes, folders, files and registry keys.

Not all rootkits are malicious. Legitimate programs can use rootkits for legitimate reasons so their presence is not always indicative of a malware infection. It is normal for a firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx), CD emulators, sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. The SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

When used for malicious reasons, a rootkit takes active measures to obscure its presence (hide itself from view) within the host system through subversion or evasion of standard operating system security tools and APIs used for diagnosis, scanning, and monitoring. Rootkits are able to do this by modifying the behavior of an operating system's core parts through loading code into other processes, the installation or modification of drivers, or kernel modules. Rootkits hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Some algorithms used by rootkit detectors, such as BlackLight, attempt to find what the rootkit is hiding instead of detecting the presence of the rootkit's hooks. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode. Most rootkits are classified as malware, because the payloads they are bundled with are malicious.

API kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. Anti-rootkit (ARK) scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden components may be detected when performing a scan to check for the presence of rootkits and you should not be alarmed if any hidden entries created by legitimate programs are detected. In most cases further investigation is required after the initial ARK scan by someone trained in rootkit detection or with advanced knowledge of the operating system. Report logs need to be analyzed and detected components identified in order to determine if they are benign, system critical or malevolent before attempted removal. Using an ARK scanner without knowing how to tell the difference between legitimate and malicious entries can be dangerous if a critical component is incorrectly removed.

Rootkits can be especially dangerous because they compromise system integrity by making changes that allow the system to be used by the attacker for malicious purposes. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. Typically, a hacker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and other machines on the network. Rootkits can result in browser search redirects to malicious web pages, the downloading of additional malware, and the ability to receive commands from attackers. Some rootkits can disable anti-virus and security tools in order to prevent detection and even thwart attempts to terminate them.

#11 nCharge (Topic Starter)

Posted 22 October 2012 - 05:13 AM

To quietman7:
1-You talk about infections with no symptoms, that's a fact, but are AVs able to show warnings? Or will the infected user never know he's infected unless he asks experts? (as with TDSS)

2-I mean exceptions: Can malware add themselves to the AV's exceptions zone and send back to the user that there are no exceptions added, so the malware will stay undetected/not scanned?

3-So, a rootkit is just like an invisibility cloak hiding the real malicious payload; rootkits are not initially destructive?

#12 quietman7 (Global Moderator)

Posted 22 October 2012 - 08:09 AM

No single product is 100% foolproof and can prevent, detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear and it takes time for them to be reported, samples collected, analyzed, and tested by anti-virus vendors. Security vendors use different scanning engines and different detection methods such as heuristic analysis or behavioral analysis which can account for discrepancies in scanning outcomes. How often the anti-virus or anti-malware database is updated can also account for differences in threat detections. So if an anti-virus is able to detect malware it will show a warning; if not, then you would not know unless you try doing a few online scans for a second opinion.
Eset Online Anti-virus Scanner is one of the more effective ones.

I'm not aware of malware adding itself to an AV's exceptions zone since most have safeguards to prevent altering their files and settings....but anything is possible since some malware intentionally targets AVs.

As I said in a previous reply rootkits are not a malware infection in and of themselves but are used by other types of malware to conceal their presence. Most rootkits are classified as malware, because the payloads they are bundled with are malicious. The links I provided explain rootkits in much more specific detail if you want to learn more about them.
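The two things nCharge keeps asking about, whether the guard is really on and whether the exclusion list is what the product says it is, can both be audited from outside the AV's own user interface. The script below is an added example, not code from the thread or from BleepingComputer; it assumes Windows 8.1 or later with Microsoft Defender as the AV (the Defender PowerShell module and the registry keys it uses are the real ones) and an elevated prompt, while third-party products keep their settings elsewhere and only appear in the last step.

```powershell
# Added example, not code from the thread or from BleepingComputer. Assumes
# Windows 8.1 or later with Microsoft Defender as the AV (Defender PowerShell
# module) and an elevated prompt so the exclusion registry keys are readable.
# Third-party products keep their own settings; step 4 at least lists them.

# 1. Is the guard actually on? These go False when protection is disabled,
#    whether by malware or by a broken update (see quietman7's later reply),
#    so False means "look into it", not "infected".
$status = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    BehaviorMonitorEnabled    = $status.BehaviorMonitorEnabled
    SignatureAgeDays          = $status.AntivirusSignatureAge
    WinDefendService          = (Get-Service -Name WinDefend).Status
} | Format-List

# 2. Exclusions as the Defender module reports them. Anything here is never scanned.
$pref     = Get-MpPreference
$reported = New-Object 'System.Collections.Generic.List[object]'
foreach ($p in $pref.ExclusionPath)      { $reported.Add([pscustomobject]@{ Kind = 'Path';      Value = $p }) }
foreach ($p in $pref.ExclusionProcess)   { $reported.Add([pscustomobject]@{ Kind = 'Process';   Value = $p }) }
foreach ($e in $pref.ExclusionExtension) { $reported.Add([pscustomobject]@{ Kind = 'Extension'; Value = $e }) }

# 3. The same list read straight from the registry, where each exclusion is
#    stored as a value name. nCharge's worry is a product that reports "no
#    exceptions" while actually honouring some; comparing two independent
#    sources is the practical answer. Policy-managed exclusions live under
#    HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions as well.
$base   = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
$kinds  = @{ Paths = 'Path'; Processes = 'Process'; Extensions = 'Extension' }
$onDisk = New-Object 'System.Collections.Generic.List[object]'
foreach ($sub in $kinds.Keys) {
    $key = Get-Item -Path (Join-Path $base $sub) -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($valueName in $key.GetValueNames()) {
        $onDisk.Add([pscustomobject]@{ Kind = $kinds[$sub]; Value = $valueName })
    }
}

# Hashtable keys are case-insensitive in PowerShell, which suits path comparison.
$seenByModule = @{}; foreach ($x in $reported) { $seenByModule["$($x.Kind)=$($x.Value)"] = $true }
$seenOnDisk   = @{}; foreach ($x in $onDisk)   { $seenOnDisk["$($x.Kind)=$($x.Value)"]   = $true }
$mismatch = @($seenByModule.Keys | Where-Object { -not $seenOnDisk.ContainsKey($_) }) +
            @($seenOnDisk.Keys   | Where-Object { -not $seenByModule.ContainsKey($_) })

"Exclusions reported by Get-MpPreference: $($reported.Count)"
foreach ($x in $reported) { '  {0,-9} {1}' -f $x.Kind, $x.Value }
"Exclusions found in the registry:      $($onDisk.Count)"
foreach ($x in $onDisk)   { '  {0,-9} {1}' -f $x.Kind, $x.Value }
if ($mismatch.Count -gt 0) {
    'Entries present in only one source (formatting differences aside, worth a look):'
    foreach ($m in $mismatch) { "  $m" }
}

# 4. What Windows itself has registered as antivirus (covers third-party AVs).
#    productState is a vendor-encoded bitfield; a change from a previous run is the signal.
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
    Select-Object displayName, productState, timestamp |
    Format-Table -AutoSize
```

Running it once on a known-clean machine and keeping the output gives a baseline; an exclusion or a protection flag that differs from that baseline later is exactly the kind of quiet change the thread is asking how to notice.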

#13 frankp316

Posted 22 October 2012 - 10:03 AM

To quietman7:
1-You talk about infections with no symptoms, that's a fact, but are AVs able to show warnings? Or will the infected user never know he's infected unless he asks experts? (as with TDSS)

2-I mean exceptions: Can malware add themselves to the AV's exceptions zone and send back to the user that there are no exceptions added, so the malware will stay undetected/not scanned?

3-So, a rootkit is just like an invisibility cloak hiding the real malicious payload; rootkits are not initially destructive?



From personal experience, I can tell you there is malware that will get on your system and not do anything immediately. That's why most of the regulars here scan their systems regularly. I do mine weekly. On one occasion, MalwareBytes detected malware that was on my system for the better part of a week but did nothing. I didn't know it was there. So vigilance is very important. The experts here are trying to answer you the best they can. But there is no simple one size fits all answer. I'm no expert but I have been around BC long enough to know that malware is a moving target and there are no simple solutions. Accepting that is very important because trying to simplify malware protection is only going to get you into trouble. Every infection is different and displays different symptoms. And the bad guys are creating new infections daily. It's the same with protection products. They are all different and that's why a lot of us use more than one product. As a layman, I don't need to know how rootkits work. Each one is different anyway. I am content to leave the details to the experts at BC.


#14 nCharge (Topic Starter)

Posted 22 October 2012 - 12:24 PM

To quietman7:

No single product is 100% foolproof

You are definitely right. What I wanted to say is that at a given time, malware can be in the system. Then if there is no sign of infection, you will have to wait for a few updates for the AV to detect it (1). Meanwhile, between the infection and the update time, how would you know if the malware compromised your AV? According to what I see, you could know by watching whether your AV gets disabled/turns off by itself. (2)

Are points (1) and (2) correct?

Plus:
(1): Does this happen every time? If you get infected by a new variant, you have to pray for the malware not to destroy your computer and wait for the next update to have the malware detected and eradicated?

(2): According to what I see elsewhere, you can know whether your AV is compromised this way: If your AV is disabled/turns off without you doing anything, it is compromised (I mean this is a sign that most people will notice without being an expert); if not, it is not.

#15 quietman7 (Global Moderator)

Posted 22 October 2012 - 01:06 PM

Anti-virus updates may or may not detect new malware...it really depends on the vendor and what they include in the update package. In some cases the detection may be immediate depending on the scanning engine the vendor uses. Heuristic analysis is the ability of an anti-virus program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop it before doing any harm to your system. Heuristic scanning methods vary depending on the vendor. Some claim to allow emulation of the file's activities in a virtual sandbox. Others scan the file more intensively, searching line by line inspecting the code in a file to see if it contains virus-like characteristics. If the number of these characteristics/instructions exceeds a pre-defined threshold, the file is flagged as a possible virus.

If your anti-virus is suddenly disabled, then that can be a sign of a possible infection. However, anti-viruses are programs subject to glitches and sometimes a bug in an update can cause it not to function properly.