Author Topic: Zero Day exploit being used to infect PCs  (Read 30533 times)

0 Members and 1 Guest are viewing this topic.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Zero Day exploit being used to infect PCs
« Reply #30 on: September 24, 2006, 03:36:15 PM »
I wish to see a list of 'problematic' applications with DEP.
I have, like Sasha, DEP allowed to every application. No delays, no problems.
Why does some people have to make execptions? What execptions are needed?
The best things in life are free.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48524
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Zero Day exploit being used to infect PCs
« Reply #31 on: September 24, 2006, 04:14:17 PM »
It's amazing, This change which was brought out in a post by Mastertech is
now apparently the way to go till Patch Tuesday.
Unfortunately, his thread has been deleted due to certain derogatory comments within that thread.
Comment's not made by him but that didn't seem to matter.

Since I've not seen him reply to anything in here, guess he's again been handed a banana.  :(

When will we ever learn to live and let live? It's not necessary to agree with a person to still
accept some help from that individual. Personal animosities have no place in a support forum. IMHO



Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Zero Day exploit being used to infect PCs
« Reply #32 on: September 24, 2006, 04:23:05 PM »
Hey SZC....mine has been checked just the opposite since day one on this laptop(turn on DEP for essential Windiows Programs and Services Only)and what is the best way to go-everything runs fine as is and i really hate to change anything ???
But did you receive any error message?
The simpler solution (just use DEP for essential Windows programs) isn't necessary if your system works well with the 'stronger and safer' option.
Besides this, if *any* program generates an error, you should see the error message posted by Frank...
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Zero Day exploit being used to infect PCs
« Reply #33 on: September 24, 2006, 04:39:04 PM »
Hi Tech,

With older programs, you can get an error, but software DEP can be applied per application. And there are ways around it. But there are holes in DEP (Ms has not reacted to the Russian Researcher that wrote a tool for that one). But the most important message here is:
"It's unlikely they will ever reveal how they screwed things up to allow callbacks into data that's not supposed to be 'run', but it's a certainty they figured out one whale of a hack here."
polonus

I copy from my other posting

"There will be malware around that will disable DEP while attack, actually this malware has been demonstrated, and is around. Could not this mean that DEP actually comes down to DEPressive??? Read this: http://radsoft.net/resources/rants/20051231,01.shtml

Here about the hole in DEP that Russian security found up half a year ago:
http://www.tunexp.com/news/windows-story-609.html

Limitations

Unlike similar protection schemes available on other operating systems, DEP provides no address space layout randomization, which may allow return-to-libc attacks that could feasibly be used to disable DEP during an attack.

The possibility has now been demonstrated against Windows Hardware-enforced DEP by skape in. which relies on a return-to-libc style attack. This technique relies on directly pointing the EIP register to the known service-pack-dependant location which applies the OptIn/OptOut mechanism. It is reliant on the boottime option of OptOut/OptIn being available. If all pages are strictly enforced, then this attack will not succeed. The PaX documentation further elaborates on why ASLR is necessary. It may be possible to develop a successful attack if the address of prepared data such as corrupted images or MP3s can be known by the attacker.(is already done in QuickTime)
[source Wikipedia]

Software conflicts

DEP is occasionally the cause of software problems, usually with older software. It has exposed bugs in the Virtuozzo virtualization software that prevent certain programs from being virtualized correctly. In most cases, these problems may be solved by disabling the DEP features.

As a response to this, DEP can be turned off on a per-application basis, retaining compatibility for older programs. [source Wikipedia]"


Safest way to go is with hardware DEP. How to go, you read here:
http://blogs.zdnet.com/Ou/index.php?p=150


p
« Last Edit: September 24, 2006, 05:16:55 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

drhayden1

  • Guest
Re: Zero Day exploit being used to infect PCs
« Reply #34 on: September 24, 2006, 06:01:43 PM »
someone tech told me its was your birthday today(9/24/06)

have a good one my friend ;D

drhayden1

  • Guest
Re: Zero Day exploit being used to infect PCs
« Reply #35 on: September 24, 2006, 06:11:16 PM »
thanks polonus...thats what i did from the link you posted and advise from a few others here on the forum...when the patch comes out.....do we leave as is or go back to default(the top one) ???
« Last Edit: September 24, 2006, 06:30:09 PM by drhayden1 »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Zero Day exploit being used to infect PCs
« Reply #36 on: September 24, 2006, 07:13:02 PM »
Quote
It's amazing, This change which was brought out in a post by Mastertech is
now apparently the way to go till Patch Tuesday.

Bob, if you take a look at page 1 of this thread you'll see I'd already posted information about how DEP can be used to block the exploit:

http://forum.avast.com/index.php?topic=23646.msg195274#msg195274

Quote
Unfortunately, his thread has been deleted due to certain derogatory comments within that thread. Comment's not made by him but that didn't seem to matter.

It was nothing to do with the nature of the comments posted of course. This guy has a reputation for this sort of thing all over the internet but when he posts here it's never his fault that threads get deleted, but because of comments made by other forum members?

If somebody comes here to troll and threads get deleted, let's place the blame where the blame belongs- with the troll.



     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48524
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Zero Day exploit being used to infect PCs
« Reply #37 on: September 24, 2006, 07:37:48 PM »
It was nothing to do with the nature of the comments posted of course. This guy has a reputation for this sort of thing all over the internet but when he posts here it's never his fault that threads get deleted, but because of comments made by other forum members?
You're entitled to your opinions.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Zero Day exploit being used to infect PCs
« Reply #38 on: September 24, 2006, 07:40:15 PM »
The forum administrators clearly said that the posts were deleted for trolling. Not my opinion at all.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

neal62

  • Guest
Re: Zero Day exploit being used to infect PCs
« Reply #39 on: September 24, 2006, 08:58:44 PM »
Thanks FWF. Appreciate all the information you have posted concerning this latest threat.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Zero Day exploit being used to infect PCs
« Reply #40 on: September 24, 2006, 09:14:44 PM »
Hi bob3160 & FwF,

Let us turn to the question at hand, and let us get  two things clear here. To use DEP means the HARDWARE variety of DEP (if your computer has it on board), the software DEP helps but is under attack, has some holes, and there is a patch tool for it written by a Russian researchers that should be installed (he has not heard from MS since he published.
People have short term memory. Remember that some coder said that if the source code of MS was revealed there would be holes found up as big you would not sleep nicely for some days to come. This remark  sparked by comments made by Microsoft VP Jim Allchin who stated, under oath, that there were flaws in Windows so great that they would threaten national security if the Windows source code were to be disclosed. He mentioned Message Queueing, and immediately regretted it, because as until today there is no cure for the ShatterAttack: http://en.wikipedia.org/wiki/Shatter_attack
Mac OS advertises this now as one of the 5 major flaws in the design of Windows, that was originally designed to be a stand-alone machine, never to go out on the Internet in the first place etc. etc. etc.


polonus
« Last Edit: September 24, 2006, 10:00:17 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48524
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Zero Day exploit being used to infect PCs
« Reply #41 on: September 25, 2006, 12:27:50 AM »
The forum administrators clearly said that the posts were deleted for trolling. Not my opinion at all.
FWF,
I guess then the following would be another example of his trolling considering the reply that followed?
http://forum.avast.com/index.php?topic=23485.msg195501#msg195501
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

drhayden1

  • Guest
Re: Zero Day exploit being used to infect PCs
« Reply #42 on: September 25, 2006, 02:36:54 AM »
http://en.wikipedia.org/wiki/Data_Execution_Prevention

this link helped me understand DEP a-little better than i knew before ???
have a good one avast! world :D

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Zero Day exploit being used to infect PCs
« Reply #43 on: September 25, 2006, 08:48:04 AM »
Thanks drhayden1!

From the Wiki article:

Quote
Software DEP, while unrelated to the NX bit, is what Microsoft calls their enforcement of "Safe Secure Exception Handling". Software DEP/SafeSEH simply checks when an exception is thrown to make sure that the exception is registered in a function table for the application, and requires the program to be built with it. This is likely a countermeasure against a specific exploit that occured exactly one time in history. However, even though it creates the impression that software DEP is related to the prevention of executing code in data pages, it is something totally different. It does not prevent the execution of code, as a result of a buffer overflows in any way!

(My italics)

This is the reference cited for this claim:

http://www.sys-manage.com/english/products/products_BufferShield_Exploits.html

If this information is correct, Software DEP has a very poor record in preventing Zero-day exploits. In fact, VML would be the first exploit it has actually blocked!
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

drhayden1

  • Guest
Re: Zero Day exploit being used to infect PCs
« Reply #44 on: September 25, 2006, 01:23:27 PM »
thanks for the reply and for the info freewheelinfrank 8)
« Last Edit: September 25, 2006, 02:39:44 PM by drhayden1 »