Slashdot Mirror
The Rise of Polymorphic Malware
twoheadedboy writes "The level of aggressive, polymorphic malware intercepted by Symantec doubled in July, when compared to figures from six months ago. This kind of malware has been typically found inside an executable within an attached ZIP file disguised as a PDF file, and is pretty darn good at getting around traditional anti-virus products. 'There are powerful Darwinian forces acting on the development of malware by criminals,' said Martin Lee, senior software engineer at Symantec. 'Those who look to innovate and improve their malware tend to infect more computers and acquire the resources to reinvest in further development and innovation.'"
Virus writers discover OOP??
Given the frequency with which a cracked webmail account or compromised PC with an email client will immediately start spamming its former owner's entire address book, expecting the "people you know" rule to save you is fairly naive...
"powerful Darwinian forces" is an interesting way to describe the process by which the designers of these viruses are using progressively more intelligent designs.
My ISP e-mailed me 'my invoice' as an attachment last week, when they had previously sent a summary in text, and a link to their site to view the invoice.
I e-mailed and told them that I wouldn't open attachments from them, and I wanted the plain, boring, text summary ... and I get a response back about how the invoice has always been PDF, and they closed the ticket.
So, anyone know of any good ISPs in the Maryland/DC area? (and Verizon and Comcast don't qualify as 'good' in my opinion).
Build it, and they will come^Hplain.
Polymorphic and metamorphic malware has been around for years. They're probably seeing a rise in detections simply because of the popularity of a certain malware generation tool or something. You can read about polymorphic and metamorphic malware in a book written by a guy from Symantec that was published in 2005: http://www.amazon.com/Art-Computer-Virus-Research-Defense/dp/0321304543
I was only 28,931 registrations away from having a 6-digit UID
It still blows my mind that people open attachments from individuals they do not know.
"But Culture20, the email came from you, and you're our systems administrator."
"Did it contain my gpg/pgp signature?"
"What?"
"That gobbledygook at the beginning and end of all my emails that you apparently don't pay attention to."
Malware spreaders using people's address books stand a good chance of faking an email from someone the target knows and trusts. Users are still surprised that identities can be faked in an email.
Polymorphic Software
Prerequisite: Industrial Base, Information Networks
Technology: Advanced Subatomic Theory, Optical Computers, Adaptive Doctrine
Special Ability: Heavy Artillery
Improves Probe Team success rate.
Track and Level: Discover 2
"Technological advance is an inherently iterative process. One does not simply take sand from the beach and produce a Dataprobe. We use crude tools to fashion better tools, and then our better tools to fashion more precise tools, and so on. Each minor refinement is a step in the process, and all of the steps must be taken."
-- Chairman Sheng-ji Yang,
"Looking God in the Eye"
You can lead a horse to water, but you can't make it dissolve.
AdBlock implemented default in browsers? Oh my an outcry there'd be... and there'd be a lot more incentive for trying to circumvent AB, leading to more websites where those of us running AB wouldn't have ads automatically blocked - ugh.
NoScript is simply a too advanced feature for Regular Joe & Jane. They'd be confused to death why 90% of the internet suddenly breaks for them, and they don't have the skills to selectively whitelist just the non-dangerous stuff. If you think noscript is trivial, your whitelist is probably too permissive.
Coffee-driven development.
I think a lot of our problems come from these 3rd party packages that have grown WAY too complex and provide too many vulnerabilities. Why, for example, should the PDF format permit -anything executable or coded-, whether it's JavaScript or ZIP files? It's time in my view for the developer and system integrator community to simplify; let's get back to the idea of tools and programs that have well-defined scope and do a few things well, rather than turning into Yet Another Vendor Platform that can be used to distribute viruses/trojans/malware/crapware/etc.
Noscript functionality is in Chrome and IE, just not enabled by default. In Chrome go to Options > Under the hood > Content Settings and disable then add your white-listed domains. In IE its a little more complicated, Internet Options > Security > Set Internet to HIGH then go to Trusted Sites and add your white-listed domains. Then go to Internet Options > Programs > Manage Addons > Toolbars and Extensions > Disable any addons you will not use, for addons you do use right click them > More Information > Remove all sites and add only white-listed domains.
Whale is more than 20 years old now, and it was polymorphic. An issue of 40hex from 1993 provides source for a polymorphic engine. This isn't a new development, the technique was "mastered" 20 years ago :P
Maybe they've seen a recent spike in it, but... who cares? Well, unless it means they'll put a little more thought into AV than signature-based bullshit. "heuristics"-based detection that isn't a complete joke, for a start.
If you use Adblock and Noscript, it is nearly impossible to get infected. Why that functionality is not in every browser and enabled by default I simply don't understand.
I have good enough karma with Slashdot that I'm given the option to disable ads. I don't. Why? Because ads fund Slashdot and keep it free. If ad blockers were on by default most of the sites people like and use would go out of business.
I'd like to see the OS, especially one like Android in the hands of unsupported, naive, and promiscuous users, require permissions for InterProcess Communication the it does for files. And for DB access. All strongly typed. Those kinds of familiar patterns in combination, upon every access between processes on objects. Mediated by an OS capable of supporting the user and using a support Internet to warn others when threats (or patterns that represent threats) appear to correlate to risky objects of the same kind.
The OS and Internet should act as an integrated immune system bathing our objects, not just a special case intervention when opening the first file from an email. Dedicate one or two cores of these multicore CPUs (and prefilter at servers for smaller/mobile devices). Attacks are now the norm, not the exception. The network and OS infrastructure design should recognize the new reality.
--
make install -not war
While "the club" really isn't very effective as an anti-theft device, wanting to protect your car from theft at a Walmart is actually pretty sensible, as that's an extremely likely place for it to be stolen. And there's no such thing as a Walmart "in the middle of no where": Walmart always locates stores in locations where there's plenty of customers. Even if that's some small town, it's the nexus for a large number of customers from surrounding areas and towns, so just putting the Walmart there will draw lots of people to that place, and consequently it is no longer "the middle of no where", it's actually a giant gathering place.
Here's a better anecdote: a couple months ago, I visited a place called Arcosanti, north of Phoenix in Arizona. It's a strange little artists' community built by an architect named Paolo Soleri, who has dreams of a Utopian city where everyone lives together in harmony in shared buildings (i.e., there's no separate houses, everyone has a small apartment, that kind of thing). His dreams are much bigger than the reality, which is a small community of people who've basically given up their normal lives to come live with him and, as they get enough money for concrete, build more of his vision. They basically live off selling some weird wind chimes they make there, and tour fees. Anyway, my wife and I went up there to check it out and take the tour, as it's a cool idea although not that realistic, and there were only two other visitors, one single woman and one older couple. This older couple pulled up into the parking lot right after us and parked next to us, and what did the man do when he stopped? He got out The Club and put it on his steering wheel! Now, keep in mind (take a look at Arcosanti on a map if you want), this place really IS "in the middle of no where": it's in Arizona's high desert, about 2 miles down a gravel road from the nearest civilization, which is nothing more than a couple of gas stations at an interstate exit, about 3 miles from a tiny development called Cordes Lakes, and about 20 miles from the nearest real town called Camp Verde. There really is nothing there, except some funny-looking concrete buildings with a few dozen residents, and it's probably the safest place for your vehicle to be in the whole state. The idea of needing additional vehicle security in such a place is laughable. Car thieves don't go out to remote destinations to steal peoples' vehicles, they go to population centers (i.e., cities), and crowded locations in those population centers such as shopping center parking lots, apartment parking lots, etc.
Isn't the problem that the application that renders the PDF/Flash/etc attachment has access to resources on the system that shouldn't be allowed?
In other words, why aren't all attachments files rendered by applications running in a "jail"?
Several reasons why Antivirus is a fail:
1) 0-day. Your AV will never pick it up
2) polymorphism - if the virus sig changes, you're hosed
3) People think: "Since I have AV, I can't get infected"
4) People think: "AV didn't find anything wrong, so I must be clean"
5) When AV doesn't work, people assume it's broken
Antivirus has evolved into a "solution" when it's clearly not capable. How many infected windows installs have you found where Norton took a head-shot, or some kind of AV *was* installed at one time but got smoked?
What's needed: OSs need to plug their holes. Browsers could be fixed so it doesn't hand off malicious content to system executables. The OS itself should be trimmed down so not everyone is running SMB/RPC (or other commonly exploited services) by default. Executables which handle web contect could be sandboxed and run by a lower privilege user (this can be done in Unix, so why not windows?). Why do these things not happen?
AV is great when it works but it's proving not to be enough.
Join the Slashcott! Feb 10 thru Feb 17!
The first polymorphic file-infecting virus that saw wide dispersion was DAV (Dark Avenger), back in 1991. It was detected just fine.
Not all virus detection is performed via signature-checking. In the case of Dark Avenger, McAfee used curve-fitting. A histogram of the frequency of various byte values in specific locations within an executable file was generated, and a frequency-distribution curve generated from that. This curve was compared to the curves of legitimate executables and to what the DAV virus tended to create as it altered the files it infected. How well the curves matched, and where any anomalies in otherwise-perfectly-matching curves were, became the basis of determining confidence that there was a"hit". This technique proved to be extremely accurate, moreso than string-matching. While false-negative (failed detection) and false-positive rates were never perfect, they were in the "many 9's" of accuracy. In many cases, this heuristic was more accurate against DAV than string-matching was against other non-polymorphic viruses
Point 1 is incorrect. Heuristics will often pick up a 0-day virus, as will behavior-based (anomaly detection) systems. String-based virus detection is only a part of modern antivirus products.
Point 2 is incorrect, and has been for 20 years. Polymorphism is no more a perfect virus cloaking mechanism than antivirus software is perfect malware defense.
Points 3 and 4... no antivirus software will ever stop infection if the user explicitly grants permission for something to run. There is no functional difference between malware and legitimate software; everything that malware does (from a functional perspective) is something that some piece of legitimate software or another can do. Malware is defined by deception, not function. Antivirus software does not detect deception, nor should it be expected to.
Point 5... yeah. People expect magic bullets. People demand perfection for free. People can go fuck themselves and their slimy little tort lawyers.
And... stack-based exploits are not viruses. Antivirus software is not intended to defend against such attacks.
But yes, all applications should run in their own sandboxes, memory-wise, file-system-wise, privilege-wise. This isn't a perfect defense either, as the software which attempts to enforce the sandbox is itself subject to attack. And there are many components of a system which are user-installed but are not sandboxed (device drivers, maintenance utilities). As long as operating systems and applications are architected as they are, there will be vulnerabilities which are deception-based. The only defenses there are education and reputation.
Everybody gets what the majority deserves.
I get real tired of this one. This naive geek idea that OSes can be made perfect and somehow immune to viruses. News flash: They can't, at least not if you wish to keep the ability to run arbitrary code. The only way to make an OS safe against viruses is the Apple "walled garden" idea where only authorized apps run. Even then, you could potentially sneak something by the authority that says if apps are ok. However so long as you can run arbitrary code, you can run evil code. There is no evil bit, the computer will execute anything it is given.
Please remember when talking about malware as opposed to worms you are talking about stuff that comes in to the computer through user action. It is bundled with an application, or is an app all by itself. The user downloads and runs it. There is no patching against that.
Also you have the silly idea of "if something isn't 100% effective it shouldn't be used." Bullshit. Look at security in the real world some day, where there is no such thing, ever, as perfect security. You get used to the concept that everything is fallible and you need defense in depth. Virus scanners help provide that defense in depth. They scan incoming things for known threats (by the way good ones are updated more than once a day). It is not your only line of defense, but one of them.
Run a virus scanner, and run as a deprivledged user, and patch your OS, and make sure to get software from trusted sources, and monitor your system, and so on. Don't have a defense, have layers. Only then do you have a real security solution.
PS, web executables can be sandboxed on Windows, IE does this, other browsers just don't care to use the interface to do so.
It's ironic therefore that the article is talking about a considerably more trivial exploit.
To me, this explanation seems outrageous. Exploits of this kind can only be successful on systems that are so badly designed that they will indiscriminately treat everything as executable content, even content posing as something else. That's a big problem, but it's easy to solve with a bit of care in system design. Most operating systems don't have this problem, and so they're not vulnerable. As far as I know, Microsoft Windows is the only exception.
Parity: What to do when the weekend comes.
It's more like this, although it may tread into slightly blasphemous territory by being written like this:
God has a good old time livin' it up with the angels. Then one day Lucifer, a great leader of angels, gets dissatisfied with his position and jealous and decides he wants to be like God. A whole bunch of angels follow him. God isn't pleased and decides to kick them all out of His presence.
Meanwhile, God creates the universe and a man for companionship, and then a woman to keep the man company, in a perfect walled garden where they can do basically whatever.
God decides it's pointless to force people to love Him, and gives them the choice - opt out by way of partaking of an Apple product. (Oh, I went there.)
At some point right around here is when Satan gets kicked out of heaven and winds up near the people. Satan comes in with the latest iGoodVsEvil and sends out some brilliant spam. Eve goes for it first and opens that totally_awesome_knowledge.doc.exe attachment. Adam goes "Hey, whatcha got there?" and opens the same attachment. God is displeased by the choice, but decides to let us deal with the consequences rather than nuking everything from orbit. Now we've each gotta opt back in and get our redemption.
Fast forward a few thousand years and a few close calls where our debauchery almost cost us our existence. Those ancient people really partied hard sometimes and did stuff that's illegal in most civilized cultures today, and man did they do a lot of dumb stuff. Up until Jesus' existence, people had to play by the rules. And there were quite a few which were mostly to keep people alive and relatively disease-free, and some of them still hold up scientifically - you know, like you can get trichinosis from eating undercooked pork, or how the Black Plague spread by not properly disposing of fecal matter or washing bedclothes or quarantining the sick, that kind of stuff. Things that we have medicine and technology for now, that we didn't then.
You also had to pay up on your anti-malware subscription every once in a while (price: goats, sheep, etc) so it wouldn't run out. That malware was pretty bad news - the payload executes when you die, and it's real bad.
But then, God decided we really needed something better. He manifested His son Jesus to live among us for about thirty years, who bought us all an infinite subscription by being executed as the ultimate sacrifice. Ka-ching, paid for in full! We've still gotta realize there's a problem and opt into the subscription and stop logging in as root in our lives, otherwise we don't get it. Hey, now we don't have to sacrifice animals!
And you know what, people still don't want it, and would prefer to take their chances with malware because living on the outside is more fun for a little while. But it catches up with you eventually, as anyone who surfs around the shadier parts of the 'Net as root all the time can tell you. But man, once you opt in, that's some powerful stuff and it comes with a great benefit of being allowed into the presence of God when you're kickin' up gold dust.
I dunno if that tweaks your geek the way it should, but that's a lot more accurate.
On a von-Neuman machine instructions *are* data, and vice versa.
Sandbox everything.