The Current State of the Malware/AntiVirus Arms Race
An anonymous reader writes "An article at Net Security explores how malware has developed self-defense techniques. This evolution is the result of the double-edged sword of the malware arms race. Anti-virus technology is ever more advanced, but as a result surviving viruses are increasingly sophisticated. What Net Security offers is a lengthy look at the current state of that arms race. 'There are many different kinds of malware self-defense techniques and these can be classified in a variety of ways. Some of these technologies are meant to bypass antivirus signature databases, while others are meant to hinder analysis of the malicious code. One malicious program may attempt to conceal itself in the system, while another will not waste valuable processor resources on this, choosing instead to search for and counter specific types of antivirus protection. These different tactics can be classified in different ways and put into various categories.'"
it's the computers that suffer. Won't someone please think of the computers?!
-Ours is the wisdom of Solomon, the magic of Merlyn, the fall of Icaris.
not because virus writers are clever, but because A/V companies are always very careful not to make too successful products, otherwise they'd kill the golden goose.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Malware evolution? That's just theory and conjecture. If god had wanted our computers to be free of viruses he wouldn't have invented Microsoft.
(There goes some karma.)
Developers: We can use your help.
"This article will only examine malicious programs written for the Windows operating system (and its predecessor, DOS) due to the rarity and relatively small number of malicious programs for other platforms."
OK, you had to go to the second page of TFA to see this, but at least they came right out and said that Windows is the primary and almost exclusive target of malware.
Unlike almost every other article about viruses and malware in recent years.
Mac OS X: Because it was easier to make UNIX user friendly than it was to fix Windows!
Guaranteed! This comment 100% Anthrax free!
Furthermore, "trends" in malware construction obscure the reality that certain software packages (Windows, IIS) are orders of magnitude more vulnerable than others (OS X, Linux, Apache). The unstated elephant in the room is that 95-99% of malware attacks are due to Microsoft vulnerabilities.
Crow T. Trollbot
There doesn't seem to be any mention of whitelisting in the arms race between malware and desktop management systems in this article. Companies like Trinamo are championing the approach of designating only a handful of applications as being "approved" for execution, denying viruses, trojans, malware, and other junk like toolbars a chance to run before they can do any harm. They have a bunch of free information on the subject online. http://www.trinamo-solutions.com/downloads/download.html
This story is all over industry security portals at the moment, and has appeared in theregister, securityfocus, and others.
Jack
OMG I can't believe they didn't mention the technique of codependent programs that start each other when the other ends. That way you can never delete either one cuz the other one never lets it stop running. That one pisses me off the most :(
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
I run a 'mom & pop' type computer store and recently came across what I can only imagine was a polymorphic virus. Norton was installed on this PC and would bring up a warning upon each bootup about a virus in a DLL file. As with all virus-infected systems I removed the HDD from the machine, hooked it up to our tech bench PC (a known-good system) and scanned the disk 'off-line'. This method works well 99% of the time. The scanner detected the DLL virus and removed it. Within a few minutes of booting the PC back up however, the virus was back, the PC was isolated at this point (no network connection), so it had to have come from the PC itself. I repeated this process a few times, just to be sure, but each time the scanner removed the DLL, and each time it booted back up the virus reappeared. I came to the conclusion that another executable was hiding the virus, probably using encryption, and was replacing it during bootup. I tried using file and process monitors to find what was replacing the virus, but I couldn't figure it out. In the end I had to reformat the disk and reinstall, which I hate having to do.
This conspiracy is about as old as the AV industry. At least you spared us this time the drivel about AV vendors first of all creating malware so they can sell their stuff.
Basically it's impossible to write the perfect AV software. It simply does not work. The perfect AV software could, of course, exist: Simply disallowing ANY kind of user interaction and installation of additional products. Perfect computer. Useless, but perfectly safe.
The problem is that malware does not use anything "special" that makes it easy to say "something that uses function X or accesses Y is malware". Doesn't work that way. What malware does it usually not much different from normal program activity. They access the windows registry, create keys there, they create and alter files (not necessarily system files, which would be "suspicious" behaviour to say the least), they plug into Internet Explorer, they open ports for incoming connections, they transfer data to and from the computer.
It's not anything that is by definition "bad". How'd you want to create the "perfect" AV product?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
What's funny is that virus writers fight with each other too.
From my point of view, at least. Most malware today comes along as "invoice.pdf.exe" attachment to mails that allegedly come from "lawyer" (no, no name. "lawyer"). And similar rubbish.
The latest big thing are hijacked server pages that serve you malformed frames for infection, but even that still needs a bit of user interaction to become really "useful".
Essentially, what it comes down to is the user. There is of course the bimonthly exploit in some MS package, usually with surprisingly little impact in the whole picture, but generally, most "commercial" malware writers don't get so sophisticated. They rely on social engineering and pure user stupidity.
And, unsurprisingly the success proves them right.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
A few days ago I was infected with PurityScan, several droppers, and a trojan or three.
I have no idea how they got there, but all I saw was a command prompt window pop up for a half a second and then I started getting IE popups (I used Firefox).
A virus scan/adaware/spybot would remove them, but they'd reappear on the next reboot.
A safemode scan of those would remove them, but they'd reappear on the next reboot.
As a result I formatted my Windows drive and reinstalled.
There's no telling how many root kits were hiding in my kernel, all for that mighty advertising dollar or chance at identity theft.
Any company caught using malware (I'm looking at you, PurityScan) should face charges for criminal trespass and breaking/entering if it turns out they were seeking out services from these contractors.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
I thought these problems ended years ago when the year of the linux desktop came and everyone stopped using windows... You mean there are still poor souls out there that don't use linux or mac?
Sam
FTA
...The earliest signature-based detection methods focused on searching for exact byte sequences... Later heuristic detection methods also used file code. ...
... result evil hacker just wrote ...polymorphic code is a highly time-consuming task
minor really point, better tools are out now with complete tools and associated databases (see mesasploit and ruby)
Actually until Microsoft (since they own 90% of the computer OS's out there) gets rid of the "Hide everything from the User" the status quo will continue.
It creates a "trust me" mentality which is exploitable.
Draconian Policies like the System Registry, automatic System Updates, hidden DLL substitutions, My Stack is better than your Stack, and general lack of internal documentation make it almost impossible for the average MCSE let alone the average user to deal with these kinds of threats. All this junk doesn't help matters either.
Good Technical Article and good website to bookmark...
Too bad for MS, but this will not make them change.
Don't forget about the biggest and nastiest malware ever: Vista
Perhaps you mean the ParityDesktop software from Bit9.
..people who decide to not run them. Whenever someone emails you a virus, or offers you a virus on their webpage, if you decide to not save it, chmod +x it, and run it (whether as root or your usual level of access), then for some geeky technical reason I don't understand, its defense code fails to activate.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I challenge cybercriminals and conceptualists to reconsider their intentions and motives behind publishing a PoC that will only add fuel to the fire.
In other words, security by obscurity is still best. Well, I still believe that exposing the flaws is the best way to protect ourselves. Too many programs "phone home" and contain other spyware as it is. Proof of concept also helps to protect us from that.
What?
Here is Fred Cohen's take on the general subject:
B 2000DC.htm
http://all.net/resume/bio.html
http://all.net/journal/newsletter/index.html
http://all.net/Analyst/index.html
Ref.
http://all.net/
Paper:
An Undetectable Computer Virus
http://www.research.ibm.com/antivirus/SciPapers/V
Could this be the end of the Mac - PC flamewar?
Logic:
"... we can't stop here, this is bat country."
Fear and Loathing in Las Vegas, A Savage Journey to the Heart of the American Dream
Hunter S. Thompson
~hylas
What I want is a bootable CD that will then scan a system for malware.
Once the malware 0wns your comp, it can play all kinds of games to hide from the anti-malware software. The only sure way to find everything is to boot from a known safe OS image, like a CD, and then scan.
We should be able to do this today with ClamAV, but I just did a Google search and didn't find anything.
I also did a Google search for a good explanation of how to make your own bootable linux CD but the pages I found seemed pretty old. If you know a good HOWTO page for making a bootable CD please share thanks.
Please, there oughtta be a law that multi-page articles with text squeezed between massive, obnoxious graphics, have a PRINT FRIENDLY LINK!! ARGH!
-taosk8r
...extends beyond poor performance, spam, cost of software, etc.
We got hit here with a collateral listing of one of our tools as 'spyware'.. It shut down our software across the U.S.
We used a toolkit from a vendor to encrypt and compress files for transmission and for patch distribution. It was slick, lightweight, and sufficiently secure. it was also a commercial product, and was sold to another publisher who used it in their software.
One of their packages is an IM logging and monitoring tool. Good for AOL IM, and others. You have to either download it as shareware, or buy it outright, and then you have to install it, with the usual requirement that you actually have access to the PC. It's not and has never been distributed as 'spyware' in the sense of an unexpected or unsolicited install, nor was it ever distributed from a website or as part of another package - unless you repackaged it yourself. The biggest users were corporate IT departments monitoring IMs for compliance, and parents/spouses/etc snooping on others.
Not what I think of as 'spyware'. But someone else thought differently.
The IM logger got reported to either Trend Micro or McAfee as 'spyware' more than a year ago. Sporadic reports continued, until the latest (?) release came out and got popular. Then the flood of reports ensued. And when I say 'flood', I mean 'dozens'. I suspect some HijackThis logs started showing it, and after a few more reports, it was assumed by someone that this application was part of other kits. Listing the application by one anti- company leads to everyone else listing it. No one wants to be left behind, and none of the 'security' companies wants to be the one that lets bad stuff in, just because they actually evaluated the listing. No, it got listed by everyone.
And the controls along with it. Including the one we used for everyday, legitimate encryption and compression.
Our customers started reporting failed installs and reinstallations. One reported they got a virus alert. We looked things over. Why now? We hadn't changed anything substantial in years.
Then, on a whim, I Googled for it. BAM! Our control was listed as malware. WHA?
We figured it out an an hour. I asked around some of the contacts I knew at Symantec, etc. Their advice was simple - give up. Go get a new tool, recode, and move on. Surrender. Even though the module we used was by itself harmless, it was guilty by association. So we did. So far as I know, the company that produced these tools & modules is struggling with this. After all, their code signatures are now officially 'malware'. Kinda like banning drills 'cause someone drilled a hole in their finger by accident. Pretty soon, nothing gets drilled. Not a good state of affairs for the drillmakers.
And not a good state of affairs for drill users, either.
That IM logger that started all this? It was commercial software, and other than being highly annoying for kids who value hiding their IMS from snooping parents ("Hey, who's paying the Internet bill around here?"), or spouses caught on dating sites, the businesses forced by law to treat IMs as if they were business correspondence found this to be a good tool. Not so good any more. About the only way to use this is to keep writing exceptions to your anti- software. If you can. And keep re-writing these exceptions every damned update. Maybe more than twice a day.
It looks like this application is dead. Kinda sad.
We survived, though some of our customers did get concerned. In our business, being labelled as 'spyware' could cause massive problems, beyond the usual. It could be front-page of the fishwrap stuff.
In the midst of the virus/spyware/malware/anti- battle, this is one small story of how unintended consequences have real costs. We had to scurry to buy new stuff, re-code, and distribute. Our original tool vendor has had to give up on a good product, through no fault of their own. The application vendor that 'st
deleting the extra space after periods so i can stay relevant, yeah.
Cleaning out a virus/trojan problem has become close to impossible for the average person. Most people and even actual computer service shops just format and re-install.
/spyware scan.
I have only moderate PC service skills and this weekend my family's computer popped up an AVG warning that a Trojan was detected. This is not my computer but it shares my net connection via wireless. When I saw that detection warning I pulled the plug on its net connection and then investigated. My brother had been downloading wma to mp4 converters. And bingo! On top of that, no one was keeping the AVG up to date or doing regular scans. Apparently everyone assumes I'll clean up their messes for them. Pisses me off.
So, guess how hard it is to clean out a Trojan these days? Guess what, your anti-virus is useless! It may detect the virus, and clean it, but it re-installs itself.
Get ready for a loooooong process involving:
-Disable system restore and remove all restore points.
-Reboot in safe mode, run anti-virus
-Use Autoruns or any other startup/running processes program.
-Write down what is being run on startup and what is currently running.
-Hop on Google to find out which of those are legitimate processes.
-Remove the bad-uns.
-Look for a cleaner program for your specific Trojan/Virus. Careful to get it from a reputable site.
-Run the special cleaner program in safe mode and regular mode.
-Grab output from HijackThis and use google to research any suspicious entries.
-Do all this without connecting the infected computer to the net. (PAIN!!!)
-Profit!!!! (I couldn't resist saying that)
So, then you cross your fingers for a few weeks waiting to see if your AV pops up another warning. All the while doing manual updates of your anti virus. Keep it in quarantine a while longer. Then, cautiously re-connect to the web and HOPE it's clean. Then YELL at your family to stop downloading crap, and make a "nice" desktop wallpaper in msPaint to drive home the rules.
*sigh* it's a huge pain, especially for people like me that need to research every process because they don't know what's legit or not. Not to mention that my sister does her online banking on that computer, and I've had to tell her to go change her passwords, get a new CC number, and inform her bank to put a watch on her account for any suspicious activity.
I really wish these virus writers would fry.
No wonder people just format and re-install.
Pessimists.net - as if life wasn't depressing enough.
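The "write down what runs on startup, then research it" steps above are where most of the manual effort goes. As an added example (not from the post or from Autoruns itself), here is a small Python triage script that reads an Autoruns-style CSV export and flags entries that are absent from a known-clean baseline, run from temp or user-writable directories, or are unsigned. The CSV layout is reduced to four columns and the rows, baseline paths and binary names are constructed for illustration.

```python
"""Triage startup entries from an Autoruns-style CSV export against a baseline."""
import csv
import io
import re

# Constructed sample export, reduced to four of the columns Autoruns writes
# (Entry Location, Entry, Image Path, Signer). All values are made up.
SAMPLE_CSV = """Entry Location,Entry,Image Path,Signer
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,C:\\Windows\\system32\\SecurityHealthSystray.exe,(Verified) Microsoft Windows
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,AVG Tray,C:\\Program Files\\AVG\\avgtray.exe,(Verified) AVG Technologies
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,wmaconv,C:\\Users\\bob\\AppData\\Local\\Temp\\wmaconv.exe,(Not verified)
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,svch0st,C:\\Windows\\Temp\\svch0st.exe,(Not verified)
"""

# Baseline: image paths recorded from the same machine while it was known clean
# (constructed here). Anything not in this set needs to be looked up.
BASELINE = {
    r"c:\windows\system32\securityhealthsystray.exe",
    r"c:\program files\avg\avgtray.exe",
}

# Directories a legitimate auto-start binary rarely lives in but droppers favour.
SUSPICIOUS_DIRS = re.compile(r"\\(temp|downloads)\\", re.IGNORECASE)


def triage(csv_text, baseline):
    """Return one finding per suspicious row: entry name, image path and reasons."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Image Path"]
        reasons = []
        if path.lower() not in baseline:
            reasons.append("not in baseline")
        if SUSPICIOUS_DIRS.search(path):
            reasons.append("runs from temp/user-writable dir")
        if not row["Signer"].startswith("(Verified)"):
            reasons.append("unsigned or unverifiable")
        if reasons:
            findings.append({"entry": row["Entry"], "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV, BASELINE):
        print(f"{f['entry']}: {f['path']} -> {', '.join(f['reasons'])}")
```

Run it on the export taken while the machine is offline; the output is the short list worth researching, instead of every entry on the box.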
Hopefully, in a corporate setting, having machine group policies to prevent execution from a USB driver, even better, restrict execution to designated drives and directories would stop this infection from spreading.
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
I assume it's getting more and more difficult to write viruses as time goes by - is that correct? If this is indeed an arms race, then one side or the other is going to run out of time and energy and money sooner or later, and I'm guessing it won't be the AV companies since there's so much at stake.
A-Bomb
it's darwinism at its finest!
sort of like why antibacterial soaps are bad -- doesn't kill 0.01% of germs. if you have a surface with 100 000 000 germs on it [not so far-fetched with counter tops], you're stuck with 10 000 of the hardcore baddies. sure, it seems harmless, but what happens when those 10 000 become 100 000 000 again?
is it me, or is this starting to sound familiar?
there are 10 types of people in this world; those who get this joke, and those who don't
story on one page, without 10 millions ads
You need to install an RTFM interface.
> it's darwinism at it's finest!
No, it's not. Natural Selection works by spontaneous mutation and the inescapable fact that any mutation that is unfavourable for survival will tend to get the bearer of it killed before breeding age, whereas any that is favourable probably won't. Over time this tends to result in organisms that are "fitted" to their environments--until the environment changes. Darwin suggested that Sexual Selection also shapes the way in which more complex organisms change.
Neither Natural Selection nor Sexual Selection, the two mechanisms postulated by Darwin, is at work here. Mutation is not a given, as it is with DNA, and reproduction doesn't occur. Natural Selection is a blind process--hence Richard Dawkins' book title _The Blind Watchmaker_. If there's a (significantly) new piece of malware it's because someone wrote it; and when there's a significant leap in AV technology it's because someone thought it up. Unlike Natural Selection, it's anything but a blind process: it's driven by *mind*.
That is only true while Firefox/Linux/OS X users are more geeks than commonfolk. As soon as Linux is "user-friendly" (read: easy-enough-to-migrate-from-Windows) and widespread enough that Aunt Millie is using it, you'll have plenty of "average Windows n00bs" using Linux and it will become a tastier target.
"The viruses are intelligently designed. I'm not vouching for Microsoft Windows." - by geoffrobinson (109879) on Tuesday July 03, @12:12PM (#19731855)
... & there is one @ another Linux oriented site as well (UBUNTU discussion, where BSD was suggested instead of Linux OR even SELinux, & I posted here in a PC-BSD post with an arstechnica article base behind it, on the note of security in the reply I posted this challenge to):
Well, I will vouch for Windows, but I will let the "center for internet security's" CIS Tool 1.x, do it for me, as far as how intelligently designed Windows IS, and how solid it can be, from an internet security standpoint - so much so, that 11x now overall, no SELinux, OR BSD users cannot beat the score I obtain on the multiplatform tool for testing security online!"
I am vouching for Windows Server 2003 SP #2 fully hotfix patched as of this date vs. *NIX systems, & why?
Because I have posted this 10x on slashdot, & 1 other LINUX oriented site (especially directed @ SeLinux kernel hook addons for a Windows ACL-like level of security control, because Linux does NOT have that by itself, w/ out SELinux afaik):
Here goes, evidence below:
A challenge to take a multiplatform security test that runs on many a *NIX and Windows NT-based OS of modern variety (2000/XP/Server 2003) & how to get the score I did with an easy as possible roadmap in a URL below for doing so!
Run the CIS Tool 1.x, on your BSD/Linux (preferably SELinux)/Solaris rigs, it is downloadable here:
http://www.cisecurity.org/bench.html [cisecurity.org]
And, takes a minute to haul in, install, & run it in an attempt to beat my 84.735 of 100 on it (from a reputable organization, The Center for Internet Security)...
Go for it, & see if you can beat my score of 84.735 on a FULLY custom security hardened Windows Server 2003 SP #2 fully patched as of the date of this posting.
Photo evidence of my score is here:
http://img.techpowerup.org/070618/APK14SecurityPointsCISToolResult84735.jpg [techpowerup.org]
And, the same score I obtained, literally, yesterday, as well!
(After putting on the latest patches for Windows Update to my OS which I download & store here - but, nice part is? I'll never need them, because I GHOST this image once it is patched & scanned for malware/virus/trojans/rootkits etc. with the latest/greatest up to date tools for that purpose, & practice safe email practices & more like disabling potentially "deadly" things that can be exploited in browsers like ActiveX/Java &/or scripting (for sites that do NOT need it))
For Windows users' reference, all noted here & how to GET THAT SCORE:
http://forums.techpowerup.com/showthread.php?s=2aac2d3ff16e9b8448875ee96e27d1ec&p=375355#post375355 [techpowerup.com]
(That's for the Windows users here to gain by).
Thing is - I'd like to see the *NIX users of all kinds beat that security test evaluation score for safety online & how well their systems are secured, as a more "concrete evidence thereof" in fact, since the poster I am replying to is a "SHOW ME PERSON" (as am I)...
HOWEVER - here @ slashdot, where slogans & b.s. of ALL kinds are stated vs. Windows & Microsoft?
Well - I have challenged you ALL here repeatedly on this note 7 times now, this is the 8th here!
http://it.slashdot.org/comments.pl?sid=240571&cid=19630923 [slashdot.org]
&
http://slashdot.org/comments.pl?sid=240283&cid=19631141 [slashdot.org]
&
It's not going to be a military super-computing network that will become self-sentient and kill us all with super-advanced weaponry.
It's going to be a self-aware army of super-evolved spam-bots and rootkits that will forcibly overdose us all on Cialis and Viagra.
Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
Actually, by cheating
Funny little anecdote in the world of virus scanning (harmless although dishonest).
ClamAV is such an open-source virus engine (with ClamWin as a Windows port).
There have been several studies done about it (links on ClamAV's site) which reported that ClamAV, despite not being a non-commercial project, has among the fastest response times when new threats emerge.
The studies also surprisingly uncovered a small cheating: some companies did a small update that didn't bump up the signature release number, but that included the new virus detection. Normally such non-upped releases should be reserved for modification of the sig library that don't affect the number of detected viruses (like repacking the data more efficiently or whatever). But the companies nonetheless tried to slip in newer sigs, hoping that users would not notice it. When doing a retrospective study, unsuspecting users will read that virus XYZ is detected since Sig-file release A.B.C and they will see that Sig-file release A.B.C was released on YYYY-MM-DD HH:mm, thus will come to the conclusion that the virus was detected earlier than the concurrence. (Source, paragraph A dirty little secret).
But anecdote aside, ClamAV is a nice anti-virus engine, that has plugins (either bundled in or 3rd party) that enable on-the-fly scanning of data at usual entry points (ClamAV is popular for mail filters in Unix. ClamWin has plugins for mail clients and FireFox's downloader, etc.) and is nice stuff to put in the "post-download script" of your usual peer-2-peer software. Please note that ClamWin still lacks an on-access scanning mode (although some 3rd party applications like Winpooch can start the scanner before executing or reading files).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
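The timeline trick described in the post above (new detections slipped into a database whose version number did not change) is easy to catch if you keep daily snapshots of the database header rather than trusting the version alone. As an added example, not from the post or from the ClamAV project, here is a Python check over ClamAV CVD headers. The header layout used (magic, build time, version, signature count, functionality level, MD5, digital signature, builder, build timestamp, colon-separated) is my understanding of the format and is an assumption; the snapshot headers themselves are constructed.

```python
"""Flag signature-database snapshots that add detections without a version bump."""


def parse_cvd_header(header):
    """Parse the leading colon-separated CVD header line.

    Assumed layout (not verified against the ClamAV source here):
    ClamAV-VDB:<build time>:<version>:<nsigs>:<flevel>:<md5>:<dsig>:<builder>:<stime>
    """
    fields = header.rstrip("\x00\n").split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 5:
        raise ValueError("not a CVD header")
    return {
        "build_time": fields[1],
        "version": int(fields[2]),
        "nsigs": int(fields[3]),
        "flevel": int(fields[4]),
    }


# Constructed headers as a daily fetch script might have recorded them.
# The 2007-06-03 snapshot keeps version 12 but carries 50 more signatures.
SNAPSHOTS = [
    ("2007-06-01", "ClamAV-VDB:01 Jun 2007 10-00 +0000:12:110000:15:" + "0" * 32 + ":dsig:builder:1180692000"),
    ("2007-06-02", "ClamAV-VDB:01 Jun 2007 10-00 +0000:12:110000:15:" + "0" * 32 + ":dsig:builder:1180692000"),
    ("2007-06-03", "ClamAV-VDB:03 Jun 2007 09-30 +0000:12:110050:15:" + "1" * 32 + ":dsig:builder:1180862200"),
    ("2007-06-04", "ClamAV-VDB:04 Jun 2007 11-00 +0000:13:110200:15:" + "2" * 32 + ":dsig:builder:1180954800"),
]


def silent_updates(snapshots):
    """Return (fetch date, version, signatures added) for every snapshot whose
    version equals the previous snapshot's but whose signature count grew.
    A version-keyed timeline would wrongly date those detections to the day
    the version first appeared; the fetch date is the honest 'detected since'."""
    out = []
    prev = None
    for date, header in snapshots:
        cur = parse_cvd_header(header)
        if prev and cur["version"] == prev["version"] and cur["nsigs"] > prev["nsigs"]:
            out.append((date, cur["version"], cur["nsigs"] - prev["nsigs"]))
        prev = cur
    return out


if __name__ == "__main__":
    for date, version, added in silent_updates(SNAPSHOTS):
        print(f"{date}: version {version} unchanged but {added} signatures added")
```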
When I RTFAH (where H = headline), an image comes to mind of a diverse bunch of penguins standing together in the primordial swamp of the prehistoric world, watching on with a mixture of fascination and pity as the once all-powerful dinosaurs drop one by one ... brought to their knees by ever more sophisticated microbes, bacteria and viruses.
...
Yes junior, it's horrible to watch, but the world is going to be a much safer place without them
It's funny how the situation with malware/antivirus "arms race" seems to mirror the situation with real life viruses vs. antibiotics. We keep having to find new antibiotics to combat increasingly drug resistant viruses, resulting in an arms race all its own.
Most analogies are fairly weak and break down quickly under scrutiny. This one is certainly no exception - after all there's no such thing as a perfect analogy. Yet it's interesting how the malware problem seems to be growing into the "virus" analogy over time, rather than diverging from it.
Now if only I could "reformat" my body and "reinstall" my "OS" whenever a real life virus attacks.