Slashdot Mirror


The Rise of Polymorphic Malware

twoheadedboy writes "The level of aggressive, polymorphic malware intercepted by Symantec doubled in July, when compared to figures from six months ago. This kind of malware has been typically found inside an executable within an attached ZIP file disguised as a PDF file, and is pretty darn good at getting around traditional anti-virus products. 'There are powerful Darwinian forces acting on the development of malware by criminals,' said Martin Lee, senior software engineer at Symantec. 'Those who look to innovate and improve their malware tend to infect more computers and acquire the resources to reinvest in further development and innovation.'"

202 comments
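What "polymorphic" means in the summary above, shown as an added illustration that is not part of the article or of any comment: the same payload is re-encoded under a fresh random key on every generation, so the stored bytes (and their hash) differ each time while the behaviour is identical. The payload is a constructed harmless string, the XOR scheme is a stand-in for whatever encoder real samples use, and the two `*_signature_hit` functions are assumed toy scanners, one matching the file as stored and one matching after decoding.

```python
import hashlib
import os
from typing import Optional

# Constructed stand-in for a malicious payload: plain text, so the demo is harmless.
PAYLOAD = b"echo this is the payload the scanner is looking for"


def encode_variant(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Produce one 'generation' of the sample: a one-byte key length, a random
    XOR key, then the payload XORed with that key. Every call yields different
    bytes for the same behaviour, which is the property the summary calls
    polymorphic. (Toy scheme for illustration, not any real sample's encoder.)"""
    key = key or os.urandom(16)
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return len(key).to_bytes(1, "big") + key + body


def decode_variant(blob: bytes) -> bytes:
    """Inverse of encode_variant: what the decoder stub does at run time."""
    klen = blob[0]
    key, body = blob[1:1 + klen], blob[1 + klen:]
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def static_signature_hit(sample: bytes, signature: bytes) -> bool:
    """Classic AV approach: look for a fixed byte pattern in the file as stored."""
    return signature in sample


def emulated_signature_hit(sample: bytes, signature: bytes) -> bool:
    """What a scanner has to do instead: unpack or emulate, then match what runs."""
    return signature in decode_variant(sample)


def demo(n: int = 5) -> dict:
    """Generate n variants and count how each scanning approach fares."""
    sig = b"payload the scanner is looking for"
    variants = [encode_variant(PAYLOAD) for _ in range(n)]
    return {
        "distinct_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "static_hits": sum(static_signature_hit(v, sig) for v in variants),
        "emulated_hits": sum(emulated_signature_hit(v, sig) for v in variants),
    }


if __name__ == "__main__":
    print(demo())
```

Every generation hashes differently and the stored-bytes scanner misses all of them, while matching after decoding catches every one. Real engines get there by emulating or unpacking before matching and by signing the decoder stub, the one part that stays constant across generations; that is also why the development race the summary describes is largely about mutating the stub as well.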

  1. OOPS by mehrotra.akash · · Score: 2

    Virus writers discover OOP??

    1. Re:OOPS by Anonymous Coward · · Score: 1

      Polymorphic means "many forms"; it isn't just a programming concept (i.e. "runtime polymorphism").

    2. Re:OOPS by Anonymous Coward · · Score: 0

      Time to actually start hunting down these fuckers and give them a lead virus.

    3. Re:OOPS by snemarch · · Score: 1

      Context comprehension fail.

      See the other wiki article on polymorphism.

      --
      Coffee-driven development.
    4. Re:OOPS by Anonymous Coward · · Score: 0

      Sarcasm detection fail.

    5. Re:OOPS by snemarch · · Score: 1

      Sarcasm? On the intarwebs? Wow, that'd be a frist!

      --
      Coffee-driven development.
    6. Re:OOPS by Anonymous Coward · · Score: 0

      Time to actually start hunting down these fuckers and give them a lead virus.

      That would be nice. Invading Nigeria would be easy (though what we did when we got there would be tricky).

      Invading Russia and China would be hard.

      A better solution would be stricter and more limited communications between sections of the net demonstrated to have high sources of malware. Problem is it would also be used for censorship generally.

      Better financing controls would work--if the banks and merchants tacitly involved were actively denied access to the banking and credit systems, there would be far less profit in it. Add a more secure ID on credit cards and maybe SS cards--say a FOF system--and you'd be sweet.

    7. Re:OOPS by Anonymous Coward · · Score: 0

      No it wouldn't!

    8. Re:OOPS by MidGe · · Score: 1

      A better solution would be stricter and more limited communications between sections of the net demonstrated to have high sources of malware.

      But that would mean I could not access the US internet anymore as the US is one of the largest, if not the largest, source of spam, and therefore malware(?).

    9. Re:OOPS by lennier · · Score: 1

      It's not a fail, it's just late binding of method lookup...

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
  2. college drop outs by Anonymous Coward · · Score: 0

    so college drop outs have finally found a way to pay off all that school debt?

    1. Re:college drop outs by Anonymous Coward · · Score: 0

      Or in this economy, college grads even.

      Getting out of student loans is easy if you know how, and are willing to bend the rules. I was able to permanently evade over 30k in loans. It felt good being the one doing the screwing for a change, instead of getting screwed. It must be how bankers and Wall Street scum feel every day.

    2. Re:college drop outs by ChikMag777 · · Score: 1

      Proudly proclaiming what a deadbeat you are isn't going to win you any points around here.

    3. Re:college drop outs by Mitchell314 · · Score: 1

      Hm . . . I wouldn't be surprised if there was a +5 "I'm a deadbeat post" somewhere on /. .
      - Your friendly neighborhood dead beet

      --
      I read TFA and all I got was this lousy cookie
    4. Re:college drop outs by Anonymous Coward · · Score: 1

      When an individual does it, they are a deadbeat; when a corporation does it they get a bailout and the CEO gets a huge bonus.

    5. Re:college drop outs by treeves · · Score: 1

      When an individual does it, they are a deadbeat; when a corporation does it [they are also a deadbeat, but] they get a bailout and the CEO gets a huge bonus.

      Is more to my liking.
      As much pizza as I would like to eat, I still can't get up to "too big to fail" size.

      --
      ...the future crusty old bastards are already drinking the Kool-Aid.
    6. Re:college drop outs by Ihmhi · · Score: 1

      He's doing the exact same things corporations have done for hundreds of years. They've shrugged off their debts and destroyed our money, and I find it a bit difficult to speak out against someone who's decided to do the same thing back to them.

  3. It's 2011, don't open the attachment by ThinkWeak · · Score: 1

    It still blows my mind that people open attachments from individuals they do not know. Despite years of computer virus education and the general public becoming "aware" of tainted files and links, people still do it. They'll put "the club" on their car parked at a Walmart in the middle of no where, but open up random attachments and video links to spiders under the skin from people they don't know. Amazing.

    1. Re:It's 2011, don't open the attachment by m2vq · · Score: 1

      Yes, because all malware comes from emails, and you've never ever searched or done anything new or something you don't really know about on the internet.

    2. Re:It's 2011, don't open the attachment by Ross+R.+Smith · · Score: 1

      Never underestimate the stupidity of the human race.

    3. Re:It's 2011, don't open the attachment by fuzzyfuzzyfungus · · Score: 4, Insightful

      Given the frequency with which a cracked webmail account or compromised PC with an email client will immediately start spamming its former owner's entire address book, expecting the "people you know" rule to save you is fairly naive...

    4. Re:It's 2011, don't open the attachment by oneiros27 · · Score: 2

      My ISP e-mailed me 'my invoice' as an attachment last week, when they had previously sent a summary in text, and a link to their site to view the invoice.

      I e-mailed and told them that I wouldn't open attachments from them, and I wanted the plain, boring, text summary ... and I get a response back about how the invoice has always been PDF, and they closed the ticket.

      So, anyone know of any good ISPs in the Maryland/DC area? (and Verizon and Comcast don't qualify as 'good' in my opinion).

      --
      Build it, and they will come^Hplain.
    5. Re:It's 2011, don't open the attachment by Chemisor · · Score: 1

      If you use Adblock and Noscript, it is nearly impossible to get infected. Why that functionality is not in every browser and enabled by default I simply don't understand.

    6. Re:It's 2011, don't open the attachment by Culture20 · · Score: 2

      It still blows my mind that people open attachments from individuals they do not know.

      "But Culture20, the email came from you, and you're our systems administrator."
      "Did it contain my gpg/pgp signature?"
      "What?"
      "That gobbledygook at the beginning and end of all my emails that you apparently don't pay attention to."

      Malware spreaders using people's address books stand a good chance of faking an email from someone the target knows and trusts. Users are still surprised that identities can be faked in an email.

    7. Re:It's 2011, don't open the attachment by m2vq · · Score: 1

      If you use Adblock and Noscript, it is nearly impossible to get infected. Why that functionality is not in every browser and enabled by default I simply don't understand.

      Because it's a pain in the ass even for us geeks, and much more so for normal users. Built-in adblock with filters in every browser would also put most of the sites out of business, or they would start charging subscription fees to access their content. I'd rather take the possibility to install such myself if I want to, rather than destroy the existing "free" models that currently make the internet possible the way it is.

    8. Re:It's 2011, don't open the attachment by snemarch · · Score: 2

      AdBlock implemented default in browsers? Oh my an outcry there'd be... and there'd be a lot more incentive for trying to circumvent AB, leading to more websites where those of us running AB wouldn't have ads automatically blocked - ugh.

      NoScript is simply a too advanced feature for Regular Joe & Jane. They'd be confused to death why 90% of the internet suddenly breaks for them, and they don't have the skills to selectively whitelist just the non-dangerous stuff. If you think noscript is trivial, your whitelist is probably too permissive.

      --
      Coffee-driven development.
    9. Re:It's 2011, don't open the attachment by Anonymous Coward · · Score: 0

      Last major infection I got was from reading an article on a professional news site. I clicked the article link, my browser closed, and I was greeted by an unfamiliar "virus scanner" dialog. My guess is one of the embedded ads had been hacked. Took quite a while to remove the little bugger because it closed everything I opened.

      You can never be 100% safe. If the newest malware has been placed on a trusted site, all bets are off. While I'm leery of trusted computing, it would be nice to have something like a scrambled addressing scheme. When the app runs, its memory space (or alternately its data values) could be scrambled according to a value assigned by the OS, and any attempt to inject foreign code into memory will fail. I remember some early arcade games did this to make it difficult to disassemble the ROM code.

    10. Re:It's 2011, don't open the attachment by arth1 · · Score: 1

      If you use Adblock and Noscript, it is nearly impossible to get infected. Why that functionality is not in every browser and enabled by default I simply don't understand.

      How is Adblock and Noscript protecting against e-mail attachments?

      Only people engaging in rational thinking will stop this. And that isn't going to happen.

    11. Re:It's 2011, don't open the attachment by Nanosphere · · Score: 2

      Noscript functionality is in Chrome and IE, just not enabled by default. In Chrome go to Options > Under the hood > Content Settings and disable then add your white-listed domains. In IE it's a little more complicated, Internet Options > Security > Set Internet to HIGH then go to Trusted Sites and add your white-listed domains. Then go to Internet Options > Programs > Manage Addons > Toolbars and Extensions > Disable any addons you will not use, for addons you do use right click them > More Information > Remove all sites and add only white-listed domains.

    12. Re:It's 2011, don't open the attachment by Anonymous Coward · · Score: 0

      You mean "don't open the attachment in the attachment in the attachment." How the hell does an executable within an attached ZIP file disguised as a PDF get launched anyway?

    13. Re:It's 2011, don't open the attachment by CohibaVancouver · · Score: 5, Insightful

      If you use Adblock and Noscript, it is nearly impossible to get infected. Why that functionality is not in every browser and enabled by default I simply don't understand.

      I have good enough karma with Slashdot that I'm given the option to disable ads. I don't. Why? Because ads fund Slashdot and keep it free. If ad blockers were on by default most of the sites people like and use would go out of business.

    14. Re:It's 2011, don't open the attachment by Grishnakh · · Score: 4, Interesting

      While "the club" really isn't very effective as an anti-theft device, wanting to protect your car from theft at a Walmart is actually pretty sensible, as that's an extremely likely place for it to be stolen. And there's no such thing as a Walmart "in the middle of no where": Walmart always locates stores in locations where there's plenty of customers. Even if that's some small town, it's the nexus for a large number of customers from surrounding areas and towns, so just putting the Walmart there will draw lots of people to that place, and consequently it is no longer "the middle of no where", it's actually a giant gathering place.

      Here's a better anecdote: a couple months ago, I visited a place called Arcosanti, north of Phoenix in Arizona. It's a strange little artists' community built by an architect named Paolo Soleri, who has dreams of a Utopian city where everyone lives together in harmony in shared buildings (i.e., there's no separate houses, everyone has a small apartment, that kind of thing). His dreams are much bigger than the reality, which is a small community of people who've basically given up their normal lives to come live with him and, as they get enough money for concrete, build more of his vision. They basically live off selling some weird wind chimes they make there, and tour fees. Anyway, my wife and I went up there to check it out and take the tour, as it's a cool idea although not that realistic, and there were only two other visitors, one single woman and one older couple. This older couple pulled up into the parking lot right after us and parked next to us, and what did the man do when he stopped? He got out The Club and put it on his steering wheel! Now, keep in mind (take a look at Arcosanti on a map if you want), this place really IS "in the middle of no where": it's in Arizona's high desert, about 2 miles down a gravel road from the nearest civilization, which is nothing more than a couple of gas stations at an interstate exit, about 3 miles from a tiny development called Cordes Lakes, and about 20 miles from the nearest real town called Camp Verde. There really is nothing there, except some funny-looking concrete buildings with a few dozen residents, and it's probably the safest place for your vehicle to be in the whole state. The idea of needing additional vehicle security in such a place is laughable. Car thieves don't go out to remote destinations to steal peoples' vehicles, they go to population centers (i.e., cities), and crowded locations in those population centers such as shopping center parking lots, apartment parking lots, etc.

    15. Re:It's 2011, don't open the attachment by jdgeorge · · Score: 4, Insightful

      Isn't the problem that the application that renders the PDF/Flash/etc attachment has access to resources on the system that shouldn't be allowed?

      In other words, why aren't all attachments files rendered by applications running in a "jail"?

    16. Re:It's 2011, don't open the attachment by TheLink · · Score: 1

      I just run my browser as a different user account from my main account. You can do it on Unix or Windows. Just set the permissions so that your main account can access the downloads if necessary, and the browser account can't access much.

      It's not 100%, but as the joke goes, I don't have to run faster than the bear, I just have to run faster than the average person ;).

    17. Re:It's 2011, don't open the attachment by TheLink · · Score: 1

      Is it possible to pay their bill by credit card, 1 cent at a time?

    18. Re:It's 2011, don't open the attachment by BenoitRen · · Score: 1

      Given that most advertising formulas are pay-per-click, I doubt people who want to block ads would make a difference. They are the type to not click ads, so they actually save the advertisers bandwidth.

    19. Re:It's 2011, don't open the attachment by ColdWetDog · · Score: 1

      How the hell does an executable within an attached ZIP file disguised as a PDF get launched anyway?

      Click
      Click
      Click
      WHAM

      --
      Faster! Faster! Faster would be better!
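The chain above ends with the OS launching whatever the user double-clicks, so the practical defence is to look inside the archive before it reaches an inbox. The following is an added example, not code from the article or from any commenter: it opens a ZIP in memory and flags members whose name or content gives the trick away (an executable extension, a document name in front of the real extension, a PE `MZ` header under a document name, a `.pdf` without the `%PDF` magic, or a right-to-left override character hiding the extension). The extension lists, the constructed sample archive and the `classify_entry` / `scan_zip` names are assumptions of this example, not any product's rules.

```python
import io
import zipfile

# Assumed lists for this example; a real gateway policy would be longer.
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg")
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def classify_entry(name: str, head: bytes) -> list:
    """Return the reasons an archive member looks like a disguised executable
    (empty list means nothing suspicious was seen)."""
    reasons = []
    lower = name.lower()
    if lower.endswith(EXECUTABLE_EXTENSIONS):
        reasons.append("executable extension")
    # 'invoice.pdf.exe': strip the last extension and see if a document one remains
    stem = lower.rsplit(".", 1)[0] if "." in lower else ""
    if stem.endswith(DOCUMENT_EXTENSIONS):
        reasons.append("double extension (document name before the real one)")
    if head.startswith(b"MZ"):
        reasons.append("PE header (MZ) at start of content")
        if lower.endswith(DOCUMENT_EXTENSIONS):
            reasons.append("extension claims document but content is a PE")
    if lower.endswith(".pdf") and not head.startswith(b"%PDF"):
        reasons.append("named .pdf but lacks %PDF magic")
    if "\u202e" in name:  # Unicode RIGHT-TO-LEFT OVERRIDE reverses the displayed tail
        reasons.append("RTL override character in filename")
    return reasons


def scan_zip(data: bytes, max_head: int = 4) -> dict:
    """Map each suspicious member name to its list of reasons. Only the first
    few bytes of each member are read, so a large archive costs little."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as f:
                head = f.read(max_head)
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one harmless PDF-looking file, one classic
    double-extension 'PE', and one 'PE' renamed to look like a PDF. The MZ
    members are four bytes of header plus text, not real executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n% constructed, not a real document\n")
        zf.writestr("invoice.pdf.exe", b"MZ\x90\x00 constructed stand-in, not a real PE")
        zf.writestr("scan.pdf", b"MZ\x90\x00 also constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(why))
```

The magic-byte checks matter more than the name checks: the `scan.pdf` member carries no executable extension at all and would only be caught by the mismatch between what the name claims and what the bytes are. Whether Windows will run it under that name is a separate question; the point of the check is to refuse to deliver it either way.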
    20. Re:It's 2011, don't open the attachment by BenoitRen · · Score: 1

      If you don't click the ads you're likely not funding anyone.

    21. Re:It's 2011, don't open the attachment by g0bshiTe · · Score: 1

      What would Adblock and Noscript do to prevent this in the form of PDF, or say an IE image processing buffer overflow?

      --
      I am Bennett Haselton! I am Bennett Haselton!
    22. Re:It's 2011, don't open the attachment by poena.dare · · Score: 1

      We learn to put on the club out of habit so that when we do go to Walmart our car is left alone. Sometimes it's a good idea not to interrupt automatic processes with rational thought... believe it or not.

      Always wanted to go to Arcosanti...

    23. Re:It's 2011, don't open the attachment by FoolishOwl · · Score: 1

      In fairness to the person using the club, it only takes a couple of seconds to put it on, and routines tend to be all-or-nothing: if you look around and try to assess whether your current surroundings justify using the club, you're likely to fall out of the habit of using it at all.

      I've been wanting to visit Arcosanti, by the way. It sounds like a crazy utopian scheme, but with something to it. I've wondered if Soleri was an influence on the design of the Marine Towers in Chicago.

    24. Re:It's 2011, don't open the attachment by Anonymous Coward · · Score: 0

      It still blows my mind that people open attachments from individuals they do not know.

      Good comments, but it's not enough just to avoid opening attachments from individuals you do not know. A common virus behavior is to send infected messages to all an infected person's contacts. So a better rule of thumb is to never open an attachment unless you both know and trust the sender, and also have reason to be very confident that the attachment itself was created by the sender, and not by the sender's account under the control of a botnet.

    25. Re:It's 2011, don't open the attachment by loxosceles · · Score: 1

      If you use noscript, about 90% (made-up large percentage) of the web is broken or functionally degraded.

    26. Re:It's 2011, don't open the attachment by Grishnakh · · Score: 1

      A few seconds with a hacksaw and your Club is rendered useless. Get an alarm that disables the ignition and stop wasting your time with something that doesn't work.

    27. Re:It's 2011, don't open the attachment by Jaysyn · · Score: 1

      Sorry, but those steps aren't really comparable to the two clicks it takes to white-list something with NoScript / Firefox.

      --
      There is a war going on for your mind.
    28. Re:It's 2011, don't open the attachment by Anonymous Coward · · Score: 0

      When I lived there, I used Smartnet. I don't know if they're still around, though.

    29. Re:It's 2011, don't open the attachment by starfishsystems · · Score: 2

      The only real need for sandboxing is for executable content. The data itself is harmless. Rendering it is not an issue. But you're absolutely right, sandboxing is necessary whenever an application might treat stray content as instructions ordering the application to perform some potentially unsafe action. Java bytecode is a good example, and consequently the Java Virtual Machine is sandboxed. But JavaScript, PDF, and Flash are other good examples, and they're not sandboxed.

      It's ironic therefore that the article is talking about a considerably more trivial exploit.

      This kind of malware has been typically found inside an executable within an attached ZIP file disguised as a PDF file, and is pretty darn good at getting around traditional anti-virus products.

      To me, this explanation seems outrageous. Exploits of this kind can only be successful on systems that are so badly designed that they will indiscriminately treat everything as executable content, even content posing as something else. That's a big problem, but it's easy to solve with a bit of care in system design. Most operating systems don't have this problem, and so they're not vulnerable. As far as I know, Microsoft Windows is the only exception.

      --
      Parity: What to do when the weekend comes.
    30. Re:It's 2011, don't open the attachment by maxume · · Score: 1

      Wait, is Walmart really an extremely likely place for a car to be stolen?

      I can believe it in areas where there are chop shops (or whatever) that will move popular stolen parts, but in smaller population centers where that activity is a little harder to hide, not so much.

      --
      Nerd rage is the funniest rage.
    31. Re:It's 2011, don't open the attachment by Mitchell314 · · Score: 1

      I thought modern OSs already did this? http://en.wikipedia.org/wiki/Address_space_randomization

      --
      I read TFA and all I got was this lousy cookie
    32. Re:It's 2011, don't open the attachment by Nanosphere · · Score: 1

      Actually in Chrome it does have a little icon that shows up in the URL bar when it blocks something, two clicks and the domain is added to the white-list.

    33. Re:It's 2011, don't open the attachment by Grishnakh · · Score: 1

      Obviously, certain cities and places are going to have higher theft rates than other places.

      However, for any given area, think about it: imagine you want to steal a car. Where are you going to go? Are you going to go to a subdivision, and drive from car to car looking for one that's a good target? Or are you going to go to a parking lot that's literally full of cars, and find one that's a good target? Now, where's the biggest parking lot around? In big cities, it's the mall, but everywhere else, it's Walmart. Here in Phoenix, it's pretty common for the cops to put "bait cars" in mall parking lots, outfitted with cameras and remote controls; the thieves get in, start driving, and then before they've left the lot the car shuts itself down, locks them inside, and the cops come and grab them.

      Now again, your chances of having your car stolen at the Walmart in Hicksville are pretty small, but cars do get stolen even in smaller towns, and your chances at the Walmart parking lot I think are much higher, relatively, than anywhere else in that area.

    34. Re:It's 2011, don't open the attachment by maxume · · Score: 1

      Adobe Reader X is sandboxed. I think later versions of Foxit are also.

      And readers that don't support javascript don't need it quite as much.

      --
      Nerd rage is the funniest rage.
    35. Re:It's 2011, don't open the attachment by Hatta · · Score: 1

      The rule is, never open an attachment you weren't expecting. If you weren't notified in advance by a trusted party of the attachments impending arrival, assume it is malware.

      --
      Give me Classic Slashdot or give me death!
    36. Re:It's 2011, don't open the attachment by TheRaven64 · · Score: 1

      Java bytecode is a good example, and consequently the Java Virtual Machine is sandboxed. But JavaScript, PDF, and Flash are other good examples, and they're not sandboxed.

      Nope. Java code running in the VM is sandboxed, but usually the VM itself is not. Similarly JavaScript code running in a web browser or PDF viewer, or ActionScript in the Flash plugin are sandboxed, but the applications running them are not. Java and Flash's sandboxes are not enforced by the OS (beyond normal process isolation), so they are no stronger than the applications themselves. These are large and complicated programs, which must be bug free in order for the sandbox to be secure. This is the same on Windows, OS X, and most *NIX systems, so the rest of your rant is just plain wrong.

      --
      I am TheRaven on Soylent News
    37. Re:It's 2011, don't open the attachment by operagost · · Score: 1

      The club sucks, BTW. Your steering wheel is purposely made of soft metal.

      --
      Gamingmuseum.com: Give your 3D accelerator a rest.
    38. Re:It's 2011, don't open the attachment by quacking+duck · · Score: 1

      If everyone did start doing this (they won't; those who'd open anything without thinking will want to send the latest lolcat thing NOW) then the spammers just modify the emailer script to send a "Hi [firstname], expect a Powerpoint from me shortly", and then send the malware in the next email to them, with a couple minutes' delay to simulate an actual person attaching a document and sending it.

    39. Re:It's 2011, don't open the attachment by m2vq · · Score: 1

      Just because you know Google's ads and AdSense doesn't mean you know the whole online advertising business.

      But instead of just talking without actual facts, why not look at what GeekNet (Slashdot's parent company) offers. For example Slashdot seems to be offering Standard Display advertisement, which is based on CPM (ad views) that go up to over $100 per 1000 views. Clicks don't matter. Then there is Poll Advertising, which costs $50000 a month, and Powerswitch, exclusively designed for Slashdot and goes at $90 per 1000 views. But don't let the facts get in your way.

    40. Re:It's 2011, don't open the attachment by Quirkz · · Score: 1

      On the other hand, I don't think I've ever gotten spam from a compromised account (or spoofed as such) that wasn't immediately obvious as spam. For the most part my friends don't have much in common with spammers in terms of writing style. I've called my friends on a couple of false positives ("did you really just email me this flash file out of the blue with a subject titled 'sooo funny!!!!' with no other text? yeah? I see ...") but the spam is always pretty clearly spam, to me.

    41. Re:It's 2011, don't open the attachment by Jaysyn · · Score: 1

      In that case I take back my previous statement regarding Chrome.

      --
      There is a war going on for your mind.
    42. Re:It's 2011, don't open the attachment by flappinbooger · · Score: 1

      Noscript functionality is in Chrome and IE, just not enabled by default. In Chrome go to Options > Under the hood > Content Settings and disable then add your white-listed domains. In IE it's a little more complicated, Internet Options > Security > Set Internet to HIGH then go to Trusted Sites and add your white-listed domains. Then go to Internet Options > Programs > Manage Addons > Toolbars and Extensions > Disable any addons you will not use, for addons you do use right click them > More Information > Remove all sites and add only white-listed domains.

      99.999999% of the people getting malware like this don't know what a script IS, let alone anything you just typed there. Believe it or not, there are people who when you ask them what browser they use they will say "I gots the Winders XP". Those are the people who are targeted by malware writers. People running no-script and adblock and sandboxes are simply such a small percentage of the masses on the internet it's a drop in the bucket.

      However dell and hp and lenovo and the other OEM ship out their boxes and laptops - that is how the people use them. They take them out of the box and plug them in and use them.

      Realistically how many people out there know what google chrome is, except that they get it along with maybe their PDF reader or some other bundle? How many typical users know what firefox is? How many know that you can have a different browser- PERIOD?

      There is an article about bing right now on slashdot. The ONLY reason ANYONE would use bing is because microsoft makes that the default search on the browser which is how it comes out of the box from walmart. How many people who use bing know it isn't google, or that there is a difference between them? Seriously, it is THAT BAD - the way people use their computer is purely random chance after random chance. Think about it, that's why you see comps with 16 toolbars on the browser. "why do you have 16 toolbars? Do you want all of them?" "No, I don't know how they got there, can you get rid of them?" "Why do you have 3 registry defraggers installed and running all the time, do you want that?" "I have no idea what you are talking about"

      My point is, people need a no-brainer solution to malware because that is the type of user you need to protect. Otherwise you can't waste the emotional overhead to worry about them - it's simply too hard for them otherwise and there are too many of them. It's as if superman is trying to save 2 BILLION Lois Lanes with diarrhea who are blindfolded and running around a mine field the size of the earth with clown shoes on looking for the one port-o-potty.

      --
      Flappinbooger isn't my real name
    43. Re:It's 2011, don't open the attachment by X0563511 · · Score: 1

      If they are hidden out-of-the-box though, what chance do they have to reach those who would click if they saw it?

      That tiny percentage drops to approaching-zero. Kaboom.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    44. Re:It's 2011, don't open the attachment by Anonymous Coward · · Score: 0

      Sure, the possibility of getting your car stolen there is extremely remote - all the same, it sounds like a particularly crappy place to have your car stolen.

    45. Re:It's 2011, don't open the attachment by thsths · · Score: 1

      I think the real question is why in 2011, there is still no way to open an attachment without risking the security of your system. Attachments were invented in 1990, and yet they still don't work as they should. I think this says more about the state of the software industry than about people.

    46. Re:It's 2011, don't open the attachment by Grishnakh · · Score: 1

      You have a point there. I'm not sure there's even cellular coverage there, and it'd probably cost a fortune to have a cab come pick you up there.

    47. Re:It's 2011, don't open the attachment by Anonymous Coward · · Score: 0

      A few seconds? Didn't some of the club models (or knockoffs) have the problem of being defeated like a bike lock by a ball point pen?

    48. Re:It's 2011, don't open the attachment by Grishnakh · · Score: 1

      Yep, that too. But if that fails, it's pretty easy to hacksaw through a steering wheel.

    49. Re:It's 2011, don't open the attachment by DamnStupidElf · · Score: 1

      Hacksaw? Wouldn't any car thief worth their salt use a dremel or other battery operated cutting tool by now?

    50. Re:It's 2011, don't open the attachment by DamnStupidElf · · Score: 2

      On a von Neumann machine instructions *are* data, and vice versa.

      Sandbox everything.

    51. Re:It's 2011, don't open the attachment by Grishnakh · · Score: 1

      Well yes. The best option is a battery-powered reciprocating saw with a general-purpose demolition blade.

    52. Re:It's 2011, don't open the attachment by Anonymous Coward · · Score: 0

      Best place to get a car is at a daycare, around here there is your choice of cars with the keys in and running at every daycare from 7 - 10am, and 3 - 6 pm. You know they will be inside at least 5 - 10 minutes, plenty of time to hop in, and drive off! I can't believe people do it! But they do...

    53. Re:It's 2011, don't open the attachment by mgblst · · Score: 1

      Really? Are you that stupid? I sure hope you don't work in security.

      It is a perfectly natural thing for people to do, and most of them will be fine. It is only the odd one that has a virus, and that should have been filtered out anyway.

    54. Re:It's 2011, don't open the attachment by lennier · · Score: 1

      It still blows my mind that people open attachments from individuals they do not know.

      Yes, because the main point of information technology is to do one's utmost to avoid actually exposing oneself to any information. Everyone knows that if you do anything the least bit creative on a computer, it might explode! Best to leave all that "exploring" and "learning" stuff to the experts, right?

      How about if email client developers designed their software so that it didn't automatically execute high-privilege binary code from strange computers it didn't know? And then the user could get back to being able to actually read their mail without worrying if it was a letter bomb?

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    55. Re:It's 2011, don't open the attachment by lennier · · Score: 1

      Malware spreaders using people's address books stand a good chance of faking an email from someone the target knows and trusts. Users are still surprised that identities can be faked in an email.

      Yes, whatever did happen to SPF? I seem to recall it's been out there for around eight years now and still not widely adopted. Does the email industry actively want fraudulent from: fields, or something?

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
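      Since SPF came up: as an added example (not part of lennier's post, and not code from any real mail server), here is a small SPF evaluator in Python that shows what a receiving server can do with a published record. It runs over a constructed in-memory table standing in for DNS TXT lookups; the domains and addresses are the documentation ranges from RFC 5737 and RFC 3849, not real mail infrastructure. The ip4, ip6, include and all mechanisms are implemented; a, mx, exists and redirect are deliberately left out, and the function names (check_spf, would_reject) are this example's own.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (these are NOT real records):
# domain -> its SPF string, or None when the domain publishes no SPF.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "nospf.example.org": None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 limits DNS-querying mechanisms to 10 per check


def check_spf(sender_domain, client_ip, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the SPF record of sender_domain for a connection from client_ip.

    Supports the ip4, ip6, include and all mechanisms (a, mx, exists and
    redirect are left out of this example). Returns one of the RFC 7208
    results: pass, fail, softfail, neutral, none or permerror.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"  # include loop or over-long chain
    record = dns.get(sender_domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"  # nothing published: the receiver cannot conclude anything

    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]  # "all" always matches
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the included domain would say "pass";
            # a missing record or a permerror inside it poisons the whole check.
            inner = check_spf(arg, client_ip, dns, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # mechanism not implemented in this example
    return "neutral"  # no mechanism matched and there was no "all" term


def would_reject(sender_domain, client_ip, dns=FAKE_DNS_TXT):
    """Receiver policy used in this example: reject only on a hard fail."""
    return check_spf(sender_domain, client_ip, dns) == "fail"


if __name__ == "__main__":
    for domain, ip in [("example.com", "192.0.2.77"),
                       ("example.com", "198.51.100.10"),
                       ("example.com", "203.0.113.5"),
                       ("nospf.example.org", "203.0.113.5")]:
        print(f"{domain:20} {ip:16} {check_spf(domain, ip)}")
```

      One caveat worth keeping in mind when reading the thread: SPF is checked against the envelope sender (the SMTP MAIL FROM, or HELO) rather than the From: header the user sees, so a passing SPF check alone does not stop a forged From: field; DMARC exists to tie the two identities together.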
    56. Re:It's 2011, don't open the attachment by DangerFace · · Score: 1

      I don't tick that box, and I added an exception to AdBlock for *.slashdot.org. I still don't see any adverts here, because I won't add a known malware distributor to my NoScript whitelist. I'm not strictly against advertising, but I'm not going to just run any crap coming from anywhere to give away a few pennies a month. I try to subscribe but I won't use PayPal and nothing else comes up on the subscription page. I told them about this, but got no response. So, since they don't seem to want my money, I haven't yet flown a few thousand miles just to shove a wad of cash through the letter box.

    57. Re:It's 2011, don't open the attachment by renoX · · Score: 1

      While I agree that in theory a correctly designed OS shouldn't have an issue with decoding data, the notion that only Windows is poorly designed is very, very wrong: Unixes also have the same issue with "ambient capabilities".

    58. Re:It's 2011, don't open the attachment by Chemisor · · Score: 1

      > Why? Because ads fund Slashdot and keep it free.

      Only because there are some suckers out there who still pay for views instead of clicks. It is not illegal, but is it moral? Whenever I see an ad, I'm so affronted, I resolve not to buy whatever's being advertised, and I know there are many others who feel the same way. Showing ads to me will definitely have a negative impact on whatever they're trying to sell, reducing their profits rather than increasing them. The easiest way to differentiate between ad-hostile crowd like me and naive ad-lovers is by paying per click, since I have never in my life intentionally clicked on an ad.

    59. Re:It's 2011, don't open the attachment by BenoitRen · · Score: 1

      I stand corrected when it comes to Slashdot, sir. Lots of sites use Google's AdSense, though.

    60. Re:It's 2011, don't open the attachment by CohibaVancouver · · Score: 1

      Whenever I see an ad, I'm so affronted, I resolve not to buy whatever's being advertised

      Wow. Life's too short for me to get 'affronted' over something like this. I save my energy for stuff that matters. What do I care if there's some Intel or Dell ad above an interesting article on Slashdot.

    61. Re:It's 2011, don't open the attachment by Chemisor · · Score: 1

      The only people who never get upset by anything are the ones who have no values or strong opinions or a sense of self-preservation. Because ads are there to attack you - make you believe something by appealing to your emotions, bypassing your rational response (which would otherwise realize that whatever is being advertised is never the best deal available), and inducing you to buy without thinking. To attempt to do such a thing is an insult to my intelligence and a generally malicious act in my book. My response is only a natural reaction to both.

    62. Re:It's 2011, don't open the attachment by CohibaVancouver · · Score: 1

      The only people who never get upset by anything are the ones who have no values or strong opinions

      I have tons of values and strong opinions - They're just about things that matter. Issues affecting the planet, my children - whatever. Some banner telling me about a Dell & Trend Micro security bundle is innocuous and not something I bother thinking about.

    63. Re:It's 2011, don't open the attachment by Nyder · · Score: 1

      If you use Adblock and Noscript, it is nearly impossible to get infected. Why that functionality is not in every browser and enabled by default I simply don't understand.

      I have good enough karma with Slashdot that I'm given the option to disable ads. I don't. Why? Because ads fund Slashdot and keep it free. If ad blockers were on by default most of the sites people like and use would go out of business.

      That is stupid. Ad revenue is by clicks, not by showing it.

      --
      Be seeing you...
    64. Re:It's 2011, don't open the attachment by Anonymous Coward · · Score: 0

      Speaking as someone who knows a bit about stealing cars, let me assure you that your club will deter joyriders and those looking for quick wheels for larcenous purposes. If someone who knows what they are doing really wants to take your car, your club will be tossed out of the window in pieces within 15 seconds.

  4. "powerful Darwinian forces" by tripleevenfall · · Score: 2

    "powerful Darwinian forces" is an interesting way to describe the process by which the designers of these viruses are using progressively more intelligent designs.

    1. Re:"powerful Darwinian forces" by Chemisor · · Score: 1

      Which brings up an even more interesting question: were humans designed by God or malware hackers? Or are we God's malware?

    2. Re:"powerful Darwinian forces" by arth1 · · Score: 1

      I find it quite fitting. It's not the most advanced or strongest of the species that survive, but those that can adapt.
      This is evolution in a nutshell.

    3. Re:"powerful Darwinian forces" by Dunbal · · Score: 1

      On the other hand what does this say about the evolution of computer users... it seems that there isn't any.

      --
      Seven puppies were harmed during the making of this post.
    4. Re:"powerful Darwinian forces" by debrain · · Score: 1

      I find it quite fitting. It's not the most advanced or strongest of the species that survive, but those that can adapt.
      This is evolution in a nutshell

      Sir –

      I agree that evolution is present, but it is not of the Darwinian sort. The Darwinian theory of evolution is based upon natural selection, as distinguished from (even in his day) widely understood and accepted forms of artificial selection (e.g. husbandry, horticulture). Darwinian selection is controversial because it removes from the equation of evolution the guiding hand of God – Darwin posited that we "advance" not because of some divine purpose, but as a response to criteria set out in our environment that permits certain individuals who are subject to random mutation that confers upon them some sort of benefit in that environment as it relates to the likelihood of breeding. Artificial selection as a form of evolution was widely accepted before Darwin; where we would steer the animals and plants in the direction we chose by culling or inhibiting the breeding of undesired characteristics, so God would steer our evolution.

      The selection process for the advancement of computer viruses is based upon the contrived criteria of their creators, namely avoidance of detection by anti-virus software. Further, computer viruses at present lack the autonomy to advance beyond the confines of what is generally a limited (albeit perhaps complex) set of instructions, and in any case the mutation rate for computer viruses is effectively zero, meaning survivability for preferable characteristics does not arise from random chance but from (re)design by human authorship.

      While we often seek those comfortable references to Darwin as his ideas relate to all forms of evolution, the reference in this case was completely inappropriate in the scientific sense. The author misspoke or misunderstood Darwin's theory of evolution. There is evolution at work as virus manufacturers and their anti-virus counterparts address the advancements of the other, but this evolution is not due to any form of natural selection or evolution from random probabilities, therefore it is not Darwinian.

    5. Re:"powerful Darwinian forces" by wikdwarlock · · Score: 1

      What's even scarier is that those Powerful Darwinian Forces have slipped their insidious malware genes into the news reports about themselves!

      --

      "I must not fear. Fear is the mind killer." -Bene Gesserit Litany Against Fear
    6. Re:"powerful Darwinian forces" by Q-Cat5 · · Score: 1

      The apt response can be found in the Wikipedia article for Natural Selection :

      As opposed to artificial selection, in which humans favor specific traits, in natural selection the environment acts as a sieve through which only certain variations can pass.

      The environment, in this case, is the realm in which Malware attempts to propagate, and the increasing effectiveness of the predators (Anti-virus, Firewalls, IDS/IPS, &c) which can curtail that propagation. The need for a random mutation capability is overstated in your response. In Darwinian selection, that is merely the proposed mechanism of phenotypic change. The same is accomplished here by a diverse body of malware authors adding their own flavor to the individual bits of code. This is still an environment of natural selection. The environment itself provides the selection pressure, rather than conscious arbitration on the part of humans, as to what variants are successful.

      For your assertion that this is artificial selection to be true, humans would have to be making a conscious choice as to which kinds of malware is allowed to propagate in order to strengthen certain traits. That is to say, Symantec makes a conscious decision like "We're going to make our AV not eradicate foobar.A because we like the traits it has, and we want to see more malware like that." Clearly, that is not what is happening.

      --
      Raoul Mitgong: Unhelpful.
    7. Re:"powerful Darwinian forces" by lennier · · Score: 1

      More to the point, there seems to be a mix of both natural selection (in terms of what viruses propagate) and intelligent design (of new variants of virus); the viruses are competing with one another for resources, and they are mutating, but they are not mutating randomly, they are mutating under the direct influence of conscious agents (the various botnet authors and hackers and intelligence agencies) with their own, often conflicting, agendas.

      It's an interesting laboratory actually.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    8. Re:"powerful Darwinian forces" by Q-Cat5 · · Score: 1

      This presupposes "intelligence" on the part of malware designers which, given the amount of script-kiddie nonsense out there, is not a universal fact. =)

      --
      Raoul Mitgong: Unhelpful.
  5. Vendor SPAM by Anonymous Coward · · Score: 0

    Hooray! Another vendor advertisement disguised as a /. article.

  6. Yet another free advert for Symantec by Anonymous Coward · · Score: 1

    But nobody uses Macs or Linux, so it's not worth bothering writing malware for those platforms ...

  7. Some good readings by Ceriel+Nosforit · · Score: 1

    Polymorphic Shellcode Engine Using Spectrum Analysis
    http://www.phrack.org/issues.html?issue=61&id=9
    Release date : 13/08/2003

    Naturally I'm paranoid about what AVG and Comodo have not detected since then. NOD32 didn't say anything either about my normal use, but I'm actually glad the technique is becoming a threat that AV suppliers must address.

    --
    All rites reversed 2010
  8. Not News by mikazo · · Score: 2

    Polymorphic and metamorphic malware has been around for years. They're probably seeing a rise in detections simply because of the popularity of a certain malware generation tool or something. You can read about polymorphic and metamorphic malware in a book written by a guy from Symantec that was published in 2005: http://www.amazon.com/Art-Computer-Virus-Research-Defense/dp/0321304543

    --
    I was only 28,931 registrations away from having a 6-digit UID
    1. Re:Not News by Anonymous Coward · · Score: 0

      There is also lots of free information on metamorphism and polymorphism. There are articles on polymorphism that date back to 1992. The basic techniques are relatively easy to implement, however, I guess in most cases using polymorphism has just not been necessary for malware writers until now.

    2. Re:Not News by elsurexiste · · Score: 1

      Thank you! I thought I was the only one that knew this. I even programmed a little polymorphic program in 2004.

      I was beginning to think I had lost a great opportunity. :P

      --
      I rarely respond to comments. Also, don't ask for clarifications: a brain and Google are faster, believe me!
    3. Re:Not News by treeves · · Score: 2

      Polymorphic and metamorphic malware.

      As for me, I prefer sedimentary software that accretes little bits of code over many years, or igneous software that erupts, molten and sulfurous, from a glowing fissure in the earth's crust, then freezes into brittle glass-like applications.

      --
      ...the future crusty old bastards are already drinking the Kool-Aid.
    4. Re:Not News by Q-Cat5 · · Score: 1

      Someday, they'll drill for old malware deposits that have metamorphosed over time, to refine it into an energy source to power the cars AI will drive in cyberspace.

      --
      Raoul Mitgong: Unhelpful.
  9. The Giant Black Book all over again by Anonymous Coward · · Score: 0

    In the middle 90's I ordered a book called "The Giant Black Book of Computer Viruses". Loved it. Still have it. Signed by the author even. Some good info in the book about polymorphic and genetic viruses.

  10. Rollback and recovery - what a concept? by davidwr · · Score: 1

    Future devices that are not in a "walled garden" ecosystem will have to provide users with an easy, virus-immune way to roll back to a previous state then automatically "roll forward" with scrutiny on every "going forward" change.

    To make this work, OS and machine vendors will need to give their customers a way to "clean boot" into a read-only-boot-media recovery environment, a way to store changes, and a way to store one or more "roll-back-to" points in a form that viruses cannot write to.

    Nothing here is really new - rollback and recovery have been around for decades. Making it easy for Joe User to do is the hard part.

    Oh, and this still won't completely solve the problem - a few viruses WILL find a way to tamper with data that's supposedly "read only," but if 99% of today's malware infections that can't be easily treated today can be treated with "roll back and attempt recovery of safe changes since last commit date" then there will be a lot fewer "wipe the drive and reinstall" scenarios.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
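    As an added illustration of the "roll back, then roll forward with scrutiny" idea (this is example code, not part of davidwr's post and not any vendor's recovery tool), here is a Python sketch of the data side of it: a manifest of file hashes taken over a read-only snapshot serves as the commit point, the live tree is diffed against it, modified or deleted files are restored from the snapshot, and anything added since the commit point is moved aside for review instead of being trusted. The sample files, directory names and function names (build_manifest, roll_back, demo) are constructed for the example; the whole thing runs in a temporary directory and cleans up after itself.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative path -> sha256).

    Taken over the read-only snapshot, this is the 'commit point' that later
    comparisons are measured against; it has to live with the snapshot, never
    on the writable volume it describes, or malware can rewrite it too.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_against_manifest(live_root, manifest):
    """Classify the live tree relative to the commit point."""
    live = build_manifest(live_root)
    return {
        "modified": sorted(p for p in manifest if p in live and live[p] != manifest[p]),
        "deleted": sorted(p for p in manifest if p not in live),
        "added": sorted(p for p in live if p not in manifest),
    }


def roll_back(snapshot_root, live_root, manifest, quarantine_root):
    """Restore every modified or deleted file from the snapshot and move every
    file added since the commit point into quarantine for review (the
    'scrutiny on every going-forward change' step). Returns the diff report."""
    report = diff_against_manifest(live_root, manifest)
    for rel in report["modified"] + report["deleted"]:
        dst = os.path.join(live_root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(snapshot_root, rel), dst)
    for rel in report["added"]:
        dst = os.path.join(quarantine_root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.move(os.path.join(live_root, rel), dst)
    return report


def demo():
    """Constructed scenario in a temp dir: a snapshot, a live copy that gets one
    tampered file and one legitimate new document, then a roll-back. Returns
    the diff report, whether the live tree matches the manifest afterwards,
    and what ended up in quarantine."""
    base = tempfile.mkdtemp(prefix="rollback-demo-")
    snapshot = os.path.join(base, "snapshot")
    live = os.path.join(base, "live")
    quarantine = os.path.join(base, "quarantine")
    os.makedirs(os.path.join(snapshot, "bin"))
    with open(os.path.join(snapshot, "bin", "tool.sh"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho ok\n")            # constructed sample file
    with open(os.path.join(snapshot, "config.ini"), "wb") as fh:
        fh.write(b"[main]\nupdates=on\n")             # constructed sample file
    manifest = build_manifest(snapshot)               # the commit point
    shutil.copytree(snapshot, live)                   # the writable system

    # Activity after the commit point: one file tampered with, one new document.
    with open(os.path.join(live, "bin", "tool.sh"), "ab") as fh:
        fh.write(b"echo tampered\n")
    with open(os.path.join(live, "notes.txt"), "wb") as fh:
        fh.write(b"written after the commit point\n")

    report = roll_back(snapshot, live, manifest, quarantine)
    restored = build_manifest(live) == manifest
    quarantined = sorted(os.listdir(quarantine))
    shutil.rmtree(base)
    return report, restored, quarantined


if __name__ == "__main__":
    print(demo())
```

    The part the sketch cannot supply is exactly the hard part the post names: the snapshot and manifest are only trustworthy if they sit on media the running system cannot write, which is a boot-media and firmware question rather than a scripting one.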
    1. Re:Rollback and recovery - what a concept? by Anonymous Coward · · Score: 0

      Future devices that are not in a "walled garden" ecosystem will have to provide users with an easy, virus-immune way to roll back to a previous state then automatically "roll forward" with scrutiny on every "going forward" change.

      Samsung laptops are already providing this to some extent with their recovery disc solution. Unlike other vendors, Samsung's "recovery disc creator" does not simply take the windows pre-install partition and copy it to discs in an executable form but rather images the system in its current state and burns it to recordable media. This allows users to build up their software infrastructure prior to imaging and makes a regression in the event of an infection much less painful, assuming of course the original system image isn't compromised.

      It's a small change, but one for the better imo. It's one thing to have to reinstall Windows, but add another 2-10 hours to reinstall software and it's truly painful.

  11. Polymorphic Software by Atmchicago · · Score: 4, Informative

    Polymorphic Software
    Prerequisite: Industrial Base, Information Networks
    Technology: Advanced Subatomic Theory, Optical Computers, Adaptive Doctrine
    Special Ability: Heavy Artillery
    Improves Probe Team success rate.
    Track and Level: Discover 2
    "Technological advance is an inherently iterative process. One does not simply take sand from the beach and produce a Dataprobe. We use crude tools to fashion better tools, and then our better tools to fashion more precise tools, and so on. Each minor refinement is a step in the process, and all of the steps must be taken."
    -- Chairman Sheng-ji Yang,
    "Looking God in the Eye"

    --

    You can lead a horse to water, but you can't make it dissolve.

    1. Re:Polymorphic Software by Anonymous Coward · · Score: 0

      i loved that game.

    2. Re:Polymorphic Software by FoolishOwl · · Score: 1

      I'd love to see a remake of that game -- overhaul the graphics, maybe tweak the gameplay a little but not too much, but keep all the writing.

    3. Re:Polymorphic Software by TangoMargarine · · Score: 1

      YES!! Alpha Centauri for the win.

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
  12. Random E-Mail Attachments = Sidewalk Cuisine by Lance+Dearnis · · Score: 1

    A lot of people just innately trust anything on the PC. Not just their address book, but anything they find. What we need to do is, yes, build a culture of suspicion into this - Why is this thing you want available? Why is someone sending you this offer? Why are you receiving an attachment from this person? If you can't figure it out, then you need to either realize you're taking a risk and search for more info/evaluate if it's worth it (What we do, particularly if we're searching for pirated software or the like where there IS a risk), or just back away and don't do it.

    What most people do is find out by clicking - the equivalent of taste-testing stuff off the New York Sidewalk. Maybe if someone started a seminar where attendees who blindly open attachments are forced into such unsavory blind taste tests, we'd see a little improvement. Even the BEST viruses I've seen as far as making a 'believable' e-mail, are obvious to me. Even if it came from my brother I wouldn't click on 'em. Because I have some healthy mistrust and suspicion of the internet.

    1. Re:Random E-Mail Attachments = Sidewalk Cuisine by arth1 · · Score: 1

      As an antivirus author myself, I think that antivirus programs are partly to blame. They give people a false sense of security, believing they cannot get a virus if they have an antivirus program. So they let all caution out the door; it becomes the responsibility of the AV program to keep them safe.

      It's as mind-boggling as if people thought that wearing a seat belt and having air bags means they can drive without looking at the road. Mind, there seem to be a few drivers like that.

    2. Re:Random E-Mail Attachments = Sidewalk Cuisine by TheLink · · Score: 1

      As an AV author, how would you deal with polymorphic malware written in perl or similar? OSX supports perl out of the box.

      --
    3. Re:Random E-Mail Attachments = Sidewalk Cuisine by Joce640k · · Score: 1

      All perl code looks polymorphic to me. I don't ever recall seeing the same perl code twice.

      --
      No sig today...
    4. Re:Random E-Mail Attachments = Sidewalk Cuisine by Lance+Dearnis · · Score: 1

      Oh, for sure. I remember dealing with one system as the Family Tech Guy that had Anti-Virus software - that had not been updated since I first installed it 850 days ago. When I informed them they had a virus, they thought it was impossible. Didn't I put Anti-Virus software on it?

      The computer wound up trashed because it needed a reformat and they had long ago thrown out things like their Windows discs, and I wasn't going to bother with that much work for free.

    5. Re:Random E-Mail Attachments = Sidewalk Cuisine by arth1 · · Score: 1

      By not allowing scripted languages to be executed without permission.

      SElinux does a lot of good here, and I wish OS-X had it. Anything you get from your browser or e-mail app will (on a strict system) not be allowed to do anything until you change the context, and depending on the context you set it to, even then it can be prevented from many actions. Like writing to /bin or /usr/bin or making a network connection, even if run as root.

  13. Why the hell should PDF allow zipped executables? by david.emery · · Score: 2

    I think a lot of our problems come from these 3rd party packages that have grown WAY too complex and provide too many vulnerabilities. Why, for example, should the PDF format permit -anything executable or coded-, whether it's JavaScript or ZIP files? It's time in my view for the developer and system integrator community to simplify; let's get back to the idea of tools and programs that have well-defined scope and do a few things well, rather than turning into Yet Another Vendor Platform that can be used to distribute viruses/trojans/malware/crapware/etc.

  14. Flashblock by tepples · · Score: 1

    AdBlock implemented default in browsers? Oh my an outcry there'd be

    Then let's backpedal a bit. I'd recommend implementing content-type blocking (e.g. Flashblock) by default in browsers. That'd keep the user safe from untrusted rich media in an exploitable non-free player, and the circumvention (advertise using a medium other than Flash) wouldn't be much of a burden for advertisers.

    1. Re:Flashblock by snemarch · · Score: 1

      That's something I can fully agree with - I like what Chrome does with Java content (too bad it doesn't do the same for flash). It's good for helping against drive-by exploits, and it's simple enough to not confuse the Johns and Janes too much.

      Of course it doesn't help for sites that lure people to enable whatever with the promise of "zomg hilarious pictures" or "britney dyking out with olsen twins", but you can't really help people who fall for that anyway.

      --
      Coffee-driven development.
    2. Re:Flashblock by Anonymous Coward · · Score: 0

      Chrome -> about:flags -> Click to play

      Problem solved.

  15. "Powerful Darwinian Forces" huh by pathological+liar · · Score: 3, Informative

    Whale is more than 20 years old now, and it was polymorphic. An issue of 40hex from 1993 provides source for a polymorphic engine. This isn't a new development, the technique was "mastered" 20 years ago :P

    Maybe they've seen a recent spike in it, but... who cares? Well, unless it means they'll put a little more thought into AV than signature-based bullshit. "heuristics"-based detection that isn't a complete joke, for a start.

    1. Re:"Powerful Darwinian Forces" huh by Anonymous Coward · · Score: 0

      Please, don't interrupt this important commercial announcement from Symantec. There has been a spike.....a SPIKE...in the number of these types of infections, and we need Symantec, and their amazing suite of products, now, more than ever. So please, a little respect.

      Next you'll be telling me that corporations use press releases in the media as a free advertising service. Slanderous!

  16. Passphrase to access an address book by tepples · · Score: 1

    Malware spreaders using people's address books

    If malware can sniff the passphrase to read an address book, it can sniff the passphrase to sign mail.

    1. Re:Passphrase to access an address book by Culture20 · · Score: 1

      The address book can be (and probably is) a third party's; usually the people in "from" and "to" are paired up from similar domain names.

  17. Process Permissions by Doc+Ruby · · Score: 4, Insightful

    I'd like to see the OS, especially one like Android in the hands of unsupported, naive, and promiscuous users, require permissions for InterProcess Communication as it does for files. And for DB access. All strongly typed. Those kinds of familiar patterns in combination, upon every access between processes on objects. Mediated by an OS capable of supporting the user and using a support Internet to warn others when threats (or patterns that represent threats) appear to correlate to risky objects of the same kind.

    The OS and Internet should act as an integrated immune system bathing our objects, not just a special case intervention when opening the first file from an email. Dedicate one or two cores of these multicore CPUs (and prefilter at servers for smaller/mobile devices). Attacks are now the norm, not the exception. The network and OS infrastructure design should recognize the new reality.

    --

    --
    make install -not war

    1. Re:Process Permissions by gl4ss · · Score: 1

      oh you want symbian? you want to go insane developing applications someone could actually use for it too? I mean, I even went and bought a book for it, a highly recommended one. you know what it said about IPC? that it's too fucking complicated to go into in a book as thick as harry potters.

      and for the record android asks for permission (install time, but anyways) for just about anything. you know what's wrong with it? you can't know what the app will actually do with those permissions - if you always did, like if all file api access always told you which file and asked for every operation.. the programs would be impractical to use (choose any nokia with default permissions, or hell, even a signed j2me app).

      if you want real security, do your computing on a j2me device. but most people don't want to give up so much practicality.

      --
      world was created 5 seconds before this post as it is.
    2. Re:Process Permissions by Doc+Ruby · · Score: 1

      I don't want Symbian, but I do want the kind of IPC I described. I don't want it to be insanely complex, nor need it be - which I guess is one reason I don't want Symbian.

      Actually Android's permissioning sounds similar to what I want, but not quite good enough. I'll have to look into it. Install time is the time to ask for permission to IPC to other apps/processes, but the GUI should describe it by service role rather than app/data, because users can make sense of roles rather than the technical implementations of them. And it's got to mediate all IPC at all runtime.

      --

      --
      make install -not war

    3. Re:Process Permissions by Anonymous Coward · · Score: 0

      new reality: smoke less crack

    4. Re:Process Permissions by EdIII · · Score: 1

      What fucking planet are you from dude? :)

      That's an extremely logical and well thought out plan for a system design for non-humans.

      A computer can warn a human of all the threats in the world. However, if there is a promise of a fuzzy kitten doing something cute, or a fuzzy kitten in between a pair of nice tits, all the warnings are useless.

      If I had a nickel for every time somebody I know said they clicked on the link anyway because of the promised content, I would be retired on an island.

      I think the better idea is that we draw a hard line in the sand. You have documents that can be rendered, PERIOD. You also have programs which can be installed, verified with MD5 hashes and certificates.

      Never the two shall meet.

      The problem is, and always shall be, the morons who infected document rendering with the execution of processes on the system. An HTML document cannot possibly harm any system in any way whatsoever (goatse excepted). However, an HTML page that also loads some flash and javascript can own you.

      Gee why is that?

      I think you explained and proposed a secure operating system. It does not address the cause, but the symptom. To address the cause make document rendering exactly that.... rendering a farking document. Then all you have to do is worry about buffer overflows and exploits that exist in the rendering software. Something of which can be done fairly well if you spend some time on it.

  18. Antivirus makes a better suggestion than solution by sl4shd0rk · · Score: 5, Interesting

    Several reasons why Antivirus is a fail:
        1) 0-day. Your AV will never pick it up
        2) polymorphism - if the virus sig changes, you're hosed
        3) People think: "Since I have AV, I can't get infected"
        4) People think: "AV didn't find anything wrong, so I must be clean"
        5) When AV doesn't work, people assume it's broken

    Antivirus has evolved into a "solution" when it's clearly not capable. How many infected Windows installs have you found where Norton took a head-shot, or some kind of AV *was* installed at one time but got smoked?

    What's needed: OSs need to plug their holes. Browsers could be fixed so they don't hand off malicious content to system executables. The OS itself should be trimmed down so not everyone is running SMB/RPC (or other commonly exploited services) by default. Executables which handle web content could be sandboxed and run by a lower privilege user (this can be done in Unix, so why not Windows?). Why do these things not happen?

    AV is great when it works but it's proving not to be enough.

    --
    Join the Slashcott! Feb 10 thru Feb 17!
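    Points 1 and 2 of sl4shd0rk's list can be made concrete. The following is an added example in Python, not code from the post or from any AV product, run over a constructed corpus in which no sample is real malware: a "known" sample and two "variants" share a four-byte header and otherwise consist of seeded pseudo-random bytes, standing in for a body that is re-encrypted for every copy so that no two copies share a byte string. An exact-hash signature catches only the copy it was written for; a Shannon-entropy heuristic (one of the indicators static scanners actually use for packed or encrypted content) catches all three, but also flags a benign high-entropy file, here a stand-in for a user's encrypted backup. The third scan shows the cheapest mitigation, an allowlist of known-good hashes. The names make_samples, run_demo and the 7.0 bits-per-byte threshold are this example's own choices.

```python
import hashlib
import math
import random
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # bits per byte; plain text and ordinary code sit well below this


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def make_samples():
    """Constructed test corpus; none of these bytes are real malware.

    The 'known' sample and its two variants share a header and otherwise
    consist of seeded pseudo-random bytes, standing in for a body that is
    re-encrypted per copy. The backup sample is random bytes too, standing in
    for legitimately encrypted user data.
    """
    rng = random.Random(2011)

    def blob(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    header = b"MZ\x90\x00"  # constructed stand-in for an executable header
    return {
        "known_sample": header + blob(2048),
        "variant_a": header + blob(2048),
        "variant_b": header + blob(2048),
        "benign_report": b"Quarterly report: all figures nominal.\n" * 60,
        "benign_backup": blob(4096),
    }


def hash_signature_scan(samples, known_hashes):
    """Classic exact-match signature: flags only byte-for-byte known files."""
    return {name: sha256(data) in known_hashes for name, data in samples.items()}


def entropy_heuristic_scan(samples, threshold=ENTROPY_THRESHOLD):
    """Flags anything whose content looks encrypted or packed."""
    return {name: shannon_entropy(data) >= threshold for name, data in samples.items()}


def gated_heuristic_scan(samples, allowlist_hashes, threshold=ENTROPY_THRESHOLD):
    """Same heuristic, but files on an allowlist of known-good hashes are exempt."""
    return {
        name: sha256(data) not in allowlist_hashes and shannon_entropy(data) >= threshold
        for name, data in samples.items()
    }


def run_demo():
    """Run all three scans; returns their verdict dictionaries in that order."""
    samples = make_samples()
    known_bad = {sha256(samples["known_sample"])}      # what a signature update would ship
    known_good = {sha256(samples["benign_backup"])}    # what an allowlist would hold
    return (
        hash_signature_scan(samples, known_bad),
        entropy_heuristic_scan(samples),
        gated_heuristic_scan(samples, known_good),
    )


if __name__ == "__main__":
    for label, verdicts in zip(("hash", "entropy", "gated"), run_demo()):
        print(label, verdicts)
```

    The allowlist is a narrow fix; a real product has to combine the entropy signal with other evidence (file type, origin, what the code does when emulated or sandboxed), which is the "heuristics that aren't a joke" the thread keeps asking for.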
  19. What? by elsurexiste · · Score: 1

    There have been polymorphic viruses since the dawn of time. I even wrote one in 2004. Why is this news?

    --
    I rarely respond to comments. Also, don't ask for clarifications: a brain and Google are faster, believe me!
    1. Re:What? by Anonymous Coward · · Score: 0

      Did they mean "metamorphic"? That is "somewhat" news. Geez... what happened to my slashdot :(

  20. Fear not, good citizens! Symantec will save us! by Anonymous Coward · · Score: 1

    Malware authors are combining ever more powerful buzzwords to create frightening malicious software packages that could, in theory, cause system slowdowns and system crashes more severe than those caused by Symantec software. Symantec researchers anticipate seeing examples of this malware "in the wild", rather than only on their testing lab dev boxes, at any moment.

    This malware uses code so sophisticated and complex, and yet somehow so compact, that it cannot currently be detected, even as it hides in PDFs and ZIP files -- file types familiar to most people who sign purchase orders.

    Fortunately, Symantec is almost ready to release its new software to fight this menace, available for $69.99/year; estimated release date is when "polymorphic malware" peaks on Google Trends.

  21. God's son had to die to pay the ransom by tepples · · Score: 1

    What I gather from the Christian Bible is that humans were designed by God (created in his image) but have had malware implanted by a hacker named Satan. God's son had to die to pay the ransom for the self-destruct code for Satan's malware, and this code will be applied after the tribulation.

    1. Re:God's son had to die to pay the ransom by djdanlib · · Score: 2

      It's more like this, although it may tread into slightly blasphemous territory by being written like this:

      God has a good old time livin' it up with the angels. Then one day Lucifer, a great leader of angels, gets dissatisfied with his position and jealous and decides he wants to be like God. A whole bunch of angels follow him. God isn't pleased and decides to kick them all out of His presence.

      Meanwhile, God creates the universe and a man for companionship, and then a woman to keep the man company, in a perfect walled garden where they can do basically whatever.

      God decides it's pointless to force people to love Him, and gives them the choice - opt out by way of partaking of an Apple product. (Oh, I went there.)

      At some point right around here is when Satan gets kicked out of heaven and winds up near the people. Satan comes in with the latest iGoodVsEvil and sends out some brilliant spam. Eve goes for it first and opens that totally_awesome_knowledge.doc.exe attachment. Adam goes "Hey, whatcha got there?" and opens the same attachment. God is displeased by the choice, but decides to let us deal with the consequences rather than nuking everything from orbit. Now we've each gotta opt back in and get our redemption.

      Fast forward a few thousand years and a few close calls where our debauchery almost cost us our existence. Those ancient people really partied hard sometimes and did stuff that's illegal in most civilized cultures today, and man did they do a lot of dumb stuff. Up until Jesus' existence, people had to play by the rules. And there were quite a few which were mostly to keep people alive and relatively disease-free, and some of them still hold up scientifically - you know, like you can get trichinosis from eating undercooked pork, or how the Black Plague spread by not properly disposing of fecal matter or washing bedclothes or quarantining the sick, that kind of stuff. Things that we have medicine and technology for now, that we didn't then.

      You also had to pay up on your anti-malware subscription every once in a while (price: goats, sheep, etc) so it wouldn't run out. That malware was pretty bad news - the payload executes when you die, and it's real bad.

      But then, God decided we really needed something better. He manifested His son Jesus to live among us for about thirty years, who bought us all an infinite subscription by being executed as the ultimate sacrifice. Ka-ching, paid for in full! We've still gotta realize there's a problem and opt into the subscription and stop logging in as root in our lives, otherwise we don't get it. Hey, now we don't have to sacrifice animals!

      And you know what, people still don't want it, and would prefer to take their chances with malware because living on the outside is more fun for a little while. But it catches up with you eventually, as anyone who surfs around the shadier parts of the 'Net as root all the time can tell you. But man, once you opt in, that's some powerful stuff and it comes with a great benefit of being allowed into the presence of God when you're kickin' up gold dust.

      I dunno if that tweaks your geek the way it should, but that's a lot more accurate.

    2. Re:God's son had to die to pay the ransom by Q-Cat5 · · Score: 1

      So 'god' is the original engineer, and 'the serpent' is the original malware hacker, and the apple is the original trojan. Suggesting that 'god' did not follow secure coding practices, and as far as anyone can tell, did not do a requirements review. (Nipples on men? A clear case of including an object without ever calling its methods.)

      --
      Raoul Mitgong: Unhelpful.
    3. Re:God's son had to die to pay the ransom by Q-Cat5 · · Score: 1

      Hmm... the problem here is that a lot is promised for the next release, but apart from some very shaky Gantt charts at the end of the requirements doc, no actual detailed build plan has been revealed. I'm calling this Vaporware.

      --
      Raoul Mitgong: Unhelpful.
    4. Re:God's son had to die to pay the ransom by djdanlib · · Score: 1

      Eh, the worst that could happen is that people ridicule and troll you your whole life, for trying to be a decent human being to the other people around you. I'll take it.

    5. Re:God's son had to die to pay the ransom by Anonymous Coward · · Score: 0

      Uhh, ever heard of bloatware? If Firefox 2000 represents humans today, then remember that God started coding with Netscape. And FF4,5,6,7... represents the Cambrian explosion. I'm guessing the codebase of most common programs that haven't been rewritten from scratch still contains silly hacks to get around limitations that were present in Windows 3.x.

    6. Re:God's son had to die to pay the ransom by PRMan · · Score: 1

      Awesome. I love it. Can I steal this to read in a class that I teach?

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    7. Re:God's son had to die to pay the ransom by Q-Cat5 · · Score: 1

      So, 'god' is either a cargo cult programmer, or doesn't pay attention to his compiler warnings. Either way, I'm thinking he needs some time in a SDLC class, and maybe next time submit the code for peer review and maybe run a vulnerability scan or two.

      --
      Raoul Mitgong: Unhelpful.
    8. Re:God's son had to die to pay the ransom by Q-Cat5 · · Score: 1

      Being a decent human doesn't require this software. As for people ridiculing and trolling, well, consider Apple fanboys as your model here. Frequently, they bring it upon themselves.

      --
      Raoul Mitgong: Unhelpful.
    9. Re:God's son had to die to pay the ransom by djdanlib · · Score: 1

      I guess? As long as the point is something pro-Christianity I don't mind :)

    10. Re:God's son had to die to pay the ransom by mcswell · · Score: 1

      "Nipples on men? A clear case of including an object without ever calling its methods." On the contrary, I'm rather attached to them. And they do come in er, handy, once in a while.

    11. Re:God's son had to die to pay the ransom by Q-Cat5 · · Score: 1

      Ha. Okay, but the PRIMARY method [lactation] is not being called unless you're into some serious hormone treatments.

      --
      Raoul Mitgong: Unhelpful.
    12. Re:God's son had to die to pay the ransom by mcswell · · Score: 1

      I imagine you were at least partly in jest, but: you could say that evolution has developed a new method for nipples. That seems to be a common way that evolution works--IIUC, many (maybe most) proteins are slightly modified versions of other proteins. Not sure how good this site is:
      http://www.kavlifoundation.org/science-spotlights/kavli-futures-symposium-evolution-new-functions-big-questions
      but the second bullet explains the idea.

      In the case of humans, I would say that evolution has come up with a new use for nipples, namely as erogenous areas. And they do function that way on at least some men. Whether that's the primary 'method' is a different question, and probably not one that can be answered scientifically!

    13. Re:God's son had to die to pay the ransom by Q-Cat5 · · Score: 1

      Of course, I'm being entirely tongue-in-cheek and pointing out that as a design function, the nipples on men don't serve the same function as on women, even though all the same structures (e.g. from an OOP perspective, the object's methods) are still in place. Hormone therapy can cause men to lactate because of this, but there's no known condition in nature that would cause men to naturally lactate.

      I could continue the flippancy with a reference to overload methods, but I think I'm already getting a bit obscure.

      --
      Raoul Mitgong: Unhelpful.
  22. Hey... grep can only do so much... by mark-t · · Score: 1

    One has to wonder, as viruses get more sophisticated and are able to obfuscate their own signatures, what methods are going to be utilized in the future to detect them... because I can't see it.

    For some reason, this is reminding me of the Turing Halting Problem.

    And even trying to practice safe web surfing habits isn't always effective. I have seen a virus get onto a work computer that was behind the company's firewall, where the user did not install any software at all, used mozilla for 100% of his browsing, and did not download or install any plugins or extensions. However it got on there, it happened without any user-intervention whatsoever.

    The virus was easy enough to remove as another user of course... but my point is that even what should be "safe" web practices don't always work.

    1. Re:Hey... grep can only do so much... by arth1 · · Score: 1

      One has to wonder, as viruses get more sophisticated and are able to obfuscate their own signatures, what methods are going to be utilized in the future to detect them... because I can't see it.

      I wrote the first heuristic AV program back in the late 80s, which would not just look at signatures, but what the code actually did and whether THAT posed a risk. A mini disassembler and risk analysis tool, if you like.
      Unfortunately, it requires that the user doesn't blindly trust the AV software, but makes decisions too. Perhaps there's a good reason why a program would patch an IO vector, and the AV software can not know this for certain. But it can point it out.

      AV software can also patch an OS to make known attack vectors inoperative, but that is never future proof.

    2. Re:Hey... grep can only do so much... by Anonymous Coward · · Score: 0

      magic

    3. Re:Hey... grep can only do so much... by orange47 · · Score: 1

      whitelisting, perhaps. or make a 'debugger antivirus' that would allow advanced users to analyze suspicious small executables by themselves. or 'behaviour analysis' but that's already used, I guess.

  23. Doubled in July? by flibbidyfloo · · Score: 1

    [grammar_nazi_mode=ON]

    This may win me the pedant of the year award, but the summary says "The level ... doubled in July, when compared to figures from six months ago." This is incorrect and doesn't even make sense. Reading the original article reveals the truth. The level doubled in the six months leading up to July. I suppose it's theoretically possible that the level stayed perfectly flat for 5 months, then suddenly doubled, but I think the article would have mentioned that.

    [grammar_nazi_mode=OFF]

  24. This headline brought to you by the year 1989 by rickb928 · · Score: 1

    And the 1260 virus.

    The 'methods' of encryption have changed (once was ZIP, now ZIP AND PDF, requiring a PDF reader in addition to ZIP libraries), but the concept isn't new, and I'm surprised it has not been in continuous use since then.

    And this passes as either new or unusual for /.? Doubling the detection volume for a month? July? And July isn't even over yet?

    So was it the word 'darwinian' that justified this as interesting?

    feh.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  25. Re:Antivirus makes a better suggestion than soluti by Anonymous Coward · · Score: 0

    There are problems with AV software, not the least of which is that it's a system resource-hog, usually far worse than the malicious code it's supposed to defend against.

    I've been ok for a few years now running Windows XP without any full-time anti-virus software, but I'd hesitate to recommend that for non-technical users. Of course, most of the time I run Linux, and I only boot Windows when I have to...

  26. Re:Antivirus makes a better suggestion than soluti by Anonymous Coward · · Score: 0

    Some time ago, I was doing experiments where I wanted a Windows desktop to automatically send experiment results back to the server. Using sftp wasn't very attractive due to the need for passwords or usernames, so sending an E-mail seemed the best way to go. But the problem was the anti-virus/anti-spam software which didn't like unknown applications sending E-mail. Problem was solved by renaming the application "agent.exe". Problem solved.

  27. Re:Antivirus makes a better suggestion than soluti by twocows · · Score: 1

    Follow the money. Who stands to profit from a market of security vulnerabilities? I can tell you, Symantec sure isn't hurting for cash right now.

  28. ahhh by Nyall · · Score: 1

    I've been wondering about this for 13 years now (when I started learning z80 and 68k assembly) if antivirus software was smart enough to analyze for things like:

      jmp lbl_1          /* skip over the junk block */
      .ds 50             /* declare 50 bytes of storage */
    lbl_1:

    And those 50 bytes are filled in with random patterns. But this article makes it sound like there are multiple jumps that are being generated which I've also considered. Or dummy for loops.

    I'm surprised virus writers are only starting to do this. Any assembly coder worth his salt should be smart enough to think of this.

    --
    http://en.wikipedia.org/wiki/Jury_nullification
    1. Re:ahhh by Nyall · · Score: 1

      Sorry, there should be a carriage return between the "jmp lbl_1" and the ".ds 50"

      --
      http://en.wikipedia.org/wiki/Jury_nullification
    2. Re:ahhh by Arker · · Score: 1

      Competent malware authors have been doing this for many years.

      The news is the techniques are becoming more common even amongst the level that produces stuff Symantec can actually catch.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
  29. Re:Antivirus makes a better suggestion than soluti by Anonymous Coward · · Score: 0

    1) you forgot that root/administrator is for installing software and not a user.

    2) a system user should not exist. All software needs to run as the user who initiated it (sandbox).

  30. Re:Antivirus makes a better suggestion than soluti by Anonymous Coward · · Score: 0

    What's needed: OSs need to plug their holes.

    Problem is, the biggest hole sits in front of the computer and can't be plugged (no pun intended).

  31. Polymorphic is old news by Nimey · · Score: 1

    MS-DOS had polymorphic viruses in the early '90s.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  32. 0) People didn't think. by davidwr · · Score: 1

    3) People think ...
    4) People think ...

    0) People didn't think.

    Oh wait, this is redundant to one of the existing replies. Sorry for wasting your time guys.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  33. Re:Antivirus makes a better suggestion than soluti by Caerdwyn · · Score: 3, Interesting

    The first polymorphic file-infecting virus that saw wide dispersion was DAV (Dark Avenger), back in 1991. It was detected just fine.

    Not all virus detection is performed via signature-checking. In the case of Dark Avenger, McAfee used curve-fitting. A histogram of the frequency of various byte values in specific locations within an executable file was generated, and a frequency-distribution curve generated from that. This curve was compared to the curves of legitimate executables and to what the DAV virus tended to create as it altered the files it infected. How well the curves matched, and where any anomalies in otherwise-perfectly-matching curves were, became the basis of determining confidence that there was a "hit". This technique proved to be extremely accurate, more so than string-matching. While false-negative (failed detection) and false-positive rates were never perfect, they were in the "many 9's" of accuracy. In many cases, this heuristic was more accurate against DAV than string-matching was against other non-polymorphic viruses.

    Point 1 is incorrect. Heuristics will often pick up a 0-day virus, as will behavior-based (anomaly detection) systems. String-based virus detection is only a part of modern antivirus products.
    Point 2 is incorrect, and has been for 20 years. Polymorphism is no more a perfect virus cloaking mechanism than antivirus software is perfect malware defense.
    Points 3 and 4... no antivirus software will ever stop infection if the user explicitly grants permission for something to run. There is no functional difference between malware and legitimate software; everything that malware does (from a functional perspective) is something that some piece of legitimate software or another can do. Malware is defined by deception, not function. Antivirus software does not detect deception, nor should it be expected to.
    Point 5... yeah. People expect magic bullets. People demand perfection for free. People can go fuck themselves and their slimy little tort lawyers.

    And... stack-based exploits are not viruses. Antivirus software is not intended to defend against such attacks.

    But yes, all applications should run in their own sandboxes, memory-wise, file-system-wise, privilege-wise. This isn't a perfect defense either, as the software which attempts to enforce the sandbox is itself subject to attack. And there are many components of a system which are user-installed but are not sandboxed (device drivers, maintenance utilities). As long as operating systems and applications are architected as they are, there will be vulnerabilities which are deception-based. The only defenses there are education and reputation.

    --
    Everybody gets what the majority deserves.
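The byte-frequency curve-fitting heuristic described in the post above, as an added example (not Caerdwyn's or McAfee's code): each file is reduced to a 256-bin byte-value distribution, compared per window against a baseline learned from clean samples, so an encrypted or randomised body stands out even when no byte string is stable. The byte alphabet, sample sizes and threshold are constructed for the demonstration.

```python
"""Byte-frequency curve fitting as a heuristic against polymorphic code.

Added example (not Caerdwyn's or McAfee's code): each file is reduced to a
256-bin byte-value distribution, and that curve is compared against a
baseline curve averaged over known-clean executables. An encrypted or
randomly padded body is close to uniform, so its curve departs sharply
from real machine code. The byte alphabet, sizes and threshold below are
constructed for the demonstration.
"""
import random
from typing import List, Sequence

NBYTES = 256


def byte_histogram(data: bytes) -> List[float]:
    """Return the normalised byte-value distribution of data (sums to 1.0)."""
    counts = [0] * NBYTES
    for b in data:
        counts[b] += 1
    total = len(data) or 1          # avoid division by zero on empty input
    return [c / total for c in counts]


def l1_distance(h1: Sequence[float], h2: Sequence[float]) -> float:
    """L1 distance between two distributions; 0.0 identical, 2.0 disjoint."""
    return sum(abs(a - b) for a, b in zip(h1, h2))


def baseline_profile(clean_samples: Sequence[bytes]) -> List[float]:
    """Average the histograms of known-clean samples into one reference curve."""
    hists = [byte_histogram(s) for s in clean_samples]
    return [sum(h[i] for h in hists) / len(hists) for i in range(NBYTES)]


def anomaly_score(data: bytes, baseline: Sequence[float], window: int = 512) -> float:
    """Worst-matching window of the file against the baseline curve.

    Scoring overlapping windows, rather than the whole file, keeps a large
    clean prefix from diluting an appended encrypted body. This is the
    "specific locations" part of the technique: where the curve breaks
    matters as much as whether it breaks.
    """
    worst = 0.0
    step = max(1, window // 2)
    for off in range(0, max(1, len(data) - window + 1), step):
        worst = max(worst, l1_distance(byte_histogram(data[off:off + window]), baseline))
    return worst


def is_suspicious(data: bytes, baseline: Sequence[float], threshold: float = 1.0) -> bool:
    """Flag a file when some region departs from the clean curve by more than threshold."""
    return anomaly_score(data, baseline) > threshold


# --- constructed samples -------------------------------------------------
# Real code reuses a small set of opcode and operand bytes heavily; we model
# that with a 16-byte alphabet drawn uniformly. A real baseline would be
# learned from a corpus of clean binaries, not generated like this.
_CLEAN_ALPHABET = bytes([0x00, 0x01, 0x04, 0x0F, 0x24, 0x45, 0x48, 0x55,
                         0x74, 0x75, 0x83, 0x89, 0x8B, 0xC3, 0xE8, 0xFF])


def make_clean_sample(rng: random.Random, size: int) -> bytes:
    """Synthetic 'machine code' with a skewed byte distribution."""
    return bytes(rng.choice(_CLEAN_ALPHABET) for _ in range(size))


def make_polymorphic_sample(rng: random.Random, code_size: int, body_size: int) -> bytes:
    """Synthetic infected file: clean-looking code followed by a near-uniform
    (encrypted/randomised) body, the shape a polymorphic engine produces."""
    body = bytes(rng.getrandbits(8) for _ in range(body_size))
    return make_clean_sample(rng, code_size) + body


_RNG = random.Random(2011)   # fixed seed so the demo is reproducible
BASELINE = baseline_profile([make_clean_sample(_RNG, 4096) for _ in range(8)])
CLEAN = make_clean_sample(_RNG, 6000)
INFECTED = make_polymorphic_sample(_RNG, 6000, 1500)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("infected", INFECTED)):
        print(f"{name:9s} score={anomaly_score(sample, BASELINE):.3f} "
              f"suspicious={is_suspicious(sample, BASELINE)}")
```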
  34. Sigh by Sycraft-fu · · Score: 5, Insightful

    I get real tired of this one. This naive geek idea that OSes can be made perfect and somehow immune to viruses. News flash: They can't, at least not if you wish to keep the ability to run arbitrary code. The only way to make an OS safe against viruses is the Apple "walled garden" idea where only authorized apps run. Even then, you could potentially sneak something by the authority that says if apps are ok. However so long as you can run arbitrary code, you can run evil code. There is no evil bit, the computer will execute anything it is given.

    Please remember when talking about malware as opposed to worms you are talking about stuff that comes in to the computer through user action. It is bundled with an application, or is an app all by itself. The user downloads and runs it. There is no patching against that.

    Also you have the silly idea of "if something isn't 100% effective it shouldn't be used." Bullshit. Look at security in the real world some day, where there is no such thing, ever, as perfect security. You get used to the concept that everything is fallible and you need defense in depth. Virus scanners help provide that defense in depth. They scan incoming things for known threats (by the way good ones are updated more than once a day). It is not your only line of defense, but one of them.

    Run a virus scanner, and run as a deprivileged user, and patch your OS, and make sure to get software from trusted sources, and monitor your system, and so on. Don't have a defense, have layers. Only then do you have a real security solution.

    PS, web executables can be sandboxed on Windows, IE does this, other browsers just don't care to use the interface to do so.

    1. Re:Sigh by renoX · · Score: 1

      While I agree with what you said, there's a big difference between Virus scanners and the other OS security mechanisms: they are much more CPU and "latency" consuming than the other security mechanisms.

      So sandboxing/capabilities are much better security mechanisms than virus scanners.

    2. Re:Sigh by lennier · · Score: 1

      This naive geek idea that OSes can be made perfect and somehow immune to viruses. News flash: They can't, at least not if you wish to keep the ability to run arbitrary code.

      But why do we need the ability to run arbitrary ring-0 machine code? A sensible OS design would require all applications to be written in some kind of provably-safe bytecode. That's the opposite of Apple's "you can't even implement an interpreter" legal approach.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
  35. even then they can still F* user data by Joe_Dragon · · Score: 1

    even then they can still F* user data and maybe even infect data files.

  36. NULL by Artem+S.+Tashkinov · · Score: 1

    A very good article about ... nothing.

    Ah, sorry, Symantec is good for you! how could I have missed that?

  37. Re:Antivirus makes a better suggestion than soluti by Anonymous Coward · · Score: 0

    There are two things from AV which are useful:

    First, is catching non zero days. A machine gets infected at an AV lab, someone finds the culprit, and pushes out an infected signature library. This at least forces malware to have to be polymorphic or at least change with each push out.

    Second is a host intrusion protection system. A HIPS is a good thing to have to catch unknown things. For example, if a game started wanting to read and erase everything in the home directory, or Excel wanted to make low level hard disk writes to the MBR. Heuristics are a very useful tool, especially when combined with whitelists.

    However, against 0-days, which most drive-bys tend to be, I have found blocking ads far more effective than any AV program out there. Because ads are an ecosystem that allows for content without having to do microtransactions, in return, I try to donate something or purchase a subscription at the sites I go to. This way, the provider gets cash even though I don't see their ads, and I keep my security.

  38. Re:Antivirus makes a better suggestion than soluti by Jeng · · Score: 1

    How many infected windows installs have you found where Norton took a head-shot, or some kind of AV *was* installed at one time but got smoked?

    Normally it is because the AV subscription hasn't been paid up. I don't think I have seen an infection on a computer with a working anti-virus.

    Then again, if you are basing this on Norton, well, yeah, then all AVs are crap if you only judge them by Norton; they may have name recognition, but that is about all.

    --
    Don't know something? Look it up. Still don't know? Then ask.
  39. powerful Darwinian forces by mevets · · Score: 1

    Then these must affect OS X.....

    I suppose we should be thankful he didn't go for something like:

    These Darwinian forces are causing an acceleration of Moore's Law in the prevalence of super-intelligent malware.

    sigh.

  40. "OMG WTF PDF" lecture by molo · · Score: 1

    If you're wondering what they're talking about you should watch this video. http://www.youtube.com/watch?v=54XYqsf4JEY

    For a demo, see the 38:00 mark. The windows "calc.exe" is modified to be simultaneously a valid windows exe, a valid zip archive, and a valid PDF. The same file can appear benign to anti-virus tools even though there is malware contained in the file when interpreted in certain ways.

    -molo

    --
    Using your sig line to advertise for friends is lame.
    1. Re:"OMG WTF PDF" lecture by TangoMargarine · · Score: 1

      The windows "calc.exe" is modified to be simultaneously a valid windows exe, a valid zip archive, and a valid PDF

      Calc simultaneously an exe, zip, and pdf? Is this a problem?

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    2. Re:"OMG WTF PDF" lecture by molo · · Score: 1

      The problem is you can hide different payloads in each, including malware. If a program (or antivirus) treats it as one file type and not the other, then the remaining data will be ignored.

      -molo

      --
      Using your sig line to advertise for friends is lame.
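A defensive check for the file-type ambiguity molo describes in the two posts above (one file that is a valid EXE, ZIP and PDF at once), as an added example that is not code from the talk: each loader trusts a different region of the file, so the check runs all three format probes and flags a file that more than one would accept. The sample file is a constructed fixture carrying only the format markers; the header rules assumed are the MZ/e_lfanew chain for PE, a "%PDF-" header within the first 1024 bytes, and a ZIP end-of-central-directory record that ends exactly at EOF.

```python
"""Detect container polyglots: one file that parses as EXE, ZIP and PDF.

Added example, not code from the talk. Each loader trusts a different part
of the file: a PE loader reads the 'MZ' header at offset 0 and follows
e_lfanew to 'PE\\0\\0'; PDF readers commonly accept the '%PDF-' header
anywhere in the first 1024 bytes; ZIP readers trust the End Of Central
Directory record at the very end. A scanner that picks one parser sees only
that view, so the check here runs all three and flags a file that satisfies
more than one. The sample file is a constructed fixture with format markers
only, no payload.
"""
import struct

EOCD_SIG = b"PK\x05\x06"
EOCD_LEN = 22               # fixed part of the end-of-central-directory record
MAX_ZIP_COMMENT = 0xFFFF    # the comment length field is 16 bits


def find_zip_eocd(data: bytes):
    """Return the offset of a well-formed EOCD record that ends at EOF, else None.

    The record is searched backwards from the end because a ZIP comment of up
    to 65535 bytes may follow it. A stray 'PK\\x05\\x06' in the middle of the
    file does not count: the comment length must run exactly to EOF.
    """
    tail_start = max(0, len(data) - (EOCD_LEN + MAX_ZIP_COMMENT))
    idx = data.rfind(EOCD_SIG, tail_start)
    while idx >= 0:
        if idx + EOCD_LEN <= len(data):
            comment_len = struct.unpack_from("<H", data, idx + 20)[0]
            if idx + EOCD_LEN + comment_len == len(data):
                return idx
        idx = data.rfind(EOCD_SIG, tail_start, idx)
    return None


def has_pe_header(data: bytes) -> bool:
    """MZ stub at offset 0 whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def has_pdf_header(data: bytes) -> bool:
    """PDF readers look for the header within the first 1024 bytes, not only at 0."""
    return b"%PDF-" in data[:1024]


def detect_containers(data: bytes) -> set:
    """Every container format that would claim this file."""
    found = set()
    if has_pe_header(data):
        found.add("pe")
    if has_pdf_header(data):
        found.add("pdf")
    if find_zip_eocd(data) is not None:
        found.add("zip")
    return found


def is_polyglot(data: bytes) -> bool:
    """True when more than one parser would accept the file as its own format."""
    return len(detect_containers(data)) > 1


def build_constructed_polyglot() -> bytes:
    """Fixture only: MZ stub + PE signature + PDF header + empty ZIP EOCD."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)       # 64-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)     # e_lfanew -> byte 64
    pe_sig = b"PE\0\0"
    pdf_part = b"%PDF-1.4\n% constructed fixture, no objects\n"
    filler = b"\0" * 200
    # EOCD for an empty archive: signature, 16 zeroed fields bytes, zero comment length
    eocd = EOCD_SIG + b"\0" * 16 + struct.pack("<H", 0)
    return bytes(header) + pe_sig + pdf_part + filler + eocd


if __name__ == "__main__":
    sample = build_constructed_polyglot()
    print(sorted(detect_containers(sample)), "polyglot:", is_polyglot(sample))
```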
  41. Re:Antivirus makes a better suggestion than soluti by Anonymous Coward · · Score: 0

    that would hurt the economy, stupid! lol

  42. Re:Antivirus makes a better suggestion than soluti by HeckRuler · · Score: 1

    Symantec and the AV industry is actually fueled by fear. Every real threat costs them money. Those are jobs that need actual work to overcome. Or at least enough to placate their customers. False threats, scaremongering, and the general fear of malware is what makes money in the AV industry.

  43. Re:Antivirus makes a better suggestion than soluti by robbo · · Score: 1

    Best clean-up I ever did was a Norton install done by my father-in-law's 'computer guy', complete with trojan masquerading as a key generator.

    --
    So long, and thanks for all the Phish
  44. Re:Antivirus makes a better suggestion than soluti by djdanlib · · Score: 1

    You hit the nail almost on the head. I work in IT, and I see a lot of dumb stuff happen because people trust their computers to magically keep them safe.

    AV software usually has features that plug some of the holes - like blocking IRC communication, or preventing execution of attachments, or things in temp folders, or things on network shares. You have to configure it right. That's not a skill most users are going to have, unfortunately. The overhead of doing all this can be pretty intense sometimes, too, which makes people say "forget it, I'll take my chances so I can get more work done."

    There's also something to be said about configuring your OS right. Most people are totally unaware of group policy (on Windows) and wouldn't know what most of those settings do. But if you set it up right, it prevents a large amount of malware from working, straight up. The same goes for updates. People get really lazy with those - Conficker spread more AFTER the update that closed the hole was released. It's still out there, too.

    Things happen because people happen. It's not really doable to educate everyone, since we all know we'll take shortcuts when we see them.

    You wonder why these things aren't optimized for security by default, but I think the answer is that they set them to something that strikes a balance between compatibility with the most software, and the current security environment upon release. Maybe it would be a lot better if Microsoft were to update group policy to meet the current trends via Windows Update... I'd almost support silent updates, if it wouldn't cause such a backlash.

    I guess that's why infosec staff is so useful, right?

  45. Um, bait cars! by Latent+Heat · · Score: 1

    A bait car with cameras, remote control, and remote locking? Where can I get me one?

    1. Re:Um, bait cars! by PRMan · · Score: 1

      The mall parking lot. You really weren't paying attention, were you?

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
  46. Is it time for digital postage yet? by grapeape · · Score: 1

    Between the spam and viruses, perhaps the time has come for some sort of digital postage? It's been discussed and shot down before but it's reached a point where the ongoing costs of fighting spam, viruses and malware are outpacing previously proposed pricing for emails. It just seems ridiculous that I end up spending so much time and effort with my clients just trying to keep up with idiots who want to fuck up people's computers and dealing with the ignorant (who admittedly shouldn't have to know all about that kind of crap) who find new ways to get infected on a seemingly weekly basis. It's not my favorite idea but what else can be done?

    1. Re:Is it time for digital postage yet? by Q-Cat5 · · Score: 1

      Nope.

      Digital postage will only hurt people who aren't planning to make money from their e-mail.

      Just as with DRM, the honest pay, and the dishonest either find a way around it, or are making so much off of it that it's a mere "cost of doing business".

      --
      Raoul Mitgong: Unhelpful.
  47. what about the malware called norton by Osgeld · · Score: 1

    you can uninstall it, delete it, manually remove it from the registry, use specialized tools, and even beg for the authors to provide help, but BAM there is a fucking windows installer asking you to insert the disk every time you fart

    1. Re:what about the malware called norton by Anonymous Coward · · Score: 0

      Wow, how many years has it been since you've used Norton? It hasn't even used the Windows Installer technology since 2007. Currently it is the fastest and smallest memory footprint AntiVirus available (and has been for a couple of years now). And the installation routine is custom-coded to install and begin protecting the system in ~20 seconds without the need to reboot the computer.

    2. Re:what about the malware called norton by Anonymous Coward · · Score: 0

      2005 called, they want their McAfee advertising campaign back.

  48. Re:Antivirus makes a better suggestion than soluti by iviv66 · · Score: 1

    I assume you don't lock your doors or windows when you go out then? After all, if somebody wants to burgle your house they'll just smash a window or break down the door anyway, so there's no point locking everything.

  49. Re:Antivirus makes a better suggestion than soluti by Anonymous Coward · · Score: 0

    I've seen plenty of infected Windows machines (XP, Vista and Win7) running AV with current subscriptions. Granted, they often haven't installed patches or they're doing file sharing and running IE, but AV doesn't make you immune. Ironically, most of the infected machines are running McAfee or AVG/Avast. Occasionally we see a machine with an updated version of N360 or IS2011 or the like but that's rare. I've honestly NEVER seen one with Avira or MSE come in.

  50. Re:Antivirus makes a better suggestion than soluti by orange47 · · Score: 1

    1) that's why you wait for a week or two while someone else trains the AV.
    2) some things stay the same, it still has to infect to be a virus.

  51. Re:Antivirus makes a better suggestion than soluti by Anonymous Coward · · Score: 0

    The real solution is to start sentencing these malware writers to a life as a pc tech for a poorly funded state agency without possibility of vacation.

  52. Risk of losing car in middle of nowhere by Atmchicago · · Score: 1

    Since you're in the middle of nowhere, the cost of losing your car is ever so much greater. Therefore, it makes sense to protect your car. Cost/benefit.

    --

    You can lead a horse to water, but you can't make it dissolve.

  53. Re:Antivirus makes a better suggestion than soluti by Cruciform · · Score: 1

    There was a guy in one place where I worked who would constantly click on shit he shouldn't have, and so a lot of time was spent helping him out. He got infected by one trojan that had a chopped-up payload, so when you got rid of the main program it would just piece it together from bits scattered over the drive, registry entries, etc. on reboot.
    Someone in the office probably gave it to him. It was insidious.

  54. Seriously... by idbeholda · · Score: 1

    This is why you don't open or look at non-plain text documents unless you're absolutely sure you know what you're doing. Especially if that document comes from someone over the internet. This isn't just with PDF files, but any kind of file/document that allows embedded scripting. This basic security flaw has been known about for ages (20+ years and little has actually been done to stop the problem), and yet people still continue to ignore these very obvious red flags.

  55. Re:Antivirus makes a better suggestion than soluti by Anonymous Coward · · Score: 0

    I mostly agree, with a few remarks however:

    • while it's true that heuristics will pick up many 0-days, those are often only the most trivial pieces of malware. It is easy for a malware writer to test whether his malware is detected by heuristics or not, so he can refine it until it passes under the radar.
    • Yes, polymorphism is far from a perfect virus cloaking, however, it is in most cases perfect to defeat heuristics. Yes, some emulation-based techniques can detect an encrypted virus, but at the moment, they are just too rudimentary to be effective. So polymorphic viruses are mostly detected by a signature of the decryption code. If you don't believe me, just try it.
  56. Agreed 110%, on "defense in depth" by Anonymous Coward · · Score: 0

    OR, as I call it, "layered security". I, & others I know that do the guides I have written since 1997 online (& before that) for Windows do well using it (I haven't had a "malware-in-general" infestation since 1996 in fact because of it):

    "You get used to the concept that everything is fallible and you need defense in depth. Virus scanners help provide that defense in depth. They scan incoming things for known threats (by the way good ones are updated more than once a day). It is not your only line of defense, but one of them." - by Sycraft-fu (314770) on Tuesday July 26, @02:24PM (#36886646)

    Correct, & they all "complement one another" + tend to make up for each others' "shortcomings"... because "layered-security/defense-in-depth" IS really the best thing we have going... IF you take the time to implement it.

    On Windows NT-based systems of "more modern varieties" (ala 2000/XP/Server 2003/VISTA/7/Server 2008), that takes about 1-2 hours of your time, albeit gaining you YEARS of uptime into the distance as your "ROI" for effort expended...

    This takes time, but it's well worth doing if you value a stable long-term setup of a computer.

    This means:

    ---

    1.) OS & app patching conscientiously

    2.) Updating antispyware/antivirus

    3.) ONLY using java/javascript ONLY WHERE IT'S ABSOLUTELY NEEDED ONLINE (think ecommerce sites), as well as the same for frames/iframes/plugins to browsers

    4.) Email in TEXT ONLY

    5.) Securing rights to filesystems ACL/MAC-wise

    6.) Securing group & local system security policies (which are NOT setup as strong as possible by default mind you in shipping OEM init. default setups by the makers of them)

    7.) Disabling unneeded potentially "dangerous" services that establish "listeners" on the internet (thus, possible "handles" to grab for illegal ingress)

    8.) The use of custom HOSTS files (for both speed & security, more on that below)

    9.) Using filtering DNSBL utilizing DNS servers to complement them (more on that below with examples of DNS servers that do that)

    10.) Firewall rules tables (both in routers &/or software firewalls in combination), if not also the "poor man's firewall" of IP filtering @ both the TCP/UDP portions of the IP stack.

    ... and more...

    All of those measures work on a very, Very, VERY SIMPLE PRINCIPLE TOO:

    "You can't get burned if you don't go into the malware-in-general kitchen", or better yet "If you don't get in bed with the devil, you can't F**** & get impregnated by him" either...

    That, along with educating users is the most important part!

    (This last one, it is the most important part imo, so they understand as best they can in laymen's terms when possible, on HOW/WHY/WHEN/WHERE malware-in-general works on them to steal their information or money, or to enslave their systems for nefarious purposes, etc./et al!).

    ---

    To "immunize" a Windows system thus, I effectively use the principles in "layered security" possibles!

    I.E./E.G.-> I have done so since 1997-1998 with the most viewed, highly rated guide online for Windows security there really is which came from the fact I also created the 1st guide for securing Windows, highly rated @ NEOWIN (as far back as 1998-2001) here:

    http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text

    & from as far back as 1997 -> http://web.archive.org/web/20020205091023/www.ntcompatible.com/article1.shtml which Neowin above picked up on & rated very highly.

    That has evolved more currently, into the MOST viewed & highly rated one there is for years now since 2008 online:

    http://w

  57. How?... What? ... Can someone please explain! by Anonymous Coward · · Score: 0

    This kind of malware has been typically found inside an executable within an attached ZIP file disguised as a PDF file.

    Is the zip-file attached to an email?

    How the heck can a zip-file be disguised a pdf-file?

    Why does it open as zip-file if it is marked as a pdf-file?

    Why does an exe-file run if a zip-file is opened?

    Is this some kind of microsofty-windowsy-thing, because I know of no OS or email-application where the above could happen and I have used a lot of both (but I have very little recent experience in using Windows (except w95))?
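The questions above come down to one point: a mail client or user sees the name, while the content decides what happens. Below is an added illustration (not code from the thread or from Symantec) of how an attachment scanner can ignore the claimed name and look at the bytes instead: it sniffs the outer file by its leading bytes, and if that turns out to be a ZIP it walks the members and flags executable or double extensions and `MZ` headers. The sample attachment, its member name and the extension list are all constructed for the example.

```python
import io
import zipfile

# Constructed sample (not a real attachment): a file that would be mailed as
# "Invoice_July.pdf" but is really a ZIP archive holding a member with a
# double extension and an 'MZ' (Windows executable) header. The member body
# is just the header plus zero filler; it is not a program.
def build_sample_attachment() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_July.pdf.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()

# Content sniffing by leading bytes; the claimed extension is never trusted.
MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip", b"MZ": "exe"}
# Extensions Windows will execute on double-click (assumed list for the example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def sniff(data: bytes) -> str:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def inspect_attachment(name: str, data: bytes) -> list:
    """Return a list of findings for one attachment; empty means nothing flagged."""
    findings = []
    claimed = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    actual = sniff(data)
    if claimed and actual != "unknown" and claimed != actual:
        findings.append(f"extension .{claimed} but content is {actual}")
    if actual == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
                ext = "." + parts[-1] if len(parts) > 1 else ""
                if ext in EXECUTABLE_EXTS:
                    findings.append(f"member {info.filename} has executable extension {ext}")
                    if len(parts) > 2:
                        findings.append(f"member {info.filename} uses a double extension")
                with zf.open(info) as fh:
                    head = fh.read(4)
                if sniff(head) == "exe":
                    findings.append(f"member {info.filename} starts with an MZ header")
    return findings
```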

  58. Re:Antivirus makes a better suggestion than soluti by jackbird · · Score: 1

    What user does the login validation process run as, then?

  59. Free will is an important part of the experiment by tepples · · Score: 1

    Either way, I'm thinking he needs some time in a SDLC class

    Free will is an important part of the experiment. Is the SDLC teacher going to encourage God to leave out free will next time?

  60. pun alert. by hesaigo999ca · · Score: 1

    Finally, some malware writers with class.....

  61. Re:Antivirus makes a better suggestion than soluti by Caerdwyn · · Score: 1

    Many of the malware packages which are out in the wild, successfully infecting people, are kit-based. If someone uses a virus construction kit, it's pretty easy to detect anything created by that kit. The reason that these script-kiddie packages work is that people don't patch and don't keep their AV software, if they have any, current. Given the large number of people who fall into that category, polymorphism is irrelevant, and if you can fool (or numb) someone into clicking Yes on Grant Admin Privileges, nothing in the world is going to save that person.

    So, unless a malware author is good (most aren't), or is targeting a specific organization, they just don't care whether AV catches their package, because they won't be coming into AV often enough to matter.

    Contrary to what a sensationalist press corps would have you believe, there aren't that many people capable of writing original, robust viruses or exploit packages. The ones who do tend to be on the payroll of large organized crime groups, and don't release their code to other would-be botnet herders. When something new and effective does come out (which isn't all that often), it will spread quickly, but it's just the one package.

    Having seen first-hand from my time working at McAfee and a not-named-here IDS company, I can say with certainty that the overwhelming majority of infections use a small handful of vulnerabilities which have been known for a while (count the number of variants of MS-06-040 sometime) and simply aren't being patched. Headline-grabbing new hotness is always interesting, but people who don't patch their systems will be equally vulnerable to legacy exploits (so the new exploit is irrelevant), and people who DO patch their systems will quickly become protected as the AV vendors and OS vendors provide a solution once the exploit gets noticed.

    Note also that application-based exploits (browsers, Flash, Adobe Reader, etc.) are becoming the dominant means of exploit. OS vulnerabilities are still out there, and in large numbers, but it's the applications that will get you... particularly for targeted attacks. You can tailor an exploit-document to look tempting to your target, and even folks who patch their OS (or let it autopatch) don't always stay on top of application patches. Sure, you patch your browser, but how often do you patch your office suite? How do you know you need to?

    As for polymorphism... yes, it's the decryptors (even the obfuscated ones) which are detectable. Have been since 1991. And as I said, it's not signatures that give them away.

    I have "just tried it". Got the paychecks to prove it.

    --
    Everybody gets what the majority deserves.
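Comments 55 and 61 disagree about what catches a polymorphic sample: a signature on the decryption code, or emulation that runs the decryptor and scans the clear body. The added toy scanner below (not code from either commenter, and not real malware) shows why a body signature fails across variants while both other routes succeed on this simple case. The "payload" is constructed plain text, the decryptor "stub" is a constant byte string standing in for machine code, and the variant format (stub, 1-byte key, 2-byte length, XOR body) is assumed for the example.

```python
import hashlib

# Constructed toy payload (plain text, not code): stands in for a malware body.
BODY = b"CONSTRUCTED TOY BODY - stands in for the part a polymorphic engine re-encodes"
BODY_SIG = hashlib.sha256(BODY).hexdigest()

# Constructed toy decryptor stub. A real stub is machine code; all that matters
# here is that its bytes stay the same between variants, unlike the body.
STUB = b"\xEB\x0A\x5E\x31\xC9"

def make_variant(body: bytes, key: int) -> bytes:
    """Build one sample: constant stub, 1-byte key, 2-byte length, XOR-encoded body."""
    assert 1 <= key <= 255, "key 0 would leave the body in clear"
    return STUB + bytes([key]) + len(body).to_bytes(2, "big") + bytes(b ^ key for b in body)

def body_signature_hit(sample: bytes) -> bool:
    """Static signature on the body: fails whenever the body is encoded."""
    return BODY in sample

def stub_signature_hit(sample: bytes) -> bool:
    """Static signature on the decryptor: the part polymorphism leaves constant."""
    return sample.startswith(STUB)

def emulate_and_scan(sample: bytes) -> bool:
    """Minimal 'emulation': do what the stub would do, then scan the clear body."""
    if not sample.startswith(STUB):
        return False
    key = sample[len(STUB)]
    length = int.from_bytes(sample[len(STUB) + 1:len(STUB) + 3], "big")
    start = len(STUB) + 3
    decoded = bytes(b ^ key for b in sample[start:start + length])
    return hashlib.sha256(decoded).hexdigest() == BODY_SIG

def scan_corpus(samples) -> dict:
    """Count hits per strategy over a set of samples."""
    return {
        "body_signature": sum(body_signature_hit(s) for s in samples),
        "stub_signature": sum(stub_signature_hit(s) for s in samples),
        "emulation": sum(emulate_and_scan(s) for s in samples),
    }

if __name__ == "__main__":
    variants = [make_variant(BODY, k) for k in (0x11, 0x5A, 0xA7, 0xFF)]
    print(scan_corpus(variants))  # {'body_signature': 0, 'stub_signature': 4, 'emulation': 4}
```

A benign file hits none of the three; the stub signature is only as good as the stub staying constant, which is exactly the part a more careful engine would also vary.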
  62. Re:Free will is an important part of the experimen by Q-Cat5 · · Score: 1

    So, by way of experiment, we're going to put two naïve naked people, wired for curiosity, into a lush garden, tell them to eat anything except for one thing, and when they (predictably) eat the verboten thing, jump out from behind a bush and yell "gotcha!". Then let them be cursed with painful childbirth and early death. And not just them, the perpetrators . . . but also the countless generations of progeny they've been ordered to put forth (miraculously, since they have only themselves as a breeding population . . . oh, except for those unexplained people in Nodland to the East) until the experimenter gets tired of it all and wipes the program . . .

    This sounds less like an experiment, and more like a soap opera written by the Marquis de Sade and directed by Alan Funt.

    As for what an SDLC instructor would tell 'god'? Probably, "Do module testing instead of trying to debug the whole system."

    --
    Raoul Mitgong: Unhelpful.
  63. Re:Free will is an important part of the experimen by tepples · · Score: 1

    So, by way of experiment, we're going to put two naïve naked people, wired for curiosity, into a lush garden, tell them to eat anything except for one thing, and when they (predictably) eat the verboten thing, jump out from behind a bush and yell "gotcha!".

    That was God saying "Have it your way." The goal of this experiment is to prove that Satan's idea for how to manage creation is unworkable. Sometimes you have to break a few eggs to make an omelet.

    miraculously, since they have only themselves as a breeding population

    Before the population bottleneck caused by the great flood of 1656 A.M., inbreeding depression wasn't a problem.

    As for what an SDLC instructor would tell 'god'? Probably, "Do module testing instead of trying to debug the whole system."

    This is a module test. I believe tests of other modules are happening on other class M planets in this galaxy. The coming system of things is even grander.

  64. Re:Antivirus makes a better suggestion than soluti by lennier · · Score: 1

    And... stack-based exploits are not viruses. Antivirus software is not intended to defend against such attacks.

    Then antivirus software is pretty pointless today, isn't it? Because botware using exploits seems a lot more prevalent these days than old-school "infect every .COM file on my 5.25" floppy disk" viruses.

    --
    You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
  65. 1 word answer = PERFORMANCE by Anonymous Coward · · Score: 0

    And, in the case of the OS &/or drivers? Also memory/process accessibility...

    That being the OS + drivers having said access, to Ring 3/RPL 3/Usermode code!

    Yes - & this is WHY a driver-driven rootkit is SO dangerous:

    It can even bypass object-oriented code protections too (that's right, because drivers have access to ALL MEMORY in usermode, or else you couldn't for instance, use your keyboard even).

    E.G.-> A former professor of mine in academia years ago, was telling us all about how "good oop is" for memory protection, & he was "ex-Navy" (which matters here) - I pointed out that Naval subs were infiltrated by driver-driven malware, & for THAT VERY REASON (to bypass ADA &/or C++ oop design memory protective schemes)... he had to admit I was "spot on/top marks" on that in fact, though I suspect he was "loathe to admit it"...

    However - There ARE experimental OS' out there, like MS' "singularity" iirc, that implement the other "rings of access" & .NET runtime driven protection, but as long as things run from Ring 0/RPL 0/kernel-mode privilege even THAT is useless for the MOST part, because OS & drivers can "peer into" anything, & why tools like ProcessExplorer can even be deceived by such machinations, via API call intercepts & redirections!

    (Now, as far as Ring 0/RPL 0/Kernel mode level of privilege? Well, iirc, ONLY the "debug" privilege is higher)

    Thus - You have what you complain of, & also what I noted in drivers being used maliciously (only thing more "dangerous" would be firmware implemented malware, & that's been coming out for years too)...

    APK

    P.S.=> I did my 1st presentation on computer security back as far as 1984 in collegiate academia, & the conclusion of myself & my group? Well, simple:

    "What one man can secure & lock down, another man will unlock & unsecure, eventually..."

    It's a "cat-N-mouse"/"Cops-N-Robbers" game, & always has been + will be... this, is life!

    ... apk