When Malware Attacks Malware
PetManimal writes "Researchers say that the Storm Trojan/Peacomm worm has been tweaked to spread via IM programs and attack rival malware. Symantec sounded the alarm, and says that the exploit launches in AOL, Google Talk, and Yahoo Messenger windows that are already open, making it appear to be a legitimate message from a known user. The worm has modified the code from last year's Nuwar worm, and when activated, enables a DDoS attack against any site, including antispam services and servers supporting rival malware: 'Systems hijacked by Peacomm have also conducted DDoS attacks against at least five domains used by the creators of the noted Warezov (or Stration) worm. After a busy September and October, Warezov was credited by some analysts as the genesis of 2006's massive fourth-quarter spike in spam volume.'"
Stronger malware (Score:5, Insightful)
Re:Easy to kill (Score:4, Insightful)
Re:Stronger malware (Score:1, Insightful)
good point, even if it wasn't your intention.
Re:Ultimate Vulnerability! (Score:3, Insightful)
Regardless of the operating system or the applications which run upon it, the ultimate weakness at the end of the day lies with the end user. You can only secure a system to a certain point before the user begins losing functionality; until the end user becomes more educated... well, expect to see evolution in malware.
Your comment is factually correct, but also very misleading. Users are the hardest element to harden in the chain of security, but right now they are by no means the weakest link. The OS development community and security research community could easily eliminate 90% of all malware and reduce the amount of education needed for a user to safely use a computer to a tiny fraction of what they need to know now, if Windows would be modified in order to be secure and deal with the realities of the malware ecosystem.
Right now, even in vista, the granularity of security is piss poor. You have three levels: 1) don't run software, 2) run software, and 3) run software and enter your password. This is wholly insufficient. Further, the UI used to present these levels is abysmal. I don't mean bad I mean abysmal. Whether MS hires the worst UI people in the world or whether they hire good people and their decisions are overridden by marketing and management, the end result is horrible from a UI/security perspective.
If I were running the show at MS and had a shred of human decency and respect for innovation in the industry, this is what I would create. First, applications, both included and third party, now have a new format that is contained within a single directory, including temp space for writing files and what is now a DLL. It would optionally include an ACL, one or more certificates for verification of the origin and binary, and a location for updates. Based upon the certificate, users would be given the option to subscribe to verification services that provide a trust level for a given application, and MS would provide the same. The trust level for an application would be determined by the consensus of verifications applied and the weight given them by the user, and by whether it is pre-installed, downloaded, or loaded from CD or DVD. Based upon that trust level, the application would be restricted by a mandatory access control framework to obey the ACL that shipped with the program combined with the ACL for that trust level (with the default being to restrict the application more stringently). If any application wanted to exceed that ACL, the user would be presented with a very strongly worded warning, explaining exactly what it wanted and presented via a good UI with no OK/Cancel crap.
This means if a user downloads some program via IM or the Web and if they run it the OS will look at the included ACL and cert and see what permission it wants and who will certify it as trustworthy, if anyone. Then, if it tries to exceed its authority, the OS will present a warning such as, "The program 'Storm' is not verified as trustworthy and would like to connect to the internet on a port normally used for sending instant messages. (Stop it from sending messages)(let it send messages once)(always let it send messages)(advanced options)."
If the user lets it send IM messages it can spread, but do nothing else. They also have to explicitly let it connect on other ports and access other resources if it is to be useful to a spammer or DoS user. Since almost all software on most machines is pre-installed and since most other software will be verified by at least one other party, these messages will be exceptionally rare and thus stand out as important and weird to users. Even if the attacker uses a buffer overflow to take over a thread, their malware will still be limited by the ACL for that originating application, so if they want to send spam they better find a buffer overflow in your e-mail client specifically.
When such a system is implemented the required user education will be at a manageable level, an hour-long class instead of a master's degree in computer technology. Then, if a user stil
Re:OS? (Score:3, Insightful)
The real problem is security models that assume very few levels of security. Either you install it and it can hose your machine and kill babies, or you don't run it and don't know if it was malware or not. That's just crazy. Back in the day MS Word used to pop up a dialogue box and say something along the lines of "this .doc file contains macros that may be viruses (ok)(cancel)." I knew a manager who offered $1000 to anyone who could add a button that said "open the file but don't let it infect my computer with anything." The problem, aside from the terrible UI, was that the control was not granular enough. Sometimes people want to run software or open a file, but don't want to trust it with their computer security for all time. Software should run in a sandbox by default. The inconvenience of having to explicitly allow my new e-mail program to send e-mail, once, is worth it if I know no other software I download will ever send any e-mail or access my address book until I explicitly permit it. Some executable that shows up in my e-mail or over IM should never, ever, be granted that permission by default. Until MS gets their head out of their butt and realizes that, we'll suffer from this crap.
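The two comments above (the per-application trust-level/ACL proposal in the "Ultimate Vulnerability" reply and the sandbox-by-default argument in the "OS?" reply) describe the same policy model: an application ships a manifest of what it wants, its trust level is a weighted consensus of verification services plus how it arrived on the machine, and the effective ACL is the intersection of the shipped ACL with the trust level's baseline, so anything beyond that triggers a prompt instead of silently running. The following is an added toy model of that scheme written for this page; it is not code from either commenter, from Slashdot, or from any real operating system. Every name in it (`Manifest`, `Trust`, `trust_level`, `effective_acl`, `decide`, the permission strings, the verification services and the three sample programs) is invented for the illustration.

```python
"""Toy model of a per-application trust level + ACL policy (added example).

Constructed for illustration only: the permission vocabulary, trust tiers,
verification services and sample manifests are all made up for this block.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional, Set, Tuple


class Source(Enum):
    PREINSTALLED = "pre-installed"
    OPTICAL = "CD/DVD"
    DOWNLOADED = "downloaded"        # web, IM, e-mail attachment


class Trust(Enum):
    UNTRUSTED = 0
    LOW = 1
    HIGH = 2


# Constructed baseline: what each trust level may do without asking the user.
# UNTRUSTED gets nothing beyond its own directory, i.e. the default sandbox.
TRUST_LEVEL_ACL: Dict[Trust, FrozenSet[str]] = {
    Trust.UNTRUSTED: frozenset(),
    Trust.LOW: frozenset({"net:http"}),
    Trust.HIGH: frozenset({"net:http", "net:smtp", "net:im", "fs:documents", "addressbook"}),
}

# Constructed plain-language descriptions used in the warning dialog.
ACTION_TEXT = {
    "net:im": "connect to the internet on a port normally used for sending instant messages",
    "net:smtp": "connect to the internet on a port normally used for sending e-mail",
    "net:http": "connect to the web",
    "addressbook": "read your address book",
    "fs:documents": "read and write your documents folder",
}


@dataclass(frozen=True)
class Manifest:
    name: str
    requested: FrozenSet[str]        # the ACL shipped with the program
    signer: Optional[str]            # certificate subject, None if unsigned
    source: Source


def trust_level(m: Manifest, verifications: Dict[str, Set[str]],
                weights: Dict[str, float]) -> Trust:
    """Weighted consensus: each service the user subscribes to contributes its
    weight if it vouches for the signer; pre-installed software gets a bonus."""
    if m.signer is None:
        return Trust.UNTRUSTED
    score = sum(w for svc, w in weights.items() if m.signer in verifications.get(svc, set()))
    if m.source is Source.PREINSTALLED:
        score += 1.0
    if score >= 2.0:
        return Trust.HIGH
    if score >= 1.0:
        return Trust.LOW
    return Trust.UNTRUSTED


def effective_acl(m: Manifest, level: Trust) -> FrozenSet[str]:
    """Intersection of the shipped ACL and the trust-level ACL: the more
    restrictive of the two always wins."""
    return m.requested & TRUST_LEVEL_ACL[level]


def warning_text(m: Manifest, level: Trust, action: str) -> str:
    verdict = ("is not verified as trustworthy" if level is Trust.UNTRUSTED
               else f"has {level.name.lower()} trust")
    return (f"The program '{m.name}' {verdict} and would like to "
            f"{ACTION_TEXT.get(action, action)}. "
            "(Stop it)(Allow once)(Always allow)(Advanced options)")


def decide(m: Manifest, level: Trust, action: str,
           grants: Set[Tuple[str, str]]) -> str:
    """'allow' if the action is inside the effective ACL or the user has chosen
    'always allow' for this program+action; otherwise 'prompt'.  The decision is
    keyed on the originating program's manifest, so code injected into a running
    process (e.g. via a memory-corruption bug) is still bound by that program's ACL."""
    if action in effective_acl(m, level) or (m.name, action) in grants:
        return "allow"
    return "prompt"


# Constructed verification data and sample manifests.
VERIFICATIONS: Dict[str, Set[str]] = {
    "vendor_list": {"Example Vendor"},
    "community": {"Example Vendor", "Foo Labs"},
}
WEIGHTS: Dict[str, float] = {"vendor_list": 1.0, "community": 1.0}

STORM = Manifest("Storm", frozenset({"net:im", "net:smtp", "net:http"}), None, Source.DOWNLOADED)
MAIL_CLIENT = Manifest("MailClient", frozenset({"net:smtp", "addressbook", "net:http"}),
                       "Example Vendor", Source.PREINSTALLED)
CHATTY = Manifest("Chatty", frozenset({"net:im", "net:http"}), "Foo Labs", Source.DOWNLOADED)

if __name__ == "__main__":
    grants: Set[Tuple[str, str]] = set()
    for app in (STORM, MAIL_CLIENT, CHATTY):
        lvl = trust_level(app, VERIFICATIONS, WEIGHTS)
        for act in sorted(app.requested):
            d = decide(app, lvl, act, grants)
            print(f"{app.name:10} {lvl.name:9} {act:12} -> {d}")
            if d == "prompt":
                print("   " + warning_text(app, lvl, act))
```

Run as a script it walks the three constructed programs through their requested permissions: the unsigned download gets the sandbox and a prompt for every network action, the verified pre-installed mail client sends mail without a dialog, and the partially vouched-for chat program can reach the web but must be explicitly granted IM before it can send a single message. The point the comments make falls out of `effective_acl`: because the shipped ACL is intersected with the trust tier rather than unioned, a program can never talk its way into more than the weaker of the two.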
Two wrongs make a right? / Swordfish (Score:3, Insightful)
But then again, perhaps 2 wrongs don't make a right...
Re:It begins (Score:4, Insightful)
However, there's a rather glaring flaw in the analogy, and it's this: in the biological world, the various bacteria that live in or on us do not have purpose. They are simply life forms, doing the things that life forms do (which is eat, shit, and make babies) in an environment that suits them. If they end up overrunning that environment and making us sick, it's not because they wanted to make us sick. If our bodies happen to be the perfect environment for them, and they happen to eat things in a way that is beneficial to us, it's not because they decided to help us out. They are just being bacteria. Symbiosis and infection are merely products of parallel evolution and happy coincidence.
In contrast, malware is written by people, and people do have motives for the things they do. Bacteria don't do this; they just do their thing with the eating and the shitting and the baby-making, and any macroscopic results are not due to the decisions of the bacteria.
Malware is written with purpose. That purpose could be to show the user ads, or participate in a botnet, or collect spammable email addresses, or whatever. But saying that anti-virus programs will ignore the "harmless" malware overlooks the fact that there is no harmless malware. There doesn't exist any malware that's going to go to the trouble of infecting your machine and propagating, and then not do anything. No one would program one. That means that all malware is either black hat (adware, botnet, spyware, etc.) or white hat (attacks other malware). Even if it's not using CPU resources, it is doing some other damage, such as annoying the user or enabling spam (in the case of black hat) or violating the freedom of a user to choose what software they have installed on their machine (in the case of white hat). Either way, all malware should be cleaned by anti-malware programs. In the world of software programmed by people, there's no such thing as harmless piggybacking.
****
Note: I am aware of the parallels of my argument with Intelligent Design. It was not my intent to start a flamewar.