Shape-Shifting Malware Hits the Web

Stony Stevenson writes to tell us that in a recent interview, Marc Henauer has revealed that security researchers are falling behind now that malware is starting to be able to change its signature every few hours. "Unfortunately the know-how and construction kits used to create this shape-shifting threat are now readily available and are unleashing a wave of malware based on social engineering techniques. [...] Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc."

This is a GOOD thing

Maybe now we'll stop pretending that glorified versions of grep can keep us safe.

It's just the anti-virus companies claiming that.

That way they can keep selling you "updated" "signature files" every hour / day / week / month / year.

The correct way to handle this is to set up your system so that the user cannot ACCIDENTALLY execute any external code.

There's no way to solve the issue of some idiot clicking on everything and putting in the root password whenever asked. So don't bother bringing that case up.

For everyone else, lock the OS files so that it cannot be infected and set the user writable portion to not execute any code. There, the majority of that problem is solved.

Then, ship the default installation without any open ports and you've pretty much solved the worm issue.

But that approach means that the anti-virus companies cannot keep selling you new signature files. So don't expect any of them to support it.

Re:It's just the anti-virus companies claiming tha

The correct way to handle this is to set up your system so that the user cannot ACCIDENTALLY execute any external code.

Would be rather trivial to implement in XP or Vista (and I'd love it, because it would reduce the number of calls off duty. On the other hand every employee would hate it and they might call me even more because they can't download "useful" stuff). But in the end this is not the most common source of malware/virii anymore. Cross-site-scripting accompanied by security holes in common plugins causes way more compromised systems. Bugs in Flash or quicktime in earlier versions make it extremely easy to infect a system without the user noticing. When I look at the stats of my website I could infect 50 visitors by week without much effort, because they run old versions of Flash (I'm not talking about the website I list in my profile). The so called "Russian Business Network" offered $ 0.10 per infected user last year. Might be just 5 bucks per week for my small site, but in the end I must say that it has never been easier and more profitable to infect IT systems (and no, I didn't take the money).

Re:It's just the anti-virus companies claiming tha

The correct way to handle this is to set up your system so that the user cannot ACCIDENTALLY execute any external code.
and you do that by asking cancel or allow for each app.

Re:It's just the anti-virus companies claiming tha

Oh it's possible, but it's nasty (to quote the 0-scored AC). You try to remove the executable, and it respawns. Wha? You go looking, and you get rid of the file it's respawned from, and *that* respawns. Okay, so it's resident. You do some magic on it without the OS running to remove the two files, and bang, you have a hosed OS. That's as far as I got before I decided it wasn't worth it. Use Deepfreeze and reboot hourly, or run it in a VM with rollbacks on the fs. And have a real OS lying around for general purpose use.

Re:

I'm pretty sure that deleting all the shortcuts and then putting firefox as the default browser is a way better solution then actually trying to yank IE out of Windows.

Re:It's just the anti-virus companies claiming tha

The user has two options... click or don't.

How about giving the user more choices? You might want to let them run it in a sandbox, or run it without internet access, or chroot it.

If they had a way to express their intent, and actually control how much they give away when they click... it would go a VERY long way towards fixing things, probably 99%.

--Mike--

Re:It's just the anti-virus companies claiming tha

How about giving the user more choices? You might want to let them run it in a sandbox, or run it without internet access, or chroot it.

And how many users, pray tell, do you think would understand what those options are, or which one to pick for any given program. If your answer is > 1 %, you have a much higher opinion of the average computer user's understanding of what they're doing than I do.

Re:It's just the anti-virus companies claiming tha

How about giving the user more choices? You might want to let them run it in a sandbox, or run it without internet access, or chroot it.

If they had a way to express their intent, and actually control how much they give away when they click... it would go a VERY long way towards fixing things, probably 99%.

Have you ever tried Comodo's free firewall [comodo.com] or free antivirus [comodo.com]???

Both of them use whitelisting / safelists. Anything not whitelisted needs explicit permission from the user before they're able to read/write/delete/create a file or directory or access the internet. These two FREE (as in beer) products literally give you a similar level of control over what runs on your computer.

The Comodo antivirus doesn't work on Vista right now but will soon. Then again, this is Slashdot so we're all running XP right ?!?

For sandboxing, you can use VMWare Server (free as in beer) to generate an image to run in VMPlayer (also free as in beer) which you can then use within Windows. If you get VMWorkstation (not free but well worth it), you can get fine-grained control over snapshotting.

Re:Attention Mods! Parent is karma whoring

I'm not trying to game the system... I hit the karma cap a few years ago, and really don't care about it. I do care very much about making a what is a subtle distinction a bit more clear.

I'm sorry if my writing wasn't up to snuf.

A lot of people will tell you that an Object Capability System can't do anything more than one based on Access Control Lists. This argument is much like the ones posed against Structured programming when it came out... the opponents to change all said "well.. it doesn't really do anything new"... and if you picked enough nits, you could technically say they were right, in terms of the expressiveness of the program.

However, in practice it's not just about the types of computation your code you can express, but rather the programmers productivity. Structured programming made it easier to get things done. It saved programmers time.

In theory, in an ACL based system, you can run a program inside of a sandbox. You first create a new account for a program to run inside of, and then lock down the permissions of the rest of the system to make it safe. This is a non-trival task, which must be done perfectly if your program you wish to run turns out to be malicious.

A capabilities based system is designed from the start to enforce a policy of least privilege. That means that a program should given only the capabilities it requires to execute the task at hand, and nothing more. To run a program in a "sandbox" requires no more action that only giving it a sandbox to play in, the system enforces the rest. Not only that, it makes it possible for an end user to decide what rights to give a program without having to check all of the rest of the system.

The lack of awareness of the Capability Object Model severely constrains the possible futures that can be imagined by most of us, and we're making bad choices because of that ignorance.

I'm just trying to shine some light into the darkness.

--Mike--

Re:This is a GOOD thing

Amen!
Imagine having two broken hands. You would have no way to directly take the money from your wallet and manage it yourself, you'd be forced somehow give your entire wallet to someone each time you wanted to pay. It would be almost impossible to prevent them from slipping an extra $20 unless you happened to see it. You're forced to trust someone completely.
For the foreseeable future, we're all dealing with two broken hands. There's no way to pick which parts of our set of capabilities we want to hand to a program. We have no way of stopping it from taking our personal data and sending it away, holding it hostage, or subtly sabotaging it.
I want my metaphorical fingers back.
--Mike--

Re:This is a GOOD thing

Self modifying code is self modifying code. If it changes its signature into a different permutation that contains the same logic (e.g. changing the registers loaded, moving memory locations, inserting no-ops that don't look like no-ops, allocating different stack size, using a different location on disk, etc.) then it becomes nearly invisible to automated tools. I'm sure the next revision of anti-viral software will aim for complex heuristics that attempt to negate this sort of hiding. Which will become the next major arms race between virus writers and anti-virus writers. (Just like spam vs. anti-spam.)

Of course, arms races are usually a bad thing. They waste resources yet deliver very little. We need to start thinking about building a new infrastructure that is not susceptible to such simplistic attacks. e.g. Managed languages, jailed environments, trust relationships for email servers, and other such steps to data security. Unfortunately, there is so much time and money invested in our current infrastructure that there's no chance the market would make such a change unless absolutely forced to do so. Thus we come full circle back to the GPP's point.

Re:This is a GOOD thing

Oh, and I forgot a particularly nasty option: Compressing or encrypting the code. e.g. A piece of code can use OS services to compress data on disk. This would make it look like any other program with compressed segments. Another option is a variation of One Time Pad based on system information like hostname or MAC address. Again, it's hard to identify the stub as a definite virus header.

Even worse is that most viruses today are part of a Botnet that has Command and Control capabilities. So the hiding ability of the virus can be updated on a regular basis. Version 1 selected between compression and OTP? No problem! Version 2 will add reordering of code segments!

Quite nasty, these bugs.

I love it.

The slashdot synopsis is longer than the article.

Re:I love it.

It is a clever plan to get people to RTFA. Now people will stop bothering to read the fine summary.

Enumerating the Bad is not a good idea

Enumerating the bad is usually a bad idea, since it is to easy to change what is "bad". We enumerate the good with firewalls, why should software security be any different? Distro repository + corperate repository should cover all software necessary, right?

Will we now see true evolution of software viruses?

This is pretty much #1 and #2 in this list of The Six Dumbest Ideas in Computer Security [ranum.com].

Can someone explain what this means?

Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc.

What exactly is a "non rules-based monitoring process?" I thought I had some clue about security procedures, but I'm be hard pressed to describe what such a process might be. Even more importantly, what would it cost to implement? TFA is no help here, consisting of the usual hand-waving about the never-ending arms race between malware writers and the rest of us.

We all know what the most effective solution to this problem would be. Funny how it's never mentioned in any of these articles.

Re:Can someone explain what this means?

Actually, it is "rules". But, it is not "patterns".

Specifically, http outbound access should be allowed for firefox. The firefox binary is /usr/bin/firefox, and has an md5 signature of 64b6c465f9919e1fa860707fb762cff2. If the signature changes (without having updated the program), a security alert is raised. And that name/hash combination is allowed outbound port 80 access.

Basically, security should be SElinux and Tripwire. Those two tools (or equivalents on alternate Operating Environments) cover most of the threats.

Malware cannot then hide as an existing program. New programs should have strict security profiles that prevent "excess" (network, disk, cpu, memory) usage.

It would be possible to create malware, but it would be worthless, in the sense that the resources that could be misappropriated would be minimal (note that Unix and Unix-like systems have had ulimit for ages -- SElinux expands on the idea). A particular malware COULD attempt escalate to root, but SElinux would prevent the attempt to escalate the "usual" way. Specifically, firefox has NO REASON to gain root, and this can be prevented.

What would the worst malware look like in this senario? A javascript in firefox because it can do almost unlimited port 80 access. Email can be limited to qmail or sendmail (and even further limited by the expected amount).

Unix-like systems (with the exception of MAC OS X, which frightens me a bit) are heading here. Intrusion alert systems coupled with execution limiting, role based security systems (apparmor and selinex).

"AppArmor is an application security tool designed to provide an easy-to-use security framework for your applications. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies, called "profiles", completely define what system resources individual applications can access, and with what privileges. A number of default profiles are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor profiles for even very complex applications can be deployed successfully in a matter of hours."

Of course there is no need for malware detection with this model. Tripwire already does a better job than any "anti-malware" program could, because it snapshots the OK state of all files. *anything* that differs is then suspect. AppArmor/SElinux provides for the expected BEHAVIOR of all programs. If they differ, they are suspect.

As you have probably noted, this protection does not accomodate "rootkits". However, a rootkit cannot be "defended" against, or even detected when running under it (at least if it is a reasonably well done rootkit). But this simple approach will eliminate all, or almost all, malware seen in the wild. With no need for anti-malware updates, or subscriptions, etc.

Re:

Indeed. I don't really care if it's Linux or Open Solaris or OS X or, hell, even HP-UX. It doesn't even have to be *nix if it's built on a sound security model.

The fact that the global computing infrastructure is so homogeneously based an operating syste

It won't end until there is extreme violence

Until the people who are putting this stuff out there are seriously and literally beaten either within inches of their lives or to death, this sort of thing will get worse and worse.

These assholes call themselves "marketers." They have gotten away with it for so long, they often call a great portion of this "legitimate business." It's not enough to criminalize this stuff... especially when law enforcement generally has no idea how to prosecute or make a case against any of it.

There should be a series of web sites built that creates a "hit list" of people responsible for this crap. That's where the end of this should begin.

Is I told you so a meme?

All my posts about malware and virus software for some time have been doom and gloom. Seems moderators don't like that. This is nothing but the tip of the iceburg of what might be coming, and what is probably already in the wild, we just don't know it yet. I could probably think of a dozen scenarios where malware could already be hiding on your equipment, silently waiting to be signaled.

It's possibly in your router's flash by now, or your motherboard's flash, or sitting on a CD or CE player's flash, or an MP3 player. It only has to wait till it needs to start spreading, and be dormant there too, then one day you notice missing files, or there is an outbreak of serious malware globally. Yes, tinfoil hat stuff, but it is possible, and as time ticks on it is becoming more probable.

Nobody wants to believe it, but it is possible. If it is possible, it will only be a matter of time...

Work Uniform

I thought shape-shifting malware was the official business attire of geeks everywhere.

A Blast from the Past....

1991
        Tequila is the first widespread polymorphic virus found in the wild. Polymorphic viruses make detection difficult for virus scanners by changing their appearance with each new infection.


Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc."

Its called heuristics and its been in use for a while.

Enjoy,

a possible solution

If you take a snapshot of your harddrive/OperatingSystem, and as long as you don't do anything to change it (no writing to disk anywhere, no launching applications) then take another snapshot a few minutes later and another and another, soon this shape/shifting malware will reveal itself, get enough glimpses of it and a picture will emerge so you will know what to look for then know how to eradicate it from your computer, I doubt the kludge like mcaffee & norton are capable but somebody has to rise to the occasion to build something good enough to do this, it would be worth it to leave your PC alone while some anti-malware runs that can deal with this shape/shifting malware and catch it so it can be removed, or reveal a method & list of files so you can manually remove it...

Re:

That doesn't help the situation. If windows goes away, the problem with just migrate to Linux.
Until we get to the point where you can assign permissions to every single program for every single role you expect that program to fulfill, it's not going to ge