Archives November 2009

I still like Avira

Attention: This content is 15 years old. Please keep its age in mind while reading as its contents may now be outdated or inaccurate.

Yesterday I wrote about how I had stumbled upon a virus through Java in Firefox and how Avira didn’t quite stop all the infections.

I also mentioned I didn’t blame Avira because I felt that it was a new strain, and it looks like I was right.

Yesterday when I scanned the infected file it wasn’t reporting any issues.

Today I noticed a little update notice from Avira so for the heck of it I scanned the infected file again (kept it around to test with), and bam, detected!

So for the heck of it I popped it through my trusty online scanner, VirusTotal, which will scan any file you upload against 41 antivirus engines.

The other day I got:

File iaStor.sys received on 2009.11.12 18:25:30 (UTC)
Current status: finished

Result: 1/41 (2.44%)

Reanalysing the file today I get:

File iaStor.sys received on 2009.11.15 00:09:41 (UTC)
Current status: finished

Result: 11/41 (26.83%)

So this was obviously a new strain and engines are finally starting to update!

Also, yay for Avira being one of the 11 detecting it now.  I picked Avira because of its high detection rates, so hopefully they will continue leading the sector. 🙂

Make Firefox More Secure, Disable Java


No, not Javascript.  Java.

Despite similar names, Javascript and Java are 2 entirely different things.

Java, or Java applets, are programs that can be embedded into websites.  They are generally poorly written, and hardly ever function right.  Most people will probably never even need Java, and in fact the only website I can think of that I ever use it on is Facebook’s shitty multi-photo uploader, which I use only a handful of times a year.

Why am I writing about this?  Because I had a Windows 7 machine that was fully updated, running an updated Firefox with Java (Java may have not been up to date), and a fully updated antivirus program.  By clicking one simple link, the machine was infected through the Java runtime in Firefox.  Despite clicking “Deny” on the Java question, the app still managed to run itself.  It looked like it caused some type of crash in the Java runtime and allowed itself to execute code.  The virus then proceeded to attempt to hijack the browser and insert other malicious code into the system.  Avira Antivirus was able to block most of these attempts, but it did miss something.  I have a feeling that this was a new strain of the virus, so I’m not going to place too much blame on Avira here.  After all was said and done I ran the infected file through an online scanner, and only 1 of 41 virus engines detected it.  Yikes!

Before shutting down the system I had run FULL scans with Malwarebytes and Avira; both came back clean.  I rebooted the system and that is when it happened.  7 load screen… blue screen… reboot.  Over and over.  Safe mode was of no use, other methods of recovery didn’t work, and the bluescreen yielded no useful information.  It wouldn’t even point me to the file causing the crash (which would have helped me tremendously).  To make a long story short (I put probably 4 hours into fixing this bluescreen), the virus had attempted to insert code into my iaStor.sys driver.  This is an Intel Storage driver, vital to system operation.  I believe that because this was a Windows 7 machine, it was unable to successfully hijack this file (the virus was probably written to hijack XP machines).  I found the lone infected file by pulling the drive out of the laptop and using a separate computer running Nod32 to scan the entire drive, and replaced the infected file with a good copy I had in my archives.  The really strange thing about it was the good file and infected file were the same exact size, but the infected file no longer had the Intel signature and had a different MD5 hash than the good file.  The virus obviously tried to re-write some part of my storage driver… who knows what though.
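The same-size-but-different-hash observation above is exactly why file size is useless as an integrity check and a digest is not. The following is an added example, not code from the original post: it hashes a trusted copy and a suspect copy of a file in chunks and reports whether they differ even when the sizes match. The two "driver" files are constructed byte strings written to a temporary directory; they are not real iaStor.sys images.

```python
import hashlib
import os
import tempfile


def file_digests(path):
    """Return (size, md5, sha256) for a file, reading it in 64 KiB chunks."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
            size += len(chunk)
    return size, md5.hexdigest(), sha.hexdigest()


def compare_to_known_good(good_path, suspect_path):
    """Compare a suspect file against a trusted copy.

    Returns a dict with a human-readable verdict plus both sides' size, MD5
    and SHA-256, so a size match with a digest mismatch is reported explicitly
    (the case described in the post) rather than hidden behind a bare "differs".
    """
    g_size, g_md5, g_sha = file_digests(good_path)
    s_size, s_md5, s_sha = file_digests(suspect_path)
    if g_sha == s_sha:
        verdict = "identical"
    elif g_size == s_size:
        verdict = "same size, different content"
    else:
        verdict = "different size and content"
    return {
        "verdict": verdict,
        "size_good": g_size, "size_suspect": s_size,
        "md5_good": g_md5, "md5_suspect": s_md5,
        "sha256_good": g_sha, "sha256_suspect": s_sha,
    }


def demo():
    """Constructed sample: a fake driver image and a copy with 16 bytes
    overwritten in place, so the length is unchanged but the content is not."""
    good = b"INTELDRV" + bytes(range(256)) * 4  # constructed, 1032 bytes, not a real driver
    tampered = bytearray(good)
    tampered[100:116] = b"\x90" * 16  # in-place overwrite, same length
    tampered = bytes(tampered)
    with tempfile.TemporaryDirectory() as d:
        good_path = os.path.join(d, "iaStor.sys.good")
        suspect_path = os.path.join(d, "iaStor.sys.suspect")
        with open(good_path, "wb") as f:
            f.write(good)
        with open(suspect_path, "wb") as f:
            f.write(tampered)
        return compare_to_known_good(good_path, suspect_path)


if __name__ == "__main__":
    result = demo()
    print(result["verdict"])
    print("size  good/suspect:", result["size_good"], result["size_suspect"])
    print("md5   good:   ", result["md5_good"])
    print("md5   suspect:", result["md5_suspect"])
```

On a real system you would run `compare_to_known_good` against a copy of the driver taken from installation media or a vendor download, and keep SHA-256 alongside MD5, since MD5 collisions are practical and a signed-driver check (Authenticode) is the stronger signal; the post's observation that the Intel signature was gone is that check failing.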

Nod32 identified it as Olmarik.pv which from what I can tell is a pretty new strain.

To bring this story back to its point, a fully updated system running Firefox still caught an infection thanks to shitty ass Java.  So, do yourself a favor out there RIGHT NOW.  Disable Java.

Tools -> Options -> Content

Un-check “Enable Java”.

The nice part about this is that if you do end up on a site that you TRUST and need to enable it, you can simply check the box again and reload the page and it will work.  You don’t have to restart your browser.  Just be sure to disable it again after you’re done to keep your browser safe!

I have made this change on all of my machines and I strongly encourage you to as well!