Slashdot Mirror
Shape-Shifting Malware Hits the Web
Stony Stevenson writes to tell us that in a recent interview, Marc Henauer has revealed that security researchers are falling behind now that malware is starting to be able to change its signature every few hours. "Unfortunately the know-how and construction kits used to create this shape-shifting threat are now readily available and are unleashing a wave of malware based on social engineering techniques. [...] Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc."
What's the bad news?
The bad news is that all the users with a clue about protecting their PCs get sent spam, adware, crapware and all the other junk that these zombied PCs churn out until Windows does die.
All my posts about malware and virus software for some time have been doom and gloom. Seems moderators don't like that. This is nothing but the tip of the iceburg of what might be coming, and what is probably already in the wild, we just don't know it yet. I could probably think of a dozen scenarios where malware could already be hiding on your equipment, silently waiting to be signaled.
It's possibly in your router's flash by now, or your motherboard's flash, or sitting on a CD or CE player's flash, or an MP3 player. It only has to wait till it needs to start spreading, and be dormant there too, then one day you notice missing files, or there is an outbreak of serious malware globally. Yes, tinfoil hat stuff, but it is possible, and as time ticks on it is becoming more probable.
Nobody wants to believe it, but it is possible. If it is possible, it will only be a matter of time...
Support NYCountryLawyer RIAA vs People
> Maybe now we'll stop pretending that glorified versions of grep can keep us safe.
No, we just need to grep for the right string. You know, the code which does the shape shifting. Or is the suggestion that new executable code is somehow created out of nowhere?
Indeed. I don't really care if it's Linux or Open Solaris or OS X or, hell, even HP-UX. It doesn't even have to be *nix if it's built on a sound security model.
The fact that the global computing infrastructure is so homogeneously based an operating system as vulnerable as Windows just never gets discussed in these sorts of articles. Most Windows users I know just accept that virus protection, spyware protection, and the occasional reinstallation of the OS, are all the normal state of affairs in computing. Why would they think otherwise?
While I'm sure that the jump in Mac sales has a lot to do with the success of the iPod, I wonder what fraction of Mac buyers consider the "no-viruses" feature of OS X an important selling point?
Amen!
Imagine having two broken hands. You would have no way to directly take the money from your wallet and manage it yourself, you'd be forced somehow give your entire wallet to someone each time you wanted to pay. It would be almost impossible to prevent them from slipping an extra $20 unless you happened to see it. You're forced to trust someone completely.
For the foreseeable future, we're all dealing with two broken hands. There's no way to pick which parts of our set of capabilities we want to hand to a program. We have no way of stopping it from taking our personal data and sending it away, holding it hostage, or subtly sabotaging it.
I want my metaphorical fingers back.
--Mike--
That doesn't help the situation. If windows goes away, the problem with just migrate to Linux.
Until we get to the point where you can assign permissions to every single program for every single role you expect that program to fulfill, it's not going to get much better.
--Mike--
Self modifying code is self modifying code. If it changes its signature into a different permutation that contains the same logic (e.g. changing the registers loaded, moving memory locations, inserting no-ops that don't look like no-ops, allocating different stack size, using a different location on disk, etc.) then it becomes nearly invisible to automated tools. I'm sure the next revision of anti-viral software will aim for complex heuristics that attempt to negate this sort of hiding. Which will become the next major arms race between virus writers and anti-virus writers. (Just like spam vs. anti-spam.)
Of course, arms races are usually a bad thing. They waste resources yet deliver very little. We need to start thinking about building a new infrastructure that is not susceptible to such simplistic attacks. e.g. Managed languages, jailed environments, trust relationships for email servers, and other such steps to data security. Unfortunately, there is so much time and money invested in our current infrastructure that there's no chance the market would make such a change unless absolutely forced to do so. Thus we come full circle back to the GPP's point.
Javascript + Nintendo DSi = DSiCade
I don't read replies by ACs.
If you take a snapshot of your harddrive/OperatingSystem, and as long as you don't do anything to change it (no writing to disk anywhere, no launching applications) then take another snapshot a few minutes later and another and another, soon this shape/shifting malware will reveal itself, get enough glimpses of it and a picture will emerge so you will know what to look for then know how to eradicate it from your computer, I doubt the kludge like mcaffee & norton are capable but somebody has to rise to the occasion to build something good enough to do this, it would be worth it to leave your PC alone while some anti-malware runs that can deal with this shape/shifting malware and catch it so it can be removed, or reveal a method & list of files so you can manually remove it...
Politics is Treachery, Religion is Brainwashing
Oh, and I forgot a particularly nasty option: Compressing or encrypting the code. e.g. A piece of code can use OS services to compress data on disk. This would make it look like any other program with compressed segments. Another option is a variation of One Time Pad based on system information like hostname or MAC address. Again, it's hard to identify the stub as a definite virus header.
Even worse is that most viruses today are part of a Botnet that has Command and Control capabilities. So the hiding ability of the virus can be updated on a regular basis. Version 1 selected between compression and OTP? No problem! Version 2 will add reordering of code segments!
Quite nasty, these bugs.
Javascript + Nintendo DSi = DSiCade
Comment removed based on user account deletion
Actually, it is "rules". But, it is not "patterns".
/usr/bin/firefox, and has an md5 signature of 64b6c465f9919e1fa860707fb762cff2. If the signature changes (without having updated the program), a security alert is raised. And that name/hash combination is allowed outbound port 80 access.
Specifically, http outbound access should be allowed for firefox. The firefox binary is
Basically, security should be SElinux and Tripwire. Those two tools (or equivalents on alternate Operating Environments) cover most of the threats.
Malware cannot then hide as an existing program. New programs should have strict security profiles that prevent "excess" (network, disk, cpu, memory) usage.
It would be possible to create malware, but it would be worthless, in the sense that the resources that could be misappropriated would be minimal (note that Unix and Unix-like systems have had ulimit for ages -- SElinux expands on the idea). A particular malware COULD attempt escalate to root, but SElinux would prevent the attempt to escalate the "usual" way. Specifically, firefox has NO REASON to gain root, and this can be prevented.
What would the worst malware look like in this senario? A javascript in firefox because it can do almost unlimited port 80 access. Email can be limited to qmail or sendmail (and even further limited by the expected amount).
Unix-like systems (with the exception of MAC OS X, which frightens me a bit) are heading here. Intrusion alert systems coupled with execution limiting, role based security systems (apparmor and selinex).
"AppArmor is an application security tool designed to provide an easy-to-use security framework for your applications. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies, called "profiles", completely define what system resources individual applications can access, and with what privileges. A number of default profiles are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor profiles for even very complex applications can be deployed successfully in a matter of hours."
Of course there is no need for malware detection with this model. Tripwire already does a better job than any "anti-malware" program could, because it snapshots the OK state of all files. *anything* that differs is then suspect. AppArmor/SElinux provides for the expected BEHAVIOR of all programs. If they differ, they are suspect.
As you have probably noted, this protection does not accomodate "rootkits". However, a rootkit cannot be "defended" against, or even detected when running under it (at least if it is a reasonably well done rootkit). But this simple approach will eliminate all, or almost all, malware seen in the wild. With no need for anti-malware updates, or subscriptions, etc.
Just another "Cubible(sic) Joe" 2 17 3061
Comment removed based on user account deletion
Malware writers go for botnets of puny windows desktop machines because that is low hanging fruit. One decent server with an always-on fiber connection to the net is worth thousands of times more than your dinky little ADSL gaming machine for just about anything that you would a botnet for. You know what the market share looks like on the server side? Most of the biggest and best machines on the net run *nix.
Macs have around 5% market share and are much more likely to be left on and connected all the time. By the market share argument, they should be getting having at least a few folks trying to get in.
You know why they don't? Sane privilege defaults, no activeX and clear separation between user data and and system applications, usually on entirely separate partitions.
Sorry dude, but windows really is just that bad.
How about giving the user more choices? You might want to let them run it in a sandbox, or run it without internet access, or chroot it.
If they had a way to express their intent, and actually control how much they give away when they click... it would go a VERY long way towards fixing things, probably 99%.
Have you ever tried Comodo's free firewall or free antivirus???
Both of them use whitelisting / safelists. Anything not whitelisted needs explicit permission from the user before they're able to read/write/delete/create a file or directory or access the internet. These two FREE (as in beer) products literally give you a similar level of control over what runs on your computer.
The Comodo antivirus doesn't work on Vista right now but will soon. Then again, this is Slashdot so we're all running XP right ?!?
For sandboxing, you can use VMWare Server (free as in beer) to generate an image to run in VMPlayer (also free as in beer) which you can then use within Windows. If you get VMWorkstation (not free but well worth it), you can get fine-grained control over snapshotting.
Not so. Not with Vista anyway. That's precisely what I did, yet for some reason, from time to time IE randomly opens up to an ad page. AVG doesn't know why, AdAware, Windows Defender (joke), and other programs couldn't figure it out either. I think it started when I installed itunes and quicktime. The weirdest thing is, it seems to occur when they system *sees* certain files, like when explorer opens the folder they are in. I don't know what kind of files though. It's rare and inconsistent, so I can't trace the cause. But without the IE executable, this wouldn't be a problem. I thought about accessing the HD from another computer and replacing IE with another executable, but that would probably brick windows. Oh, the humanity!
The path to enlightenment is truly through homemade drugs!
What exactly is a "non rules-based monitoring process?" I thought I had some clue about security procedures, but I'm be hard pressed to describe what such a process might be. Even more importantly, what would it cost to implement? TFA is no help here, consisting of the usual hand-waving about the never-ending arms race between malware writers and the rest of us.
He's talking about computer immune systems. Here's a link to an IBM research paper from the top of the Google results for "virus immune system computers":
http://www.research.ibm.com/antivirus/SciPapers/Kephart/VB97/
The basic idea is that computers and viruses are so advanced, that it's time to implement immune systems. Instead of comparing one's system against a large list of fairly static virus signature rules, an immune system could evolve and build the "rule" dynamically as it encounters and interacts with the virus. The semantic ambiguity in the statement is that he's referring to a "rule" as a state-based virus signature. In a "non rules-based system", such as an immune system, there would be behavioral standards, such as "only send out traffic on one port at a time, and send it out consistently on the same port". There might also be structural standards (ie. digital signatures on executable code) or functional standards (i.e. return an application manifest upon request that can be compared to a reference site). If an application doesn't conform to the behavioral, structural, and functional standards, then the immune system has leeway to gobble it up and dispose of it. One might argue with his semantics, and claim that the behavioral, structural, and functional standards in an immune system are also 'rules'. The thinking behind computer immune systems, however, is more along the lines of activation networks and neural nets which implement behavior standards as functional evaluations of code performance, rather than lists of static state-based virus signatures (which are called 'rules' in the jargon).
Put another way, instead of having a long list of 'rules' such as "foo.exe is a virus" or "any file with signature xyz is a virus", there would be standards such as "a process should communicate consistently on the same port and not port hop" or "a file shouldn't try to access certain areas of OS memory if it doesn't have a certain type of application manifest registered to OS developers". Yes, you could call those 'rules' also. But that's not what he's referring to in the article. In the article, when he says 'rules', he's referring to state-based virus signatures. A "non rules-based monitoring process" wouldn't use state-based signatures; instead, it would monitor the behavior of code against performance standards.
(yes, a 'standard' might be considered a "rule", if you want to argue semantics. They just happen to be using the term 'rule' in a jargon-specific manner.)
I'm sorry if my writing wasn't up to snuf.
A lot of people will tell you that an Object Capability System can't do anything more than one based on Access Control Lists. This argument is much like the ones posed against Structured programming when it came out... the opponents to change all said "well.. it doesn't really do anything new"... and if you picked enough nits, you could technically say they were right, in terms of the expressiveness of the program.
However, in practice it's not just about the types of computation your code you can express, but rather the programmers productivity. Structured programming made it easier to get things done. It saved programmers time.
In theory, in an ACL based system, you can run a program inside of a sandbox. You first create a new account for a program to run inside of, and then lock down the permissions of the rest of the system to make it safe. This is a non-trival task, which must be done perfectly if your program you wish to run turns out to be malicious.
A capabilities based system is designed from the start to enforce a policy of least privilege. That means that a program should given only the capabilities it requires to execute the task at hand, and nothing more. To run a program in a "sandbox" requires no more action that only giving it a sandbox to play in, the system enforces the rest. Not only that, it makes it possible for an end user to decide what rights to give a program without having to check all of the rest of the system.
The lack of awareness of the Capability Object Model severely constrains the possible futures that can be imagined by most of us, and we're making bad choices because of that ignorance.
I'm just trying to shine some light into the darkness.
--Mike--