Shape-Shifting Malware Hits the Web

Stony Stevenson writes to tell us that in a recent interview, Marc Henauer has revealed that security researchers are falling behind now that malware is starting to be able to change its signature every few hours. "Unfortunately the know-how and construction kits used to create this shape-shifting threat are now readily available and are unleashing a wave of malware based on social engineering techniques. [...] Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc."

This is a GOOD thing

[$RANDOMLUSER]

Maybe now we'll stop pretending that glorified versions of grep can keep us safe.

Enumerating the Bad is not a good idea

[corsec67]

Enumerating the bad is usually a bad idea, since it is to easy to change what is "bad". We enumerate the good with firewalls, why should software security be any different? Distro repository + corperate repository should cover all software necessary, right?

Will we now see true evolution of software viruses?

This is pretty much #1 and #2 in this list of The Six Dumbest Ideas in Computer Security.

Can someone explain what this means?

[yuna49]

Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc.

What exactly is a "non rules-based monitoring process?" I thought I had some clue about security procedures, but I'm be hard pressed to describe what such a process might be. Even more importantly, what would it cost to implement? TFA is no help here, consisting of the usual hand-waving about the never-ending arms race between malware writers and the rest of us.

We all know what the most effective solution to this problem would be. Funny how it's never mentioned in any of these articles.

It's just the anti-virus companies claiming that.

[khasim]

That way they can keep selling you "updated" "signature files" every hour / day / week / month / year.

The correct way to handle this is to set up your system so that the user cannot ACCIDENTALLY execute any external code.

There's no way to solve the issue of some idiot clicking on everything and putting in the root password whenever asked. So don't bother bringing that case up.

For everyone else, lock the OS files so that it cannot be infected and set the user writable portion to not execute any code. There, the majority of that problem is solved.

Then, ship the default installation without any open ports and you've pretty much solved the worm issue.

But that approach means that the anti-virus companies cannot keep selling you new signature files. So don't expect any of them to support it.

A Blast from the Past....

[NullProg]

1991
        Tequila is the first widespread polymorphic virus found in the wild. Polymorphic viruses make detection difficult for virus scanners by changing their appearance with each new infection.


Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc."

Its called heuristics and its been in use for a while.

Enjoy,

Re:It's just the anti-virus companies claiming tha

[ka9dgx]

The user has two options... click or don't.

How about giving the user more choices? You might want to let them run it in a sandbox, or run it without internet access, or chroot it.

If they had a way to express their intent, and actually control how much they give away when they click... it would go a VERY long way towards fixing things, probably 99%.

--Mike--

Trying to wikipedia your way to a +5, eh?

This is what the GP said:

For everyone else, lock the OS files so that it cannot be infected and set the user writable portion to not execute any code. There, the majority of that problem is solved. This is what you said:

You should NEVER have to trust an application to contain itself to a set of capabilities. That's what Operating Systems are supposed to do for you. So, he said that we should control executables at the OS level, and your response is "no, we should control executables at the OS level (plus a wikipedia link to a sort-of but not really related problem)." Hold on, your brilliance is hurting my eyes.

Come on mods, this guy didn't even read the parent! I know he has a wikipedia link, but follow the damn conversation!

No, it's not freakin' Unix

Thinking that using Unix is the solution to getting 0wned is like thinking that heterosexuality is the solution to getting AIDS. The only general solution is education.

As the article states, this malware is all based on social engineering. If you can convince somebody to run a program because it will show them the latest celebrity sex tape, it doesn't matter what OS they're running. Right now it only works on Windows because the malware authors know that they can get 90% of the market by doing only 10% of the work and it's very difficult for virus-type malware to spread when hosts that are susceptible are hard to find. If any other OS took over perhaps 25% of the market, that OS would become a target also.

The answer, of course, is to educate users that they should be very skeptical of offers to view some celebrity sex tape or dancing bunnies, and that they should ignore such things.

The fact that Unix doesn't have many naive desktop users simply means that it gets attacked in different ways than typical Windows machines. Quite frankly, the first worm ever took advantage of the insecurity of Unix machines, and the term rootkit obviously comes from the Unix world.

dom

Re:It's just the anti-virus companies claiming tha

[techno-vampire]

How about giving the user more choices? You might want to let them run it in a sandbox, or run it without internet access, or chroot it.

And how many users, pray tell, do you think would understand what those options are, or which one to pick for any given program. If your answer is > 1 %, you have a much higher opinion of the average computer user's understanding of what they're doing than I do.