Slashdot Mirror

← Back to Stories (view on slashdot.org)

Shape-Shifting Malware Hits the Web

Posted by ScuttleMonkey on from the dopple-gang-bang-the-new-ddos dept.

Stony Stevenson writes to tell us that in a recent interview, Marc Henauer has revealed that security researchers are falling behind now that malware is starting to be able to change its signature every few hours. "Unfortunately the know-how and construction kits used to create this shape-shifting threat are now readily available and are unleashing a wave of malware based on social engineering techniques. [...] Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc."

25 of 179 comments (clear)

  1. This is a GOOD thing by $RANDOMLUSER · · Score: 5, Insightful

    Maybe now we'll stop pretending that glorified versions of grep can keep us safe.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    1. Re:This is a GOOD thing by Anonymous Coward · · Score: 1, Insightful

      Why do you suppose that the shape-shifting code cannot shape-shift itself?

    2. Re:This is a GOOD thing by fatphil · · Score: 2, Insightful

      Bzzzt! In order to do that we have to first solve the Halting Problem.
      It is impossible, for arbitrary code, to even tell which parts of the code are code, and which are data. Working out which bits of the code are a morphing routine is unimaginably harder.

      --
      Also FatPhil on SoylentNews, id 863
  2. Enumerating the Bad is not a good idea by corsec67 · · Score: 5, Insightful

    Enumerating the bad is usually a bad idea, since it is to easy to change what is "bad". We enumerate the good with firewalls, why should software security be any different? Distro repository + corperate repository should cover all software necessary, right?

    Will we now see true evolution of software viruses?

    This is pretty much #1 and #2 in this list of The Six Dumbest Ideas in Computer Security.

    --
    If I have nothing to hide, don't search me
    1. Re:Enumerating the Bad is not a good idea by KDR_11k · · Score: 1, Insightful

      How do you propose enumerating the good for a virus scanner? A list of all harmless computer programs ever? Don't expect the user to fill it in, he bought the scanner to check unknown executables for viruses, not to keep a whitelist of known executables for him (if he knows it's safe he won't need the scanner). Remember that any defense becomes useless if it produces so many false positives that the legitimate positives get drowned out in the noise.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    2. Re:Enumerating the Bad is not a good idea by UbuntuDupe · · Score: 0, Insightful

      Computer viruses being redesigned to handle one known precaution against them, is indeed an example of evolution of a meme, Dawkins's generalization of the concept of a gene. Evolution does not merely work across self-replicating amino acid chains.

      --
      Apology to Ubuntu forum.
  3. Can someone explain what this means? by yuna49 · · Score: 4, Insightful

    Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc.

    What exactly is a "non rules-based monitoring process?" I thought I had some clue about security procedures, but I'm be hard pressed to describe what such a process might be. Even more importantly, what would it cost to implement? TFA is no help here, consisting of the usual hand-waving about the never-ending arms race between malware writers and the rest of us.

    We all know what the most effective solution to this problem would be. Funny how it's never mentioned in any of these articles.

  4. It's just the anti-virus companies claiming that. by khasim · · Score: 5, Insightful

    That way they can keep selling you "updated" "signature files" every hour / day / week / month / year.

    The correct way to handle this is to set up your system so that the user cannot ACCIDENTALLY execute any external code.

    There's no way to solve the issue of some idiot clicking on everything and putting in the root password whenever asked. So don't bother bringing that case up.

    For everyone else, lock the OS files so that it cannot be infected and set the user writable portion to not execute any code. There, the majority of that problem is solved.

    Then, ship the default installation without any open ports and you've pretty much solved the worm issue.

    But that approach means that the anti-virus companies cannot keep selling you new signature files. So don't expect any of them to support it.

  5. It won't end until there is extreme violence by erroneus · · Score: 2, Insightful

    Until the people who are putting this stuff out there are seriously and literally beaten either within inches of their lives or to death, this sort of thing will get worse and worse.

    These assholes call themselves "marketers." They have gotten away with it for so long, they often call a great portion of this "legitimate business." It's not enough to criminalize this stuff... especially when law enforcement generally has no idea how to prosecute or make a case against any of it.

    There should be a series of web sites built that creates a "hit list" of people responsible for this crap. That's where the end of this should begin.

    1. Re:It won't end until there is extreme violence by maxume · · Score: 2, Insightful

      That's stupid.

      Look how well playing wack-a-mole has worked for drug enforcement. Rather, look how it hasn't worked at all.

      --
      Nerd rage is the funniest rage.
  6. Re:It's just the anti-virus companies claiming tha by davester666 · · Score: 1, Insightful

    But there is no way to uninstall Internet Explorer. Sure you can delete the icon, so it doesn't appear to be installed, but it still is always available.

    --
    Sleep your way to a whiter smile...date a dentist!
  7. Re:It's just the anti-virus companies claiming tha by ka9dgx · · Score: 1, Insightful
    That doesn't fix the confused deputy problem. Even if the user never makes a mistake, their system can still be compromised. You should NEVER have to trust an application to contain itself to a set of capabilities. That's what Operating Systems are supposed to do for you.

    --Mike--

  8. A Blast from the Past.... by NullProg · · Score: 5, Insightful

    1991
            Tequila is the first widespread polymorphic virus found in the wild. Polymorphic viruses make detection difficult for virus scanners by changing their appearance with each new infection.


    Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc."

    Its called heuristics and its been in use for a while.

    Enjoy,

    --
    It's just the normal noises in here.
  9. Re:It's just the anti-virus companies claiming tha by ka9dgx · · Score: 5, Insightful
    The user has two options... click or don't.

    How about giving the user more choices? You might want to let them run it in a sandbox, or run it without internet access, or chroot it.

    If they had a way to express their intent, and actually control how much they give away when they click... it would go a VERY long way towards fixing things, probably 99%.

    --Mike--

  10. Re:My Solution by ka9dgx · · Score: 2, Insightful
    Ok.. you kill the author of a piece of malware... does that magically remove it from all the places it's gone to?

    It might make us feel better, but it's not a solution.

    --Mike--

  11. Re:It's just the anti-virus companies claiming tha by Anonymous Coward · · Score: 1, Insightful

    With real OS you certainly mean WinNT right?
    'cause UNIX is so 70s

  12. Re:It's just the anti-virus companies claiming tha by idontgno · · Score: 2, Insightful

    As long as you can avoid every piece of software that uses IE's integrated libraries and services for its own web access and rendering. Good luck with that.

    Really, "iexplore.exe" is the least of your problems. The real evil is in the half-assed DLLs and associated components.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  13. Re:a possible solution by FudRucker · · Score: 2, Insightful

    thats exactly why I don't use ms-windows anymore, everything is just too open to attack, open Windows Explorer file manager and type in a URL - it does not launch IE, it is IE or morphs in to IE, open Internet Explorer and type in C: hit enter and you can use it as a file manager and change & delete files, if that is not asking for trouble I don't know what is, knowing this and how many users run their PCs 24/7/365 with admin privileges because managing a multi-user system with admin & users privileges kept separate is just too inconvenient...

    when Linux becomes too popular and if it becomes the target of malware like windows is I will move to something else, maybe some flavor of BSD or Solaris...

    --
    Politics is Treachery, Religion is Brainwashing
  14. Trying to wikipedia your way to a +5, eh? by Anonymous Coward · · Score: 3, Insightful
    This is what the GP said:

    For everyone else, lock the OS files so that it cannot be infected and set the user writable portion to not execute any code. There, the majority of that problem is solved. This is what you said:

    You should NEVER have to trust an application to contain itself to a set of capabilities. That's what Operating Systems are supposed to do for you. So, he said that we should control executables at the OS level, and your response is "no, we should control executables at the OS level (plus a wikipedia link to a sort-of but not really related problem)." Hold on, your brilliance is hurting my eyes.

    Come on mods, this guy didn't even read the parent! I know he has a wikipedia link, but follow the damn conversation!
  15. No, it's not freakin' Unix by Anonymous Coward · · Score: 3, Insightful

    Thinking that using Unix is the solution to getting 0wned is like thinking that heterosexuality is the solution to getting AIDS. The only general solution is education.

    As the article states, this malware is all based on social engineering. If you can convince somebody to run a program because it will show them the latest celebrity sex tape, it doesn't matter what OS they're running. Right now it only works on Windows because the malware authors know that they can get 90% of the market by doing only 10% of the work and it's very difficult for virus-type malware to spread when hosts that are susceptible are hard to find. If any other OS took over perhaps 25% of the market, that OS would become a target also.

    The answer, of course, is to educate users that they should be very skeptical of offers to view some celebrity sex tape or dancing bunnies, and that they should ignore such things.

    The fact that Unix doesn't have many naive desktop users simply means that it gets attacked in different ways than typical Windows machines. Quite frankly, the first worm ever took advantage of the insecurity of Unix machines, and the term rootkit obviously comes from the Unix world.

    dom

  16. Re:It's just the anti-virus companies claiming tha by Missing_dc · · Score: 2, Insightful

    Ok, so we set a cancel/allow feature for every app. that may work for skilled or intelligent users, and most slashdotters would be OK.

    The REST of the users out there are not as program/os/security savvy and would tell their PC to allow the app so they can watch that adult video or so they can have that pretty screensaver. They become so trained to just click allow that it defeats the purpose. As a sysadmin and a former helpdesker, I can tell you that the majority of computer users are a bunch of crack-tards who barely understand the mechanics of their machines. They would have no clue if a program asking for access is legit or not.

    We as a community CANNOT use ourselves as a standard to base security(or perceived common sense) against. really, just look at society as a whole and ask yourself, do you consider yourself part of the norm, or are they just a bunch of petty, mindless sheep. Look at what they consider entertainment as a clue. Lost and American Gladiator- one gives them excitement and watercooler talk and the other allows them to imagine themselves doing better on those challenges so they feel good about themselves. Fabricated dreams.
    What would you say the average slashdotter IQ is and what is the world average?

    --
    How amazed would you be to suddenly find that you just forgot what I wrote and you needed to reread my post.... again.
  17. Re:It's just the anti-virus companies claiming tha by Kartoffel · · Score: 2, Insightful

    I don't know. Back in the day, IE for Solaris was a pretty decent alternative to Netscape.

  18. Re:It's just the anti-virus companies claiming tha by techno-vampire · · Score: 3, Insightful
    How about giving the user more choices? You might want to let them run it in a sandbox, or run it without internet access, or chroot it.


    And how many users, pray tell, do you think would understand what those options are, or which one to pick for any given program. If your answer is > 1 %, you have a much higher opinion of the average computer user's understanding of what they're doing than I do.

    --
    Good, inexpensive web hosting
  19. Re:It's just the anti-virus companies claiming tha by Anonymous Coward · · Score: 2, Insightful

    .dll = .Framework, .bundle, .dylib,.so

  20. How about a ring security model? ala Intel ISA? by master_p · · Score: 2, Insightful

    The system runs at ring 0, the local applications at ring 1, the intranet applications at ring 2, the internet applications at ring 3. Thus no malware can do anything, unless there is a bug in the software interfaces between the rings.