Slashdot Mirror
Shape-Shifting Malware Hits the Web
Stony Stevenson writes to tell us that in a recent interview, Marc Henauer has revealed that security researchers are falling behind now that malware is starting to be able to change its signature every few hours. "Unfortunately the know-how and construction kits used to create this shape-shifting threat are now readily available and are unleashing a wave of malware based on social engineering techniques. [...] Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc."
Maybe now we'll stop pretending that glorified versions of grep can keep us safe.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
The slashdot synopsis is longer than the article.
Enumerating the bad is usually a bad idea, since it is to easy to change what is "bad". We enumerate the good with firewalls, why should software security be any different? Distro repository + corperate repository should cover all software necessary, right?
Will we now see true evolution of software viruses?
This is pretty much #1 and #2 in this list of The Six Dumbest Ideas in Computer Security.
If I have nothing to hide, don't search me
Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc.
What exactly is a "non rules-based monitoring process?" I thought I had some clue about security procedures, but I'm be hard pressed to describe what such a process might be. Even more importantly, what would it cost to implement? TFA is no help here, consisting of the usual hand-waving about the never-ending arms race between malware writers and the rest of us.
We all know what the most effective solution to this problem would be. Funny how it's never mentioned in any of these articles.
That way they can keep selling you "updated" "signature files" every hour / day / week / month / year.
The correct way to handle this is to set up your system so that the user cannot ACCIDENTALLY execute any external code.
There's no way to solve the issue of some idiot clicking on everything and putting in the root password whenever asked. So don't bother bringing that case up.
For everyone else, lock the OS files so that it cannot be infected and set the user writable portion to not execute any code. There, the majority of that problem is solved.
Then, ship the default installation without any open ports and you've pretty much solved the worm issue.
But that approach means that the anti-virus companies cannot keep selling you new signature files. So don't expect any of them to support it.
Until the people who are putting this stuff out there are seriously and literally beaten either within inches of their lives or to death, this sort of thing will get worse and worse.
These assholes call themselves "marketers." They have gotten away with it for so long, they often call a great portion of this "legitimate business." It's not enough to criminalize this stuff... especially when law enforcement generally has no idea how to prosecute or make a case against any of it.
There should be a series of web sites built that creates a "hit list" of people responsible for this crap. That's where the end of this should begin.
All my posts about malware and virus software for some time have been doom and gloom. Seems moderators don't like that. This is nothing but the tip of the iceburg of what might be coming, and what is probably already in the wild, we just don't know it yet. I could probably think of a dozen scenarios where malware could already be hiding on your equipment, silently waiting to be signaled.
It's possibly in your router's flash by now, or your motherboard's flash, or sitting on a CD or CE player's flash, or an MP3 player. It only has to wait till it needs to start spreading, and be dormant there too, then one day you notice missing files, or there is an outbreak of serious malware globally. Yes, tinfoil hat stuff, but it is possible, and as time ticks on it is becoming more probable.
Nobody wants to believe it, but it is possible. If it is possible, it will only be a matter of time...
Support NYCountryLawyer RIAA vs People
I thought shape-shifting malware was the official business attire of geeks everywhere.
Leave the gun, take the cannolis.
Or am I the only one old enough to remember that brief time when DAME was considered the unholy terror?
You either believe in rational thought or you don't
1991
Tequila is the first widespread polymorphic virus found in the wild. Polymorphic viruses make detection difficult for virus scanners by changing their appearance with each new infection.
Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc."
Its called heuristics and its been in use for a while.
Enjoy,
It's just the normal noises in here.
That doesn't help the situation. If windows goes away, the problem with just migrate to Linux.
Until we get to the point where you can assign permissions to every single program for every single role you expect that program to fulfill, it's not going to get much better.
--Mike--
I don't read replies by ACs.
If you take a snapshot of your harddrive/OperatingSystem, and as long as you don't do anything to change it (no writing to disk anywhere, no launching applications) then take another snapshot a few minutes later and another and another, soon this shape/shifting malware will reveal itself, get enough glimpses of it and a picture will emerge so you will know what to look for then know how to eradicate it from your computer, I doubt the kludge like mcaffee & norton are capable but somebody has to rise to the occasion to build something good enough to do this, it would be worth it to leave your PC alone while some anti-malware runs that can deal with this shape/shifting malware and catch it so it can be removed, or reveal a method & list of files so you can manually remove it...
Politics is Treachery, Religion is Brainwashing
Comment removed based on user account deletion
The correct way to handle this is to set up your system so that the user cannot ACCIDENTALLY execute any external code.
and you do that by asking cancel or allow for each app.
I'm pretty sure that deleting all the shortcuts and then putting firefox as the default browser is a way better solution then actually trying to yank IE out of Windows.
How about giving the user more choices? You might want to let them run it in a sandbox, or run it without internet access, or chroot it.
If they had a way to express their intent, and actually control how much they give away when they click... it would go a VERY long way towards fixing things, probably 99%.
--Mike--
Comment removed based on user account deletion
It might make us feel better, but it's not a solution.
--Mike--
Comment removed based on user account deletion
As long as you can avoid every piece of software that uses IE's integrated libraries and services for its own web access and rendering. Good luck with that.
Really, "iexplore.exe" is the least of your problems. The real evil is in the half-assed DLLs and associated components.
Welcome to the Panopticon. Used to be a prison, now it's your home.
Come on mods, this guy didn't even read the parent! I know he has a wikipedia link, but follow the damn conversation!
Thinking that using Unix is the solution to getting 0wned is like thinking that heterosexuality is the solution to getting AIDS. The only general solution is education.
As the article states, this malware is all based on social engineering. If you can convince somebody to run a program because it will show them the latest celebrity sex tape, it doesn't matter what OS they're running. Right now it only works on Windows because the malware authors know that they can get 90% of the market by doing only 10% of the work and it's very difficult for virus-type malware to spread when hosts that are susceptible are hard to find. If any other OS took over perhaps 25% of the market, that OS would become a target also.
The answer, of course, is to educate users that they should be very skeptical of offers to view some celebrity sex tape or dancing bunnies, and that they should ignore such things.
The fact that Unix doesn't have many naive desktop users simply means that it gets attacked in different ways than typical Windows machines. Quite frankly, the first worm ever took advantage of the insecurity of Unix machines, and the term rootkit obviously comes from the Unix world.
dom
Good luck with that.
Last I checked, neither my MacBook nor my Linux desktop used a single DLL.Cantankerous old coot since 1957.
Ok, so we set a cancel/allow feature for every app. that may work for skilled or intelligent users, and most slashdotters would be OK.
The REST of the users out there are not as program/os/security savvy and would tell their PC to allow the app so they can watch that adult video or so they can have that pretty screensaver. They become so trained to just click allow that it defeats the purpose. As a sysadmin and a former helpdesker, I can tell you that the majority of computer users are a bunch of crack-tards who barely understand the mechanics of their machines. They would have no clue if a program asking for access is legit or not.
We as a community CANNOT use ourselves as a standard to base security(or perceived common sense) against. really, just look at society as a whole and ask yourself, do you consider yourself part of the norm, or are they just a bunch of petty, mindless sheep. Look at what they consider entertainment as a clue. Lost and American Gladiator- one gives them excitement and watercooler talk and the other allows them to imagine themselves doing better on those challenges so they feel good about themselves. Fabricated dreams.
What would you say the average slashdotter IQ is and what is the world average?
How amazed would you be to suddenly find that you just forgot what I wrote and you needed to reread my post.... again.
Malware writers go for botnets of puny windows desktop machines because that is low hanging fruit. One decent server with an always-on fiber connection to the net is worth thousands of times more than your dinky little ADSL gaming machine for just about anything that you would a botnet for. You know what the market share looks like on the server side? Most of the biggest and best machines on the net run *nix.
Macs have around 5% market share and are much more likely to be left on and connected all the time. By the market share argument, they should be getting having at least a few folks trying to get in.
You know why they don't? Sane privilege defaults, no activeX and clear separation between user data and and system applications, usually on entirely separate partitions.
Sorry dude, but windows really is just that bad.
I don't know. Back in the day, IE for Solaris was a pretty decent alternative to Netscape.
And how many users, pray tell, do you think would understand what those options are, or which one to pick for any given program. If your answer is > 1 %, you have a much higher opinion of the average computer user's understanding of what they're doing than I do.
Good, inexpensive web hosting
Every few years the malware comes out newer, shinier and costs about $100-400 depending on if you get the Home Basic or Ultimate versions.
How about giving the user more choices? You might want to let them run it in a sandbox, or run it without internet access, or chroot it.
If they had a way to express their intent, and actually control how much they give away when they click... it would go a VERY long way towards fixing things, probably 99%.
Have you ever tried Comodo's free firewall or free antivirus???
Both of them use whitelisting / safelists. Anything not whitelisted needs explicit permission from the user before they're able to read/write/delete/create a file or directory or access the internet. These two FREE (as in beer) products literally give you a similar level of control over what runs on your computer.
The Comodo antivirus doesn't work on Vista right now but will soon. Then again, this is Slashdot so we're all running XP right ?!?
For sandboxing, you can use VMWare Server (free as in beer) to generate an image to run in VMPlayer (also free as in beer) which you can then use within Windows. If you get VMWorkstation (not free but well worth it), you can get fine-grained control over snapshotting.
.dll = .Framework, .bundle, .dylib,.so
The system runs at ring 0, the local applications at ring 1, the intranet applications at ring 2, the internet applications at ring 3. Thus no malware can do anything, unless there is a bug in the software interfaces between the rings.
Not so. Not with Vista anyway. That's precisely what I did, yet for some reason, from time to time IE randomly opens up to an ad page. AVG doesn't know why, AdAware, Windows Defender (joke), and other programs couldn't figure it out either. I think it started when I installed itunes and quicktime. The weirdest thing is, it seems to occur when they system *sees* certain files, like when explorer opens the folder they are in. I don't know what kind of files though. It's rare and inconsistent, so I can't trace the cause. But without the IE executable, this wouldn't be a problem. I thought about accessing the HD from another computer and replacing IE with another executable, but that would probably brick windows. Oh, the humanity!
The path to enlightenment is truly through homemade drugs!
What exactly is a "non rules-based monitoring process?" I thought I had some clue about security procedures, but I'm be hard pressed to describe what such a process might be. Even more importantly, what would it cost to implement? TFA is no help here, consisting of the usual hand-waving about the never-ending arms race between malware writers and the rest of us.
He's talking about computer immune systems. Here's a link to an IBM research paper from the top of the Google results for "virus immune system computers":
http://www.research.ibm.com/antivirus/SciPapers/Kephart/VB97/
The basic idea is that computers and viruses are so advanced, that it's time to implement immune systems. Instead of comparing one's system against a large list of fairly static virus signature rules, an immune system could evolve and build the "rule" dynamically as it encounters and interacts with the virus. The semantic ambiguity in the statement is that he's referring to a "rule" as a state-based virus signature. In a "non rules-based system", such as an immune system, there would be behavioral standards, such as "only send out traffic on one port at a time, and send it out consistently on the same port". There might also be structural standards (ie. digital signatures on executable code) or functional standards (i.e. return an application manifest upon request that can be compared to a reference site). If an application doesn't conform to the behavioral, structural, and functional standards, then the immune system has leeway to gobble it up and dispose of it. One might argue with his semantics, and claim that the behavioral, structural, and functional standards in an immune system are also 'rules'. The thinking behind computer immune systems, however, is more along the lines of activation networks and neural nets which implement behavior standards as functional evaluations of code performance, rather than lists of static state-based virus signatures (which are called 'rules' in the jargon).
Put another way, instead of having a long list of 'rules' such as "foo.exe is a virus" or "any file with signature xyz is a virus", there would be standards such as "a process should communicate consistently on the same port and not port hop" or "a file shouldn't try to access certain areas of OS memory if it doesn't have a certain type of application manifest registered to OS developers". Yes, you could call those 'rules' also. But that's not what he's referring to in the article. In the article, when he says 'rules', he's referring to state-based virus signatures. A "non rules-based monitoring process" wouldn't use state-based signatures; instead, it would monitor the behavior of code against performance standards.
(yes, a 'standard' might be considered a "rule", if you want to argue semantics. They just happen to be using the term 'rule' in a jargon-specific manner.)
I'm sorry if my writing wasn't up to snuf.
A lot of people will tell you that an Object Capability System can't do anything more than one based on Access Control Lists. This argument is much like the ones posed against Structured programming when it came out... the opponents to change all said "well.. it doesn't really do anything new"... and if you picked enough nits, you could technically say they were right, in terms of the expressiveness of the program.
However, in practice it's not just about the types of computation your code you can express, but rather the programmers productivity. Structured programming made it easier to get things done. It saved programmers time.
In theory, in an ACL based system, you can run a program inside of a sandbox. You first create a new account for a program to run inside of, and then lock down the permissions of the rest of the system to make it safe. This is a non-trival task, which must be done perfectly if your program you wish to run turns out to be malicious.
A capabilities based system is designed from the start to enforce a policy of least privilege. That means that a program should given only the capabilities it requires to execute the task at hand, and nothing more. To run a program in a "sandbox" requires no more action that only giving it a sandbox to play in, the system enforces the rest. Not only that, it makes it possible for an end user to decide what rights to give a program without having to check all of the rest of the system.
The lack of awareness of the Capability Object Model severely constrains the possible futures that can be imagined by most of us, and we're making bad choices because of that ignorance.
I'm just trying to shine some light into the darkness.
--Mike--