Monday, December 28, 2009

Security Expert don’t like AntiVirus

It’s like saying don’t use condoms. They know, but believe it or not, they have never used Anti-viruses and never got damage from viruses. Prefer to take other kind of protections elsewhere to prevent viruses to come near to my Ethernet card instead of worrying to remove it with dozens dollars solutions and software packages when the virus is already in. Ethical Hacker hate Anti-Virus.

So slow, so heavy for system. You will be wondering if still run a 486. No, have a dual core with 2 GB of RAM; still Anti-viruses slow your system down.

So you may be wondering why I decided to write this post. Here is explained.
Yesterday I boot my laptop with XP, and I see a wonderful error message saying “Generic Host Process for Win32″ was shut down due to an error. After few seconds the famous and familiar box of “NTAutority\SYSTEM” with a countdown appeared saying RPC service has been shut down and the system had to be rebooted.

This made me think of some worm or virus exploiting some new rpc-dcom vulnerability.
Quite strange, but still possible in windows. My laptop was unusable.

So I decided to try that McAfee 2006 that the good old friend fuder sent to me from the other side of the World.
Installation was smooth. After reboot I was asked a password for the McAfee Security center. Every time I wanted to use the antivirus I had to put that password. I have not investigated the arcane reason for this choice but it’s ok to type a password. A full scan of my hard drive took about 4 hours. I left my laptop work while I was studying.

When it finished to check everything I found out that it deleted all (and only) my source codes saying they were viruses (they were c++ codes for networking tools, troubleshooting programs and a couple of pop3 crackers I wrote when I was a child to which I am still attached). Now I don’t understand the reason why it had to consider
100 lines of raw socket coding a virus. But above all I don’t understand why I couldn’t have the chance to decide what to do with the “viruses” on my system. I want to be free to keep them in! Damn!

I had backup copies fortunately.

Being always skeptic on the use of an antivirus I hadn’t used an AV for the last 5-6 years and I wanted to see how and if things got better: McAfee ate about 80-100Mb of Ram in background and about 160 Mb while running a scan, 40-100% of CPU if you are lucky.
I was not lucky. Indeed, I restarted my laptop, at least I tried to do it but all the services run at start up by this AV, freeze my Pc because of background scans, update requests and attempt to protect my system. I still thought I had a bad virus even if I hadn’t noticed any suspicious activity in FileMon nor in TcpView, nor in the Registry with RegMon. Until I uninstalled the AV and understood that it was causing the system to freeze while my original problem was due to Windows error that I was able to fix with the installation of a hot fix provided directly on Microsoft’s website.

I will never install an Antivirus again, and I have never had a virus in my laptop. This may sound crazy. But the correct usage of a great firewall like 8Signs’s Firewall, the use of Adaware for spyware and adware, the correct and tempestive patching of your windows machine can drastically decrease the chances to get a virus (Using Mozilla of Firefox is always a good choice).
Then I always keep little handy great programs like TcpView, to monitor what processes are accessing the net (useful for malicious programs sending your personal data on internet, like Trojans), or RegMon to monitor registry activities at API calls level keeping track of all the processes reading or writing in the registry.

In the end Root kits are real menaces to your server or home pc. They are so sophisticated that can be 100% undetectable, by injecting themselves into important system libraries and able to hide suspicious files, processes, registry values, modify apis and so on. For this kind of root kits I advise the use of Gmer, nice little utility that lets you keep track of hidden services and processes that are most likely malicious root kits. Gmer lets you kill the process and delete the exe/service.

My “manual” approach versus the automatic approach of antivirus should be relegated to advanced users, with a deep knowledge of how viruses and worms work. Wear the condom if you are not sure who you are going with.

Ratproxy 1.53: Automatic Security Audit tool

A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.

Detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.

Ratproxy is currently believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.

RootKit Hunter 1.3.4 Scanner: 99.9% clean Malicious tools

Rootkit scanner is scanning tool to ensure you for about 99.9%* you’re clean of nasty tools. This tool scans for rootkits, backdoors and local exploits

The change log lists 4 additions, 8 changes and 9 bugfixes.Naming a few:

Added IntoXonia

NG rootkit check.

Added Phalanx2 rootkit check

Added support for TCB shadow files.

The ’—propupd’ option can now take an optional file, directory or package name after it.

Revised file properties inode check.

Tests against the SSH configuration file now accept the key/value pair.

Improved the O/S name detection.

The Linux ’os_specific’ test has now been split into two separate tests.

Improved ALLOWPROCDELFILE configuration option.

Improved hidden files and directories check.

The DBDIR directory can now be read-only, after installation.

Improved debug file option.

The system startup file and directory tests have now been merged.

Inguma 0.1.1: In-depth Penetration Tester

Inguma is a free penetration testing and vulnerability discovery toolkit entirely written in python. Framework includes modules to discover hosts, gather information about, fuzz targets, brute force usernames and passwords, exploits, and a disassembler.


Added library libinformix. Supports connection establishment and command execution. Pure python code.
Added a brute force module for Informix databases (bruteifx).
Fixed bugs in the Sybase’s brute force module.
Added an Informix SQLEXEC protocol fuzzer.
Added Currently it just work for creating oracle password files (from version 8 to 11).
Added module db2discover to discover IBM DB2 database servers.
Added an information gather module for Informix database servers.
Very (basic) initial support for RDP protocol format.
Added support for fuzzing based on PCAP packets.
Added a POC for the Sun Java Web Proxy Server heap overflow (fixed).
Distributed Nikto database updated.
Added basic support for Bluetooth and Wifi (Hugo).
Added a frontend for Nmap (Hugo).
Added libhexdump (Hugo).
Added modules tcpproxy, hexdump and simple web server (Hugo).
Changed format of OpenDis databases to SQLite format (use -sdb=file.sqlite).
Added OpenDis Binary Navigator.