47 comments
Guru

Join Date: Oct 2006
Location: 44.56024"N 15.307971E
Posts: 8277
Good Answers: 270

Trojan Alureon Removal

09/10/2013 8:53 PM

I have tried everything to get rid of this trojan.

All links provided by google appear to work till I reboot, then it is back.

Even the Microsoft Anti virus programs do not work.

Windows 7 operating system.

Has anyone had any success removing this persistent bug?

All help is appreciated.

__________________
"A man never stands so tall as when he stoops to help a child." "Never argue with a stupid person. They will drag you down to their level and beat you with experience." "To create an apple pie from scratch, first you must create a universe."
Guru
Hobbies - Fishing - New Member

Join Date: Jun 2008
Location: Raleigh, NC USA
Posts: 13529
Good Answers: 468
#1

Re: Trojan Alureon Removal

09/10/2013 9:21 PM

Have you tried malwarebytes and spybot?

How about restore to an earlier time?

__________________
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Ben Franklin
Guru

Join Date: Oct 2006
Location: 44.56024"N 15.307971E
Posts: 8277
Good Answers: 270
#2
In reply to #1

Re: Trojan Alureon Removal

09/10/2013 9:41 PM

Yes, I have tried them as well as Kaspersky, TDSS Killer, SuperAntivirus, MBR Check, and even the Microsoft remedies, which do not work after reboot. MS will detect, and ask to delete, I reply yes, it says it has deleted it, to reboot to complete the task. When I reboot, it does the same thing again, Groundhog Day.

Even went to Regedit and deleted all references to Alureon and Enigma software.

It is hiding somewhere, but I cannot find it. Restore does not work either. It has deleted all previous restore points.

HELP!

__________________
"A man never stands so tall as when he stoops to help a child." "Never argue with a stupid person. They will drag you down to their level and beat you with experience." "To create an apple pie from scratch, first you must create a universe."
Guru
Hobbies - Fishing - New Member

Join Date: Jun 2008
Location: Raleigh, NC USA
Posts: 13529
Good Answers: 468
#3
In reply to #2

Re: Trojan Alureon Removal

09/10/2013 9:58 PM

Holy sh*t!!!!

http://en.wikipedia.org/wiki/Alureon

I don't know.

__________________
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Ben Franklin
Guru

Join Date: Oct 2008
Posts: 42355
Good Answers: 1693
#4
In reply to #3

Re: Trojan Alureon Removal

09/10/2013 10:54 PM

Typical Bill Gates.

Oh, by the way, we just caused a million PCs to be infected. Good luck solving our problem for us.

And, if you do solve this for us, let us know so we can rig a fix for a price.

Otherwise, you're on your own.

Guru
Hobbies - CNC - New Member Hobbies - DIY Welding - New Member Engineering Fields - Electromechanical Engineering - New Member

Join Date: Aug 2007
Posts: 23647
Good Answers: 420
#37
In reply to #3

Re: Trojan Alureon Removal

09/17/2013 12:50 PM

You know one is phuqt when the viruses are so complex that they are having errors and need patches.

__________________
"When people get what they want, they are often surprised when they get what they deserve" - James Wood
Guru
Engineering Fields - Power Engineering - New Member

Join Date: May 2007
Location: NYC metropolitan area.
Posts: 3230
Good Answers: 444
#5

Re: Trojan Alureon Removal

09/10/2013 10:55 PM

Sorry to say it's time to wipe the drive clean and start again....really wipe it, not just reformat...

__________________
“Tell me and I forget. Teach me and I remember. Involve me and I learn.” Ben Franklin.
Score 1 for Good Answer
Guru

Join Date: Mar 2012
Location: Out of your mind! Not in sight!
Posts: 4424
Good Answers: 108
#6

Re: Trojan Alureon Removal

09/11/2013 6:14 AM

Master Tech,

As per the Wiki link that Mark sent: it's a bootkit! It is resident in your master boot sector; it is written in "stone" so that it is there after the reboot.

Unless you get the disk offline and clean it from another system it will be there every time you do it. Rootkit bootkits are very hard to clean even with rootkit tools.

It is just the way they work.

But be warned that it could mean that you lose the disk and/or its data. So backup and prepare a new installation if everything fails.

__________________
Common Sense Dictates
Anonymous Poster #1
#7

Re: Trojan Alureon Removal

09/11/2013 7:06 AM
Guru
Hobbies - Fishing - Old Salt Hobbies - CNC - New Member United States - US - Statue of Liberty - New Member

Join Date: Mar 2007
Location: Rosedale, Maryland USA
Posts: 5197
Good Answers: 266
#8

Re: Trojan Alureon Removal

09/11/2013 7:48 AM

From a Microsoft blog. As I understand it the virus creates and installs itself on an un-named partition. You need to get rid of it. If you have partition management software you may be able to use it to remove it.

I have spent a few days trying to solve this one and just had some success. DOS/Alurean.e is complex but here is what I did to remove it from a Windows 7 laptop:

1. This is to make the hidden files in your My Documents and on your hard drives reappear.

a) Go into Windows and ignore all messages and suggestions however dire they seem to be!

b) Click on the Start/Windows button (bottom left) and go to Run (you may have to type 'run' for this).

c) Type: http://download.bleepingcomputer.com/grinler/unhide.exe (if you are on another computer with a flash drive then you could save it onto the flash drive and run it on your infected machine from that).

2. To stop it redirecting your searches on the Internet:

a) Go into My Computer and right click the C: drive. Choose 'Properties'. Then click the 'Disk Cleanup' button.

b) Make sure that Temporary files and Temporary Internet files are selected and click OK. This will remove the redirecting agent and you will be able to actually find places on the Internet again.

DO NOT RESTART YOUR COMPUTER DURING THESE PROCESSES

3. Cleaning up registry entries and trojan files:

a) Download SuperAntiSpyware http://www.superantispyware.com/download.html

and choose the 'Free Edition' download button.

b) Run this and choose the quick scan option (otherwise it will demand that you purchase the product before removing anything). It was recommended to me that I do this in 'Safe Mode' but I am not sure it was worth the effort.

4. The most important bit! Remove the root partition inserted by the virus:

a) Click on the Start/Windows button (bottom left) and right click My Computer/Computer. Choose 'Manage' from the list. This will open an mmc window after a moment or two.

b) Click on 'Disk Management' - do take care here!

i) At the top you should find a list of the "Volumes" that have been created on your disk drives. Alureon will have created a small volume which will be the first or second one in the list - a few MB in size rather than the big GB volumes that your files and Windows are stored on. Check in the diagrammatic display underneath to see which one is which. The C: volume will be the C: drive for Windows normally and needs to be left well alone.

ii) Select the small, unnamed volume and right click it. Choose 'Delete Volume'.

5. Finally, restart your computer and with any luck you will be free of the wretched thing! I would run a full scan with your anti-virus software as soon as you are back up and running to check it is clear.

__________________
Life is not a journey to the grave with the intention of arriving in a pretty, pristine body but rather to come sliding in sideways, all used up and exclaiming, "Wow, what a ride!"
Good Answer (Score 7)
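Post #6 says the bootkit lives in the master boot sector and post #8 (step 4) says to look for a small, unnamed volume; as an added example that is not from the thread or from any tool named in it, the Python below reads a raw 512-byte MBR dump (taken from a Linux live CD as posts #21 and #32 suggest, e.g. with dd), lists the partition entries, flags any below an assumed 64 MiB cut-off, and compares the boot-code bytes with a baseline hash captured earlier. The function names, the cut-off and the sample layout are my assumptions, and the embedded MBR is constructed, not a capture of a real infection.

```python
"""Inspect a classic MBR from outside the infected OS.

Capture the sector from a live environment, for example
    dd if=/dev/sda bs=512 count=1 of=mbr.bin
then call inspect_mbr(open("mbr.bin", "rb").read(), baseline_sha256=...).
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440                 # bytes 0..439 hold the boot code
PART_TABLE_OFF = 446                # four 16-byte partition entries follow
TINY_PARTITION_BYTES = 64 * 1024 * 1024   # assumed cut-off for "a few MB"


def parse_partitions(mbr: bytes) -> list:
    """Decode the four primary partition entries; empty slots are skipped."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR ending in 0x55AA")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0 or sectors == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "size_bytes": sectors * SECTOR})
    return parts


def flag_tiny_partitions(parts: list, threshold: int = TINY_PARTITION_BYTES) -> list:
    """Return (index, reason) for partitions small enough to match post #8's description."""
    findings = []
    for p in parts:
        if p["size_bytes"] <= threshold:
            reason = "tiny partition (%d MiB)" % (p["size_bytes"] // (1024 * 1024))
            if p["bootable"]:
                reason += ", marked active"
            findings.append((p["index"], reason))
    return findings


def boot_code_sha256(mbr: bytes) -> str:
    """Hash the boot-code bytes so a later capture can be compared with a clean baseline."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def inspect_mbr(mbr: bytes, baseline_sha256=None) -> dict:
    """Full report: partitions, tiny-partition findings and boot-code drift."""
    parts = parse_partitions(mbr)
    digest = boot_code_sha256(mbr)
    return {"partitions": parts,
            "tiny": flag_tiny_partitions(parts),
            "boot_code_sha256": digest,
            "boot_code_changed": None if baseline_sha256 is None else digest != baseline_sha256}


# --- constructed sample below; not a capture of a real Alureon infection ---
def _entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    chs = b"\xfe\xff\xff"           # CHS fields are ignored on LBA-addressed disks
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, chs, ptype, chs,
                       lba_start, sectors)


def build_sample_mbr(boot_code: bytes = b"\xeb\x63" + bytes(438)) -> bytes:
    """Layout: 100 MiB active system partition, 100 GiB Windows volume, then an 8 MiB extra."""
    assert len(boot_code) == BOOT_CODE_LEN
    table = (_entry(True, 0x07, 2048, 204800)          # 100 MiB, Windows 7 style
             + _entry(False, 0x07, 206848, 209715200)   # 100 GiB Windows volume
             + _entry(False, 0x07, 209922048, 16384)    # 8 MiB unnamed partition (the suspect)
             + bytes(16))                               # empty fourth slot
    disk_signature = b"\x12\x34\x56\x78" + b"\x00\x00"  # bytes 440..445
    return boot_code + disk_signature + table + b"\x55\xaa"


if __name__ == "__main__":
    sample = build_sample_mbr()
    report = inspect_mbr(sample, baseline_sha256=boot_code_sha256(sample))
    for p in report["partitions"]:
        print("entry %d: type 0x%02x, start LBA %d, %.1f MiB%s" % (
            p["index"], p["type"], p["lba_start"], p["size_bytes"] / 2**20,
            ", active" if p["bootable"] else ""))
    for idx, why in report["tiny"]:
        print("FLAG entry %d: %s" % (idx, why))
    print("boot code changed vs. baseline:", report["boot_code_changed"])
```

On a GPT disk the first sector is only a protective MBR, so the partition list here would not reflect the real layout; the boot-code comparison is still meaningful only against a baseline taken when the machine was known clean.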
Guru

Join Date: Oct 2006
Location: 44.56024"N 15.307971E
Posts: 8277
Good Answers: 270
#9
In reply to #8

Re: Trojan Alureon Removal

09/11/2013 9:26 AM

I have copied the MS offline repair, booted from the USB thumb drive, and ran it from there. It still is immune to removal. Even bought a removal tool, which did not work. I am conferring with them now, and awaiting a reply. If necessary, I will try to scrub and reformat the hard drive. As cheap as hard drives are, I may just take it out and shoot it, like they used to do a horse with a broken leg. My .223 should make a dent in it anyway. Or, I may disassemble it and use the magnets on my beer cooler.

I would think that with as many smart people as there are in the software teams at Microsoft, there would be a solution.

Of course, they don't care much about the service after the sale, kinda like General Motors. If it does not generate an income in this quarter, it does not matter.

Too bad all of the MBAs are taught to focus on quarterly returns, not long range goals. The Japanese companies are still sticking with the things that we taught them in the 1950's, and the difference is obvious in the quality of the products and the service.

If all the American car companies still had the ethics, morals, and genuine interest in making a quality product, no one in the world could come close.

But, GMAC Finance makes more money financing the hunks of metal than they do by selling them.

Only one American car company I would consider buying from, and that is FORD, the only one that didn't go running with tears in their eyes and their hand out when the government passed out all of our money.

Well, enough of that, I guess I have gotten off on a rant, but poor quality products are so pervasive it is hard not to.

Signed:

Another Happy MS user. (soon to be UBUNTU)

__________________
"A man never stands so tall as when he stoops to help a child." "Never argue with a stupid person. They will drag you down to their level and beat you with experience." "To create an apple pie from scratch, first you must create a universe."
Power-User

Join Date: May 2013
Posts: 293
Good Answers: 3
#10

Re: Trojan Alureon Removal

09/11/2013 10:32 AM

You can try overwriting the boot sector with a generic one but I wouldn't bother. It is likely that there are far nastier infections on your computer; although Alureon is nasty, you can still detect it. More advanced malware have knocked out your computer defenses. New VERY nasty malware have been out more than a year. They can blow through your computer's defenses as if it was tissue paper, steal your PI, turn your computer into a Zombie and be completely invisible to any investigation. They will first steal anything of value from your computer then turn your computer into a Zombie to commit cybercrime that you can be partially responsible for. The Zombie actions go into full swing for a while when your computer is idle. These cannot be removed with any tool. The only way to remove them is by formatting or using a new disk drive. You can have your computer reset back to factory specs. See my article in this forum, A Few Words on Malware. I suspect at least half the world's computers are infected this way. Usually, the first priority is identity theft; second is to render your computer's security worthless, allowing more malware to infect you that may not have been able to break in otherwise.

If you live in the US I would lock my credit reports. This is the cheapest way to prevent the worst type of identity theft.

Computer Zombie definition

http://en.wikipedia.org/wiki/Zombie_(computer_science)

They are now mostly used to spread infections by spam, breaking into web sites, attacking/gathering intelligence on computers in a range of IP addresses, etc. Far less advanced bot nets had grown to over 10 million zombies strong years ago. Now that they can't be detected, 10 million is probably small potatoes. 10 million computers can canvass every computer connected to the internet within a day. I hope you can see just how dangerous this all is.

Guru

Join Date: Oct 2006
Location: 44.56024"N 15.307971E
Posts: 8277
Good Answers: 270
#11
In reply to #10

Re: Trojan Alureon Removal

09/11/2013 12:07 PM

I know there are very nasty bugs out there, that use the "Forbidden zone" of the hard drive, where the factory writes info, that is not normally accessible via software, because firmware will not let the heads go there. This zone is very near the center of the platters, and does not hold much data (due to the low speed) but enough to keep a virus alive.

I hope I have not been infected with one of those types. I am awaiting a reply from a purchased anti-virus program, and if they can't help, I will demand a refund or get my credit card provider to deny payment to them, or a charge-back to their account.

If all else fails, a physical destruction of the drive is called for...the only sure way to prevent it from replicating.

__________________
"A man never stands so tall as when he stoops to help a child." "Never argue with a stupid person. They will drag you down to their level and beat you with experience." "To create an apple pie from scratch, first you must create a universe."
Power-User

Join Date: May 2013
Posts: 293
Good Answers: 3
#12

Re: Trojan Alureon Removal

09/11/2013 12:46 PM

I know there are very nasty bugs out there, that use the "Forbidden zone" of the hard drive, where the factory writes info, that is not normally accessible via software, because firmware will not let the heads go there. This zone is very near the center of the platters, and does not hold much data (due to the low speed) but enough to keep a virus alive.

I do not think so. Storing information in such a place is a problem because you can't access this through your OS making it useless. I think what you refer to is a hidden partition used to restore your disk to factory settings. That can be accessed and is usually infected so that type of factory restore is useless. It is way smarter to just make your malware invisible to scanners. ANY competent hacker can do this so why bother with anything else? Right now there is no solid protection against this unless you scan the web sites before you go to them. There are apps that may/may not catch software doing something suspicious. They can alert you and its makers of the problem.

Common sense would tell you if you have a virus or any other contagion that has no cure it will go through the population like wild fire. To believe your defences only let in one antiquated malware is wishful thinking and very naive. Only companies that provide a defence against invisible malware will even admit that they exist. Oh, they know about them, but why would anyone buy nearly worthless software? My article does have a link to a vendor that will shield against invisible software and give a non-technical demonstration of how the invisible routine works, but like rabies, once you are infected there is no cure!

Power-User

Join Date: Feb 2009
Location: CT USA
Posts: 257
Good Answers: 14
#13

Re: Trojan Alureon Removal

09/11/2013 4:33 PM

Any chance of re-formatting and re-installing from scratch?

Associate

Join Date: Jul 2012
Posts: 25
Good Answers: 2
#14

Re: Trojan Alureon Removal

09/11/2013 10:46 PM

This is just so annoying, I really feel for you. There are many times when I really hate computer technology; with all the decades and millions of human hours that have gone into computer technology they are still as stupid as the very first computers. They have just become so complex and they are not easy to use as many people claim, and now we have village idiots that write this stuff to destroy other people's hardware and software. You are going to have to use something I use all the time, it's called "Wipedrive" and yes "Wipedrive" does exactly that, it completely wipes everything!!

Of course back up as much as you can, hope you have your recovery installation disks or at least get hold of them from the manufacturer, then wipe the drive and reinstall the operating system. I know this is a pain, but sometimes with nasties like this you have no other choice.

It's the human factor that we just can not control and there is no answer. What humans can create, humans can destroy. I myself am moving over to free systems and open source; at least there are no secrets in open source. I hope??

Guru

Join Date: Dec 2007
Location: Mumbai, India
Posts: 1983
Good Answers: 25
#15

Re: Trojan Alureon Removal

09/12/2013 6:23 AM

This bug entered my desktop 2/3 years back. I tried all my resources to get rid of it. But could not get rid of it. Finally I dumped my desktop and bought this laptop. The guy who developed it should be located and hanged for 100 years.

__________________
"Engineers should not look for jobs but should create jobs for others" by Dr.Radhakrishnan Ex President of India during my college graduation day
Power-User

Join Date: Nov 2011
Location: New Hampshire
Posts: 406
Good Answers: 3
#16

Re: Trojan Alureon Removal

09/12/2013 8:13 AM

I have had similar problems. I have contracted "Stopzilla"® for several years now. Fairly expensive but worth it in my opinion.

Guru
Popular Science - Weaponology - New Member Fans of Old Computers - PDP 11 - New Member Technical Fields - Architecture - New Member Hobbies - HAM Radio - New Member

Join Date: Oct 2009
Location: Maine, USA
Posts: 2168
Good Answers: 71
#17

Re: Trojan Alureon Removal

09/12/2013 8:54 AM

Try ComboFix...free download.

__________________
Tom - "Hoping my ship will come in before the dock rots!"
Guru

Join Date: Oct 2006
Location: 44.56024"N 15.307971E
Posts: 8277
Good Answers: 270
#26
In reply to #17

Re: Trojan Alureon Removal

09/12/2013 11:35 AM

Tried ComboFix. No luck, it came right back after a reboot.

Thanks for the advice.

__________________
"A man never stands so tall as when he stoops to help a child." "Never argue with a stupid person. They will drag you down to their level and beat you with experience." "To create an apple pie from scratch, first you must create a universe."
Power-User

Join Date: May 2013
Posts: 293
Good Answers: 3
#18

Re: Trojan Alureon Removal

09/12/2013 9:57 AM

alanidris, they are by no means village idiots. Most malware has been for profit for most of this century. Alureon captures IP personal information and uses what they want then sells what it can. They most likely capture all saved passwords, keep me logged in cookies and web master FTP login information as even a higher priority than credit card info and income tax data. They probably make many many times what they could at an honest job where they live.

Participant

Join Date: Sep 2013
Posts: 2
#19

Re: Trojan Alureon Removal

09/12/2013 10:05 AM

This maybe can help; it worked for me once. Run a full scan, don't delete the virus, locate it and start changing the extension on the file, e.g. try txt, mpg, anything you can imagine. Like I said, it works for me, maybe it works for you. Thanks.

Guru

Join Date: Oct 2006
Location: 44.56024"N 15.307971E
Posts: 8277
Good Answers: 270
#25
In reply to #19

Re: Trojan Alureon Removal

09/12/2013 11:34 AM

I cannot find the trojan. If I knew the alias name I could rename it or change the extension. It is very well hidden. Thanks for your input.

__________________
"A man never stands so tall as when he stoops to help a child." "Never argue with a stupid person. They will drag you down to their level and beat you with experience." "To create an apple pie from scratch, first you must create a universe."
Guru

Join Date: Oct 2007
Location: Tulare, CA
Posts: 1783
Good Answers: 35
#20

Re: Trojan Alureon Removal

09/12/2013 10:20 AM

Have you tried cleaning your registry in safe mode?

If you don't clean the registry, then the spyware and trojans are in the registry too and when you reboot it just rewrites itself upon start up.

__________________
Why is there never enough time to do it right the first time but always enough time to do it over?
Score 1 for Good Answer
Guru

Join Date: Oct 2006
Location: 44.56024"N 15.307971E
Posts: 8277
Good Answers: 270
#24
In reply to #20

Re: Trojan Alureon Removal

09/12/2013 11:32 AM

Been there, done that. Thanks anyway for the suggestion.

__________________
"A man never stands so tall as when he stoops to help a child." "Never argue with a stupid person. They will drag you down to their level and beat you with experience." "To create an apple pie from scratch, first you must create a universe."
Guru
Engineering Fields - Electrical Engineering - Analog and Digital Circuit Design Engineering Fields - Electromechanical Engineering - Transformers, Motors & Drives, EM Launchers Engineering Fields - Engineering Physics - Applied Electrical, Optical, and Mechanical

Join Date: Jan 2008
Location: NY
Posts: 1207
Good Answers: 119
#21

Re: Trojan Alureon Removal

09/12/2013 10:44 AM

I've had similar problems repairing many friends' PCs. I only use Linux now so it is easy for me to boot a live Linux CD on the infected machine, download one or more Virus/Malware/Spybot removal tools, and clean up the infected drive. I can't directly verify this will work with Alureon, but suspect it WILL work and you won't need to fdisk your Windoze drive. Good luck!

Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#47
In reply to #21

Re: Trojan Alureon Removal

09/21/2013 3:30 PM

I would try the same, it's good advice.

__________________
"What others say about you reveals more about them, than it does you." Anon.
Power-User
Engineering Fields - Systems Engineering - Member for some time now, see my profile.

Join Date: Aug 2007
Location: Essex, UK
Posts: 364
Good Answers: 3
#22

Re: Trojan Alureon Removal

09/12/2013 10:47 AM

Agree many things said here but a couple of extra points

1 When using MalwareBytes etc. you need to be in Safe Mode as Januissary has said, but also you should be in Networking Mode.

2 One of the Masters in this area used to be a guy called Steve Gibson over your way, he has helped me a number of times over the years. He has/had his own software which has been largely preventative.

3 A strong IT forum is PCBUILD and PCSOFT, very strong; obviously hardware and OS problems to PCBUILD and software problems to PCSOFT. I usually snap read these fora every day to stay up to date with what is happening in the IT field. Just type your problem into the appropriate forum and await a response. Tell them your basic set up as otherwise there will be wasted time communicating backwards and forwards.

Good Luck

Sleepy

Guru

Join Date: Oct 2006
Location: 44.56024"N 15.307971E
Posts: 8277
Good Answers: 270
#27
In reply to #22

Re: Trojan Alureon Removal

09/12/2013 11:37 AM

Can you please send a link to that site? I cannot find the one you refer to.

Thanks

__________________
"A man never stands so tall as when he stoops to help a child." "Never argue with a stupid person. They will drag you down to their level and beat you with experience." "To create an apple pie from scratch, first you must create a universe."
Power-User
Engineering Fields - Systems Engineering - Member for some time now, see my profile.

Join Date: Aug 2007
Location: Essex, UK
Posts: 364
Good Answers: 3
#29
In reply to #27

Re: Trojan Alureon Removal

09/12/2013 5:29 PM

Hi,

PCBUILD is at Personal Computer Hardware discussion List [PCBUILD@LISTSERV.ICORS.ORG]; on behalf of; PCBUILD automatic digest system [LISTSERV@LISTSERV.ICORS.ORG]

PCSOFT is at PCSOFT - Personal Computer software discussion list [PCSOFT@LISTSERV.ICORS.ORG]; on behalf of; PCSOFT automatic digest system [LISTSERV@LISTSERV.ICORS.ORG]

best guy there is Peter Ekkermann but I guess that no one will answer on an individual basis

Steve Gibson should be available on: http://en.wikipedia.org/wiki/Steve_Gibson_(computer_programmer) Read his wiki first. Try and get to talk to him if you can if he is available.

Sorry for the delay but I have been struggling on a number of problems of my own and I did not even know that you were interested until tonight.

Very Good Luck

Sleepy

Power-User
Engineering Fields - Systems Engineering - Member for some time now, see my profile.

Join Date: Aug 2007
Location: Essex, UK
Posts: 364
Good Answers: 3
#30
In reply to #27

Re: Trojan Alureon Removal

09/12/2013 5:39 PM

HiTekRedNek

1 Steve Gibson is at: http://en.wikipedia.org/wiki/Steve_Gibson_(computer_programmer) Read his wiki - I have used his tools and talked to him but that was a few years back.

2 PCBUILD is at: Personal Computer Hardware discussion List [PCBUILD@LISTSERV.ICORS.ORG]; on behalf of; PCBUILD automatic digest system [LISTSERV@LISTSERV.ICORS.ORG]

3 PCSOFT is at: PCSOFT - Personal Computer software discussion list [PCSOFT@LISTSERV.ICORS.ORG]; on behalf of; PCSOFT automatic digest system [LISTSERV@LISTSERV.ICORS.ORG]

PS if you get a chance to talk to them, Peter Ekkerman is one of the best guys.

Good Luck with this, these are Pesky problems - if only the perps did something useful with their lives.

Sleepy

Power-User
Engineering Fields - Systems Engineering - Member for some time now, see my profile.

Join Date: Aug 2007
Location: Essex, UK
Posts: 364
Good Answers: 3
#31
In reply to #27

Re: Trojan Alureon Removal

09/12/2013 5:42 PM

Hi

I have sent the site info twice, all three of them, but I don't see my response on CR4. I have been having this problem on and off this week.

I will try again in the morning

Good Luck

Sleepy

Power-User
Engineering Fields - Systems Engineering - Member for some time now, see my profile.

Join Date: Aug 2007
Location: Essex, UK
Posts: 364
Good Answers: 3
#34
In reply to #27

Re: Trojan Alureon Removal

09/13/2013 10:35 AM

HiTekRedNek

I forgot to add that you do not need to ask for a named individual as the guys come on the fora when it interests them or when they see that no progress has been made by others.

SLEEPY

Guru

Join Date: Dec 2009
Posts: 581
Good Answers: 15
#23

Re: Trojan Alureon Removal

09/12/2013 11:10 AM

Make sure you don't have your computer connected to a source of re-infection. It wouldn't matter if all that clean-up works if another system just re-installs the virus.

__________________
Ignorance is no sin. Willful ignorance is unforgiveable.
Participant

Join Date: Sep 2013
Posts: 2
#28

Re: Trojan Alureon Removal

09/12/2013 3:50 PM

I found this, maybe it will help you: http://answers.microsoft.com/en-us/windows/forum/windows_xp-system/how-to-remove-alureon-rootkit/0537fc5e-2564-444f-81fe-d8be29ea4e37

Guru

Join Date: Mar 2011
Location: Sebastopol, California
Posts: 1205
Good Answers: 54
#32

Re: Trojan Alureon Removal

09/12/2013 11:38 PM

You must boot a Linux Live CD and mount the Windoze partition. Then, delete the contents of ALL temp folders, including the IE5 content directories "temporary internet files". Delete the contents of all recycle folders.

Then, download Comodo for Linux and update it, run a scan on the Windoze partition.

Then, download Malwarebytes for Windows and copy the download to the Windows partition. Then, if you can, download the static update for Malwarebytes and copy that to the same location.

Shutdown, power off, disconnect the network and/or turn off the wifi, and then boot into safe mode. In safe mode, run a disk check and if a reboot is needed, make sure you go straight back into safe mode. When the disk checks are ok, then power off, leave off for at least 30 sec, and then power on and boot to normal mode.

Leave all network connections disabled and run the Malwarebytes install and update you copied from your Linux session.

Run a full scan and let it "fix" anything it finds.

You should also use the Malwarebytes tools to remove startup items.

If you do not know how to do any of the more advanced cleaning tools and functions, then hire an expert. I charge about $250US to clean a machine out. It costs twice as much to reload it and set it up with all its data and software, so this is a bargain.

My advice to everyone is to dump Windows ASAP. It is a very expensive system to own.

__________________
Most people are mostly good most of the time.
Guru

Join Date: Oct 2006
Location: 44.56024"N 15.307971E
Posts: 8277
Good Answers: 270
#35
In reply to #32

Re: Trojan Alureon Removal

09/13/2013 3:27 PM

Thanks! I will try that and let you know how it turns out.

__________________
"A man never stands so tall as when he stoops to help a child." "Never argue with a stupid person. They will drag you down to their level and beat you with experience." "To create an apple pie from scratch, first you must create a universe."
Guru

Join Date: Oct 2006
Location: 44.56024"N 15.307971E
Posts: 8277
Good Answers: 270
#36
In reply to #32

Re: Trojan Alureon Removal

09/14/2013 2:28 PM

Thanks DB! That did it. Saved me a lot of trouble.

I'm getting away from Windows, ASAP.

Thanks to everyone that helped with their advice.

__________________
"A man never stands so tall as when he stoops to help a child." "Never argue with a stupid person. They will drag you down to their level and beat you with experience." "To create an apple pie from scratch, first you must create a universe."
Power-User

Join Date: May 2013
Posts: 293
Good Answers: 3
#33

Re: Trojan Alureon Removal

09/13/2013 8:59 AM

Make sure you don't have your computer connected to a source of re-infection. It wouldn't matter if all that clean-up works if another system just re-installs the virus.

A very good point! When I think I have malware that is not detected, I disconnect from the internet; only after I have formatted and re-imaged C: and verified my firewall is up do I connect. When I plug in my eyes are off the monitor; when I look back the firewall has posted a query, do I want to let in an outside connection. The attack occurs within a second of connection. Alureon is older and less sophisticated so maybe that will not attack like the modern ones. I still believe you can't be so lucky to only have one infection.

Guru

Join Date: Aug 2009
Posts: 573
Good Answers: 5
#38

Re: Trojan Alureon Removal

09/17/2013 2:21 PM

According to the Wiki article about Alureon, "PCs usually get infected by manually downloading and installing Trojan software, and Alureon has been seen bundled with the rogue security software Security Essentials 2010.[5]" -- the keyword being usually. Exceptions seem to be ignored. Are they any less important? So what other ways do infections occur? And do some exist on purpose by commercial vendors?

A nice article about rootkits and their evolution is this one, from Securelist. It was written in 2008 and the "final thoughts" section, starts with this sentence: The borderline cases listed above lead to the conclusion that there is no such thing as a malicious rootkit... Maybe not in and of itself, but...? It is both interesting and irritating to read about the subject. Users have little, to no control, over the OS. It is the engine that comes with our Internet automobile. And any number of Onstar type attachments can happen without us knowing. (Since the article was written mobile devices are now under attack in significant numbers.)

I suppose subjecting any piece of OS code to security scrutiny is good practice. After all, somebody, somewhere is going to do it. But publishing the results opens the door for anyone, and gives them a leg up on acting out any malicious desires.

Then there are articles like this that prematurely gave a false sense of security -- and probably helped sales of Windows 7.

The security claims/wars between Windows and Linux enthusiasts have been around for quite some time. Clouding the debate is news such as this, about Trustwave. One thing that doesn't get refuted as often, I think, is Linux reliability. The United Space Alliance (which will be the precursor for the "Federation" of Star Trek fame) endorses it by switching.

It seems clear that the largest risk of infection is the Internet, either directly, or through downloaded software. The depressing thing is that there is no permanent solution, except not being "connected" in some way. Attacks are ongoing. And what about USB drives? It almost makes one think 2 computers are necessary -- one to be connected and one to do most of one's work on -- and never the twain should meet. But how cumbersome that is when email is integral to how we use our computers. Next best is probably sandboxed browser operation, for both Internet activity and running downloaded software. Even then, as the rootkit article discusses, commercial vendors have incorporated rootkit technology. Is there any escape?

Despite all the back and forth in the war of stealth software, one can't help having the uneasy feeling that, due to the sophistication, there might be rootkit technology on one's computer that is undetected and possibly undetectable without very sophisticated tools and expertise.

Another quote from the rootkit article: "Most researchers focused on the concept of using hardware virtualization (integrated into the new Intel and AMD processors) to gain control over the operating system. This method makes it possible to create rootkits which are undetectable by current anti-rootkit tools." With friends (?) like this, who needs enemas? How would we ever know that any manufacturer had included such in the processor design? Do we implicitly trust? FUD (aka loosely under the umbrella of paranoia; D alternately signifies Doubt or Disinformation) seems to drive so much human activity -- even low-tech.

Because of how computers work, susceptibility to rootkit technology may be inherent and unavoidable. In other words, there may not be an OS totally immune to being compromised in some way. Efforts are being made. But, to me, trust is on shaky ground. How will we ever know, after so many instances of vendors using the technology for their own purposes, that they might give in to the intoxication that comes with the tools themselves -- that we are being monitored/watched? Computers and data protection are definitely an added stress to modern lives.

A couple of thoughts... what if system calls were encrypted on-the-fly, on a per call basis? Is it possible? Practical? Or an encryption key needed for all file storage? How would a rootkit be able to become a file on a system, if that were required?

Power-User

Join Date: May 2013
Posts: 293
Good Answers: 3
#39

Re: Trojan Alureon Removal

09/18/2013 11:25 AM

passerby-

(Since the article was written mobile devices are now under attack in significant numbers.)

They are probably under a heavier attack than PCs because they are less protected and probably do not have any way to remove malware.

I suppose subjecting any piece of OS code to security scrutiny is good practice. After all, somebody, somewhere is going to do it. But publishing the results opens the door for anyone, and gives them a leg up on acting out any malicious desires.

Hackers have their own way of getting code: the firewall at Norton was breached and a significant amount of their source code was downloaded. I suspect most of our PCs have less security than Norton.

It seems clear that the largest risk of infection is the Internet, either directly, or through downloaded software. The depressing thing is that there is no permanent solution, except not being "connected" in some way. Attacks are ongoing. And what about USB drives? It almost makes one think 2 computers are necessary -- one to be connected and one to do most of one's work on -- and never the twain should meet. But how cumbersome that is when email is integral to how we use our computers. Next best is probably sandboxed browser operation, for both Internet activity and running downloaded software. Even then, as the rootkit article discusses, commercial vendors have incorporated rootkit technology. Is there any escape?

Despite all the back and forth in the war of stealth software, one can't help having the uneasy feeling that, due to the sophistication, there might be rootkit technology on one's computer that is undetected and possibly undetectable without very sophisticated tools and expertise.

I don't think so; by the very nature of a rootkit, it must be at the root of your system. Far more insidious is the new invisible malware. It can be anywhere.

Because of how computers work, susceptibility to rootkit technology may be inherent and unavoidable. In other words, there may not be an OS totally immune to being compromised in some way.

Server side malware attacks are universally effective.

A couple of thoughts... what if system calls were encrypted on-the-fly, on a per call basis? Is it possible? Practical? Or an encryption key needed for all file storage? How would a rootkit be able to become a file on a system, if that were required?

I will quote Scotty from Star Trek: "The more they overthink the plumbing, the easier it is to plug up the drains." Having a second computer may not help all that much. The malware is mostly interested in stealing PI information that gives you access to web sites and credit card info.

I see your quandary and I have been there. Thought I was attacked by 'invisible' malware about a year ago. My contacts all thought I was nuts. I expect quite a few readers will reject what I state so I have included plenty of reference links for anyone interested. Since that time I have been educating myself on the new form of attack. You can protect yourself from today's new threats but I do not know about tomorrow.

Probably Windows is more vulnerable to old has-been malware like Alureon. The new crop has been out for over a year and is probably spreading like wildfire because there is almost nothing to stop the spread.

These use server side attacks.

How are the attacks carried out? The most effective are server side attacks and a common method is an iframe. They can complete the penetration through your firewall before your page is even displayed.

http://blog.unmaskparasites.com/tag/iframe/

How can the hackers penetrate my defenses?

http://en.wikipedia.org/wiki/Category:Internet_security

This is my guess as to what happens next. Because the attack is coming from a server, after it breaks through your firewall it performs a detailed analysis of your computer. In Windows it probably scans your registry. It either adds new files or overwrites an EXE or DLL with a duplicate that has additional capabilities. It also uploads files that contain PI (Personal Information). Some would be saved passwords, cookies that keep you logged in to a web site, web master files that save access info and any other PI-type file. These files have specific file extensions and are in a location that can be deduced from the registry. The attack is over in just a few seconds. At this time you have malware that is undetectable by any method known today. It will bore a hole in your firewall and fill it in with an IP tunnel so your firewall is unaware that anything is wrong. It can also compromise your browser, which has unlimited firewall passage. I suspect most new age bot-nets include a keylogger. These allow the hacker to learn all sorts of IDs/passwords. They then can use them to break into businesses, banks and other institutions. There were 800 break-ins last year and break-ins are increasing by 80%, probably because of the PI information gathered by botnets. Some individuals think these hackers are poor fools. They make into the 7 figures. One made that much just by having his Zombies, computers under his control, clicking on ads displayed on his web site. You wouldn't think you could make much money doing that, but he had millions of computers clicking ads 24/7.

How can the malware be invisible?

Server-side polymorphism: How mutating web malware tries to defeat anti-virus software

http://nakedsecurity.sophos.com/2012/07/31/server-side-polymorphism-malware/

A white paper explaining how "a frequently employed trick that is widely used by web exploits and well-known botnets - server-side polymorphism." works.

http://www.lavasoft.com/mylavasoft/securitycenter/whitepapers/detecting-polymorphic-malware

Is there anything I can do?

This is what I did.

I only browse using a limited user account.

I only browse the web with the browser sandboxed with Sandboxie. This is like a canary in a mine. A large number of malware attacks attack the browser. Sandboxie will display an error and prevent the attack. It is likely your computer experienced multiple attacks when your browser is attacked. I jettison my session immediately by deleting the contents of the session 'default box'. This is fine if you have one or two attacks per month. More than that and you need to beef up your security.

My router has both NAT and a light packet scan. This is about as secure as you can get unless you go to an industrial strength level, which is far out of my budget. My router is worthless as a watch dog. Even a good firewall such as Comodo or ZoneAlarm will not help much more unless you reject fragmented packets. I suspect fragmentation is easy to fake since you are communicating with the web site. I use Comodo Internet Security. They have at least one other advanced setting that I turned on, but a month later I can't remember what it was. Since then I have not been attacked. That is my office computer. On the family computer I added K-9 since no one is even a bit careful. K-9 will not let you open an infected web page. The page is scanned before you can open it. Although the malware on your computer is 'invisible', the delivery method is not. They complain browsing is sometimes slow; I do not care since I don't use it.

Malwarebytes has a beta security app using heuristic techniques. I haven't tried it because I am already bogged down with security.

Lastly, I keep an image of my C: stored on an external disk. When in doubt, I reimage.

Guru

Join Date: Dec 2009
Posts: 581
Good Answers: 15
#40
In reply to #39

Re: Trojan Alureon Removal

09/18/2013 11:42 AM

As a US DOD computer professional, I have a little (just a little) insight into what's possible and real, and yeah, what you said...

Precautions are a cost-benefit calculation. It sounds like yours are strong and well worth considering, given that once they're set up they're low-friction. At work we have a number of hoops to jump through in order to transfer data between networks. At home, not so much.

I'm very confident that an "Enemy of the State" scenario is completely plausible for any of us at any time, and that there are non-state actors out there who could pull it off if they wanted to.

In other words, keep some emergency cash on hand if you have the means. Or, don't go on the Internet, ever.

__________________
Ignorance is no sin. Willful ignorance is unforgivable.
Guru

Join Date: Aug 2009
Posts: 573
Good Answers: 5
#41
In reply to #39

Re: Trojan Alureon Removal

09/18/2013 1:36 PM

Thank you, aDIYguy. I really appreciate detailed fleshing out of a worthwhile subject.

If your paragraph,

This is my guess as to what happens next. Because the attack is coming from a server, after it breaks through your firewall it performs a detailed analysis of your computer. In Windows it probably scans your registry. It either adds new files or overwrites an EXE or DLL with a duplicate that has additional capabilities. It also uploads files that contain PI (Personal Information). Some would be saved passwords, cookies that keep you logged in to a web site, web master files that save access info and any other PI-type file. These files have specific file extensions and are in a location that can be deduced from the registry. The attack is over in just a few seconds. At this time you have malware that is undetectable by any method known today. It will bore a hole in your firewall and fill it in with an IP tunnel so your firewall is unaware that anything is wrong. It can also compromise your browser, which has unlimited firewall passage. I suspect most new age bot-nets include a keylogger. These allow the hacker to learn all sorts of IDs/passwords. They then can use them to break into businesses, banks and other institutions. There were 800 break-ins last year and break-ins are increasing by 80%, probably because of the PI information gathered by botnets. Some individuals think these hackers are poor fools. They make into the 7 figures. One made that much just by having his Zombies, computers under his control, clicking on ads displayed on his web site. You wouldn't think you could make much money doing that, but he had millions of computers clicking ads 24/7.

... doesn't sober I-net surfers up, I'm not sure what will. Plus the confirmation by Lynn.Wallace below your post. And did no one think about the vulnerability of mobile devices? That's hard to believe. If so, it is an extremely naive oversight. If it was considered...???... it leads to broader questions. Isn't it convenient that cell phones can be located by GPS technology? (O.K., that's paranoid thinking.)

Do you think your description of what can plausibly happen is something the average computer surfer needs to worry about? (I guess that is answered by Lynn.W.) Server side attacks seem like a whale sifting plankton, gathering large amounts of information in big gulps, in addition to infecting user computers with modified web pages. The server is king, in that regard. Servers are the gate-keepers of our digital lives. A compromised server is a concentrated infection of the "water" supply.

I think the issues you raise ought to be of concern and given serious consideration by all surfers. I agree Sandboxie is a key line of defense and I have advocated its use since I started using it ~3 years ago. K-9 is something I haven't looked at but will. Isn't its database susceptible to server-side attacks, though?

The scenario in the first article I linked to, that was most sobering and serious to me, was the hardware virtualization, apparently existent in modern processors, which can get control of the OS, and create rootkits, which are not detectable. Your description of what can happen is equally frightening. Given recent revelations of complicity between phone companies, social networks and the government "spying" program, is/was hardware virtualization a joint effort? Spying on citizens has been around since there were governmental "security" organizations, but 9/11 allowed a floodgate of activity to be accepted and tolerated. A controversial musing of 9/11 in a larger context was presented by Naomi Klein in her book, The Shock Doctrine. It is appropriate to the consideration of what level of concern is paranoia or not.

(For those interested in delving a bit, here are a couple of links to familiarize oneself with the topic of virtualization -- one a spin from the mfg. side. 1, 2 - neither of which emphasize security as an asset. An example video from the Intel web site, "selling" the advantages of I/O virtualization, is enough to make the average computer user feel overwhelmed at the complexity of modern digital communications and, of necessity, leave their protection from evil-doers for, hopefully, good-guy experts to contend with.)

Yes, encrypted system calls may be over-thinking... and the hardware virtualization capability wouldn't be addressed by it. In short, our vulnerability is in the hands of those who design and create the technology we use in a consumer fashion. Where's Iron-code man? Or Bitman?

The best protection is just not connecting one's computer to any network -- as Lynn.W said, "Or don't go on the Internet, ever." But that isn't practical unless you don't use email. Even then, many business vendors have made it difficult (banks, TV providers, etc.) to adhere strictly to a paper relationship. So much data we use in our lives is only available to us in electronic form across a network... like media devices, with capabilities only accessible via the remote control. If you lose that, much of the functionality of the device is lost to the user.

Your post makes me even more concerned that my concern isn't just paranoia, or is it? Is it us or them?

Guru

Join Date: Aug 2009
Posts: 573
Good Answers: 5
#42
In reply to #39

Re: Trojan Alureon Removal

09/18/2013 2:04 PM

On second thought, as I read the white paper you link to, if Polymorphic Generators use re-encryption, maybe the idea of encrypted system calls on a PC -- especially file creation -- isn't so outlandish. Perpetrators don't think it to be over-thinking. Only the user encryption key would allow a file to be stored. But perhaps it is a cat and mouse game that can never be won.

It is a bit like redundancy in circuit design. Where does one draw the line? Redundancy of redundancy of redundancy circuitry?

Power-User

Join Date: May 2013
Posts: 293
Good Answers: 3
#43

Re: Trojan Alureon Removal

09/19/2013 10:48 AM

... doesn't sober I-net surfers up, I'm not sure what will.

People will believe what they want. I was warning my neighbor and he wasn't even interested. I figure he didn't want to be bothered with tech stuff. He didn't even ask if there was any easy way to protect his computer.

And did no one think about the vulnerability of mobile devices? That's hard to believe. If so, it is an extremely naive oversight. If it was considered...???...

Yes and there is protection for them which few use. I do not have a data plan because I am cheap but also because of the lack of security. I have learned of good protection for cell phones recently.

it leads to broader questions. Isn't it convenient that cell phones can be located by GPS technology? (O.K., that's paranoid thinking.)

I am paranoid as well, but I would not worry about GPS. They are mostly interested in PI ID+passwords. Keep in mind, humans are not doing ANY of this. They write the routines using prewritten routines for most of the nitty-gritty. I suspect they may upload TurboTax info and the like for a rainy day, but their focus is on accessing PI. A big score would be to get into government or a business. The hacker may personally use that PI or sell it to a specialist. Email PI is also a favorite. They can spear phish, asking you to click on a link to an infected web page.


Do you think your description of what can plausibly happen, is something the average computer surfer needs to worry about?

Large sums of money can be made by working the internet. How long do you think a $100 bill would last sitting unattended, left out on a counter on Broad Street, NYC? The internet is more crowded than that! Junior programmers can build a bot-net, buying parts that can penetrate 90% of the world's computers. Since we can't see the threat because it is invisible, do we have any indication we should be worried? This year we have experienced an 80% increase in hacker break-ins. In late spring there was a rash of web sites broken into and taken over by bot-nets using brute force password cracking into thousands of sites per day. They got mine, and when I complained to the hosting company they told me that was not possible! The rash was in all the tech news and even made the non-tech news such as Forbes. I will not renew my yearly contract with them this month. Although this is the year of the bot-net and the attacks are way up, a few years ago a college made a study. A fresh computer was connected to the internet without any security and it was monitored to see if it would be attacked by a 'drive by'. Zombies check a range of IP addresses to see if they can get in. This is analogous to a kid walking through a neighborhood checking if your door is locked. This was done a few hundred times. The average computer was attacked in 30 minutes. I bet more than 50% of the world's computers are vulnerable to this ploy because their ports are not in total stealth mode. You can assume every computer that has active ports has been infected for years.

K-9 is something I haven't looked at but will. Isn't its database susceptible to server-side attacks, though?

Why? It only scans the web page; it doesn't open it. It works just like an AV does on your computer: it scans the file, it doesn't open it. We can only hope Blue Coat is more secure than Norton.


The best protection is just not connecting one's computer to any network -- as Lynn.W said, "Or don't go on the Internet, ever.

I agree. Our stupid government, which once kept projects isolated from the network, is now moving to cloud technology to be 'cool' and to pretend to save money.

On second thought, as I read the white paper you link to, if Polymorphic Generators use re-encryption, maybe the idea of encrypted system calls on a PC -- especially file creation -- isn't so outlandish. Perpetrators don't think it to be over-thinking. Only the user encryption key would allow a file to be stored. But perhaps it is a cat and mouse game that can never be won.
It is a bit like redundancy in circuit design. Where does one draw the line? Redundancy of redundancy of redundancy circuitry?


Firstly, it doesn't encrypt the file; it obfuscates the malicious code. The SOPHOS article and video make that clear for even a non-technical person. Check that out.

The problem with encrypting all your files is how do you read your files if they are encrypted? If you design an OS to do that properly then the hackers will use the OS to encrypt the files. They are a clever lot. If you can do something that makes your computer different, they may pass you by. Unfortunately, with most OSs there has to be a registry which is a road map to where everything is. I do keep all my data on D: not C: which MAY help but I doubt it.

You can use K-9, the free version of Blue Coat used by the security conscious government agencies. It works. You can also beef up your firewall. That is what I did. I am not getting attacked. If you read the Wikipedia articles on IP 'funnybusiness', most start with a fragmented packet. Some smart routers and all firewalls check to make sure all the packets they let in are responses to your requests. Routers for home and small business do not have the capacity to remember even a second's worth of traffic. They know you have requested to view the page, so they forge traffic that looks like part of your request and you get data you did not request. It is kind of like adding an extra thousand cars to the 200 car train. As long as it is part of the train that was allowed to pass your firewall, nothing will stop it. The extra data is the attack. Only deep packet scans that check each car to make sure it is supposed to be there can stop this kind of attack, and they are expensive. They have the resources to verify if the packet belongs or not. The cheap way out is to not accept ANY fragmented packets. High end personal firewalls have this option.

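The post above, and #39 before it, lean on a firewall option that refuses any fragmented packet. The block below is an added example written for this thread (it is not aDIYguy's code and not taken from Comodo, ZoneAlarm or any other product) showing what such a check actually inspects: the More Fragments flag and the 13-bit fragment offset in the IPv4 header, plus the header checksum as a basic well-formedness test. The packets it classifies are constructed inline from documentation addresses (RFC 5737 ranges) and are not captured traffic; the helper `build_ipv4_header` and the policy function `filter_packets` are my names.

```python
"""Classify IPv4 packets the way a "reject fragmented packets" firewall option does.
Added example for this thread; all packets below are constructed, not captured."""
import socket
import struct

IPV4_HEADER = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, network byte order
FLAG_DF = 0x4000               # Don't Fragment
FLAG_MF = 0x2000               # More Fragments: set on every piece except the last
OFFSET_MASK = 0x1FFF           # 13-bit fragment offset, counted in 8-byte units


def ip_checksum(header: bytes) -> int:
    """RFC 791 ones-complement sum over the header. Over a header whose checksum
    field is already filled in, a correct header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, total_length, flags=0, offset=0, proto=17, ident=0x1234):
    """Construct a test header (hypothetical helper, not a capture). offset is in 8-byte units."""
    flags_frag = (flags | (offset & OFFSET_MASK)) & 0xFFFF
    raw = struct.pack(IPV4_HEADER, 0x45, 0, total_length, ident, flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return raw[:10] + struct.pack("!H", ip_checksum(raw)) + raw[12:]


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fields a fragment filter cares about; raise on malformed input."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, ident, flags_frag, _ttl, proto, _csum, src, dst = struct.unpack(
        IPV4_HEADER, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
        "ident": ident,
        "mf": bool(flags_frag & FLAG_MF),
        "df": bool(flags_frag & FLAG_DF),
        "offset": (flags_frag & OFFSET_MASK) * 8,          # byte offset within the datagram
        "checksum_ok": ip_checksum(packet[:ihl]) == 0,
    }


def is_fragment(info: dict) -> bool:
    """Any piece of a fragmented datagram: the first has MF set, later ones a nonzero offset."""
    return info["mf"] or info["offset"] > 0


def filter_packets(packets, drop_fragments=True):
    """Apply the strict 'no fragments' policy; returns one (decision, reason) per packet."""
    decisions = []
    for pkt in packets:
        try:
            info = parse_ipv4(pkt)
        except ValueError as exc:
            decisions.append(("DROP", str(exc)))
            continue
        if not info["checksum_ok"]:
            decisions.append(("DROP", "bad header checksum"))
        elif drop_fragments and is_fragment(info):
            decisions.append(("DROP", "fragment id=%#06x offset=%d mf=%s"
                              % (info["ident"], info["offset"], info["mf"])))
        else:
            decisions.append(("ACCEPT", "whole datagram"))
    return decisions


# Constructed samples: an ordinary packet, the first and last pieces of a split
# datagram, a packet whose TTL byte was altered after the checksum was computed,
# and a truncated fragment of a header.
_damaged = bytearray(build_ipv4_header("192.0.2.10", "198.51.100.5", 60, flags=FLAG_DF) + b"\x00" * 40)
_damaged[8] ^= 0x01
SAMPLE_PACKETS = [
    build_ipv4_header("192.0.2.10", "198.51.100.5", 60, flags=FLAG_DF) + b"\x00" * 40,
    build_ipv4_header("192.0.2.10", "198.51.100.5", 1500, flags=FLAG_MF, offset=0) + b"\x00" * 1480,
    build_ipv4_header("192.0.2.10", "198.51.100.5", 100, flags=0, offset=185) + b"\x00" * 80,
    bytes(_damaged),
    b"\x45\x00\x00\x14",
]

if __name__ == "__main__":
    for pkt, (decision, reason) in zip(SAMPLE_PACKETS, filter_packets(SAMPLE_PACKETS)):
        print(decision, reason)
```

Two caveats a practitioner would add to the post's advice. First, the filter recognises a fragment only by the MF flag and the offset; it cannot tell whether the fragment belongs to a legitimate oversized datagram, which is why a blanket drop can break large UDP replies (DNS answers over the path MTU are the usual casualty) and why proper firewalls reassemble before inspecting. Second, the checksum test only proves the header was not corrupted in transit; a sender can compute a valid checksum for any header it likes, so it is a sanity check, not an authenticity check.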
Guru

Join Date: Aug 2009
Posts: 573
Good Answers: 5
#44
In reply to #43

Re: Trojan Alureon Removal

09/19/2013 1:20 PM

I really appreciate the time you've spent educating yourself -- and now others -- in the area of computer security. We all benefit from it.

GPS doesn't concern me for PI reasons. I just don't like the fact that one can be tracked as long as one's cell phone is on. Mine is very rarely on. I only have it for emergency instances. I wouldn't want Onstar in my car for that reason. Then again, maybe it doesn't matter. We can be (and are) tracked in so many other ways (CC transactions, being primary, for one). GPS is just capable of being more real-time.

I wasn't suggesting encrypting the files themselves, only having an encryption code/key necessary for file creation/storing. That way rogue files couldn't be stored without the proper key to allow the system call to actually store to the HD. The key would be regenerated often enough to not be valid in case it is copied. This would have to be pretty low-level, probably at the processor level, otherwise it would be easily circumvented. Back to processor shenanigans. Mfgs. usually have proprietary "back doors" that they don't disclose. The trust issue again.

I am definitely going to check out K-9.

Guru

Join Date: Oct 2006
Location: 44.56024"N 15.307971E
Posts: 8277
Good Answers: 270
#45
In reply to #43

Re: Trojan Alureon Removal

09/19/2013 2:25 PM

The only really secure method, which is not practical for average users, is the infant technology of quantum computing, using entangled photons.

The problem is, it requires a single fiber from end to end. No repeaters can be used.

The military has successfully transmitted over a distance of 40 miles.

Observing the photons changes their state, so any tampering with the signal is immediately detected.

Supposedly, quantum computers can crack any encryption code very quickly, because it uses every state between 1 and zero. It can outperform the fastest digital computers in use today.

Of course, someone will figure a way to eavesdrop or hack then also.

Reminds me of the comic book characters: Spy vs Spy.

__________________
"A man never stands so tall as when he stoops to help a child." "Never argue with a stupid person. They will drag you down to their level and beat you with experience." "To create an apple pie from scratch, first you must create a universe."
Power-User

Join Date: May 2013
Posts: 293
Good Answers: 3
#46

Re: Trojan Alureon Removal

09/19/2013 4:13 PM

Passerby -

I really appreciate the time you've spent educating yourself -- and now others -- in the area of computer security. We all benefit from it.

I just want to reduce the number of zombies trying to get into my computer. This group is the right sort to actually benefit from my effort.

GPS doesn't concern me for PI reasons. I just don't like the fact that one can be tracked as long as one's cell phone is on. Mine is very rarely on. I only have it for emergency instances. I wouldn't want Onstar in my car for that reason. Then again, maybe it doesn't matter. We can be (and are) tracked in so many other ways (CC transactions, being primary, for one). GPS is just capable of being more real-time.

That would be a big brother threat and not a hacker threat. We can't do much about the govt. I guess I trust the govt as much as you.

I wasn't suggesting encrypting the files themselves, only having an encryption code/key necessary for file creation/storing. That way rogue files couldn't be stored without the proper key to allow the system call to actually store to the HD. The key would be regenerated often enough to not be valid in case it is copied. This would have to be pretty low-level, probably at the processor level, otherwise it would be easily circumvented. Back to processor shenanigans. Mfgs. usually have proprietary "back doors" that they don't disclose. The trust issue again.

It would be much easier to have a read-only file flag that would be locked at a level above administrator. To access it would require a hardware key. Then you could only update your system once in a while. The hackers will just figure out how to infect the system updates.

A simple approach would be to overwrite your OS every week from an image.

HiTekRedNek

What the bot-net was using to crack passwords was just as effective as a super computer even if it was low tech. 10,000,000 zombies have a list of many thousands of IP targets and each one tries a password against every IP in the list. When they are finished, they do it all over again with the next password on the list. The process avoids the brute force protection where the application locks out an IP address after 3 tries in x hrs. If a zombie gets in, the IP and PI are sent to the boss. The boss server passes that info to an attack zombie that gets in, changes the password for the admin, then deletes/deactivates any other admin users; next, it encrypts the database so even if you break in with superuser privileges you can't do anything other than to have the host kill the IP address. The sites were blog sites, so they have a database and have a list of emails, which they upload back to the boss; then they start emailing. My site was sending out over 60,000 emails a minute, which got the attention of the host since the one site was using most of the server's power. They would have done better doing 1,000 a minute; they could have operated for days before getting caught. The blog engines under fire made a quick upgrade that probably looks for login attempts coming from different IPs within a minute.

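The attack pattern described in the post above (one account, one guess per source address, many addresses, so that a per-IP lockout never fires) is exactly what a per-account, cross-IP rule catches. The following added example, written for this thread rather than taken from aDIYguy's site or any blog engine, runs both rules side by side over a constructed authentication log so the difference is visible: the classic per-IP lockout sees at most one failure per address and stays silent, while the per-account rule the post says the blog engines adopted ("login attempts coming from different IPs within a minute") raises an alert. The log format, the names `per_ip_lockout` and `distributed_spray_alerts`, and all addresses (RFC 5737 documentation ranges) are my assumptions.

```python
"""Compare a per-IP lockout rule with a per-account cross-IP rule on constructed login logs.
Added example for this thread; the log lines and format below are invented for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, LOGIN_OK or LOGIN_FAIL, user, source IP.
LINE_RE = re.compile(r"^(?P<ts>\S+) LOGIN_(?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: eight distinct addresses each try 'admin' once within 35 seconds
# (one guess per zombie, as the post describes), plus a real user mistyping twice.
SAMPLE_LOG = """\
2013-09-19T10:00:01 LOGIN_FAIL user=admin ip=203.0.113.11
2013-09-19T10:00:06 LOGIN_FAIL user=admin ip=203.0.113.12
2013-09-19T10:00:10 LOGIN_FAIL user=bob ip=198.51.100.7
2013-09-19T10:00:11 LOGIN_FAIL user=admin ip=203.0.113.13
2013-09-19T10:00:15 LOGIN_FAIL user=bob ip=198.51.100.7
2013-09-19T10:00:16 LOGIN_FAIL user=admin ip=203.0.113.14
2013-09-19T10:00:20 LOGIN_OK user=bob ip=198.51.100.7
2013-09-19T10:00:21 LOGIN_FAIL user=admin ip=203.0.113.15
2013-09-19T10:00:26 LOGIN_FAIL user=admin ip=203.0.113.16
2013-09-19T10:00:31 LOGIN_FAIL user=admin ip=203.0.113.17
2013-09-19T10:00:36 LOGIN_FAIL user=admin ip=203.0.113.18
"""


def parse_log(lines):
    """Yield (timestamp, result, user, ip) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def per_ip_lockout(events, max_fail=3, window=timedelta(hours=1)):
    """Classic rule: lock a source IP after max_fail failures inside window.
    Returns the set of IPs that would have been locked."""
    fails = defaultdict(deque)  # ip -> timestamps of recent failures
    locked = set()
    for ts, result, _user, ip in events:
        if result != "FAIL":
            continue
        q = fails[ip]
        q.append(ts)
        while q and ts - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) >= max_fail:
            locked.add(ip)
    return locked


def distributed_spray_alerts(events, min_ips=5, window=timedelta(seconds=60)):
    """Per-account rule: alert when failures for one user arrive from at least min_ips
    distinct source addresses inside window. Returns {user: (first_alert_time, ips)}."""
    recent = defaultdict(deque)  # user -> (timestamp, ip) of recent failures
    alerts = {}
    for ts, result, user, ip in events:
        if result != "FAIL":
            continue
        q = recent[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()
        ips = {i for _, i in q}
        if len(ips) >= min_ips and user not in alerts:
            alerts[user] = (ts, sorted(ips))
    return alerts


if __name__ == "__main__":
    events = list(parse_log(SAMPLE_LOG.splitlines()))
    print("per-IP lockout would block:", per_ip_lockout(events) or "nothing")
    for user, (when, ips) in distributed_spray_alerts(events).items():
        print("cross-IP alert for %s at %s from %d addresses" % (user, when.isoformat(), len(ips)))
```

The per-account rule has its own failure mode worth noting: an account legitimately used from many addresses (a shared service login, or users behind carrier-grade NAT whose sessions roam) can trip it, so in practice the response is a step-up such as a temporary challenge or a notification rather than a hard lock, and the threshold is tuned per account type.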
Users who posted comments:

aDIYguy (7); alanidris (1); Andy Germany (1); Anonymous Poster (1); Calnet42 (1); Deefburger (1); HiTekRedNek (10); IdeaSmith (1); Janissaries (1); kramarat (2); lyn (1); Lynn.Wallace (2); mjb1962853 (1); Munster (1); ozzb (1); Passerby (4); phoenix911 (1); RAMConsult (1); Reialejun (2); Sleepy (5); suresh sharma (1); Tom_Consulting (1)
