[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ale] [OT] Databases of viruses/malware
Your best defense against zero day is to use good firewalls (hardware
and software), have well patched computers, and have users trained in
safe computing. (Yeah, I know, "trained users" is somewhat of an
oxymoron. "Trained responsible users" is really an oxymoron.) Clicking
email links is a huge vector which is largely avoidable. They should
understand not to invite things in through the firewall. Granted, on
websites, you can't always tell what's malicious. They should be trained
to avoid phishing and social engineering attacks, to the extent
possible. Running as an average user, rather than a super user with User
Account Control on (in Windows) or the default functionality in Ubuntu
is very helpful if something tries to execute with elevated privileges.
Of course, if you have the admin password, and you type it in, you're
toast. Running with scripting disabled in the browser and in PDF files
is very helpful, in my opinion, essential. Also, in my opinion,
disabling autorun / autoplay for all CD / DVD drives and USB ports is a
biggie. Firewire too, if applicable. A user in a corporate environment
should NEVER be able to pop in his memory stick and immediately get
infected. That is the new floppy disk, and the new vector. Viruses used
to spread like wildfire on college campuses via floppy disk. However, he
should still be able to use the memory stick for data storage. Likewise,
the janitor should never be able to pop in his memory stick and infect
the users' PC's. Of course, if he has time alone with the PC, it get's
much harder to protect. Things like bios boot passwords, and disabling
CD / DVD / USB boot, and physically locked cases come into play; and not
all PC's even support those features. If you can survive a few days
without getting the latest THING, your virus scanner(s) will probably be
updated and will be able to scan it, at the expense of all the poor
souls who originally caught the THING.
As I mentioned in another post, a technical college I worked for used
DeepFreeze to return every PC to a known state every night, just by
rebooting. I find that fascinating, but I'm not using personally because
of frequent data that I store and frequent updates, which are a problem
in that scenario. In any case, at the college, the lifetime of a virus
on a frozen PC is limited to 24 hours, because the PC's always get
rebooted or shut down at night.
This is one big reason I'm running Linux. At the moment, I'm not running
AV on it, but that may change over time. However, the family still runs
Windows, and I boot into Windows periodically to do things I cannot do
in Linux, so I still have to maintain that.
I note that Firefox, and Java work the same regardless of platform, so I
would think there is still a risk from infected web pages. (I use
NoScript to disable scripting on all non trusted sites.)
Flash is also the same on all platforms, so all platforms may have risk.
(Yes, I use Flash. Gotta have it for Pandora, Hulu, Youtube, and some
web conferencing sites.)
Also, with Wine on board, I'm capable of running native Windows
executables, so there might be a risk there too.
That brings up some Linux related questions:
1) Does the document viewer, which reads PDF's in Ubuntu, have
2) Leo Laporte, of the TWIT podcast network, recommends Foxit for
reading PDF's rather than Adobe. It's available for Linux here:
It looks like it comes as a tarball. Does anyone know how I can install
it through Synaptic or Apt, so I get auto updates?
3) How do I turn off autoplay / autorun in Ubuntu? I specifically DON'T
want anything autoexecuting on insertion of CD / DVD / USB.
4) Does Ubuntu and Linux in general have Data Execution Protection?
5) Is anyone aware of studies of security risks related to Wine?
Any help with these issues is greatly appreciated.
On 03/02/2011 10:44 PM, Greg Freemyer wrote:
> This is an awful long thread to not even mention:
> Malware factories usable by techno-phobes.
> The resulting 10's of thousands of unique zero day attacks per day!!
> Rootkits are last decade. Zero day attacks work better and are easy to create.
> Standalone boot cd's are useless against a zero day.
> Go Linux!
> On 3/2/11, Ron Frazier<atllinuxenthinfo at c3energy.com> wrote:
>> A valid question. The best way to fix a virus is never to catch one.
>> However, the post JD wrote which I replied to assumed a virus had been
>> detected and he was discussing how to get rid of it. I'll give you the
>> best answer I can. If I wipe the drive, and reinstall the system and non
>> infectable data files, then I would trust the computer. Then, I would do
>> routine virus scans, have live on the fly scanning active, and have data
>> execution protection on in the OS (if it's Windows) and the browser (if
>> it's IE). I would watch for anomalous events such as crashes, non
>> requested reboots, error messages, etc. I would watch for reports of odd
>> computer behavior from the users, missing or corrupt data, reports like
>> "I got this email from IT and clicked the link" or "what was that urgent
>> system maintenance thing yesterday (when there was none), etc. If I have
>> much probable cause at all, I'll reboot with a few different AV rescue
>> CD's and scan independent of the OS. For truly sensitive PC's and users,
>> I might wipe the drive and reinstall just based on probable cause alone.
>> Of course, I would immediately pursue and try to confirm any reports of
>> active viruses by the AV scanner.
>> To actually answer your question, there is no sure fire way to detect
>> these things. Just like organized criminals, the really good ones never
>> get caught. There are millions of users with infected computers who
>> don't even know it. The virus writers use the compromised PC's to join
>> bot nets, silently commit cyber terrorism, and steal confidential data
>> which is sold on the black market.
>> Security professionals feel free to jump in here.
>> On 03/02/2011 09:08 PM, Pat Regan wrote:
>>> On Wed, 02 Mar 2011 20:58:02 -0500
>>> Ron Frazier<atllinuxenthinfo at c3energy.com> wrote:
>>>> The problem is, you may never know if the remedy failed. If the virus
>>>> returns in a mutated form, or in rootkit form, it may not show any
>>>> evidence of it's presence until you boot another OS and scan again,
>>>> which may be weeks or months or never. In my opinion, if a machine is
>>>> compromised, the only way I can trust it again with confidential
>>>> data, for sure, is to wipe the drive.
>>> How do you know when to stop trusting it again? If it is hiding that
>>> well then how did you find it in the first place? :)
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new messages very quickly.)
770-205-9422 (O) Leave a message.
linuxdude AT c3energy.com