Surviving ZLob: Lessons Learned

[vnangia]

Y'know, every time I see something like this (or have to do such a cleanup myself), I wonder why we can't charge Microsoft for engineering bad software. If you have a bad car, you have lemon laws. If you have a defective appliance, you have recalls and warranties. If you have a dishonest professional service (lawyer, accountant, etc, etc), you have ethics boards.

But if you're in the software business and make a defective product then you get a free pass because your product is sold as-is.

Can you imagine how quickly Microsoft (and other software companies - let's be honest, Adobe's products leave a lot to be desired in the everything department) would clean up their code if they couldn't sell their products as-is and could have civil cases brought against them for their shoddy work? If Microsoft were charged even $0.02 per person, per incident (surely a gross underestimation for time wasted) for their bugs, it would take only a couple of incidents before Microsoft was bankrupt or their code was audited and fixed.

 

[jam3ohio]

The Users Have Responsibility Too

A few years back, a buddy called panicking about his laptop that would not boot up. I asked him if he renewed his McAfee when it expired after the free trial. No, he said. The I asked him if he was still downloading porn with an expired security software. Yes, he sheepishly admitted. I had him bring the machine by and got the viruses off his machine, bought the McAfee renewal (with his credit card), and told him never to bring it back to me if he let that protection lapse. It was his fault for unsafe browsing...not Microsoft's. You can't think of every potential hole in the OS before shipping. Granted, MS could always do better, but the sheer volume of threats out there really make it required for users to take responsibility for their internet security.

 

[Unregistered]

Which free Anti virus software is best

Great article and thanks for sharing your experience.

I already follow many of your suggestions, but have been trying to find the best free anti virus software available. Previously I paid for Norton/Symantec, but I don't think it is worth paying for it anymore with so good software available for free.

I have been looking at AVG (As mentioned in the article) and Avast, what are your experiences and reasons for choosing one over the other of these two.

I guess that it is not advisable to have both as they might cause some conflicts.

 

[thiggins]

Y'know, every time I see something like this (or have to do such a cleanup myself), I wonder why we can't charge Microsoft for engineering bad software...

Well, it's not just Microsoft, but all application developers.

Realistically, things are only going to get worse as malware writers continue to sharpen their skills.

It would be great if EULAs could be changed to give some liability to software developers. But user education is also a very important part of the process. Sometimes I think people should be licensed to use a computer and computing devices should be registered like automobiles. But at least the latter isn't likely to happen.

 

[thiggins]

I had him bring the machine by and got the viruses off his machine, bought the McAfee renewal (with his credit card), and told him never to bring it back to me if he let that protection lapse.

Good approach. I didn't give as strong a lecture to my neighbors. But I told them both that they needed to check the AVG tray icon every day and make sure that there were no alerts. I also told them to manually update AVG on their notebook when they booted up, because it isn't used every day.

 

[thiggins]

I have been looking at AVG (As mentioned in the article) and Avast, what are your experiences and reasons for choosing one over the other of these two.

I have used AVG for a few years now and have installed it on friends and relatives' machines. I have no experience with Avast, other than encountering its spinning tray icon on my neighbors' system.

 

[claykin]

I have used AVG for a few years now and have installed it on friends and relatives' machines. I have no experience with Avast, other than encountering its spinning tray icon on my neighbors' system.

Tim

I use Avast and have had good success with it. In Avast's defense, the program does warn about 45 days in advance of its pending expiration. Once it has expired, it gives frequent warnings on screen. These warnings are in the form of a large square box that appears above the system tray.

Its simple to renew and Avast even includes a link in the warning to renew for free. People ignore it and that's their responsibility, not the AV.

I believe what happened in this case is that his Avast was expired and was out of date. Zlob got in and disabled parts of Avast from running and began doing its thing. Most malware programs will disable or partially disable out of date AV programs, no program is exempt from that rule, if its out of date.

Avast, Avira and to a lesser extent AVG are all good free solutions. Microsoft will be releasing their free AV/malware program, Microsoft Security Essentials in time for Windows 7 release. MSE will run on XP, Vista and 7 and early testing seems to indicate its easily as good, if not better, than all the current free solutions. Microsoft is running a beta program now, but its closed to new users.

That said, today's common infections, Zlob, Conficker, Sality, etc... Typically enter the system through known Windows security holes (and holes in 3rd party programs). If you want to protect your system, and not leave sole responsibility to your AV program, manually run Windows Update each month. Run it after the second Tuesday in each month to insure that you get the "in band" patches that MS releases. Install everything in the HIGH PRIORITY category and your protection from common "drive by" malware installs will increase by 99%. Also, if the Windows Update shield shows up mid month, don't ignore it for weeks, months, etc. Respond to it and let it install the patches that MS worked hard to write for your benefit!

My 2 cents.

 

[thiggins]

Thanks for the comment and tips, claykin. I don't think my neighbors would have ignored a warning box popped up from the system tray. I only saw the system after zlob was in and saw only the spinning Avast logo.

You'll get no argument from me that users have an obligation to keep Windows updated, too. And at least I had weaned them off of using IE and they don't use Outlook.

 

[claykin]

Thanks for the comment and tips, claykin. I don't think my neighbors would have ignored a warning box popped up from the system tray. I only saw the system after zlob was in and saw only the spinning Avast logo.

You'll get no argument from me that users have an obligation to keep Windows updated, too. And at least I had weaned them off of using IE and they don't use Outlook.

OK, but why hadn't Avast updated itself for months? I think you said months in your original article... Maybe they installed the free version but never registered it? In that case after 60 days it would have stopped updating itself automatically (after several red box warning messages appeared and badgered them).

Nothing, except corporate AV with a perpetual license could help people who refuse to listen to early warning messages. Then, inevitably they would eventually be using a 3-4 year old AV engine and still have little protection from current malware (how many offices do you know that still run Symantec Corporate AV V9.x from 2004 and think they are protected?)..... Either be a responsible PC user, or get a Mac (and wait for the AV writers to target you)

 

[YeOldeStonecat]

I have been looking at AVG (As mentioned in the article) and Avast, what are your experiences and reasons for choosing one over the other of these two.

I guess that it is not advisable to have both as they might cause some conflicts.

Should never run more than 1x antivirus real time protection at a time, else they step on each others toes, cause system instability, etc.

www.av-comparatives.org

In my experience with working on computers for a living, of the freebie antivirus programs, AntiVir is heads and toes above the rest. Avast in second place, AVG is "so-so". AVG is popular as far as the freebies go, but I have to repair a lot of computers that get hit even through they are protected by AVG.

To be soon taking over the "king of the free antivirus programs" list...Microsofts Security Essentials (MSE). Currently still in BETA, it'll be out soon. Microsoft hit a home run with this one, I've been using it in cleaning infested rigs and it does VERY well. Doesn't bog down your system either. Even though, as I write this, the BETA is closed, you can still find the download out there via Google from legit sites and it will still update fine.

Of the paid products I'm a fan of Eset, Kaspersky, AntiVir Pro, and believe it or not...Symantecs 2009 and newer products are actually very good. Yes..I said it..coming from someone who loathed Symantecs products for a long time, they completely...from the ground up, re-wrote their antivirus and internet protection suites for the 09 product. In a complete 180, they are now one of, if not THE, lightest products out there, their AV takes under 8 megs...yes..under 8 megs. And its detection and cleaning ability is top notch.

On the subject of these current "rogue/fake-alert" Vundu trojans, there are quite a few tools out there which make removing them relatively easy. The makers of these trojans are releasing several new variants PER DAY to keep ahead of the antivirus programs. We come across PCs with this every week, and the tools are doing a good job. MalwareBytes, SuperAntiSpyware, TCP/Winsock repair utility, CCleaner, Spybot Search and Destroy, added to an antivirus scanner or two and it's done. Actually MalwareBytes usually gets it quite well in the first pass...but IMO it's good to run/scan/remove a few remnants with other tools first.

 

[thiggins]

Thanks for the link to AV-Comparatives and your thoughts about AV products, Stonecat. As someone who uses and installs this stuff every day, your opinions are much more valuable than mine!

 

[Unregistered]

An additional tool in the armoury

There's an additional set of tools which any experienced net defender should know about, which can in many instances save one the time and complexity of a bare metal install.

Ultimate Boot 4 Windows [http://www.ubcd4win.com/] is a free user-extensible suite based on BartPE, which allows one to build an XP/2003 bootable CD/DVD disk; this will run a stripped-down copy of XP direct from the CD - it has several on-board AV and malware tools, as well as a whole raft of other very useful tools for systems diagnosis management or repair.

When building the CD/DVD one can also add one's own selection of tools to the mix, thus for example Acronis or DriveClone Pro or Ghost, or one's own selection of AV tools such as Symantec/Norton or Kaspersky: the home web site also delivers information on how to "build" such applications into the CD. Personally, for systems management purposes I usually carry a special version of the CD based on Server 2003 with various of the Active Directory and SysInternals tools installed.

Using this CD one can boot the infected system and mount its drive{s} for off-line scanning and disinfection: in more than 95% of all cases I've dealt with this sorts the problem entirely. The few cases this method does not address usually arise from somewhat rarer forms of malware which write their infections to drive boot sectors or system bios space.

If one is dealing with a system where the content is sensitive or unusually valuable then UB4Win allows one to take an offline image of the affected disk{s} to an external USB/1394/esata disk before attempting any repair: which is standard forensic practice: don't touch unless you can guarantee you can put it back to the state it was in before you started.

Using UB4Win to scan/repair will usually take no more than an hour or so, and is thus a damn sight quicker than rebuilding the OS from scratch, without the inherent risk which comes from moving user data off the old disk temporarily. Even if one has to take a disk image beforehand the process is rarely more than a couple of hours.

In passing I've used UB4Win with Acronis imaging tools to entirely replace a failing boot raid subsystem on a server in well under 2 hours. Customers tend to appreciate lower downtime

 

[R.G.]

A little bit of thinking will reveal the result that Microsoft (and other software companies, notably the anti-whatever utilities) and the malware writers have become two parts of a binary parasite. A binary parasite forms when a supplier of a good/legal product and a bad/malicious product come to need one another and both profit from the host by continuing to exist.

It is very much to Microsoft's advantage to have people tied to continuous updates every week or two to remain functional in the face of the blizzard of malware exploits. The advantages to the malware folks to have things to exploit are obvious. What is interesting about a binary parasite is that no collusion is needed, both halves of the parasite can truly, really oppose the operation of the other half and no secret meetings, no conspiracy. Both can hate the other side truly, and as long as the other side is not wiped out, things are good. The host keeps supporting them both.

The only bad thing is this: the host is us, the non-combatants

It is easy to say that no software is perfect, and that there will always be holes to exploit. However, it is indisputable that MS and other protection-ware companies profit from the continued existence of the malware guys. Accordingly, I suspect that in the absence of a bigger threat to MS and others from the continued existence of profitable malware exploits, you can be sure that the war will continue - with us, the hosts, paying both sides: one willingly for protection, the other inadvertently when the shields slip.

There are other examples of binary parasites, where the entrenched co-dependency of the good-side parasite on the bad-side parasite should be obvious.

 

[spooony]

Should never run more than 1x antivirus real time protection at a time, else they step on each others toes, cause system instability, etc.

www.av-comparatives.org

In my experience with working on computers for a living, of the freebie antivirus programs, AntiVir is heads and toes above the rest. Avast in second place, AVG is "so-so". AVG is popular as far as the freebies go, but I have to repair a lot of computers that get hit even through they are protected by AVG.

To be soon taking over the "king of the free antivirus programs" list...Microsofts Security Essentials (MSE). Currently still in BETA, it'll be out soon. Microsoft hit a home run with this one, I've been using it in cleaning infested rigs and it does VERY well. Doesn't bog down your system either. Even though, as I write this, the BETA is closed, you can still find the download out there via Google from legit sites and it will still update fine.

Of the paid products I'm a fan of Eset, Kaspersky, AntiVir Pro, and believe it or not...Symantecs 2009 and newer products are actually very good. Yes..I said it..coming from someone who loathed Symantecs products for a long time, they completely...from the ground up, re-wrote their antivirus and internet protection suites for the 09 product. In a complete 180, they are now one of, if not THE, lightest products out there, their AV takes under 8 megs...yes..under 8 megs. And its detection and cleaning ability is top notch.

On the subject of these current "rogue/fake-alert" Vundu trojans, there are quite a few tools out there which make removing them relatively easy. The makers of these trojans are releasing several new variants PER DAY to keep ahead of the antivirus programs. We come across PCs with this every week, and the tools are doing a good job. MalwareBytes, SuperAntiSpyware, TCP/Winsock repair utility, CCleaner, Spybot Search and Destroy, added to an antivirus scanner or two and it's done. Actually MalwareBytes usually gets it quite well in the first pass...but IMO it's good to run/scan/remove a few remnants with other tools first.

Slow scan engine poor script malware detection and no HIPS. Thats no king lol

Product Report Certified Protection Repair Usability
Avast: Free AntiVirus 6.0 112241 yes 5.0 4.0 4.5
AVG: Internet Security 10.0 112217 yes 5.5 4.5 3.0
Avira: Premium Security Suite 10.0 112235 yes 3.5 4.5 4.0
BitDefender: Internet Security Suite 2011 112275 yes 6.0 5.5 5.5
BullGuard: Internet Security 10.0 112219 yes 5.0 3.5 4.5
CA: Internet Security Suite 2011 112252 no 1.5 3.5 4.0
Comodo: Internet Security Premium 5.3 and 5.4 112298 no 3.5 1.5 3.0
Eset: Smart Security 4.2 112256 yes 4.0 3.5 5.5
F-Secure: Internet Security 2011 112279 yes 5.5 5.0 5.0
G Data: Internet Security 2012 112229 yes 5.5 4.0 4.0
GFI: Vipre Antivirus Premium 4.0 112208 yes 3.0 4.0 4.0
K7 Computing: Total Security 11.1 112238 no 4.0 3.5 3.0
Kaspersky: Internet Security 2011 and 2012 112249 yes 5.5 5.5 5.0
McAfee: Total Protection 2011 112247 no 3.0 3.0 3.5
Microsoft: Security Essentials 2.0 112233 yes 2.5 4.5 5.0
Norman: Security Suite Pro 8.0 112228 no 3.0 4.0 2.0
Panda: Internet Security 2011 and 2012 112261 yes 5.5 5.0 5.0
PC Tools: Internet Security 2011 112288 no 4.0 4.5 2.0
Sophos: Endpoint Security and Control 9.5 and 9.7 112274 yes 4.0 4.5 5.0
Symantec: Norton Internet Security 2011 112203 yes 5.0 5.0 3.5
Trend Micro: Titanium Internet Security 2011 112286 yes 4.5 3.5 4.5
Webroot: Internet Security Complete 7.0 112273 yes 2.0 5.0 4.0

 

[YeOldeStonecat]

Slow scan engine poor script malware detection and no HIPS. Thats no king lol

Which one are you talking about...on this over 2 year old thread that you dug up and that naturally some players have changed over the past 2 years.

And scan speed doesn't really count in the real world..you kick off a scan and walk away, come back later when it's finished. Who actually stands there waiting in front of the computer watching the scan progress bar while it scans?

 

[claykin]

VB100 has this graph posted showing proactive and reactive results. Microsoft Security Essentials seems to be included even though this was tested on Server 2008. They have a spot for "Microsoft SE" I know people successfully use MSE on Windows Server. Seems MSE had a good showing in this test.

http://www.virusbtn.com/vb100/RAP/RAP-quadrant-Dec10-Jun11-850.jpg

 

[stevech]

I switched from Norton AV (enterprise, not consumer) almost a year ago IIRC. I put my blind faith in Microsoft's Security Essentials.

My (naive?) hope is that they have a strong motive to better secure their own operating system and apps - - since the vulnerabilities were created by Microsoft themselves!

 

[spooony]

I ask everyone to be a good sport and run this and posts the log. On your systems in the current state
http://screen317.spywareinfoforum.org/SecurityCheck.exe

Please do not cheat its not going to help

 

[spooony]

Which one are you talking about...on this over 2 year old thread that you dug up and that naturally some players have changed over the past 2 years.

And scan speed doesn't really count in the real world..you kick off a scan and walk away, come back later when it's finished. Who actually stands there waiting in front of the computer watching the scan progress bar while it scans?

thats why i posted the above.. If you click on the one starting with the numbers you will get a detailed report of all. Hope it helps as it shows good and short commings of the different products