[nmglug] Stealth Viri

WA7BSZ wa7bsz at yahoo.com
Fri Mar 18 10:19:09 PST 2005


http://news.zdnet.co.uk/internet/security/0,39020375,39191840,00.htm

Here is a little fun article.  I always thought that if virus writers
really wanted to get the info, they should make their viri more
stealthy, you know, don't use up 100% of the processor, make it a max
of 5%, then people won't know their computers are infected.  Well now
they are apparently doing that.  The worst sentence in the article:

"None of the existing antivirus programs will find these viruses. You
can't see anything in the registry, which makes them hard to detect.
They try to hide their processes."

There are probably few written for Linux, but beware at work if you
have to use Windows.

One thing that would be effective against this is outbound packet
filtering.  If someone is going to get your credit card info or your
usernames and passwords, you don't need intrusion detection, you need
outbound packet filtering to stop it.  Maybe Astaro will do this.  They
get your numbers and usernames when your computer sends them out, not
when they hack in so much.  Sure they can get the info from hacking in
and searching all over, but it is a lot more efficient to just have the
computer send them your keystrokes.  They might even get some good
blackmail info.  Increased profit.

Silent keystroke monitors are the great threat.  Something that would
show you what your computer is sending out and to whom, and stopping it
until it has your approval is about the only way to stop this.  Of
course they could always encrypt and then you couldn't tell what it was
that was going out, and I have heard of them doing this also.  

This seems like the time when some serious loss will happen, until
enough people lose enough. 

If we add to this DNS cache poisoning, it could make it very difficult.
You don't even know if your internet communications are being handled
by a man-in-the-middle as a result of a poisoned DNS cache, and maybe
they are doing that in an unobtrusive way also.  I saw an article that
said they think this may be happening, but they are not sure.  That is
the way the bad guys would want it to be.  They just do it some, get
info, then fix the DNS cache and move on to another one.  In the meantime,
people have made internet purchases and their personal info was
recorded by the man-in-the-middle site.

So, what do you think?
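As an added example, not part of the original post: a small Linux-side check of "what is my computer sending out and to whom", in the spirit of the outbound-filtering idea above. It parses the kernel's /proc/net/tcp table and flags established connections to non-loopback hosts on ports that have not been approved. The sample table, the approved-port set and the x86 (little-endian) address encoding are constructed assumptions.

```python
import socket
import struct

ESTABLISHED = "01"              # /proc/net/tcp state code for an open connection
APPROVED_PORTS = {53, 80, 443}  # assumption: destination ports the user has approved

# Constructed sample in /proc/net/tcp layout (x86: address bytes are little-endian).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0F02000A:C2A4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 2002 1
   2: 0F02000A:D11C 5DB8D822:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 2003 1
   3: 0100007F:8A3E 0100007F:0277 01 00000000:00000000 00:00000000 00000000  1000        0 2004 1
"""

def decode_endpoint(field):
    """Turn the kernel's 'HEXADDR:HEXPORT' field into ('a.b.c.d', port)."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))  # undo host byte order
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return one dict per socket row: local/remote endpoints, state code, owning uid."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the column-header line
        parts = line.split()
        if len(parts) < 8:
            continue
        rows.append({
            "local": decode_endpoint(parts[1]),
            "remote": decode_endpoint(parts[2]),
            "state": parts[3],
            "uid": int(parts[7]),
        })
    return rows

def flag_unapproved(rows, approved=APPROVED_PORTS):
    """Established connections to non-loopback hosts on ports not on the approval list."""
    flagged = []
    for row in rows:
        rip, rport = row["remote"]
        if row["state"] != ESTABLISHED or rip.startswith("127."):
            continue
        if rport not in approved:
            flagged.append(row)
    return flagged

if __name__ == "__main__":  # live host: replace the sample with open("/proc/net/tcp").read()
    print(flag_unapproved(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)))
```

The listing only shows who the machine is talking to; stopping the traffic is still the job of an outbound firewall rule.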
