Previous in Forum: Call To Function '_asm' Without Prototype   Next in Forum: Needed: Earthlink Technical Help
17 comments
Power-User

Join Date: May 2013
Posts: 293
Good Answers: 3

A Few Words on Malware

08/21/2013 3:34 PM

I was surprised how ignorant some of our members might be about malware. Some huge misconceptions are:

1) If I keep my antivirus and other software up-to-date I am secure.

2) The only sites I need to be wary of are disreputable sites.

3) I need to click on something to get infected.

4) The most common way to get malware by email is by opening an attachment.

1) Simple antivirus software that relies on scanning for detection is becoming fairly useless. You still need old-fashioned defense for old-fashioned malware, but you need more to be safer. A good firewall is more valuable than AV protection. Botnets have enough computing power to monitor ALL IP addresses. One group would ping for ports; another group would attack known IP addresses that did not stealth their ports. It is very likely that there are dozens of botnets with more than 10 million zombies. The biggest botnet that was taken down had 30 million zombies; that was a few years ago. The smarter and stealthier they are, the bigger they will become. If you think monitoring IP addresses is a figment of an active imagination, I am sure botnets at least monitor zombie IP addresses. After I re-imaged my computer and connected to my home network I instantly (less than a second) saw a message that I had an incoming connection, asking whether I wanted to let it pass through the firewall. I had not set the firewall to high alert status when I made the image. I used to connect to the internet after I installed my OS to get it verified. I know now I probably let malware into my computer from the get-go. A college ran a test a few years back and monitored attacks on a freshly installed computer that was just on and connected to the internet. The average attack time was 30 minutes. I suspect in the age of the botnet the attacks are far more frequent.

1) Here are some important excerpts from the link below - most malware created in the last 12 months mutates and often employs one or both of the other protections. This is the only web page I have found that did not preach any of the 4 fallacies. The code mutations are probably created in real time if an injection port is used to infect your computer. This is probably the most common method of attack since it is so successful. Early this year hackers broke into Norton and stole a good bit of their anti-virus source code. By now some hackers know how to avoid detection by Norton products.

http://www.securelist.com/en/threats/detect?chapter=74

· Code mutation is mixing the Trojan's code with 'spam' instructions, resulting in the change of its appearance, whilst retaining the Trojan's functionality. Sometimes mutation happens in real-time, i.e. every time that a Trojan is downloaded from an infected website. It means that all, or almost all, Trojans that are downloaded to users' computers are different. The Warezov mail worm, which caused some serious epidemics in the second half of 2006, is an illustration of this technique.

· Stealth techniques. The so-called rootkit technologies generally employed by Trojans are used to intercept and substitute system functions which make the infected file invisible to the operating system and antivirus programs. Sometimes even the registry branches where the Trojan is registered, along with other system files, are hidden. These techniques are actively used by the HacDef backdoor Trojan, for example.

· Blocking antivirus programs and antivirus database update systems. Many Trojans and network worms take special actions directed against antivirus programs - they search for them in the list of active applications and try to block them, damage their antivirus databases and block their update processes, etc. Antivirus programs have to defend themselves adequately by controlling the integrity of their databases and by hiding their processes from Trojans, etc.

2) Porn sites may be a great place for infections, but even the most reputable sites like Microsoft sites can be infected for a few days. I discovered after being attacked using Hotmail that Microsoft relies heavily on contractors and that Hotmail might have up to a dozen different contractors maintaining different functionalities. Ads are a favorite attack vector. I use Adblock with Firefox to eliminate that common threat.

3) Web page infections are usually carried out as you open the page. If you did click on a "bad link", by the time you see the page the damage is done.

4) The most common way to get infected by email is by clicking on a link provided. The email will come from a friend and the message will contain a plausible reason to click on the link.

The new tech advice I have received is: if you think your computer is infected and your anti-virus can't find any malware, wipe your C: drive and start over. It is suggested that you image your computer before it has attached to the internet.

Some of the biggest botnets taken down - http://en.wikipedia.org/wiki/Botnet

The biggest taken down so far had 30 million zombies. That is a considerable amount of attack power. For instance, a botnet of only a million zombies was breaking passwords by brute force on web sites using certain website engines. The botnet used the assumption that the default admin user ID was never changed for several website engines that had default passwords. Because the login attempts were each carried out by a million different zombies with only 1 attempt on a site per day, the 3-strike rule did not lock out the zombie's IP address from logging in. Once in, it infected the web pages with a disturbing arsenal of attacks. These are JavaScript malware and hidden injection ports/frames. Both attack as you open the page. By the time you can see the page, any saved passwords you have and any stored FTP information have been uploaded to the attacking servers and malware has been downloaded on to your computer. Webmaster tools save the web site login information so you do not need to enter all the connection info every time you make a change to a web site. The most disturbing trend is how many different hidden injection frames are being used. In the kinder, more gentle time of years past there would be 2 ports. A port is a portal to a different server than the host server for the web site. Hackers used to use 2 ports just in case one server was down during the attack; the other could carry on the attack. Hackers do not need 6-8 ports for redundancy. They probably keep 2 for themselves for redundancy. I fear the extra 4 to 6 ports are paid-for connections. One thing is for sure: by being attacked by many attack servers using different or even the same tactics, the black hats have a much better chance of breaking through the meager defenses of a PC than a single-server attack.

The payments could be either credits or cold cash. The credits would be when botnets working together infect web pages with ports to other botnet servers. Cash payment could be government funding. The hackers could receive a penny or less for each IP address infected. These military-grade botnets could stay dormant until needed. It only took a few tens of thousands of zombies to break down the Pentagon defenses. An attack of 50 million could devastate our infrastructure and government communication. The Pentagon attack had no agenda other than to show how powerful and evasive a botnet could be. They underestimated what the US government could do if provoked. No one has tried that prank on any major government since.

Lastly, I like to browse the internet inside a Sandboxie sandbox. It gives you an error message if something tries to alter the browser while it is in the sandbox. This happens far too often for my liking. I suspect my security on my home computer is much higher than most of your home computers, and I am still getting attacked more than once every 20 hours online, or about once in 2-3 weeks. To get this message the attack made it through my router with both NAT and packet scanning protection. I cannot afford a router with deep scanning protection. It has faked out the top-rated firewall with most settings at maximum alert. Any higher and I can't surf the web, etc. It fooled 2 packages that are supposed to be watching for attacks like that. The new beta package from Malwarebytes is supposed to focus on just such an attack. This is not the AV package but something altogether new.

Browser attacks are a favorite target of the new age malware. Browsers have permission to send and receive through the firewall. It is invisible to malware detection tools such as HijackThis. HijackThis will only report that your browser is running if it is. The malware does not need to be running all the time since it will be running when it can do the most mischief. It can add a malware package to anything you download as well as log what you send out to the internet. This is better than a keylogger which can be foiled by a cut and paste of a password.

Feel free to straighten me out!

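The distributed password guessing described in the post above (one attempt per zombie per site per day, so a per-IP three-strike lockout never fires) is easier to catch by aggregating failures per target account across source IPs. Added example, not from the original post; the log format, account names and sample lines are constructed:

```python
"""Detect low-rate, many-source password guessing against one account.

Constructed sample auth log (hypothetical format, not real data):
    <ISO timestamp> <site> <username> <source_ip> <OK|FAIL>
Each attacking IP fails only once, so a per-IP lockout never triggers,
while counting distinct failing sources per account does.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2013-08-20T00:01:05 blog.example.test admin 203.0.113.10 FAIL
2013-08-20T00:03:41 blog.example.test admin 198.51.100.7 FAIL
2013-08-20T00:05:12 blog.example.test admin 203.0.113.77 FAIL
2013-08-20T00:09:58 blog.example.test admin 192.0.2.55 FAIL
2013-08-20T01:15:30 blog.example.test alice 192.0.2.20 OK
2013-08-20T02:22:07 blog.example.test admin 198.51.100.99 FAIL
2013-08-20T03:40:19 blog.example.test admin 203.0.113.200 FAIL
2013-08-20T04:01:00 blog.example.test bob 192.0.2.21 FAIL
2013-08-20T04:01:30 blog.example.test bob 192.0.2.21 OK
2013-08-20T05:12:44 blog.example.test admin 192.0.2.140 FAIL
"""


def parse_log(text):
    """Parse the constructed log into (time, site, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, site, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), site, user, ip, result))
    return events


def per_ip_lockouts(events, strikes=3, window=timedelta(days=1)):
    """Classic "3 strikes" rule: lock an IP out after `strikes` failures
    against one site inside `window`. Returns the set of (site, ip) locked."""
    fails = defaultdict(list)
    locked = set()
    for ts, site, user, ip, result in events:
        if result != "FAIL":
            continue
        key = (site, ip)
        fails[key] = [t for t in fails[key] if ts - t <= window] + [ts]
        if len(fails[key]) >= strikes:
            locked.add(key)
    return locked


def distributed_guessing(events, window=timedelta(days=1), min_sources=5):
    """Aggregate failures per (site, account) across *all* source IPs.
    Flags an account once at least `min_sources` distinct IPs have failed
    against it inside `window`, however few attempts each IP made.
    Returns {(site, user): number_of_distinct_failing_sources}."""
    alerts = {}
    sources = defaultdict(dict)  # (site, user) -> {ip: last failure time}
    for ts, site, user, ip, result in events:
        if result != "FAIL":
            continue
        key = (site, user)
        sources[key][ip] = ts
        recent = {a for a, t in sources[key].items() if ts - t <= window}
        if len(recent) >= min_sources:
            alerts[key] = len(recent)
    return alerts


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("per-IP lockouts:", per_ip_lockouts(ev))          # nothing locked
    print("distributed guessing:", distributed_guessing(ev))  # admin flagged
```

The per-IP rule sees at most one failure per source and locks nothing; the per-account view shows seven distinct sources failing against `admin` within the day.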
Guru
Engineering Fields - Mechanical Engineering -

Join Date: Sep 2009
Posts: 1651
Good Answers: 71
#1

Re: A Few Words on Malware

08/21/2013 4:23 PM

It sounds like the deck is stacked against me. What are my options if I am not knowledgeable or trained well enough to do what you have done? Do I go with a Linux machine or (shudder) a Mac?

Drew K

__________________
Question: What is going on with the American's Government? Response: Who is John Galt?
Guru

Join Date: Aug 2012
Location: Land of Fruits and Nuts
Posts: 4481
Good Answers: 54
#3
In reply to #1

Re: A Few Words on Malware

08/21/2013 11:34 PM

Drew, I thought a Mac was safe, but years ago, my sister's Mac was hit with a bad virus.

I think the best defense is to be smart. You know the drill!

__________________
Enjoy and be happy! Life is too short!
Guru

Join Date: Jun 2010
Location: New York
Posts: 972
Good Answers: 23
#2

Re: A Few Words on Malware

08/21/2013 7:00 PM

Pro-tip: don't click links from less than reputable people.

__________________
The first law of thermodynamics is you do NOT talk about thermodynamics.
Guru

Join Date: Mar 2007
Location: Etherville
Posts: 12362
Good Answers: 115
#17
In reply to #2

Re: A Few Words on Malware

09/17/2013 4:49 PM
__________________
For sale - Signature space. Apply on self addressed postcard..
Associate

Join Date: Jan 2007
Location: Raleigh, N.C.
Posts: 49
Good Answers: 1
#4

Re: A Few Words on Malware

08/22/2013 1:05 AM

Malwarebytes software has proven, at least to me, to be the best anti-malware protection out there. I'm sure most of you are more knowledgeable about computers and their inner operations, but it has saved me on numerous occasions.

__________________
"You can fool some of the people all of the time and you can even fool all the people some of the time, but you can never fool all the people all of the time." Abe Lincoln
Guru
United Kingdom - Member - Old New Member

Join Date: Jul 2005
Location: South east U.K.
Posts: 3695
Good Answers: 93
#5

Re: A Few Words on Malware

08/22/2013 4:18 AM

There was a BBC Horizon documentary relating to this earlier in the week, available here. A real eye opener.

__________________
I didn't have a really important life, but at least it's been funny (Lemmy Kilminster 1945-2015)
Guru
Hobbies - Fishing - New Member

Join Date: Jun 2008
Location: Raleigh, NC USA
Posts: 13529
Good Answers: 468
#6

Re: A Few Words on Malware

08/22/2013 7:00 AM

I do a scan and clean up about once a week, which seems to work.

What worries me the most, is when hackers gain access to whatever the NSA is using to pry into our lives. Given the absolute sloppiness of our government agencies, it's a matter of when, rather than if it will happen.

We've already had, (at least), two low level people simply walk out the door with classified information; it's only a matter of time until a smart person gets in and steals the software that makes the government spying possible.

It's not going to be good.

__________________
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Ben Franklin
Guru
United Kingdom - Member - Old New Member

Join Date: Jul 2005
Location: South east U.K.
Posts: 3695
Good Answers: 93
#7
In reply to #6

Re: A Few Words on Malware

08/22/2013 10:02 AM

They don't even need to get in the door. We've had several instances of government officials losing laptops with sensitive information. We have also had records turning up at refuse tips.

__________________
I didn't have a really important life, but at least it's been funny (Lemmy Kilminster 1945-2015)
Power-User

Join Date: May 2013
Posts: 293
Good Answers: 3
#8

Re: A Few Words on Malware

08/22/2013 11:18 AM

Drew K - Your concerns are very valid. I am glad I have aroused some concern. The black hats have made much more progress than the white hats this century. They are probably better organized and are not deterred by politics as the white hats are. Most programmers are managed by less technical and more politically savvy managers. I have been told the hackers have their own blog sites and can post software for free or for a cost. The routine to mutate software has been shared for about a year. There is even a service: if you choose not to mutate your code, you can pay for a service that will verify your malware is not in any AV scanner lists. Yes, there is very good reason to be concerned.

What to do -
1) Maintain a virus scanner, but if you have a paid version you might opt for a good free one. I am using free Avast because it was top rated a year or so ago; it allows you to install it as a secondary scanner so you can run it in parallel with another scanner.
2) Get a top-rated firewall. Comodo and ZoneAlarm are the 2 most popular. I will note that the Symantec security suite may have a decent firewall. I couldn't use it because I couldn't figure out how to configure real-time scanning. I have many 2T drives loaded with test data. Norton insisted on scanning all of the data. Even if I could have kept the scanning to C: it would have been usable. Whatever firewall you use, you need to be able to 'stealth' all your ports. When all your ports are stealthed, probes can't detect if your computer is even online. Stop all incoming traffic. With Comodo you can also stop fragmented traffic. This is a double-edged sword. You may interrupt real fragmented traffic, but the way hackers get through your firewall is to make a packet that appears to be a reply from a fragmented connection. Personal firewalls keep a certain number of requests in a buffer. If the reply returns in a normal amount of time they can match the incoming with the outgoing. If the reply is delayed, the request will not be in the buffer. If you allow fragmented traffic, the firewall will let it pass. If fragmented is off, even a valid reply will be denied access through the firewall.
3) Use a botnet-age heuristic scanner. These are new; they monitor processes, not files. If a monitored process is altered, you are warned and you can investigate. Malwarebytes has a free one and Comodo Internet Security is another one. If you use the Comodo firewall, which is part of their internet security system, or the free firewall, you should check the option to use the Comodo DNS server. The DNS server translates a URL into an IP address, which is how your browser finds the URL. It is easy to alter your DNS setting to a different server. If you are using a hacker DNS server you can be directed to fake sites to take your money, and your automatic updates can contain malware. With the setting on, the only DNS requests that are allowed through the firewall are to the Comodo server.
4) All the above is a waste of time and effort if there is malware on your computer. There are ways to open a port and pipe a VPN (IP tunnel) through a firewall if you are on the inside. Most modern botnets use VPN to remain stealthy. You need to download at least the firewall from a trusted computer. Then start with a fresh computer. I would image C: using Acronis; there are free versions for WD and Seagate disks. I make my first backup before I connect to the internet. I have 3 backups; phase III has all my core applications. Phase I is completely virgin, II is very safe and III contains software whose install goes to the internet to get the latest version. I have a high level of confidence that my III is clean, but I would not stake my life on it. If something is even slightly suspicious, I reimage. I keep all my data on a different drive. The data is very unlikely to contain malware. The real threat, botnets, do not infect anything. The pieces of software will appear benign, and are, but work as a team to produce a malicious effect.
5) I browse using Adblock and Sandboxie. Comodo allows easy sandboxing and Chrome is self-sandboxing. Even so, I prefer Sandboxie because it warns you when something tries to alter your browser. It is also more accessible to the user. The user controls when to destroy the sandbox. Flushing your sandbox is the ultimate privacy. All your cookies, history, etc. are in your sandbox. I often browse the sandbox to see what is going on. You can see how good your security is. When my security was more lax I would find exes and dlls in the system folders. I would scan the sandbox to see if the scanners would find the malware. They never did. Now my sandbox is riddled with empty folders. I see these as signs of thwarted attacks. The black hats were allowed to create the folder but the package was never delivered. I acquire hundreds of folders per hour of browsing, so I figure it is a very dangerous world.

kramarat - I would worry more about hackers than our government, though I do worry about the IRS audits and the NSA's grab for data. I was surprised that the IRS was after Zionists as well as conservatives. Jews are mostly Democrats. I am surprised they were not auditing all Republicans. Still, our government doesn't stoop to highly illegal activities, which are the hacker's domain. They WILL steal your personal information. They will probably use your computer to carry out criminal activities. My son knew some college buddies who had their door smashed in by a Homeland Security SWAT team; the household was handcuffed at gunpoint and all their computer and tech stuff was taken without any explanation. I explained to my son their computer must have been involved with the attack on the Pentagon, which happened a few days before the break-in. They were given back all their stuff a few months later. When they complained about the broken door, the mess from the tossing of their apartment, etc., they were told they were lucky they were not going to jail. I suspect you are liable for damages your computer does even if the real culprit was malware.

People make mistakes especially careless ones and we are all careless when rushed and have many things on our mind.

Nigh - Most govt laptops have been encrypted for many years, even if there is no sensitive info on them. A spy could crack the laptop if it held valuable information, but I doubt that they are plentiful, and many laptops may have a bar code but not the agency logo. That means they are buying a pig in a poke, which is the real value of encryption. It can be cracked with effort, but you have to pay the price to see if there is anything worthwhile.

Guru
United Kingdom - Member - Old New Member

Join Date: Jul 2005
Location: South east U.K.
Posts: 3695
Good Answers: 93
#9
In reply to #8

Re: A Few Words on Malware

08/22/2013 5:34 PM

"I am using free Avast because it was top rated a year or so ago it allows you to install it as a secondary scanner so you can run it in parallel with another scanner."

I often see advice not to have 2 antivirus programmes because they can conflict???

"Still our government doesn't stoop to highly illegal activities which are the hacker's domain."

The Horizon documentary I referenced earlier suggested that the US government was responsible for malware designed to target Iranian nuclear facilities.

"It can be cracked with effort but you have to pay the price to see if there is anything worth while."

Some laptops have ended up in the hands of news agencies who have extracted embarrassing data.

__________________
I didn't have a really important life, but at least it's been funny (Lemmy Kilminster 1945-2015)
Power-User

Join Date: May 2013
Posts: 293
Good Answers: 3
#10

Re: A Few Words on Malware

08/23/2013 9:41 AM

I often see advice not to have 2 antivirus programmes because they can conflict???

That is to avoid a conflict. Some AVs conflict, some do not. If you run 2 in parallel you must be aware of this, and in some instances 1 AV must go. I have run 2 in parallel for 20 yrs. I started this practice back when that was considered prudent. The problem was if a clueless user installed two AVs that both wanted to have complete control of everything. These users blame the AVs, not their own stupidity. AV companies now discourage this practice so they can't be blamed. At least one package needs to be highly configurable. I always used 2 highly configurable ones. You must configure them NOT to conflict. I have only been interested in scanning incoming and outgoing files. I only manually scan each non-C: disk a few times a year.

However, if you install Avast as a secondary it will not cause a conflict. Avast is a better AV than what I am using, Comodo; however, the Comodo security suite for $20/yr just received the top rating for security suites. The firewall is top rated and it also watches processes and monitors newly installed applications. It is probably no protection if a hacker can get through the firewall and a DLL gets replaced. I have only recently disallowed fragmented streams. I haven't seen anything bad yet, and my sandbox has mostly empty folders, which is a good sign. I am hoping the files are just normal cookies. I am too lazy to check through the maze of 500 folders, created in an hour of browsing, looking for the dozen files.

Some laptops have ended up in the hands of news agencies who have extracted embarrassing data.

Aha yes! I never thought about them. They know there is probably at least one embarrassing item on any laptop no matter where it came from. I bet they pay well to boot. I now see the danger. I learned something today.

Guru
Engineering Fields - Nuclear Engineering - New Member

Join Date: Sep 2009
Location: Louisville, OH
Posts: 1925
Good Answers: 36
#11

Re: A Few Words on Malware

08/23/2013 11:56 AM

Maybe I'm lucky, but I have had no problem that I know about. Your post seems like gloom & doom; is it really that bad?

I have one AV, which is AVG, but scan manually several times a month with Superantispyware, and once a month with Malwarebytes. Perhaps my "secret" is that I turn the computer totally off all night every night; I'm thinking that makes me less of a target. Also put the computer to sleep several times a day, but I don't know if that affects Internet incoming stuff.

The old RR modem had a standby button that took me offline several times a day, but an electrical storm took it out. The new one does not have a standby; the only way to shut it off, off line, is to unplug it which I haven't done.

One of your posts mentioned configure to not interfere--I don't know how!

Comments?

__________________
Lehman57
Power-User

Join Date: May 2013
Posts: 293
Good Answers: 3
#12

Re: A Few Words on Malware

08/23/2013 12:46 PM

We don't really know. How can you know how many computers are infected by undetectable malware? Panda reports 60,000 new strains discovered each day. I doubt that there are enough hackers to produce that many new packages every day. These would probably be mostly mutations and not truly new malware. I suspect detection occurs when more than one malware fights over a resource, the computer acts up and the computer goes to the shop. A study was made at the end of last year. The test was to discover if the top 4 AVs could detect the new wave of stealth malware. Each of the top 4 AVs never detected any of the 80 attacks. The main criticism was that this new wave is too sophisticated to be common and the public shouldn't worry about it. The level of attacks on web sites has been unprecedented and has greatly upset the web community. It made the news outside the tech community. I am guessing: why would this danger be so rare? I personally suspect it is probably common since most computers have no protection against such a threat. The malware propagates through infected web sites, and that is up 50 - 100% over last year, so why would you think you have not been attacked?

You must be the judge. I have taken the extreme and have done what I can to prevent these attacks, but many see me as paranoid. I see them as ostriches. Lastly, the AV companies are swamped by all the new malware. Panda is a small company, not part of the top 4 AV companies. This and the fact that mutating software has been available for download for a year. Why wouldn't you use it? Hackers are far from stupid.

Power-User

Join Date: May 2013
Posts: 293
Good Answers: 3
#13

Re: A Few Words on Malware

08/23/2013 2:42 PM

Lastly, I am completely not gloom and doom. The white hats have some pretty smart guys. They are working on outsmarting mutating malware. Just google mutating malware; I get 120,000 hits. Many are theories on how to detect the undetectable. Here is a great article explaining the evolution of the new dreaded server-side polymorphism malware. Watch the video! A non-tech can easily grasp the problem with crystal clear clarity. I have read articles, but this video shows how the process works and why malware has shifted to server-side attacks. The attacking server can also have hundreds of times more computing power than your PC.

http://nakedsecurity.sophos.com/2012/07/31/server-side-polymorphism-malware/

I have mentioned how you can protect your computer. Your best protection is your firewall. Great industrial firewalls are too expensive for home use, but high-end personal firewalls are a must. At minimum you need to stealth all your ports and block all incoming connections. These would not be replies to your computer processes like your browser, but a connection out of the blue trying to get into your computer. Microsoft OS firewalls cannot protect you from these types of attacks. A few years ago 'drive by' attacks were rare. No human is going to take the time to break into your computer. It is not worth their time. However, your computer is well worth a zombie's time to attack. Remember the hacker doesn't even pay for the electricity to run the zombie. It is a completely free asset, easily captured.

I suggest downloading a free copy of Malware bytes anti-malware beta http://www.pcworld.com/article/254738/malwarebytes_anti_malware_free.html

As the article states it is not a good AV scanner but it is superior at detecting unknown malware.

Browse sandboxed. Chrome comes with its own sandbox, Comodo internet security allows sandboxed browsing by clicking on the browser icon from within the Comodo control box which is always visible when connected to a network. My favorite is Sandboxie because it provides more control for a techie user.

NEVER save passwords or keep yourself logged in to any site you don't want someone coming in as you. These are the first things malware servers steal from your computer. Maybe you have known someone that had their email box taken over so it could send email with a poison link to everyone in their contact list. This is one of the ways this type of malware propagates. Just because your mail box did not get taken over does not mean you are not infected. Even if your mail box was taken over, it doesn't mean your computer is infected, but it probably is. It will probably not hijack your mailbox again since that might arouse suspicion.

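The personal-firewall behaviour described in #8 and #13 (stealthed ports, inbound accepted only when it answers a request still in the state buffer, the "allow fragmented traffic" exemption, and DNS pinned to one resolver) as a toy model. Added example, not Comodo's or any product's code; the resolver address, host addresses and packet sequence are constructed placeholders:

```python
"""Toy stateful packet filter illustrating the settings discussed in the thread.

Models (constructed, not any product's implementation):
  * stealth: unsolicited inbound packets are silently dropped, no reply sent,
  * stateful matching: inbound is accepted only if it answers an outbound
    request still in the state table (entries expire after `timeout`),
  * the fragmented-traffic exemption: when enabled, an inbound packet flagged
    as a fragment bypasses the state check, which is the hole #8 describes,
  * DNS egress pinned to a single configured resolver.
"""
from dataclasses import dataclass, field

RESOLVER = "192.0.2.53"  # placeholder for the one DNS server you trust


@dataclass(frozen=True)
class Packet:
    direction: str          # "out" (from this host) or "in" (to this host)
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    time: float             # seconds since start of capture
    fragment: bool = False  # packet presents itself as part of a fragmented reply


@dataclass
class StatefulFilter:
    timeout: float = 30.0
    allow_fragments: bool = False
    state: dict = field(default_factory=dict)  # outbound 5-tuple -> last seen
    log: list = field(default_factory=list)

    def _expire(self, now):
        self.state = {k: t for k, t in self.state.items() if now - t <= self.timeout}

    def _verdict(self, p, verdict, why):
        self.log.append((p.time, p.direction, p.src, p.sport, p.dst, p.dport, verdict, why))
        return verdict

    def handle(self, p: Packet) -> str:
        """Return 'ACCEPT' or 'DROP'; a DROP is silent, so probed ports look stealthed."""
        self._expire(p.time)
        if p.direction == "out":
            if p.dport == 53 and p.dst != RESOLVER:
                return self._verdict(p, "DROP", "DNS to a resolver other than the pinned one")
            self.state[(p.proto, p.src, p.sport, p.dst, p.dport)] = p.time
            return self._verdict(p, "ACCEPT", "outbound request, state recorded")
        # Inbound: must be the reverse of a recorded outbound flow.
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.state:
            self.state[key] = p.time
            return self._verdict(p, "ACCEPT", "matches an outstanding request")
        if p.fragment and self.allow_fragments:
            return self._verdict(p, "ACCEPT", "fragment exemption bypassed state check")
        return self._verdict(p, "DROP", "unsolicited inbound")


def demo(allow_fragments: bool):
    """Replay a constructed packet sequence; return the verdict per packet."""
    fw = StatefulFilter(timeout=30.0, allow_fragments=allow_fragments)
    me, web, probe = "10.0.0.5", "198.51.100.80", "203.0.113.9"
    seq = [
        Packet("out", "tcp", me, 51000, web, 443, 0.0),              # browser request
        Packet("in", "tcp", web, 443, me, 51000, 0.2),              # prompt reply
        Packet("in", "tcp", probe, 4444, me, 445, 1.0),             # unsolicited probe
        Packet("out", "udp", me, 53001, "203.0.113.53", 53, 2.0),   # DNS to wrong server
        Packet("out", "udp", me, 53002, RESOLVER, 53, 2.1),         # DNS to pinned server
        Packet("in", "tcp", web, 443, me, 51000, 45.0, fragment=True),  # late "reply"
    ]
    return [fw.handle(p) for p in seq]


if __name__ == "__main__":
    print("fragments blocked:", demo(False))
    print("fragments allowed:", demo(True))
```

The last packet arrives after the state entry has expired: with the exemption off it is dropped like any other unsolicited inbound (the cost #8 mentions for genuine late replies), with it on it passes the firewall unmatched.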
Guru
United Kingdom - Member - Old New Member

Join Date: Jul 2005
Location: South east U.K.
Posts: 3695
Good Answers: 93
#15
In reply to #13

Re: A Few Words on Malware

08/23/2013 5:42 PM

All good advice. It's worth mentioning Shields Up; I think this is the newer version of Probe My Ports, which will check your PC's visibility to hackers. It will run a quick test & advise if your ports are vulnerable. It's good news if they're not, but even then it does not make you safe from viruses or malware.

__________________
I didn't have a really important life, but at least it's been funny (Lemmy Kilminster 1945-2015)
Guru
Fans of Old Computers - ZX-81 - New Member

Join Date: Feb 2011
Location: 18N 65W o
Posts: 1003
Good Answers: 28
#14

Re: A Few Words on Malware

08/23/2013 3:38 PM

What do you recommend as firewall software?

Power-User

Join Date: May 2013
Posts: 293
Good Answers: 3
#16

Re: A Few Words on Malware

08/26/2013 1:19 PM

Nigh, Shields Up was an oversight. I meant to mention it.

Comodo is considered by most to be the best free or paid-for personal firewall; others rate ZoneAlarm as the best.

I have been conversing with others and I have one more good protection option.

This is another way to protect your computer. They have not figured out how to make an infected web page look safe to a scanner yet. The injection ports have been around for over 6 years. This product scans pages and keeps a master database of infected sites/pages. I have not looked into this in any great detail, but I will look into the product this week. My concern is that most web page infections are short-lived. How dynamic is this product? I do know Blue Coat has the top-of-the-line paid-for products of this category. We use it at work and the security is very tight here. We use the best of breed for each category.

With Blue Coat K9 Web Protection, you don't have to wait for the latest security patch or upgrade, which can leave your computer vulnerable to new and evolving Web threats. K9 delivers the comprehensive protection you need automatically. With K9, you get the same advanced Web filtering technology used by enterprise and government institutions worldwide - all with a user-friendly interface that allows you to control Internet use in your home.

http://www1.k9webprotection.com/

Users who posted comments:

aDIYguy (5); Autobroker (1); bfmickl (1); Drew K (1); JWthetech (1); kramarat (1); Kris (1); Lehman57 (1); Mizuti (1); Nigh (4)
