How Viruses Evolve Into All-Purpose Malware
KingofGnG writes "Computer threats are continuously evolving, and some malicious codes are a problem difficult to tackle because of their inherent complexity and an intelligent design capable of constantly putting under pressure security companies. A remarkable 'intelligent' threat is for instance Sality, the 'new generation' file virus that according to Symantec has practically turned into an 'all-in-one' malware incorporating botnet-like functionalities as well."
... at "according to Symantec."
Our immune system has an advantage over virii and bacteria due to our greater cell specialization and intelligent response. The problem with modern botnet malware is that the infecting agent can actually be more intelligent and reactive than the host it's infecting.
Call me defeatist, but I believe there is no way the whitehats can out-manoeuvre the blackhats with software-only solutions. The increasing complexity of modern systems ensures that the security holes will only grow, not diminish. But maybe the next software "update" will solve all our problems this time?... The only permanent solution I can see is mass deployment of airgapped two-factor tokens specifically for transaction authentication, not generic OTP, which the trojans are bypassing. This is the only security where I can guarantee what I am authenticating, by looking at an airgapped device. I find it increasingly difficult to justify the performance loss of running anti-malware software for the ever-diminishing protection offered.
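The distinction the comment draws, a generic OTP versus a code bound to the transaction the user reads off an airgapped display, can be shown in a few lines. The following is an added example and not code from the thread: it assumes (constructed for this example) that the token and the bank share a secret, that the token computes a 6-digit code by HMAC-SHA256 over the counter plus the recipient and amount it displays, and that the bank recomputes the code over the details it actually received. The key, the counter and the transactions are made up.

```python
"""Added example: generic OTP versus transaction-bound code under a trojan
that rewrites the transfer after the user has approved it.
All secrets and transaction values below are constructed for the example."""
import hashlib
import hmac
import struct

SHARED_SECRET = b"constructed-demo-secret-not-a-real-key"   # constructed


def truncate_to_code(digest: bytes, digits: int = 6) -> str:
    """Dynamic truncation in the style of HOTP (RFC 4226): take 31 bits at an
    offset chosen by the low nibble of the last byte, reduce mod 10^digits."""
    offset = digest[-1] & 0x0F
    word = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % (10 ** digits)).zfill(digits)


def generic_otp(secret: bytes, counter: int) -> str:
    """Counter-based OTP: proves possession of the token, but says nothing
    about *which* transaction is being approved."""
    msg = struct.pack(">Q", counter)
    return truncate_to_code(hmac.new(secret, msg, hashlib.sha256).digest())


def transaction_code(secret: bytes, counter: int, recipient: str, amount_cents: int) -> str:
    """Transaction-bound code: the details shown on the airgapped display are
    part of the MAC input, so changing them on the PC changes the expected code."""
    msg = (struct.pack(">Q", counter) + recipient.encode() + b"\x00"
           + struct.pack(">Q", amount_cents))
    return truncate_to_code(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_accepts_generic(secret, counter, code_from_user, recipient, amount_cents):
    """The bank can only check that the OTP is valid for this counter."""
    return hmac.compare_digest(generic_otp(secret, counter), code_from_user)


def bank_accepts_bound(secret, counter, code_from_user, recipient, amount_cents):
    """The bank recomputes the code over the recipient and amount it received."""
    expected = transaction_code(secret, counter, recipient, amount_cents)
    return hmac.compare_digest(expected, code_from_user)


def simulate(tampered: bool) -> dict:
    """User approves a constructed transfer on the token; a trojan on the PC may
    swap recipient and amount before the request reaches the bank."""
    intended = ("ACME-1234", 5000)                       # constructed
    received = ("MULE-9999", 99900) if tampered else intended   # constructed
    counter = 42
    otp = generic_otp(SHARED_SECRET, counter)
    bound = transaction_code(SHARED_SECRET, counter, *intended)
    return {
        "generic_otp_accepted": bank_accepts_generic(SHARED_SECRET, counter, otp, *received),
        "bound_code_accepted": bank_accepts_bound(SHARED_SECRET, counter, bound, *received),
    }


if __name__ == "__main__":
    print("untampered:", simulate(False))
    print("tampered:  ", simulate(True))
```

With an untampered request both checks pass; once the trojan rewrites the recipient, the generic OTP still verifies (it never covered the details) while the bound code fails, which is exactly the property the comment wants from "what you see is what you authenticate".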
I'm still confused about this whole concept of computer security. No other aspect of my life is particularly secure - why should I expect my computer to be secure? More to the point - why should I expect someone else to provide that security? In every other part of my life, my security is up to me to arrange and maintain. In my job, in my relationships, in my retirement, in my health - it's all up to me. Why do we think our computers will be different?
Our immune system has an advantage over virii and bacteria due to our greater cell specialization and intelligent response.
First of all, you're only half-right here. Our bodies evolve diverse ecosystems of bacteria, actually varying quite a bit from person-to-person. The difference is that when we transmit bacteria from person-to-person, we might make each other sick, but that's unavoidable and actually healthy, to an extent -- it boosts our immune response. Computer systems don't get smarter when they get owned, and the risk seems much higher. (It won't kill you, but it could ruin your life, and it could ruin many lives very quickly, while in first world countries, deadly epidemics are far less common.)
Also, Apple's approval process doesn't have to restrict users from having the option to install third-party software. It just has to provide a good, safe marketplace so that users can choose to only install Apple-vetted software.
Don't thank God, thank a doctor!
I think we are at a point where we cannot really distinguish between virus or spyware or scareware or whatever. Viruses have already started doing what spyware was doing a couple of years ago. I mean, it sounds just pointless that we distinguish them. A bad program is a bad program. It does not matter what we call it. Guys at StopBadware came up with a good term a few years ago: badware. It does not matter to the end user what it does!
The only solution.
'Cause nothing runs on a mac.
*gigglesnort*
I know evolution is a much-abused word, but TFA itself states "some malicious codes are a problem difficult to tackle because of their inherent complexity and an intelligent design". Let's give the Intelligent Designer some credit, even when he's a malevolent one. This virus is not going to "evolve" into another form any time soon; it has simply been designed to make limited adaptations to local circumstances.
No left turn unstoned.
But is it GPL?
Dino
The code looks more like someone was juggling Swiss Army Chainsaws.
Face it, thanks to Open Sores we all get to suffer more malware and more powerful malware. If even Microsoft with all their programmers has a hell of a time keeping up with patches and all of that, how are average users going to stand a chance? Tell me again why closed source is such a horrible thing??
Because closed source is equivalent to the security-through-obscurity paradigm -- which never works and, worse still, is illusory. You are only asking to live in your la-la land when the reality is different.
Malicious people are going to develop such sophisticated attacks regardless of whether software is closed-source or open-source.
Making such exploits open-source lets us know what sort of channels are exploited. This leads to a better understanding of the weaknesses in the underlying protocol. This is where you have improved software that won't fall down like a house of cards when kicked at the shins.
With closed source -- you are trusting what? An obscure programmer who is under a deadline to push something out the door??
You probably are not even aware of how many times Open Sourcing has saved your a$$. Just because you pretend the problem doesn't exist, does not mean that your ignorance is the truth.
... It might be time for the OS to compartmentalize the browser, keeping the net enclosed from the main system within a virtual machine. This way, even if the "computer" were infected by malware, it would disappear when the VM was closed down. A whitelist of executables on the host machine would also go a long way to stopping malware, as would permanent logging/monitoring of unrecognized executables or DLLs being loaded, so they can be analyzed.
While not really an MS fanboy, the main reason why there's so little malware for OSS is because there's so little market. Malware is just like any software: They want to target a market as big as possible. Why are there so few commercial games for Linux? Same reason.
Besides, it's no longer about which system is more secure. The main question today is which system has the bigger number of completely ignorant users who click anything promising them dancing bunnies. And you can have the tightest, most restrictive security system in place; if the user has the root password and hands it to everything promising him a dancing bunny, the security is Swiss cheese. Windows, Linux, MacOS or whatever, if the user is a doofus, the system is easily compromised.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The problem with modern botnet malware is that the infecting agent can actually be more intelligent and reactive than the host it's infecting.
This is the absolute best place to start when fighting malware. Educate the user, even if it's just "stop letting your kids use LimeWire to download music/movies/apps/trojans/viruses".
Most of the issues that Joe User experiences are completely explainable as PEBKAC.
--
Problem Exists Between Keyboard And Chair. Abort, Retry, Explode?
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
You're certainly right that a sufficiently motivated idiot can compromise any system, but the system designer could probably mitigate the problem of idiot users (dancing bunnies, etc. in their inbox) into irrelevance.
It's just shoddy design that .doc files with macros can be opened directly in MS Word without any kind of sandboxing of the file system to prevent macros from rooting around the file system for other documents to infect. The way I see it, you could have a more fine-grained privilege system where it isn't all-or-nothing, but where some documents (files) get more privilege to "do things" based on where they're from (inbox, local file system, remote file system, etc.). Of course you'd need some way to elevate/demote the amount of trust you (as a user) have in a document. This could perhaps be exploited by spammers/scammers, but if most of the documents your average user receives in their email run fine with the lowest possible privileges, then they'd at least be more likely to actually notice when a document in their inbox needed elevated privileges to function. (As opposed to now, where you'd get the exact same warning for every single document in your inbox regardless of the document. So your average user just learns to click "Yes, I know what I'm doing" without even reading the dialog box.)
(I'm not saying things are much better in Linux land, it's just easier to make the point using MS Word .doc's as an example since Linux email clients don't tend to be quite as fast & loose with loading documents/attachments.)
HAND.
Quite frankly, having the source doesn't help exploits much, or at least not nearly as much as it helps in correcting exploits. The reason for this is that most of the common methods for injecting code into privileged apps are extremely complex and rely on several different parts of the code being in a certain key state to take place. So save for 1) being a literal genius or 2) having a ton of experience in knowing where security problems in coding tend to pop up (and even then, you will miss most), code review doesn't help much in finding actual exploits (although it can be instrumental in determining if the architecture of the code is exploit-prone, so again, better for the whitehats than blackhats).
The easier way to look for exploits now is to automate the app and then find ways to make it crash or otherwise misbehave/not behave as intended. If you can find a way to make it crash, especially segfault etc., you have found a bug that is likely to be exploitable. Many security researchers and firms have clusters of automated programs crunching night and day trying to find ways to make apps crash/trigger unusually high exceptions/looking for other signs of misbehavior.
Another good way is to look for certain patterns. For example, a .NET app that makes lots of disorganized unsafe calls to unmanaged code is a good shot (probably a newb or incompetent programmer (disorganized) treading on dangerous ground), and you can monitor all of this just fine, if not more easily, sans source, with standard debugging tools for the OS you are on (doesn't matter which).
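The "automate the app and make it crash" approach the comment describes is, in today's terms, fuzzing, and it is as useful to the defender testing their own parser as to anyone else. The following is an added example, not code from the thread: a minimal mutation fuzzer run against a constructed toy record parser that trusts its length field (the planted defect), and against a hardened version of the same parser that validates lengths and fails with a controlled error. The record format, the seed input and the bug are all made up for this example.

```python
"""Added example: a mutation fuzzer finding a crash in a toy parser that
trusts its length field, and finding nothing in the hardened parser.
The format [type:1][len:1][value:len] and the seed are constructed."""
import random
import traceback
from collections import Counter


def parse_records(data: bytes) -> list:
    """Planted defect: the declared length is trusted, so a short buffer
    raises IndexError from deep inside the parser."""
    records, offset = [], 0
    while offset < len(data):
        rtype = data[offset]
        length = data[offset + 1]            # IndexError if the header is truncated
        value = data[offset + 2: offset + 2 + length]
        checksum = 0
        for i in range(length):              # IndexError if value is shorter than declared
            checksum ^= value[i]
        records.append((rtype, value, checksum))
        offset += 2 + length
    return records


def parse_records_safe(data: bytes) -> list:
    """Hardened version: every length is checked against the bytes actually
    present, and malformed input is rejected with a ValueError."""
    records, offset = [], 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        rtype, length = data[offset], data[offset + 1]
        end = offset + 2 + length
        if end > len(data):
            raise ValueError("record at offset %d declares %d bytes, only %d left"
                             % (offset, length, len(data) - offset - 2))
        value = data[offset + 2:end]
        checksum = 0
        for b in value:
            checksum ^= b
        records.append((rtype, value, checksum))
        offset = end
    return records


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation: overwrite, insert or delete a byte, or truncate."""
    buf = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif choice == 2 and buf:
        del buf[rng.randrange(len(buf))]
    else:
        buf = buf[:rng.randrange(len(buf) + 1)]
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> Counter:
    """Run `target` on mutated inputs and count crash signatures (exception
    type plus the line it was raised on). A ValueError is the parser rejecting
    input on purpose and is not counted as a crash."""
    rng = random.Random(rng_seed)
    crashes = Counter()
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            target(sample)
        except ValueError:
            continue
        except Exception as exc:
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            crashes["%s at line %d" % (type(exc).__name__, frame.lineno)] += 1
    return crashes


SEED = bytes([1, 3, 0x61, 0x62, 0x63, 2, 1, 0x78])   # constructed: two valid records


def crash_types(target, seed: bytes = SEED) -> set:
    """Distinct exception types the fuzzer provoked in `target`."""
    return {sig.split(" at ")[0] for sig in fuzz(target, seed)}


if __name__ == "__main__":
    print("buggy parser:", fuzz(parse_records, SEED))
    print("hardened parser:", fuzz(parse_records_safe, SEED))
```

Grouping crashes by exception type and source line is the cheapest form of the triage the comment alludes to: one signature usually means one bug, however many mutated inputs reach it.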
Our main advantage is that we're all slightly different from each other, so diseases can't usually spread to everyone. The computing world, with its 94% Windows market share, lacks this feature and is thus suffering a permanent Irish potato famine.
Security through obscurity does work much better than open source (when measured in the number of man hours required to break a system).
The problem comes in that obscurity lends a sense of invulnerability, which is false, and the designers of obscure systems don't try as hard as the open ones.
When I am charged with designing a system that is "secure enough," obscurity adds a layer of protection. I try to ensure that there are no embarrassing holes, but at the end of it all, any system, open or closed, is vulnerable unless you control the hardware and monitor it. No matter how clever or strong a lock is, it can always be bypassed.
Always, the market share argument. And, it's more than half bullshit.
There are little geeky dweebs living in their mothers' basements all over this world who would LOVE TO HAVE BRAGGING RIGHTS. Just being known as "The guy who reliably hacked Linux" would be a wet dream come true for them.
And, they haven't done it yet.
Yeah, market share. But, real hackers aren't interested in low hurdles, they are looking at the pole vault.
Take your market share argument, roll it up and smoke it. That's about all it's good for.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
Two points:
* OS security is dependent on white hats finding exploits faster than black hats. That is not a guaranteed feature and shifts it back to security through obscurity, even if the obscurity is in plain sight.
* Most people download OS binaries and not source that they examine and compile themselves. A binary can of course contain evil stuff. There were a few issues with forks of p2p clients that included malware but which had sanitized source online. Again, obscurity and the illusion of peer-reviewed software.
Remember: ALL security is through obscurity (you hope the attacker does not have the knowledge of how to crack the system) and is an illusion (because you are never guaranteed that he does not have it).
basically, same la-la-la-land of having secure system.
-- Technology for the sake of technology is as pathetic as eschewing technology because it's technology.
A summary that mentions "evolving" and "intelligent design" in the same sentence?
Now that really is impressive (and guaranteed to upset both Darwinists and Creationists at the same time)
Boffo! A good one!
"She's furniture with a pulse"
"the main reason why there's so little malware for OSS is because there's so little market ..."
There's some truth to that. But speaking as someone who actively developed and consulted on anti-virus software back in the heyday of MS-DOS 5 and 6.22, I'll share my opinion. I freely admit that things have changed over the years, and that my knowledge is old. But I feel that the basic problems and principles are still the same.
1. Basic philosophies: Microsoft, and thus Windows, basically started on individual, personal computers. The system then "grew up" over the years. 'Nix, by contrast, has its roots in multi-user, multi-tasking environments that were more secure to start with. So ... from bootup to desktop, Unix is more secure BY INHERENT DESIGN. Windows has to *add* security to an inherently *insecure,* wide-open system. That's a critical distinction that many people miss.
2. I argued back in the DOS era that it was possible to stop most malware. My partner and I wrote a three-tiered system: (1) an "inoculator" that did integrity checking on "injected" executables; (2) a behavior blocker that literally patched the DOS kernel (deep inside!), but which granted a pass to any executable that passed a CRC test of an injected file, thus preventing false alarms; (3) an MBR with self-checking boot code. At the time (mid-80's), I could not find a virus that could get around it and infect the system.
I don't say that to boast, but to make a point: if a couple of ordinary guys could write something that effective, why couldn't the Big Boys? It was an argument I made all the time back then, and I still make it now.
People want scanners, even though they are REACTIVE, and not PRO-active. They like the positive assurance of running the scanner and seeing the happy-face, "your system is clean!" dialog. Our system, by contrast, never said a word as long as the system was uninfected. No one wanted it.
I could say a lot more (and I may later, if this thread is still living), but I've got to head to work.
Cogito, igitur comedam pizza.
Care to back it up? I have here a rather extensive amount of samples per day flooding me, more than I can sensibly analyze away (fortunately 99% are just variants of something I already have). And nearly all of them rely on social engineering at some point. And all of them are for Windows.
These asshats writing malware are not "real hackers". They're businessmen, plain and simple. They don't give a fuck whether they compromise your machine or the one of the doofus next to you. Actually, the doofus is more interesting because he probably cares less about security than you do and hands him more info.
Of course, cracking the shell of a Linux box (pardon the pun) wins you the holy grail of hackerdom, and you gain cred by the truckload. But that's not the point here. Nobody writing malware cares for fame. Quite the opposite.
It's a business. Take a look at RBN, as a prime example of how it's done. Do you think these guys care about hacker cred? Do you think they aim high at the pole vault to "prove" something? They couldn't give less of a fuck about your opinion about them. They do it for the money. Plain and simple.
Very true. I'd love to chat with you and see how the biz grew. I've only spent the last 10 years in AV development/analysis (so I didn't really do any thorough research for those good ol' TSR malware, and the file infectors are also few and far between these days), so I'm pretty ignorant of the "old days". Your argument is pretty solid and works for DOS. It does not, cannot, for Windows for a simple reason: multitasking, and very different ways to hide malware.
Back in the DOS days, and please inform me if I'm wrong, there was a rather limited number of ways where you could sensibly put your malware if you wanted it to run "constantly". Off the top of my head, I can only think of two: MBR and TSR programs. Now, MBRs are easily inoculated: you don't change them often, so it's sensible to simply lock them. Most mainboards back then offered that option already, so that was easy to plug. TSRs also needed to be started, and in DOS there were rather few ways to start TSRs (reliably, not relying on the user to execute an infected file): Config or Autoexec. Anything else?
TSRs don't exist anymore. You simply have "normal" programs running next to the other programs you're using. And for some reason MS considered it necessary to allow the starting of those programs in a few dozen different places. Aside from the Autorun folder and the Run registry keys, you could fake it being a shell extension (which also allows you to neatly ensure your malware starts before any AV kit would). Or you could make it a driver and slip it into the non-PnP driver section. A neat way to get a rootkit into the system. Or a few others (I guess you understand that I don't want this to turn into "Malware writing 101"). There is literally so much crap running on the average machine that nobody really ever notices just WHAT gets started. Anyone interested in checking out what his Windows machine is loading may take a look at autoruns (Google is your friend), and that's not even all of it!
Patching the kernel is not a good idea either. First of all, MS does not really like it if you do it. And the next time you're patching Windows, all hell might break loose. Either the patch fails because MS doesn't recognize your version. Or they patch it and your kernel patch breaks. Or, the most likely version, the system is trashed.
I think a suitable analogy is that DOS was a nice little cot where you had a door and maybe a window (if you cared to make one), and putting a guard there was pretty easy. Plus, if there was someone in your little room with you that didn't belong there, you could quickly spot him because, hey, there's nowhere really to hide. Windows today is a king's castle with about as many doors, windows and balconies, and all of them offer a burglar access to it. Plus it's so friggin' huge that he can spend a whole day stealing crap and you wouldn't even know he's here because you'll never encounter him while ambling through your huge mansion.
This is false. Windows NT was built from the ground up as a "multi-user, multi-tasking environment". With a design superior to the traditional UNIX security model.
2. I argued back in the DOS era that it was possible to stop most malware. My partner and I wrote a three-tiered system: (1) an "inoculator" that did integrity checking on "injected" executables; (2) a behavior blocker that literally patched the DOS kernel (deep inside!), but which granted a pass to any executable that passed a CRC test of an injected file, thus preventing false alarms; (3) an MBR with self-checking boot code. At the time (mid-80's), I could not find a virus that could get around it and infect the system.
How does your system prevent end users willingly infecting themselves (probably 90% of contemporary malware infections)? How is the CRC whitelist both protected from modification, but also kept current?
The malware landscape today is vastly different from what it was then.
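The "inoculator" described above, the host whitelist-plus-logging idea from an earlier comment, and the reply's two questions (how is the list protected, how is it kept current) can all be illustrated with one small integrity checker. This is an added example, not code from the thread or from the poster's DOS-era product. It assumes (constructed for this example) that the files to protect live under one directory, that the baseline is a JSON map of relative path to SHA-256 rather than a CRC, and that the baseline is sealed with an HMAC under a key the scanner holds but ordinary software on the scanned system does not; keeping the list current then means re-running the baseline step under that key after a legitimate install. File contents and the key are made up.

```python
"""Added example: an HMAC-sealed file-integrity baseline that reports modified,
unknown and missing files, and refuses a baseline that has been edited.
All files, contents and keys here are constructed for the example."""
import hashlib
import hmac
import json
import os
import tempfile

BASELINE_KEY = b"constructed-baseline-sealing-key"   # constructed; keep off the scanned host


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """The 'inoculation' step: record a hash for every file under root."""
    entries = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            entries[os.path.relpath(path, root)] = sha256_file(path)
    return entries


def seal(entries: dict, key: bytes = BASELINE_KEY) -> str:
    """Serialize deterministically and attach an HMAC, so any edit to the
    list is detectable and only a key holder can publish a new baseline."""
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"entries": entries, "hmac": tag}, sort_keys=True)


def unseal(blob: str, key: bytes = BASELINE_KEY) -> dict:
    """Verify the HMAC before trusting a single entry."""
    doc = json.loads(blob)
    body = json.dumps(doc["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc.get("hmac", "")):
        raise ValueError("baseline failed integrity check; refusing to use it")
    return doc["entries"]


def verify(root: str, baseline: dict) -> dict:
    """Compare the current tree with the baseline: modified (hash changed),
    unknown (not in the baseline; the 'log everything unrecognized' case)
    and missing."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "unknown": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: inoculate two files, then simulate a file infector
    appending to one, a dropped unknown file, and a forged baseline that tries
    to whitelist the change."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "app.exe"), "wb") as f:
        f.write(b"MZ constructed program bytes")
    with open(os.path.join(root, "helper.dll"), "wb") as f:
        f.write(b"MZ constructed library bytes")
    sealed = seal(build_baseline(root))

    with open(os.path.join(root, "app.exe"), "ab") as f:     # infector appends itself
        f.write(b" + appended payload")
    with open(os.path.join(root, "dropper.exe"), "wb") as f:  # new, unrecognized file
        f.write(b"MZ unknown")
    report = verify(root, unseal(sealed))

    forged = json.loads(sealed)                               # attacker edits the list
    forged["entries"]["app.exe"] = sha256_file(os.path.join(root, "app.exe"))
    try:
        unseal(json.dumps(forged))
        forgery_detected = False
    except ValueError:
        forgery_detected = True
    return report, forgery_detected


if __name__ == "__main__":
    print(demo())
```

The report answers the first part of the reply's question (a changed hash and a dropped file are both flagged) and the HMAC answers the second: a baseline edited without the key does not verify, and a legitimate update is simply a fresh `seal(build_baseline(...))` produced by whoever holds it. It does nothing about a user who runs an installer on purpose, which is the reply's other point.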
With closed source -- you are trusting what? An obscure programmer who is under a deadline to push something out the door??
As opposed to an obscure programmer who has no interest in fixing a problem because it's boring?
There are little geeky dweebs living in their mothers' basements all over this world who would LOVE TO HAVE BRAGGING RIGHTS. Just being known as "The guy who reliably hacked Linux" would be a wet dream come true for them.
Most of the time it isn't the OS being "hacked", it's the user.
And, they haven't done it yet.
Yes they have. There are/have been hundreds - thousands - of exploits for Linux and Linux software. The difference isn't the existence or non-existence of exploits, it's the user demographic. This is particularly true today when most "exploits" are social engineering, not software flaws or bugs.
This is false. Windows NT was built from the ground up as a "multi-user, multi-tasking environment". With a design superior to the traditional UNIX security model.
In theory, yes. And up to NT4.0 it might even have been (forgive me, my knowledge of the NT line before 2k is rather fuzzy as it has never really been the mainstream line for malware... probably for just that reason).
With the merger of the 9x line with the NT line in 2k, we got, security-wise, the worst of both worlds. In other words, essentially, the 9x security. For reasons of compatibility. And it's not even MS's fault. If you want to blame that security blunder on someone, blame it on the third-party software writers who were lazy enough to assume they have root rights and full access to anything, who scribbled their crap keys into the machine rather than the user tree, who dumped DLLs into the system directory and who simply assumed they have full read/write privileges everywhere, from the Windows to the Program Files directory.
That problem still sticks to our boots like dog shit up to Win7. Only that now MS made it convenient to switch between limited and full access rights. But only between this. All and nothing. There is still no sensible "limited" privileges system that the user can easily choose when he only wants to install a program... but then again, try to find a game these days that doesn't want to crap a driver for its protection system into your non-PNP driver list.
But even if Win7 had the security and fine grained privileges system that it maybe even has: What Joe Randomuser could possibly make use of it? I'm already happy if he grasps the idea of different privileges at all, and when I somehow get it through his skull that clicking "allow" is something he should reserve to program installations... but even then, he cannot make that decision! And that's the core problem, as you have pointed out anyway (and I guess we're in agreement here): The user is the problem. Not the system.
And no, you cannot give an unclued user "enough information to make an informed decision". He doesn't even understand what you're saying! And he is not willing to listen. He will not read pages after pages of text that could probably even tell him whether or not it would be a good decision to click yes or no. After years of cryptic, nonsensical error messages, the user is no longer willing to read them. Anyone who ever worked in tech support will tell you: Users close error messages without even reading them. "What was the error message?" "Dunno, I closed it, didn't make sense to me so I didn't read it". Error messages make people feel dumb because they cannot understand them. And years of error messages that didn't make any sense to them taught users that they do not want to read system popups. They make you feel dumb, so close them as fast as you can. That's the message the user gets from them.
With the merger of the 9x line with the NT line in 2k, we got, security-wise, the worst of both worlds.
There was no "merger" outside of the marketing department. The security model of NT remains the same today as it was at its release (albeit with a few UI tweaks like UAC). Your premise is broken. Broken third party applications are not something that the OS or OS vendor can control.
The rest of your post essentially boils down to what I've always said - you can't secure a system where an ignorant user has full control.
I thought we were talking about working exploits. Things that work. Of course there are thousands of exploits. They are found, they are fixed, they are forgotten. Unlike Windows. Having an exploit doesn't get you into a box, after all.
Whatever. You guys keep trotting out the tired argument that it's all about market share. Linux' market share keeps growing, but the malware market share for Linux remains near zero.
As opposed to an obscure programmer who has no interest in fixing a problem because it's boring?
Nope, not really. With open source, you will usually have someone out there who needs to plug that hole because they have a genuine need for it for some reason. They migrate their solution upstream, where it ends up benefiting all.
True, open source also results in abandoned works. But the very fact that you have the code available means that if you take interest, you can do anything with it (or even own and direct its development) as opposed to a black-box that is closed-source. You just have a binary and you are stuck with it, if your programmer abandons it.
Open source is not always a polished alternative - something that closed source can always do better. But Open Source is always a fundamentally superior alternative -- because knowledge only grows when shared and incorporated with other's opinions.
This is one of the reasons why academia seems to embrace Open Source widely - because no where else is the value of collaboration more recognized.
Nope not really.
Yep, really. Or, at least, as frequently as your stereotype is also true. You do realise the majority of widely-used open source code is written by the same kinds of people writing closed source code, right? People being paid to do it by companies like Red Hat?
I thought we were talking about working exploits. Things that work. Of course there are thousands of exploits. They are found, they are fixed, they are forgotten. Unlike Windows. Having an exploit doesn't get you into a box, after all.
Windows exploits are fixed regularly and frequently.
Whatever. You guys keep trotting out the tired argument that it's all about market share. Linux' market share keeps growing, but the malware market share for Linux remains near zero.
It's primarily about user demographic, infection rates and consequences. "Market share" is just a simpler way of capturing those things. Most "exploits" do not leverage unpatched software bugs or flaws.
Agreed...the market share argument has been more than destroyed. It boils down to the three little pigs...the third house stood because of its construction integrity. File system engineering and permissions make Linux more secure...Runaway nailed it. Vista tried to get its users to deal with admin rights and users squealed like the first two little pigs. When the PWN 2 OWN competition ended in 2008, Linux remained untouched. The hacker involved stated that if he had "another 20 minutes" The laptop running Ubuntu 7.10 would have fallen. Well, it's been two years. I haven't heard a word from the people who made the twenty minute claim. Seems they would have announced that breakthrough. They haven't and they won't... However, there is no guarding against a stupid computer user...any OS is insecure when the user gives rights to a script or app. Yeah, the market share argument gets old and most of us just roll our eyes when it is trotted out. Sometimes it just doesn't seem worth it to correct another person who refuses to think a matter through.
Windows assumes you are an idiot...Linux demands proof.