The Current State of the Malware/AntiVirus Arms Race
An anonymous reader writes "An article at Net Security explores how malware has developed self-defense techniques. This evolution is the result of the double-edged sword of the malware arms race. Anti-virus technology is ever more advanced, but as a result surviving viruses are increasingly sophisticated. What Net Security offers is a lengthy look at the current state of that arms race. 'There are many different kinds of malware self-defense techniques and these can be classified in a variety of ways. Some of these technologies are meant to bypass antivirus signature databases, while others are meant to hinder analysis of the malicious code. One malicious program may attempt to conceal itself in the system, while another will not waste valuable processor resources on this, choosing instead to search for and counter specific types of antivirus protection. These different tactics can be classified in different ways and put into various categories.'"
it's the computers that suffer. Won't someone please think of the computers?!
-Ours is the wisdom of Solomon, the magic of Merlyn, the fall of Icarus.
"This article will only examine malicious programs written for the Windows operating system (and its predecessor, DOS) due to the rarity and relatively small number of malicious programs for other platforms."
OK, you had to go to the second page of TFA to see this, but at least they came right out and said that Windows is the primary and almost exclusive target of malware.
Unlike almost every other article about viruses and malware in recent years.
Mac OS X: Because it was easier to make UNIX user friendly than it was to fix Windows!
Guaranteed! This comment 100% Anthrax free!
This conspiracy is about as old as the AV industry. At least you spared us this time the drivel about AV vendors first of all creating malware so they can sell their stuff.
Basically it's impossible to write the perfect AV software. It simply does not work. The perfect AV software could, of course, exist: Simply disallowing ANY kind of user interaction and installation of additional products. Perfect computer. Useless, but perfectly safe.
The problem is that malware does not use anything "special" that makes it easy to say "something that uses function X or accesses Y is malware". Doesn't work that way. What malware does is usually not much different from normal program activity. They access the Windows registry, create keys there, they create and alter files (not necessarily system files, which would be "suspicious" behaviour to say the least), they plug into Internet Explorer, they open ports for incoming connections, they transfer data to and from the computer.
It's not anything that is by definition "bad". How would you want to create the "perfect" AV product?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The viruses are intelligently designed. I'm not vouching for Microsoft Windows.
Except for ending slavery, the Nazis, communism, & securing American independence, war has never solved anything.
That's pretty much a given here on
This XP install has been going for over a year
Geez, and I thought Gentoo was supposed to take a while.
...extends beyond poor performance, spam, cost of software, etc.
We got hit here with a collateral listing of one of our tools as 'spyware'. It shut down our software across the U.S.
We used a toolkit from a vendor to encrypt and compress files for transmission and for patch distribution. It was slick, lightweight, and sufficiently secure. It was also a commercial product, and was sold to another publisher who used it in their software.
One of their packages is an IM logging and monitoring tool. Good for AOL IM, and others. You have to either download it as shareware, or buy it outright, and then you have to install it, with the usual requirement that you actually have access to the PC. It's not and has never been distributed as 'spyware' in the sense of an unexpected or unsolicited install, nor was it ever distributed from a website or as part of another package - unless you repackaged it yourself. The biggest users were corporate IT departments monitoring IMs for compliance, and parents/spouses/etc snooping on others.
Not what I think of as 'spyware'. But someone else thought differently.
The IM logger got reported to either Trend Micro or McAfee as 'spyware' more than a year ago. Sporadic reports continued, until the latest (?) release came out and got popular. Then the flood of reports ensued. And when I say 'flood', I mean 'dozens'. I suspect some HijackThis logs started showing it, and after a few more reports, it was assumed by someone that this application was part of other kits. Listing the application by one anti- company leads to everyone else listing it. No one wants to be left behind, and none of the 'security' companies wants to be the one that lets bad stuff in, just because they actually evaluated the listing. No, it got listed by everyone.
And the controls along with it. Including the one we used for everyday, legitimate encryption and compression.
Our customers started reporting failed installs and reinstallations. One reported they got a virus alert. We looked things over. Why now? We hadn't changed anything substantial in years.
Then, on a whim, I Googled for it. BAM! Our control was listed as malware. WHA?
We figured it out in an hour. I asked around some of the contacts I knew at Symantec, etc. Their advice was simple - give up. Go get a new tool, recode, and move on. Surrender. Even though the module we used was by itself harmless, it was guilty by association. So we did. So far as I know, the company that produced these tools & modules is struggling with this. After all, their code signatures are now officially 'malware'. Kinda like banning drills 'cause someone drilled a hole in their finger by accident. Pretty soon, nothing gets drilled. Not a good state of affairs for the drillmakers.
And not a good state of affairs for drill users, either.
That IM logger that started all this? It was commercial software, and other than being highly annoying for kids who value hiding their IMs from snooping parents ("Hey, who's paying the Internet bill around here?"), or spouses caught on dating sites, the businesses forced by law to treat IMs as if they were business correspondence found this to be a good tool. Not so good any more. About the only way to use this is to keep writing exceptions to your anti- software. If you can. And keep re-writing these exceptions every damned update. Maybe more than twice a day.
It looks like this application is dead. Kinda sad.
We survived, though some of our customers did get concerned. In our business, being labelled as 'spyware' could cause massive problems, beyond the usual. It could be front-page of the fishwrap stuff.
In the midst of the virus/spyware/malware/anti- battle, this is one small story of how unintended consequences have real costs. We had to scurry to buy new stuff, re-code, and distribute. Our original tool vendor has had to give up on a good product, through no fault of their own. The application vendor that 'st
deleting the extra space after periods so i can stay relevant, yeah.
Actually, surprisingly it's getting easier. Think game development. With the advent of DirectX, you needn't know too much math anymore to get some cool looking 3D graphics on the screen. The same applies to malware. Back in the good ol' days of DOS, you had to know quite a bit about the inner workings of the system to get your virus in. You had to redirect software resets, trap a few interrupts, essentially you had to write a driver. Today, most of the malware that circulates could be written in VB. Some is.
.torrents, they turn into the ideal dead drop.
Obfuscation is also easier than ever, with a lot of runtime packers and scramblers existing. It's easy to repack a file in batch mode that ensures that no two samples an AV company could get are the same. Thus the simple "signature" approach someone suggested earlier won't find a thing anymore.
It's also not getting trickier to hook into the system. Since the majority of crates are still running with users having admin access, the same ol' tactics that worked 5 years ago still work. It's also not simple to track the use of "suspicious" calls, since Windows itself makes quite liberal use of functions that e.g. hook keyboard input or inject code into other processes.
Writing malware is also no longer the pastime of bored adolescent geeks. It's business. We're talking organized crime cartels here and that a "virtual" bank robbery (by hijacking online banking sessions) is more profitable and less risky than the real counterpart is a given. When I see the figures, I sometimes wonder why I stay on this side of the fence...
It still is an arms race, but with the AV companies in the defense. Constantly. An AV company can only react to a development; anticipation is pretty much impossible. There are far too many roads the next attack can come from, so it's not feasible to develop in a certain direction without anything warranting it.
A few years ago, malware authors started to obfuscate their code. AV companies reacted by developing ways to crack that obfuscation. Then malware attacked certain AV software directly, as mentioned in TFA. The software was adapted to thwart such attempts. Malware started to contain rootkit functionality to hide itself. AV tools started to come with their own file system drivers to read the HD directly instead of relying on system calls.
You cannot anticipate that sensibly. What will be next? I don't know. I can only see trends and development in the malware that runs through my fingers. Which is a very tiny amount of the malware that gets written every day. It's a bit like trying to sieve a beach with a toy sieve. The big thing in malware today is (and has been for about a year or two) remote controlling, setting up servers somewhere and making the malware phone home. Yes, it's no longer IRC. It's a server in Belarus, Kazakhstan or Brazil (or some other country where the police have better things to do than being bothered by a server that doesn't really do any damage in their own country). So some malware packages started implementing tools that can monitor traffic and find "suspicious" traffic, just in case they can't find the corresponding malware. Possibly because the malware itself doesn't exist anymore, it was only an installer that manipulated some system file in such a way to send that info... and so on.
The current thing is (aside from what's been here for ages) ID theft. Your Amazon or your eBay account, your online banking information, your credit card information, and of course your machine, as a place to spew malware from, as a spambot or simply as a relay to route traffic through to obfuscate the real destination. With broadband becoming the norm and computers running 24/7 to download
There's much at stake. For both sides. I don't see a winner on either side too soon. Well, it's good for my job security, that's a given, but I didn't go into this venue just to make money (it's not THAT well paid). If I wanted that, I'd have learned ABAP.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
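The comment above says that batch repacking makes every sample differ so that a byte signature "won't find a thing anymore". The following is an added illustration of that point from the scanner's side; it is not code from the article or from any AV product. It uses a constructed stand-in for a sample body (no real malware), a hypothetical `PACKSTUB` loader tag, and a per-build keystream as a crude model of a repacker. It shows the exact-bytes signature matching the first build only, and the kind of entropy heuristic a scanner can keep in its back pocket when signatures go quiet.

```python
import math
import random

# Constructed stand-in for one captured sample's body (not real malware).
ORIGINAL_SAMPLE = (
    b"MZ\x90\x00"
    + b"CONSTRUCTED-SAMPLE-BODY-" * 8
    + b"GET /beacon HTTP/1.1 Host: c2.example.invalid"
)

# The byte pattern a vendor might lift from that first captured sample.
BYTE_SIGNATURE = b"Host: c2.example.invalid"


def repack(sample: bytes, build_seed: int) -> bytes:
    """Crude model of a batch repacker: each build XORs the body with a fresh
    seeded keystream, so no two outputs share bytes beyond the loader stub.
    Constructed illustration only; the 'PACKSTUB:' tag is hypothetical."""
    rng = random.Random(build_seed)
    keystream = bytes(rng.randrange(256) for _ in range(len(sample)))
    body = bytes(b ^ k for b, k in zip(sample, keystream))
    return b"MZ\x90\x00PACKSTUB:" + body


def signature_scan(sample: bytes) -> bool:
    """Classic exact-bytes detection: true only if the signature survives."""
    return BYTE_SIGNATURE in sample


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Plain code and text stay well below 6; encrypted or
    packed bodies approach 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(sample: bytes, threshold: float = 6.0) -> bool:
    """Heuristic a scanner can run beside signatures: a high-entropy body after
    the 4-byte header is typical of packed or encrypted code and is worth
    unpacking or emulating rather than reporting as clean."""
    return shannon_entropy(sample[4:]) >= threshold


def triage(sample: bytes) -> str:
    """Verdict order: exact signature first, then the packing heuristic."""
    if signature_scan(sample):
        return "signature-match"
    if looks_packed(sample):
        return "suspicious-packed"
    return "clean"


if __name__ == "__main__":
    builds = [repack(ORIGINAL_SAMPLE, seed) for seed in range(3)]
    print("original:", triage(ORIGINAL_SAMPLE),
          f"entropy={shannon_entropy(ORIGINAL_SAMPLE[4:]):.2f}")
    for i, b in enumerate(builds):
        print(f"build {i}: entropy={shannon_entropy(b[4:]):.2f} verdict={triage(b)}")
    print("all builds distinct:", len(set(builds)) == len(builds))
```

The entropy check is deliberately coarse: legitimate installers and compressed resources also score high, which is exactly the false-positive risk the earlier comment about the collateral 'spyware' listing complains about, so a heuristic like this is a reason to look closer (unpack, emulate, or check a whitelist of known-good hashes), not a verdict on its own.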
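The same comment describes the shift to remote-controlled malware that phones home, and tools that watch for "suspicious" traffic when the installer has already deleted itself. As an added example, not from the article or any vendor, here is the simplest form of that monitoring: a beacon check that groups connections by source and destination and flags pairs whose timing and size barely vary. The flow records are constructed (RFC 5737 documentation addresses, made-up timestamps), and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records, one per line: "epoch_seconds src dst:port bytes".
# 10.0.0.7 talks to 203.0.113.9:443 every 300 s with near-identical sizes; the
# other entries are ordinary browsing-shaped traffic.
FLOW_LOG = """\
1000 10.0.0.7 203.0.113.9:443 412
1010 10.0.0.7 198.51.100.20:80 9812
1300 10.0.0.7 203.0.113.9:443 410
1600 10.0.0.7 203.0.113.9:443 415
1620 10.0.0.7 198.51.100.20:80 1204
1900 10.0.0.7 203.0.113.9:443 409
2200 10.0.0.7 203.0.113.9:443 413
2500 10.0.0.7 203.0.113.9:443 411
1005 10.0.0.8 198.51.100.20:80 55000
1700 10.0.0.8 198.51.100.20:80 1200
2600 10.0.0.8 192.0.2.44:443 3100
"""


def parse_flows(text: str):
    """Turn the text log into (timestamp, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((int(ts), src, dst, int(nbytes)))
    return flows


def beacon_candidates(flows, min_events=5, max_interval_jitter=0.1,
                      max_size_jitter=0.1):
    """Flag (src, dst) pairs that connect regularly with near-constant sizes.
    Jitter is the population standard deviation divided by the mean, so 0.0
    means perfectly regular. Thresholds are assumed values, not a standard."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_events:
            continue  # too few samples to call a rhythm
        events.sort()
        intervals = [later[0] - earlier[0]
                     for earlier, later in zip(events, events[1:])]
        sizes = [n for _, n in events]
        interval_jitter = pstdev(intervals) / mean(intervals)
        size_jitter = pstdev(sizes) / mean(sizes)
        if interval_jitter <= max_interval_jitter and size_jitter <= max_size_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "count": len(events),
                "period_s": round(mean(intervals)),
                "interval_jitter": round(interval_jitter, 3),
                "size_jitter": round(size_jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for f in beacon_candidates(parse_flows(FLOW_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['count']} connections, "
              f"period {f['period_s']} s, jitter {f['interval_jitter']}")
```

On the constructed log this reports the single 300-second rhythm and ignores the two-hit pairs. In practice the period test is only a first filter: NTP, update checks and monitoring agents are just as regular, so the finding still needs the destination's reputation and the process that opened the socket before anyone acts on it, and a check like this should run over hours of data rather than a handful of records.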