Linked by David Adams on Fri 23rd Apr 2010 15:58 UTC
Bugs & Viruses

A version of the McAfee antivirus software used in the corporate and public sectors misidentified the svchost.exe file in Windows XP systems as malware, sending the affected machines into a loop of restarts. Only users of McAfee VirusScan Enterprise on Windows XP service pack 3 were affected, but the fallout was pretty severe, with hospital and police systems among those taken down.
Thread beginning with comment 420591
State of AV today
by moondino on Sat 24th Apr 2010 02:44 UTC
moondino, member since 2010-03-27

Buffer overflow exploits via .pdf / .swf (sometimes Java applets, but less so) are the current infection points. If you have Adobe Reader and Flash installed and you aren't using Firefox + NoScript, you aren't as safe as you think you are. Adblock helps a bit. NoScript helps a lot, but even that isn't perfect if the top level domain you trust gets hacked and < iframe >'s you to a malicious .pdf file that then loads up a Zeus trojan .exe that no anti-virus can detect. (Zeus toolkits dynamically generate a different .exe and cannot be proactively detected well.)

Most anti-virus software today is reactive, not proactive. Only companies investing heavily in HIPS (Host Intrusion Prevention) are going to go anywhere in the future. Instead of looking inside executables, start detecting odd < iframe >s on pages, scan .pdf and .swf files for odd tags, and prevent sudden and unwanted changes to the registry from executables coming from the browser cache unless explicitly allowed.

Congrats to OSNews choosing a content / commenting system that strips the < iframe > tag, btw. Bravo.

Reply Score: 2
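The comment above sketches what a HIPS-style check on page content would look like: flag odd iframes rather than waiting for a signature on the executable they eventually drop. As an added example, not code from the thread or from any product it mentions, here is a small Python scanner that applies those heuristics to an HTML page: an iframe is reported when it is effectively invisible (zero or one pixel, or hidden by CSS), when it pulls content from a host other than the page's own, or when its source is a .pdf, .swf or .exe document. The sample page and its `.invalid` hostnames are constructed for this example.

```python
"""Heuristic check for hidden or out-of-place <iframe> tags in an HTML page.

Added example, not code from the OSNews thread. It scans a page for iframes
that are invisible (zero- or one-pixel size, display:none, visibility:hidden),
that pull content from a host other than the page's own, or whose source is a
.pdf / .swf / .exe document. The sample page below is constructed for this
example and uses .invalid hostnames.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXT = (".pdf", ".swf", ".exe")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 (bare numbers or pixels)."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def _hidden_by_style(style):
    """True if an inline style makes the frame invisible."""
    s = (style or "").lower().replace(" ", "")
    return ("display:none" in s or "visibility:hidden" in s
            or re.search(r"(?:width|height):0(?:px)?(?:;|$)", s) is not None)


def classify_iframe(attrs, page_host):
    """Return the list of reasons an iframe looks suspicious (empty if none)."""
    reasons = []
    if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
        reasons.append("zero-or-one-pixel size")
    if _hidden_by_style(attrs.get("style")):
        reasons.append("hidden by CSS")
    parsed = urlparse(attrs.get("src", ""))
    if parsed.hostname and parsed.hostname.lower() != page_host.lower():
        reasons.append(f"third-party source {parsed.hostname}")
    if parsed.path.lower().endswith(RISKY_EXT):
        reasons.append(f"loads {parsed.path.rsplit('.', 1)[-1].lower()} document")
    return reasons


def scan_page(html, page_host):
    """Return [(src, reasons)] for every iframe with at least one reason."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = classify_iframe(attrs, page_host)
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings


# Constructed sample: one legitimate same-origin widget and two hidden
# third-party frames of the kind the comment describes.
SAMPLE_PAGE = """
<html><body>
<h1>Front page</h1>
<iframe src="https://news.example.invalid/widget.html" width="300" height="200"></iframe>
<iframe src="http://ads.example.invalid/x/doc.pdf" width="0" height="0" style="display:none"></iframe>
<IFRAME SRC="http://cdn.example.invalid/player.swf" WIDTH=1 HEIGHT=1></IFRAME>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in scan_page(SAMPLE_PAGE, "news.example.invalid"):
        print(f"{src}: {', '.join(reasons)}")
```

The check is deliberately cheap and runs before anything is fetched, which is the point of the comment: a same-origin, visible iframe passes, while the two invisible third-party frames loading a PDF and a SWF are each flagged with every reason that applies. A real HIPS would feed these findings into a policy (block, prompt, or log) rather than merely printing them.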

RE: State of AV today
by David on Sat 24th Apr 2010 03:06 in reply to "State of AV today"
David, member since 1997-10-01

We didn't choose it, we built it! :-)

And do you (or anyone else out there) know whether Chrome's sandbox would protect against the buffer overflow exploits you describe?

Reply Parent Score: 1

RE[2]: State of AV today
by moondino on Sat 24th Apr 2010 17:38 in reply to "RE: State of AV today"
moondino, member since 2010-03-27

Well then, kudos to you guys! It's a refreshing and rare thing to see people care about sanitizing input.

I don't see Chrome's sandboxing preventing a PDF or SWF overflow from executing / accessing files, especially if the filesystem is FAT / FAT32. It all depends on how the PDF / SWF is written, and if UAC is enabled and the user is vigilant, etc.

A programmer buddy of mine who works at Kayako and now some web-based firm had a virtual machine infected, and he uses nothing but Chrome across the board. No prompts, just loaded a page with an advert and *BLAM* fake anti-virus pop-ups everywhere. Nothing that a roll-back can't cure, but it is possible and I'm not too surprised.

Open Adobe Reader RIGHT NOW and hit Edit -> Preferences. Under Internet, uncheck Display PDF in browser. Under Javascript, uncheck Enable Adobe Javascript. Congratulations, you are now much, much more secure than you were a minute ago. To go another step further, install Secunia PSI and scan your system occasionally; install any patches as needed.

I've seen every trick in the book: javascript functions that take in obfuscated text BACKWARDS to parse it into a URL, to hide the URL from AV / HIPS scanners. As soon as AV companies start to detect this kind of thing, the malware groups just add another layer. The rabbit hole goes deeper and deeper. There was one page that had functions written in ten different languages. ;)

malwaredomainlist is a great place for people to get their hands on this kind of code in the wild and experiment with it. Remember to lock your VM down if you do! I would even recommend running the Windows VM in a Linux host, just for absolute safety.

Edited 2010-04-24 17:46 UTC

Reply Parent Score: 1
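The reply above describes one obfuscation layer that defeats naive scanners: a URL stored backwards in a string and reversed by a JavaScript function before use. As an added example, not code from the thread, the following Python sweep shows the defender's counter-move as static analysis: it notes whether a script contains the split/reverse/join idiom, then tries every string literal both as written and reversed, and reports any form that looks like a URL or a .pdf/.swf/.exe name, so the hidden URL is exposed for blocking or logging without ever executing the script. The sample script and its `.invalid` hostnames are constructed for this example.

```python
"""Surface URLs hidden in reversed JavaScript string literals.

Added example, not code from the OSNews thread. A static sweep over a script:
it notes whether the split('').reverse().join('') idiom is present, then tries
every string literal both as written and reversed, reporting any form that
looks like a URL or a .pdf/.swf/.exe name. The sample script is constructed
for this example; its hostnames use the .invalid TLD.
"""
import re

# A quoted JS string literal, honouring backslash escapes inside it.
STRING_LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""", re.S)
# Absolute or protocol-relative URL.
URL_LIKE = re.compile(r"^(?:https?:)?//[\w.-]+(?:/[^\s'\"]*)?$", re.I)
RISKY_NAME = re.compile(r"\.(?:pdf|swf|exe)$", re.I)
# The idiom the comment describes: s.split('').reverse().join('')
REVERSE_IDIOM = re.compile(
    r"\.split\(\s*(['\"])\1\s*\)\s*\.reverse\(\s*\)\s*\.join\(\s*(['\"])\2\s*\)")


def uses_reverse_idiom(script):
    """True if the script reverses a string with split/reverse/join."""
    return REVERSE_IDIOM.search(script) is not None


def find_url_strings(script):
    """Return [(form, text)] for literals that are URL-like as-is or reversed.

    form is "as-is" when the literal itself looks like a URL and "reversed"
    when only its reversed form does; each literal is reported at most once.
    """
    found = []
    for m in STRING_LITERAL.finditer(script):
        lit = m.group(2)
        for form, text in (("as-is", lit), ("reversed", lit[::-1])):
            if URL_LIKE.match(text) or RISKY_NAME.search(text):
                found.append((form, text))
                break
    return found


def report(script):
    """Summarise what a HIPS-style content scanner would flag for a script."""
    return {
        "reverse_idiom": uses_reverse_idiom(script),
        "hidden_urls": [t for f, t in find_url_strings(script) if f == "reversed"],
    }


# Constructed sample: a reverse helper, one backwards URL, one harmless
# label and one ordinary URL. Only the backwards one is "hidden".
SAMPLE_SCRIPT = r"""
function r(s) { return s.split('').reverse().join(''); }
var a = "fdp.tnemucod/x/dilavni.elpmaxe.dab//:ptth";
var b = "innocent label";
var c = "https://news.example.invalid/page.html";
var u = r(a);
"""

if __name__ == "__main__":
    for form, text in find_url_strings(SAMPLE_SCRIPT):
        print(f"{form:8s} {text}")
    print(report(SAMPLE_SCRIPT))
```

Trying the reversed form of every literal costs nothing and catches the specific trick described; the obvious next layers (base64, character-code arrays, string splitting across several variables) would each need their own decoder in the same loop, which is exactly the arms race the reply complains about. Deobfuscating statically rather than running the script keeps the analysis safe to perform on a sample pulled from a feed like malwaredomainlist.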