What next after Lavasoft/Grisoft drop support for 98 S.E

The strongest advice is to use a whitelist program that stops unapproved executables running at all. This stops all but script/browser based attacks. I've been steered towards SSM. Have yet to try it.

For malicious code delivered via web content, have you looked into Proxomitron? It performs many of the functions of NoScript, plus a whole lot more. It also works with all browsers. Its filter rules can be a bit intimidating if you don't know a little HTML, but there are filter sets available in addition to the default ones it comes with. It's the kind of app that gets more powerful as you learn it. I've had it for 2 years and am still learning more of what it can do. Incredible tool. The best part is that it's not an installed app. Just unzip it, set your browser's proxy settings and use it.

SSM can also help with web based attacks by controlling what your browser and WSH can do. A lot of browser exploits use the browser to gain access to another app or process that wouldn't normally be accessible. By limiting the parent-child settings, SSM can help defeat a lot of these.

One of the biggest things you can do to reduce the risk from new/unknown exploits from the web is to limit what can be launched in the browser. Whenever possible with web content, run it outside of the browser. That would include most media, PDFs, etc. Are you familiar with the PDF exploit that was fairly recent? Info here.

If the PDF is opened in the browser, the exploit succeeds. On mine, it worked with both IE6 and SeaMonkey via Adobe. Downloading the PDF and opening it with Foxit defeats it, this time. When opened in Adobe, SSM blocked Adobe's attempt to access the browser, something it can't do when the browser has already launched Adobe. Eliminating browser integration with other apps makes web browsing a bit inconvenient, but it does prevent a lot of exploits from working.

For scripts that are run from your PC, changing the default app for scripts to Notepad prevents a lot of their misuse. You can always add a context menu entry for scripts to open them with WSH as an option, keeping notepad as the default app for them. This way, you can view them first. An app like Script Sentry will also do this for you. It will also let you whitelist specific scripts if you want.

Rick

Edited by herbalist
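The "Notepad as the default handler, WSH as a context-menu option" setup described in the post, written out as a REGEDIT4 file. This is an added example, not the post's own registry export and not part of Script Sentry; the paths C:\WINDOWS\NOTEPAD.EXE and C:\WINDOWS\WSCRIPT.EXE are assumed for a default Windows 98 install, so check where WScript.exe actually lives on your machine before importing. The Shell key's default value names the verb Explorer runs on double-click; pointing it at "Open" and rewiring Open's command to Notepad is what makes viewing the default, while the added RunWSH verb keeps execution one right-click away.

```reg
REGEDIT4

; VBScript (.vbs) - double-click opens in Notepad, "Run with WSH" is a menu entry
[HKEY_CLASSES_ROOT\VBSFile\Shell]
@="Open"

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="C:\\WINDOWS\\NOTEPAD.EXE \"%1\""

[HKEY_CLASSES_ROOT\VBSFile\Shell\RunWSH]
@="Run with &WSH"

[HKEY_CLASSES_ROOT\VBSFile\Shell\RunWSH\Command]
@="C:\\WINDOWS\\WSCRIPT.EXE \"%1\" %*"

; JScript (.js)
[HKEY_CLASSES_ROOT\JSFile\Shell]
@="Open"

[HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command]
@="C:\\WINDOWS\\NOTEPAD.EXE \"%1\""

[HKEY_CLASSES_ROOT\JSFile\Shell\RunWSH]
@="Run with &WSH"

[HKEY_CLASSES_ROOT\JSFile\Shell\RunWSH\Command]
@="C:\\WINDOWS\\WSCRIPT.EXE \"%1\" %*"

; Encoded scripts (.vbe / .jse) and Windows Script Files (.wsf) use the same pattern
[HKEY_CLASSES_ROOT\VBEFile\Shell]
@="Open"

[HKEY_CLASSES_ROOT\VBEFile\Shell\Open\Command]
@="C:\\WINDOWS\\NOTEPAD.EXE \"%1\""

[HKEY_CLASSES_ROOT\VBEFile\Shell\RunWSH\Command]
@="C:\\WINDOWS\\WSCRIPT.EXE \"%1\" %*"

[HKEY_CLASSES_ROOT\JSEFile\Shell]
@="Open"

[HKEY_CLASSES_ROOT\JSEFile\Shell\Open\Command]
@="C:\\WINDOWS\\NOTEPAD.EXE \"%1\""

[HKEY_CLASSES_ROOT\JSEFile\Shell\RunWSH\Command]
@="C:\\WINDOWS\\WSCRIPT.EXE \"%1\" %*"

[HKEY_CLASSES_ROOT\WSFFile\Shell]
@="Open"

[HKEY_CLASSES_ROOT\WSFFile\Shell\Open\Command]
@="C:\\WINDOWS\\NOTEPAD.EXE \"%1\""

[HKEY_CLASSES_ROOT\WSFFile\Shell\RunWSH\Command]
@="C:\\WINDOWS\\WSCRIPT.EXE \"%1\" %*"
```

Import it by double-clicking the .reg file (or `regedit /s file.reg`), then right-click any .vbs: the bold default action should now be Open and launch Notepad, with "Run with WSH" listed below it. Two caveats: this only changes what Explorer does when a script file is opened, so anything that invokes wscript.exe or cscript.exe directly, or feeds script to the WSH engine from inside an already running program, is unaffected; and it does not cover .hta files or the script engine inside Internet Explorer, which the post's browser hardening addresses separately. Export HKEY_CLASSES_ROOT\VBSFile first if you want an easy way back.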


How does A-Squared Free work out for you all on the anti-malware front. It claims support of 98...

Crashed all the time on my win98se. Older versions used to be ok. But you can try it, since they claim support for win98 it will run on some configs for sure. Unless they really didn't do any tests at all but I don't think so.

I have been researching a/v for 98se.

Avira claim support using their older version and currently say threat lists will continue.

Where do you get that info? The Avira website says something different, that they are going to stop the non-unicode VDF files on 31-12-2007. Just a few weeks to go :(

On the forum I see one post regarding this matter, a moderator claiming that it might be possible to use VDF files after this date. But he's not sure and doesn't give any more information.

He might be hinting at using the unicode VDF files. Installing those files manually might work. But that won't work with the automatic updater so that's a really uncomfortable solution.


I have been researching a/v for 98se.

Avira claim support using their older version and currently say threat lists will continue.

Where do you get that info? The Avira website says something different, that they are going to stop the non-unicode VDF files on 31-12-2007. Just a few weeks to go :(

Sorry that was me with a bad Freudian slip. I meant to say that AVAST claim support for 98 which I found out while researching because Avira have stuck two fingers up to their win98 users.

Apologies for confusion caused. :whistle:


It would be foolish to believe 98 systems are not at risk, especially with the broad availability of extremely sophisticated PHP attack toolkits able to determine anything about a system and automatically deliver a custom tailored malware to that system if they can spot a vulnerability.

Hi eidenk. Are you also aware of any reliable 'cloaking' method(s) that would foil any such malicious attempts to identify a system (specifically 9x systems in this context)?

What about Proxomitron? In addition to filtering web content, you can use Proxomitron to make it appear that you are using IE7 and Windows Vista (just one example), even though you're actually using Opera and Windows 98 SE.

Phil


I have been researching a/v for 98se.

Avira claim support using their older version and currently say threat lists will continue.

Where do you get that info? The Avira website says something different, that they are going to stop the non-unicode VDF files on 31-12-2007. Just a few weeks to go :(

Sorry that was me with a bad Freudian slip. I meant to say that AVAST claim support for 98 which I found out while researching because Avira have stuck two fingers up to their win98 users.

Apologies for confusion caused. :whistle:

Don't worry about it. I was using Avira and had to make sure anyway.

Avast is keeping up Win9x support for sure when it comes to anti-virus updates. The website is clear about that. However, most new program development will be xp/vista only (not all modules run on win98). So it seems that win98 users are stuck with Avast if they want a free AV software that has a background on-access scanner.

So despite all the reasons I had not to use Avast before, I decided to install it. (Win98se with all (un)official updates including kernelEx)

And I'm not too unhappy with it.

I only use the standard on-access scanner. I tried the E-mail and web providers as well but they are huge resource hogs. They still are when you stop them so I uninstalled them totally. I don't want those anyway, the standard background scanner is fine for me. No need to check files before I actually download them. Perhaps this is useful for people who download warez and cracks on suspicious sites all the time, but for "normal" browsing it's not needed imho.

The only problem that I encounter is that after an on-demand scan I lose my icons.

First in the quick-launch bar and menu and later if I don't reboot I lose all, desktop and explorer included. I don't use a skin and disabled the animated tray icon. But it keeps happening from time to time.

Personally I can live with this because normally I rarely do on-demand scans and if I do I will do it online. It seems pointless to me to do an on-demand scan with the same software that is running in the background already.

The detection rate of Avast is not the best compared to Avira or others so a reliable online scan (like Trendmicro, supports win98) might be a good idea when you are in doubt.


Re rootkits, mostly system executables etc will be infected usually taking up any padding space left in the target file to inject their code. This code then does its business by finding and executing any required functions in (system)dlls etc in the 2 gig virtual memory address space. By infecting system executables no registry alterations need to be made due to them being system files which run on os start, and they are hidden as they are default processes.

System safety monitor or any crc checking utility will help alert or prevent such actions.

herbalist lists such apps here http://www.msfn.org/board/index.php?showto...05936&st=60

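The baseline-and-verify check the post recommends, as an added example that is not code from the thread, from SSM or from any of the checkers herbalist lists. It uses SHA-256 rather than a CRC: an attacker who controls the padding bytes of a file can adjust them to make a CRC come out unchanged, which is not feasible for a cryptographic hash. The demo builds a throwaway directory of constructed fake PE files, takes a baseline, then simulates exactly the infection the post describes, a same-size overwrite of unused padding, plus a dropped DLL and a removed file, and runs the comparison twice: with hashes, and with a naive size-only check to show why the latter misses padding-space infection. The extension list is an assumption for the example.

```python
"""Baseline/verify integrity checker for a tree of executables (added example)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Extensions a Win9x-era integrity checker would watch (assumed list for the example).
EXECUTABLE_EXT = {".exe", ".dll", ".com", ".sys", ".vxd", ".drv", ".ocx", ".scr"}


def fingerprint(path, chunk=1 << 16):
    """Size plus SHA-256 of the file contents, read in chunks so big files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return {"size": os.path.getsize(path), "sha256": h.hexdigest()}


def build_baseline(root):
    """Fingerprint every executable under root, keyed by forward-slash relative path."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_EXT
    }


def verify(root, baseline, size_only=False):
    """Compare the tree against a stored baseline.

    size_only=True mimics a naive checker that compares file sizes only; it is
    here to show that code written into existing padding leaves size untouched.
    """
    current = build_baseline(root)
    key = (lambda fp: fp["size"]) if size_only else (lambda fp: fp)
    report = {"modified": [], "added": [], "removed": []}
    for name, fp in baseline.items():
        if name not in current:
            report["removed"].append(name)
        elif key(current[name]) != key(fp):
            report["modified"].append(name)
    report["added"] = [n for n in current if n not in baseline]
    return report


def save_baseline(baseline, path):
    """Persist the baseline; keep this copy off the machine being checked."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline, then a same-size patch of EXPLORER.EXE."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Fake PE images: an MZ header followed by zero padding (constructed, not real binaries).
        (root / "KERNEL32.DLL").write_bytes(b"MZ" + b"\x00" * 4094)
        (root / "EXPLORER.EXE").write_bytes(b"MZ" + b"\x00" * 4094)
        (root / "README.TXT").write_bytes(b"not an executable, ignored by the checker")
        baseline = build_baseline(root)

        # Simulate a file infector: overwrite the last 64 bytes of padding so the
        # size stays 4096, drop a new DLL beside it, and remove one system file.
        img = bytearray((root / "EXPLORER.EXE").read_bytes())
        img[-64:] = b"\xcc" * 64
        (root / "EXPLORER.EXE").write_bytes(bytes(img))
        (root / "DROPPED.DLL").write_bytes(b"MZ" + b"\x90" * 100)
        os.remove(root / "KERNEL32.DLL")

        return {
            "hash": verify(root, baseline),
            "size_only": verify(root, baseline, size_only=True),
        }


if __name__ == "__main__":
    for mode, rep in demo().items():
        print(mode, rep)
```

Two practical notes. The hash run flags EXPLORER.EXE as modified while the size-only run does not, which is the whole argument for hashing over a size or date check. And, as eidenk's reply below points out, a rootkit's job is to hide: a checker run from inside the infected Windows session only sees what the filesystem driver lets it see, so keep the baseline file elsewhere and run the verification from a clean boot (a second install, a boot floppy, or another OS) when a compromise is suspected.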

What about Proxomitron? In addition to filtering web content, you can use Proxomitron to make it appear that you are using IE7 and Windows Vista (just one example), even though you're actually using Opera and Windows 98 SE.

Proxomitron addresses some of the methods used by websites to determine your OS and browser. It can modify the user agent in the headers and block specific javascripts. Java and ActiveX can also be used to determine what you're running. It might be possible with flash as well. The best Proxomitron can do with these is whitelisting sites that are allowed to run them and removing specific Java applets. The old JDList filter set had that feature but the site it was available on is now Search Portal. I have a copy of it but it's 4 years old now and needs updating. The Grypen and Sidki filter sets are still maintained as far as I know.

Rick


Re rootkits, mostly system executables etc will be infected usually taking up any padding space left in the target file to inject their code. This code then does its business by finding and executing any required functions in (system)dlls etc in the 2 gig virtual memory address space. By infecting system executables no registry alterations need to be made due to them being system files which run on os start, and they are hidden as they are default processes. System safety monitor or any crc checking utility will help alert or prevent such actions.

herbalist lists such apps here http://www.msfn.org/board/index.php?showto...05936&st=60

Actually, a rootkit is simply an executable that hides itself (and whatever payload it is bundled with and configured to hide) from the user.

A file that is altered on disk is by no means a rootkit IMO as it is not hidden.

Alteration of files on disk is very easy to defeat as you've said, and is therefore barely used by attackers IMO as any decent firewall will block a modified executable that was previously set as trusted. Mine does.

The current hype seems to be FWB (which simply stands for firewall bypass). It consists of injecting code into a running process that is usually set as trusted (aka IE). As the injected malicious code is terminated along with the infected process when the latter is closed, FWB would seem to me to be not suitable for everything. Certainly not for backdoor servers I would say, unless code is injected in explorer.exe (which is running all the time on 99% of the windows machines) which apparently quite many are doing despite the fact you would normally not allow explorer to access the network without a prompt at least.

Not sure if all that falls under the FWB appellation works like that but I have certainly downloaded enough FWB uploaders, downloaders, backdoors etc... recently so that I can test the capabilities of those things by setting them up to do harmless things and run them on my machine. Which I will certainly be lazily doing in the coming weeks.

Edit : Uploaded a compiled FWB sample + source code I downloaded from I don't remember where. It does not seek to bypass firewalls, it just launches notepad, injects code into it in memory and exits. Notepad is opened with a dialog box that does not exist in it normally.

http://rapidshare.com/files/77313778/fwb.zip.html

Edited by eidenk

3 weeks later...
First of all, Windows 98se does not handle memory above 256 very well AT ALL.

Where are you getting this from if I may ask ?

As far as anti-viral programs go, you can use the free AV scanner called Clam Win. You can read all about it and download it here:

http://www.clamwin.com/

Clam Win is not good IMO. If you want something good go for Antivir/Avira.

As for substitutes for AdAware, there is Spybot S&D, Doctor Alex and SuperAntiSpyware.

And don't forget to run a good firewall. I would recommend Jetico 1.1.

Dr. Mac's comment about Win98se not handling 256Mb of RAM is WRONG. Win98se handles 256mb+ of RAM well without any memory tweaks. It's when you get to 512Mb or greater that Win98se may choke at startup.

I'm currently beta testing Spybot 1.5.1.18 which you can find at the Spybot Beta forums site:

http://forums.spybot.info/forumdisplay.php?f=12

The official Spybot 1.5 release has some major kinks to work out such as the "floppy drive" scan when loading spybot 1.5; also it takes way too long to load when having the latest spybot detection updates installed. Both problems fixed in the latest Spybot beta.

Ditch any commercial antivirus programs you have installed and get NOD32 which also retains Win9x support.

Edited by erpdude8

ActiveX inside IE is normally not able to launch exe files or script files through WSH (wscript.exe).

IE doesn't use WSH. It uses its internal script engine, otherwise running exe file through IE would be possible.

The default IE setting will prompt a warning yes/no dialog when such ActiveX is running on a webpage.

You can change the setting to totally disable such function. Enabling it without prompt however is pure suicide.

Maxthon offers different levels of extra security features such as an ActiveX blocker and OffByOne displays webpages without scripts running at all.
