  • Locked thread
MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

LordSaturn posted:

For those of us playing along at home - are you saying that the often-cited "signature" method of detecting viruses and malware is just an md5 hash of the files? That sounds distressingly inadequate.

Signature-based virus detection is woefully inadequate and has been since like 2000 (I made the date up). It can NOT keep up with emerging threats or malware/virus creators that constantly change their code. It basically searches for the same string within the code that is seemingly unique to that virus/malware instance/family and flags it based on that, but if the creator figures out what that signature is, or just happens to change it out of luck, then the new version will not be detected.

This is a broad generalization based on my understanding (which admittedly could be incorrect).


spankmeister
Jun 15, 2008
It became obsolete when the Internet happened.

Pile Of Garbage
May 28, 2007
MF_James posted:

Signature-based virus detection is woefully inadequate and has been since like 2000 (I made the date up). It can NOT keep up with emerging threats or malware/virus creators that constantly change their code. It basically searches for the same string within the code that is seemingly unique to that virus/malware instance/family and flags it based on that, but if the creator figures out what that signature is, or just happens to change it out of luck, then the new version will not be detected.

This is a broad generalization based on my understanding (which admittedly could be incorrect).

The signature based detection mechanisms utilised by closed-source AV software are entirely proprietary and no vendor will divulge the specifics of their detection mechanisms. Of course this is somewhat moot in responding to LordSaturn's comment as the point is entirely missed.

Pile Of Garbage
May 28, 2007
Dodoman posted:

Mods, please put this thread out of its misery.

Quoting fake Fishmech for posterity.

Dessert Rose
May 17, 2004

awoken in control of a lucid deep dream...

Khablam posted:

None of that changes one's SOP though. For, if nothing you throw at the machine reveals a problem, how are you determining there is one? Why are you even looking for the problem to begin with?

These are the logical questions I posed several pages ago and you haven't come up with an answer. Like, just give me a scenario where you're using the posted SOP (let's say you're forced at gunpoint to get around your autism) in combination with an offline scan and concluding there is a problem that needs a format, which none of those tools are hinting at in any way. Why are you scanning the machine? Why are you ... doing anything?

You seem very distressed about not getting an answer to this question so I guess I'll try to help you out a little bit.

Let's say you got an obvious malware package of some kind. It got there through some vulnerability or other, maybe you forgot to update Flash in the last 8 hours. The less sophisticated malware goes ahead and makes itself known, loudly trumpets its presence by throwing up porn popups or what have you.

You clean it using your magical 200 tools (god only knows why you think this takes less time/effort than just reinstalling and restoring from backups, but we've gone in circles a few hundred times with that already). It looks "clean" to you now: your tools did not detect anything but the malware that was very good at loudly trumpeting its presence anyway; now they don't detect anything and you don't see any porn popups.

You release the computer to the customer with a clean bill of health.

However...

Unbeknownst to you, another, much more stealthy, piece of malware also used the same attack vector at around the same time. This one is new enough not to be caught by your heuristic/signature scanners, or it's sophisticated enough to evade these things, or both. This one does not loudly trumpet its presence, because its goal is not to make money for its creator by blasting porn popups all over the screen or trying to sell fake antivirus (but I repeat myself) - it's trying to use the machine to join a botnet and collect passwords. To this end, it does things like hide its network connections, it keylogs, it installs its own root cert (or defeats certificate verification in another way) and MITMs financial websites, it slurps up your emails, and so on.

Now your machine is being used to DDOS whatever thing the SEA doesn't like this week and oh yeah, all your credit cards have been sold on the black market, your bank account just got drained, and if you're a lawyer maybe some of that confidential information in your email just got leaked. Or if you're a software developer maybe the source code to your company's crown jewels is up on The Pirate Bay. Enjoy the years of your life you'll spend dealing with the identity theft and trying to recover your funds, to say nothing of the damage to your professional reputation.

If you had just flattened, reinstalled, and restored from backup, none of this would have happened (or at least, it would have been much less likely) - you had an opportunity to catch this because someone less stealthy used the same attack vector and alerted you to it, but you just removed the obvious infection and left it at that.

Is that enough of an answer for you?

LordSaturn
Aug 12, 2007

sadly unfunny

OSI bean dip posted:

Are you suggesting that I send the files straight to VirusTotal every time? Because I could do that and then wait six years for it to scan through 1 TB of files.

All this script does is send off a hash to VirusTotal to check through its history. If you upload a file to them and it has previously been seen, it'll inform you that it has seen the file before using the very same method but will then rescan the file if you request. It doesn't really do anything beyond that other than saying "yes" or "no" to whether or not it has been seen before. It's not a definitive answer because the signatures can apply to multiple different hash results.

Also sending files to VirusTotal is dumb in a lot of ways for a number of reasons, but mainly this: the files get sent to a number of organisations (including the well-respected Italian company, Hacking Team) in which they'll analyse it as they desire. If you're okay with sharing proprietary files from your organisation, then send them straight to VirusTotal. It can however lead to some hilarious results as some of us can attest.

No, sorry, I'm just following the discussion and I thought for a second that all signature-based detection was based on md5 hashes which seemed kind of :psyduck: like how could anyone ever trust that to work, that would be the easiest thing in the world to pad your way out of.

I don't actually know anything about this subject and the discussion is very interesting to me.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

MF_James posted:

Signature-based virus detection is woefully inadequate and has been since like 2000 (I made the date up). It can NOT keep up with emerging threats or malware/virus creators that constantly change their code. It basically searches for the same string within the code that is seemingly unique to that virus/malware instance/family and flags it based on that, but if the creator figures out what that signature is, or just happens to change it out of luck, then the new version will not be detected.

This is a broad generalization based on my understanding (which admittedly could be incorrect).

cheese-cube posted:

The signature based detection mechanisms utilised by closed-source AV software are entirely proprietary and no vendor will divulge the specifics of their detection mechanisms. Of course this is somewhat moot in responding to LordSaturn's comment as the point is entirely missed.

Traditionally, anti-virus works through a few ways:
  • Signatures - this is really the most common way that AV vendors rely on and really all it is is a list of items that indicate that whatever it is reading is good or bad. AV vendors have signatures for files they don't want to touch and files they do.
  • Behavioural - anything that does a number of steps in a specific order (or a single step) is monitored
  • Heuristics - don't really work but the idea is to figure out a pattern and work based on that
  • Sandbox - run the code within a virtual machine and determine if the outcome is good or not
  • Remotely - you'll see vendors claim they have a "cloud solution" when really it's not much different from that Python script I shared
The big problem with signature-detection is scale: back when the only attack vectors were floppies and BBSes, it was really a non-issue to just wait every six to twelve months to visit Computer City or CompUSA for a new-fangled edition of McAfee, which at the time was still under the nose of John McAfee, except now his nose is above cocaine. The Internet was not really a major concern in the mid-90s because while there were things like worms going about, it was still relatively new and we were still in the age of joke viruses--ransomware is fairly old just for the record.

Once broadband became a thing and the new millennium dawned, malware started to change. Spam was really the big driving-force behind malware for a long time and to a certain extent still is, but it never became a huge issue in the malware sense until we started to see e-mail RBLs becoming popular--RBLs have been around since the mid-late 90s but became much more popular as everyone else started to get online. As a result of RBLs becoming popular, we started to see a shift in getting access to botnets for the purposes of sending e-mail spam as opposed to sharing files--much of the botnet activity I used to see back in the early-00s were really for people to share warez and porn.

Because of this shift in how botnets were being used, malware was becoming a bigger problem for the AV vendors to manage so then began an arms race between the writers and the defenders. It helps to understand the basic logic of how a signature works (and it should be mentioned that heuristics really fall into the signature category here so I won't elaborate much on them).

It's sort of hard to write into words (and I know that certain people are going to nitpick on what is written here because they want to be "right") but it sort of works like this:
  • What is the filename being used here? - Some malware (usually older) have filenames that are just consistent or have a predictable pattern. This is of course not reliable but if we're to look at this from a flow-chart then it allows for the next set of rules to go forward. The path of where the file resides is important too.
  • What's the file size? This may seem really dumb but both the filename and file size checks are super-important from a performance perspective because all we're doing is requesting details from the OS for the metadata.
  • What is the file type? This is done one of two ways usually: checking the extension and then checking for the magic pattern. There is a limited set of file extensions that AV engines by default will want to check--typically we're talking executables, libraries, drivers, et cetera. However, sometimes that isn't enough and what you can do instead is determine the file type by looking through the first few bytes or so and going based on that--Windows executables always start with "MZ" in their first two bytes and PDFs will start with "%PDF" for example. This is also the first time the AV engine will touch the file.
  • Should it be an acceptable file type, what are the first few things it does right off of the bat? This is useful in the case of an executable because a number of junk programs will do things like constantly call the OS' API to do a bunch of things but then do nothing afterward. This can be checked through reading the first handful of software instructions but it is also checked within the sandbox as well.
  • Is this file encoded in a specific way? Malware tends to get packed, meaning that if you were to run the code through a debugger, you won't get the entire picture until you unpack it. There's a couple of ways to get around this: namely either running it in a sandbox then dumping what it loaded into memory or just outright detecting based on the packer itself--there are legitimate executable packers out there and there are known stolen copies which do happen to leave a signature on files. You can unpack the files as well but only if you are able to determine what the packer-type is to begin with. It's pretty easy to do this with Python if you're curious.
  • What patterns does it match? What strings does it have? If there are known strings then it can start to apply whatever rules to those. Sometimes it needs a specific pattern such as it's calling on a socket to connect to an IP address to determine its location but then it goes and reads the SAM file to see what users are on there immediately afterward--things like that.
I should disclaim that the above list is a really, really simplified look at an AV engine as I cannot divulge too much further without putting myself at potential legal risk here (I'll leave this part to your guys' imagination), but what it does describe is that there are so many things signature-based AV engines have to look at in order to come to a conclusion whether or not a file is safe--keep in mind, signatures can be used to whitelist in addition to blacklisting. The problem with the signature system is really straightforward: it is really easy to determine how to get around it once you're aware that one exists. I may elaborate on these points or your questions if you want, but I may hold back too just because of what I said earlier here.

The thing is that the malware writers can use whatever they have at their disposal to pump out thousands of unique copies of their software that evade the signatures that have been created already. The idea behind heuristics is to come up with a pattern that potentially predicts this, but the packers already take that into account and can render any discovered pattern useless within a very short period of time. To combat that, AV vendors have agreements amongst many of themselves to share the data they already have, so Symantec may end up with McAfee's, Trend Micro's, Sophos', or Microsoft's data and vice-versa. VirusTotal for example is not popular with malware authors because VT themselves share the data with vendors who request access--at a fee of course, which is in the order of a few thousand per month. They themselves have online testing tools that take popular AV engines and run the malware against them and spit out results. It's really an arms race that in my opinion the AV industry lost a decade ago, so the idea that you should go shopping around for different AV vendors is stupid.

The solution for AV vendors to keep the signature race going is to throw more people at it. It doesn't mean success but more bodies in seats in their labs does usually lead to better results. However, that becomes expensive so you have to make business decisions around that. I won't go much further into this but you'll probably get the idea.

AV vendors will come out and say that their cloud detection works but really all it is is a pre-warning for or from them. They'll get a hash sum from a client machine, run it against their DB, and if it has already been seen in it, they'll report back with details. The dirty little secret is that if your AV engine is already signature-based, you're going to have details about that hash sum anyway in the next update, so all you're doing is pre-emptively checking against their set of signatures and hoping that they have seen it before you have managed to update.

Suspicious behaviour is a bit of a different beast altogether and probably the worst of the bunch. It relies on a list of patterns within a pre-configured file in order to determine if the action taken by an application is legitimate or not. Here's a kicker: go and make a change to your Windows Firewall with it enabled; it might actually set it off. It works fine if you're running it on a single machine, but try and enable it corporate-wide across thousands of machines then deploy a change later via GPO that requires a task to be performed that the behaviour monitoring picks up on--your help desk will absolutely love you. AV vendors keep this sort of thing close to their chest on what they're actually looking for but I wouldn't be shocked if a list of what they look out for is floating about.

Sandboxing is useful to me because I can run the malware within a controlled environment to determine what the ramifications are, but there are solutions that will run malware at the perimeter and will react after the fact if it does something that is discovered to be malicious. You just have to hope that the box doesn't get compromised because of a vulnerability.

So the reason why I have been giving mindphlux and Khablam poo poo for their opinions is because they both don't understand malware, how it's remediated, and why a set of tools rambled off will do squat. They're quick to suggest software based on something they read elsewhere in this thread or on some other website, but they're then just as quick to defend their decisions when they're called out on their inability to explain them. Malware authors spend a lot of loving time going over how the whitehats are going after them and there is a lot of money to be made by them to keep it that way. You cannot assume that a list of software will fix the problem; the only way to go about this is to assess how bad you think the risk is if you continue to use the machine post-infection. I consider it negligent to go about in this thread suggesting fixes without having any knowledge of what led up to someone getting infected before.

I do recommend for those of you who are curious about the mindset of these guys that you contribute to Brian Krebs' forehead-reduction surgery by reading his book, Spam Nation. It's not a bad read as he does go into some detail about how malware, spam, and security in general became the way it is. I've had a few of you ask me questions via PM already and I am always happy to answer them as long as they're constructive and I feel comfortable to give an answer.

I would hope that the aforementioned two shut up.

Lain Iwakura fucked around with this message at 21:10 on Oct 29, 2015
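The staged flow Lain Iwakura lays out above (cheap metadata checks first, then magic bytes, then a hash lookup standing in for the "cloud" DB check, then packer and string rules, with hashes used to whitelist as well as blacklist) as an added Python example. This is editor-constructed illustration code, not the poster's script, not the Python hash checker mentioned earlier in the thread, and not any vendor's engine. The filename pattern, size limit, entropy threshold, the "connect out then read SAM" rule, the allow/block hash sets and every sample file are constructed assumptions; 203.0.113.5 is a documentation address. It also shows the point raised earlier about hash-only matching: padding a file changes its hash but leaves the string signature intact.

```python
"""Toy staged signature engine (constructed example; not a real AV engine)."""
import hashlib
import math
import os
import re
from dataclasses import dataclass

# Stage 1-3: metadata-only gates. Nothing below reads file contents.
SUSPICIOUS_NAMES = re.compile(r"^svch0st\d*\.exe$", re.IGNORECASE)  # constructed pattern
MAX_SIZE = 50 * 1024 * 1024          # assumption: oversized files are skipped for performance
EXT_KIND = {".exe": "pe", ".dll": "pe", ".sys": "pe", ".pdf": "pdf"}

# Stage 4: first bytes must agree with the extension (first time the file is opened).
MAGIC = {b"MZ": "pe", b"%PDF": "pdf"}

# Stage 6/7 thresholds and rules (assumptions for the example).
PACKED_ENTROPY = 7.2                 # high-entropy body hints at a packer/encryption layer
CONNECT_RE = re.compile(rb"connect\(\d{1,3}(?:\.\d{1,3}){3}\)")
SAM_RE = re.compile(rb"\\config\\SAM\b")


@dataclass
class Verdict:
    name: str
    stage: str      # which stage produced the verdict
    result: str     # clean / malicious / suspicious / skipped
    detail: str


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan(name: str, data: bytes, allow_hashes: set, block_hashes: set) -> Verdict:
    if SUSPICIOUS_NAMES.match(os.path.basename(name)):
        return Verdict(name, "filename", "malicious", "known bad filename pattern")
    if len(data) > MAX_SIZE:
        return Verdict(name, "size", "skipped", "over size limit")
    ext = os.path.splitext(name)[1].lower()
    if ext not in EXT_KIND:
        return Verdict(name, "extension", "skipped", "extension not in scan list")
    kind = next((k for magic, k in MAGIC.items() if data.startswith(magic)), None)
    if kind != EXT_KIND[ext]:
        return Verdict(name, "magic", "suspicious", "first bytes do not match extension")
    # Stage 5: exact hash lookup; a remote "cloud" check does the same against the vendor DB.
    digest = sha256(data)
    if digest in allow_hashes:
        return Verdict(name, "hash", "clean", "allowlisted hash")
    if digest in block_hashes:
        return Verdict(name, "hash", "malicious", "blocklisted hash")
    body = data[2:] if kind == "pe" else data
    if entropy(body) > PACKED_ENTROPY:
        return Verdict(name, "packer", "suspicious", "high-entropy body, likely packed")
    # Ordered pattern: outbound connect followed by a read of the SAM hive.
    c, s = CONNECT_RE.search(data), SAM_RE.search(data)
    if c and s and c.end() <= s.start():
        return Verdict(name, "pattern", "malicious", "connects out, then reads SAM")
    return Verdict(name, "pattern", "clean", "no signature matched")


# Constructed sample "files" (byte strings, no real binaries involved).
GOOD_EXE = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\nhello"
BAD_EXE = b"MZ" + b"\x00" * 62 + b"connect(203.0.113.5) C:\\Windows\\System32\\config\\SAM"
PADDED_BAD_EXE = BAD_EXE + b"\x00" * 16      # different hash, same strings
PACKED_EXE = b"MZ" + bytes(range(256)) * 8   # body entropy is exactly 8.0
ALLOW = {sha256(GOOD_EXE)}
BLOCK = {sha256(BAD_EXE)}
SAMPLES = {
    "good.exe": GOOD_EXE,
    "bad.exe": BAD_EXE,
    "bad_padded.exe": PADDED_BAD_EXE,
    "packed.exe": PACKED_EXE,
    "notes.txt": b"just text",
    "report.pdf": GOOD_EXE,          # PE bytes under a .pdf extension
    "svch0st32.exe": GOOD_EXE,       # clean content, suspicious name
}


def scan_all() -> dict:
    return {n: scan(n, d, ALLOW, BLOCK) for n, d in SAMPLES.items()}


if __name__ == "__main__":
    for v in scan_all().values():
        print(f"{v.name:16} {v.stage:10} {v.result:10} {v.detail}")
```

The interesting rows are bad.exe and bad_padded.exe: the first is caught by its hash at stage 5, the padded copy sails past the hash lookup and is only caught by the string rule, which is exactly why a hash-only "signature" (the md5 idea raised earlier in the thread) is trivial to evade while pattern rules last somewhat longer. svch0st32.exe shows the flip side: a cheap filename rule fires on clean content, which is the unreliability the post warns about.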

a cyberpunk goose
May 21, 2007

OSI bean dip posted:

Sandboxing is useful to me because I can run the malware within a controlled environment to determine what the ramifications are, but there are solutions that will run malware at the perimeter and will react after the fact if it does something that is discovered to be malicious. You just have to hope that the box doesn't get compromised because of a vulnerability.

can you comment on malicious code that stays benign when it notices it's in a sandbox? detecting sandboxing seems like it's really easy, or at least noticing you're in a virtualbox vm

spankmeister
Jun 15, 2008

That's becoming more and more of a problem which is why bare metal analysis is becoming more and more popular.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Mido posted:

can you comment on malicious code that stays benign when it notices it's in a sandbox? detecting sandboxing seems like it's really easy, or at least noticing you're in a virtualbox vm

Yup. They exist but sometimes it's not easy to detect whether or not you're in a sandbox. Typically what malware authors will do when they're aware of a sandbox is make the code do absolutely gently caress all and then the sandboxing software times out. How they check for it is through a number of factors but usually it's something like the hardware configuration or the OS environment itself.

This is a good read if you're curious:
http://www.drchaos.com/malware-sandbox-and-breach-detection-evasion-techniques/

How do the AV vendors fix this? Well the only way is to know how they themselves are getting caught and then adjusting things to avoid that. If you are running your own sandbox environment, don't install VMware tools for example.

spankmeister posted:

That's becoming more and more of a problem which is why bare metal analysis is becoming more and more popular.

Pretty much. This is a non-option if you're running a FireEye though.

spankmeister
Jun 15, 2008

I've seen samples do things like checking browser history, machine creation date, installed and uninstalled software, recently opened files etc. Not even mentioning the vm detection techniques.

a cyberpunk goose
May 21, 2007
hahaha jesus christ:

code:
// wait out the AV vm
sleep( TEN_MINUTES );
win32CompromiseSystem( *attack_vector );
done. dusts hands

Khablam
Mar 29, 2012

OSI bean dip posted:

So the reason why I have been giving mindphlux and Khablam poo poo for their opinions is because they both don't understand malware, how it's remediated, and why a set of tools rambled off will do squat. They're quick to suggest software based on something they read elsewhere in this thread or on some other website, but they're then just as quick to defend their decisions when they're called out on their inability to explain them. Malware authors spend a lot of loving time going over how the whitehats are going after them and there is a lot of money to be made by them to keep it that way. You cannot assume that a list of software will fix the problem; the only way to go about this is to assess how bad you think the risk is if you continue to use the machine post-infection. I consider it negligent to go about in this thread suggesting fixes without having any knowledge of what led up to someone getting infected before.

The thing you simply can't grasp / won't admit to having done so, is that I'm fully aware there are limitations to scanning for malware. You seem to then blithely assume this makes anything signature based completely useless, whereas this largely isn't the case because AV companies compensate somewhat by pushing definitions hourly or more. Your rants ITT are basically "I worked at restaurant X so I know not to eat there" projected upon computers.
It's akin to having a ship with a hole in it. You're saying "this ship is hosed, it can't do anything" and the guys invested in the ship have instead taken to bailing water to keep it afloat. It's not ideal but it's serving a purpose if you have its limitations in mind. For instance, you wouldn't trust an AV to remove an established infection if you have any reason to suspect it's hooked into your system in any way. But that malware being served on a banner ad? There's a very large chance that's going to get stopped by an up-to-date AV as its "in the wild" footprint is just too large to not get scooped up and shared around in short order. Granted I sandbox my browser anyway, but we're looking at the 99.99% of people who don't.
You talk about the weaknesses of cloud based approaches but not their strengths; one client AV flagging something as suspicious leads to a definition to all clients in a short period of time. For genuinely new malware this isn't very quick for the reasons you mention, but for a "changed enough to not flag the signature" variant? Those are pushed out very quickly.

This is just an ideological difference, I assume, and we won't ever agree, but it doesn't matter because you haven't answered the logical questions.
If you have nothing flagged to you as wrong, how are you concluding there is a problem to be dealing with?

The overwhelming majority of any cases brought to "IT support" are because something is wrong. Though there are companies that start each day with end-user machines starting from a clean image (or another variant of a dumb terminal) these are in the severe minority and largely you're looking at established machines. This also includes most home users.
If Dave nomastersinmalware Jones turns on his work computer and it works perfectly, with no warning or issues, why is he calling anyone for help? If IT runs a scheduled AV scan and it finds nothing every evening, why are they investigating the machine?

I keep bashing this point because you will fix based on what you can determine is wrong, and this always has an origin point. The tools listed will very likely clue anyone half competent in to what is wrong. Or, in the other scenario, they don't. If you have a machine that is given to you because it's doing something fishy (network traffic / slowness / any non-standard behaviour) and a cause can't be found then you have to accept the fact there's very likely to be something you can't detect going on, in which case you're going to default to flatten/install.

The problem with "but anything can be wrong Khablam you just don't know" thinking is that anything can be wrong right now. Why aren't you formatting your machine right now, reader? There could be malware stealing your poo poo. If you want to harp on about how any detection is meaningless, why aren't you prescribing ways in which people can use a known-good environment for anything involving CC details, personal details or (draw the line based on your country's laws)? If we literally believe the stuff you're talking about is a valid threat we should all be considering daily, isn't your remediation of flatten/install useless anyway? If you think that sounds insane, isn't your whole shtick here rather incongruous?

You seem to be desperately reaching for some sort of "gotcha" where you can point that you know something more than me (and anyone else reading) and not in any way suggesting anything useful.

tl;dr - I'm going to shorten this whole discussion into a shorter point:
No one is saying the posted tools are a remediation technique to any problem possible, but a good way to determine what is wrong. If they can't determine what is wrong this is a problem unto itself you need to deal with.
Your problem is that your POV includes any and all machines where you don't suspect anything is wrong, and any and all tools tell you there is nothing wrong.
This "prove Jesus isn't real" / "prove it's clean" concept has severe issues.

Anyway you can take your angry energy and go after this guy, who is the person you seem to think mindphlux and I are.
https://imgur.com/gallery/kTbBpRT

Khablam fucked around with this message at 00:12 on Oct 30, 2015

a cyberpunk goose
May 21, 2007

Khablam posted:

You seem to be desperately reaching for some sort of "gotcha" where you can point that you know something more than me (and anyone else reading) and not in any way suggesting anything useful.

all your posts along this topic reek of ... insecurity, shall we say.

please go take a walk. nobody cares, nobody respects you at this point. OSI is posting not to attack you, but rather to make sure someone reading this thread doesn't take someone like you or your misinformation seriously

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Mido posted:

OSI is posting not to attack you

Well...

a cyberpunk goose
May 21, 2007
i've read it as OSI & co attacking the lovely mindset of computer janitors who think that you can solve computer security issues with extremely high doses of homeopathic software. OSI's last post was totally reasonable and khablam's childish attempt at a repartee is both pathetic and uninteresting to anyone but themselves. but now i too am making GBS threads up the place so :tipshat:

Sharktopus
Aug 9, 2006

have you guys noticed my super cool sig?

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Sharktopus posted:

have you guys noticed my super cool sig?

Your signature is awesome.

Sharktopus
Aug 9, 2006

it's like slowloris for your browser

Col.Kiwi
Dec 28, 2004
And the grave digger puts on the forceps...

Mido posted:

all your posts along this topic reek of ... insecurity, shall we say.

please go take a walk. nobody cares, nobody respects you at this point. OSI is posting not to attack you, but rather to make sure someone reading this thread doesn't take someone like you or your misinformation seriously

Just popping out of the woodwork to 100% agree with this guy, especially on how we should really move on at this point

Dessert Rose
May 17, 2004

awoken in control of a lucid deep dream...

So you didn't bother to read my post at all. Did you spend, like, all day on that one? Because you mentioned "you didn't answer my logical questions" (which aren't all that logical, really) in there and, well, I did, so ...

To summarize: it's likely that the same infection vector will be used by both an undetectable malware package and a detectable one, so if you actually find one, your chances that you have more that you aren't finding go way up.

In that case, you should just reformat. That way you're basically guaranteed to get them all!

This differs from "well I could be owned right now and not know anything" in terms of, well, the risk factor.

Your equating the two is super disingenuous. Well, either that or you actually don't understand the difference, I suppose.

BogDew
Jun 14, 2006

E:\FILES>quickfli clown.fli

Ahhh memories, I used to get monthly Sophos virus definition CDs back in the days when 56k ruled. They commonly became coasters.

Back then taking your computer away to get "fixed" for viruses meant some support bloke simply ran Sophos offline and calling it a day once it turned up clean.
You got back a machine that was now somewhat worse, as all Sophos did was strip out any malicious code hiding in various .exe headers or flat out delete various files Windows needed to use. Stuff would still remain in many dark corners or on other user profiles.

Gives you an idea how ineffective most scanners are - even if they do update hourly, they most likely just have found a few new variants of known signatures.

Leap 15 years ahead and you're in an age where Fortune 500 companies have to keep so far ahead of the game as people will simply leave a USB labeled "accounts" in the carpark waiting for a curious worker to pick it up and then try it at work or failing that give it a go at home.

OSI is on the ball when it comes to the cold war between viruses and a desktop scanner - they might sound all clever with fancy features and real-time detection, but it's been a long time since "FIRE EVERYTHING" did anything but keep a system floating long enough to evacuate data. And that's if you're lucky.

Sharktopus
Aug 9, 2006

all I want to know is how Khablam thinks malware signatures get added to antivirus software in the first place

Dessert Rose
May 17, 2004

awoken in control of a lucid deep dream...

Hey I have a question.

Did you read the OP of this very thread you're posting in?

The one which defines what this thread is about? I.e. Viruses which do interesting and devious things?

Like evade detection?

I'm just curious. Please answer my logical questions. Thanks.

co199
Oct 28, 2009

I AM A LOUSY FUCKING COMPUTER JANITOR WHO DOES NOT KNOW ANYTHING ABOUT CYBER COMPUTER HACKER SHIT.

PLEASE DO NOT LISTEN TO MY FUCKING AWFUL OPINIONS AS I HAVE NO FUCKING IDEA WHAT I AM TALKING ABOUT.
The thing with AV and all of the tools mentioned is that by their very nature, they are reactive. Today your standard user (and by a larger measure corporations) have to be proactive against malware / other attacks. Non-IE based browser with adblock (within the scope of environment requirements), limited Java and Flash installs, GPO policies preventing executables from running out of %APPDATA%, limited user accounts, etc, etc. Even this won't prevent Joe Randomuser in accounting from plugging in the USB drive he found in the parking lot, but with the goal being prevention rather than reaction, it will be possible for IT / IS to get a grasp on his machine before it can allow an attacker to pivot into the core network and steal all the data.

Ultimately it's a losing battle and it's a matter of when, not if. The best thing companies can do is be prepared. I worked in a screwdriver shop and for run-of-the-mill stuff the tools mentioned in this thread serve a purpose, but there's never a 100% guarantee without completely rebuilding the drive and reinstalling the OS.

As a consultant I often do full write-ups on malware with remediation steps and the like, but at the end of the day our recommendation to customers if they're going to put an infected box (and god forbid a compromised server) back into rotation is to restore from a verified gold image.
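An added triage helper for the "get a grasp on his machine" step above (example code, not anything posted in this thread): it lists executables living in the user-writable profile folders that the %APPDATA% GPO rule is meant to cover, with their Authenticode status and SHA-256, and dumps the per-user Run keys. The folder and registry paths are the standard Windows ones; nothing is taken from a specific incident.

```powershell
# Added example, not code from any poster in this thread.
# Enumerate executables in user-writable profile locations (the places a
# "no executables from %APPDATA%" policy targets), record signature state
# and hash, then list per-user autostart entries. Read-only: nothing is
# deleted or quarantined here; the output is input to the remove-vs-reimage
# decision the thread is arguing about.

$roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)

$hits = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [PSCustomObject]@{
                Path      = $_.FullName
                Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Modified  = $_.LastWriteTime
            }
        }
}

# Unsigned or tampered binaries in profile folders are the first thing to look at.
# A valid signature from a known vendor lowers priority; it is not proof of safety.
$hits | Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Modified -Descending |
    Format-Table Modified, Signature, Path -AutoSize

# Per-user autostart entries: anything pointing back into AppData or Temp
# deserves a closer look, and an entry whose target no longer exists is a
# sign something was partially cleaned up rather than fully removed.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    }
}
```

Run it from a normal (non-elevated) session as the affected user, since HKCU and the profile folders are per-user; the hashes are what you would cross-check against vendor reports before deciding whether the sample is a known standalone nuisance or the visible end of a dropper chain.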

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

co199 posted:

The thing with AV and all of the tools mentioned is that by their very nature, they are reactive. Today your standard user (and by a larger measure corporations) have to be proactive against malware / other attacks. Non-IE based browser with adblock (within the scope of environment requirements), limited Java and Flash installs, GPO policies preventing executables from running out of %APPDATA%, limited user accounts, etc, etc. Even this won't prevent Joe Randomuser in accounting from plugging in the USB drive he found in the parking lot, but with the goal being prevention rather than reaction, it will be possible for IT / IS to get a grasp on his machine before it can allow an attacker to pivot into the core network and steal all the data.

Ultimately it's a losing battle and it's a matter of when, not if. The best thing companies can do is be prepared. I worked in a screwdriver shop and for run-of-the-mill stuff the tools mentioned in this thread serve a purpose, but there's never a 100% guarantee without completely rebuilding the drive and reinstalling the OS.

As a consultant I often do full write-ups on malware with remediation steps and the like, but at the end of the day our recommendation to customers if they're going to put an infected box (and god forbid a compromised server) back into rotation is to restore from a verified gold image.

One thing I don't miss about being an infosec consultant (other than having to fly somewhere on a moment's notice) is how you'll spend half of the allocated hours writing a report and then have it outright ignored.

co199
Oct 28, 2009

I AM A LOUSY FUCKING COMPUTER JANITOR WHO DOES NOT KNOW ANYTHING ABOUT CYBER COMPUTER HACKER SHIT.

PLEASE DO NOT LISTEN TO MY FUCKING AWFUL OPINIONS AS I HAVE NO FUCKING IDEA WHAT I AM TALKING ABOUT.

OSI bean dip posted:

One thing I don't miss about being an infosec consultant (other than having to fly somewhere on a moment's notice) is how you'll spend half of the allocated hours writing a report and then have it outright ignored.

Yup.

Had a client get hit with Cryptowall 2, flew out, did the imaging and post-mortem, wrote a whole report with site-specific recommendations for prevention. Due to internal battles (IS/Risk vs IT pissing match) none of it ever got implemented.

They came back three months later with the same goddamn thing. It was too bad I really couldn't send them the same report with a giant 72pt font header that said I TOLD YOU SO.

Dessert Rose
May 17, 2004

awoken in control of a lucid deep dream...

co199 posted:

(IS/Risk vs IT pissing match)

huh. What a complete shock.

Khablam
Mar 29, 2012

Dessert Rose posted:

So you didn't bother to read my post at all. Did you spend, like, all day on that one? Because you mentioned "you didn't answer my logical questions" (which aren't all that logical, really) in there and, well, I did, so ...

To summarize: it's likely that the same infection vector will be used by both an undetectable malware package and a detectable one, so if you actually find one, your chances that you have more that you aren't finding go way up.

In that case, you should just reformat. That way you're basically guaranteed to get them all!

This differs from "well I could be owned right now and not know anything" in terms of, well, the risk factor.

Your equating the two is super disingenuous. Well, either that or you actually don't understand the difference, I suppose.

I mean there are two scenarios really
1) You can determine what happened
2) You can't.

If you have a means of determining where the malware came from and its exact type, then you can treat the malware in isolation from anything else. e.g. those lovely FBI warning fullscreen covers that were popular a few years ago. If someone says "I tried to open this email and then the FBI came for me" and you know from having seen this 30 times before that you can just delete the exe and the startup entry, then that's your logical fix. Being confident in doing something like that comes from researching the malware and looking at what it does. If various whitepapers and bulletins tell you it does that and nothing else, and nothing you do reveals another problem, then you can be sure the system is clean (or at least, this particular malware isn't leading to the problem).

If you have hints of a sophisticated malware attack, or you have some sort of dropper on your hands, or you reasonably suspect what you can see is a payload, not the vector, then you react differently. Again, never said any of the tools were the fix.

My "questions" weren't trick questions, they were genuine queries. Where are you going to draw the line? Do you even have control over that decision or is it someone else's cost/risk assessment? In a vacuum, would you recommend flattening the drive with *any* malware?

For what it's worth I quit working anywhere near that environment in my 20s because the insanity of trying to deal with the same problems week in, week out, with the same clients because you don't have any kind of policy control, is maddening.
Half the problem with recommending flattening systems in those environments is pretty much this roleplay:

a- So we found the problem, and we're going to format your machine and bring over your server backup. It'll be 2hrs
b- But what was wrong
a- [explain problem]
b- but can't you remove it
a- yes..
b- then why don't you
a- there's a chance it could be caused by something we can't see
b- but doesn't it cost us more if you spend 2hrs doing that?
a- yes
b- then aren't you just saying there's something wrong to get more money? my system just said there was one suspicious file and...
a- kills self

The chief problem with recommending it as a primary control to home users is they just won't do it if they weren't already inclined, so you're left with the net advice of nothing. So instead of telling them how to remove the browser extension that injects ads, people get told "could be anything, better reformat" and instead they just ignore it, or do some form of fix that doesn't solve the issue. Ironically enough, trying to get people to do the right thing is largely more "dangerous" than not.

The problem is that Beandip is right, it's just that getting people to follow correct advice when there's a way of being almost-certain you're fine with 1/50th the effort is a hard sell. It was almost impossible to sell firewalls pre-sasser, and still hugely painful to get people into the habit of regular backups before the encrypting viruses started freaking people out.

Khablam fucked around with this message at 00:14 on Oct 31, 2015

co199
Oct 28, 2009

I AM A LOUSY FUCKING COMPUTER JANITOR WHO DOES NOT KNOW ANYTHING ABOUT CYBER COMPUTER HACKER SHIT.

PLEASE DO NOT LISTEN TO MY FUCKING AWFUL OPINIONS AS I HAVE NO FUCKING IDEA WHAT I AM TALKING ABOUT.

Khablam posted:

The problem is that Beandip is right, it's just that getting people to follow correct advice when there's a way of being almost-certain you're fine with 1/50th the effort is a hard sell. It was almost impossible to sell firewalls pre-sasser, and still hugely painful to get people into the habit of regular backups before the encrypting viruses started freaking people out.

You're right here, but the trick is to let them know that it's going to cost them more money in the long run if they don't deal with the root of the problem. Some of this has been a circular argument but in the modern security industry people are slowly starting to realize that they are super hosed if they don't take a proactive stance against malware. Proactive stances include changing the mindset of dealing with malware - it's no longer a tool-based fix. I've used an argument that AV is no longer the first line of defense, it's the last line of defense. If your AV solution is detecting something, chances are it's the tip of the iceberg in how hosed your environment is. Using Cryptowall as an example, AV tools very rarely detect new variants of Cryptowall until the binary is in the wild, because that team actively develops their malware. They have VTI accounts just like researchers do and as soon as a binary is submitted, they change their code. IP blocking the C2 servers helps as well, but ultimately there needs to be a mindset shift within organizations to a proactive stance rather than reactive.

Yes, it costs money. Yes, they'll argue that it's just easier to remove the sample, and yes, you'll want to kill yourself.

I think anyone that's been in this industry for any amount of time knows that you construct arguments in terms of cost, not in terms of capability. When you can reasonably make the argument that formatting this machine and spending that two hours now will save you another engagement cost down the road ($24,000-$100,000+++ depending on severity), it's a lot easier to fight that fight.

22 Eargesplitten
Oct 10, 2010



My wife is getting a captcha when she tries to use google saying that it has detected unusual traffic. The weird thing is, we're on the same connection, it should be masquerading our private IPs to a single public one, but I don't get that message when I try to search. Is it likely a virus? Does Google use MAC addresses instead of IPs? Wouldn't the source MAC change to the router's anyway?

I'm running malwarebytes and a bitdefender scan right now. To flatten and reinstall we would need to upgrade to 10, and I'm not sure I can sell her on that.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

22 Eargesplitten posted:

My wife is getting a captcha when she tries to use google saying that it has detected unusual traffic. The weird thing is, we're on the same connection, it should be masquerading our private IPs to a single public one, but I don't get that message when I try to search. Is it likely a virus? Does Google use MAC addresses instead of IPs? Wouldn't the source MAC change to the router's anyway?

I'm running malwarebytes and a bitdefender scan right now. To flatten and reinstall we would need to upgrade to 10, and I'm not sure I can sell her on that.

Please read this thread:
https://forums.somethingawful.com/showthread.php?threadid=3723583

22 Eargesplitten
Oct 10, 2010



Yes, I get it, I read it before, I know that anything I can do will be suboptimal. I can't do bitlocker because she's on Home Edition, although I should probably change DNS. I already addressed the flatten and reinstall option you always push.

Weird development, it's only when she's on her google account. She signs out, she can do it fine. So it's not her computer, it's her account. Which explains why I have no problem. So it's likely her account was compromised because I know she doesn't use different passwords on every site. I tried to set up Keepass for her, but she got frustrated when it took me too long to set up.

New Zealand can eat me
Aug 29, 2008

:matters:


22 Eargesplitten posted:

she got frustrated when it took me too long to set up.

Sever.

22 Eargesplitten
Oct 10, 2010



If she was a client, I would fire her. I might just get on her computer after she goes to sleep and set it up.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

22 Eargesplitten posted:

Yes, I get it, I read it before, I know that anything I can do will be suboptimal. I can't do bitlocker because she's on Home Edition, although I should probably change DNS. I already addressed the flatten and reinstall option you always push.

Weird development, it's only when she's on her google account. She signs out, she can do it fine. So it's not her computer, it's her account. Which explains why I have no problem. So it's likely her account was compromised because I know she doesn't use different passwords on every site. I tried to set up Keepass for her, but she got frustrated when it took me too long to set up.

Whatever solution is going to be suggested by anyone else is going to be half-assed at best. I would recommend that if you cannot get this cleaned up with whatever software you're using right now to just flatten and reinstall.

I would also change whatever passwords you think are affected too.

I am not a relationship expert here but I think that if your wife cannot understand that she has a broken computer that whatever further advice needed may not be appropriate here.

Khablam
Mar 29, 2012

You basically have an object lesson on your hands of why a password manager is essential. It really shouldn't take a lot of time to get it running, and you can certainly triage the most essential passwords first, and make sure to turn on 2FA on all sites where it's offered.

You don't need to gently caress about making KeePass work in the browser, the auto-type hotkeys will work on 99% of all dialogs if you simply edit the key sequence to what is needed.

22 Eargesplitten
Oct 10, 2010



Yeah. I use Keepass on both computers and my phone using bittorrent sync to keep the database and key local. I think I downloaded a different version to her computer because setup was not the same at all.

It stopped doing the captcha thing, we quarantined one file on malwarebytes. If this comes up again I'm really going to push for her to back up her stuff on her external drive and either go to 10 or 7, which I have a key and .ISO for.

pixaal
Jan 8, 2004

All ice cream is now for all beings, no matter how many legs.


22 Eargesplitten posted:

Yeah. I use Keepass on both computers and my phone using bittorrent sync to keep the database and key local. I think I downloaded a different version to her computer because setup was not the same at all.

It stopped doing the captcha thing, we quarantined one file on malwarebytes. If this comes up again I'm really going to push for her to back up her stuff on her external drive and either go to 10 or 7, which I have a key and .ISO for.

Go to 7 or 10, so she's on XP? You really need to get rid of XP if it's allowed to touch the internet. XP is a huge risk since no patches have been released in several months now, probably coming close to a year if not already past it.

22 Eargesplitten
Oct 10, 2010



Sorry, she's on 8.1. She's on an OEM key, I don't have any reinstall media for 8.1.