The Current State of the Malware/AntiVirus Arms Race
An anonymous reader writes "An article at Net Security explores how malware has developed self-defense techniques. This evolution is the result of the double-edged sword of the malware arms race. Anti-virus technology is ever more advanced, but as a result surviving viruses are increasingly sophisticated. What Net Security offers is a lengthy look at the current state of that arms race. 'There are many different kinds of malware self-defense techniques and these can be classified in a variety of ways. Some of these technologies are meant to bypass antivirus signature databases, while others are meant to hinder analysis of the malicious code. One malicious program may attempt to conceal itself in the system, while another will not waste valuable processor resources on this, choosing instead to search for and counter specific types of antivirus protection. These different tactics can be classified in different ways and put into various categories.'"
"This article will only examine malicious programs written for the Windows operating system (and its predecessor, DOS) due to the rarity and relatively small number of malicious programs for other platforms."
OK, you had to go to the second page of TFA to see this, but at least they came right out and said that Windows is the primary and almost exclusive target of malware.
Unlike almost every other article about viruses and malware in recent years.
Mac OS X: Because it was easier to make UNIX user friendly than it was to fix Windows!
Guaranteed! This comment 100% Anthrax free!
It's essentially a beefed up task manager that allows you to suspend and kill specific threads and processes.
The unstated elephant in the room is that 95-99% of malware attacks are due to Microsoft vulnerabilities.
Microsoft's dominance over the market makes it more enticing to malware writers, regardless of how many vulnerabilities it has. If damage is their desire, they want the most damage; if it is a zombie network, they want the biggest zombie network.
If Linux ever manages to overtake Windows, it will become the primary target.
FTA:
"...The earliest signature-based detection methods focused on searching for exact byte sequences... Later heuristic detection methods also used file code. ..."
result: evil hacker just wrote
"...polymorphic code is a highly time-consuming task"
Minor point really: better tools are out now, complete with associated databases (see Metasploit and Ruby).
Actually, until Microsoft (since they own 90% of the computer OSes out there) gets rid of the "Hide everything from the User" approach, the status quo will continue.
It creates a "trust me" mentality which is exploitable.
Draconian policies like the System Registry, automatic system updates, hidden DLL substitutions, "my stack is better than your stack", and a general lack of internal documentation make it almost impossible for the average MCSE, let alone the average user, to deal with these kinds of threats. All this junk doesn't help matters either.
Good Technical Article and good website to bookmark...
Too bad for MS, but this will not make them change.
Please, there oughtta be a law that multi-page articles with text squeezed between massive, obnoxious graphics, have a PRINT FRIENDLY LINK!! ARGH!
-taosk8r
And I suppose that the Home Security System people are also the ones who rob people's houses, since they know who does and doesn't have an alarm installed, eh? All those people at ADT are just part of a big protection racket I tells ya...
Let's face it, there are enough bad people in the world to blame crime on without resorting to conspiracy theories to explain it.
Actually, surprisingly it's getting easier. Think game development. With the advent of DirectX, you needn't know too much math anymore to get some cool looking 3D graphics on the screen. The same applies to malware. Back in the good ol' days of DOS, you had to know quite a bit about the inner workings of the system to get your virus in. You had to redirect software resets, trap a few interrupts, essentially you had to write a driver. Today, most of the malware that circulates could be written in VB. Some is.
Obfuscation is also easier than ever, with a lot of runtime packers and scramblers existing. It's easy to repack a file in batch mode that ensures that no two samples an AV company could get are the same. Thus the simple "signature" approach someone suggested earlier won't find a thing anymore.
It's also not getting trickier to hook into the system. Since the majority of crates are still running with users having admin access, the same ol' tactics that worked 5 years ago still work. It's also not simple to track the use of "suspicious" calls, since Windows itself makes quite liberal use of functions that e.g. hook keyboard input or inject code into other processes.
Writing malware is also no longer the pastime of bored adolescent geeks. It's business. We're talking organized crime cartels here, and that a "virtual" bank robbery (by hijacking online banking sessions) is more profitable and less risky than the real counterpart is a given. When I see the figures, I sometimes wonder why I stay on this side of the fence...
It still is an arms race, but with the AV companies on the defense. Constantly. An AV company can only react to a development; anticipation is pretty much impossible. There are far too many roads the next attack can come from for it to be feasible to develop in a certain direction without anything warranting it.
A few years ago, malware authors started to obfuscate their code. AV companies reacted by developing ways to crack that obfuscation. Then malware attacked certain AV software directly, as mentioned in TFA. The software was adapted to thwart such attempts. Malware started to contain rootkit functionality to hide itself. AV tools started to come with their own file system drivers to read the HD directly instead of relying on system calls.
You cannot anticipate that sensibly. What will be next? I don't know. I can only see trends and development in the malware that runs through my fingers, which is a very tiny amount of the malware that gets written every day. It's a bit like trying to sieve a beach with a toy sieve. The big thing in malware today is (and has been for about a year or two) remote control: setting up servers somewhere and making the malware phone home. Yes, it's no longer IRC. It's a server in Belarus, Kazakhstan or Brazil (or some other country where the police have better things to do than being bothered by a server that doesn't really do any damage in their own country). So some malware packages started implementing tools that can monitor traffic and find "suspicious" traffic, just in case they can't find the corresponding malware. Possibly because the malware itself doesn't exist anymore; it was only an installer that manipulated some system file in such a way as to send that info... and so on.
The current thing is (aside from what's been here for ages) ID theft. Your Amazon or your eBay account, your online banking information, your credit card information, and of course your machine, as a place to spew malware from, as a spambot or simply as a relay to route traffic through to obfuscate the real destination. With broadband becoming the norm and computers running 24/7 to download .torrents, they turn into the ideal dead drop.
There's much at stake. For both sides. I don't see a winner on either side too soon. Well, it's good for my job security, that's a given, but I didn't go into this venue just to make money (it's not THAT well paid). If I wanted that, I'd have learned ABAP.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
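The batch-repacking point in the comment above (no two samples share bytes, so exact signatures miss) is why AV engines fall back on heuristics such as section entropy. Added example, not code from the article or the commenter: a Python packed-section heuristic run over constructed buffers; the 7.2 bits/byte threshold and the 50% window fraction are assumed tuning values.

```python
import hashlib
import math
from collections import Counter

def _pseudo_random_bytes(n, seed=b"constructed-sample"):
    """Deterministic SHA-256 chain standing in for a packed/encrypted section."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

# Constructed buffers, not real binaries: readable stub text plus a small byte
# ramp (low entropy) versus 4 KiB of pseudo-random bytes (packer-like).
PLAIN_SECTION = b"This program cannot be run in DOS mode.\r\n" * 8 + bytes(range(64)) * 4
PACKED_SECTION = _pseudo_random_bytes(4096)

def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or single-symbol input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_windows(data, window=1024, step=1024):
    """Entropy of each fixed-size window; a short buffer yields one window."""
    last_start = max(len(data) - window, 0)
    return [shannon_entropy(data[i:i + window]) for i in range(0, last_start + 1, step)]

def looks_packed(data, threshold=7.2, min_fraction=0.5):
    """Flag a buffer when at least min_fraction of its windows exceed threshold
    bits/byte. Compressed media and certificates trip this too, so it is a
    triage signal that tells the analyst to unpack before matching signatures."""
    windows = entropy_windows(data)
    if not windows:
        return False
    high = sum(1 for e in windows if e >= threshold)
    return high / len(windows) >= min_fraction
```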
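For the "monitor traffic and find suspicious traffic" approach the commenter mentions for phone-home malware, here is an added example (not the commenter's tooling): a Python beacon detector that flags a source/destination pair whose connections are spaced almost evenly in time, run over a constructed connection log. The log format, the 4-connection minimum and the 0.1 coefficient-of-variation cutoff are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log (not from a real system): "timestamp src dst:port".
# 10.0.0.5 reaches 203.0.113.10 on a near-fixed 5-minute timer, which is how a
# phone-home client shows up in flow records; its web browsing is irregular.
LOG_LINES = """\
2007-05-14T10:00:00 10.0.0.5 203.0.113.10:443
2007-05-14T10:00:04 10.0.0.5 198.51.100.20:80
2007-05-14T10:00:41 10.0.0.5 198.51.100.20:80
2007-05-14T10:01:30 10.0.0.9 192.0.2.50:22
2007-05-14T10:02:41 10.0.0.5 198.51.100.20:80
2007-05-14T10:02:43 10.0.0.5 198.51.100.20:80
2007-05-14T10:05:02 10.0.0.5 203.0.113.10:443
2007-05-14T10:07:03 10.0.0.5 198.51.100.20:80
2007-05-14T10:07:10 10.0.0.5 198.51.100.20:80
2007-05-14T10:09:58 10.0.0.5 203.0.113.10:443
2007-05-14T10:15:00 10.0.0.5 203.0.113.10:443
2007-05-14T10:19:59 10.0.0.5 203.0.113.10:443
2007-05-14T10:25:01 10.0.0.5 203.0.113.10:443
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def beacon_score(timestamps):
    """Coefficient of variation of the gaps between connections; near 0 is clock-like."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)

def find_beacons(text, min_connections=4, max_cv=0.1):
    """Pairs with enough connections and near-constant spacing, most regular first.
    Legitimate NTP or update checks also score low, so hits are triage candidates."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        cv = beacon_score(stamps)
        if cv is not None and cv <= max_cv:
            hits.append((src, dst, round(cv, 4)))
    return sorted(hits, key=lambda h: h[2])
```

A beacon that randomises its sleep interval raises the coefficient of variation, so in practice this is paired with other signals such as constant request size or a rare destination.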