On-line Opinion Magazine…OK, it's a blog
Random header image... Refresh for more!

It’s A Virus

That’s apparently what McAfee’s programmers thought Windows XP with Service Pack 3 was, according to the BBC report: Security update hits Windows PCs

Thousands of PCs around the world have been paralysed by a security update that wrongly labelled part of Windows as a virus.

The update was sent out by security firm McAfee and made affected PCs endlessly restart.

McAfee’s 5958 update wrongly identified the Windows svchost.exe file as the wecorl.a virus. This worm tries to replace an existing svchost file with its own version to help it take over a machine.

The update wrongly labelled svchost as the virus and then quarantined it. This caused many PCs to crash as Windows uses many copies of the file to keep the operating system going.

Computers inside businesses running Windows XP with service pack 3 applied were the hardest hit according to reports…

Given some of the things that Service Pack 3 gets up to, I’m not surprised that anti-virus software would think it was malignant. Much of the snooping that SP3 does to “protect” M$ from “pirates” is exactly the same as many virus programs, including the bit about reporting home.

9 comments

1 Kryten42 { 04.23.10 at 9:09 pm }

Noooo… Really?? 🙄 😛

Yeah… took me awhile to find and disable/remove all the useless snooping stuff from SP3 and make it useful. There’s a pretty good tool that works well for that too:

Official Home of xp-AntiSpy

Most of the site is in German, though the software including help are multilingual. The website ‘About’ page is English too. 🙂

Stay safe out there! 😉

2 Bryan { 04.23.10 at 10:40 pm }

Hell, I’m still running SP2 because I didn’t like the unilateral EULA that was included in SP3.

People don’t seem to understand that all of this anti-virus software that you have to buy is part of the cost of Windows. You don’t really need it on the Mac or Linux boxes. It’s not the pros that are the real problem, they can break in if they put their minds to it, but the damn script-kiddies that make live a living hell for ordinary users because Windows is such a piece of crap when it comes to security.

3 Badtux { 04.24.10 at 10:57 am }

Windows 7 is actually a lot better there security-wise. I won’t say I’m impressed by Windows 7, but at least I’m not absolutely repulsed by it. It’s also a pig because of the need for backward compatibility isolation boxes for XP apps, don’t even think of trying to run it with less than 2 gigabytes of memory, 4 is better, 8 makes it jump up and down in joy. And finally: Don’t even *think* of running Windows 7 on 32-bit hardware. It is a *dog*. The 64-bit version performs quite well though, nicely fast (once you turn off the eye candy) on my Macbook Pro (running natively via Boot Camp).

Oh yeah, my antivirus. Since it’s still Windows, I’m running the free antivirus from Microsoft, even though I’m using Google Chrome as my browser and Chrome sandboxes any potential exploits quite well thank you very much (I would *not* use Internet Explorer unless you have to use an actual Microsoft site that requires it, it’s a virus vector, not a browser).

Regarding script kiddies: I’ve decidedly encountered Linux boxes compromised by script kiddies. Once it was a bind (name server) problem, and once it was a portmap (rpc server) problem (and the portmap problem happened even if NFS was disabled). Both boxes then had a scripted rootkit installed, and both boxes then were used to send out bajillions of sex porn emails. And one of those boxes was at a school district central office, oh joy ;). So anyhow, we now know a lot more about securing Linux than we knew back then, but most Linux boxes “in the wild” are nowhere near secure. And neither is Windows 7, for that matter, I’m just saying that you can’t be complacent with Linux either — go look at the NSA hardening doc for Red Hat Enterprise Linux and follow its directions exactly, for example. Linux is compromised differently from Windows because it’s primarily used as a server rather than as a client, but it’s not immune to attack by any means.

– Badtux the Linux Penguin

4 Bryan { 04.24.10 at 2:31 pm }

Well Bind has always been a problem by its nature, but the Linux problems are server related, not user related. If the server administrator follows the rules, users never see a problem. With Windows, everyone has problems.

I’ve never been compromised because years in NSA left me a bit paranoid about such things so I don’t automatically launch anything, and pay attention when software is down-loading, even from trusted sites. My attitude makes for less than the “optimal user experience” and means that I have to sign in every time I visit sites, but I don’t spend days attempting to undue the damage caused by some malicious SOB.

I loaned by old laptop to neighbor for a few weeks so her kids could do something for school. but I reformatted the hard drive and re-installed it when I got it back, because I felt sure her oldest son was visiting gaming sites which are notorious for infecting machines.

Any system can be hacked, but the problems are nowhere near as prevalent in Linux and Mac as Windows.

5 Kryten42 { 04.24.10 at 8:41 pm }

Looks like SP 1 will be out soon fr Vista 7. I still get the M$ TehNet bulletins, and I got a link to d/l the preview of SP1. That didn’t take long. I expect SP2 within the next year. As always, it’s sure to fix some things and break others. 😉

The problems with Linux security problems are invariable improperly configured systems. It’s a complex subject, and does take some work, but a linux box can be well secured (and without any commercial software to make it secure.) Servers, and Web servers especially, are the most vulnerable. The Server I setup a year ago has never had a successful hack, even though the logs show many attempts. I can tell they are mostly the *script kiddy* variety, as they are almost all looking for standard vulnerabilities, especially in MySQL, which has many issues (especially code injection types) if you don’t configure it properly! My server has a lot of s/w running to attack, but so far, so good! 😀 The other thing that many Sys Admin’s (or just server admin’s) are guilty of is that even if they configure it properly to start, they think it’s a ‘set and forget’. Not so. They need to be constantly checked, you need to keep up to date on the security bulletins for the s/w used, and apply any recommended updates or make recommended changes.

My System is running CentOS 5.4 x86_64, Apache (with mod_Security, mod_Evasive), MySQL (with all demo databases removed and all users removes, especially anonymous), Perl/CGI, PHP (secured with Suhosin/SuPHP), I use a Chroot Jail for all accounts and root is not allowed to login remotely (have to login with an encrypted admin account and su to root, and only via SSH with a 2048bit cirt), telnet is disabled, and only ports I actually need are open, tmp dir’s are all secured and moved from standard locations (and no execute privileges are allowed), secured BIND (named), dovecot & Exim for mail, secured… etc. Apache has been configured to only send “I’m alive’ when an illegal address is used, rather than the versions of everything running! (I always hated that about Apache, but it can be useful on a dev system, should never be allowed on a live system! The less a potential attacker knows, the better!) All administrative functions are only accessible via SSL/SSH. And where possible, sandboxes are used. 🙂 For added security, I’ve carefully configured iptables/netfilter and run a few scripts, like BFD (Brute Force Detection)
LES (Linux Environment Security), LSM (Linux Socket Monitor), NSIV (Network Socket Inode Validation), PRM (Process Resource Monitor), SIM (System Integrity Monitor) and RKhunter. And all this runs on a VPS with only 512MB RAM with no problems. 🙂 Try that with Windoze server! 😈

Yeah, it’s a lot of work initially, but once done, isn’t hard to maintain. And… it was kinda fun showing the young guns that an old dog can eat them for breakfast! 😛 😆

6 Badtux { 04.25.10 at 12:41 am }

The NSA document that I referred to earlier is a good start for securing Linux. We had a “soft appliance” for a while that was based on RHEL5, that document plus some other goodies we developed inhouse are what we did.

One thing that is currently broken in every Linux distribution is that sandboxing is *way* too hard, and so is effective use of SELinux to sandbox. I have a solution for that by using technology that my employer produces in a different way from what they intended, now all I have to do is figure out how to convince our marketing department that it was their idea so that they could actually market it as a product :evil:.

7 Kryten42 { 04.25.10 at 1:39 am }

Yeah. I had so many problems with SElinux, that it was actually better to just disable it. A lot of things don’t play nice with SElinux.*shrug*

My starting reference points are a couple books by Syngress (like ‘Hack Proofing Linux’) and Addison-Wesley Professional series like ‘Chained Exploits: Advanced Hacking Attacks from Start to Finish’) and some ‘insider’ doc’s from some security lists I’m on for protecting such things as OpenSSL, OpenSSH & BIND (which are very difficult to secure well). I also use suEXEC, however if it’s improperly configured, it becomes a nightmare. I use Nessus, ethereal, snort & other tools. Another thing I do is build my own kernel and app’s from known good sources. The main reason is that a) I don’t have a lot of resources (RAM etc) to waste on ‘generic’ build with a lot of mod’s etc I don’t want to use. I cut PHP down a lot by removing everything I don’t want, and adding a few I did, same with apache etc. The fewer mods etc, the fewer points of attack. Another thing is I move everything from ‘default’ locations (I never use/var/www/*, /tmp or /etc for config files like php.ini for example). I also give each app it’s own user & group, so if one app is compromised, they can’t jump to another. Also, all file/dir permissions are carefully set, and most files are only accessible by the owner and where necessary, readable by ‘world’ (web pages generally need this of course). I have a shell script to do all that for me which took me a while to create (it’s about 1800 lines with comments). I use DirectAdmin/CustomBuild and Webmin/Usermin to manage the system, s/w and accounts (I don’t like cPanel for various reasons).

I had a huge problem setting up a sandbox when using chroot jails, because a successful attacker would have access to kernel functions. That can be avoided, but it’s not at all easy. I’m actually currently looking at whether or not to continue with chroot jail’s actually. Everything is a trade-off! But is it a good trade-off or a bad one is the questions! Though, mod_chroot is getting better. 😉

My systems have never been successfully attacked over several years, but the problem is that if something *breaks*… it can be a REAL pain to fix! Security can really be a two-edged sword! *shrug* Nothing is ever perfect. 🙂

I came across this recently… Looks promising. 🙂

The Planet Sand Castle

For my own development here, I use VMware sandboxed images available from the CentOS repo. Makes things a little easier as I generally kill a few CentOS systems while setting/testing security. 😆

Of course, the BEST rule for any security is “Keep it simple, stupid!” Unfortunately, in the real world, that’s often easier said than done! 😆

8 Kryten42 { 04.25.10 at 1:44 am }

Oh! I’m currently plating with MySQL Sandbox, since MySQL is probably the most vulnerable and exploitable piece of software on the server! We’ll se how it goes… 😉

9 Kryten42 { 04.25.10 at 1:53 am }

Oops! Wrong URL (kinda). Homepage: MySQL Sandbox