GardenersCardiff answers:

I’ve written several articles on preventing malware through file permissions and proper OS configuration.

File and Folder permissions:
http://synfulvisions.com/?p=179

Registry permissions:
http://synfulvisions.com/?p=190

The real key is to actually understand the process by which malware is loaded and actually works. It’s not difficult to make a system immune if you have a bit of common sense, an understanding of the underlying functionality of the operating system, and can step back and look at the big picture.

Antivirus solutions are ineffective, no matter what solution you use. They will always be reactive, merely cleaning up after malware. Even the msot advanced heuristic engines cannot adequately detect new threats, especially those properly written. This also has to do with the method in whcih most anti-malware applications scan the system, Microsoft has been telling vendors not to use kernel hooks for many years, and they still do. Ironically, the only antivirus that is not vulnerable to the KHOBE attack against the SSDT is Microsoft Security Essentials. Go figure they would be the only publisher to follow their own rules.

Since I’m bored, I’ll go into a bit more deatil about the basic premise of the KHOBE attack. It illustrates a generic vulnerability in protection software, and is certainly not the only attack vector in existance.

When malware is first loaded through whatever browser, messenger, or Flash vulnerability happens to be popular at the time, it needs to do two things: 1. Write itself to the registry or attach itself to something that is loaded automatically, and 2. Hide from the antivirus. The first depends on the type of malware, what its purpose is, and the skill of the coder. This is somewhat irrelevant to the discussion, so we are going to assume it’s a garden variety trojan that just writes itself into HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun and does not need anything funky such as SE_TCB_NAME permission (limited to NT AuthorityLocalSystem account only). From there, our first task as a trojan is to evade antivirus scans, both file scans, and real time scans. We can do this by hooking into the kernel to evade the scans, and prevent the antivirus from terminating us.

When malware intends to do something, it generally uses “calls” to accomplish this. Almost all software uses OS calls instead of doing things itself, it’s more secure, and it’s far easier to write. If malware (or any application) wants to open a file, it tells the kernel to open a file, and specifies the file. The antivirus application sit there, and monitor/alter the System Service Descriptor Table, which lists all of the “calls.” When an application wants to do something, the antivirus applications uses the altered SSDT to intercept the call, verify that everything is good, and then pass the call onto the kernel using the original, unmodified parameters. However, we can accomplish the same thing, after the verification. The malware simply injects different parameters in after the verifications have been done, but before the call is passed to the kernel. This timing is made possible by processors that allow multiple execution threads running simultaneously. Could not be done on an original P4, Hyperthreading P4s were slightly vulnerable (2 threads at once), and it’s child’s play to do on a Core i7 (more simultaneous threads == easier to accomplish.)

Ok, so we now own the sytem. What can prevent this?

Permissions.

I have always advocated a multiple group, multiple user system. In my explanations I use the examples of Admin and User accounts, and NotAdmin and Admin groups. This simply keeps things organized. The premise is to work *with* functionality such as UAC, to allow a user to maintain his or her permissions for day to day work. They still have administrator rights, but software installations need to be done under the Admin account. No big deal, most users rarely install software and switching to a different user, or even running something as a different user is trivial. Blocking applications from executing under the standard user account out of temp folders, and blocking them from writing to the registry’s autorun locations will prevent almost every attack. The attacks not prevented are beyond the scope of this, and beyond the capabilities of antivirus software anyway.

Ok, now howabout preventing malware in your music downloads?

Easy, apply the same DENY EXECUTE permission on your music folder, and make sure to show extensions for all files. You’ll see the malware before it can infect, and you’ll also be safe if you accidentally click it.

GardenersCardiff answers:

White Grub is a generic term for the larval stage of a group of beetles that include Japanese Beetles and May/ June Beetles. Timing of insecticide applications for grubs in lawns is the most important part of the job. Just as in controlling molecrickets, grub elimination must be timed to target the youngest stage of the grubs that are close to the surface. While at or near the surface of your lawn, the grubs are easier to kill. Grubs that are in their early or most immature stages are more vulnerable to your pesticide application than the older grub stages.
Applications made to lawns in July and early August will have the best control. Contact your local county extension office if you need to know the exact time to apply white grub control products in your area.

Lawns showing damage from grubs may be treated with an insecticide. Insecticides available for homeowners include diazinon (25% EC [liquid] or 5% granular); trichlorfon (Dylox) (6.2% granular); bendiocarb (Intercept), halofenozide (GrubBGon, GrubEx), or imidacloprid (Merit, formerly GrubEx) for control of white grubs.

Beneficial nematodes are another way to control grubs. They take a little longer, but don’t have the dangers involved with perticides. Beneficial Nematodes are microscopic, nonsegmented worms that occur naturally in soil all around the world. Steinernema carpocapsae and Steinernema feltiae prey on ants, termites and the larval and grub stages of various beetles, weevils, armyworms, cutworms, chafers, webworms, borers, maggots, fleas, fungus gnats (sciarid flies).

Once they are released, the nematodes seek out host insects and enter their prey through body openings and emit an endo-toxin that results in death for the host insect within 48 hours. The nematodes reproduce and their offspring feed on the insect cadaver and emerge to seek out new hosts.

Nematodes are easy to use. They are shipped in a formulation that you mix with water. The solution can be applied using a watering can; hose end, backpack, or pump sprayers; or through irrigation or misting systems. Always release early in the morning or late afternoon when temperatures are cooler. Generally, 1 vial of Beneficial Nematodes will effectively treat approximately 900 sq. Ft. Of conventional garden rows. Make releases every 3-6 weeks or until infestation subsides.Nematodes can be stored in the refrigerator (do not freeze!) for up to 2 months.

Whatever you decide to use, read the instructions carefully. Many of these insecticide treatments will have warnings that restrict use of the lawn for a few days. Children and pets would be at risk if they wander onto a treated lawn too quickly after treatment.