internet security

Comments

  • DCFC79
    DCFC79 Posts: 40,641 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    Avast is fine.

    Check out some of the other threads on the same subject.
  • AndyPix
    AndyPix Posts: 4,847 Forumite
    Fifth Anniversary 1,000 Posts Name Dropper Photogenic
    JJ_Egan wrote: »
    OP, Defender is fine

    Considering typical AV-Comparatives results, where Defender is usually the bottom of the pile, I would not class it as good enough.
    However, the difference between the bottom of the pile and the top is usually about 5%.
    Top ranked will not recognize about 1% of threats; with bottom ranked, about 5% of threats get through.
    Yeah, the difference between MS and the top performer is <0.5%.
    Defender is fine coupled with a bit of common sense.


    "Good enough" is all relative.
    If you are click happy and are going to expose your computer to loads and loads of virus samples, then if you use Defender there is less than half a percent more chance that you will be infected than if you were using the top performer.

    If you have more than half a wit then Defender is fine.
  • JJ_Egan
    JJ_Egan Posts: 20,281 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    AndyPix wrote: »
    If you have more than half a wit then Defender is fine.

    That's the problem: so many don't even have that. Hence phishing and ransomware success.
  • hans_2
    hans_2 Posts: 420 Forumite
    OP has Windows 10 so AV-Comparatives results are not relevant.

    AV-TEST test results show:

    BITDEFENDER (screenshot)

    WINDOWS DEFENDER (screenshot)

    Know which I would be using.
  • were
    were Posts: 632 Forumite
    If you want to deposit a few quid, you can get Kaspersky Internet Security 2016 free for 2 devices.

    https://www.help.barclays.co.uk/faq/security-fraud/software.html
  • Sicard
    Sicard Posts: 865 Forumite
    Ninth Anniversary 500 Posts Name Dropper Combo Breaker
    AndyPix wrote: »
    Wow, I've worked in offensive security for 10+ years and could not think of a way that malicious code could "hide behind the videos" on YouTube.

    Would you mind quoting your source so I can read up further?

    OP, Defender is fine, coupled with a bit of common sense regarding clicking links and opening random attachments.

    I have also been involved in security for many years, mainly as a bouncer for Mothercare.

    Video files are not typically thought of as potentially malicious or infected file types, but it is possible for malware to be embedded in or disguised as a video file. Due to this common misconception, audio and video files are incredibly intriguing threat vectors for malware writers.
    Reasons for Viruses

    • Media players are very frequently used software; users tend to use them for an extended period of time, leaving them open during other tasks, and frequently switch media streams.
    • There are a wide variety of different audio players and many of different codecs and audio file plugins - all written by generally non-security-focused people.
    • The file formats involved are binary streams, and tend to be reasonably complex. Much parsing is required to manipulate them, and playback calculations can easily result in integer bugs.
    • Players take untrusted input from many different unreliable sources (often over the network), and run with fairly high privilege and priority. For instance, in Windows Vista, a low-privileged IE instance can launch content in a higher-privileged WMP.
    • They are perceived as relatively harmless - users are likely to play files given to them.
    • They are frequently invoked without the user’s explicit acknowledgement, (i.e. embedded in a web page) [1].
    Vulnerabilities

    Typical vulnerability vectors are 1) fuzzing the media player with a modified video file and 2) embedding hyperlinks in a video file.
    1) Fuzzing is a generic method to force a program to behave unexpectedly by providing invalid, unexpected or random data to its inputs.

    Fuzzing is designed to find deep bugs and is used by developers to ensure the robustness of code; however, a developer's best tool can also be used to exploit. For media players, which are supposedly "format strict", a corrupted real video file can expose many bugs, most caused by dereferencing null pointers. The result is inappropriate memory access, which indicates the possibility of writing to memory that is not intended to be written [2]. Fortunately, fuzzing media players requires in-depth knowledge of the file format, or else the "corrupted" file will simply be ignored by the player.
    2) A more direct method is obtained by embedding a URL into modern media files.
    For example, Microsoft Advanced System Format (ASF) allows simple script commands to be executed. In this case, "URLANDEXIT" is placed at address 0x1329-133B, followed by any URL. When this code executes, the user is directed to download an executable file, often disguised as a codec, with a prompt to download it in order to play the media [1,3].
    Metadefender Cloud, OPSWAT's anti-malware multi-scanning tool, has an example of one such file: https://www.metadefender.com/#!/results/file/c88e9ff9e59341eba97626d5beab7ebd/regular
    The general threat name is "GetCodec", in this specific example, the media player was redirected to microsoftmediaplayer.net/pluginerror/ (website was taken down due to malware) and downloaded a trojan [4].
    We have scanned the trojan here: https://www.metadefender.com/#!/results/file/bd493d4780924435bfeb96a2af6db5b2/regular
    Microsoft (https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?ThreatId=-2147335891#tab=2) and Woodman [4] give a deeper understanding of how the Trojan behaves.
    Examples of File Type Exploits

    Below is a table listing the popular media file formats that have been recently exploited by routing the user to malicious sites [3].
    File Format          | Detection              | Description                                                    | First Reported
    Windows .wma/.wmv    | Downloader-UA.b        | Exploits flaw in Digital Rights Management [1]                 | January, 2005
    Real Media .rmvb     | W32/Realor.worm        | Infects Real Media files to embed link to malicious sites [2]  | November, 2006
    Real Media .rm/.rmvb | Human crafted          | Launches malicious web pages without prompting [3]             | December, 2007
    QuickTime .mov       | Human crafted          | Launches embedded hyperlinks to pornographic sites [4]         | April, 2008
    Adobe Flash .swf     | Exploit-CVE-2007-0071  | Vulnerability in DefineSceneAndFrameLabelData tag [5]          | June, 2008
    Windows .asf         | W32/GetCodec.worm      | Infects .asf files to embed links to malicious web pages [6]   | July, 2008
    Adobe Flash .swf     | Exploit-SWF.c          | Vulnerability in AVM2 "new function" opcode [7]                | June, 2010
    QuickTime .mov       | Human crafted          | Executes arbitrary code on the target user's system [8]        | August, 2010
    Adobe Flash .swf     | Exploit-CVE-2010-2885  | Vulnerability in ActionScript Virtual Machine 2 [9]            | September, 2010
    Adobe Flash .swf     | Exploit-CVE2010-3654   | Vulnerability in AVM2 MultiName button class [10]              | October, 2010
    https://www.opswat.com/blog/can-video-file-contain-virus


    Researcher hides stealthy malware inside legitimate digitally signed files

    The technique, which doesn't break the original file's signature, can allow malware to bypass antivirus detection



    By Lucian Constantin, Romania Correspondent, IDG News Service | Aug 5, 2016 8:27 AM PT

    (Image credit: IDGNS)

    A new technique allows attackers to hide malicious code inside digitally signed files without breaking their signatures and then to load that code directly into the memory of another process.
    The attack method, developed by Tom Nipravsky, a researcher with cybersecurity firm Deep Instinct, might prove to be a valuable tool for criminals and espionage groups in the future, allowing them to get malware past antivirus scanners and other security products.
    The first part of Nipravsky's research, which was presented at the Black Hat security conference in Las Vegas this week, has to do with file steganography -- the practice of hiding data inside a legitimate file.
    While malware authors have hidden malicious code or malware configuration data inside pictures in the past, Nipravsky's technique stands out because it allows them to do the same thing with digitally signed files. That's significant because the whole point of digitally signing a file is to guarantee that it comes from a particular developer and hasn't been altered en route.
    If an executable file is signed, information about its signature is stored in its header, inside a field called the attribute certificate table (ACT) that's excluded when calculating the file's hash -- a unique string that serves as a cryptographic representation of its contents.
    This makes sense because the digital certificate information is not part of the original file at the time when it is signed. It's only added later to certify that the file is configured as intended by its creator and has a certain hash.
    However, this means that attackers can add data, including another complete file inside the ACT field, without changing the file hash and breaking the signature. Such an addition will modify the overall file size on disk, which includes its header fields, and this file size is checked by Microsoft's Authenticode technology when validating a file signature.
    However, the file size is specified in three different places inside the file header and two of those values can be modified by an attacker without breaking the signature. The problem is that Authenticode checks those two modifiable file size entries and doesn't check the third one.
    According to Nipravsky, this is a design logic flaw in Authenticode. Had the technology checked the third, unmodifiable file size value, attackers wouldn't be able to pull off this trick and still keep the file signature valid, he said.
    The malicious data added to the ACT is not loaded into memory when the modified file itself is executed because it's part of the header, not the file body. However, the ACT can serve as a hiding place to pass a malicious file undetected past antivirus defenses.
    For example, attackers could add their malicious code to one of the many Microsoft-signed Windows system files or to a Microsoft Office file. Their signatures would still be valid and the files functional.
    Moreover, most security applications whitelist these files because they're signed by trusted publisher Microsoft to avoid false positive detections that could delete critical files and crash the system.
    The second part of Nipravsky's research was to develop a stealthy way to load the malicious executable files hidden inside signed files without being detected. He reverse engineered the whole behind-the-curtain process that Windows performs when loading PE files to memory. This procedure is not publicly documented because developers don't typically need to do this themselves; they rely on the OS for file execution.
    It took four months of eight-hours-per-day work, but Nipravsky's reverse engineering efforts allowed him to create a so-called reflective PE loader: an application that can load portable executables directly into the system memory without leaving any traces on disk. Because the loader uses the exact process that Windows does, it's difficult for security solutions to detect its behavior as suspicious.
    Nipravsky's loader can be used as part of a stealthy attack chain, where a drive-by download exploit executes a malware dropper in memory. The process then downloads a digitally signed file with malicious code in its ACT from a server and then loads that code directly into memory.
    The researcher has no intention of releasing his loader publicly because of its potential for abuse. However, skilled hackers could create their own loader if they're willing to put in the same effort.
    The researcher tested his reflective PE loader against antivirus products and managed to execute malware those products would have otherwise detected.
    In a demo, he took a ransomware program that one antivirus product normally detected and blocked, added it to the ACT of a digitally signed file, and executed it with the reflective PE loader.
    The antivirus product only detected the ransom text file created by the ransomware program after it had already encrypted all of the user's files. In other words, too late.
    Even if attackers don't have Nipravsky's reflective PE loader, they can still use the steganography technique to hide malware configuration data inside legitimate files or even to exfiltrate data stolen from organizations. Data hidden inside a digitally signed file would likely pass network-level traffic inspection systems without problems.


    http://www.pcworld.com/article/3104908/researcher-hides-stealthy-malware-inside-legitimate-digitally-signed-files.html


    Perhaps I was being over-enthusiastic in suggesting YouTube, but this could potentially be a threat in the not too distant future.

    But you must agree, and I enjoyed your cherry-picking enthusiasm, that it's not just naughty sites that you won't get naughty bugs from.
    You know what uranium is, right? It's this thing called nuclear weapons. And other things. Like lots of things are done with uranium. Including some bad things.
    Donald Trump, Press Conference, February 16, 2017
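    A defender-side check for the Authenticode trick described in the quoted article: the PKCS#7 signature inside the attribute certificate table (ACT) is a DER blob with its own length, so any table bytes beyond that blob plus the 8-byte alignment padding are unexplained by the signature. This is an added example, not code from the article, Deep Instinct or OPSWAT; the function names are mine, and the sample "PE" it builds is a constructed header skeleton with a placeholder DER element, not a real signed binary.

```python
import struct
# Assumed constants (added example, not from the quoted articles).
SECURITY_DIR_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY
PE32_MAGIC = 0x10B              # PE32+ (0x20B) shifts the data directories by 16 bytes

def security_directory(data: bytes):
    """Return (file_offset, size) of the attribute certificate table (ACT)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = pe + 24                                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == PE32_MAGIC else 112)        # data directory array
    return struct.unpack_from("<II", data, dd + 8 * SECURITY_DIR_INDEX)

def der_total_length(blob: bytes) -> int:
    """Size of the outer DER element (tag + length bytes + content)."""
    first = blob[1]
    if first < 0x80:                                       # short-form length
        return 2 + first
    n = first & 0x7F                                       # long form: n length bytes
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def act_slack(data: bytes) -> dict:
    """Bytes in the ACT that the PKCS#7 signature itself does not account for."""
    off, size = security_directory(data)
    if size == 0:
        return {"signed": False}
    dw_len = struct.unpack_from("<IHH", data, off)[0]      # WIN_CERTIFICATE.dwLength
    sig_len = der_total_length(data[off + 8:off + dw_len])
    slack = dw_len - 8 - sig_len
    # Entries are 8-byte aligned, so legitimate padding is at most 7 bytes.
    return {"signed": True, "slack": slack, "suspicious": slack > 7,
            "trailing": len(data) - (off + size)}

def build_sample(extra: bytes) -> bytes:
    """Constructed PE32 skeleton (not a real signed binary) with a fake DER sig + extra."""
    sig = b"\x30\x03\x02\x01\x05"                          # SEQUENCE { INTEGER 5 }
    dw_len = 8 + len(sig) + len(extra)
    dw_len += (-dw_len) % 8                                # round up to 8
    act_off = 0x40 + 4 + 20 + 224                          # end of PE32 headers
    hdr = bytearray(act_off)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x40 + 24, PE32_MAGIC)
    struct.pack_into("<II", hdr, 0x40 + 24 + 96 + 8 * SECURITY_DIR_INDEX, act_off, dw_len)
    act = struct.pack("<IHH", dw_len, 0x0200, 0x0002) + sig + extra
    return bytes(hdr) + act.ljust(dw_len, b"\0")
```

    Run `act_slack(open(path, "rb").read())` against a real signed PE; data tucked inside the PKCS#7 structure itself (for example in unauthenticated attributes) is not caught by this slack check and needs full ASN.1 inspection.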

  • pogofish
    pogofish Posts: 10,853 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    Crossing your fingers = free and probably as effective as McAfee.

    This is the best way to deal with McAfee: (image)

    :mad:
  • RumRat
    RumRat Posts: 5,001 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    Sicard wrote: »
    I also been involved in security for many years, mainly as a bouncer for Mothercare.

    Etc. Etc. Etc.

    Perhaps I was being over-enthusiastic in suggesting YouTube, but this could potentially be a threat in the not too distant future.

    But you must agree, and I enjoyed your cherry-picking enthusiasm, that it's not just naughty sites that you won't get naughty bugs from.
    You could have left out all that waffle and just posted your last few lines... That's probably all anyone will read anyway.
    Drinking Rum before 10am makes you
    A PIRATE
    Not an Alcoholic...!
  • digp
    digp Posts: 2,013 Forumite
    1,000 Posts Combo Breaker
    Windows Defender cloud (latest Windows 10) is pretty good.

    Use CryptoPrevent 8 (free).

    Hitman Pro in trial mode.

    Lock your hosts file down using the MVP hosts file.

    Use AdGuard for Chrome etc. with Ghostery etc. and you should be OK.
  • RumRat
    RumRat Posts: 5,001 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    Full list? Of What?
    Drinking Rum before 10am makes you
    A PIRATE
    Not an Alcoholic...!