Are Adobe Acrobat/Flash seriously the largest vectors of infections now?
----------------

# ? Feb 25, 2009 16:38
Cardboard Box A posted:Are Adobe Acrobat/Flash seriously the largest vectors of infections now? Largest on a fully patched machine or largest overall? I think your answers are going to be very, very different depending on which one you mean with so much of the world still vulnerable to every IE exploit under the sun.
# ? Feb 25, 2009 16:45 |

maybe we should all go back to IE 2.0 with acrobat from the same era. I found it's drat near impossible to get a virus on an old machine because the viruses that affected them simply aren't around anymore.

# ? Feb 25, 2009 17:51 |

I got a couple of odd entries in my event log today, the source listed as "crypt32". The messages logged were: Successful auto update retrieval of third-party root certificate from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/6252DC40F71143A22FDE9EF7348E064251B18118.crt> and Successful auto update of third-party root certificate:: Subject: <CN=Certum CA, O=Unizeto Sp. z o.o., C=PL> Sha1 thumbprint: <6252DC40F71143A22FDE9EF7348E064251B18118> Google wasn't much help; does this look suspicious to anyone? It looks legitimate enough, but anything involving the words "root certificate" is a little unsettling. I think around the time it was logged I was installing the latest GIMP, but I can't imagine why GIMP would need to do anything involving a root certificate. I saw a couple of similar messages the other day when I installed Quake Live as well (which I shrugged off because it installed PunkBuster, which does some weird poo poo that might involve root certificates), but other than that, I haven't seen any events like this in all the years I've been using XP on my desktops. Edit: VVV Thanks, and just suspicious of any sudden changes in the status quo I guess.
Sikreci fucked around with this message at 19:49 on Feb 25, 2009
# ? Feb 25, 2009 19:36 |
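A quick consistency check for the two crypt32 events quoted above, as an added example that is not part of the thread. The automatic root update logs a retrieval event (with the URL) and an install event (with the subject and SHA-1 thumbprint); the file name in the URL is the thumbprint of the certificate being fetched, so the two should agree, and the download should come from Microsoft's update host. The trusted host list and the second, mismatching pair of messages are constructed for the example; the first pair is the text from the post.

```python
"""Sanity-check a pair of crypt32 "auto update of third-party root certificate" events.

Pairs the retrieval event with the install event that follows it and flags two
things worth a second look: a download host that is not Microsoft's root-update
server, and a file name in the URL that does not match the SHA-1 thumbprint of
the root that actually landed in the store.
"""
import hashlib
import re
from urllib.parse import urlparse

# Host the post shows Windows XP fetching the root from (assumption: the only
# host we expect to see here); anything else gets flagged.
TRUSTED_HOSTS = {"www.download.windowsupdate.com"}

RETRIEVAL_RE = re.compile(
    r"Successful auto update retrieval of third-party root certificate from: <(?P<url>[^>]+)>"
)
UPDATE_RE = re.compile(
    r"Successful auto update of third-party root certificate:: Subject: <(?P<subject>[^>]+)> "
    r"Sha1 thumbprint: <(?P<thumb>[0-9A-Fa-f]{40})>"
)


def sha1_thumbprint(der_bytes):
    """Windows' certificate 'thumbprint' is SHA-1 over the DER-encoded certificate."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def check_root_update(retrieval_msg, update_msg):
    """Return (ok, reasons) for one retrieval/install event pair."""
    reasons = []
    r = RETRIEVAL_RE.search(retrieval_msg)
    u = UPDATE_RE.search(update_msg)
    if not r or not u:
        return False, ["messages do not match the crypt32 event format"]
    url = urlparse(r.group("url"))
    # The fetched file is named <thumbprint>.crt; compare it with what was installed.
    url_thumb = url.path.rsplit("/", 1)[-1].removesuffix(".crt").upper()
    logged_thumb = u.group("thumb").upper()
    if url.hostname not in TRUSTED_HOSTS:
        reasons.append(f"unexpected download host {url.hostname!r}")
    if url_thumb != logged_thumb:
        reasons.append(f"URL names {url_thumb} but the installed root has thumbprint {logged_thumb}")
    return not reasons, reasons


# The two events exactly as quoted in the post.
POST_RETRIEVAL = (
    "Successful auto update retrieval of third-party root certificate from: "
    "<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/"
    "6252DC40F71143A22FDE9EF7348E064251B18118.crt>"
)
POST_UPDATE = (
    "Successful auto update of third-party root certificate:: Subject: "
    "<CN=Certum CA, O=Unizeto Sp. z o.o., C=PL> "
    "Sha1 thumbprint: <6252DC40F71143A22FDE9EF7348E064251B18118>"
)

# Constructed counter-example: same install event, but the retrieval came from a
# host that is not Microsoft's and the file name does not match the thumbprint.
FAKE_RETRIEVAL = (
    "Successful auto update retrieval of third-party root certificate from: "
    "<http://updates.example.net/trustedr/en/0000000000000000000000000000000000000000.crt>"
)

if __name__ == "__main__":
    for label, pair in (("post", (POST_RETRIEVAL, POST_UPDATE)),
                        ("constructed", (FAKE_RETRIEVAL, POST_UPDATE))):
        ok, reasons = check_root_update(*pair)
        print(f"{label}: {'OK' if ok else 'SUSPICIOUS'} {reasons}")
```

This only shows the event pair is internally consistent; it cannot tell a legitimate root from one you would rather not trust. To go further on the machine itself, export the root that was installed (it lands in the Third-Party Root Certification Authorities store) and run `sha1_thumbprint` over the DER file: the result should equal the logged thumbprint.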
Don't worry about it. It's legitimate and on top of that, I'm not sure why you would find a Windows DLL updating from the Microsoft servers fishy.
# ? Feb 25, 2009 19:39 |
There is a really good breakdown of Conficker up @ http://mtc.sri.com/Conficker
# ? Feb 26, 2009 23:33 |
Adobe Reader/Acrobat JBIG2 Stream Array Indexing Vulnerability Adobe is planning to release updates to Adobe Reader and Acrobat to resolve the relevant security issue. Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009. Adobe is planning to make updates for Adobe Reader 7 and 8, and Acrobat 7 and 8, available by March 18th. March 11th, 2009. For something loving being actively exploited right now. Two, three weeks.
# ? Feb 27, 2009 04:04 |
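While the Reader fix is pending, the question a mail gateway or IDS can actually answer is whether a PDF contains any stream that would be handed to the JBIG2 decoder at all. Below is an added example of that triage check, written for this page and not taken from Adobe, Sourcefire or the thread. It finds stream dictionaries, reads the /Filter entry whether it is a single name or an array, and decodes PDF name escapes (/JBIG#32Decode), which a plain string match for "JBIG2Decode" would miss. The sample PDFs are constructed inline and are not real documents.

```python
"""Report PDF streams whose /Filter chain includes /JBIG2Decode.

This does not detect the JBIG2 bug itself; it only says whether a file would
exercise the JBIG2 decoder. Stream objects are required to sit at the top
level of the file (they may not live inside object streams), so scanning the
raw bytes sees every stream dictionary even in PDF 1.5+ files with compressed
cross-reference tables. A /Filter given as an indirect reference (/Filter 5 0 R)
is not resolved here.
"""
import re

# A stream object: a dictionary immediately followed by the 'stream' keyword.
# The non-greedy body still spans nested << >> because the trailing
# '>>\s*stream' has to match before the regex can stop.
STREAM_DICT_RE = re.compile(rb"<<(.*?)>>\s*stream\b", re.DOTALL)
# /Filter followed by a single name or an array of names.
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/[^\s/\[\]<>()]+)")
NAME_RE = re.compile(rb"/([^\s/\[\]<>()]+)")
ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw):
    """Resolve #xx escapes in a PDF name, so b'JBIG#32Decode' becomes 'JBIG2Decode'."""
    return ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def stream_filters(pdf_bytes):
    """Yield (offset, [filter names]) for every stream dictionary in the file."""
    for m in STREAM_DICT_RE.finditer(pdf_bytes):
        f = FILTER_RE.search(m.group(1))
        names = [decode_name(n) for n in NAME_RE.findall(f.group(1))] if f else []
        yield m.start(), names


def jbig2_streams(pdf_bytes):
    """Byte offsets of the stream dictionaries that route data through JBIG2Decode."""
    return [off for off, names in stream_filters(pdf_bytes) if "JBIG2Decode" in names]


def _pdf(stream_dict):
    """Constructed minimal wrapper around one stream object (not a complete, valid PDF)."""
    return (b"%PDF-1.4\n1 0 obj\n" + stream_dict +
            b"\nstream\n\x00\x00\x00\x01\nendstream\nendobj\n%%EOF\n")


# Constructed samples: one benign, three that reach the JBIG2 decoder in different ways.
SAMPLES = {
    "flate_only": _pdf(b"<< /Length 4 /Filter /FlateDecode >>"),
    "jbig2_plain": _pdf(b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1 "
                        b"/Filter /JBIG2Decode /Length 4 >>"),
    "jbig2_in_array": _pdf(b"<< /Length 4 /Filter [/FlateDecode /JBIG2Decode] "
                           b"/DecodeParms [null << /JBIG2Globals 2 0 R >>] >>"),
    "jbig2_escaped": _pdf(b"<< /Length 4 /Filter /JBIG#32Decode >>"),
}


def scan_file(path):
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return jbig2_streams(fh.read())


if __name__ == "__main__":
    for label, data in SAMPLES.items():
        hits = jbig2_streams(data)
        print(f"{label}: {'JBIG2 stream at ' + str(hits) if hits else 'no JBIG2 streams'}")
```

Treat a hit as "quarantine and look", not as "exploit": JBIG2 is a legitimate bilevel-image codec and scanned documents use it. The point of decoding name escapes and walking filter arrays is that a blocker keyed on the literal string `/JBIG2Decode` is trivial to slip past.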
Elected by Dogs posted:Adobe Reader/Acrobat JBIG2 Stream Array Indexing Vulnerability Roll that .dll out via a login script and disable the BHO via Group Policy? GPO / (Local or Global) Policy / (Computer or User Configuration) / Administrative Templates / Windows Components / Internet Explorer / Security Features / Add-on Management {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} URL
grey tea fucked around with this message at 04:50 on Feb 27, 2009

# ? Feb 27, 2009 04:46 |

Orange Juilius posted:http://vrt-sourcefire.blogspot.com/2009/02/homebrew-patch-for-adobe-acroreader-9.html I don't do IT for work (still a student) - I'm just shocked that something as exploitable (and being exploited already), Adobe already knows about it, the community already has a patch, and they're just arsing around

# ? Feb 27, 2009 04:58 |

Just got this update at work. I swear to god if any of the users I work with get this I am taking their computers away, for they are too dumb to use them.quote:We've had two cases in two days of users being infected with a virus. The virus is coming in via email through a "postcard.exe" or "ecard.exe". This executable is not being detected by viruscan. Once the email opens it creates a javawx.exe in the system32 folder. This executable creates files in the user's temp folder that viruscan does detect and delete. The viruscan logs do log the deletion and that the javawx.exe file created the file. Viruscan however does not detect the javawx.exe file as a virus and does not delete it.

# ? Feb 27, 2009 19:11 |
Doc Faustus posted:Just got this update at work. I swear to god if any of the users I work with get this I am taking their computers away, for they are too dumb to use them. I'd be pretty drat concerned about whether I got the whole thing if it's new enough that the scanner doesn't pick it up but sloppy enough that you can just wander in and delete it, even in safe mode.
# ? Feb 27, 2009 19:32 |
Midelne posted:I'd be pretty drat concerned about whether I got the whole thing if it's new enough that the scanner doesn't pick it up but sloppy enough that you can just wander in and delete it, even in safe mode. I'd be concerned that the scanner couldn't pick up something that simple...
# ? Feb 27, 2009 21:01 |
I'm concerned that people would run "ecard.exe". I think if I do find someone with that, I'm going to tell them I've got an extra computer that Dell delivered by accident, and it's a really nice one, but I'll give 'em a discount on it...
# ? Feb 27, 2009 23:04 |
Doc Faustus posted:I'm concerned that people would run "ecard.exe". I think if I do find someone with that, I'm going to tell them I've got an extra computer that Dell delivered by accident, and it's a really nice one, but I'll give 'em a discount on it... Real life: gently caress off you're a scammer i'll kill you Internet: REALLY? THIS TALKING FLASHY XBOX CONSOLE WANTS TO REMORTGAGE MY HOUSE AND ENLARGE MY PENIS AND GIVE ME A TALKING PURPLE GORILLA? *hands over ssn, cc and runs .pif*
# ? Feb 27, 2009 23:31 |
Elected by Dogs posted:I don't do IT for work (still a student) - I'm just shocked that something as exploitable (and being exploited already), Adobe already knows about it, the community already has ap atch, and they're just arsing around This is SOP for Adobe. I'm amazed that they're not just letting it go and making you pay for Acrobat 10 to get the fix.
# ? Feb 28, 2009 00:12 |
Well, something in this thread on pages 12 and 13 is triggering warnings from AVG resident shield now, so good job on that.
# ? Feb 28, 2009 18:56 |
hall n oates mom posted:Well, something in this thread on pages 12 and 13 is triggering warnings from AVG resident shield now, so good job on that. My windows machine is tied up right now and no AVG-sporting VMs around; can you try checking which post pops the warning (start here)?
# ? Feb 28, 2009 23:29 |
I dunno what's going on, I use AVG myself and it isn't giving me any warnings about any page of this thread. I did buy no-ads though.
# ? Feb 28, 2009 23:46 |
Oh god. Reading this thread is making me seriously consider throwing Opera inside VirtualBox and use that for browsing.
# ? Feb 28, 2009 23:54 |

Well, that's what I get for clicking a link to Encyclopedia Dramatica I guess! Apparently someone put some sort of malware into a page that crashed my computer, and when I logged back on, almost all of my virus scan hardware was busted, Windows System Restore wasn't working, and the Windows Installer won't load anything so I can't install any programs. Oh, and to be continued assholes, they made it so the website you had set as your homepage in Firefox wouldn't load. Bastards. I'm actually using Flock right now just because nobody ever bothers to do anything to block it. Looks like the virus is being listed as "Unclassified.Unknown Origin", mixed in with Rootkit.Agent/Gen-UACFake. Guess the Rootkit means I'm reinstalling Windows!
Zorak fucked around with this message at 03:17 on Mar 1, 2009
# ? Mar 1, 2009 00:28 |
Oh god oh god oh god!
# ? Mar 1, 2009 02:17 |

ymgve posted:Oh god. Reading this thread is making me seriously consider throwing Opera inside VirtualBox and use that for browsing. If you are ultra paranoid you can do this pretty easily. Just grab VirtualBox and a Xubuntu image from here http://en.wordpress.com/tag/virtualbox-images/ It would be great if somebody sold a commercial product that would run Firefox or Opera in a virtual machine that would be transparent to the end user. Would be great for office and public settings. I just tried it and Xubuntu with Firefox open with digg.com takes up about 256mb of RAM. Not too shabby. It took maybe 10 min not including download time to set it all up. EDIT: Oh crap, VirtualBox has a seamless mode that works wonderfully!
Capnbigboobies fucked around with this message at 03:19 on Mar 1, 2009
# ? Mar 1, 2009 03:15 |

I made a VM using VMware with the intent of testing suspicious applications. It is installed with a completely clean version of Win XP SP3. I have snapshotted this for quick and easy flattens. Is there any risk of a virus jumping into the host? I don't want my computer getting compromised (even if I do use a combination of Avira and SuperAntiSpyware)
Lediur fucked around with this message at 05:10 on Mar 1, 2009
# ? Mar 1, 2009 04:55 |
I thought the purpose of a virtual OS was so that it couldn't do anything to the main OS.
# ? Mar 1, 2009 06:13 |
F2B posted:Heck yes. That's what I do. I don't even mess with removal. If I so much as suspect any minor breech, I just restore the image. And yes 20 minutes is absolutely sublime compared to a 1 hour scan. Really. Using a bootable CD and a USB hard drive, you can have a restore time of 6 minutes. I'm not even making GBS threads you.
# ? Mar 1, 2009 07:20 |
Lediur posted:I made a VM using VMware with the intent of testing suspicious applications. It is installed with a completely clean version of Win XP SP3. I have snapshotted this for quick and easy flattens. I guess there is a small chance if you have windows shares between the guest and host OS with some viruses if you are not up to date on patches.
# ? Mar 1, 2009 07:49 |
Orange Juilius posted:There is a really good breakdown of Conficker up @ Somehow I'm not surprised hearing Conficker and Antivirus XP 2009 may have been made by the same people.
# ? Mar 1, 2009 07:58 |
Lediur posted:I made a VM using VMware with the intent of testing suspicious applications. It is installed with a completely clean version of Win XP SP3. I have snapshotted this for quick and easy flattens. There is always the risk of the VM having holes, but then again, you have to actually run something that is aware that it's inside a VM and capable of breaking out. Your average virus won't be able to do poo poo. (Has there ever been an in-the-wild exploit that breaks out of a VM?)
# ? Mar 1, 2009 13:37 |
ymgve posted:(Has there ever been an in-the-wild exploit that breaks out of a VM?) There have been a couple, but the vast majority of sophisticated malware (like Conficker) would rather detect the VM then hide / delete themselves to stymie Antivirus/Security researchers.
# ? Mar 1, 2009 15:35 |
Kelson posted:There have been a couple, but the vast majority of sophisticated malware (like Conficker) would rather detect the VM then hide / delete themselves to stymie Antivirus/Security researchers. This. The overwhelming majority of infections are not going to be inside a VM unless they're being studied, and there's no reason for an intelligent virus writer to really want to display their project's behavior to someone who's studying it to find ways to kill it. VMs, despite being fairly simple to set up, are too conceptually advanced for the average user. I suspect that they always will be.
# ? Mar 1, 2009 16:04 |
Maybe I should just install the bare minimum XP and run everything inside a VM with most of my system resources allocated.
# ? Mar 1, 2009 18:12 |
Cojawfee posted:Maybe I should just install the bare minimum XP and run everything inside a VM with most of my system resources allocated. But then if that VM gets infected, all of your stuff is still screwed up.
# ? Mar 1, 2009 18:20 |
n/m, I think I'm fine
CraigK fucked around with this message at 23:36 on Mar 1, 2009 |
# ? Mar 1, 2009 23:27 |
fishmech posted:But then if that VM gets infected, all of your stuff is still screwed up. Ok, then I will install XP, and install Wubi inside that, and then install Virtual box in there, and install XP again. So I can play games in the main XP, do word processing in Wubi, and then browse the internet in the virtual box.
# ? Mar 2, 2009 00:21 |
Cojawfee posted:Ok, then I will install XP, and install Wubi inside that, and then install Virtual box in there, and install XP again. So I can play games in the main XP, do word processing in Wubi, and then browse the internet in the virtual box. What you could do is actually run your VM with independent-nonpersistent disks/snapshots; that way any (non VM-escaping) infection is erased each time you restart the image. This is one of the more successful ways I've seen some teaching centers manage their computers so one class of students can't jack with the next class.
# ? Mar 2, 2009 01:26 |
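The VMware setting Kelson describes, as an added .vmx fragment written for this page rather than taken from the thread or from VMware's documentation. The disk identifier scsi0:0 and the .vmdk file name are assumptions about the guest's layout; the commented-out line is the default that keeps writes, the active one discards them.

```ini
# Default: the guest's writes go to the .vmdk and survive a power-off.
# scsi0:0.mode = "persistent"

# Every write goes to a redo log that is thrown away when the VM is powered off,
# so the base .vmdk stays the clean XP SP3 image. "independent" also keeps the
# disk out of snapshots, which is what you want for a throwaway browsing VM.
scsi0:0.present = "TRUE"
scsi0:0.fileName = "WinXP-SP3-clean.vmdk"
scsi0:0.mode = "independent-nonpersistent"
```

Edit the .vmx only while the VM is powered off. The redo log is discarded on power-off, not on a reboot the guest initiates, so "restart the image" has to mean a real power cycle of the VM. VirtualBox's equivalent is attaching the disk with the immutable medium type (`VBoxManage storageattach ... --mtype immutable`). Unlike the hardware reset-on-reboot cards mentioned later in the thread, a guest cannot boot around this by reaching a BIOS password, but anyone who can write the .vmx on the host can turn it off.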

fishmech posted:But then if that VM gets infected, all of your stuff is still screwed up. Yeah that's why I would make the guest OS Linux instead of XP. Sure Linux is not invincible but it's far better than XP while being lighter on system resources than Vista. For running Firefox, Linux would work fine.
# ? Mar 2, 2009 09:18 |

Kelson posted:What you could do is actually run your VM with independent-nonpersistent disks/snapshots; that way any (non VM-escaping) infection is erased each time you restart the image. This is one of the more successful ways I've seen some teaching centers manage their computers so one class of students can't jack with the next class. Yes, my high school used some sort of hardware device that would revert to a disk image on each reboot. This worked until people figured out the BIOS password.

# ? Mar 2, 2009 12:02 |
John Dough posted:Yes, my high school used some sort of hardware device that would revert to a disk image on each reboot. This worked until people figured out the BIOS password deep freeze?
# ? Mar 2, 2009 14:39 |

Where I work we have a Citrix connection set up so it just opens IE. It doesn't even look like it's in a virtual window or anything.

# ? Mar 2, 2009 15:47 |
lalala... Customer calls describing a typical winantivirus type infection. I tried to do a webex session to run malwarebytes but the app keeps redirecting the webex join page to some "this page may be infected, click here to buy" screen. Awesome. Right now I'm in via RDP from the server, running the scanner. Objects scanned: 82783 Objects infected: 9 Time elapsed: 55 minute(s), 38 second(s) Surely it's almost done... Also, apparently this client is too cheap to buy an enterprise-level antivirus software, so in addition to my mbam scan, I've got this lovely message on the side of the screen from "McAfee Personal Firewall Plus" quote:The application Windows Explorer has changed since you first gave it access to the Internet. Do you still want to let it access the Internet? 58 minutes...
# ? Mar 2, 2009 17:06 |