NAT Router

I have only one desktop computer that is used here.

I have looked at several software personal firewalls. They all for the most part seem to be a joke.

Would I just be better off connecting this computer to a "NAT Router" for its firewall protection?

Thanks for any and all help you can offer.

Reply to
Tony

You don't need to think in terms of "either/or". I have an inexpensive D-Link router between my cable modem and PC, and it has a firewall built-in, which I have enabled. I still use a software firewall on the PC because I like to be more aware of the outgoing traffic. The only time I've had a Trojan on my PC I became aware of it because Agnitum's Outpost Firewall flagged and blocked it.

Why do you feel software firewalls are a joke? The biggest problem with them is they require users to make decisions - it can sometimes be hard to identify applications requesting outbound connections even when you pay attention and know what to look for. If the user just clicks "OK" every time the firewall pops up a permissions request then the purpose is defeated, but that's not the fault of the software.

Reply to
Victek

Why don't you use an appropriate tool instead?

BTW, what has the router to do with that anyway?

You already stated it. You only became aware of a trojan horse because it was too stupid to adequately circumvent this Outpost thing, just like the other trojans on your computer did.

This is utter bullshit. Legitimate applications don't require such a control, and for illegitimate applications the term "control" simply doesn't apply.

If the trojan horse can click "OK" on the popup, the purpose is obviously defeated by design.

Reply to
Sebastian Gottschalk

I use a router/switch on my cable modem because I'm sharing the connection across multiple machines. It just happened to have a firewall feature as well, so I'm utilizing it. I'm sure that dedicated firewall appliances (such as sonicwall) are far more capable, but I haven't felt the need for one so far. I expect electronic threats to continue to get worse and I may opt for a firewall appliance down the road. I don't have a philosophy getting in the way.

The fact that some malware can defeat personal firewall software doesn't invalidate the software. Any form of security can be defeated given time and resources, and probably will be. That's why all forms of hardware and software security continue to evolve and improve. Can you be absolutely certain that no form of malware exists (or ever will exist) that can get past whatever you consider to be a "real" firewall? I don't see how you could. And if some malware gets past the firewall, what then? I don't see how having a software firewall installed on the host hurts anything, and it just might help identify a problem as I've already experienced.

Of course legitimate applications don't require such control. The firewall software simply "takes attendance". We get to see who's in the room and decide if something doesn't belong. It's possible for malware to be visible to the firewall, but if the firewall cannot identify it as a threat then it falls to the user who also may not have the skill to identify it. I think at least part of the solution for this problem is for software firewalls to rely on signatures, just like antivirus and antispyware apps, to identify applications.

Without a doubt that's true. Software firewalls need to be "hardened" over time to make it more difficult for malware to circumvent, manipulate or shut them down. All IMHO, of course.

Reply to
Victek
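An added illustration (not code from anyone in this thread) of the "taking attendance" idea above and of the suggestion that a software firewall identify applications by signature rather than by file name. The application names, executable bytes, hashes and connection events are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed signature database: SHA-256 of executable contents -> application.
# A real product ships a vetted database; these byte strings are made up here.
SIGNATURES = {
    hashlib.sha256(b"<constructed firefox image>").hexdigest(): "Mozilla Firefox",
    hashlib.sha256(b"<constructed outlook image>").hexdigest(): "Outlook",
}
# Outbound permissions granted per identified application (destination ports).
RULES = {"Mozilla Firefox": {80, 443}, "Outlook": {587, 993}}
# Name-based lookup, the weak alternative: any file can be given one of these names.
NAMES = {"firefox.exe": "Mozilla Firefox", "outlook.exe": "Outlook"}

@dataclass
class OutboundEvent:
    exe_name: str     # file name on disk; chosen by whoever wrote the file
    exe_bytes: bytes  # file contents; what a signature-based firewall hashes
    dst_port: int

def identify(ev: OutboundEvent, by: str) -> Optional[str]:
    """Map an event to an application name, by file name or by content hash."""
    if by == "name":
        return NAMES.get(ev.exe_name.lower())
    return SIGNATURES.get(hashlib.sha256(ev.exe_bytes).hexdigest())

def decide(ev: OutboundEvent, by: str = "hash") -> str:
    """Return 'allow', 'block' or 'ask' (the pop-up the user has to answer)."""
    app = identify(ev, by)
    if app is None:
        return "ask"  # unknown program: the decision falls to the user
    return "allow" if ev.dst_port in RULES[app] else "block"

def take_attendance(events, by="hash", click_ok_on_ask=False):
    """Run the policy over a batch of events; optionally simulate a user who
    answers every prompt with OK. Returns (name, port, decision) per event."""
    out = []
    for ev in events:
        d = decide(ev, by)
        if d == "ask" and click_ok_on_ask:
            d = "allow"  # the prompt is defeated, as the post above describes
        out.append((ev.exe_name, ev.dst_port, d))
    return out

# Constructed events: the real browser, an impostor reusing its file name, and
# an unknown program reaching out on a port no known application needs.
SAMPLE = [
    OutboundEvent("firefox.exe", b"<constructed firefox image>", 443),
    OutboundEvent("firefox.exe", b"<constructed dropper image>", 443),
    OutboundEvent("svc_update.exe", b"<constructed dropper image>", 6667),
]
```

Run with `by="name"` the impostor is allowed because it borrowed a trusted file name; with the hash lookup it is prompted like any other unknown binary, and only an always-OK user turns those prompts back into allows.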

My gun has the feature to shoot myself in the foot. I still don't see the need to utilize it.

It seems like you have the philosophy of putting up things that get in your way. Because that's what a firewall is as such. If it can't provide an adequate benefit to justify this disadvantage, you should consider dropping it.

It does, since it breaks the design goal.

Bullshit. Here, in the digital world, the set of all possibilities is finite and thus enumerable, in many cases quite easily.

Well, try to circumvent this:

    access authenticate(string user, string password)
    {
        // only this exact user/password pair ever yields a token
        if (user == "testuser" && password == "Hippy floppy12345 kill Bush !!!12")
            return new ACCESS_TOKEN();
        else
            return null;
    }

Hint: You can't. You will only be authenticated if you provide the correct username and password. No chance to use "more force" and sneak around it, there's simply no way to defeat it.

Besides that it introduces new vulnerabilities, in the case of Outpost even well-known ones? Because it introduces complexity? Because it introduces errors?

Throwing more and more software doesn't solve your problem.

As I said: It generally fails.

You can't make it any more difficult. You can just play the cat-and-mouse game, whereas the malware is always the winner and the user is always the loser.

After all, it's quite obvious why it must fail: The user himself wants inter process communication.

What about "I will think about a concept to not get infected by malware in the first place instead of trial attempts to treat the symptoms?"

Reply to
Sebastian Gottschalk

And what did you do then? Did you reinstall the computer?

And why did you install the trojan in the first place, anyway?

Gerald

Reply to
Gerald Vogt

The NAT Router is your first barrier and it's the best barrier, but, it's the least of your needs. If you learn how to secure your computer the NAT Router just helps when you make a mistake in security.

In most cases, the NAT router does a LOT better job than the Windows firewall or the other firewalls because it's not going to allow you to poke holes in it by accident and it won't allow applications running on your computer to program it for holes unless you set up that function yourself.

Once you get the NAT router the personal firewall solutions become candy.

Reply to
Leythos

Well, in a way, because a NAT router, unlike a personal FW is not running with the O/S. The PFW can be attacked just like the O/S can be attacked.

You may want to spend a little more money and get a FW router that meets the specs in the link for *What does a FW do?*

I use a PFW on my laptop when it's not connected to my network. I have no PFW(s) running on any MS machine or the Linux FW active on the Linux machine, because I have a FW appliance that will meet those specs.

They have FW routers like Netgear's FR314 that's ICSA certified, and other vendors do too, that will meet those specs in the link above.

Look at it this way, you pay for a PFW and then you have to keep renewing it, possibly paying for the renewal.

It all washes out in the long run on money spent if you know what I mean.

Reply to
Mr. Arnold

I didn't intentionally install the Trojan. I only discovered after the fact that it was on my computer. All that was necessary to remove it was run a scan with "anti-Trojan" software (I don't remember specifically which one I used), the same way you would use antivirus or antispyware to remove those kinds of malware.

Reply to
Victek

But you know how you got it? In most cases it is either something you install or some updates you did not install.

What makes you think that it removed all malware from your computer? A good malware comes in packages: the good stuff is well hidden somewhere and knows how to circumvent the software firewall while it also has some primitive malware bundled which may be detected quickly. The user thinks the firewall blocks everything and the malware removal tool reports something removed.

I guess you are using an AV and PFW and the trojan still got past all this. Either you know that you have installed it with some software or it must be fairly good to get past AV and PFW. Malware designed to get past AV and PFW onto the computer will not be that easily detected except for some part for diversion. The only really secure thing to do would be to reformat the drive and reinstall Windows.

Gerald

Reply to
Gerald Vogt

So, and how did it come so far? What did your investigation point out?

That's a lie.

Unlikely that you actually removed it. How do you think this should work reliably? Hint: It simply can't.

Seems like your security concept failed due to stupidity. What exactly is your Outpost thingy worth then?

Reply to
Sebastian Gottschalk

Thanks to all who replied it is appreciated.

A special thank you to "Mr. Arnold" for his reply and great links.

It's off to the drawing board.

Thanks again.

Reply to
Tony

I continued to scan my system with different antivirus, antispyware and anti-Trojan software and couldn't find additional problems. I also noted that there were no more attempts by unknown software to establish outbound connections. I guess it's possible that there was still malware on the system, but I didn't think so for the above reasons, plus the computer continued to be stable and normal in every perceivable way and that was good enough for me.

As far as how the Trojan got on my computer, remember that firewall software would not block it being downloaded. The only initial protection was antivirus which apparently missed it, but that's not so unusual. It was a few years ago when this happened and then it was the norm for antivirus software to update only once or twice a week. That left a window of a few days when new viruses (or Trojans) were invisible and could easily infect systems. There's also the fact that even the best antivirus software does not detect 100% of all viruses. That's why a multilayered defense is necessary (and I think personal firewall software is one of those layers).

In the course of doing my job I have often had to clean computers that have been infected with viruses/Trojans/spyware. It's been my experience that the computers can be restored to normal functioning in most cases. A combination of multiple antivirus and antispyware scans does a very good job of removing malware. I only remember one case where the computer was so badly infected it was unrecoverable. It got that way because the user neglected to update the subscription for his antivirus - it hadn't had new "signatures" for many months.

Reply to
Victek

Huh? The malware simply doesn't have to match with the signatures of the above-stated software. That's a trivial thing, any new malware does so by design.

It's still ready to start spamming and DoSing on command.

So then why did you EXECUTE it?

That's the typical phrase of those who're lacking a concept.

Nah, just that they don't seem to be compromised any more. Did you ever actually verify if they are cleaned?

No. It got that way because he intentionally executed the malware.

Reply to
Sebastian Gottschalk

Which only tells you that those programs don't know about any other malware running on your computer. Any new malware is not detected by any detection software until the software includes the signature for that malware. If it is not a widespread malware chances are it will never be detected. Someone has to locate the malware, extract the details and send it to an antivirus, antispyware, ... company for analysis. And even if someone did, it is not certain it is added, as signatures for malware which is hardly seen in the wild would only slow the whole thing further down.

The problem is that "no outbound connections detected by the PFW" does not say anything about whether some malware sends something out or not. Just like before it just tells you that the PFW could not detect it.

That's what a good malware is supposed to do. A keylogger can silently run in the background without disrupting the system and only send something out when there is other network traffic on the system. You will hardly ever notice.

Yes, but why did you download it in the first place?

Did you submit it then to your AV company?

Does it detect the malware now?

It is not "a few days". This is only true for the malware which spreads quickly. For anything that spreads slowly or strategically and is not quickly noticed it can take weeks or months until someone finds it and submits it for analysis.

But no "layer" of this "multilayer defense" is able to protect the computer against _you_! That's the problem. It is completely worthless because you did install the malware in the first place, probably as administrator on the computer. At the very moment it is running, in particular as administrator user, all those "layers" collapse. A program running on the computer can mess with the system in any way it likes. It does not matter what kind of security software there is on the computer, as the computer which is running the security software is compromised thus you cannot tell whether or not the security software is still running as intended even if it seems to be so.

You said the malware must disrupt the system or the normal functioning of a computer? A good malware, in particular a trojan, is only useful if it is well hidden. But if someone is collecting some trojan computers for a DDoS attack the trojan will just sit there and wait until the signal comes. And something like a keylogger would not ever want to be noticed if possible.

This should make you think! Why would it be unrecoverable? Why do you think all the other computers were really recovered? The thing is: you don't. All you know is that you did not use any tool which could find something...

Gerald

Reply to
Gerald Vogt

Gerald,

Yes, I can see how it's possible for malware to be virtually undetectable. In that case, what strategy do you recommend to protect against it?

Reply to
Victek

Don't execute it. Now that was simple...

Reply to
Sebastian Gottschalk

You have to follow normal security practice when using a computer, on or off the net, and you need to make sure that you have apps/OS patches that are designed to secure your system.

Once a machine is compromised, the only true way to be sure it's cleaned of malware is to wipe it completely and reinstall from known clean media in a clean environment.

Reply to
Leythos

I agree, but how can you tell if the machine HAS been compromised by undetectable malware?

Reply to
Victek

Do you ask questions that can't be answered?

How can you detect something that can't be detected???? Come on.

If you have a machine that is/was compromised you know, or you would not have determined it was compromised. Now, the proper way to clean it is to wipe it, and do it in a clean environment with known clean media.

If you can't determine if your media is clean then get clean media.

Do you always run around in circles?

Reply to
Leythos
