On 01/11/2010 01:26 AM, Bill Arnold wrote:
>
> I'm having a discussion with one of my brothers (who that was intended for -
> he had his own list) in the aftermath of recovering a machine that was
> recently attacked like a lightning bolt.
>
> I'm using MS Security Essentials, because I believe it's MS's job to protect
> Windows from these attacks (and why are they still called "viruses"
> anyway?). As it happened, MS Security Essentials did stop it on re-boot, so
> kudos for that. Of course the machine is now compromised, and I would regard
> it as that no matter how many "a/v" programs I run, until I rebuild it
> (again). I'm a small operation and I'm struggling to keep things as simple
> as possible, but I'm thinking I need to either brush off Norton Ghost (which
> I abandoned after it failed me ... It wants Net 2.0 and higher, but I needed
> to use a C compiler that required Net 1.1, so I installed .NET 1.1 for it
> (insert other steps, but basically restored back to .NET 2.0 after doing C
> work) - but it turned out that these changes permanently broke Ghost's
> ability to read any it's own backups in my library. So much for Ghost, for
> the while anyway)
>
> Considering VMWARE Workstation, which can create a succession of 'images' of
> the OS that can be restored from. I never liked the fact that it requires a
> host OS to run on, which makes the active OS a 3rd layer. Assuming I can
> live with it (as the price of useful protection), I'm wondering if the host OS
> (for VMWARE) is vulnerable to attack. I read one post saying "no - if you do
> not share common OS files", which is encouraging, but it seems other people
> believe otherwise, so the real answer isn't clear. This approach would be
> useless if the base OS can be attacked.


I've had good luck running Sun's VirtualBox.  I switched to 
VirtualBox after using VMWARE Workstation for a number of 
years.  The joker in my deck of cards right now is Oracle's 
acquisition of Sun, and what effect that might have on 
products previously owned by Sun, like MySQL, and 
VirtualBox.  I use PostgreSQL as my database, so I'm not so 
worried about MySQL's fate.

I host VirtualBox in Linux, (eg Fedora 11), and I have 
SELinux enabled.  I run XP Pro as a guest OS of VirtualBox, 
but I only use XP Pro as necessary.  I don't allow XP Pro to 
be used to browse the internet or run any email clients. 
All browsing of the internet and email clients are run in 
the home directory of the user, (eg Firefox, Thunderbird, 
Squirrelmail, etc.) in Fedora.  This limits exposure to 
viruses, malware, spyware, etc in Windows XP Pro, where such 
dangerous apps are so prevalent.

Since each VM running in VirtualBox is self-contained within 
its own folder, it's easy to back up.  All you need to do is 
copy and paste the folder.  Also, you could clone an OS and 
use the clone as a backup that could eventually become the 
primary OS in an emergency, and VirtualBox also supports 
snapshots.

Since the apps that expose me to the majority of risk from 
attack from the internet are running under Linux with the 
protection of SELinux, my Linux and XP Pro OSes are both 
pretty well protected.

Still I'm running a virus scanner in Fedora called "Clamtk 
4.10" to scan anything downloaded from the internet, before 
I install or run the downloads.  I think it would be a good 
idea to have software in place to protect any Windows OS, 
even when running the Windows OS within a VM; although, I'm 
not currently doing so.

The disadvantage of this approach is the learning curve for 
those who have little or no exposure to the Linux OS.

Regards,

LelandJ

>
> I don't think this was a drive-by. It's software running IP ranges, probably
> 24x7. And there's more than one group of these bastards out there. It's even
> possible to write programs that generate unique programs that do the same
> thing, so the number of attackers and machines compromised must already be
> in the stratosphere. They know, as we do, that they don't have to put
> something on the screen when they attack - that's just taunting us - once
> they've got control they can do anything they want to, and the possibilities
> are seemingly endless.
>
> It has crossed my mind that there's gold in being able to "protect and recover"
> machines, but I want no part of any of it. The solution is to fix the
> problem at its root, which is serious gov't pressure on MS and the ISPs,
> and tracking down the bastards behind it. Considering the scale of it, and
> the trajectory, this is a really big thing. Yet it seems not to be
> registering anywhere.
>
> I hate to suggest that the Internet be controlled, but to a large extent it
> already is. For example, I've no doubt that the CIA/FBI/KGB/et al know
> exactly how to pinpoint the source and target of any traffic sent over the
> net.
>
>
> Bill
>
>
>> It's a never-ending battle.
>>
>> --- On Sun, 1/10/10, Bill Arnold
>> <[email protected]>  wrote:
>>
>>> From: Bill Arnold<[email protected]>
>>> Subject: RE: [NF] An email was sent using my yahoo address
>> book, but no virus found.
>>> To: [email protected]
>>> Date: Sunday, January 10, 2010, 11:58 PM
>>> Jim,
>>>
>>> Here's another note on the subject of "attacks" just
>>> received. Everyone has
>>> their own combination of what works. It's a freaking
>>> career.
>>>
>>> And then tomorrow the mouse types a few lines to change the
>>> code, and the
>>> cycle repeats.
>>>
>>>
>>> Bill
>>>
>>>
>>>> -----Original Message-----
>>>> From: [email protected]
>>>
>>>> [mailto:[email protected]]
>>> On Behalf Of Nicholas Geti
>>>> Sent: Sunday, January 10, 2010 10:08 PM
>>>> To: [email protected]
>>>> Subject: Re: [NF] An email was sent using my yahoo
>>> address
>>>> book, but no virus found.
>>>>
>>>>
>>>> That package is incredibly powerful. It has worked
>>> every time for me.
>>>> However, you should run Malwarebytes and Spybot
>>> afterwards. Then run
>>>> combofix again.
>>>>
>>>>
>>>> ----- Original Message -----
>>>> From: "Michael Madigan"<[email protected]>
>>>> To: "ProFox Email List"<[email protected]>
>>>> Sent: Sunday, January 10, 2010 1:00 PM
>>>> Subject: Re: [NF] An email was sent using my yahoo
>>> address
>>>> book,but no virus
>>>> found.
>>>>
>>>>
>>>>> It looks like combofix may have fixed the
>>> problem.  There
>>>> was no spam sent
>>>>> in my name since the last time, over 24 hours.
>>>>>
[excessive quoting removed by server]
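The "copy the VM folder" backup LelandJ describes above works because a VirtualBox machine really is self-contained in one directory, but a bare copy has two gaps a practitioner would want closed: a running guest's disk image is not consistent when copied, and nothing tells you later whether the copy is intact. The script below is an added example, not code from the thread or from VirtualBox; it takes a snapshot first when `VBoxManage` is available (the `VBoxManage snapshot <vm> take` command is real; that the VM is registered under the given name is an assumption), copies the folder to a dated destination, and records a SHA-256 manifest so the backup can be verified before it is ever relied on. The folder layout, paths and the presence of `sha256sum` on the host are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from VirtualBox's own tools):
# back up a self-contained VirtualBox VM folder and record a SHA-256 manifest.
# Assumptions: the VM lives in one folder, the host has GNU sha256sum,
# and VBoxManage (optional) is on PATH with the VM registered under $1.

# Take a named snapshot first if VBoxManage is present. Copying a running
# guest's .vdi without a snapshot yields an inconsistent disk image.
snapshot_if_possible() {
    vm_name=$1
    snap_name=$2
    if command -v VBoxManage >/dev/null 2>&1; then
        VBoxManage snapshot "$vm_name" take "$snap_name" \
            --description "pre-backup" || return 1
    fi
    return 0
}

# Copy the VM folder to a dated directory under $2 and write a manifest of
# SHA-256 hashes of every file into the copy. Prints the backup directory.
backup_vm_dir() {
    src=$1
    dest_root=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    dest="$dest_root/$(basename "$src")-$stamp"
    mkdir -p "$dest" || return 1
    cp -R "$src"/. "$dest"/ || return 1
    # -exec ... {} + is safe for names with spaces (e.g. "XP Pro.vdi").
    ( cd "$dest" && find . -type f ! -name MANIFEST.sha256 \
        -exec sha256sum {} + > MANIFEST.sha256 ) || return 1
    printf '%s\n' "$dest"
}

# Verify a backup against its manifest; succeeds only if every hash matches.
# Run this before trusting a copy as the "primary OS in an emergency".
verify_backup() {
    dest=$1
    ( cd "$dest" && sha256sum --check --quiet MANIFEST.sha256 )
}

# Usage: sh vbox-backup.sh "XP Pro" "$HOME/VirtualBox VMs/XP Pro" "$HOME/backups"
if [ "$#" -eq 3 ]; then
    snapshot_if_possible "$1" "pre-backup-$(date +%Y%m%d-%H%M%S)" || exit 1
    dest=$(backup_vm_dir "$2" "$3") || exit 1
    verify_backup "$dest" && echo "backup verified at $dest"
fi
```

Because the snapshot and the copy are taken from the host, a guest that is already compromised cannot tamper with the manifest; the manifest only tells you the copy matches what was on disk at backup time, not that the guest was clean, so keep the pre-infection snapshot rather than the latest one when restoring after an incident.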

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: 
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the 
author, and do not constitute legal or medical advice. This statement is added 
to the messages for those lawyers who are too stupid to see the obvious.
