Linked by David Adams on Fri 23rd Apr 2010 15:58 UTC
Bugs & Viruses

A version of the McAfee antivirus software used in the corporate and public sectors misidentified the svchost.exe file in Windows XP systems as malware, sending the affected machines into a loop of restarts. Only users of McAfee VirusScan Enterprise on Windows XP service pack 3 were affected, but the fallout was pretty severe, with hospital and police systems among those taken down.
Permalink for comment 420665
RE[2]: State of AV today
by moondino on Sat 24th Apr 2010 17:38 UTC in reply to "RE: State of AV today"
moondino
Member since:
2010-03-27

Well then, kudos to you guys! It's a refreshing and rare thing to see people care about sanitizing input.

I don't see Chrome's sandboxing preventing a PDF or SWF overflow from executing / accessing files, especially if the filesystem is FAT / FAT32. It all depends on how the PDF / SWF is written, and if UAC is enabled and the user is vigilant, etc.

A programmer buddy of mine who works at Kayako and now some web-based firm had a virtual machine infected, and he uses nothing but Chrome across the board. No prompts, just loaded a page with an advert and *BLAM* fake anti-virus pop-ups everywhere. Nothing that a roll-back can't cure, but it is possible and I'm not too surprised.

Open Adobe Reader RIGHT NOW and hit Edit -> Preferences. Under Internet, uncheck Display PDF in browser. Under Javascript, uncheck Enable Adobe Javascript. Congratulations, you are now much, much more secure than you were a minute ago. To go another step further, install Secunia PSI and scan your system occasionally; install any patches as needed.

I've seen every trick in the book: javascript functions that take in obfuscated text BACKWARDS to parse it into a URL, to hide the URL from AV / HIPS scanners. As soon as AV companies start to detect this kind of thing, the malware groups just add another layer. The rabbit hole goes deeper and deeper. There was one page that had functions written in ten different languages. ;)

malwaredomainlist is a great place for people to get their hands on this kind of code in the wild and experiment with it. Remember to lock your VM down if you do! I would even recommend running the Windows VM in a Linux host, just for absolute safety.

Edited 2010-04-24 17:46 UTC

Reply Parent Score: 1
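The "write the URL backwards so the scanner never sees it" trick the comment describes is cheap to spot statically once you know to look for it. The following is an added example, not code from the post or from any real AV or HIPS product: a small script scanner that recovers the hidden text from the usual `.split('').reverse().join('')` chain, and also flags any string literal that only turns into a URL or executable name when read backwards (which catches the manual `for` loop variants too). The regexes, the `URL_HINT` heuristic and the `SAMPLE` script are all constructed for this example; it does not decode escape sequences inside literals, so a real analyst tool would need that pass as well.

```javascript
// Added example (not from the original post or any product): static check for
// reversed-string obfuscation in script text, written from the analyst's side.
// All patterns here are assumptions about common code shapes, not a signature set.

// Pattern 1: "..." .split("").reverse().join("") with either quote style.
const REVERSE_CHAIN =
  /(["'])((?:\\.|(?!\1).)*)\1\s*\.split\(\s*(["'])\3\s*\)\s*\.reverse\(\)\s*\.join\(\s*(["'])\4\s*\)/g;

// Pattern 2: any plain string literal, so loop-based reversal is caught by content.
const STRING_LITERAL = /(["'])((?:\\.|(?!\1).)*)\1/g;

// Things that, read the right way round, suggest a hidden fetch target (assumed list).
const URL_HINT = /^(?:https?:\/\/|\/\/)|\.(?:exe|dll|scr|pdf|swf)\b/i;

function reverseString(s) {
  // Array.from keeps multi-byte characters intact, unlike s.split('').
  return Array.from(s).reverse().join('');
}

// Returns one finding per suspicious literal: where it is, which rule fired,
// the text as it appears in the script, and the text read backwards.
function scanScript(scriptText) {
  const findings = [];
  const seen = new Set();
  let m;

  // Pass 1: an explicit reverse chain is a strong signal whatever the content.
  REVERSE_CHAIN.lastIndex = 0;
  while ((m = REVERSE_CHAIN.exec(scriptText)) !== null) {
    seen.add(m.index);
    findings.push({
      offset: m.index,
      rule: 'reverse-chain',
      obfuscated: m[2],
      recovered: reverseString(m[2]),
    });
  }

  // Pass 2: a literal that is not URL-like as written but becomes URL-like reversed.
  STRING_LITERAL.lastIndex = 0;
  while ((m = STRING_LITERAL.exec(scriptText)) !== null) {
    if (seen.has(m.index)) continue; // already reported by pass 1
    const recovered = reverseString(m[2]);
    if (URL_HINT.test(recovered) && !URL_HINT.test(m[2])) {
      findings.push({
        offset: m.index,
        rule: 'reversed-url-literal',
        obfuscated: m[2],
        recovered,
      });
    }
  }
  return findings;
}

// Constructed sample script for the demo; example.invalid is a reserved name and
// nothing here fetches anything.
const SAMPLE = [
  '// constructed sample, not real malware',
  'var a = "lmth.daolyap/dilavni.elpmaxe//:ptth".split("").reverse().join("");',
  'var b = "exe.elpmas/dilavni.elpmaxe//:ptth"; var c = "";',
  'for (var i = b.length - 1; i >= 0; i--) { c += b.charAt(i); }',
  'var d = "http://example.invalid/plain.js";',
].join('\n');

// Usage: prints the two hidden targets; the plain forward URL on the last line
// is deliberately left alone because it was never hidden.
for (const f of scanScript(SAMPLE)) {
  console.log(`${f.rule} @${f.offset}: ${f.obfuscated} -> ${f.recovered}`);
}
```

The point of the second pass is that detecting the exact call chain is what the comment says the malware authors route around next; keying on "what does this literal look like when reversed" survives a change from `.reverse()` to a hand-written loop, though the next layer (split into chunks, hex escapes, `unescape`) needs its own normalisation step.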