Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Rise of Polymorphic Malware

Posted by Unknown on from the dot-zip-dot-pdf-dot-virtual-exception dept.

twoheadedboy writes "The level of aggressive, polymorphic malware intercepted by Symantec doubled in July, when compared to figures from six months ago. This kind of malware has been typically found inside an executable within an attached ZIP file disguised as a PDF file, and is pretty darn good at getting around traditional anti-virus products. 'There are powerful Darwinian forces acting on the development of malware by criminals,' said Martin Lee, senior software engineer at Symantec. 'Those who look to innovate and improve their malware tend to infect more computers and acquire the resources to reinvest in further development and innovation.'"

8 of 202 comments (clear)

  1. Re:It's 2011, don't open the attachment by fuzzyfuzzyfungus · · Score: 4, Insightful

    Given the frequency with which a cracked webmail account or compromised PC with an email client will immediately start spamming its former owner's entire address book, expecting the "people you know" rule to save you is fairly naive...

  2. Polymorphic Software by Atmchicago · · Score: 4, Informative

    Polymorphic Software
    Prerequisite: Industrial Base, Information Networks
    Technology: Advanced Subatomic Theory, Optical Computers, Adaptive Doctrine
    Special Ability: Heavy Artillery
    Improves Probe Team success rate.
    Track and Level: Discover 2
    "Technological advance is an inherently iterative process. One does not simply take sand from the beach and produce a Dataprobe. We use crude tools to fashion better tools, and then our better tools to fashion more precise tools, and so on. Each minor refinement is a step in the process, and all of the steps must be taken."
    -- Chairman Sheng-ji Yang,
    "Looking God in the Eye"

    --

    You can lead a horse to water, but you can't make it dissolve.

  3. Re:It's 2011, don't open the attachment by CohibaVancouver · · Score: 5, Insightful

    If you use Adblock and Noscript, it is nearly impossible to get infected. Why that functionality is not in every browser and enabled by default I simply don't understand.

    I have good enough karma with Slashdot that I'm given the option to disable ads. I don't. Why? Because ads fund Slashdot and keep it free. If ad blockers were on by default most of the sites people like and use would go out of business.

  4. Process Permissions by Doc+Ruby · · Score: 4, Insightful

    I'd like to see the OS, especially one like Android in the hands of unsupported, naive, and promiscuous users, require permissions for InterProcess Communication the it does for files. And for DB access. All strongly typed. Those kinds of familiar patterns in combination, upon every access between processes on objects. Mediated by an OS capable of supporting the user and using a support Internet to warn others when threats (or patterns that represent threats) appear to correlate to risky objects of the same kind.

    The OS and Internet should act as an integrated immune system bathing our objects, not just a special case intervention when opening the first file from an email. Dedicate one or two cores of these multicore CPUs (and prefilter at servers for smaller/mobile devices). Attacks are now the norm, not the exception. The network and OS infrastructure design should recognize the new reality.

    --

    --
    make install -not war

  5. Re:It's 2011, don't open the attachment by Grishnakh · · Score: 4, Interesting

    While "the club" really isn't very effective as an anti-theft device, wanting to protect your car from theft at a Walmart is actually pretty sensible, as that's an extremely likely place for it to be stolen. And there's no such thing as a Walmart "in the middle of no where": Walmart always locates stores in locations where there's plenty of customers. Even if that's some small town, it's the nexus for a large number of customers from surrounding areas and towns, so just putting the Walmart there will draw lots of people to that place, and consequently it is no longer "the middle of no where", it's actually a giant gathering place.

    Here's a better anecdote: a couple months ago, I visited a place called Arcosanti, north of Phoenix in Arizona. It's a strange little artists' community built by an architect named Paolo Soleri, who has dreams of a Utopian city where everyone lives together in harmony in shared buildings (i.e., there's no separate houses, everyone has a small apartment, that kind of thing). His dreams are much bigger than the reality, which is a small community of people who've basically given up their normal lives to come live with him and, as they get enough money for concrete, build more of his vision. They basically live off selling some weird wind chimes they make there, and tour fees. Anyway, my wife and I went up there to check it out and take the tour, as it's a cool idea although not that realistic, and there were only two other visitors, one single woman and one older couple. This older couple pulled up into the parking lot right after us and parked next to us, and what did the man do when he stopped? He got out The Club and put it on his steering wheel! Now, keep in mind (take a look at Arcosanti on a map if you want), this place really IS "in the middle of no where": it's in Arizona's high desert, about 2 miles down a gravel road from the nearest civilization, which is nothing more than a couple of gas stations at an interstate exit, about 3 miles from a tiny development called Cordes Lakes, and about 20 miles from the nearest real town called Camp Verde. There really is nothing there, except some funny-looking concrete buildings with a few dozen residents, and it's probably the safest place for your vehicle to be in the whole state. The idea of needing additional vehicle security in such a place is laughable. Car thieves don't go out to remote destinations to steal peoples' vehicles, they go to population centers (i.e., cities), and crowded locations in those population centers such as shopping center parking lots, apartment parking lots, etc.

  6. Re:It's 2011, don't open the attachment by jdgeorge · · Score: 4, Insightful

    Isn't the problem that the application that renders the PDF/Flash/etc attachment has access to resources on the system that shouldn't be allowed?

    In other words, why aren't all attachments files rendered by applications running in a "jail"?

  7. Antivirus makes a better suggestion than solution by sl4shd0rk · · Score: 5, Interesting

    Several reasons why Antivirus is a fail:
        1) 0-day. Your AV will never pick it up
        2) polymorphism - if the virus sig changes, you're hosed
        3) People think: "Since I have AV, I can't get infected"
        4) People think: "AV didn't find anything wrong, so I must be clean"
        5) When AV doesn't work, people assume it's broken

    Antivirus has evolved into a "solution" when it's clearly not capable. How many infected windows installs have you found where Norton took a head-shot, or some kind of AV *was* installed at one time but got smoked?

    What's needed: OSs need to plug their holes. Browsers could be fixed so it doesn't hand off malicious content to system executables. The OS itself should be trimmed down so not everyone is running SMB/RPC (or other commonly exploited services) by default. Executables which handle web contect could be sandboxed and run by a lower privilege user (this can be done in Unix, so why not windows?). Why do these things not happen?

    AV is great when it works but it's proving not to be enough.

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  8. Sigh by Sycraft-fu · · Score: 5, Insightful

    I get real tired of this one. This naive geek idea that OSes can be made perfect and somehow immune to viruses. News flash: They can't, at least not if you wish to keep the ability to run arbitrary code. The only way to make an OS safe against viruses is the Apple "walled garden" idea where only authorized apps run. Even then, you could potentially sneak something by the authority that says if apps are ok. However so long as you can run arbitrary code, you can run evil code. There is no evil bit, the computer will execute anything it is given.

    Please remember when talking about malware as opposed to worms you are talking about stuff that comes in to the computer through user action. It is bundled with an application, or is an app all by itself. The user downloads and runs it. There is no patching against that.

    Also you have the silly idea of "if something isn't 100% effective it shouldn't be used." Bullshit. Look at security in the real world some day, where there is no such thing, ever, as perfect security. You get used to the concept that everything is fallible and you need defense in depth. Virus scanners help provide that defense in depth. They scan incoming things for known threats (by the way good ones are updated more than once a day). It is not your only line of defense, but one of them.

    Run a virus scanner, and run as a deprivledged user, and patch your OS, and make sure to get software from trusted sources, and monitor your system, and so on. Don't have a defense, have layers. Only then do you have a real security solution.

    PS, web executables can be sandboxed on Windows, IE does this, other browsers just don't care to use the interface to do so.