Shape-Shifting Malware Hits the Web

Stony Stevenson writes to tell us that in a recent interview, Marc Henauer has revealed that security researchers are falling behind now that malware is starting to be able to change its signature every few hours. "Unfortunately the know-how and construction kits used to create this shape-shifting threat are now readily available and are unleashing a wave of malware based on social engineering techniques. [...] Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc."

This is a GOOD thing

[$RANDOMLUSER]

Maybe now we'll stop pretending that glorified versions of grep can keep us safe.

Re:This is a GOOD thing

[ka9dgx]

Amen!
Imagine having two broken hands. You would have no way to directly take the money from your wallet and manage it yourself, you'd be forced somehow give your entire wallet to someone each time you wanted to pay. It would be almost impossible to prevent them from slipping an extra $20 unless you happened to see it. You're forced to trust someone completely.
For the foreseeable future, we're all dealing with two broken hands. There's no way to pick which parts of our set of capabilities we want to hand to a program. We have no way of stopping it from taking our personal data and sending it away, holding it hostage, or subtly sabotaging it.
I want my metaphorical fingers back.
--Mike--

Re:This is a GOOD thing

[AKAImBatman]

Self modifying code is self modifying code. If it changes its signature into a different permutation that contains the same logic (e.g. changing the registers loaded, moving memory locations, inserting no-ops that don't look like no-ops, allocating different stack size, using a different location on disk, etc.) then it becomes nearly invisible to automated tools. I'm sure the next revision of anti-viral software will aim for complex heuristics that attempt to negate this sort of hiding. Which will become the next major arms race between virus writers and anti-virus writers. (Just like spam vs. anti-spam.)

Of course, arms races are usually a bad thing. They waste resources yet deliver very little. We need to start thinking about building a new infrastructure that is not susceptible to such simplistic attacks. e.g. Managed languages, jailed environments, trust relationships for email servers, and other such steps to data security. Unfortunately, there is so much time and money invested in our current infrastructure that there's no chance the market would make such a change unless absolutely forced to do so. Thus we come full circle back to the GPP's point.

I love it.

The slashdot synopsis is longer than the article.

Re:I love it.

[corsec67]

It is a clever plan to get people to RTFA. Now people will stop bothering to read the fine summary.

Enumerating the Bad is not a good idea

[corsec67]

Enumerating the bad is usually a bad idea, since it is to easy to change what is "bad". We enumerate the good with firewalls, why should software security be any different? Distro repository + corperate repository should cover all software necessary, right?

Will we now see true evolution of software viruses?

This is pretty much #1 and #2 in this list of The Six Dumbest Ideas in Computer Security.

Can someone explain what this means?

[yuna49]

Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc.

What exactly is a "non rules-based monitoring process?" I thought I had some clue about security procedures, but I'm be hard pressed to describe what such a process might be. Even more importantly, what would it cost to implement? TFA is no help here, consisting of the usual hand-waving about the never-ending arms race between malware writers and the rest of us.

We all know what the most effective solution to this problem would be. Funny how it's never mentioned in any of these articles.

Re:Can someone explain what this means?

[ratboy666]

Actually, it is "rules". But, it is not "patterns".

Specifically, http outbound access should be allowed for firefox. The firefox binary is /usr/bin/firefox, and has an md5 signature of 64b6c465f9919e1fa860707fb762cff2. If the signature changes (without having updated the program), a security alert is raised. And that name/hash combination is allowed outbound port 80 access.

Basically, security should be SElinux and Tripwire. Those two tools (or equivalents on alternate Operating Environments) cover most of the threats.

Malware cannot then hide as an existing program. New programs should have strict security profiles that prevent "excess" (network, disk, cpu, memory) usage.

It would be possible to create malware, but it would be worthless, in the sense that the resources that could be misappropriated would be minimal (note that Unix and Unix-like systems have had ulimit for ages -- SElinux expands on the idea). A particular malware COULD attempt escalate to root, but SElinux would prevent the attempt to escalate the "usual" way. Specifically, firefox has NO REASON to gain root, and this can be prevented.

What would the worst malware look like in this senario? A javascript in firefox because it can do almost unlimited port 80 access. Email can be limited to qmail or sendmail (and even further limited by the expected amount).

Unix-like systems (with the exception of MAC OS X, which frightens me a bit) are heading here. Intrusion alert systems coupled with execution limiting, role based security systems (apparmor and selinex).

"AppArmor is an application security tool designed to provide an easy-to-use security framework for your applications. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies, called "profiles", completely define what system resources individual applications can access, and with what privileges. A number of default profiles are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor profiles for even very complex applications can be deployed successfully in a matter of hours."

Of course there is no need for malware detection with this model. Tripwire already does a better job than any "anti-malware" program could, because it snapshots the OK state of all files. *anything* that differs is then suspect. AppArmor/SElinux provides for the expected BEHAVIOR of all programs. If they differ, they are suspect.

As you have probably noted, this protection does not accomodate "rootkits". However, a rootkit cannot be "defended" against, or even detected when running under it (at least if it is a reasonably well done rootkit). But this simple approach will eliminate all, or almost all, malware seen in the wild. With no need for anti-malware updates, or subscriptions, etc.

It's just the anti-virus companies claiming that.

[khasim]

That way they can keep selling you "updated" "signature files" every hour / day / week / month / year.

The correct way to handle this is to set up your system so that the user cannot ACCIDENTALLY execute any external code.

There's no way to solve the issue of some idiot clicking on everything and putting in the root password whenever asked. So don't bother bringing that case up.

For everyone else, lock the OS files so that it cannot be infected and set the user writable portion to not execute any code. There, the majority of that problem is solved.

Then, ship the default installation without any open ports and you've pretty much solved the worm issue.

But that approach means that the anti-virus companies cannot keep selling you new signature files. So don't expect any of them to support it.

Is I told you so a meme?

[zappepcs]

All my posts about malware and virus software for some time have been doom and gloom. Seems moderators don't like that. This is nothing but the tip of the iceburg of what might be coming, and what is probably already in the wild, we just don't know it yet. I could probably think of a dozen scenarios where malware could already be hiding on your equipment, silently waiting to be signaled.

It's possibly in your router's flash by now, or your motherboard's flash, or sitting on a CD or CE player's flash, or an MP3 player. It only has to wait till it needs to start spreading, and be dormant there too, then one day you notice missing files, or there is an outbreak of serious malware globally. Yes, tinfoil hat stuff, but it is possible, and as time ticks on it is becoming more probable.

Nobody wants to believe it, but it is possible. If it is possible, it will only be a matter of time...

A Blast from the Past....

[NullProg]

1991
        Tequila is the first widespread polymorphic virus found in the wild. Polymorphic viruses make detection difficult for virus scanners by changing their appearance with each new infection.


Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc."

Its called heuristics and its been in use for a while.

Enjoy,

Re:It's just the anti-virus companies claiming tha

[nbert]

The correct way to handle this is to set up your system so that the user cannot ACCIDENTALLY execute any external code.

Would be rather trivial to implement in XP or Vista (and I'd love it, because it would reduce the number of calls off duty. On the other hand every employee would hate it and they might call me even more because they can't download "useful" stuff). But in the end this is not the most common source of malware/virii anymore. Cross-site-scripting accompanied by security holes in common plugins causes way more compromised systems. Bugs in Flash or quicktime in earlier versions make it extremely easy to infect a system without the user noticing. When I look at the stats of my website I could infect 50 visitors by week without much effort, because they run old versions of Flash (I'm not talking about the website I list in my profile). The so called "Russian Business Network" offered $ 0.10 per infected user last year. Might be just 5 bucks per week for my small site, but in the end I must say that it has never been easier and more profitable to infect IT systems (and no, I didn't take the money).

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:It's just the anti-virus companies claiming tha

[ka9dgx]

The user has two options... click or don't.

How about giving the user more choices? You might want to let them run it in a sandbox, or run it without internet access, or chroot it.

If they had a way to express their intent, and actually control how much they give away when they click... it would go a VERY long way towards fixing things, probably 99%.

--Mike--

Re:It's just the anti-virus companies claiming tha

[adisakp]

How about giving the user more choices? You might want to let them run it in a sandbox, or run it without internet access, or chroot it.

If they had a way to express their intent, and actually control how much they give away when they click... it would go a VERY long way towards fixing things, probably 99%.

Have you ever tried Comodo's free firewall or free antivirus???

Both of them use whitelisting / safelists. Anything not whitelisted needs explicit permission from the user before they're able to read/write/delete/create a file or directory or access the internet. These two FREE (as in beer) products literally give you a similar level of control over what runs on your computer.

The Comodo antivirus doesn't work on Vista right now but will soon. Then again, this is Slashdot so we're all running XP right ?!?

For sandboxing, you can use VMWare Server (free as in beer) to generate an image to run in VMPlayer (also free as in beer) which you can then use within Windows. If you get VMWorkstation (not free but well worth it), you can get fine-grained control over snapshotting.