[9x/Me] Surviving Without a Virus Scanner


Queue



You've said above you download an average of 5 to 10 infected files per day.

So what was infected for example today and with what in your downloads ?

Give us a list please, don't be so unhelpful.

Other than that, and out of curiosity, I was just wondering if those keygen.exe files, that sometimes don't run on 98 as you've mentioned above, come together with those digitally signed executables you deem safe and those nfo files you spoke about in another thread?


I am using Kerio 2--14, and think it's great.

I also use the alpha shield external firewall.

Now what I want to know, is this: are these firewall settings in any way defeating the functions of the external firewall?

Outgoing ping command (ICMP in/out) - both denied.
Incoming ICMP - denied.
Outgoing reply "Time exceeded" (ICMP in) - denied.
Outgoing reply on ping command (ICMP out) - denied.
Other ICMP (both) - denied.
ICMP - other 2 (both) - denied.
DHCP dynamic host (UDP) - denied.
Windows Explorer - denied.

The only thing I allow is DNS UDP (both).

If "System" appears in the firewall settings on one of my computers, I deny that.

I deny outgoing and incoming echo requests too.

Am I denying anything vital for the external firewall to function properly, does anyone know?

Would greatly appreciate advice from anyone that really knows what they are doing, as I do not know anything much about firewall settings.

My policy is deny everything, unless it is essential to me using the internet.


Simply by being in Brazil, I've, up to now, avoided zero-days
Are you serious when you say this ?
Very. I had a BITNET account back in 1991, before we had real internet here. As soon as there was internet available I moved over to it. I've participated in listservs, then usenet newsgroups, then forums, so I was as current about what was happening abroad as possible from here. But, in all this time, I've had only four virus episodes (I mean really getting the machine infected, not catching viruses and deleting them without the machine getting infected): Ping-Pong, Stoned, Brasil and Jerusalem. The first three were boot sector infectors, being easy to remove by hand, using debug or symdeb or NU (the good old Norton hex editor). Jerusalem cost me a reinstall from scratch, and taught me viruses were a serious matter. Some time later McAfee VirusScan arrived in Brazil, and I used it continuously up to 2002 or 2003, when I switched to AVG, which I use up to the present. Incidentally, note that all those four viruses were caught through 5 1/4" floppies! When I began using fast internet at home (July 2003) I installed a FreeBSD firewall that I later changed for a Linux one that I use today. My scanner caught numerous viruses along all this time, but I've managed to avoid infection up to now. I've seen much damage due to viruses along this time, but not on my machines. And, anyway, I do backup obsessively.

So what was infected for example today and with what in your downloads? Give us a list please, don't be so unhelpful.
If you asked Eugene Kaspersky this question, he wouldn't answer you, even if he wanted to help you.

BTW, did you know that there are collectors of viruses, just like stamp collectors? "I got a virus which you don't have, but I won't show you." :P


So dencorso, you're using a firewall on an external router, what's the benefit of that? I don't seem to see any as it will block only incoming traffic if I am not mistaken.
You're right. It's more useful to protect XP than Win 9x/ME, because it blocks incoming attacks and sniffing. To turn off either the machine or, at least, the internet connection, when the machine would otherwise be idle is also a good idea, when feasible. A software firewall to prevent and detect programs trying to call home is also very useful. I'm intending to use one again, and I think the Tiny Personal Firewall, recommended by Multibooter, may be just what I was looking for. I've used the Norton Personal Firewall 2003 for some time in the past, but it bogged down the system too much for my taste, so I ended up dumping it. BTW, the good old usenet Firewall FAQ (last updated in 2001; the 2009 revision exists at this link) remains a fair introductory reference for anyone new to the subject, and provides a good demonstration of how little things have changed since then, at least at the conceptual level: the hardware has had a lot of improvement, the software became more powerful (or more bloated, depending on how you look at it), but almost no really new ideas have appeared in the last 8 years.

I don't use P2P much anymore, and have never used it to the point of wanting a dedicated PC for it. When I do run P2P, finding trojans disguised as or hidden inside of legitimate files is quite common. P2P has proven to be an easy way for some to take control of a lot of PCs with trojans and rootkits. I used to post at a couple of P2P forums and was amazed at how little regard many of them had for their own security (not pointing at you, Multibooter). Several that I talked to at those forums refused to run an AV or firewall. They were so obsessed with getting every possible bit of transfer speed and were totally convinced that security software would cost them some of that speed. Botnet owners love those dedicated P2P users. Fast PCs on very fast connections with open ports and no defenses, perfect for DDoS attacks. My P2P usage is primarily music and some software. Everything I download (P2P or otherwise) is scanned with online scanners. Applications I get through P2P are installed or launched on a test OS I built for this purpose. Once I'm convinced that the file is safe and meets my needs, then I'll move it to a good OS.

I've also taken additional precautions on the OS containing the P2P software (Shareaza). When I going to use Shareaza, I load in a different registry containing severe system and software restrictions, along with an alternate SSM ruleset that prevents Shareaza from launching any other process and blocks all other executables in Shareaza's folders from running.

Rick


I do backup obsessively.
Hi dencorso,

I don't (On second thoughts: maybe I do). I only make a backup after the final clean install of a new software package. Besides my original software CDs, downloads and data, I only backup \Windows\ and \Program Files\. During the installation of a software package I always choose an install-to location outside of \Program Files\, to keep \Program Files\ small (Exception: Kaspersky KIS6 must be installed to \Program Files\ otherwise an opsys restore turns a valid purchased key somehow into a blacklisted one, there must be a bug in their validation program). Currently the size of my rared up Win98 opsys backup (\Windows\ + \Program Files\) is 495MB. The install-to directory of a new clean software I backup separately, but only once. I have archived all my opsys backups and install-tos going back to Nov.2003. I can restore the system to basically any date between Nov.2003 and now. This helped me to trace the last infection to its origin, a respectable website (trojan spooner, in Jan 2004).

I do restore obsessively, mostly the last clean opsys backup, maybe once every third day. It doesn't matter if I tread in murky or black waters, any stuff which gets thru and stays unnoticed, gets wiped out in a couple of days. Because my opsys backups are small, a restore takes less than 10 minutes, including the booting into WinXP, and then back into Win98.

Regarding your problem with AVG:

a) I went thru a similar problem when my ancient Kaspersky AVP v4.5 stopped working under Win98 in December 2008. My workaround was to purchase at ebay old unopened retail boxes of Kaspersky Internet Security/Kaspersky Anti-Virus v6.0.2.621, which is still supported under Win98. I bought a supply of 3 boxes=3 years of updates, in the hope that Kaspersky Lab will continue to supply signature updates under Win98, and that the 2 unused keys will still be accepted in the next 2 years. The keys of Kaspersky are version specific, i.e. a key for v9 does not work for v6. I don't know where else one could purchase keys of v6, maybe by calling up Kaspersky Labs in Moscow or in Brazil http://usa.kaspersky.com/about-us/contact-info/ . There are no valid v6 keys in dark channels.

b) Real-time scanning is not necessary under Win9x. On-demand scanning plus cautious practices are sufficient.

c) Eventually there will be no more virus-scanning under Win98. This means that all on-demand scanning will have to be done from WinXP. Kaspersky KIS can scan across the Network. I am planning on 2 desktop boxes running at the same time, one under Win98, the other under WinXP, and both connected via LAN. 2 boxes under a desk, connected to a monitor, keyboard and mouse via a KVM switch.

People wishing to continue to use Win98 safely, will most likely have 2 options in 2-3 years:

- either they multiboot and have Win98 and WinXP on their computer, checking Win98 from WinXP (or from another opsys)

- or they set up a Win98/XP network, and scan their Win98 machine from a WinXP machine in the network


I think the Tiny Personal Firewall, recommended by Multibooter, may be just what I was looking for
Tiny Personal Firewall v2.0.14 (I prefer this v2.0.14 to the last version) can be downloaded with Firefox from http://web.archive.org/web/20011227140728/...PF_Build_14.exe Somehow FlashGet v1.65 couldn't download it today.

BTW, there was another benefit of dumping ZoneAlarm v5.5: I have to run Norton Disk Doctor much less now. When shutting down with the power-off button, i.e. when Win98 was hung, ZoneAlarm caused damage to the file system, which NDD detected with the msg: "The following files have allocation errors: \windows\Internet Logs\tvDebug.log". Very often there were also lots of lost clusters.


I don't use P2P much anymore, and have never used it to the point of wanting a dedicated PC for it.
The dedicated laptop also serves as a print server computer, with the lid usually closed. It's up 24 hours a day. Since I use near-identical laptops, the only work to get another dedicated computer going is to clone a HDD, no additional support is required.
Botnet owners love those dedicated P2P users.
Yes. I now remember that at least on 10 different occasions the mule requested to send email messages, then the firewall came up and then Win98 was frozen. I guess this botnet stuff didn't work so well under Win98 :thumbup
Everything I download (P2P or otherwise) is scanned with online scanners. Applications I get through P2P are installed or launched on a test OS I built for this purpose. Once I'm convinced that the file is safe and meets my needs, then I'll move it to a good OS.
Good safe practice.

You are contradicting yourself here. You can't blame somebody if its not safe anywhere. And change the word P2P with "internet" and its also a valid statement.

No, I'm not contradicting myself. Browsing the web doesn't mean downloading tons of executables from unknown sources. The web is HTML documents, images, CSS, and JavaScript. When you download an executable from the web, you do so from a trusted source. With P2P, all the sources are untrusted and unknown.


So dencorso, you're using a firewall on an external router, what's the benefit of that? I don't seem to see any as it will block only incoming traffic if I am not mistaken.

Obviously I'm not dencorso, but I think I can do a good job of explaining this one.

Let's start with a diagram:

Computer---\
Computer----\           65.7.34.120
Computer-----Router/Firewall---Modem---Internet
Computer----/
Computer---/

Even if you only have one computer, just ignore the extra 4 in the diagram, the layout would still be the same.

Now, when your computer makes a connection to another computer out on the internet, the router keeps track of which computer made the connection, and when a reply comes, sends it back to the computer that made the request. There is no interference with outbound connections.

When an incoming connection is attempted, let's say someone makes a connection to the (fake) IP address listed above (65.7.34.120) at port 135, the connection is refused. This occurs for two reasons: the first is that the router doesn't know which computer on the network would even want the connection request, the second is because it's not been told to accept connections on port 135 and forward them to a certain computer.

This is the primary security benefit of a hardware firewall: denying incoming connections.

As an example, on my Win9x machine, the following ports are open: 137, 138, 139 (all NetBIOS related) and 1033 (related to modifying web content before it reaches my browser). Without a hardware or software firewall, remote users could, theoretically, try and establish connections to my NetBIOS ports. Closing those ports isn't an option: they're related to proper network functionality of Windows. WinXP usually also has port 445 open. Many early remote exploits on WinXP were against services listening on given ports; a fresh install of WinXP without any updates is very vulnerable to automated attack if directly connected to the internet.

If I want to be able to receive an incoming connection on a given port, there are at least two options: I can change my router's settings to explicitly forward incoming connection requests on a given port to a specific computer on my network, or a program can use a system called Universal Plug 'n' Play (UPnP) to ask the router to forward a certain port (so I won't have to configure it manually).

Hardware firewalls can be configured to affect outgoing connections as well, but they typically can only control things at the port number level; only advanced firewalls analyze the data being sent and filter it according to what type of data it is. A software firewall has more information available, such as which program is trying to make an outbound connection or wants to start listening on a given port.

Queue
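The router behaviour Queue describes (outbound flows tracked, replies routed back, unsolicited inbound refused unless a port forward or UPnP mapping exists) as a toy model. This is an added example, not code from the thread or from any router firmware; the LAN address 192.168.1.10 and the remote addresses are constructed, and 65.7.34.120 is the fake public address from the post. It goes one step past the post by tracking the full flow tuple, so a packet to a mapped port from a different remote host is dropped rather than treated as a reply.

```python
"""Toy model of a stateful home router / NAT firewall.

Added example, not code from the thread. Addresses and ports are constructed
for illustration; 65.7.34.120 is the fake public address the post uses.
"""
from dataclasses import dataclass, field
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Router:
    public_ip: str
    # public_port -> (lan_ip, lan_port, remote_ip, remote_port): flows a LAN host opened
    nat_table: dict = field(default_factory=dict)
    # public_port -> (lan_ip, lan_port): static port forwards or UPnP mappings
    forwards: dict = field(default_factory=dict)
    _next_port: "itertools.count" = field(default_factory=lambda: itertools.count(40000))

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the public address and
        remember the full flow so the reply can be routed back."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, flow in self.nat_table.items():
            if flow == key:          # existing flow, reuse its public port
                break
        else:
            pub_port = next(self._next_port)
            self.nat_table[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet):
        """Internet -> LAN: deliver only replies to tracked flows or packets
        to explicitly forwarded ports; everything else is refused (None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        flow = self.nat_table.get(pkt.dst_port)
        if flow is not None:
            lan_ip, lan_port, remote_ip, remote_port = flow
            # A packet to a mapped port from a different remote host is not a
            # reply; a stateful router drops it rather than guessing.
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)
            return None
        if pkt.dst_port in self.forwards:
            lan_ip, lan_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)
        return None

    def add_forward(self, public_port: int, lan_ip: str, lan_port: int) -> None:
        """What a manual port-forward rule, or a UPnP port-mapping request from
        a program on the LAN, does: open a hole for unsolicited traffic."""
        self.forwards[public_port] = (lan_ip, lan_port)


def demo():
    """Constructed scenario: a web request from a LAN host, its reply, a
    spoofed 'reply' from elsewhere, and a probe of TCP/135 before and after
    a port forward is added."""
    router = Router("65.7.34.120")
    lan_host = "192.168.1.10"
    translated = router.outbound(Packet(lan_host, 1025, "93.184.216.34", 80))
    reply = router.inbound(Packet("93.184.216.34", 80, "65.7.34.120", translated.src_port))
    spoofed = router.inbound(Packet("198.51.100.7", 80, "65.7.34.120", translated.src_port))
    probe_before = router.inbound(Packet("198.51.100.7", 31337, "65.7.34.120", 135))
    router.add_forward(135, lan_host, 135)      # the hole UPnP or a manual rule opens
    probe_after = router.inbound(Packet("198.51.100.7", 31337, "65.7.34.120", 135))
    return translated, reply, spoofed, probe_before, probe_after


if __name__ == "__main__":
    names = ("translated", "reply", "spoofed", "probe_before", "probe_after")
    for name, pkt in zip(names, demo()):
        print(f"{name:13} -> {pkt}")
```

The last two steps of `demo()` are the practical caveat: the router's protection is only as good as its forward table, and any LAN program allowed to talk UPnP to the router can add an entry to it without the user configuring anything, which is exactly what a trojan on a P2P box would do.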


Another 9X thread relocated. I hope users of NT systems can see this is a thread for 9X users and refrain from adding the "upgrade your OS" posts.

The 98FE unit, my primary OS, changes very little. Except for little unzip-and-go apps, when I do install or update software, I make a full system backup first. If something goes wrong with the install, like finding they've removed 98 compatibility, I can get back to where I was very easily. Contrary to the standard advice, I don't make an effort to stay current with the browsers. Right now, I'm using SeaMonkey 1.1.9, which is 7 versions behind. Most of my extensions are installed in the application folder and have to be re-installed when I update the browser. Every so often, one of the updates breaks an extension I use, forcing me to either find a replacement, find a way to fix it, or back up to an earlier version of the browser. With most of the browser's integration with other applications removed, disabled, or otherwise blocked, its traffic filtered through Proxomitron and SSM restricting the access the browser has to the OS components and other applications, I don't worry much about non-IE browser weaknesses.

I back up the entire OS at once except for the boot folder, which contains several bootable images including Knoppix. This I treat as a separate OS. I was using an older version of the Acronis rescue CD for all the backup and restoring tasks, which worked very well. I never had a problem with it except for one time when I was restoring from CDs. One of the CDs was damaged, not the fault of Acronis. I have backup images of this OS dating back to 2006. Don't ask me why I haven't pitched these. Last year I started experimenting with using 7zip for full OS backups. For the most part, it has worked well. It has enabled me to back up and restore any of the Windows OSes from any other, including the DOS image. The 7z backup images are 25-35% smaller than the Acronis images and take quite a bit longer to make. I can extract individual files from them from Windows and DOS. For me, that's a big plus. It seems I'm always having to open a backup image to get something I left on the desktop. Another advantage of using 7zip is that I can keep using Windows and doing other tasks while it's running, which makes the longer creation and extraction times a non-issue. The ability to run 7zip at a lower priority in the background is sweet.

A software firewall to prevent and detect programs trying to call home is also very useful. I'm intending to use one again, and I think the Tiny Personal Firewall, recommended by Multibooter, may be just what I was looking for.

Tiny and Kerio are excellent firewalls for 9X systems. Kerio 2 was developed from Tiny. Their engines are so similar that Kerio can import Tiny's rules. I'm pretty sure that Multibooter stays with 2.0.14 because it's pre 9/11. If you don't consider it necessary to use pre 9/11 software, there's version 2.0.15 of Tiny and Kerio 2.1.5, also very similar. The size difference between Tiny and Kerio (1.35MB vs 2.06MB) is due to help files contained in Kerio. If being "stealthed" is important to you in a firewall, Tiny doesn't stealth ports 0 (nul port) and 1 properly. The other major difference is that Kerio can export and import rulesets, a feature Tiny doesn't have. Other than that, they're almost the same firewall.

Yes. I now remember that at least on 10 different occasions the mule requested to send email messages, then the firewall came up and then Win98 was frozen. I guess this botnet stuff didn't work so well under Win98 :thumbup

In that instance, definitely. The potential attacker has no way of knowing what OS the potential target is running. If he/she did know, they could just as easily pack a different trojan that did run on 98.

On web pages, it's not that simple. Some of those who create malicious sites or attack supposedly safe sites use scripting, headers, and other tactics to determine the OS, browser type and version, and at times which patches have been applied. They use that information to select the best malware for compromising that system, or if the system is not vulnerable, the site delivers no payload at all. They can tell if the PC/IP address has been there before, which makes it hard for security app vendors to get samples. Some of these attackers have really put some work into these sites, with up to 40 pieces of malware or exploit code. It would be a simple matter to include something for a 9X system if they chose to. We're not dealing with script kiddies anymore. These are professional coders who know how to exploit vulnerabilities, defeat AV detection, and bury code so deep into a system that it's a nightmare to get it back out. The "security through obscurity" concept for 9X systems is of limited value that only helps in certain situations, P2P downloads being one of them. Don't rely on it.

Eventually there will be no more virus-scanning under Win98. This means that all on-demand scanning will have to be done from WinXP.

I don't see this as a problem. Besides online AV scanners like HouseCall, local on-demand integrity checkers can be used to scan the file system for new, altered, and missing files. Anything new or altered can be uploaded to VirusTotal. There are several good free ones. There are also several apps that poll files and folders at user-defined intervals. There's at least one that checks the root directory along with the "windows" and "system" folders at bootup, also free. I have quite a few of these on my FE system but rarely ever use them anymore. In some ways, running an integrity checker is superior to scanning with an AV. The AV is looking for known threats. It doesn't detect unknown malicious code, altered, corrupt, new, missing, or moved files. Integrity checkers can find all of these. I have a fair selection of these if anyone is interested.

Rick
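The integrity-checker approach Rick describes, as an added example (not code from the thread, and not any of the free tools he has in mind): take a baseline of a directory tree as relative path to SHA-256 and size, then on the next run report what is new, altered or missing, leaving the "is it malicious?" question to VirusTotal or an AV on the other OS. The file names, contents and the simulated infection in `demo()` are constructed so the script runs offline in a throwaway directory.

```python
"""File-integrity checker: baseline a tree, then report new/altered/missing files.

Added example, not code from the thread or from any tool it mentions. The
demo builds a throwaway fake WINDOWS tree with constructed contents.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path: str, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map relative path -> (sha256, size) for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (hash_file(full), os.path.getsize(full))
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences. Timestamps are deliberately ignored: a trojan can
    restore them, but it cannot restore the hash of a file it has changed."""
    both = set(baseline) & set(current)
    return {
        "new": sorted(set(current) - set(baseline)),
        "altered": sorted(p for p in both if baseline[p] != current[p]),
        "missing": sorted(set(baseline) - set(current)),
    }


def save_baseline(snap: dict, path: str) -> None:
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return {k: tuple(v) for k, v in json.load(f).items()}


def demo() -> dict:
    """Constructed scenario: baseline a fake WINDOWS tree, then simulate an
    infection (one file dropped, one system DLL patched in place, one deleted)."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        sysdir = os.path.join(root, "WINDOWS", "SYSTEM")
        os.makedirs(sysdir)
        files = {
            os.path.join(sysdir, "WSOCK32.DLL"): b"\x00" * 512,
            os.path.join(sysdir, "USER32.DLL"): b"\x01" * 512,
            os.path.join(root, "AUTOEXEC.BAT"): b"@ECHO OFF\r\n",
        }
        for path, data in files.items():
            with open(path, "wb") as f:
                f.write(data)

        # The baseline lives outside the tree being checked. In the setup the
        # thread describes that would be the WinXP side or removable media, so
        # malware on the Win98 side cannot rewrite it to hide its changes.
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_path)

        # Simulated infection
        with open(os.path.join(sysdir, "DROPPED.EXE"), "wb") as f:
            f.write(b"MZ" + b"\x90" * 64)
        with open(os.path.join(sysdir, "WSOCK32.DLL"), "r+b") as f:
            f.seek(100)
            f.write(b"\xEB\xFE")            # same size, different content
        os.remove(os.path.join(sysdir, "USER32.DLL"))

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:8}: {paths}")
```

Two practical points follow from the thread's own setup: run the snapshot from the scanning OS against the Win98 volume rather than from inside Win98, so a rootkit on the live system cannot hide files from the walk; and expect legitimate churn under \Windows (logs, registry, swap, cache) that has to be excluded or ignored, otherwise the "altered" list is useless.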


As an example, on my Win9x machine, the following ports are open: 137, 138, 139 (all NetBIOS related) and 1033 (related to modifying web content before it reaches my browser). Without a hardware or software firewall, remote users could, theoretically, try and establish connections to my NetBIOS ports. Closing those ports isn't an option: they're related to proper network functionality of Windows.

Unless you need to share files over a local network, the NETBIOS ports can be closed. That's the first thing I do on a 9X system.


I'm pretty sure that Multibooter stays with 2.0.14 because it's pre 9/11. If you don't consider it necessary to use pre 9/11 software, there's version 2.0.15 of Tiny and Kerio 2.1.5, also very similar.
Yes. I had to weigh priorities, because Tiny v2.0.15 has a nice handling of peer networks, which Tiny v2.0.14 does not have.
The potential attacker has no way of knowing what OS the potential target is running. If he/she did know, they could just as easily pack a different trojan that did run on 98.
My feeling is that it's very difficult to defend against a trojan customized especially to your machine. Maybe one could fake that one is running WinXP or Vista and then hope that this customized trojan won't work under Win98.

http://browserspy.dk/os.php is a good site to show what is easily seen of one's computer. Which are the best tools to pretend to be running a different operating system?

The "security through obscurity" concept for 9X systems is of limited value that only helps in certain situations, P2P downloads being one of them. Don't rely on it.
Yes. "Security through obscurity" is based on an economic argument which may not always hold: criminals want to make money and going after 0.1% of the potential market is not a money-making proposition. Governments are restricted by budgets: spending big money on developing something like a "Bundestrojaner" which covers only 0.1% of potential targets would need a special reason. Maybe some governments spend money to penetrate Arabic Windows operating systems; but Arabic Windows 98 is seriously flawed and hardly anybody still uses it, so it doesn't look like there is a ready source of budget funds for targeting Win98 under that category.

One could stay away from popular applications. Removing which unneeded functionality from Win98 would make Win98 safer against customized trojans? Active Desktop, webcheck.dll? Any suggestions?

Is there a general faking tool which could pretend to have a range of popular (WinXP) applications installed, so that potential trojans fall into such a honeypot and crash Win98?
