|
OSI bean dip posted:Stop being obtuse and read the white papers I posted. At which point, according to his SOP where he says he'll look at logs and access, he will... mindphlux posted:If things look completely hosed, we come onsite, disconnect network to the machine, scan, assess, remediate - and packet log and check network traffic for anything really bizarre network-wide. and if it's actually hosed and we can't resolve in under an hour or so, we advise them we need to flatten and reformat and it will take X number more hours So. We're left with you being very angry about a posted SOP that will adequately deal with your worst-case boogeyman malware. Do you (for the 5th .. 6th?) time of asking, actually know of one that will defeat this, or are you just being yourself, which is to project flaws onto other people in order to get really angry at them?
|
# ? Oct 28, 2015 12:14 |
|
|
|
Notorious R.I.M. posted:I still don't get why we're nitpicking over whether a bunch of heuristic-based tools will happen to detect a rootkit when we can fix the problem by formatting and reloading from a recent backup. If this is any harder than running X, Y, Z, A, B, C, C# D, E, and F virus scanning tools that you use, maybe you should work on unfucking your / your client's awful IT structure instead of hoping that the 95% fix works 100 times in a row. This is the correct response.
|
# ? Oct 28, 2015 12:37 |
|
Khablam posted:I read the white papers, and it's a fascinating (if dated) piece of malware. This doesn't change the fact that mindphlux's SOP as posted will detect the presence of the malware (especially if you add in my caveat of an offline scan, which is just SOP by design really, you pull the drives, not the machines.) None of what mindphlux suggested in the following list would have addressed it: mindphlux posted:rkill Don't see the 'fascinating', signature-based RogueKiller tool here either, nor a suggestion to restore the bootloader. Remind me again of what in this list would have fixed this? If mindphlux had accepted that his advice is garbage and then made an effort to read into why I would say that, then this argument with him would have been short. Of course, you and he share personality traits which, when combined with incompetence, mean neither of you can accept that you've made mistakes and as a result cannot learn. It's one thing to disagree with me, but it's another to continue to beat on this dead horse--you cannot win me over with your idiotic ideas. And again, you're being obtuse: it's a matter of time for when we start to see poo poo like TDSS/TDL again, but of course you seemingly have backed down on how it works because you're no longer calling the technique "nation-state-level" fantasy even though earlier in this thread you ran across it and suggested the very fix that would have watered down its effectiveness. quote:We're left with you being very angry about a posted SOP that will adequately deal with your worst-case boogeyman malware. No. We're left with people listing poo poo like the above, thinking it is a magic bullet and leading other people in this thread to believe that they have a magical fix. At least you've finally understood that I am not telling people right off of the bat to format their machines but to consider the ramifications of what their machine has become--this after having simplified it for your Sesame Street-level brain. 
quote:Do you (for the 5th .. 6th?) time of asking, actually know of one that will defeat this, or are you just being yourself, which is to project flaws onto other people in order to get really angry at them? Yes. Read my thread. You seem to believe that anti-virus and all these magical tools will fix anything and thus have demonstrated a complete lack of knowledge of how they work. If you really, really think that tools will fix all malware, why not give me a technical explanation for why other than letting me answer your questions with "yes". Here's your first test question: explain to me in detail how a malware signature works. Lain Iwakura fucked around with this message at 15:55 on Oct 28, 2015 |
# ? Oct 28, 2015 15:30 |
|
So do you have a set of techniques to share? If not, what the gently caress is the point of letting other people know they are doing it wrong.
|
# ? Oct 28, 2015 15:36 |
|
redeyes posted:So do you have a set of techniques to share? If not, what the gently caress is the point of letting other people know they are doing it wrong. Read this thread which hasn't been posted in this thread several times already.
|
# ? Oct 28, 2015 15:42 |
|
Good lord, there has got to be somewhere else you guys can take this slapfight. This thread was actually interesting before the deluge of YouTube comments insulting one another's reading comprehension. Like, hash this out on irc or something. You'd probably even find it more productive to talk TO one another rather than frantically wiggling your epeens all over the thread. Please.
|
# ? Oct 28, 2015 16:39 |
|
This thread really wasn't doing anything important beforehand.
|
# ? Oct 28, 2015 16:43 |
|
Forever_Peace posted:Good lord, there has got to be somewhere else you guys can take this slapfight. This thread was actually interesting before the deluge of YouTube comments insulting one another's reading comprehension. If people were not giving negligent advice such as what we have consistently seen from the people I quote, then this sort of arguing would cease. There are individuals who are quick to chime in on solutions akin to divining rods with no technical knowledge behind them to explain how they are effective. If we want to go on about putting our dicks on the table, I have yet to do that and yet others who refute me have no problem. Lain Iwakura fucked around with this message at 16:57 on Oct 28, 2015 |
# ? Oct 28, 2015 16:50 |
|
thread needs gassed
|
# ? Oct 28, 2015 17:15 |
|
OSI bean dip posted:If people were not giving negligent advice such as what we have consistently seen by people I quote then this sort of arguing going on would cease. There are individuals who are quick to chime in on solutions akin to divining rods with no technical knowledge behind them to explain how they are effective. There is no negligent advice in this thread but you are still killing the thread dead.
|
# ? Oct 28, 2015 17:24 |
|
Any lurkers who give a poo poo about security you're welcome to join us in http://forums.somethingawful.com/showthread.php?threadid=3712267
|
# ? Oct 28, 2015 17:27 |
|
yospos/whateverthefuckitisnow screams of serious posting about serious security seriousness
|
# ? Oct 28, 2015 18:47 |
|
Khablam posted:Do you (for the 5th .. 6th?) time of asking, actually know of one that will defeat this I seriously don't understand why you keep asking this. No one can point to something that can defeat all automated malware detection methods because the minute something is discovered through other means the automated methods are updated with the necessary process for finding it. There have been plenty of examples of malware that has gone through this process, namely 99% of the discrete types that are currently detectable. Assuming this means "no currently undetectable malware exists" is just nonsensical though. This fact is the entire problem with signature (or behavioral) anti-virus as a protection method. It is unable to adapt to a constantly changing attack surface without being continuously updated with new information.
|
# ? Oct 28, 2015 19:24 |
|
pr0zac posted:I seriously don't understand why you keep asking this. No one can point to something that can defeat all automated malware detection methods because the minute something is discovered through other means the automated methods are updated with the necessary process for finding it. There have been plenty of examples of malware that has gone through this process, namely 99% of the discrete types that are currently detectable. Assuming this means "no currently undetectable malware exists" is just nonsensical though. The problem that Khablam has is that he has no basis of understanding of how signature-based anti-virus works and would rather just go and cite AV tests from third-parties or rely on his "experience". He cannot answer a question about malware from a technical viewpoint except reciting what is best from a tier-1 help desk perspective, which is generally not good advice. Meanwhile those of us who have direct experience with this sort of thing consider him to be oblivious and think that he's arguing for the sake of a maligned ego. Lain Iwakura fucked around with this message at 19:32 on Oct 28, 2015 |
# ? Oct 28, 2015 19:26 |
|
MF_James posted:yospos/whateverthefuckitisnow screams of serious posting about serious security seriousness Subjunctive posted:Intel Management Engine is good times.
|
# ? Oct 28, 2015 20:30 |
|
Wiggly Wayne DDS posted:It really does though, here's a breakdown of x86 security: That's not a fun paper to read.
|
# ? Oct 28, 2015 20:35 |
|
Computers are pretty bad you guys.
|
# ? Oct 29, 2015 00:21 |
|
redeyes posted:So do you have a set of techniques to share? If not, what the gently caress is the point of letting other people know they are doing it wrong.
|
# ? Oct 29, 2015 03:56 |
|
MF_James posted:yospos/whateverthefuckitisnow screams of serious posting about serious security seriousness You'd fit right in, James
|
# ? Oct 29, 2015 04:07 |
|
I think he's been pretty clear about "salvage what you can that ain't backed up, then format the bastard from a clean system or boot disc, or image a backup image on if available"
|
# ? Oct 29, 2015 04:17 |
|
Oh cool! She had stopped blogging for a while, so I thought she had fallen off the face of the earth or angered Putin or something.
|
# ? Oct 29, 2015 04:31 |
|
Ynglaur posted:Oh cool! She had stopped blogging for a while, so I thought she had fallen off the face of the earth or angered Putin or something. None of us want this thread, but you especially don't want this thread.
|
# ? Oct 29, 2015 04:32 |
|
Sorry about your lack of reading comprehension.
|
# ? Oct 29, 2015 06:03 |
|
sorry about your Asperger's
|
# ? Oct 29, 2015 06:23 |
|
mindphlux posted:sorry about your Asperger's I guess we can come to a conclusion: you have a lack of reading comprehension skills and you'd rather continue to belittle me because you have nothing left to contribute and I know that you're a complete charlatan. Alright.
|
# ? Oct 29, 2015 06:36 |
|
mindphlux posted:sorry about your Asperger's Sick burn, dude!
|
# ? Oct 29, 2015 06:38 |
|
|
# ? Oct 29, 2015 06:52 |
|
Mods, please put this thread out of its misery.
|
# ? Oct 29, 2015 07:20 |
|
so when is malware going to take advantage of high-frequency audio to jump from machine to machine without being detected?
|
# ? Oct 29, 2015 11:19 |
|
I'm new to SHSC, is it normal in here to emptyquote and do single emote posts, as well as call people names?
|
# ? Oct 29, 2015 11:38 |
|
bobbilljim posted:I'm new to SHSC, is it normal in here to emptyquote and do single emote posts, as well as call people names?
|
# ? Oct 29, 2015 11:41 |
|
HELPDESK HERO: This is my tool suite. There are many like it, but this one is mine. My tool suite is my best friend. It is my life. I must master it as I must master my life. My tool suite, without me, is useless. Without my tool suite, I am useless. I must run my tool suite true. I must click and hope harder than my enemy who is trying to infect me. I must detect him before he displays an advert to me. I will... My tool suite and I know that what counts in war is not the knowledge we have, the accuracy of our heuristics, nor the attack surface we have. We know that it is the probable hits that count. We will probably hit... My tool suite is human, even as I, because it is my life. Thus, I will learn it as a brother. I will not learn its weaknesses, only its strength, its parts, its accessories, its SourceForge URL and its portable installer. I will keep my tool suite updated and ready, even as I am A+ certified and ready. We will become part of each other. We will... Before God, I swear this creed. My tool suite and I are the defenders of my country. We are the masters of our enemy. We are the saviors of my life. So be it, until victory is ours and there is no known malware, but peace! SOMEBODY NOT LIVING IN THE 90s: your techniques only catch known threats, it's quicker, easier and safer to purge everything and reload HELPDESK HERO: wow autistic much?!
|
# ? Oct 29, 2015 13:05 |
|
This argument is still going. Tool suites can only do so much, and catch so many viruses, no matter how "good" they are. I learned that as a wet-behind-the-ears desktop technician. Formats became faster than most suite scans. Some of the posters in here sound like some guys in a LinkedIn group I'm in, beating off an A/V sponsor about how viruses would have NEVER made it on with this AV suite! I'm not a security analyst and I can see that.
|
# ? Oct 29, 2015 13:21 |
|
OSI bean dip posted:None of what mindphlux suggested in the following list would have addressed it: You're arguing (once again) against a position that I have never made. You do this in literally every discussion and it's amazing to me how someone can warp reality in order to carry on some indignant rage. Why do you do this? I said that a combination of the above tools and an offline scan would detect its presence. Or, actually, just using the computer with a vague knowledge of what it drops into a visible space will clue you in (i.e. fake AV, etc). A "tier 1" helpdesk can likely also determine that there is a rootkit active on the machine. From there I suggested flatten/install with a wiped MBR. Now my assumption is that mindphlux, using his SOP which includes "reading all the logs", will also conclude the same and do the same. He verified this in a later post. So why are you so angry? No one is recommending those tools as a come one come all fix to every problem, but as a toolkit on which to make common sense determinations. quote:Here's your first test question: explain to me in detail how a malware signature works None of that changes one's SOP though. For, if nothing you throw at the machine reveals a problem, how are you determining there is one? Why are you even looking for the problem to begin with? These are the logical questions I posed several pages ago and you haven't come up with an answer. Like, just give me a scenario where you're using the posted SOP (let's say you're forced at gunpoint to get around your autism) in combination with an offline scan and concluding there is a problem that needs a format, which none of those tools are hinting at in any way. Why are you scanning the machine? Why are you ... doing anything? I'm not even arguing against your POV and if you spent some time reading what I wrote instead of just looking at it and concluding I was stupid, you would see that. 
Your ranting and cries of fraud and negligence over the posted SOP are an insane reaction but maybe I'm just expecting too much from a yospos poster.
|
# ? Oct 29, 2015 13:28 |
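The "wiped MBR" step in the post above, as an added example that is not code from any poster in this thread: a Python script that parses a legacy BIOS MBR (the fixed on-disk layout: 446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature at offset 510), compares the bootstrap code against hashes taken from known-clean installs, and produces the wiped sector with the partition table kept intact. The sample MBRs, the "known good" hash set and the function names are constructed for the example; the bootstrap bytes are placeholders, not a real bootkit. In line with the offline-scan caveat in the thread, the sector is read from a pulled drive attached to a clean machine or from a live CD (`dd if=/dev/sdX of=mbr.bin bs=512 count=1`), not from inside the suspect OS.

```python
"""Legacy BIOS MBR checks.  Layout (fixed by the on-disk format):
bytes 0-445 bootstrap code, 446-509 four 16-byte partition entries,
510-511 the 0x55AA boot signature."""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 446
PART_TABLE_OFF = 446
BOOT_SIG = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into bootstrap code, partition entries and boot signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little endian
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # skip empty slots
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {"bootcode": mbr[:BOOTCODE_LEN],
            "partitions": partitions,
            "valid_signature": mbr[510:512] == BOOT_SIG}


def bootcode_sha256(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def check_bootcode(mbr: bytes, known_good: set) -> str:
    """Compare the bootstrap code against hashes taken from known-clean installs.
    A bootkit lives in this region; the partition table is typically left alone
    so the machine still boots, which is why a scan from inside the booted OS
    can look clean."""
    if not parse_mbr(mbr)["valid_signature"]:
        return "no-signature"
    return "clean" if bootcode_sha256(mbr) in known_good else "modified"


def wipe_bootcode(mbr: bytes) -> bytes:
    """Zero the bootstrap code but keep the partition table and 0x55AA.
    The disk will not boot until a bootloader is reinstalled, which is
    what the flatten-and-reinstall does anyway."""
    parse_mbr(mbr)  # length check
    return bytes(BOOTCODE_LEN) + mbr[BOOTCODE_LEN:]


def read_mbr(path: str) -> bytes:
    """Read the first sector of a dumped image file (or a raw device node)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


# --- constructed samples (placeholder bytes, not real boot code) ---------------
def _build_mbr(bootcode: bytes) -> bytes:
    assert len(bootcode) <= BOOTCODE_LEN
    bootcode = bootcode.ljust(BOOTCODE_LEN, b"\x00")
    # one bootable NTFS (0x07) partition starting at LBA 2048, 1,000,000 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\xff\xff\xff", 2048, 1_000_000)
    table = entry + bytes(16 * 3)
    return bootcode + table + BOOT_SIG


CLEAN_MBR = _build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")      # stand-in for a vendor loader
TAMPERED_MBR = _build_mbr(b"\xeb\x3e\x90" + b"\x00" * 61            # stand-in for a rewritten loader
                          + b"\xb8\x00\x00\x8e\xd8")
KNOWN_GOOD = {bootcode_sha256(CLEAN_MBR)}  # baseline taken from a fresh install

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_bootcode(mbr, KNOWN_GOOD), parse_mbr(mbr)["partitions"])
    print("wiped ok:", parse_mbr(wipe_bootcode(TAMPERED_MBR))["valid_signature"])
```

With the baseline hash taken from a freshly installed machine of the same OS and bootloader version, `check_bootcode` gives a yes/no that does not depend on any AV engine knowing the particular bootkit. The output of `wipe_bootcode` can be written back with `dd if=wiped.bin of=/dev/sdX bs=512 count=1` before the reinstall, or you simply let the installer rewrite the sector; either way the partition table survives if you need to salvage data first.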
|
Khablam posted:Your ranting and cries of fraud and negligence over the posted SOP are an insane reaction but maybe I'm just expecting too much from a yospos poster. Don't be racist.
|
# ? Oct 29, 2015 13:52 |
|
Khablam posted:I said that a combination of the above tools and an offline scan would detect its presence. Or, actually just using the computer with a vague knowledge of what it drops into a visible space will clue you in (i.e. fake AV, etc). 100% will detect its presence? How did you come to this conclusion? It's very much news to me that there is a sure-fire way to detect the presence of malware and if this is the case I really, really would throw lots of money at such a claim if it could be backed up. Please elaborate on this because you're sitting on a goldmine here. quote:There's no need to know this to use any of these tools. You simply need an understanding that detection rates are not 100% and that any determination of "clean" or "infected" based on their output has a non-zero margin of error. Didn't you just say "a combination of [tools] and [method] would detect its presence"? quote:I'm not even arguing against your POV and if you spent some time reading what I wrote instead of just looking at it and concluding I was stupid, you would see that. You've opted to make a remark about me and yet you've failed to answer my question to describe how signatures work. You're comfortable to make assumptions about detecting malware then later contradicting yourself, but you cannot tell me how an AV's signature works? Again, take this opportunity to wow me here: OSI bean dip posted:Here's your first test question: explain to me in detail how a malware signature works. If you are willing to recommend AV engines, procedures, and then go on a tirade about me, I think you can take the time to answer this question.
|
# ? Oct 29, 2015 14:59 |
|
Notorious R.I.M. posted:I still don't get why we're nitpicking over whether a bunch of heuristic-based tools will happen to detect a rootkit when we can fix the problem by formatting and reloading from a recent backup. If this is any harder than running X, Y, Z, A, B, C, C# D, E, and F virus scanning tools that you use, maybe you should work on unfucking your / your client's awful IT structure instead of hoping that the 95% fix works 100 times in a row. Yeah running 300+ cleaners sounds like a time sucking pain in the dick.
|
# ? Oct 29, 2015 15:10 |
|
Rhymenoserous posted:Yeah running 300+ cleaners sounds like a time sucking pain in the dick. You can if you write a script that queries all of your files' hashes against VirusTotal. It won't clean it up, but it's fun to get dozens of different AV engines like Qihoo-360 and Jiangmin to respond and then see how many of them give erroneous or conflicting answers. Oh the joys of signatures. [edit] In fact, here's a script you can use: Python code:
What's fun with this script is that you can run it against a directory of files and you stand a good chance of seeing false positives or conflicting answers. Lain Iwakura fucked around with this message at 17:02 on Oct 29, 2015 |
# ? Oct 29, 2015 15:40 |
|
For those of us playing along at home - are you saying that the often-cited "signature" method of detecting viruses and malware is just an md5 hash of the files? That sounds distressingly inadequate.
|
# ? Oct 29, 2015 17:38 |
|
|
|
LordSaturn posted:For those of us playing along at home - are you saying that the often-cited "signature" method of detecting viruses and malware is just an md5 hash of the files? That sounds distressingly inadequate. Are you suggesting that I send the files straight to VirusTotal every time? Because I could do that and then wait six years for it to scan through 1 TB of files. All this script does is send off a hash to VirusTotal to check through its history. If you upload a file to them and it has previously been seen, it'll inform you that it has seen the file before using the very same method but will then rescan the file if you request. It doesn't really do anything beyond that other than saying "yes" or "no" to whether or not it has been seen before. It's not a definitive answer because the signatures can apply to multiple different hash results. Also sending files to VirusTotal is dumb in a lot of ways for a number of reasons, but mainly this: the files get sent to a number of organisations (including the well-respected Italian company, Hacking Team) in which they'll analyse it as they desire. If you're okay with sharing proprietary files from your organisation, then send them straight to VirusTotal. It can however lead to some hilarious results as some of us can attest. Lain Iwakura fucked around with this message at 18:02 on Oct 29, 2015 |
# ? Oct 29, 2015 17:52 |
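The "explain how a malware signature works" question that runs through this page, and LordSaturn's question above about whether a signature is just a hash of the file, as an added example. This is not the VirusTotal script OSI bean dip refers to (which is not reproduced on this page) and not any poster's code. It builds two kinds of static rule, a file-hash rule (what a hash lookup against VirusTotal amounts to, per the post above) and a byte pattern with wildcards (the shape of an engine's opcode or string rule), and runs them over a constructed sample plus two trivially modified variants. The sample bytes, rule names and variants are all made up for the example; nothing here is real malware.

```python
"""Static signatures on constructed bytes: exact-hash rules versus
wildcarded byte-pattern rules, and what trivial variants do to each."""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compile_pattern(hex_pattern: str) -> "re.Pattern":
    """'e8 ?? ?? ?? ?? 5b 81 eb' -> regex over bytes; '??' matches any one byte."""
    parts = []
    for tok in hex_pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, rules: dict) -> list:
    """Return the names of rules that fire, in rule order.
    rules maps name -> ("hash", hex digest) or ("pattern", compiled regex)."""
    hits = []
    digest = sha256_hex(data)
    for name, (kind, value) in rules.items():
        if kind == "hash" and value == digest:
            hits.append(name)
        elif kind == "pattern" and value.search(data):
            hits.append(name)
    return hits


# --- constructed sample (not a real binary) ---------------------------------
# 'MZ' plus padding, a call/pop "get PC" stub, then a command string.
HEADER = b"MZ" + b"\x00" * 30
STUB = b"\xe8\x00\x00\x00\x00\x5b\x81\xeb\x05\x10\x40\x00"   # call $+5; pop ebx; sub ebx, imm32
PAYLOAD = b"cmd.exe /c net user backdoor Passw0rd /add\x00"
SAMPLE = HEADER + STUB + PAYLOAD

RULES = {
    # exact-file rule: what a hash lookup against a reputation service gives you
    "hash:sample_v1": ("hash", sha256_hex(SAMPLE)),
    # opcode rule: the call displacement is wildcarded, so it survives a
    # relink at a different address; the sub immediate is left out entirely
    "pattern:call_pop_getpc": ("pattern", compile_pattern("e8 ?? ?? ?? ?? 5b 81 eb")),
    # plain string rule on the command line
    "pattern:net_user": ("pattern", re.compile(re.escape(b"net user"), re.DOTALL)),
}


def xor_body(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


# Variant 1: identical code, 16 bytes of trailing padding (a rebuild that only
# changes tail data).  The hash rule misses it; the byte patterns still fire.
VARIANT_PADDED = SAMPLE + b"\x00" * 16

# Variant 2: body XOR-encoded with a one-byte key, as a trivial packer would
# (a real file would carry a decoder stub; the point is what the static scanner
# sees on disk).  Every rule above is silent until someone writes a new one.
VARIANT_PACKED = HEADER + xor_body(STUB + PAYLOAD, 0x37)

if __name__ == "__main__":
    for name, blob in (("original", SAMPLE), ("padded", VARIANT_PADDED),
                       ("packed", VARIANT_PACKED)):
        print(f"{name:9s} {sha256_hex(blob)[:16]}...  hits={scan(blob, RULES)}")
```

The padded variant shows why a bare hash lookup is a weak "is this file known" test: one extra byte and the lookup says nothing, while the opcode rule still fires. The XOR-encoded variant is the other half of the argument in the thread: once the bytes an engine keyed on are no longer present in the file, every rule here is silent until someone analyses the new variant and writes a new signature, which is the lag pr0zac describes. Conversely, the wildcarded opcode rule will also fire on any legitimate binary that happens to contain the same stub, which is where the false positives and conflicting verdicts between engines come from.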