Firewall/antivirus software to detect stealth malware
on 05.02.2007 09:37:09 by Alfred Molon
I read that spyware and trojans exist which can't be detected by the
virus scanning software, which are not blocked or detected by firewalls
and which go into hiding when you activate the task manager, so that you
can't identify the related process(es).
Is there any secure way to identify such malware? Which firewall (or
virus scanner) for XP would you recommend?
--
Alfred Molon
http://www.molon.de - Photos of Asia, Africa and Europe
Re: Firewall/antivirus software to detect stealth malware
on 05.02.2007 14:31:13 by "Mr. Arnold"
Alfred Molon wrote:
> I read that spyware and trojans exist which can't be detected by the
> virus scanning software, which are not blocked or detected by firewalls
> and which go into hiding when you activate the task manager, so that you
> can't identify the related process(es).
>
> Is there any secure way to identify such malware? Which firewall (or
> virus scanner) for XP would you recommend?
Long
http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html
Short
http://tinyurl.com/klw1
You use the tools in the link and you look for yourself from time to
time. You can even make Process Explorer the default Task Manager.
Re: Firewall/antivirus software to detect stealth malware
on 05.02.2007 14:44:43 by warf
Alfred Molon wrote:
> I read that spyware and trojans exist which can't be detected by the
> virus scanning software, which are not blocked or detected by firewalls
> and which go into hiding when you activate the task manager, so that you
> can't identify the related process(es).
>
> Is there any secure way to identify such malware? Which firewall (or
> virus scanner) for XP would you recommend?
I am by no means as competent in this field as the gurus but I am coming
to understand the difficulty of making sure your computer is not
compromised. When I read Phrack online I realized that true internet
security and privacy was an illusion in flux.
There are many layers of processes between your display/keyboard and the
engine that makes it happen. I think the kernel [machine language] is
the lowest level and when malware and 'security'-ware interact at the
same level some cleverer person will always be able to obfuscate their
actions. E.g. code melts away after assembling bits of seemingly benign
code from multiple locations on your HD, code interacts with the
security software rendering it ineffectual.....
I think M$-Vista tries to get around that by making the kernel-level
code 'off limits' to ALL developers. This means the 'good guys' are
subject to rules the bad guys aren't... Hmmm, much like police work.
FWIW, I am at the point where utility vs the game of
hacking/counterhacking is beyond most online persons and suggest perhaps:
1/ never connect a computer with valuable or sensitive information to
the wall. Think of it like leaving a locked safe on your front lawn
....eventually someone will get in if for no other reason than 'because'.
I could never understand why the Pentagon had to have critical nuclear
weapon information on internet connected computers??? Nor why our
sensitive credit card info is similarly exposed by collection points and
financial institutes. Recent news attests to the inherent vulnerability
of purchase documents to nefarious users.
2/ For internet access, use a simply configured, software firewalled,
hardware firewalled [eg, Linksys router] and keep the install disks
close at hand.
3/ Even having 'no valuable information' on your computer doesn't
prevent you from being targeted... people need open boxes to hide their
identity and you can easily and unwittingly assist that task if
connected 'insecurely'
4/ RE 3... you are always connected insecurely relative to somebody's
skill or persistence.
5/ the mind can't devise a means of revealing everything
'knowable'...the very process of examination changes the state of being.
The corollary to that is "if you can imagine a lock, you can imagine a
key or hack"
Warf...take me now, I confess- my dirty pics of Paris Hilton should have
been better concealed![g]
Re: Firewall/antivirus software to detect stealth malware
on 05.02.2007 19:53:27 by Alfred Molon
Thanks for the reply. Another question: does the 'connection status'
window always show if there is some data flow (in both directions) or is
there malware capable of sending/receiving data so that it does not show
in the counts of the connection status window? A few years ago I
detected a trojan by observing that data was flowing even if it should
not (that was before I installed the firewall).
--
Alfred Molon
http://www.molon.de - Photos of Asia, Africa and Europe
Re: Firewall/antivirus software to detect stealth malware
on 06.02.2007 02:31:32 by "Mr. Arnold"
Alfred Molon wrote:
> Thanks for the reply. Another question: does the 'connection status'
> window always show if there is some data flow (in both directions) or is
> there malware capable of sending/receiving data so that it does not show
> in the counts of the connection status window? A few years ago I
> detected a trojan by observing that data was flowing even if it should
> not (that was before I installed the firewall).
If that's what you're looking at, then you have serious problems in
determining if malware is running on your machine.
And if you're dependent upon some kind of snake-oil in personal FW's,
AV's or other forms of snake-oil malware detection solutions running on
the machine to tell you what's happening, then you have problems as
every last bit of it can be circumvented and defeated.
Again, the tools in the link I provided will help you in the
determination and detection of malware that has circumvented the
snake-oil solutions you want to depend upon.
Re: Firewall/antivirus software to detect stealth malware
on 06.02.2007 10:05:04 by Alfred Molon
In article , Mr.
Arnold says...
> If that's what you're looking at, then you have serious problems in
> determining if malware is running on your machine.
>
> And if you're dependent upon some kind of snake-oil in personal FW's,
> AV's or other forms of snake-oil malware detection solutions running on
> the machine to tell you what's happening, then you have problems as
> every last bit of it can be circumvented and defeated.
>
> Again, the tools in the link I provided will help you in the
> determination and detection of malware that has circumvented the
> snake-oil solutions you want to depend upon.
Perhaps you misunderstood my question. And by the way I checked the link
you posted. Browsed among others through the list of processes and the
entries in the windows registry, but could not spot anything suspicious,
probably because I'm not an expert and have no idea of what most
processes and registry entries are anyway.
By the way, what tools specifically are you referring to? Perhaps I
missed something.
Anyway, getting back to my original question, I simply asked if the
connection status window always shows the count of bytes which leave the
computer or if even that count could be faked.
--
Alfred Molon
http://www.molon.de - Photos of Asia, Africa and Europe
Re: Firewall/antivirus software to detect stealth malware
on 06.02.2007 12:08:53 by "Mr. Arnold"
Alfred Molon wrote:
>
>
> Perhaps you misunderstood my question. And by the way I checked the link
> you posted. Browsed among others through the list of processes and the
> entries in the windows registry, but could not spot anything suspicious,
> probably because I'm not an expert and have no idea of what most
> processes and registry entries are anyway.
You can look at the registry, but most home users have no business in
the registry trying to do anything, as messing with the registry
manually and not knowing what you're doing can sure hose the O/S and
make the O/S non functional.
>
> By the way, what tools specifically are you referring to? Perhaps I
> missed something.
>
http://www.pcworld.com/downloads/file/fid,23780-order,1-page,1-c,alldownloads/description.html
I suggest you go to Sysinternals and download the software and use it
to drill down into a running process and see what hidden processes, legit
or not legit, such as malware, are hosted or could be hosted by a
running process. There are plenty of articles out on Google that will
show you how to effectively use PE to look for yourself at what's
running on the computer.
http://www.freedownloadscenter.com/Network_and_Internet/Network_Information_Tools/Active_Ports.html
http://www.techspot.com/downloads/660-tcpview.html
The three tools which are (free) were being discussed in the original
link I provided. I suggest you go back and read those sections in the
original link.
> Anyway, getting back to my original question, I simply asked if the
> connection status window always shows the count of bytes which leave the
> computer or if even that count could be faked.
Malware can fool the O/S as explained in the link provided.
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
You should cut down the attack vector on your computer as much as
possible, like if the machine has a direct connection to the modem, no
router between the computer and the modem, then remove Client for MS
Networks and MS File and Print Sharing off of the NIC or dial-up
connection. The computer has no business in any networking situation
with a machine that has a direct connection to the modem, which is a
direct connection to the Internet.
http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
There are other links out on Google that tell *you* the home user which
NT Services on a NT based O/S such as XP can be safely shutdown that
will help in closing the attack vector on the O/S.
You should practice safe hex as much as possible.
http://www.claymania.com/safe-hex.html
Re: Firewall/antivirus software to detect stealth malware
on 06.02.2007 12:25:44 by "Mr. Arnold"
One other thing, if you want to know what traffic is leaving the
computer, then use a packet sniffer like (free) Ethereal or others.
http://netsecurity.about.com/cs/hackertools/a/aafreepacsniff.htm
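The cross-view check the last two replies point at (compare what the host says about itself with what an independent observer sees on the wire), written out as an added example. This is not code from the original thread or from any of the tools mentioned in it. It assumes a `netstat -ano` listing taken on the suspect XP host and a per-flow byte summary from a capture taken on a different machine; both inputs below are constructed sample data, and the wire byte figures are treated as bytes sent by the host.

```python
"""Cross-view check: host-reported sockets and byte counter versus a capture.

A rootkit that hooks the APIs behind Task Manager, netstat or the connection
status window can hide its sockets and undercount its traffic. A capture taken
from outside the box is not subject to those hooks, so anything present in the
wire view but missing from the host view is worth investigating.

All input here is constructed sample data, not a real capture.
"""
from collections import namedtuple

Socket = namedtuple("Socket", "proto ip port")
WireFlow = namedtuple("WireFlow", "proto local remote nbytes")

# Constructed: what `netstat -ano` on the suspect host reported.
HOST_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1042      64.233.167.99:80       ESTABLISHED     1204
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  UDP    192.168.1.10:137       *:*                                    4
"""

# Constructed: flows seen by a sniffer on a second machine, summarised as
# proto,src,dst,bytes_sent_by_host (the kind of table `tshark -z conv,tcp` gives).
WIRE_FLOWS = """\
# proto,local,remote,bytes
tcp,192.168.1.10:1042,64.233.167.99:80,18342
tcp,192.168.1.10:1043,203.0.113.77:6667,94120
udp,192.168.1.10:137,192.168.1.255:137,312
"""

# Constructed: the "Bytes sent" figure the host's connection status window showed.
HOST_REPORTED_BYTES = 18700


def parse_netstat(text):
    """Return the set of local sockets the host admits to owning."""
    sockets = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or anything unexpected
        ip, port = parts[1].rsplit(":", 1)
        sockets.add(Socket(parts[0].lower(), ip, int(port)))
    return sockets


def parse_wire_flows(text):
    """Return the flows the external observer recorded."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        proto, src, dst, nbytes = line.strip().split(",")
        ip, port = src.rsplit(":", 1)
        flows.append(WireFlow(proto.lower(), Socket(proto.lower(), ip, int(port)), dst, int(nbytes)))
    return flows


def hidden_flows(host_sockets, wire_flows):
    """Flows on the wire whose local socket does not appear in the host's own listing."""
    return [f for f in wire_flows if f.local not in host_sockets]


def counter_discrepancy(host_reported_bytes, wire_flows, tolerance=0.10):
    """Compare the host's byte counter with the wire total.

    Returns (wire_total, suspicious). A small shortfall on the host side is
    normal (counter reset timing, capture started earlier); a wire total far
    above the host's figure means traffic is leaving that the host is not
    reporting. The 10% tolerance is an assumed starting point, not a standard.
    """
    wire_total = sum(f.nbytes for f in wire_flows)
    return wire_total, wire_total > host_reported_bytes * (1 + tolerance)


if __name__ == "__main__":
    host = parse_netstat(HOST_NETSTAT)
    wire = parse_wire_flows(WIRE_FLOWS)
    for flow in hidden_flows(host, wire):
        print("not in host view:", flow.proto, flow.local.ip, flow.local.port, "->", flow.remote)
    total, suspicious = counter_discrepancy(HOST_REPORTED_BYTES, wire)
    print("host reports", HOST_REPORTED_BYTES, "bytes, wire saw", total, "suspicious:", suspicious)
```

Where the second input comes from is the whole point: a sniffer running on the suspect machine sits on the same driver stack a kernel-level rootkit can hook, so take the capture from a mirrored switch port, the router, or a second host on the segment. A flow whose local port the host does not admit to owning, or a wire total well above the host's own counter, is the kind of evidence the connection status window cannot give you on its own.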
Re: Firewall/antivirus software to detect stealth malware
on 07.02.2007 00:15:53 by Alfred Molon
Thanks, I'll go through the links you posted.
--
Alfred Molon
http://www.molon.de - Photos of Asia, Africa and Europe
Re: Firewall/antivirus software to detect stealth malware
on 07.02.2007 04:01:20 by gary
You say you want out of the box protection - do not even think about
Jetico. It requires knowledge of network security and is not at all easy
to configure.
Buy Outpost Pro and let it run out of the box. It will ask a few very
basic questions. They all do. As you become more familiar with the
product you can begin to tweak the in/out security tighter and tighter.
Buy Superantispyware pro. Let it run all the time. Very frequent updates.
Download free Adaware (Lavasoft)
Download free Spybot Use the free ones as a double check
Download free AVG.
Use the free System Safety Monitor (google for this product)
There is no way to have perfect protection short of non-connection.
If you do the things I suggested you will be reasonably safe.
Do not go to porn or warez sites.
Old Garibaldi
Re: Firewall/antivirus software to detect stealth malware
on 07.02.2007 05:23:26 by unknown
Post removed (X-No-Archive: yes)
Re: Firewall/antivirus software to detect stealth malware
on 07.02.2007 10:15:42 by Volker Birk
Gary wrote:
> Buy Outpost Pro and let it run out of the box.
Did they fix their bad security design flaws now?
Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz
Re: Firewall/antivirus software to detect stealth malware
on 07.02.2007 14:24:22 by Alfred Molon
In article <4ibyh.21569$w91.12599@newsread1.news.pas.earthlink.net>,
Gary says...
> You say you want out of the box protection - do not even think about
> Jetico. It requires knowledge of network security and is not at all easy
> to configure.
Oops... where did I write that I want out of the box protection? I have
no problem configuring a firewall or learning to do so (in case my
knowledge is not sufficient).
--
Alfred Molon
http://www.molon.de - Photos of Asia, Africa and Europe
Re: Firewall/antivirus software to detect stealth malware
on 08.02.2007 06:12:01 by gary
Sebastian Gottschalk wrote:
Mr. Gottschalk
Perhaps you are a troll, perhaps not. If you are not, I do not think you
know as much as you pretend to know.
To Mr. Molon - I misunderstood you and I'm sorry. I did not mean to dis
your expertise with network security.
Re: Firewall/antivirus software to detect stealth malware
on 08.02.2007 07:50:52 by unknown
Post removed (X-No-Archive: yes)
Re: Firewall/antivirus software to detect stealth malware
on 08.02.2007 16:36:18 by Jim Ford
Gary wrote:
>
>
> Sebastian Gottschalk wrote:
>
> Mr. Gottschalk
>
> Perhaps you are a troll, perhaps not. If you are not, I do not think you
> know as much as you pretend to know.
>
Depends on what you're talking about. If you're talking about I.T.
skills, Seb probably knows a lot. But if you're talking about social
skills, then I guess he scores about -1 on a scale of 1-10. We're pretty
much used to his style here. He's become a bit of a character -
basically a 'Grumpy Old Man'!
Jim Ford
Re: Firewall/antivirus software to detect stealth malware
on 08.02.2007 16:41:15 by Jim Ford
Gary wrote:
>
>
> Sebastian Gottschalk wrote:
>
> Mr. Gottschalk
>
> Perhaps you are a troll, perhaps not. If you are not, I do not think you
> know as much as you pretend to know.
>
Depends on what you're talking about. If you're talking about I.T.
skills, Seb probably knows a lot. But if you're talking about social
skills, then I guess he scores about -1 on a scale of 1-10. We're pretty
much used to his style here. He's become a bit of a character -
our resident 'Grumpy Old Man'!
Jim Ford