Comments on anti-virus rants: the energizer bunny looks more like a RAT
Post by kurt wismer (http://www.blogger.com/profile/03810635947269551517); comment feed retrieved 2023-08-26. Five comments, shown oldest first.

Rob, 2010-03-09 07:36 (-05:00):
Of course, even the router safety net (my last line of defence too) is helpless against outgoing botnet type connections to irc. The firewall prompt might be a little more obvious there though.

Anonymous, 2010-03-09 08:31 (-05:00):
You do know that RAT stands for Remote Administration Tool and not Remote Access Trojan. Right?

kurt wismer, 2010-03-09 09:51 (-05:00):
@rob:
agreed - there's really only so much any particular layer can do on its own. my router's logs would probably have shown the outgoing connection activity, however, and i do inspect those from time to time.

@anonymous:
it actually stands for both things. you should have followed my first link and read my definition.

Anonymous, 2010-03-10 13:11 (-05:00):
I say "trust, but verify." If I had installed this Energizer software, I would have wondered why it adds a Run key to load a dll that then proceeds to open a port to listen for traffic. That is very, very suspicious action. Then, I would have examined the arucer.dll file more closely. Discovering simple malware like this is easy. :) If it had been a sophisticated rootkit, it might have been more difficult...

kurt wismer, 2010-03-10 13:29 (-05:00):
@anonymous:
the Run key is not that unusual given the proper behaviour of the software (it auto-detects when the device is plugged in and brings up the monitor UI), but the port listening is something that should have clued me in (assuming i actually saw that warning from my firewall - as mentioned, there is at least one instance i can recall where i missed the message due to UI latency).

as for examining the dll more closely - that's something the average person simply cannot do. could i pull apart programs before allowing them to run on my systems? perhaps, but then i would be taking steps that ordinary people simply can't, and i wouldn't have been able to use myself as an example of how safe people can keep themselves. also, that's more work than i care to do. i already avoid new software most of the time in order to minimize risks - if i had to pick apart programs too then i'd never install anything at all.

i suppose that highlights another failure though - i could have simply avoided the software. i didn't need it; the charger works perfectly fine without it. the monitor software does give a time-until-fully-charged estimate that the single LED on the device cannot convey, but in practice the estimate wasn't particularly accurate (though i wouldn't have known that without using it).

i just keep going back and forth on this. not getting suspicious over the open port seems the most likely place where i failed, though.

oh, and by the way - if discovering this had actually been easy it wouldn't have taken us collectively 3 years to discover something was wrong.
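The "trust, but verify" comment in this thread names the two signals that gave the Energizer software away: a Run key that loads a DLL, and that DLL opening a listening port. The following PowerShell check is an added example written for this page; it is not code from the post, from the commenters, or from the Energizer product. It enumerates the Run-key autostarts, extracts every DLL name they reference, lists each listening TCP socket with its owning process, and reports any listener whose loaded modules include one of those DLLs. Assumptions: a current Windows with the NetTCPIP module (Get-NetTCPConnection, Windows 8 / Server 2012 or later; on older systems `netstat -ano` gives the same port-to-PID mapping) and an elevated prompt, since module lists of other users' processes are otherwise not readable. The registry paths and the regex for pulling DLL names out of a command line are this example's own choices.

```powershell
# Added example for this page; not code from the post or from the Energizer software.
# Correlates Run-key autostart entries that reference a DLL with the processes
# that hold listening TCP sockets, and reports any listener whose loaded modules
# include one of those DLLs (the pattern the comment describes for arucer.dll).

function Get-RunKeyDllEntries {
    # Assumed set of autostart keys to inspect; extend with RunOnce etc. as needed.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not values
            $cmd = [string]$prop.Value
            # Pull every *.dll file name out of the command line, e.g. the DLL
            # handed to rundll32.exe or regsvr32.exe. Lower-cased for matching.
            $dlls = @([regex]::Matches($cmd, '(?i)[^\\/"\s,]+\.dll') |
                      ForEach-Object { $_.Value.ToLower() })
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $cmd
                Dlls    = $dlls
            }
        }
    }
}

function Get-ListeningProcesses {
    # One object per listening TCP socket, with the owning process and its modules.
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $modules = @()
        if ($proc) {
            try   { $modules = @($proc.Modules | ForEach-Object { $_.ModuleName.ToLower() }) }
            catch { }   # access denied on protected processes; leave the list empty
        }
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '?' }
            Modules      = $modules
        }
    }
}

function Find-ListeningAutostartDlls {
    # The overlap: an autostart DLL that is loaded inside a process holding a listener.
    $entries   = @(Get-RunKeyDllEntries | Where-Object { $_.Dlls.Count -gt 0 })
    $listeners = @(Get-ListeningProcesses)
    foreach ($entry in $entries) {
        foreach ($l in $listeners) {
            $hits = @($entry.Dlls | Where-Object { $l.Modules -contains $_ })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    RunEntry  = "$($entry.Key)\$($entry.Name)"
                    Dll       = ($hits -join ', ')
                    Process   = "$($l.Process) (PID $($l.PID))"
                    Listening = "$($l.LocalAddress):$($l.LocalPort)"
                }
            }
        }
    }
}

# Report: Run-key entries that load a DLL, every listener, then the overlap.
Write-Host "== Run-key entries that reference a DLL =="
Get-RunKeyDllEntries | Where-Object { $_.Dlls.Count -gt 0 } |
    Format-Table Name, Command -AutoSize

Write-Host "`n== Listening TCP sockets =="
Get-ListeningProcesses | Sort-Object LocalPort |
    Format-Table LocalAddress, LocalPort, PID, Process -AutoSize

Write-Host "`n== Autostart DLLs loaded in a listening process (review these) =="
$findings = @(Find-ListeningAutostartDlls)
if ($findings.Count -eq 0) { Write-Host "none" } else { $findings | Format-Table -AutoSize }
```

The third table is the one worth reading: a DLL that is both started from a Run key and present in a process that listens on a port is exactly the combination the commenter flags. A hit is not proof of anything (legitimate update agents and device monitors do the same), but it is the short list to look at, and it is what a per-application firewall prompt would have shown had the prompt not been missed.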