From: Dustin Cook on 4 Apr 2010 14:21

~BD~ <BoaterDave(a)hotmail.co.uk> wrote in news:C_edndT4OMbLSyXWnZ2dnUVZ7tmdnZ2d(a)bt.com:

> Beauregard T. Shagnasty wrote:
>> ~BD~ wrote:
>>
>>> TRT said
>>
>> Stop calling him "TRT". He is the exact opposite of the real truth.
>>
>> Have you bothered to do this?
>> http://www.google.com/search?q=pcbutts1+software+thief
>>
>> <quote>
>> From: "Intellectual Property and Licensing Group"<[cut]@microsoft.com>
>> To: "'pcbutts1'"
>> Sent: Monday, March 09, 2009 9:05 PM
>> Subject: RE: Logo use
>>
>> Please provide us your name to verify in our system.
>> </quote>
>>
>
> BTS - I have read everything anyone and everyone has thrown in front
> of me telling me that 'he/she' is one of life's bad guys. What I have
> read may, or may not, be true.

Fair enough. If it was published by the national inquirer (probably spelled wrong, I don't care), I'd respect your view. However, in this case, many, many reputable sites are complaining about PcButts. Myself and others have witnessed *and caught him* in the act of code theft (research: pcbutts and rot13). So it goes beyond opinion to fact.

> Whilst I may have missed it, I didn't see anything on 'his/her' web
> site which stated that the picture of a blonde woman was a true
> representation of the MVP in question. Maybe it's there simply to
> cheer up an otherwise rather dull page!

Then you missed it. Chris has been trying to convince people he's a female model for a while now; several threads were started about it. I know it's a waste of time for me to even say this again, but I'd suggest you do more reading about your idol and less posting. You might learn what a tool you are.

> What you *think* you know from your Internet research may be totally
> incorrect - there really is no way of *knowing* the truth on line.

The internet isn't like religion where "faith" is a requirement. You can know the absolute truth about someone here.

> Just remember, it was *you* who refused to have email contact with me,
> though of what you were afraid I have absolutely no idea. Mr Lipman
> will agree that email is a somewhat 'safer' medium than Usenet!

I can't speak for Dave, but I at one point took the bait and responded to several of your emails; and as you can see, this is the end result of it. I don't blame David for not wanting to take the same road.

> Happy Easter to you, regardless!

And to you as well, Dave.

--
"Hrrngh! Someday I'm going to hurl this...er...roll this...hrrngh.. nudge this boulder right down a cliff." - Goblin Warrior
From: ~BD~ on 4 Apr 2010 14:27

FromTheRafters wrote:
> ...as a side note, I read somewhere, about a month ago, that 80% of the
> most popular legitimate websites had served up malware within that one
> week period. IIRC it was mostly through advertisements that they had
> hosted.
>

I read that too. I posted the relevant article - the second post in this thread - but maybe David was too distracted/frustrated to read it!

--
Dave
From: gufus on 4 Apr 2010 14:28

Hello, ~BD~!
You wrote on Sun, 04 Apr 2010 18:55:23 +0100:
| I'm unsure of the point you were making, but it's good to meet you! ;)

What I was doing was teasing David Kaye, <evil grin>..

Nice to meet you too! Have a /SUPER/ Easter. :-)

--
With best regards, gufus.
E-mail: stop.nospam.gbbsg(a)shaw.ca
From: gufus on 4 Apr 2010 14:34

Hello, David!
You wrote on Sat, 3 Apr 2010 20:13:30 -0400:
| The two are drinking the same K00laide.

Wobblypop's

--
With best regards, gufus.
E-mail: stop.nospam.gbbsg(a)shaw.ca
From: Ant on 4 Apr 2010 14:41

"David Kaye" wrote:
> "Ant" wrote:
>> You didn't say which browser was involved. Is it up-to-date? What
>> plugins and other applications are used as helpers to view embedded
>> content and are they securely configured and up-to-date? Think about
>> Java (not javascript), PDF and Flash viewers, ActiveX components and
>> other media players. Do you allow them to run automatically?
>
> Again, this particular computer is set up to imitate real world scenarios as
> are present in my customers' computers.

So that would be insecurely and typically lacking the latest (or any) third party software updates or patches for bug fixes. They might be a little better protected with Vista or Win7 if they haven't disabled the nags.

> Prior to the infection I had visited
> several websites from Google links. I did not click on anything within those
> web pages. I don't recall if there was a pdf among the stuff I looked at or
> not. My machine is set up to warn about ActiveX, but not Java, Flash, or
> pdfs. However, downloading of exe and dll files should be triggering
> *something* to warn me.

You still haven't stated which browser and you don't need to click to be infected. In the last few days there have been updates for IE6 & 7, Firefox, Quicktime & iTunes and Foxit PDF reader. All of them correct exploitable vulnerabilities. Take a look at http://isc.sans.org/

To convince yourself not to allow PDF files to display automatically, see the article "PDF Arbitrary Code Execution - vulnerable by design" at isc.sans.org. Foxit have corrected it but Adobe Acrobat is probably still vulnerable. In fact malicious PDFs, which are frequently used, often don't display at all but just run code.

If you want some warning it's best to have the appropriate OS security policies and logging in place. Firewalls are usually only concerned with network connections, not what you allow to run.

The only way you can find out what causes a problem like this is to do an immediate investigation of all the recent HTTP (and perhaps other protocol) requests and examine any cached pages, scripts, Java .jar and .class files, etc. when it happens so you can track down the bad site and what exploit was used.

> As someone suggested, perhaps something else is being renamed as an exe.

An executable named temp.tmp, for example, is easily run without being renamed by using the right API magic.

> I did notice one thing that may be a clue. I couldn't run exe files any
> longer until I entered the exe extension in the filetypes section to replace
> what had been there. This was after the registry rollback, so I'm not sure
> where the exe reference was being pulled from. It should have reverted just
> like all other registry entries.

That depends how you backup/restore the registry. File associations are stored in HKLM\software\Classes which is in the software hive in [win]\system32\config. Then there's the individual hives (ntuser.dat) in each user profile directory. It may be that exe association can be overridden from those.

Once malware is running with administrator rights it can do anything it wants, including elevating itself to have NT authority\system privilege. Thus it has full access to protected areas of the registry, the hard disk and the ability to load drivers.

> So, indeed it could well be that ave.exe is really something non-exe that got
> renamed and thus wasn't detected by Windows as being bogus. I have not saved
> the ave.exe file to look at it. Perhaps I should have, but I had to use this
> particular computer and just wanted to get rid of the malware.

More important is to find the vulnerable software component that allowed it to run.
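Ant's post makes two points that lend themselves to a quick, offline check: malicious PDFs often carry an action that fires on open without showing a page, and the way to find the culprit is to examine what the browser cached. The following triage script is an added example for this thread (not Ant's or anyone else's code from the post): it scans PDF bytes for the standard PDF action and script keys (`/OpenAction`, `/AA`, `/JavaScript`, `/JS`, `/Launch`, and so on), also looking inside FlateDecode-compressed streams, and flags a file when an automatic trigger is combined with code execution. The three sample PDFs are constructed inline and are not real malware; `triage_directory` is a convenience for walking a real cache folder.

```python
"""Triage PDF files pulled from a browser cache for features that act rather
than display (added example, not from the thread). Looks for the standard PDF
action/script keys, including ones hidden inside FlateDecode streams."""
import re
import zlib
from pathlib import Path

# Standard PDF dictionary keys that trigger behaviour on open or on events.
# Their presence is a triage signal, not proof of malice.
RISKY_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
              b"/EmbeddedFile", b"/RichMedia")
AUTO_KEYS = ("/OpenAction", "/AA")               # fire without user interaction
SCRIPT_KEYS = ("/JavaScript", "/JS", "/Launch")  # run script or a program


def inflate_streams(data):
    """Return data plus the inflated bodies of any FlateDecode streams, so
    keys inside compressed object streams are visible to the keyword scan."""
    extra = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            # decompressobj tolerates a missing trailer, so a stream whose
            # last byte happens to be \r is still recovered.
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed (image data, other filters)
    return data + b"\n" + b"\n".join(extra)


def triage_pdf(data):
    """Count risky keys in one PDF and flag it when an automatic trigger is
    combined with code execution. Returns a dict; is_pdf is False for non-PDFs."""
    if not data.startswith(b"%PDF"):
        return {"is_pdf": False, "hits": {}, "pages": 0, "suspicious": False}
    body = inflate_streams(data)
    hits = {}
    for key in RISKY_KEYS:
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", body))
        if n:
            hits[key.decode()] = n
    pages = len(re.findall(rb"/Type\s*/Page(?![A-Za-z])", body))
    auto = any(k in hits for k in AUTO_KEYS)
    script = any(k in hits for k in SCRIPT_KEYS)
    # Zero pages plus an open-time script is the "doesn't display at all,
    # just runs code" shape described in the post.
    return {"is_pdf": True, "hits": hits, "pages": pages,
            "suspicious": auto and script}


def triage_directory(path):
    """Triage every .pdf under a cache directory; returns {path: result}."""
    return {str(p): triage_pdf(p.read_bytes()) for p in Path(path).rglob("*.pdf")}


# Constructed samples (not real malware): an open-time JavaScript action,
# a benign one-page file, and a /Launch action hidden in a compressed stream.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 1 1] >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
_compressed = zlib.compress(b"5 0 obj << /S /Launch /F (constructed) >> endobj")
COMPRESSED_PDF = (b"%PDF-1.5\n1 0 obj << /Type /Catalog /OpenAction 5 0 R >> endobj\n"
                  b"6 0 obj << /Filter /FlateDecode /Length "
                  + str(len(_compressed)).encode() + b" >>\nstream\n"
                  + _compressed + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF),
                         ("compressed", COMPRESSED_PDF)):
        print(name, triage_pdf(sample))
```

The keyword scan is deliberately crude (no full PDF object parsing, no handling of name escapes like `/J#53`), which is the right trade-off for a first pass over a cache directory; anything it flags should then be opened only in an isolated analysis environment.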
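On the file-association point (exe association living in HKLM\Software\Classes but possibly overridden from a user's ntuser.dat), here is an added example, not from the thread, of how a defender would audit the `.exe` handler. In the merged HKEY_CLASSES_ROOT view, HKCU\Software\Classes takes precedence over HKLM\Software\Classes, so a per-user `exefile\shell\open\command` is enough to interpose a program in front of every launched executable. The audit logic takes the two values as plain strings so it can be exercised on any platform; `read_exefile_commands` pulls the real values on Windows via the standard `winreg` module. The hijacked command string is a constructed sample, not taken from any real infection.

```python
"""Audit the .exe file association for interposition (added example, not from
the thread). Pure functions take the registry values as strings; the Windows
reader is only called when running on Windows."""
import sys

# Default data of exefile\shell\open\command on Windows: run the file itself
# with its arguments.
DEFAULT_EXE_COMMAND = '"%1" %*'

# Same subkey under HKCU and HKLM. HKCU\Software\Classes wins in the merged
# HKCR view, so a per-user override hijacks every .exe launch for that user.
EXEFILE_COMMAND_SUBKEY = r"Software\Classes\exefile\shell\open\command"


def classify_open_command(value):
    """'default' for the stock command, 'interposed' when something else is
    run and handed the real target, 'unknown' otherwise."""
    v = value.strip()
    if v == DEFAULT_EXE_COMMAND:
        return "default"
    if "%1" in v:
        return "interposed"
    return "unknown"


def audit_exe_association(per_user, machine):
    """per_user / machine: default value of the subkey under HKCU / HKLM, or
    None where the key is absent. Returns the effective command and findings."""
    findings = []
    if per_user is not None:
        findings.append("per-user exefile override present in HKCU\\Software\\Classes")
        effective, source = per_user, "HKCU"
    else:
        effective, source = machine, "HKLM"
    verdict = "missing" if effective is None else classify_open_command(effective)
    if verdict != "default":
        findings.append(f"{source} exefile open command is {verdict}: {effective!r}")
    return {"effective": effective, "source": source,
            "verdict": verdict, "findings": findings}


def read_exefile_commands():
    """Windows only: return (per_user, machine) default values, None if absent."""
    import winreg  # standard library, importable only on Windows
    out = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, EXEFILE_COMMAND_SUBKEY) as key:
                out.append(winreg.QueryValueEx(key, "")[0])
        except OSError:
            out.append(None)
    return tuple(out)


# Constructed sample of an interposed handler (hypothetical path, not an IoC).
CONSTRUCTED_HIJACK = r'"C:\Users\victim\AppData\Local\constructed\rogue.exe" /START "%1" %*'

if __name__ == "__main__":
    if sys.platform == "win32":
        values = read_exefile_commands()
    else:
        values = (CONSTRUCTED_HIJACK, DEFAULT_EXE_COMMAND)
    print(audit_exe_association(*values))
```

Because the check reads both hives separately, it also explains the symptom described in the thread: restoring only the machine-wide software hive leaves a per-user override in place, and the merged view keeps serving the hijacked command until the HKCU key is removed or the association is re-entered.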