  • Locked thread
Wiggly Wayne DDS
Sep 11, 2010



Khablam posted:

Yes.

Well no, that's exactly what I said. One needs to know the basic, fundamental principles of computer design to see why it's not true.

Are you reading what I wrote? I said

You're missing the point. Do this:

Start at the point of infection, explain:
- What the attack vector was
- What it targets
- How it spreads
- What / how it does it
- The latter stuff about airgapping

If you can't explain every process that occurs at each step, guess what - you don't understand why it's not possible. Then claiming it might be possible because you don't understand why it's not, is (I am pretty sure) exactly the point he is trying to make about people working in IT security.

(as a bonus and to let you start to see what I mean: the last term is a paradox by definition - if the system can communicate with another machine in any way, it's not airgapped, making the statement nonsensical. He's smarter than you and playing with your lack of knowledge, both of terminology and process).

Anyway, even before I posted today two users PM'd me to tell me you'll literally believe anything you're told, so I don't suspect you'll
a) Read what I wrote
b) Comprehend it if it doesn't fit your world model
c) Do any work to look at what I'm saying before replying again
d) Will continue to ignore parts of the story that don't make sense so you can carry on believing the story as a whole

If you're at the point of selectively quoting what I (and others) are writing about it in order to not be disproving your own argument in your posts, you need to take a step back and look at your motivation for holding the belief.
You know you can have multi-stage attacks and this could just be the preservation payload right? It doesn't really matter if all of what he's saying is true or not. Parts of the attack described are feasible and arguing semantics over airgapped systems isn't changing anything. Approach with scepticism and don't take his words for the absolute truth but completely dismissing it isn't helping anyone. Even if he's taking the piss you don't just shout down anyone trying to talk about it.

Wiggly Wayne DDS
Sep 11, 2010



Alereon posted:

It comes down to a simple choice: Do you want your system to work, or do you want high scores in detection and blocking benchmarks? Those desires are mutually exclusive because the apps that achieve those high rates do so by aggressively blocking entire classes of content and using loose generic/heuristic detections. This is visible to users as certain websites and applications not working.

It's perfectly reasonable to decide that you want to make an informed choice to trade functionality and performance for additional protection. It's not reasonable to pretend that tradeoff doesn't exist, especially when the way most users discover that is by spending hours troubleshooting issues caused by their malware protection application.
That's far too reasonable an approach, have you considered yelling at people for using MSE instead?

Realistically users getting hit by malware aren't going to avoid it more by having a different vendor solution in front of them. They'll still make the same ill-informed decisions as they've not been told to do anything else. It comes down to education, making sure their software auto-updates and ultimately reducing risk. Pay attention to when you're just treating symptoms rather than the underlying issue.

It's a shame this thread turned into CJs yelling about how their favourite antivirus is better, or how another forum is incompetent. Has anyone seen any notable viruses lately? What propagation methods were they using? Any interesting vulnerabilities being leveraged or just phishing? How deep did it dig into the system and did it bring any friends? Got a sample variant for someone else to look at?

Wiggly Wayne DDS
Sep 11, 2010



Install Windows posted:

This is correct. Android "scanners" are almost entirely useless.
I wouldn't say almost.

Wiggly Wayne DDS
Sep 11, 2010



Khablam posted:

Yes, that's the one, adoption of updates including the vulnerability fix hasn't been great, which is mainly why I think AV on android is a good idea.

I believe this is the case presently, as well. The drive-by downloads can't force a package to install, but the ones identified work roughly:

- They download a java trojan
- It downloads the APK which masquerades as a system update
- This will pop up at a random time after visiting the page so that it appears to be disconnected from the browsing

Anyway, my point was simply that trusting the app stores to be clean of malware (even the Play store) is where a lot of people fall down, and that's what the comment I was replying to was stating.
What'd be worse is trusting someone to give out security advice when they're talking out of their arse.

Wiggly Wayne DDS
Sep 11, 2010



While file previews exist the answer is still wrong.

Wiggly Wayne DDS
Sep 11, 2010



Khablam posted:

"Relatively easy productivity and security upgrades" often don't get used much for the first part, and in most cases don't supply the latter (unless it's out of support). Docx compatibility was patched into every version of Word after '97 - so, 200x and XP, so format compatibility is not really an issue.

Ultimately the logic is backwards, large companies are only going to upgrade after the new version has a track record of reliability and compatibility, because "it just working" is their number one priority, and the people holding the money are usually pretty immune to nebulous claims of "increased workflow and progressively streamlines e-business customer interactions, allows the incorporation of professionally built goal-oriented process improvements into your employees output".

This also ignores that upgrade costs are near-linear after a point, so large businesses are no more immune to a per-workstation upgrade cost than small ones.
Format compatibility is an issue as not everyone uses Microsoft Word.

Wiggly Wayne DDS
Sep 11, 2010



Airgap anyone posting here

Wiggly Wayne DDS
Sep 11, 2010



your password systems are dumb and insecure and you should all feel bad

Wiggly Wayne DDS
Sep 11, 2010



mindphlux posted:

you have given some decent advice in this thread, but.......... really? your linked thread doesn't address malware removal at all, and the advice given is.... errr.... ??? "unplug your machine from the internet and run an (undefined) scan"? or reformat? dunno what you're on about dude...
Your malware removal advice is from a decade ago, and wasn't even that effective then.

Wiggly Wayne DDS
Sep 11, 2010



mindphlux posted:

it has been effective in practice for me for the past 5 years, I can think of only 2 machines out of several hundred where I wasn't able to identify/remove the malware, and had to reflatten. I'm not saying you're wrong, but seriously, outline a better generic malware removal workflow top to bottom or gtfo.
Your practice has been removing the obvious pieces of malware, and considering that case-closed. Malware is not a constant, you can't outline a top-to-bottom workflow for removal without providing poor advice. I do not care how long you have been providing this level of service, or how you convince yourself that your practices are effective. The advice you have given is not going to do anything but remove the low-hanging fruit and provide false-confidence.

e: I see you have edited your post.

mindphlux posted:

it has been effective in practice for me for the past 5 years, I can think of only 2 machines out of several hundred where I wasn't able to identify/remove the malware, and had to reflatten. I mean, I do this for a living.

I'm not saying you're wrong, because I really haven't altered my SOP in at least half a decade. but not for lack of want - I'd love something better, but really digging in to logs and actually troubleshooting is the only thing I've found that works. but seriously, outline a better generic malware removal workflow top to bottom or gtfo.
Yes, you very much should be going through logs and troubleshooting. That is part of how you analyse a situation. Now if those are the practices you believe are what actually works, then why did you push this advice out?

mindphlux posted:

rkill
combofix
hijackthis
add / remove programs
check browser plugins, reset settings as needed
reboot
adwcleaner
malwarebytes
sfc /scannow
check all the logs
When you say "I mean, I do this for a living" what precisely do you mean skill-wise? It's easy enough to state that but you're not providing any means of discerning your level of competence, and how seriously your advice should be taken.

Wiggly Wayne DDS fucked around with this message at 08:33 on Oct 22, 2015

Wiggly Wayne DDS
Sep 11, 2010



mindphlux posted:

If you think flattening and reinstalling every time a machine gets infected with malware is sane advice, you are either a. an individual with lots of time on your hands, b. someone who has never worked in a business environment, or c. a sysadmin at a large organization that has the luxury of a standard system image with poo poo already preinstalled that you can just push out to any machine that gets infected.

almost every one of the tools I listed gives you logs that are very useful in tracking down whatever the gently caress has gone wrong, and if you're competent, you can identify and remove the most lovely portions of the malware on a system and rehabilitate it in 30-45 minutes. that's 30-45 minutes too long, but again, give me a more time-effective solution and I'm all about it. flatten and reinstall? lol yeah, totally going to bill a client for 5 hours of time while I do the needless and support them while they try and track down all their software installs and licenses and reconfigure all their poo poo. should I have prefaced this by saying my company is a MSP for small to midsize clients, with very disparate budgets and operating environments?

As Ynglaur points out, you can't prove a negative. Is there maybe some PUP or something that makes it through my SOP? yeah I'm sure! but if brodude lawyer whose time is worth $500/hr is back up and running again (in 30-45 minutes) for the next 8-12 months without opening a new ticket, and I can't find any trace of the original malware identified (and haven't found any utterly disgusting rootkits), tell me why flattening is a better option.

Also, computers are generally on a network, so really by your logic I should be flattening the entire network every time anything remotely serious rears its head.

** the IT company we replaced for one of our larger clients did this, btw. it was a shitshow, every user down for multiple days, and viruses back in a month's time.

**** and yes, let me spend my time trying to "educate" the entire metro area of my city on how to properly operate a computer so they don't get a virus.




really, I mean, give me a better suggestion. I'm all ears.
You may be fleecing people for a piss-poor security service, but that doesn't mean it's effective at all. I feel like I should copy-paste my previous reply, because you're setting off all the red flags again. As it stands if you are capable of providing confident malware analysis in the space of 30-45 minutes you should really try to get a job in the security industry, we could really do with a man of your incredible talents.

Wiggly Wayne DDS
Sep 11, 2010



mindphlux posted:

Yes, I'm completely willing to do this, and have already several times. They are diagnostic tools that help identify malware, provide their user with logs, and allow me (or one) to rehabilitate otherwise unusable systems. And yes, of course scanning offline.

I've seen you troll other people enough to know I shouldn't continue seriousposting, but I'll just say this : you haven't provided any productive contribution to this discussion aside from flatten; reinstall. Give a better solution. v :) v
I don't see you providing contribution to a discussion. I've provided plenty of points for a discussion to occur, yet you are focusing on arguing with OSI bean dip over your incompetence. Flatten and install is the most effective solution, I'm sorry to have to break it to you.

Wiggly Wayne DDS
Sep 11, 2010



Khablam posted:

Beandip and Wiggly aren't wrong, they're just approaching the problem as though every piece of malware is custom written for their machine and they're a middle-eastern state starting a nuclear program. So you're just arguing a POV, and they won't ever budge. Just give up.

You can tear your hair out with their bizarre "prove a negative" nonsense or you can just ignore the crazies who spend far too much time thinking about this kind of thing.

You can play their game of "show me the evidence" and then they just claim the evidence is wrong, because they are right and it doesn't agree with them.
They're either the same person or have been jerking each other off so long they've fused, but it's functionally the same at this point.

e: Can either of you blowhards stop trying to play "prove the negative", and suggest a piece of malware that slips through the SOP you're stamping your feet about?
e2: I'm not in principle arguing against flatten and install, I'm saying your reaction (as usual) is to act like a couple of hyper paranoid monkeys to a 0.001% threat chance.
How informative, please go on.

Wiggly Wayne DDS
Sep 11, 2010



Geemer posted:

How do you trust your computer not to be infected already? Maybe it's such a good malware that you can't even find it.
You don't, and yes that is an actual possibility you have to consider.

quote:

Also, what do consumer protection laws in the US have to do with malware anyway? Malware is made to steal info or coerce the user to spend money, not the most legitimate business practices. Do you really think a malware writer stops to think if they are handling the passwords and credit card numbers they steal in accordance with the relevant legislation?

:allears:
It was to do with fraudulent usage of your banking account. Reading comprehension, much like risk assessment, is a hard problem but someday someone will solve it.
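
An added example, not code from anyone in this thread, to make concrete the disagreement running from the SOP post through to Geemer's "how do you trust your computer not to be infected already?" question. It contrasts the two ways of calling a machine "clean": a signature scan (which is what the listed cleanup tools do in effect) versus comparison against a known-good baseline manifest (which is what a flatten-and-reinstall gives you for free, since the image is the baseline). The disk contents, paths and signature string are all constructed for the demo; no real sample or vendor signature is involved.

```python
# Added example: signature scanning vs. known-good baseline comparison.
# Everything below (paths, file bytes, the "EVIL-DROPPER" signature) is
# constructed for illustration and is not from the thread or any real tool.
import hashlib
from typing import Dict, List, Set

# Constructed stand-in for a workstation's disk as captured from a trusted
# image before any incident (path -> file contents). A real baseline would
# cover OS and application binaries, not user documents.
BASELINE_FS: Dict[str, bytes] = {
    "C:/Windows/System32/kernel32.dll": b"known-good kernel32 bytes",
    "C:/Program Files/App/app.exe": b"known-good app bytes",
}

# The same disk after an incident: the obvious first-stage dropper (signature
# V1) has already been removed by a scan, but a renamed second-stage variant
# remains and a legitimate binary has been patched in place.
INFECTED_FS: Dict[str, bytes] = {
    "C:/Windows/System32/kernel32.dll": b"known-good kernel32 bytes",
    "C:/Program Files/App/app.exe": b"known-good app bytes + injected stub",
    "C:/Users/Public/svchost.exe": b"EVIL-DROPPER-V2 payload",
}

# Toy signature list: the scanner only knows the first variant.
TOY_SIGNATURES: List[bytes] = [b"EVIL-DROPPER-V1"]


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(fs: Dict[str, bytes]) -> Dict[str, str]:
    """Path -> SHA-256 manifest; this is what a trusted baseline stores."""
    return {path: sha256_hex(data) for path, data in fs.items()}


def signature_scan(fs: Dict[str, bytes], sigs: List[bytes]) -> Set[str]:
    """Return the paths whose contents contain any known signature."""
    return {path for path, data in fs.items() if any(s in data for s in sigs)}


def baseline_diff(manifest: Dict[str, str], fs: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Everything on disk that the trusted baseline does not account for."""
    current = build_manifest(fs)
    return {
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
        "modified": sorted(
            p for p in current if p in manifest and current[p] != manifest[p]
        ),
    }


def clean_by_scanner(fs: Dict[str, bytes], sigs: List[bytes]) -> bool:
    """The SOP's verdict: nothing matched a signature, so call it clean."""
    return not signature_scan(fs, sigs)


def clean_by_baseline(manifest: Dict[str, str], fs: Dict[str, bytes]) -> bool:
    """Known-good verdict: clean only if nothing deviates from the baseline."""
    return not any(baseline_diff(manifest, fs).values())


if __name__ == "__main__":
    manifest = build_manifest(BASELINE_FS)
    print("scanner says clean:", clean_by_scanner(INFECTED_FS, TOY_SIGNATURES))
    print("baseline says clean:", clean_by_baseline(manifest, INFECTED_FS))
    print("deviations:", baseline_diff(manifest, INFECTED_FS))
```

Two caveats carry the weight of the argument. The baseline has to exist before the incident and come from somewhere you trust; you cannot build one from the machine you already suspect, which is exactly Geemer's point. And the comparison has to be run from outside the suspect OS (an offline boot of the disk), because an implant with kernel-level access can lie to the file reads a live scanner performs. Both constraints are satisfied trivially by reinstalling from a known-good image, which is why that remains the only verdict you can defend.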

Wiggly Wayne DDS
Sep 11, 2010



Khablam posted:

You're the IT equivalent of the anti-vax people, where evidence there's no harm is just more proof to them there is, and no-one's opinion is worth anything to you if you disagree, and as such any differing opinion is moot to you. You have never "proven" anything in this or any thread, you've simply kept screaming whilst the people less invested walk away.
Anti-vax? Well we can talk about herd immunity, and how quacks make the situation worse but I feel like you may be on the wrong side of the argument in that case.

Wiggly Wayne DDS
Sep 11, 2010



Tapedump posted:

Wait, is this indicative of your own siding with the anti-vax stance, or is it just you drawing an analogy to the info sec argument here?

The answer is really, really important.
Analogy, but when we're talking about infections and how poor solutions make a situation worse the line really becomes blurred.

Wiggly Wayne DDS
Sep 11, 2010



mindphlux posted:

also let's not bother to provide any positive examples of what we think 'the right way' is, and instead just troll people on the internet, it will be great, I promise.
From the sounds of it you seem to be very keen on not learning anything, and are dismissing anything critical as trolling. When you're providing bad security services to lawyers you're well past the "positive examples" stage, and into the "beyond help" part of the process. I sincerely hope they are aware of the level of risk you are putting them and their clients' critically sensitive data at when you provide your services, or you're going to meet more lawyers in your future.

Wiggly Wayne DDS
Sep 11, 2010



mindphlux posted:

no, I actually have asked about 5 times for examples of how you guys propose to handle malware/virus problems in a reasonable amount of time. I outlined my SOP line by line, please outline yours line by line.

I don't claim that anything you're saying is technically incorrect, but flattening a system or spending hours isolating machines and doing packet/process traces every time a machine gets some java exploit or something is not practical.
Can you express to me the financial and reputational damage of your lawyer clients having malware after you've assured them that their system is clean? This isn't a situation where you can perform sloppy practices, especially not for a paycheck.

Wiggly Wayne DDS
Sep 11, 2010



i'm glad code signing certs are hard to obtain

Wiggly Wayne DDS
Sep 11, 2010



redeyes posted:

There are certainly problems with compromised certs recently but it seems like the industry revokes them pretty fast. I've yet to see a boot sector virus or anything like it on systems with secure boot enabled.
:laffo:
Signed drivers can have security vulnerabilities as well.

redeyes posted:

That was a question not a statement pal. Windows 10 is not Windows 8 so maybe this is fixed.
So maybe not so important other than theoretically?
Uh, I hate to break it to you but that's not how vulnerabilities work...

Wiggly Wayne DDS
Sep 11, 2010



Khablam posted:

- If the malware is invisible to a "free web tools" / paid AV analysis, why are you looking for it?
I mean I had an idea you were criminally negligent but this is a level beyond what I was thinking.

Wiggly Wayne DDS
Sep 11, 2010



This thread really wasn't doing anything important beforehand.

Wiggly Wayne DDS
Sep 11, 2010



Any lurkers who give a poo poo about security you're welcome to join us in http://forums.somethingawful.com/showthread.php?threadid=3712267

Wiggly Wayne DDS
Sep 11, 2010



MF_James posted:

yospos/whateverthefuckitisnow screams of serious posting about serious security seriousness
It really does though, here's a breakdown of x86 security:
