Malware vs. Anti-Malware, 20 Years Into The Fray
jcatcw writes "Steven J. Vaughan-Nichols considers the dissimilarities between malware of yore and current infiltrations as we approach the 20th anniversary of the Robert Morris worm. Modern malware apps curl up and make themselves at home in your system, where they wait for a chance to snatch an important password or a credit card number. Welcome to the era of capitalist hacking. Any self-respecting malware program today is polymorphic, making signature-based antivirus approaches difficult. Heuristics and virtual sandboxes offer alternatives, but all such methods are reactive. Unfortunately, monitoring lists and networks is about the only current alternative."
Some malware I've seen has become seriously sophisticated, so much so that cleaning it is basically impossible.
Non-admin rights, client-side file scanners, web-side blacklists, and user training are the only way malware is going to go away.
throw new NoSignatureException();
Come on, the guy's name is Robert Morris:
http://pdos.csail.mit.edu/~rtm/
You're thinking of the William Morris talent agency in Hollywood, or something. Mods, please correct this.
Don't install untrusted software system-wide; only use signed software from your public repository or from trusted vendors.
Prevent any other changes from being made to the system; mount system partitions read-only.
Where users are installing software, force it into a sandbox (one for each application). Each sandbox will have limited access to the network, user files and hardware (such as web cams and microphones).
The simplest solution is to never allow software from users to run (mount the home partition as no-exec). However, this doesn't cut it much of the time, which is why I would suggest doing something similar to no-exec, but as a sandbox rather than not running the file at all. I'm not sure how hard that would be, but I'm sure it is possible.
(Oh wait, are we talking about MS Windows here? I guess you can ignore what I said then...)
I wank in the shower.
Wish I could get paid just for clicking "approve" and filling in the text in the "from the ____ dept".
Done with slashdot, done with nerds, getting a life.
This is no flame. But after postings like "30th anniversary of spam" etc. ... do we really have to remember the anniversary of every crap thing "invented"?
It also benefits certain software companies that there is no real clean up.
They can tout the next version of their OS as having new security features to prevent this problem, while other avenues of exploitation will open up.
Remember the UPnP vulnerabilities? Countless other problems with Windows as it is shipped?
Remember there is an industry right now built around "Security" not as we know it, but as the consumers of computer hardware know it.
Anti-virus and "firewalls" for their Windows machines.
Follow the $$$. If we had secure operating systems, you think all the A/V and other companies would make money? They would have to change their business model.
There is logic behind all of this.
Between spam, malware, and credit card fraud, the criminals are winning, big time.
The eventual consequence of this is a faltering of trust in our financial systems and economies, and the rise of new kinds of criminal mafias, with billion dollar portfolios. If you thought the mob was scary, wait until you see what rises out of the ashes of the current system.
The solution to this, I believe, is first to limit the information transferred in any transaction to that which is necessary for the transaction (no grocer, you don't need to know where I live); second to implement electronic cash (in the current credit card system you give authorization to perform transactions at any time in the future without verification); and third to establish and teach strong cryptography for communications, transactions, and identity.
But the biggest thing we can do now is get the world's police forces to get off their asses. As long as these things are not prosecuted, criminals will flourish, and they are.
It's time to make this an important issue in elections, before we all lose big.
1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
The whole way security is treated needs to be changed. Having root and an ordinary user just doesn't offer the level of granularity that users need. As a user I want to be able to do everything on my computer; what's really needed is fine-grained access control per program. Of course, that has issues with users having to grant those privileges, but you could have profiles. Imagine installing Evolution or something and it pops up and says "This software says it's a mail client, does that sound right to you?" and then the privileges it gets granted are set by a "mail client" profile already installed on the system.
When you need to install something esoteric then you would have to do some more advanced steps but if you are installing something strange then you probably know what you are doing anyway.
This could maybe be combined with some sort of trust network. Say your friend installs something that needs non-standard access rights, they could grant the required permissions and create a new profile. You would have them in your trusted list and would have access to all of their profiles so when you install that application, it can categorise it using the info your friend provided.
I think this system provides a good balance between really fine grained permissions and not blindly clicking through loads of confirmation dialogs.
I just don't understand why malware isn't considered a form of vandalism and prosecuted as such.
"It also benefits certain software companies that there is no real clean up."
:)
It further benefits computer shops and geeks who get paid to nuke and pave compromised systems. If Windows were robust and easy to "disinfect" I would have far fewer free computers and less pocket change.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
"Welcome to the era of capitalist hacking."
What does the theft of personal information have to do with the private ownership and exchange of wealth?
"Ask not what your country can do for you." --John F. Kennedy
Everyone knows it was Philip Morris, the guy who makes the cigarettes.
"It doesn't cost enough, and it makes too much sense."
There are many alternatives to this, starting with: "Recognize that operating systems which are readily compromised by malware are broken and not acceptable for use." If you choose to use an OS which is so intrinsically weak that it cannot survive exposure to the (unfirewalled) Internet without anti-virus, anti-spyware, anti-adware, etc., then you have chosen poorly, and no subsequent choice you make will compensate for that.
A followup point would be "Understand that it is not possible to 'clean' a malware-contaminated system. The only acceptable course of action is to wipe to bare metal, reinstall, and restore from backups." While it might have been partially true in a limited sense that some malware could be removed by anti-whatever products, that's certainly not the case now: it's much more likely that malware will evade detection and removal. Of course, it serves the purposes of both anti-whatever companies and lazy system administrators to continue propagating this fiction, because if they actually had to scrub and rebuild systems as often as they're infested, they might have to face some hard choices that they'd rather not.
And an excellent set of auxiliary points may be found in Marcus Ranum's The Six Dumbest Ideas in Computer Security, where he enumerates the most egregious (and sadly, most common) mistakes made by nearly everyone, including supposed "experts" with strings of meaningless, worthless certifications after their names.
So there are plenty of alternatives -- but choosing them and implementing them requires vision and insight, two qualities badly lacking in many in the profession.
That was the William Morris I thought of first as well :-)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
There is a balance to be struck, and "Better safe than sorry" can be answered "better neither than either".
If we had secure operating systems, you think all the A/V and other companies would make money?
Of course they would. AV and anti-malware software isn't there to replace OS security, it's there for when the OS security has already been circumvented (typically deliberately by the end user).
No amount of OS security will protect the machine from an end-user deliberately running malicious code.
One page print page.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
The "William Morris worm" sends you scripts, tries hard to get you to take a meeting, then charges 15%.
If this is supposed to be a new economy, how come they still want my old-fashioned money?
Working with residential users on a regular basis, I have come to repeat: "There is no One Program that rules all malware (and I explain that malware includes all the crapware since they figured out profit was to be made online). Safe surfing habits are the best defense against malware." Soapbox aside, since Sony released rootkits into the wild, I have had more success with backing up data and performing the elegant Nuke and Pave: format and reinstall. Without doing that, I have very little confidence in any of the existing spyware/adware/virus detection/removal programs available being able to 'clean' a PC. That said, when did anti-malware become a million (or billion) dollar industry??? How is it in anyone's best interest to 'cure' the internet of hostility? It is so profitable for both white and black hats. Frustrating, to say the least.
When you have a diverse collection of applications and ideas behind how those applications work, you have a continual flow of ideas. If, on the other hand, you have a monolithic OS that enforces "this is how you shall behave", you see less innovation and fewer new ideas.
DUH.
Diversity is HEALTHY.
As opposed, for example, to forced quota-based mixing-up. As in college "affirmative action", which serves to homogenize colleges throughout the U.S. based on, of all things, "national averages" rather than actually encouraging differences.
Listen up Microsoft, and Universities too: Diversity is healthy. But you do not gain real diversity by imposing a "standard" from the top down. It just doesn't work that way. But if you allow diversity to percolate from the bottom up, you are likely to be successful (as many Open Source operations can tell you today).
So up your bottom, I say.
Why have we seen no 'terrorist malware'?
I would naively assume that it would be easy enough to buy off-the-shelf botnet code, release it and, when it gets to a sufficient size, upload something really toxic. For bonus points the attack could be limited via IP address or targeted at ideologically unsound files.
From a practical POV this sort of attack would circumvent the normal surveillance as there is no need to go to terrorist camps, no need to buy suspicious chemicals ...
they would still need to keep their gobs shut.
Is running a botnet a hugely expensive/technical enterprise? (I've no doubt there are enough disaffected techies out there to run the thing)
Is it that cyberterrorism is just seen as too wussy to bother with? That does not seem to hold water; terrorism is about publicity, and one strike or even the rumor of an attack would generate hysterical coverage in the world press, followed up with billions spent on improved security (not such a bad thing :-).
Perhaps that is the reason why the bot herders don't want to get involved as it would poison their honey pot...
But anyway, one of the ideas it espoused was that malware is what's driving systems development to the point of passing Turing tests. Between captchas, Bayesian filters, and similar 'prove you're a human' malware countermeasures, plus virus heuristics and malign software detection, you have a very potent 'reaper' process, which kills off substandard malicious code.
The stuff that sticks is the stuff that's most adaptable, the most convincing Turing test faker, and as malware improves, so too does the counter-malware environment.
I mean, malware today is actually working on detecting 'anti' malware and trying to blind it or otherwise remove it - I've run into numerous trojans and bots that disable virus checkers, for example.
OK, so it may be far fetched, but it's not all that unreasonable an extension of the automatic spam/virus/malware filtering and detection, vs. the subversive and adaptive malware out there.
Instead of reactive solutions, better computer architecture could be a solution.
A so-called "worm" always spreads by injecting its code into a vulnerable process on a remote computer and executing it. For example, on an IBM AS/400 it cannot do this, because if you overwrite a pointer with data, then it is not a pointer anymore, so it cannot be used to address memory (that's why the machine actually has 65 bits instead of 64: the 65th bit is a tag flag that marks pointers, aka pointer-in-memory protection).
Actually, you do not need much more than different instructions for data moving and address calculation, and instructions to mark code as code and data as data, and almost all possibilities to write any malware that installs itself are gone.
Unfortunately, as long as companies can sell current computer architectures, just because they are barely good enough to do some work sometimes, no one is going to build such a better, new architecture.
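The tag-bit idea from the comment above, modelled in C as an added illustration (this is not code from the comment or from any IBM documentation): memory is a constructed 16-word array where each word carries one extra tag bit that only a pointer-forming store can set and any data store clears, so a buffer overrun that overwrites a stored pointer leaves a word the tagged machine refuses to dereference while an untagged machine follows it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simulated memory: each word carries one extra tag bit (the "65th bit")
 * that is set only by a pointer-forming store and cleared by any data store. */
typedef struct { uint64_t value; bool tagged; } word_t;
#define MEM_WORDS 16
static word_t mem[MEM_WORDS];

static void store_data(size_t idx, uint64_t v) {
    mem[idx].value = v;
    mem[idx].tagged = false;          /* ordinary store: the tag is dropped */
}
static void store_pointer(size_t idx, size_t target) {
    mem[idx].value = target;
    mem[idx].tagged = true;           /* only this path can create a pointer */
}

/* Tagged machine: the dereference faults (returns false) unless the word is still tagged. */
static bool load_through_tagged(size_t idx, uint64_t *out) {
    if (!mem[idx].tagged || mem[idx].value >= MEM_WORDS) return false;
    *out = mem[mem[idx].value].value;
    return true;
}
/* Untagged machine: any in-range integer is happily used as an address. */
static bool load_through_untagged(size_t idx, uint64_t *out) {
    if (mem[idx].value >= MEM_WORDS) return false;
    *out = mem[mem[idx].value].value;
    return true;
}

/* Constructed scenario: a 3-word buffer in slots 1..3 sits just below a pointer in
 * slot 4. Copying 4 words overruns the buffer by one word and replaces the pointer's
 * bits with attacker-chosen data (the index 7). Returns 1 if the legitimate pointer
 * worked before the overrun and afterwards only the untagged machine follows it. */
int overrun_defeated_by_tag(void) {
    memset(mem, 0, sizeof mem);
    store_data(6, 0x600D);                 /* legitimate target of the pointer */
    store_data(7, 0x5EC7E7);               /* data the overrun tries to reach */
    store_pointer(4, 6);                   /* slot 4 -> slot 6 */
    uint64_t v = 0;
    if (!load_through_tagged(4, &v) || v != 0x600D) return 0;   /* sanity check */

    const uint64_t input[4] = {0x41, 0x41, 0x41, 7};             /* one word too many */
    for (size_t i = 0; i < 4; i++) store_data(1 + i, input[i]);  /* spills into slot 4 */

    uint64_t v_tagged = 0, v_untagged = 0;
    bool ok_tagged   = load_through_tagged(4, &v_tagged);
    bool ok_untagged = load_through_untagged(4, &v_untagged);
    return (!ok_tagged && ok_untagged && v_untagged == 0x5EC7E7) ? 1 : 0;
}
```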