Malware vs. Anti-Malware, 20 Years Into The Fray

Posted by timothy on Tuesday May 06, @12:33PM
from the might-as-well-enjoy-it dept.
jcatcw writes "Steven J. Vaughan-Nichols considers the dissimilarities between malware of yore and current infiltrations as we approach the 20th anniversary of the Robert Morris worm. Modern malware apps curl up and make themselves at home in your system, where they wait for a chance to snatch an important password or a credit card number. Welcome to the era of capitalist hacking. Any self-respecting malware program today is polymorphic, making signature-based antivirus approaches difficult. Heuristics and virtual sandboxes offer alternatives, but all such methods are reactive. Unfortunately, monitoring lists and networks is about the only current alternative."
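The summary contrasts signature-based scanning with heuristics. As an added illustration that is not from the article or the poster, the Python below runs three detection layers over constructed byte strings: an exact SHA-256 signature, a byte-pattern signature, and an entropy heuristic. The samples, labels and threshold are invented for the example; the point is which layer still fires once a file no longer matches its known hash.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-ins for files on disk (bytes and labels are invented; none
# is real malware). KNOWN_BAD is the sample a vendor already has a hash for;
# VARIANT is the same content with two padding bytes inserted, so its hash
# differs; PACKED is uniformly distributed bytes, as packed or encrypted
# payloads look; BENIGN is ordinary text.
KNOWN_BAD = b"MZ\x90\x00" + b"\x00BEACON-v1\x00" + b"\x00" * 32 + b"A" * 40
VARIANT = KNOWN_BAD[:4] + b"\x00\x00" + KNOWN_BAD[4:]
PACKED = bytes(range(256)) * 2
BENIGN = b"Hello, world!\n" * 10


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature databases (constructed). An exact hash identifies one byte stream;
# a byte pattern survives changes elsewhere in the file; the entropy heuristic
# needs no prior knowledge of the sample at all.
HASH_SIGNATURES = {sha256_hex(KNOWN_BAD): "Trojan.Constructed.A"}
BYTE_SIGNATURES = {b"\x00BEACON-v1\x00": "Trojan.Constructed.A"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; 8.0 is the maximum


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; packed or encrypted data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan(data: bytes) -> list:
    """Return (method, label) verdicts from every detection layer that fired."""
    verdicts = []
    digest = sha256_hex(data)
    if digest in HASH_SIGNATURES:
        verdicts.append(("hash", HASH_SIGNATURES[digest]))
    for pattern, label in BYTE_SIGNATURES.items():
        if pattern in data:
            verdicts.append(("pattern", label))
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        verdicts.append(("heuristic", "high-entropy content"))
    return verdicts


def methods_that_fired(data: bytes) -> set:
    """Just the layer names, for comparing samples side by side."""
    return {method for method, _ in scan(data)}


if __name__ == "__main__":
    for name, sample in [("known", KNOWN_BAD), ("variant", VARIANT),
                         ("packed", PACKED), ("benign", BENIGN)]:
        print(f"{name:8s} {scan(sample)}")
```

The hash layer catches only the exact sample; the pattern layer still catches the shifted variant; only the entropy heuristic says anything about the packed blob, and it says nothing about what the blob is, which is why heuristic hits usually feed a sandbox or an analyst rather than a block decision on their own.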

Related Stories

Developers: Malware Modification Contest Has Antivirus Vendors Upset (167 comments)
SkiifGeek writes "Race to Zero, a sideline competition being set up at this year's DefCon, already has some Antivirus vendors steaming over the objectives of the contest. They are upset because it is essentially a polymorphism exercise. Entrants are given a set of malware samples which they must then modify to pass through a battery of antivirus scanners without detection while still carrying a viable payload. Even if competitors ignore the published vulnerabilities and weaknesses affecting antivirus vendors, the competition should turn up some interesting results. It may provide technical insight and concepts for further research as similar competitions have done in the past."
Kraken Infiltration Revives "Friendly Worm" Debate (239 comments)
Anonymous Stallion writes "Two security researchers from TippingPoint (sponsor of the recent CanSecWest hacking contest) were able to infiltrate the Kraken botnet, which surpasses its predecessors in size. The researchers have published a pair of blog entries: Owning Kraken Zombies and Kraken Botnet Infiltration. They dissect the botnet and go so far as to suggest that they could cleanse it by sending an update to infected hosts. However, they stopped short of doing so. This raises the old moral dilemma about a hypothetical 'friendly worm' that issues software fixes (except that the researchers' vector is a server that can be turned off, not an autonomous worm that can't be recalled once released). What do you think — is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"
  • by Toreo asesino (951231) on Tuesday May 06, @12:38PM (#23313488) Journal
    Some malware I've seen has become seriously sophisticated, so much so that cleaning it is basically impossible.

    Non-admin rights, client-side file scanners, web-side blacklists, and user training are the only way malware is going to go away.
    • Re: (Score:3, Interesting)

      Not only that, but a more varied OS/software environment would lessen the damage that could be caused by malware/baddies in general. Homogenization is likely one of the worst things to have ever happened to software in general.
      • more varied OS/software environment would lessen the damage

        Only if we don't unify our code, which probably won't happen because people will want to target broad user bases. When code can be compiled on a Windows machine to target a Linux machine, you st
        • Surely then you'd need to bundle GCC with your virus because most people don't have a compiler, meaning all viruses would be GPL'd and you'd have to offer every machine you infect the source...hmm

          Either that, or you have to develop a self-compiling virus.
    • I work for an ISP and my user base is a range from large corporations to grandma. I can't enforce 3 of your 4 suggestions, and the fourth could get me sued for violating someone's first amendment rights if I black-list the wrong IP range.

      Non-admin rights a
  • Robert Morris, OMG (Score:5, Informative)

    by Anonymous Coward on Tuesday May 06, @12:43PM (#23313560)
    Come on, the guy's name is Robert Morris:

    http://pdos.csail.mit.edu/~rtm/

    You're thinking of the William Morris talent agency in Hollywood, or something. Mods, please correct this.
  • Some ways to win. (Score:3, Informative)

    by apathy maybe (922212) on Tuesday May 06, @12:49PM (#23313622) Homepage Journal
    Don't install system wide untrusted software, only use signed software from your public repository or from trusted vendors.

    Prevent any other changes from being made to the system, mount system partitions read only.

    Where users are installing software, force it into a sandbox (one for each application). Each sandbox will have limited access to the network, user files and hardware (such as web cams and microphones).

    The simplest solution is to never allow software from users to run (mount home partition as no-exec). However, this doesn't cut it much of the time, which is why I would suggest doing something similar to no-exec, but as a sandbox rather than not running the file at all. I'm not sure how hard that would be, but I'm sure it is possible.

    (Oh wait, are we talking about MS Windows here? I guess you can ignore what I said then...)
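The read-only system partition and no-exec home partition the comment recommends are plain mount options. As an added example, not the commenter's code, here is a small Python audit that parses an fstab-style table and reports which of those options each mount point lacks. The fstab excerpts, UUIDs and the policy table are constructed for the example.

```python
# Constructed /etc/fstab excerpts (not copied from any real system). The first
# mounts everything with "defaults" (rw, exec, suid, dev); the second applies
# the hardening described in the comment.
FSTAB_WEAK = """\
# <device>        <mount point>  <type>  <options>   <dump> <pass>
UUID=0000-AAAA    /              ext4    defaults    0      1
UUID=0000-BBBB    /home          ext4    defaults    0      2
UUID=0000-CCCC    /tmp           ext4    defaults    0      2
"""

FSTAB_HARDENED = """\
UUID=0000-AAAA    /              ext4    ro                       0  1
UUID=0000-BBBB    /home          ext4    rw,noexec,nosuid,nodev   0  2
UUID=0000-CCCC    /tmp           ext4    rw,noexec,nosuid,nodev   0  2
"""

# Policy (constructed): system partition read-only; user-writable partitions
# may not run binaries, honour set-uid bits, or expose device nodes.
POLICY = {
    "/": {"ro"},
    "/home": {"noexec", "nosuid", "nodev"},
    "/tmp": {"noexec", "nosuid", "nodev"},
}


def parse_fstab(text: str) -> dict:
    """Map each mount point to the set of mount options declared for it."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue                          # malformed line: skip it
        _device, mountpoint, _fstype, options = fields[:4]
        entries[mountpoint] = set(options.split(","))
    return entries


def audit(text: str, policy: dict = POLICY) -> dict:
    """Return {mount point: [missing options]} for every policy violation."""
    entries = parse_fstab(text)
    findings = {}
    for mountpoint, required in policy.items():
        declared = entries.get(mountpoint)
        if declared is None:
            findings[mountpoint] = sorted(required)  # no entry at all
            continue
        missing = required - declared
        if missing:
            findings[mountpoint] = sorted(missing)
    return findings


def remount_commands(findings: dict) -> list:
    """Shell commands that would apply the missing options to a live system."""
    return [f"mount -o remount,{','.join(opts)} {mp}"
            for mp, opts in findings.items()]


if __name__ == "__main__":
    for name, table in [("weak", FSTAB_WEAK), ("hardened", FSTAB_HARDENED)]:
        found = audit(table)
        print(name, found or "OK")
        for cmd in remount_commands(found):
            print("  ", cmd)
```

Two caveats the comment itself hints at: a read-only root has to be remounted read-write for package updates, so the update procedure needs to own that step; and noexec blocks direct execution of files on that partition but not a script handed to an interpreter that lives on the system partition, which is exactly why the comment wants a sandbox rather than noexec alone.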
  • by nuzak (959558) on Tuesday May 06, @12:58PM (#23313736) Journal
    Wish I could get paid just for clicking "approve" and filling in the text in the "from the ____ dept".

  • by mcelrath (8027) on Tuesday May 06, @01:10PM (#23313896) Homepage

    Between spam, malware, and credit card fraud, the criminals are winning, big time.

    The eventual consequence of this is a faltering of trust in our financial systems and economies, and the rise of new kinds of criminal mafias, with billion dollar portfolios. If you thought the mob was scary, wait until you see what rises out of the ashes of the current system.

    The solution to this, I believe, is first to limit the information transferred in any transaction to that which is necessary for the transaction (no grocer, you don't need to know where I live); second to implement electronic cash (in the current credit card system you give authorization to perform transactions at any time in the future without verification); and third to establish and teach strong cryptography for communications, transactions, and identity.

    But the biggest thing we can do now is get the world's police forces to get off their asses. As long as these things are not prosecuted, criminals will flourish, and they are.

    It's time to make this an important issue in elections, before we all lose big.

    • But the biggest thing we can do now is get the world's police forces to get off their asses. As long as these things are not prosecuted, criminals will flourish, and they are. Word. The behavior you reward is the behavior you will get. The current non-sy
      • Really, voters don't like malware, why hasn't some ambitious commonwealth's attorney or state attorney general gone after this?
        One did, but then they made him governor and he got caught banging a hooker or something.
  • by Anonymous Coward on Tuesday May 06, @01:11PM (#23313906)
    The whole way security is treated needs to be changed. Having root and an ordinary user just doesn't offer the level of granularity that users need. As a user I want to be able to do everything on my computer, what's really needed is fine grained access control per program. Of course, that has issues with users having to grant those privileges but you could have profiles. Imagine installing Evolution or something and it pops up and says "This software says it's a mail client, does that sound right to you?" and then what privileges it gets granted will be set by a "mail client" profile already installed on the system.

    When you need to install something esoteric then you would have to do some more advanced steps but if you are installing something strange then you probably know what you are doing anyway.

    This could maybe be combined with some sort of trust network. Say your friend installs something that needs non-standard access rights, they could grant the required permissions and create a new profile. You would have them in your trusted list and would have access to all of their profiles so when you install that application, it can categorise it using the info your friend provided.

    I think this system provides a good balance between really fine grained permissions and not blindly clicking through loads of confirmation dialogs.
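The profile-driven permission scheme the comment sketches, as an added Python example that is not part of the original post: applications declare a profile, the user confirms the claim, the broker grants only that profile's permissions, and profiles shared by peers are accepted only from a trust list. Profile names, permission strings and the class's method names are assumptions made here.

```python
class PermissionBroker:
    """Per-application permission mediator driven by named profiles.

    A sketch of the design in the comment above; nothing here is a real OS API.
    """

    def __init__(self, profiles, trusted_sources=()):
        self.profiles = {name: set(perms) for name, perms in profiles.items()}
        self.trusted_sources = set(trusted_sources)
        self.grants = {}  # application -> set of permissions it may use

    def install(self, app, claimed_profile, user_confirmed):
        """Grant the profile's permissions only after the user confirms the claim."""
        if claimed_profile not in self.profiles:
            raise KeyError(f"no profile named {claimed_profile!r}; use advanced install")
        if not user_confirmed:
            self.grants[app] = set()  # installed, but allowed nothing
            return set()
        self.grants[app] = set(self.profiles[claimed_profile])
        return set(self.grants[app])

    def import_profile(self, name, permissions, source):
        """Accept a profile shared by a peer only if that peer is in the trust list."""
        if source not in self.trusted_sources:
            return False
        self.profiles[name] = set(permissions)
        return True

    def check(self, app, permission):
        """Access decision for one request; unknown apps are denied by default."""
        return permission in self.grants.get(app, set())


# Constructed base profiles shipped with the system.
BASE_PROFILES = {
    "mail client": {"net:imap", "net:smtp", "file:~/Mail", "file:~/Downloads"},
    "media player": {"file:~/Music", "hw:audio"},
}

VIDEO_CHAT = {"hw:webcam", "hw:audio", "net:rtp"}  # constructed peer-supplied profile


def demo():
    """Walk through the scenario in the comment and return each decision."""
    broker = PermissionBroker(BASE_PROFILES, trusted_sources={"alice"})
    broker.install("evolution", "mail client", user_confirmed=True)
    results = {
        # A mail client reaches mail servers and its mail directory, nothing else.
        "evolution imap": broker.check("evolution", "net:imap"),
        "evolution webcam": broker.check("evolution", "hw:webcam"),
        # A profile offered by an unknown peer is rejected; a trusted friend's is accepted.
        "import from mallory": broker.import_profile("video chat", VIDEO_CHAT, source="mallory"),
        "import from alice": broker.import_profile("video chat", VIDEO_CHAT, source="alice"),
    }
    broker.install("videoapp", "video chat", user_confirmed=True)
    results["videoapp webcam"] = broker.check("videoapp", "hw:webcam")
    results["videoapp mail dir"] = broker.check("videoapp", "file:~/Mail")
    # Declining the confirmation dialog installs the program with no access at all.
    broker.install("oddtool", "media player", user_confirmed=False)
    results["oddtool audio"] = broker.check("oddtool", "hw:audio")
    return results


if __name__ == "__main__":
    for decision, outcome in demo().items():
        print(f"{decision:22s} {outcome}")
```

The default-deny in `check` is the part that matters: an application the broker has never seen, or one whose claim the user rejected, gets nothing, so the single confirmation dialog decides a whole bundle of permissions at once instead of one dialog per resource.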
  • I just don't understand why malware isn't considered a form of vandalism and prosecuted as such.
  • "Welcome to the era of capitalist hacking."

    What does the theft of personal information have to do with the private ownership and exchange of wealth?
  • by MadMidnightBomber (894759) on Tuesday May 06, @01:42PM (#23314316)
    Everyone knows it was Philip Morris, the guy who makes the cigarettes.
  • by Arrogant-Bastard (141720) on Tuesday May 06, @02:13PM (#23314738)
    In re: "Unfortunately, monitoring lists and networks is about the only current alternative."

    There are many alternatives to this, starting with: "Recognize that operating systems which are readily compromised by malware are broken and not acceptable for use." If you choose to use an OS which is so intrinsically weak that it cannot survive exposure to the (unfirewalled) Internet without anti-virus, anti-spyware, anti-adware, etc., then you have chosen poorly, and no subsequent choice you make will compensate for that.

    A followup point would be "Understand that it is not possible to 'clean' a malware-contaminated system. The only acceptable course of action is to wipe to bare metal, reinstall, and restore from backups." While it might have been partially true in a limited sense that some malware could be removed by anti-whatever products, that's certainly not the case now: it's much more likely that malware will evade detection and removal. Of course, it serves the purposes of both anti-whatever companies and lazy system administrators to continue propagating this fiction, because if they actually had to scrub and rebuild systems as often as they're infested, they might have to face some hard choices that they'd rather not.

    And an excellent set of auxiliary points may be found in Marcus Ranum's The Six Dumbest Ideas in Computer Security [ranum.com], where he enumerates the most egregious (and sadly, most common) mistakes made by nearly everyone, including supposed "experts" with strings of meaningless, worthless certifications after their names.

    So there are plenty of alternatives -- but choosing them and implementing them requires vision and insight, two qualities badly lacking in many in the profession.

  • Alarmist (Score:4, Insightful)

    by redelm (54142) on Tuesday May 06, @02:30PM (#23314978) Homepage
    Sorry, I'm not paranoid. Go peddle your fear somewhere else. Yes, there are real threats. There is also a cost both in money and peace-of-mind of fighting them.

    There is a balance to be struck, and "Better safe than sorry" can be answered "better neither than either".

    • "It also benefits certain software companies that there is no real clean up."

      It further benefits computer shops and geeks who get paid to nuke and pave compromised systems. If Windows were robust and easy to "disinfect" I would have far fewer free computer
    • Do we really have to remember the anniversary of every crap "invented"?
      No we don't but people who are interested in that particular "crap" will. You can move on to the next article if you're not interested. You can accomplish this either by utilizing the scroll bar at the right of your screen or your down arrow key. Glad I