Forgot your password?
typodupeerror
Security Worms

The Current State of the Malware/AntiVirus Arms Race 139

Posted by Zonk
from the watch-out-for-weblife dept.
An anonymous reader writes "An article at Net Security explores how malware has developed self-defense techniques. This evolution is the result of the double-edged sword of the malware arms race. Anti-virus technology is ever more advanced, but as a result surviving viruses are increasingly sophisticated. What Net Security offers is a lengthy look at the current state of that arms race. 'There are many different kinds of malware self-defense techniques and these can be classified in a variety of ways. Some of these technologies are meant to bypass antivirus signature databases, while others are meant to hinder analysis of the malicious code. One malicious program may attempt to conceal itself in the system, while another will not waste valuable processor resources on this, choosing instead to search for and counter specific types of antivirus protection. These different tactics can be classified in different ways and put into various categories.'"
This discussion has been archived. No new comments can be posted.

The Current State of the Malware/AntiVirus Arms Race

Comments Filter:
  • by Coraon (1080675) on Tuesday July 03, 2007 @11:49AM (#19731489)
    it's the computers that suffer. Wont someone please think of the computers?!
    • Re: (Score:3, Funny)

      by Dimentox (678813)
      WARNING WORM DETECTED: By reading the parent you have been infected with the new slashdot worm. To remove it Please click here
      • by Dunbal (464142)
        maybe not the slashdot worm but I HAVE noticed that a small flash window appears over my username (under "Slashdot it is what IT is", top left) from time to time. Seems like I can't see my personal info without clicking this flash window unless I manually close it.
    • Re: (Score:1, Offtopic)

      by truthsearch (249536)
      I'm not sure which is funnier, your comment or the fact it was moderated insightful.
    • No, but the user sufferx when they have to upgrade the CPU and RAM just to handle the code bloated protection. Without it, their machine is 0wned.

      Pick your poison indeed!
  • by Rosco P. Coltrane (209368) on Tuesday July 03, 2007 @11:54AM (#19731549)
    not because virus writers are clever, but because A/V companies are always very careful not to make too successful products, otherwise they'd kill the golden goose.
    • by doti (966971) on Tuesday July 03, 2007 @12:01PM (#19731655) Homepage
      And how will they compete with Free software anti-virus?
      • Re: (Score:2, Insightful)

        F/OSS, itself, is the ultimate anti-virus.
        a) keeping the source code in plain sight,
        b) having a plethora of distributions similar enough that skills transfer, but sufficiently different that many kinds of attackes are harder,
        c) not treating the users and admins like a bunch of sheep, but instead requiring they learn a bit
        are three reasons you hear far less about virus attacks in the non-proprietary world.
        Someone will supply the counter-argument that lack of market penetration == lack of virus penetrati
      • ClamAV (Score:4, Interesting)

        by DrYak (748999) on Tuesday July 03, 2007 @07:02PM (#19737113) Homepage

        And how will they compete with Free software anti-virus?

        Actually, by cheating ;-)

        Funny little anecdote in the world of virus scanning (harmless although dishonnest).

        CalmAV [clamav.net] is such an open-source virus engine (with ClamWin [clamwin.net] as a Windows port).

        There have been several studies done about it (links on ClamAV's site) which reported that ClamAV, despite not being a non-commercial project, has among the fastest response time when new threats emerges.

        The studies also surprisingly uncovered a small cheating : some companies did small update that didn't bump up the signature release number, but that included the new virus detection. Normally such non-upped releases should be reserved for modification of the sig library that don't affect the number of detected viruses (like repacking the data more efficiently or whatever). But the companies nonetheless tried to slip in newer sigs, hoping that users would not notice it. When doing a retrospective study, unsuspecting users will read that virus XYZ is detected since Sig-file release A.B.C and they will see that Sig-file release A.B.C was released on YYYY-MM-DD HH:mm, thus will come to the conclusion that the virus was detected earlier than the concurrene. (Source [informationweek.com], paragraph A dirty little secret).

        But anecdote aside, ClamAV is a nice anti-virus engine, that has plugins (either bundled in or 3rd party) that enables on-the fly scanning of data at usual entry points (ClamAV is popular for mail filters in Unix. ClamWin has plugins for mail clients and FireFox's downloader [mozilla.org], etc.) and is a nice stuff to put in the "post-download script" of your usual peer-2-peer software. Please note that ClamWin still lacks a on-access scanning mode (although some 3rd party application like Winpooch [winpooch.free.fr] can start scanner before executing or reading files).
    • Its true! All the anti-virus companies got together and decided it. They sat around in suits smoking cigars and cackling. Yeah... Yeah... Thats it!
    • Oh please... (Score:5, Insightful)

      by Opportunist (166417) on Tuesday July 03, 2007 @12:11PM (#19731847)
      This conspiracy is about as old as the AV industry. At least you spared us this time the drivel about AV vendors first of all creating malware so they can sell their stuff.

      Basically it's impossible to write the perfect AV software. It simply does not work. The perfect AV software could, of course, exist: Simply disallowing ANY kind of user interaction and installation of additional products. Perfect computer. Useless, but perfectly safe.

      The problem is that malware does not use anything "special" that makes it easy to say "something that uses function X or accesses Y is malware". Doesn't work that way. What malware does it usually not much different from normal program activity. They access the windows registry, create keys there, they create and alter files (not necessarily system files, which would be "suspicious" behaviour to say the least), they plug into Internet Explorer, they open ports for incoming connections, they transfer data to and from the computer.

      It's not anything that is by defintion "bad". How'd you want to create the "perfect" AV product?
      • Re: Oh Please... (Score:2, Insightful)

        by a-zarkon! (1030790)

        It seems to me that the malware authors are putting at least if not more effort into research, development, and quality assurance than the major OS and AV vendors expend on improving their products. I wonder if that is a function of the malware authors being compensated more directly as a result of their efficiency? They don't appear to be trying to bundle a "malware suite" or get additional revenue from licensing and support.

        I wonder if AV vendors would be able to deliver a better product if they cut

        • I wonder if AV vendors would be able to deliver a better product if they cut overhead and simply focused on developing and maintaining a product that worked efficiently and effectively for a decent price. I know I would prefer an AV solution that just did anti-virus very well and didn't involve a hard-press sales call every other week to evaluate their "security suite."

          I've been using NOD32 on my windows machines for a while now and have been quite pleased with it... my machine has been squeaky clean since

        • by doti (966971)

          I wonder if AV vendors would be able to deliver a better product if they cut overhead and simply focused on developing and maintaining a product that worked efficiently and effectively for a decent price. I know I would prefer an AV solution that just did anti-virus very well and didn't involve a hard-press sales call every other week to evaluate their "security suite."

          You just described a Free anti-virus.
          Just substitute "vendors" for "developers/contributors", and "decent price" for "free".

      • by FJGreer (922348)
        Make some software that does your idea of Perfect AV (no user interaction) until the user an answer five questions about practical computer security correctly--every time they log in. If that doesn't have them getting wise in droves, I'll start giving the software away and charging to remove it (by answering 5 questions and hitting 'Uninstall').
        • Hear the uproar, and watch clueless people try to get rid of your system.

          You are aware that what you describe (i.e. keep functions from the owner of the PC until he complies with some rules you, the OS vendor, set) is pretty much what ruffles geek feathers about DRM and TCPA?
      • Re: (Score:3, Interesting)

        by Vitriol+Angst (458300)
        Wow.

        Thanks for the usual post about; "there aren't any conspiracies" -- now THAT is a pretty flimsy theory. People get together in groups to figure out how to profit from others, or do something that they don't want people to know about. Wow, that NEVER happens. What was I thinking?

        I think the almost PERFECT AV software can be made. You basically TRUST the applications and processes already running on a system. Any NEW process that enters the system, but be acting in a defined way and only allowed access to
        • by QuoteMstr (55051)
          How is an AV program supposed to distinguish an in-process Explorer COM extension from Explorer itself?
          • That's actually possible. What's way harder is to find out which of those page-altering plugins is benign and which one is hostile.
        • Re: (Score:3, Interesting)

          by Opportunist (166417)
          Know what? Sit down and write it. Yes, it's gonna put me out of work, and I'll probably have to do something sensible instead of prodding at malware all day, but that would be worth it. It's no fun to dig through disassembled trojans and learn every day a new flaw about Windows. And to make matters worse, I can't even talk about it.

          What you suggest first of all requires a sensible distinction between system and user space. Which doesn't exist in Windows, at least until Vista. Be aware that you're dealing wi
          • You are obviously well ahead of me on this -- especially when you talk about inserting code into memory spaces of running memory.

            What I am talking about is that the OS look at applications and trust certain types of "actions." The first time an application tries to write to disk or modify something, the OS asks the user. The re-entrant code doesn't get run to escalate these privileges until it has permission to modify running code.

            Anywho, there was a great application for OS9 called "GateKeeper" that did al
            • Ah, I see where you come from. You use an OS, not Windows. :)

              The core problem is that Windows, the system itself, relies heavily on the "shady" calls. IIRC the keyboard driver that gives you different keyboard layout actually uses keyboard hooking (something used in keyloggers) to do its magic. Yes, it's insane. But prolly was the fastest way to do it.

              The same applies to code injection. You'd be amazed just how many system programs use it.

              And did you know that a registry key exists that tells Windows to loa
      • How'd you want to create the "perfect" AV product?

        Well, for starters, let's limit the attack surface significantly by blocking all executable code that is not on the guestlist (think "whitelist" or "default deny"). We'll certify apps we want on our systems and block everything else. That's the only way we can effectively eliminate all of the grayware and stop today's typical new virus variant (which, although not technically a zero-day, is similar in nature to the sysadmins since the AV signatures have

        • by Talgrath (1061686)
          The problem is, what you describe isn't convenient for the consumer. Anti-Virus programs and Firewalls cause enough trouble with software installation as is, nevermind what you're suggesting. Don't get me wrong, what you're suggesting is GREAT for users who know what they are doing, but the vast majority of consumers are complete idiots when it comes to computers; I've worked tech support long enough to know that. Yeah sure, when I install a program, I simply disable my Anti-Virus program anyway, but how
      • by Bombula (670389) on Tuesday July 03, 2007 @03:30PM (#19734531)
        At what point is it simply not worth the effort to write a new virus?

        I assume it's getting more and more difficult to write viruses as time goes by - is that correct? If this is indeed an arms race, then one side or the other is going to run out of time and energy and money sooner or later, and I'm guessing it won't be the AV companies since there's so much at stake.

        • by Opportunist (166417) on Tuesday July 03, 2007 @08:39PM (#19738143)
          Actually, surprisingly it's getting easier. Think game development. With the advent of DirectX, you needn't know too much math anymore to get some cool looking 3D graphics on the screen. The same applies to malware. Back in the good ol' days of DOS, you had to know quite a bit about the inner workings of the system to get your virus in. You had to redirect software resets, trap a few interrupts, essentially you had to write a driver. Today, most of the malware that circulates could be written in VB. Some is.

          Obfuscation is also easier than ever, with a lot of runtime packers and scramblers existing. It's easy to repack a file in batch mode that ensures that no two samples an AV company could get are the same. Thus the simple "signature" approach someone suggested earlier won't find a thing anymore.

          It's also not getting trickier to hook into the system. Since there are still the majority of crates running with users having admin access, the same ol' tactics that worked 5 years ago still work. It's also not simple to track the use of "suspicious" calls, since Windows itself makes quite liberal use of functions that e.g. hook keyboard input or inject code into other processes.

          Writing malware is also no longer the pastime of bored adolescent geeks. It's business. We're talking organized crime cartels here and that a "virtual" bank robbery (by hijacking online banking sessions) is more profitable and less risky than the real counterpart is a given. When I see the figures, I sometimes wonder why I stay on this side of the fence...

          It still is an arms race, but with the AV companies in the defense. Constantly. An AV company can only react to a development, anticipation is pretty much impossible. There are far too many roads the next attack can come from that it's not feasible to develop in a certain direction without anything warranting it.

          A few years ago, malware authors started to obfuscate their code. AV companies reacted by developing ways to crack that obfuscation. Then malware attacked certain AV software directly, as mentioned in TFA. The software was adapted to thwart such attempts. Malware started to contain rootkit functionality to hide itself. AV tools started to come with their own file system drivers to read the HD directly instead of relying on system calls.

          You cannot anticipate that sensibly. What will be next? I don't know. I can only see trends and development in the malware that runs through my fingers. Which is a very tiny amount of the malware that gets written every day. It's a bit like trying to sieve a beach with a toy sieve. The big thing in malware today is (and has been for about a year or two) remote controlling, setting up servers somewhere and making the malware phone home. Yes, it's no longer IRC. It's a server in Belarus, Kazakhstan or Brazil (or some other country where the police has better things to do than being bothered by a server that doesn't really do any damage in their own country). So some malware packages started implementing tools that can monitor traffic and find "suspicious" traffic, just in case they can't find the corresponding malware. Possibly because the malware itself doesn't exist anymore, it was only an installer that manipulated some system file in such a way to send that info... and so on.

          The current thing is (aside of what's been here for ages) id theft. Your amazon or your ebay account, your online banking information, your credit card information, and of course your machine, as a place to spew malware from, as a spambot or simply as a relay to route traffic through to obfuscate the real destination. With broadband becoming the norm and computers running 24/7 to download .torrents, they turn into the ideal dead drop.

          There's much at stake. For both sides. I don't see a winner on either side too soon. Well, it's good for my job security, that's a given, but I didn't go into this venue just to make money (it's not THAT well paid). If I wanted that, I'd have learned ABAP.
    • "...because A/V companies are always very careful not to make too successful products, otherwise they'd kill the golden goose."

      While you may have something there, I tend to believe that anyone who is constantly aiming at a moving target is going to come up a little short. What is an O.S. but a moving target?

      IMHO the true golden goose is the consumer (or corporate buyer) who has been trained to believe that newer is synonymous with better... I believe this is the mindset that allows software vendors to pawn
    • Re: (Score:2, Troll)

      by freedom_india (780002)
      Actually i had a bad experience yesterday just a clean install of XP with all updates.
      I had installed Avast, Spyware blaster, XP firewall (enough as my prior experience with kerio led to a reinstall).
      I paused avast ondemand scanner to rip a DVD. XP prompted me and i just dismissed it.
      Then after 1 hour i forgot to resume avast, and connected to net.
      Somehow i got infected even though used opera.
      Avast full scan picked it, but could not completely wipe it.
      An update and a call later i was able to remove it.
      It wa
      • Re: (Score:3, Insightful)

        by kestasjk (933987)
        This XP install has been going for over a year and hasn't got malware yet, and I don't use any anti-virus or anti-spyware apps. If you don't download spyware, use some common sense, and run under a user account and not an admin you don't get malware.
        • by gardyloo (512791) on Tuesday July 03, 2007 @02:23PM (#19733655)
          This XP install has been going for over a year

              Geez, and I thought Gentoo was supposed to take a while.
        • Re: (Score:2, Insightful)

          by MajinBlayze (942250)
          This always makes me laugh:

          hasn't got malware yet

          followed by:

          I don't use any anti-virus or anti-spyware apps

          Honestly, I used to have the same view; Then one day I was having some hd problems, and started watching traffic. After restarting my computer, it wouldn't boot, as something had corrupted my MBR. After that, I learned not to trust so much, and ultimately got interested in Linux. If for nothing more than the fact that there are fewer viruses/malware for the platform.

          • by kestasjk (933987)
            Who's more trusting? The guy who takes scrupulous efforts to avoid installing malware or the guy who trusts his anti-malware products to stop them once they're already on your system? I can be confident I don't have malware because there's no real way for it to get on; no shareware or warez, only commercial products and reputable FOSS software.
            • by Don_dumb (927108)

              I can be confident I don't have malware because there's no real way for it to get on.
              Presumably your XP box is not connected to the internet then?

              There's confidence in knowledge and then there's complacency. Anti-virus/-spyware programs are not there as a defence *to* clean, they are there to serve as a 'confirmation' that you *are* clean. Except when used to vet incoming emails, remember the really bad ones come from people you know.
              • by kestasjk (933987)
                Your computer can't just "catch" a virus from being on the internet. Unless there's a remote exploit (that's exposed with the firewall on) the user has to actively run malicious code. If you just take some care and use some common sense you don't accidentally run malicious code.
        • by 228e2 (934443)
          Can I have your IP? I need a new daemon.
        • by StikyPad (445176)
          $20 says that if you install Avast you'll find at least 1 piece of malware you didn't know you had, and I'm not counting "tracking cookies" or crap like that. That's not to say the steps you use are ineffective or worthless -- they're certainly best practices -- but as someone else pointed out, a multilayered strategy is more effective.
    • No. They don't.

      This is just a tired old cannard. It's the same nonsense as "t3h AV companies write the VIRUSES!!1!".
      • Re: (Score:2, Interesting)

        Are you saying that every single one of the best AV software authors are too stupid to be able to write malware?

        Or are you suggesting that every single one of the best AV software authors are, by some supernatural intervention, of such outstanding moral and ethical calibre that they would never do such a thing?

        Or are you implying that every single one of the best AV software authors are so completely, single-mindedly, dry that they would never consider the academic exercise of writing extremely low-level "s
        • Re: (Score:1, Informative)

          by Anonymous Coward
          And I suppose that the Home Security System people are also the ones who rob people's houses, since they know who does and doesn't have an alarm installed, eh? All those people at ADT are just part of a big protection racket I tells ya...

          Lets face it, there's enough bad people in the world to blame crime on without resorting to conspiracy theories to explain it.
        • You are confusing "AV companies may write Viruses" (regardless of whether they release them)with "All viruses are written by AV companies"
    • Said another way;
      As long as you have Anti Virus companies that profit from virus protection -- you won't get rid of viruses. Just look at the bounty system for entrepreneurial people who submit new viruses to the major venders and you will see part of the problem. In this one case, I think it is right for Microsoft to build virus protection into the OS -- because then malware becomes a cost to their OS profit and a support headache. Unless there is an incentive for a CURE -- you won't get any.

      Same reason yo
  • Evolution? (Score:3, Funny)

    by truthsearch (249536) on Tuesday July 03, 2007 @11:56AM (#19731585) Homepage Journal
    Malware evolution? That's just theory and conjecture. If god had wanted our computers to be free of viruses he wouldn't have invented Microsoft.

    (There goes some karma.)
  • From TFA (Score:5, Informative)

    by Chris Tucker (302549) on Tuesday July 03, 2007 @11:57AM (#19731589) Homepage
    "This article will only examine malicious programs written for the Windows operating system (and its predecessor, DOS) due to the rarity and relatively small number of malicious programs for other platforms."

    OK, you had to go to the second page of TFA to see this, but at least they came right out and said that Windows is the primary and almost exclusive target of malware.

    Unlike almost every other article about viruses and malware in recent years.

    Mac OS X: Because it was easier to make UNIX user friendly than it was to fix Windows!
    • by Uthic (931553)
      Or at least it's partly because Windows has a larger user base. More targets justify the time to attack, after all. Interesting read though, this must be interesting work for, well I guess both malware and anti-malware app authors. :P Not liking the ads on the site though
    • Re: (Score:3, Insightful)

      by Opportunist (166417)
      Hey, there is rather little malware for Vista! For the same reason there is virtually none for Mac or Linux: It doesn't pay.

      Why is there very little "commercial" malware for Firefox? Firefox has quite a few security bugs and holes that can be exploited for phishing and identity theft, still, virtually all commercial malware relies on WinXP and IE. Why? Because of the numbers.

      Writing malware for IE means that you can infect about 3/4 if not more of possible targets, while malware for FF means you will reach
      • Re:From TFA (Score:4, Insightful)

        by kebes (861706) on Tuesday July 03, 2007 @12:42PM (#19732267) Journal
        Market share is certainly a factor, but I think it's a stretch to say that it's the only factor.

        Let's say some nefarious guys are trying to get their malware installed on everyone's computers. So they buy some exploit code that targets IE. They say "Great, this will infect 3/4 of the computers out there!"

        Now if these malware distributors are approached by some other guy who says "I can sell you exploit code that targets Firefox"... do you think the malware distributors will say "no thanks" or will they say "Great, that covers the other 1/4 of computers out there!" (Maybe they will pay less for that exploit, but they will surely use it if it's available.)

        Since Firefox's market share is not insignificant (10% to 25%?), there should be a market for such exploits. Similarly, there should be a market (perhaps smaller, but still a market) for the 4% Mac users. It appears that despite this, the targeting of Mac and Firefox is very much less than Windows/IE (more than can be accounted for by market share alone).

        I'm sure that part of it has to do with market share. However inherent security is also part of the equation. (And frankly I don't know why such a statement is so controversial on Slashdot... why should security be based on only one factor in the first place?)
        • Re:From TFA (Score:5, Informative)

          by Opportunist (166417) on Tuesday July 03, 2007 @01:54PM (#19733215)
          Security is by definition the minimum of the system's capabilities and the user's. When the system can't hold its water (or data), the user can be the best security guru in the world and it is insecure. Likewise, the system can be as tight as possible, with a clickmonkey at the helm it is hopeless (provided it's an all purpose machine that doesn't restrict the user's ability to cause havoc).

          Still, market share is a key factor when it comes to malware. Malware "kits" cost a wee bit of money, ranging from a few hundred to a few thousand USD, depending on sophistication and "additional services" (let's not get into too much detail, you get the idea). Basically, everyone develops for IE on a WinNT core machine. Why? Market.

          Yes, there would be a market for FF exploits. But it's smaller. Development costs are pretty much equal for FF and IE exploits, and you can not really develop a "generic" exploit that targets both, unless you target the OS underneath and not the browser itself (that happens too, but generally requires a lot more knowledge about the OS itself, and it is by far less flexible). Since the cost of spreading malware is roughly equal for whatever you want to land, and doing so is not really cheap, attackers usually try to maximize their efficiency by limiting themselves to the most popular OS/browser combination (provided they want to do ID theft attacks). At the very least, they will limit themselves to the most popular OS.

          The limiting factor here isn't that the "kit" itself would be costy. Yes, you might have a FF exploit kit available and you'd sell it for a fraction of the IE kit (but why should you, you could more easily develop an exploit kit for IE (there are effing templates for it in VC!) and cash in). But the spreading cost for either malware stays the same.

          Thus the usual exploit targets IE/WinXP. Should the market share of FF rise, I'd wager to about 35-40%, we'll probably see mass spam of FF targeted malware, due to people using FF feeling secure and are thus maybe less wary. It might happen. But generally, you'll never see masses of malware for non-mainstream targets (OS, browser, webserver...). The cost of spreading is the same, no matter what your target is. So why shoot at something but the biggest target?
          • Re: (Score:3, Insightful)

            by sid0 (1062444)
            Not to mention the fact that the average Firefox/Linux/OS X user is smarter than the average Windows n00b, and would never open an executable email attachment.
            • Also, in Linux, the attachment might not be marked as executable.
            • Pardon my ignorance, but what sort of mail client these days actually lets you do that?

              Most if not all mail servers scrub anything that remotely looks like an executable. If it somehow does get through, any remotely intelligent mail client won't let you open it without displaying a very obvious warning.

              Of course, there are some very fundamental security flaws in Windows that need to be addressed. I really don't buy the argument that there's not much malware for Linux/Mac/Firefox simply because of a small
              • The catch22 here is that Outlook works with the same options Windows Explorer does. If you don't see the extension in Outlook, you don't see it in Explorer either.

                Now, the standard behaviour with executable files (or maybe all files, I'm not certain) for Outlook is to save them, then allow you to launch them. And, well, if you didn't see it's an executable, you'll only see it as "invoice.pdf" in Explorer either. And it will have an Adobe Acrobat icon for sure, so...
            • Not to mention the fact that the average Firefox/Linux/OS X user is smarter than the average Windows n00b, and would never open an executable email attachment.

              That is only true while Firefox/Linux/OS X users are more geeks than commonfolk. As soon as Linux is "user-friendly" (read: easy-enough-to-migrate-from-Windows) and widespread enough that Aunt Millie is using it, you'll have plenty of "average Windows n00bs" using Linux and it will become a tastier target.

              • Actually, as long as MS keeps their policy of spewing their cra... OS with every newly sold machine, this will stay that way for a long, long time.

                Aunt Millie and Joe Average won't go hunting for an alternative system. They're happy that their stuff "works". And, well, if there's already something "working" installed, why bother opening a can of worms that might get you a "non working" machine?
      • Hey, there is rather little malware for Vista! For the same reason there is virtually none for Mac or Linux: It doesn't pay.
        It's the same reason you don't need to be the fastest swimmer to get away from a shark. As long as you aren't the slow one, you're set!
  • by Cr0w T. Trollbot (848674) on Tuesday July 03, 2007 @11:59AM (#19731621)
    My brief overview of the article leads me to believe that it's long on general malware theory, and short on the specifics of current malwear infection vectors as opposed to techniques. I believe that most of the readers of Slashdot are familiar with how a rootkit works. Far more valuable would be a breakdown of the most common infection vectors for rootkits right now. Is it TCP/IP stack overflows, Active-X controls, e-mail trojans, or old-fashioned human error?

    Fruthermore, "trends" in malware construction obscure the reality that certain software packages (Windows, IIS) are otrders of magnitude more vulnerable than others (OS X, Linux, Apache). The unstated elephant in the room is that 95-99% of malware attacks are due to Microsoft vulnerabilities.

    Crow T. Trollbot

    • Re: (Score:2, Informative)

      The unstated elephant in the room is that 95-99% of malware attacks are due to Microsoft vulnerabilities.
      Microsoft's dominance over the market makes it more enticing to malware writers, regardless of how many vulnerabilities it has. If damage is their desire, they want the most damage; if it is a zombie network, they want the biggest zombie network.
      If linux ever manages to overtake windows, it will become the primary target.
      • by FJGreer (922348)

        If linux ever manages to overtake windows, it will become the primary target.

        A much harder to hit target. Honestly, while I can think of scores of ways to attack a system through running services (SQL injection, the occasion buffer problem, etc) I can't think of a single way a worm or virus could work effectively. The one proof-of-concept Linux worm I have seen (can't remember a reference) could only infect a regular account that ran a certain version of Firefox. One might lose data, yes, but it would a be a trivial fix. (mount -o ro /home, judicious file removal) You could wri

    • From my point of view, at least. Most malware today comes along as "invoice.pdf.exe" attachment to mails that allegedly come from "lawyer" (no, no name. "lawyer"). And similar rubbish.

      The lastest big thing are hijacked server pages that serve you malformed frames for infection, but even that still needs a bit of user interaction to become really "useful".

      Essentially, what it comes down to is the user. There is of course the bimonthly exploit in some MS package, usually with surprisingly little impact in the
  • by Anonymous Coward
    There doesnt seem to be any mention of whitelisting in the arms race between malware and desktop management systems in this article. Companies like Trinamo are championing the approach of designating only a handful of applications as being "approved" for execution, denying viruses, trojans, malware, and other junk like toolbars a chance to run before they can do any harm. They have a bunch of free information on the subject online. http://www.trinamo-solutions.com/downloads/downloa d.html [trinamo-solutions.com]
    This story is all
    • This reminds me of the first anti-virus software (and of course, I can't find a reference on the web...). Apparently, the software simply took a "snapshot" of the system and if anything changed, reverted it back.

      This is a great way of doing things for corporate systems. Lock the system down so tight that no software not approved can modify any system files (or even, make it so that no software can modify system files...).

      For home systems it is slightly more complicated 'cause there isn't a central IT team.
      • Re: (Score:3, Insightful)

        by Control Group (105494) *
        Your idea boils down to making the computer no longer a general-purpose device. This, obviously, defeats the purpose of having a computer in the first place.

        An awful lot of modern malware doesn't comprise "viruses" in the classical sense, it comprises trojans. The only way to absolutely prevent a trojan from running is by preventing the user from running arbitrary software. This may fly in a corporate environment, but never for home use.

        Basically, it comes down to either being vulnerable to malware, or not
        • Actually, not quite...

          For a corporate environment, yes prevent the user from running any software that isn't installed (which does prevent it being a "general-purpose device", but only to the extent that you can't run everything).

          For the home user, set up the system so that the system files (and all the applications) are installed in a place where ordinary users can't change them. Then you force them (ordinary users) to run any other software that they want, in a sandbox.

          Of course, you don't do away with ad
          • "For a corporate environment, yes prevent the user from running any software that isn't installed"

            You mean Microsoft Office cannot be used on a corporate environment, do you? I knew about malware exploiting due to Microsoft Office usage, so you either don't use Microsoft Office or you are exposed to malware.
          • Absolutely rediculous:

            Actually, not quite... For a corporate environment, yes prevent the user from running any software that isn't installed (which does prevent it being a "general-purpose device", but only to the extent that you can't run everything). For the home user, set up the system so that the system files (and all the applications) are installed in a place where ordinary users can't change them. Then you force them (ordinary users) to run any other software that they want, in a sandbox. Of cours

        • "Basically, it comes down to either being vulnerable to malware, or not letting the computer do what the user tells it to."

          Basically, I've using my computer in whatever way I saw fit, with no antivirus, for more than six years with no direct malware sufferings. On a side note, that's exactly the same time span that I didn't use any Microsoft product.

          Somehow, it seems it's possible.
    • Re: (Score:3, Funny)

      by Brad1138 (590148) *
      Maybe Microsoft could have a pop up for every process that tries to run, then YOU would have controll. Ya, that sound likes a great idea.
  • What's funny is that virus writers fight with each other [whitedust.net] too.
  • A few days ago I was infected with PurityScan, several droppers, and a trojan or three.

    I have no idea how they got there, but all I saw was a command prompt window pop up for a half a second and then I started getting IE popups (I used Firefox).

    A virus scan/adaware/spybot would remove them, but they'd reappear on the next reboot.

    A safemode scan of those would remove them, but they'd reappear on the next reboot.

    As a result I formatted my Windows drive and reinstalled.

    There's no telling how many root kits wer
    • Or you can *drumroll* stop running Windows from an account with Administrator privileges.
      • by Renraku (518261)
        Running in an admin mode is only dangerous for this reason. Most exploits can find admin mode anyway, if you're in it or not.
      • by Vexorian (959249)

        I guess/hope vista fixed this. But I actually found a USB virus that runs automatically thanks to one of XP's 'features' (even if you got autorun disabled...) Then it copies itself to certain location I won't ellaborate about since I don't want more deadly viruses spread, it causes itself to be executed with admin rights the next boot (awesome isn't it?)

        Once you try to clean it, it becomes a biotch , if it detects the string ".exe" in any title bar, it will send the OS a reboot command, this kind of makes

    • Hopefully, in a corporate setting, having machine group policies to prevent execution from a USB driver, even better, restrict execution to designated drives and directories would stop this infection from spreading.
  • I thought these problems ended years ago when the year of the linux desktop came and everyone stopped using windows... You mean there are still poor souls out there that don't use linux or mac?

    Sam
  • by Anonymous Coward
    FTA

    | ...The earliest signature-based detection methods focused on searching for exact byte sequences... Later heuristic detection methods also used file code. ... |

    result evil hacker just wrote

    |...polymorphic code is a highly time-consuming task ...|

    minor really point, better tools are out now with complete tools and associated databases (see mesasploit and ruby)

    Actually until Microsoft (since they own 90% of the computer OS's out there) gets rid of the "Hide everything from the User" the status quo
  • ..people who decide to not run them. Whenever someone emails you a virus, or offers you a virus on their webpage, if you decide to not save it, chmod +x it, and run it (whether as root pr your usual level of access), then for some geeky technical reason I don't understand, its defense code fails to activate.
  • I challenge cybercriminals and conceptualists to reconsider their intentions and motives behind publishing a PoC that will only add fuel to the fire.

    In other words, security by obscurity is still best. Well, I still believe that exposing the flaws is the best way to protect ourselves. Too many programs "phone home" and contain other spyware as it is. Proof of concept also helps to protect us from that.
  • Here is Fred Cohen's take on the general subject:

    http://all.net/resume/bio.html [all.net]

    http://all.net/journal/newsletter/index.html [all.net]

    http://all.net/Analyst/index.html [all.net]

    Ref.

    http://all.net/ [all.net]

    Paper:
    An Undetectable Computer Virus

    http://www.research.ibm.com/antivirus/SciPapers/VB 2000DC.htm [ibm.com]

    Could this be the end of the Mac - PC flamewar?

    Logic:

    "... we can't stop here, this is bat country."

    Fear and Loathing in Las Vegas, A Savage Journey to the Heart of the American Dream
    Hunter S. Thompson
  • Please, there oughtta be a law that multi-page articles with text squeezed between massive, obnoxious graphics, have a PRINT FRIENDLY LINK!! ARGH!
  • by rickb928 (945187) on Tuesday July 03, 2007 @02:35PM (#19733811) Homepage Journal
    ...extends beyond poor performance, spam, cost of software, etc.

    We got hit here with a collateral listing of one of our tools as 'spyware'.. It shut down our software across the U.S.

    We used a toolkit from a vendor to encrypt and compress files for transmission and for patch distribution. It was slick, lightweight, and sufficiently secure. it was also a commercial product, and was sold to another publisher who used it in their software.

    One of their packages is an IM logging and monitoring tool. Good for AOL IM, and others. You have to either download it as shareware, or buy it outright, and then you have to install it, with the usual requirement that you actually have access to the PC. It's not and has never been distributed as 'spyware' in the sense of an unexpected or unsolicited install, nor was it ever distributed from a website or as part of another package - unless you repackaged it yourself. The biggest users were corporate IT departments monitoring IMs for compliance, and parents/spouses/etc snooping on others.

    Not what I think of as 'spyware'. But someone else thought differently.

    The IM logger got reported to either Trend Micro or McAfee as 'spyware' more than a year ago. Sporadic reports continued, until the latest (?) release came out and got popular. Then the flood of reports ensued. And when I say 'flood', I mean 'dozens'. I suspect some HijackThis logs started showing it, and after a few more reports, it was assumed by someone that this application was part of other kits. Listing the application by one anti- company leads to everyone else listing it. No one wants to be left behind, and none of the 'security' companies wants to be the one that lets bad stuff in, just because they actually evaluated the listing. No, it got listed by everyone.

    And the controls along with it. Including the one we used for everyday, legitimate encryption and compression.

    Our customers started reporting failed installs and reinstallations. One reported they got a virus alert. We looked things over. Why now? We hadn't changed anything substantial in years.

    Then, on a whim, I Googled for it. BAM! Our control was listed as malware. WHA?

    We figured it out an an hour. I asked around some of the contacts I knew at Symantec, etc. Their advice was simple - give up. Go get a new tool, recode, and move on. Surrender. Even though the module we used was by itself harmless, it was guilty by association. So we did. So far as I know, the company that produced these tools & modules is struggling with this. After all, their code signatures are now officially 'malware'. Kinda like banning drills 'cause someone drilled a hole in their finger by accident. Pretty soon, nothing gets drilled. Not a good state of affairs for the drillmakers.

    And not a good state of affairs for drill users, either.

    That IM logger that started all this? It was commercial software, and other than being highly annoying for kids who value hiding their IMS from snooping parents ("Hey, who's paying the Internet bill around here?"), or spouses caught on dating sites, the businesses forced by law to treat IMs as if they were business correspondence found this to be a good tool. Not so good any more. About the only way to use this is to keep writing exceptions to your anti- software. If you can. And keep re-writing these exceptions every damned update. Maybe more than twice a day.

    It looks like this application is dead. Kinda sad.

    We survived, though some of our customers did get concerned. In our business, being labelled as 'spyware' could cause massive problems, beyond the usual. It could be front-page of the fishwrap stuff.

    In the midst of the virus/spyware/malware/anti- battle, this is one small story of how unintended consequences have real costs. We had to scurry to buy new stuff, re-code, and distribute. Our original tool vendor has had to give up on a good product, through no fault of their own. The application vendor that 'st
    • by StikyPad (445176)
      Sorry, but if my girlfriend/roommate/kids are trying to install key logging software on my computer then I want to know about it. You may have had the best intentions in the world when you wrote the software, but any tool can be used with bad intentions. I would find my AV software remiss if it didn't report a known key logger.
  • Cleaning out a virus/trojan problem has become close to impossible for the average person. Most people and even actual computer service shops just format and re-install.

    I have only moderate PC service skills and this weekend my family's computer popped up a AVG warning that a Trojan was detected. This is not my computer but it shares my net connection via wireless. When I saw that detection warning I pulled the plug on it's net connection and then investigated. My brother had been downloading wma to mp4 con
  • When I RTFAH (where H = headline), an image comes to mind of a diverse bunch of penguins standing together in the primordial swamp of the prehistoric world, watching on with a mixture of fascination and pity as the once all-powerful dinosaurs drop one by one ... bought to their knees by ever more sophisticated microbes, bacteria and viruses.

    Yes junior, its horrible to watch, but the world is going to be a much safer place without them ...

Real computer scientists don't comment their code. The identifiers are so long they can't afford the disk space.

Working...