Tech.Ed Live Australia

When Level 400 is Level 150ish… SEC404 & Malware

Last year I did a post titled “When Level 300 is Level 100…” all about mis-titled and mis-represented sessions.

This afternoon I did a session titled “SEC404 – Look@me and Pay” with speaker Jakub Kaminski.

For those who don’t understand the rating systems applied to sessions:

  • Level 100 – Sales Fluff
  • Level 200 – Information / Minor Tech / Technical Sales Fluff
  • Level 300 – Medium Technical
  • Level 400 – Make your brain ache with overload technical.

With a SEC404, I thought: beauty, just what I need, something to make my brain ache and walk out with some cold hard information.

Just like my previous post, this was nothing more than a Level 200 session about the different types of malware / fake antivirus software that are available on the internet, and really not one iota of technical info.

One core principle that this session missed was the Microsoft best practice of running users with Least User Access (LUA), i.e. don’t give users Local Admin rights on their PC!!!

So, why is this a problem when the client has current, up-to-date antivirus? WRONG!

These new streams of malware are so unbelievably sneaky that they stay ahead of the AV vendors’ patch cycles and have many variants of the same virus out in the wild.

Pictured above: screenshots of fake antivirus malware.

These malware streams spread through email attachments and links to .exe files, rogue or hijacked websites and ActiveX controls, P2P, and chat such as MSN and Skype.

If a user is running as Admin, these applications will launch, execute and voilà, one successfully infected PC.

Now, if the user is running with LUA, the application would launch, prompt for elevated privileges and, all being well, the user cannot continue (if they don’t have the Local Admin or Domain Admin password to elevate).


So with one small step, you can very easily avoid an infection.
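The least-user-access point above is easy to state and easy to drift away from over time. The following PowerShell script is an added example, not part of the original post or any Microsoft tooling: it audits one Windows host for who actually holds local Administrators membership and whether UAC will let a standard user elevate at all. The list of expected administrator accounts is a constructed placeholder; it assumes Windows 10 or later with Windows PowerShell 5.1+ (for Get-LocalGroupMember), run from an elevated prompt.

```powershell
# Added example (not from the original post): audit a Windows host against the
# "no local admin rights for users" baseline.
# Assumes Windows 10+ with Windows PowerShell 5.1 or later, run as an administrator.

function Get-LocalAdminAudit {
    [CmdletBinding()]
    param(
        # Accounts that are allowed to be in Administrators. Constructed sample list;
        # replace with your own built-in / management accounts.
        [string[]]$Expected = @('Administrator', 'Domain Admins')
    )

    # Every principal (user or group, local or domain) in the local Administrators group
    $members = Get-LocalGroupMember -Group 'Administrators'

    # Anything not on the expected list is a least-privilege finding
    $unexpected = $members | Where-Object {
        $short = ($_.Name -split '\\')[-1]   # strip COMPUTER\ or DOMAIN\ prefix
        $Expected -notcontains $short
    }

    # UAC policy values live under HKLM\...\Policies\System
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # ConsentPromptBehaviorUser: 0 = standard users are denied elevation outright
    # (the behaviour the post wants), 1 / 3 = prompted for admin credentials.
    $elevation = switch ($policy.ConsentPromptBehaviorUser) {
        0       { 'Deny' }
        1       { 'PromptForCredentials' }
        3       { 'PromptForCredentialsOnSecureDesktop' }
        default { "Unknown($($policy.ConsentPromptBehaviorUser))" }
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        AdminMembers          = @($members.Name)
        UnexpectedAdmins      = @($unexpected.Name)
        UacEnabled            = ($policy.EnableLUA -eq 1)
        StandardUserElevation = $elevation
    }
}

$report = Get-LocalAdminAudit
$report | Format-List

if ($report.UnexpectedAdmins.Count -gt 0 -or -not $report.UacEnabled) {
    Write-Warning "$($report.ComputerName) does not meet the least-user-access baseline."
}
```

Run it per host (or wrap it in Invoke-Command across the fleet) and treat any name in UnexpectedAdmins as a ticket, not a curiosity. Setting ConsentPromptBehaviorUser to 0 is the configuration that turns the post’s “prompt for elevation” into a hard stop: the user is not even offered a credential dialog, so a standard user cannot be talked into typing an admin password by a fake AV pop-up.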

The next thing to look at with these streams of viruses is removal. They embed themselves in such a way that even after booting to Safe Mode and theoretically “removing the files”, the root of the virus or payload is actually still sitting there waiting for the signal to re-spawn.

So, you’ve “removed” it, you boot up and log on while off the network, and everything looks good. Now let’s plug the Ethernet cable back in and see what happens…

Pictured above: fake antivirus and the nocebo effect on the web.

Congratulations – the payload has just phoned home, downloaded the same virus or a new one, and successfully re-spawned.
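The re-spawn described above works because something survived the “removal” in an autostart location and simply waited for connectivity. As an added example (not from the original post, and not a removal tool), the PowerShell below lists the common autostart locations a payload sits in, so the state of a machine can be seen before the cable goes back in. It assumes Windows 10 or later with Windows PowerShell 5.1+, run as an administrator while the host is still off the network; the directory and path patterns it flags are my own heuristics and will need review for your environment.

```powershell
# Added example (not from the original post): triage of common autostart
# locations on a host that has supposedly been cleaned, before reconnecting it.
# Assumes Windows 10+ with Windows PowerShell 5.1 or later, run as an administrator.

function Get-AutostartTriage {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Run / RunOnce keys for the machine and the current user
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath / PSParentPath etc. metadata properties
            if ($p.Name -notlike 'PS*') {
                $findings.Add([pscustomobject]@{
                    Source  = $key
                    Name    = $p.Name
                    Command = $p.Value
                })
            }
        }
    }

    # 2. Scheduled tasks whose action runs out of a user-writable profile or data directory
    #    (heuristic: legitimate tasks rarely execute from AppData, Temp or ProgramData)
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute -match '\\(AppData|Temp|ProgramData)\\') {
                $findings.Add([pscustomobject]@{
                    Source  = "Task:$($task.TaskPath)$($task.TaskName)"
                    Name    = $task.TaskName
                    Command = "$($a.Execute) $($a.Arguments)"
                })
            }
        }
    }

    # 3. Services whose binary lives outside the Windows / Program Files trees
    Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)'
    } | ForEach-Object {
        $findings.Add([pscustomobject]@{
            Source  = "Service:$($_.Name)"
            Name    = $_.DisplayName
            Command = $_.PathName
        })
    }

    $findings
}

Get-AutostartTriage | Format-Table -AutoSize -Wrap
```

Each row is something that will execute at boot, logon, or on a timer without anyone clicking it, which is exactly how the payload gets its chance to phone home. The output supports the post’s conclusion rather than replacing it: if anything here is unexplained, the honest answer is still flatten and rebuild, because a listing of the locations you thought to check says nothing about the ones you didn’t.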

So, how do I remove it?

In my business we have a simple policy. Infected machine = flatten and rebuild.

It is just not worth the risk of putting a potentially infected machine back in to a clean environment and having the rest of the environment at risk.

So, back to the start of this post… When a Level 400 session isn’t…

As a Tech.Ed delegate, it’s vitally important that you give feedback. Not just 5 for everything because it’s easy; rank things correctly and leave proper feedback that’s relevant.

“Session was advertised as level 400 but lacked in depth technical content.”

This info gets back to the right people and yes, it does actually get read and makes for a better Tech.Ed moving forward.

Tech.Greg :)
