From: FromTheRafters on
"David Kaye" <sfdavidkaye2(a)yahoo.com> wrote in message
news:hp85v4$ua4$3(a)news.eternal-september.org...
> "FromTheRafters" <erratic(a)nomail.afraid.org> wrote:
>
>>
>>Were you running as administrator at the time of the "attack"?
>
> Running XP Pro with a default user with admin privileges.
>
>>It is possible, while browsing to a legitimate site, to get redirected
>>to a site that launches several browser exploits aimed at executing a
>>rogue application on your machine.
>
> Using OpenDNS as the DNS. Using Windows Firewall and Avast. I checked
> filedates in various directories and didn't see much other than ave.exe
> and its entries in the registry. It was actually fairly simple to get
> rid of, having dealt with it before on customer machines.

Yeah, some are easy enough to remove, and even easier to avoid *having*
to remove. :o)

>>(server-side) to avoid detection by your antimalware component. Similar
>>to the way a virus can be self-polymorphic - a downloaded program file
>>can take many forms.
>
> What's eating me is that the program launched with a window that was
> clearly detectable in Task Manager as ave.exe, and yet while Avast was
> running it simply didn't see the program.

Some stuff will get past detectors. With admin rights, what gets past
may well attack the detector itself. After that, even well known and
reliably detectable malware can get past.

> After rolling back the registry 5 days manually (booting up with
> BART-PE) I then ran XP in regular mode and scanned with MalwareBytes.
> MB immediately saw it. (I'm using the freebie MB, so it does no
> realtime scanning). Avast still didn't see it even after I ran the
> drive scan option. And I have the latest Avast update.

The best thing to know would be exactly what was on the exploit riddled
website.

....as a side note, I read somewhere, about a month ago, that 80% of the
most popular legitimate websites had served up malware within that one
week period. IIRC it was mostly through advertisements that they had
hosted.


From: FromTheRafters on
"David Kaye" <sfdavidkaye2(a)yahoo.com> wrote in message
news:hp9idk$lsu$1(a)news.eternal-september.org...

[...]

> When I remove malware, turn off unnecessary services, remove unneeded
> startups, and put in a rudimentary anti-malware program (Avast lately),

[...]

Avast! is an antivirus program.

As you apparently already know, it is good to have an antimalware
program as well. It looks like soon enough the two will completely merge
because it is becoming more and more important for AV (formerly heavy on
the more preventative content scanning) to adopt context scanning for
post infestation identification and clean-up.

....still, if a detector program is virus capable, I suspect it will
still be called an antivirus even if it is a comprehensive antimalware
as well (since viruses are a special case).


From: FromTheRafters on
"David Kaye" <sfdavidkaye2(a)yahoo.com> wrote in message
news:hp947a$ekl$3(a)news.eternal-september.org...
> "Beauregard T. Shagnasty" <a.nony.mous(a)example.invalid> wrote:
>
>>Ah. It seems I've posted "nearly an hour before you." How do you
>>explain that everyone else sees your clock an hour in the future?
>>
>>Currently 11:57pm Eastern Daylight Time
>
> I'm not sure. There is no setting on the user account at ES to adjust
> the time. My computer's clock is set to Pacific (US & Canada) with
> allowance made for DST. It adjusted correctly at the beginning of
> daylight time.
>
> Lemme see. I have a program that calls an API routine for system time.
> Let's see if it shows GMT correctly...
>
> Okay, the routine calls the GetTimeZoneInformation and GetSystemTime
> functions from the kernel32 library. The routines return an offset from
> GMT as 7 hours, which is correct. Normally it would be 8 hours, but
> we're on DST here in North America. Since Bush signed into law the
> advanced daylight time law several years ago, starting DST 3 weeks
> ahead of the way it used to be (and ending it 1 week later) it just
> might be that Eternal September is assuming that we're not on DST here
> yet. This would account for their server thinking GMT (UTC) is 8 hours
> ahead.

Well then, it should correct itself today then.
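As an added illustration, not part of the thread and not David Kaye's program: the DST reasoning quoted above, carried through in Python. The helper below is a hypothetical one of mine; it encodes the pre-2007 and post-2007 US daylight-saving rules, converts the same Pacific wall-clock time to UTC under each, and reproduces the one-hour gap between the Date: (06:04:14 GMT) and Injection-Date: (05:04:14 UTC) headers quoted later in the thread, as well as the point that both rules agree once 02:00 local on 4 Apr 2010 has passed.

```python
from datetime import date, datetime, time, timedelta, timezone

# Hypothetical helper (not from the thread): compare the pre-2007 and post-2007
# US daylight-saving rules to explain a one-hour gap between a client's
# Date: header and the news server's Injection-Date: header.

def nth_sunday(year, month, n):
    """Date of the n-th Sunday of a month (n=1 is the first Sunday)."""
    first = date(year, month, 1)
    first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)  # Sunday is weekday 6
    return first_sunday + timedelta(weeks=n - 1)

def last_sunday(year, month):
    """Date of the last Sunday of a month (step back from the 1st of the next month)."""
    nxt = date(year + (month == 12), month % 12 + 1, 1)
    return nxt - timedelta(days=nxt.weekday() + 1)

def dst_window(year, rule):
    """Local wall-clock DST start/end (02:00 transitions) for a US rule set."""
    if rule == "pre2007":      # first Sunday of April to last Sunday of October
        start, end = nth_sunday(year, 4, 1), last_sunday(year, 10)
    elif rule == "post2007":   # second Sunday of March to first Sunday of November
        start, end = nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)
    else:
        raise ValueError("unknown rule: %s" % rule)
    return datetime.combine(start, time(2)), datetime.combine(end, time(2))

def utc_offset_hours(local, rule, standard_offset=-8):
    """Offset from UTC for a naive local time; default standard offset is Pacific (-8)."""
    start, end = dst_window(local.year, rule)
    return standard_offset + (1 if start <= local < end else 0)

def utc_string(local_iso, rule, standard_offset=-8):
    """UTC timestamp (ISO 8601) that a client applying `rule` would emit for a local time."""
    local = datetime.fromisoformat(local_iso)
    off = utc_offset_hours(local, rule, standard_offset)
    return (local - timedelta(hours=off)).replace(tzinfo=timezone.utc).isoformat()

if __name__ == "__main__":
    # Constructed Pacific wall-clock time matching the thread's Injection-Date of
    # 05:04:14 UTC on 4 Apr 2010 (PDT is UTC-7, so it is still 3 Apr locally).
    posted = "2010-04-03T22:04:14"
    for rule in ("pre2007", "post2007"):
        print(rule, utc_offset_hours(datetime.fromisoformat(posted), rule), utc_string(posted, rule))
    # After 02:00 local on 4 Apr 2010 both rules are in DST, so the gap closes.
    later = "2010-04-04T03:00:00"
    print(utc_string(later, "pre2007") == utc_string(later, "post2007"))
```

The pre-2007 rule yields 06:04:14 UTC (the Date: header) and the post-2007 rule 05:04:14 UTC (the Injection-Date: header), which is the hour of difference the thread is puzzling over.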


From: FromTheRafters on
"David Kaye" <sfdavidkaye2(a)yahoo.com> wrote in message
news:hp94ma$ekl$5(a)news.eternal-september.org...
> "FromTheRafters" <erratic(a)nomail.afraid.org> wrote:
>
>>It is possible for a trojan to drop a file named ave.exe that is for
>>all practical purposes unique to that system. The filename means
>>nothing. The thing that should be detected is the dropper itself - if
>>you don't install it, you don't have to identify and remove it.
>
> This may be the case given that the name displayed apparently adjusts
> itself to the system in use. Thus for XP it's called something like "XP
> Defender" and for Vista it's called "Vista Defender", etc. Also,
> whether it's called Defender or any number of other names also seems
> to change.
>
> Regardless, I should think that Avast's heuristics should have picked
> up some of the telltale signs of the infection even if it didn't have
> the exact definition in place.

Avast! doesn't use "heuristics" (according to them). They do use them
for their e-mail scanning module though.

> I'm thinking of going back to ZoneAlarm since Windows firewall was so
> easy to disable.

Hmmm...

I just heard that most auto accidents happen within 10 miles of home, so
I'll be moving to a safer neighborhood.


From: Beauregard T. Shagnasty on
David Kaye wrote:

> Date: Sun, 04 Apr 2010 06:04:14 GMT
> Injection-Date: Sun, 4 Apr 2010 05:04:14 +0000 (UTC)
>
> I guess I'll just chalk it up to being a forward thinker.

I would like to know why "GMT" and "UTC" are an hour apart on your
posts. GMT and UTC are the same.

My posts via eternal-september show my correct time zone (as -0400 EDT)
but yours do not show your time zone. And everyone who has replied sees
your posts an hour in the future. Just yours.

--
-bts
-Four wheels carry the body; two wheels move the soul