Author Topic: Was very astounded!  (Read 9550 times)


AdrianH

  • Guest
Re: Was very astounded!
« Reply #15 on: December 01, 2010, 08:58:53 AM »
As posted previously:

http://www.theregister.co.uk/2010/11/24/windows_0day_report/

Windows 0day allows malicious code execution

Quote
Antimalware provider Prevx has sounded the alarm about a serious vulnerability in fully patched versions of Microsoft Windows. It allows attackers to execute malware, even in versions designed to withstand such exploits... (read more)

Windows in trouble again  ::)

XP/Vista/Win7 32 and 64 bit affected.

There are many new attacks that bypass security; all you can do is be cautious and have good backups/images to hand.

Tenko

  • Guest
Re: Was very astounded!
« Reply #16 on: December 01, 2010, 04:03:23 PM »
Take security software that has HIPS technology. Avast with OnlineArmor (in case you don't want to try CIS) will give you at least the same protection as NIS2011 (NIS has HIPS, but auto-HIPS, which means that NIS takes decisions instead of you), if not even better.

Many find CIS, with default settings, very annoying; it asks you whether you want to allow, block or sandbox, at the same time as it gives you hints on which decision you should take. But many don't understand why. Well... the reason CIS asks is that it trusts the user's decisions.

Here is a video where you can get tips on how to configure CIS for your needs and how you want it to work: http://www.youtube.com/languy99#p/u/23/Bj_Tg8EeY-s

Regards,
              Tenko
« Last Edit: December 01, 2010, 09:56:04 PM by Tenko »

Offline scythe944

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2913
    • My Tech Blog
Re: Was very astounded!
« Reply #17 on: December 01, 2010, 04:14:34 PM »
Quote
I'm gonna run them like this for a while and see where they go with avast, hopefully they just overlooked this one and can fix it in the next release.

If you really wanted to, you could try to find the files that were downloaded on your computer (the actual virus or malware, whatever it was) and submit it to avast to help improve detections.

That would help you, and anyone else that possibly comes across it.

By the way, Malwarebytes is a great free tool to help catch the "extras" that A/V products don't.

Good luck.
For generic computer (not avast) problems, you can also visit my forum for help: http://www.jacobytech.net/forum

kyoten3

  • Guest
Re: Was very astounded!
« Reply #18 on: December 01, 2010, 07:23:52 PM »
I believe that Malwarebytes deleted the files in question. I know it was an odd file name that was residing in the app data/temp folder, something like fekiuilwi343et.exe; there was a registry key as well. I'm not sure if Malwarebytes saves the log of the scan, but if so, or if there is a way I can get the info, just tell me and I'll do it. I hate these things; at my job we make around 4-5k each week just on virus removal, and 99% of it is rogue antiviruses. My biggest problem is that I don't know how I got it. I've been in computers for years and worked directly as a tech for 3 years now, so I know what to watch out for, or at least thought I did. I've managed to keep my wife's PC clean for over a year and she is a major Facebook user, and I get the rogue using Google, lol, just very frustrating. Anyway, if there is a way I can get info that would be useful, let me know.

Offline scythe944

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2913
    • My Tech Blog
Re: Was very astounded!
« Reply #19 on: December 01, 2010, 07:30:00 PM »
Malwarebytes by default puts everything it removes in a quarantine.  A log is also saved under the "Application Settings\Data" folder or somewhere around there for the user that ran the scan.

You could examine what the file names were by looking at the log, and you could restore the files to send them to avast if you wanted to give some help to the community.

You could send them to virus AT avast.com in a password protected zip file, with the password in the subject; you could upload them here: http://www.avast.com/contact-form.php?loadStyles&subject=SALES, or you could send them to avast directly from within the avast interface.
For generic computer (not avast) problems, you can also visit my forum for help: http://www.jacobytech.net/forum

Offline schmidthouse

  • VIRUS FREE A Long Time
  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7168
  • When you think you know, Think Again
Re: Was very astounded!
« Reply #20 on: December 01, 2010, 08:19:57 PM »
Well, from everything I've read, it sure sounds like developers (code writers) everywhere need to come up with a better way of "detecting and disabling" this kind of growing threat, which appears to be getting more common as time passes! I don't know if that's possible, but it seems to me that if this kind of threat can be developed, then it should be possible to STOP it before it installs. Yes? No? :-\

Offline scythe944

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2913
    • My Tech Blog
Re: Was very astounded!
« Reply #21 on: December 01, 2010, 08:23:49 PM »
Yeah, I'm sure that's what they strive for, but I think all the A/V companies are outnumbered by how many teams of people are developing the rogues.

With the A/V companies starting to do more work with cloud systems, we might eventually get to a point where a lot of this is caught before it ever gets to end users' systems, but the framework is still in its infancy. It'll take a bit in order to start seeing real results.
For generic computer (not avast) problems, you can also visit my forum for help: http://www.jacobytech.net/forum

Offline schmidthouse

  • VIRUS FREE A Long Time
  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7168
  • When you think you know, Think Again
Re: Was very astounded!
« Reply #22 on: December 01, 2010, 09:01:55 PM »
Good point about the number of teams developing this stuff... unfortunately that makes the game a "reactive" one, rather than "proactive"... at this point anyway ;)

Offline scythe944

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2913
    • My Tech Blog
Re: Was very astounded!
« Reply #23 on: December 01, 2010, 09:09:17 PM »
Yeah, it's unfortunate, but that's the way things go I guess.

More Malware writers than Anti-malware, more thugs than policemen, more... well, you get the idea.
For generic computer (not avast) problems, you can also visit my forum for help: http://www.jacobytech.net/forum

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: Was very astounded!
« Reply #24 on: December 01, 2010, 09:22:53 PM »
Things haven't changed since the time viruses first came on the scene. Catch-up has always been the game, whilst generic, heuristic and algorithmic signatures and behavioural analysis try to combat new malware without a specific signature.

The problem is that they have to strike a balance between detecting unknown malware and not detecting legitimate files. Get it wrong and you either get too many false positives, which can damage a system if a user elects to delete, or you don't catch new malware.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
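The file kyoten3 describes (a randomly named .exe dropped into the app data/temp folder) and DavidR's point about balancing detection against false positives can both be shown with a small filename heuristic. This is an added example, not code from the thread or from any of the products mentioned; the listing is constructed, and only the name fekiuilwi343et.exe comes from the thread.

```python
import math
import re
from collections import Counter

# Constructed listing of a per-user temp folder, modelled on the thread's
# description of a rogue AV dropper. Only "fekiuilwi343et.exe" is from the
# thread; every other name here is made up for the example.
SAMPLE_LISTING = [
    "fekiuilwi343et.exe",
    "setup_update.exe",
    "chrome_installer.exe",
    "~DF3A2B.tmp",
    "readme.txt",
    "xqzvbtkr9912ma.exe",
]

EXECUTABLE_EXTS = {"exe", "scr", "com"}


def shannon_entropy(text: str) -> float:
    """Bits per character of the symbol distribution in text."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def score_filename(name: str) -> int:
    """Additive 'looks randomly generated' score for an executable name.
    Each signal is weak on its own; the threshold decides the FP/FN trade-off."""
    stem, _, ext = name.rpartition(".")
    if ext.lower() not in EXECUTABLE_EXTS:
        return 0  # only executables are of interest here
    stem = stem.lower()
    score = 0
    if re.search(r"[a-z]\d+[a-z]", stem):
        score += 2  # digits sandwiched between letters, as in fekiuilwi343et
    if len(stem) >= 12 and not re.search(r"[_\-. ]", stem):
        score += 1  # long single token with no word separators
    runs = re.findall(r"[bcdfghjklmnpqrstvwxyz]+", stem)
    if max((len(r) for r in runs), default=0) >= 4:
        score += 2  # unpronounceable consonant run
    if shannon_entropy(stem) >= 3.0:
        score += 1  # high character diversity; "chrome_installer" trips this too
    return score


def flag_suspicious(listing, threshold: int):
    """Names scoring at or above threshold, in listing order."""
    return [n for n in listing if score_filename(n) >= threshold]
```

With the threshold at 3 only the two random-looking executables are flagged; dropping it to 1 also flags chrome_installer.exe, which is exactly the false-positive cost DavidR describes.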

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Was very astounded!
« Reply #25 on: December 01, 2010, 09:39:10 PM »
Quote from: kyoten3
I've managed to keep my wifes pc clean for over a year and she is a major facebook user and I get the rogue using google, lol just very frustrating.
I've read about quite a number of infected pages being near the top of some Google results pages, some even sponsored results. You don't need to go to a suspected "dodgy" (porn or warez) site to get what's called a drive-by download; you just need default settings on the browser that allow scripts to run.
Websites are hacked and infected at an alarming rate. All that is needed is for the web host to be using software with a vulnerability in it. A bit of light reading about how to prevent this here.

I believe that a lot of users who download these rogues do so inadvertently, by just visiting the page hosting it.

Quote from: schmidthouse
Good point about the number of teams developing this stuff... unfortunately that makes the game a "reactive" one, rather than "proactive"... at this point anyway
I think it always has been. The rogue antivirus game is worth seriously big money. New variants of the trojans/rootkits/worms that enable installation of these are being developed and released constantly.
The only things I'm aware of that prevent them are related to disabling scripting (mentioned above), NOT clicking on what some people would recognize as dodgy links or attachments, and the heuristics/behaviour blockers around (some AVs have these); unfortunately they are often a "best guess" type of detection, and if turned up high they present a higher percentage of FPs.

Seriously, a layered defense is the way to go, and to guarantee that is beyond the means (and interest) of the average computer user, and for similar reasons, beyond the scope of an AV designed for the average user.

Avast represents what I consider an excellent compromise. Better than most. Additional hardening is important, though, with any AV.
Windows 10,Windows Firewall,Firefox w/Adblock.

Offline schmidthouse

  • VIRUS FREE A Long Time
  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7168
  • When you think you know, Think Again
Re: Was very astounded!
« Reply #26 on: December 01, 2010, 09:41:22 PM »
Ah yes, the 'dreaded' false positive... another great point!

Joe S

  • Guest
Re: Was very astounded!
« Reply #27 on: December 01, 2010, 11:55:23 PM »
Maybe you should avoid the porn and hacker sites. Hacker sites are probably worse than porn sites for malware.
Joe

Tenko

  • Guest
Re: Was very astounded!
« Reply #28 on: December 01, 2010, 11:57:39 PM »
For such things you can check with www.urlvoid.org.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Was very astounded!
« Reply #29 on: December 02, 2010, 09:47:52 AM »
Quote from: Joe S
Maybe you should avoid the porn and hacker sites. Hacker sites are probably worse than porn sites for malware.
Joe
Any site can host malware.
This is yesterday's thinking, and slightly naive.
Windows 10,Windows Firewall,Firefox w/Adblock.