Author Topic: excluding khown trojans  (Read 9728 times)

0 Members and 1 Guest are viewing this topic.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11786
    • AVAST Software
Re:excluding khown trojans
« Reply #15 on: August 27, 2004, 10:03:01 AM »
Well, I believe Vlk stated it quite clearly...
When a malware is running under Administrator account, there is no way to prevent it from doing whatever it wants to. No antiviruses, no process-guards... nothing.
You can use tools (such as PG) to prevent some "generic" techniques... but when the malware is cleverly written (it usually isn't) and specifically targets the particular protection programs (PG, avast!, whatever...), it will win. That's the fact.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:excluding khown trojans
« Reply #16 on: August 27, 2004, 10:22:01 AM »
But please note this is not anything new: it has actually ever been so.

Linux/Unix users somehow know (count with) this and really really take care of which account they're working under. They usually use the root (=admin) account only if they really need to (such as to make some changes in the system config or install a program). Otherwise, they run under an account with limited rights (limited only to the extent that their apps work OK, of course) and this is because they somehow anticipate that something bad will happen. And if something bad really happens, running under a non-root account can mitigate the threat enormously...

Dwarden, why do you think that protection of the ini file would help? There are multiple places where avast stores its configuration. Registry keys, the ini file and the data storage (the mdb or xml file) where avast actually stores all task settings (including the on-access task). So it'd actually make more sense to tamper with the data storage than with the ini file I guess... Anyway, if the malware doesn't change any of those, it can patch any of the avast files. Same effect. And if it doesn't patch any of the files, it can remove the reference to avast from all the registry entries (preventing it to start on next boot). Same effect... Etc. etc.  You see what I'm saying? There are unlimited possibilities. There's no generic way to fight with that. The only way is not to run under the admin account.


Cheers
Vlk
« Last Edit: August 27, 2004, 10:24:02 AM by Vlk »
If at first you don't succeed, then skydiving's not for you.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67259
Re:excluding khown trojans
« Reply #17 on: August 27, 2004, 01:53:02 PM »
But when the malware is cleverly written (it usually isn't) ... it will win. That's the fact.

Men, I hope you never go to the dark side of the power  :o

There are multiple places where avast stores its configuration. Registry keys, the ini file and the data storage (the mdb or xml file) where avast actually stores all task settings (including the on-access task).

Vlk, is there any way to 'understand' or 'edit' the mdb file?
Everytime I browse it with Access I can't figure out anything I can change, do, tweak, even understand...  :'(
« Last Edit: August 27, 2004, 02:01:39 PM by Technical »
The best things in life are free.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:excluding khown trojans
« Reply #18 on: August 27, 2004, 02:29:29 PM »
The MDB file is quite straightforward (of course, only if you open it with Access... :)).

Almost everything is in the LocalProperty table.


BTW this is becoming way too off-topic!
« Last Edit: August 27, 2004, 02:29:44 PM by Vlk »
If at first you don't succeed, then skydiving's not for you.

Offline lee20

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2326
  • The only true failure is when you give up
Re:excluding khown trojans
« Reply #19 on: August 27, 2004, 05:39:03 PM »
Wouldn't it be a good idea to backup the INI files and Registery keys/values so they if avast is "tamperd with" you can just put it back.

Mabey this could be done as an option when you install avast, a sort of Avast recovery.

--lee

"Anyone who has never made a mistake has never tried anything new."-Albert Einstein

Comodo Firewall, Avast 4.8, SpywareBlaster, Spybot + superantispyware, PeerGuardian and ALL software patched!

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1789
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re:excluding khown trojans
« Reply #20 on: August 28, 2004, 12:56:06 PM »
yes but there is major difference between configuration stored in "raw" format and encrypted format (of course if someone decide to debug and analyse what where why, no way to win over him, but this is not that case) ...

anyway i got my own meaning about this as i already got experience with trojans which done exactly this to KPF configs (when they were in raw mode).

and in windows you not need to be in admin account to spread damage and destruction :) ...

oh well ... it was just thought ... i see i need keep using file integrity guard ...

https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11786
    • AVAST Software
Re:excluding khown trojans
« Reply #21 on: August 28, 2004, 01:15:32 PM »
anyway i got my own meaning about this as i already got experience with trojans which done exactly this to KPF configs (when they were in raw mode).

If the trojan specifically targets the program (KPF) configs, it can modify them in any case, encrypted or not - so I don't really see any difference. For encryping the configs, the encryption key has to be stored somewhere on the disk - so, the malware can simply extract the key and access the encrypted files.
(Even though as I said, I find it unnecessarily complicated - it can just delete or trash the files, or the whole program).

The only difference it could make is as a protection against "malicious user" - but not again clever malware.

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1789
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re:excluding khown trojans
« Reply #22 on: September 01, 2004, 10:20:45 AM »
anyway i got my own meaning about this as i already got experience with trojans which done exactly this to KPF configs (when they were in raw mode).

If the trojan specifically targets the program (KPF) configs, it can modify them in any case, encrypted or not - so I don't really see any difference. For encryping the configs, the encryption key has to be stored somewhere on the disk - so, the malware can simply extract the key and access the encrypted files.
(Even though as I said, I find it unnecessarily complicated - it can just delete or trash the files, or the whole program).

The only difference it could make is as a protection against "malicious user" - but not again clever malware.

you know it can takes exactly 10 seconds w/o any ecryption or checksum (e.g. md5 of ini to "detect" something messed with)

and i'm quite sure it will need hours - days - weeks to get your "key stored somewhere" ...

since when is no security better than some security ? especially when talking AV software ...
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:excluding khown trojans
« Reply #23 on: September 01, 2004, 10:25:34 AM »
The problem with encrypted data is that they are fragile. If a single bit is changed, the whole block becomes useless.

That is, if a malware changes anything in an encrypted config blob, the configuration becomes invalid and we're toast.

Encryption is not the way in this case -- OS level protection is much better.
If at first you don't succeed, then skydiving's not for you.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11786
    • AVAST Software
Re:excluding khown trojans
« Reply #24 on: September 01, 2004, 10:28:47 AM »
It takes 10 seconds to whom? To the program or to the author of the malware?
From the point of view of the program, it doesn't matter - both are basically the same. From the point of view of the author, yes, it may take slightly longer to program the malware (but not that much... finding the key wouldn't be very hard when the author decides what application he'll target specifically).

Additionally - what would be the hash of the ini file good for? OK, let's say we know that the file has been tampered with... but what next? The settings may be completely changed/overwritten (and we cannot restore them by the hash). The mail accounts may have been changed completely, redirected somewhere... if it's a filewall, then the list of allowed applications may be modified... are we going just to freeze the computer and not allow anything to do its work (because we don't know what is safe to allow)?

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31335
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:excluding khown trojans
« Reply #25 on: September 01, 2004, 10:40:53 AM »
I agree with Igor and Vlk especially on the used account(s). As I always say to my customers: Security starts with the user, not the system.

What good is it to lock a draw in your desk when you leave the frontdoor open wide and the key of the draw hangs in the hal?