Security Worms

The Current State of the Malware/AntiVirus Arms Race

An anonymous reader writes "An article at Net Security explores how malware has developed self-defense techniques. This evolution is the result of the double-edged sword of the malware arms race. Anti-virus technology is ever more advanced, but as a result surviving viruses are increasingly sophisticated. What Net Security offers is a lengthy look at the current state of that arms race. 'There are many different kinds of malware self-defense techniques and these can be classified in a variety of ways. Some of these technologies are meant to bypass antivirus signature databases, while others are meant to hinder analysis of the malicious code. One malicious program may attempt to conceal itself in the system, while another will not waste valuable processor resources on this, choosing instead to search for and counter specific types of antivirus protection. These different tactics can be classified in different ways and put into various categories.'"
  • by Cr0w T. Trollbot ( 848674 ) on Tuesday July 03, 2007 @11:59AM (#19731621)
    My brief overview of the article leads me to believe that it's long on general malware theory, and short on the specifics of current malware infection vectors as opposed to techniques. I believe that most of the readers of Slashdot are familiar with how a rootkit works. Far more valuable would be a breakdown of the most common infection vectors for rootkits right now. Is it TCP/IP stack overflows, Active-X controls, e-mail trojans, or old-fashioned human error?

    Furthermore, "trends" in malware construction obscure the reality that certain software packages (Windows, IIS) are orders of magnitude more vulnerable than others (OS X, Linux, Apache). The unstated elephant in the room is that 95-99% of malware attacks are due to Microsoft vulnerabilities.

    Crow T. Trollbot

  • by cromar ( 1103585 ) on Tuesday July 03, 2007 @12:14PM (#19731873)
    What's funny is that virus writers fight with each other [whitedust.net] too.
  • by HomelessInLaJolla ( 1026842 ) <sab93badger@yahoo.com> on Tuesday July 03, 2007 @01:46PM (#19733115) Homepage Journal
    Are you saying that every single one of the best AV software authors are too stupid to be able to write malware?

    Or are you suggesting that every single one of the best AV software authors are, by some supernatural intervention, of such outstanding moral and ethical calibre that they would never do such a thing?

    Or are you implying that every single one of the best AV software authors are so completely, single-mindedly, dry that they would never consider the academic exercise of writing extremely low-level "system administration software"?

    Or are you trying to spread the idea that every single one of the best AV software authors are such mindless automatons that they would never brainstorm about new and novel malware methods in their course of duties?

    And, if you're going to be rational enough to point out that "every single one of" is a little bit extreme, just what percentage of the global group of AV software authors do you suppose falls into the above categories? Of those, how many of them have family members, friends, social colleagues, or professional associates who have access to their ideas and experimental code and, of those family members, friends, social colleagues, or professional associates, what percentage of them meet the criteria of saintly moral and ethical fibre?

    I think it's obvious that you're very wrong to dismiss the idea that a good portion of 0-day exploits and malware comes from inside the professional sector as "conspiracy theory" or "canard".
  • by rickb928 ( 945187 ) on Tuesday July 03, 2007 @02:35PM (#19733811) Homepage Journal
    ...extends beyond poor performance, spam, cost of software, etc.

    We got hit here with a collateral listing of one of our tools as 'spyware'. It shut down our software across the U.S.

    We used a toolkit from a vendor to encrypt and compress files for transmission and for patch distribution. It was slick, lightweight, and sufficiently secure. It was also a commercial product, and was sold to another publisher who used it in their software.

    One of their packages is an IM logging and monitoring tool. Good for AOL IM, and others. You have to either download it as shareware, or buy it outright, and then you have to install it, with the usual requirement that you actually have access to the PC. It's not and has never been distributed as 'spyware' in the sense of an unexpected or unsolicited install, nor was it ever distributed from a website or as part of another package - unless you repackaged it yourself. The biggest users were corporate IT departments monitoring IMs for compliance, and parents/spouses/etc snooping on others.

    Not what I think of as 'spyware'. But someone else thought differently.

    The IM logger got reported to either Trend Micro or McAfee as 'spyware' more than a year ago. Sporadic reports continued, until the latest (?) release came out and got popular. Then the flood of reports ensued. And when I say 'flood', I mean 'dozens'. I suspect some HijackThis logs started showing it, and after a few more reports, it was assumed by someone that this application was part of other kits. Listing the application by one anti- company leads to everyone else listing it. No one wants to be left behind, and none of the 'security' companies wants to be the one that lets bad stuff in, just because they actually evaluated the listing. No, it got listed by everyone.

    And the controls along with it. Including the one we used for everyday, legitimate encryption and compression.

    Our customers started reporting failed installs and reinstallations. One reported they got a virus alert. We looked things over. Why now? We hadn't changed anything substantial in years.

    Then, on a whim, I Googled for it. BAM! Our control was listed as malware. WHA?

    We figured it out in an hour. I asked around some of the contacts I knew at Symantec, etc. Their advice was simple - give up. Go get a new tool, recode, and move on. Surrender. Even though the module we used was by itself harmless, it was guilty by association. So we did. So far as I know, the company that produced these tools & modules is struggling with this. After all, their code signatures are now officially 'malware'. Kinda like banning drills 'cause someone drilled a hole in their finger by accident. Pretty soon, nothing gets drilled. Not a good state of affairs for the drillmakers.

    And not a good state of affairs for drill users, either.

    That IM logger that started all this? It was commercial software, and other than being highly annoying for kids who value hiding their IMs from snooping parents ("Hey, who's paying the Internet bill around here?"), or spouses caught on dating sites, the businesses forced by law to treat IMs as if they were business correspondence found this to be a good tool. Not so good any more. About the only way to use this is to keep writing exceptions to your anti- software. If you can. And keep re-writing these exceptions every damned update. Maybe more than twice a day.

    It looks like this application is dead. Kinda sad.

    We survived, though some of our customers did get concerned. In our business, being labelled as 'spyware' could cause massive problems, beyond the usual. It could be front-page of the fishwrap stuff.

    In the midst of the virus/spyware/malware/anti- battle, this is one small story of how unintended consequences have real costs. We had to scurry to buy new stuff, re-code, and distribute. Our original tool vendor has had to give up on a good product, through no fault of their own. The application vendor that 'st
  • Re:Oh please... (Score:3, Interesting)

    by Vitriol+Angst ( 458300 ) on Tuesday July 03, 2007 @02:52PM (#19734027)
    Wow.

    Thanks for the usual post about "there aren't any conspiracies" -- now THAT is a pretty flimsy theory. People get together in groups to figure out how to profit from others, or do something that they don't want people to know about. Wow, that NEVER happens. What was I thinking?

    I think the almost PERFECT AV software can be made. You basically TRUST the applications and processes already running on a system. Any NEW process that enters the system must be acting in a defined way and only allowed access to what it has permissions for.

    So you need tokens, permissions, and an AV software that looks at what viruses DO -- rather than this mickey-mouse "signature" technique, that I'm sure has done a great job in creating a market for moving a few "1's" and "0's" around to roll out the next virus.

    On the Mac, you not only have to use an Admin password to install a new application -- even running as an Admin, you have to "approve" the application opening a file the first time. The only weakness in this system is that it goes by name -- and a virus could be called "Photoshop." But with all of the reasonable actions set up on the Mac, and the fact that there is no ECONOMY for viruses -- there are few viruses.

    There could be a lot more done, to protect an OS -- other than hope that every exploit like a buffer overrun on whatever the next function added to an application will be.

    As long as devices communicate -- there is an opportunity for viruses -- just like in our own immune systems. But with computers, there is an opportunity to do a better job of "white listing" SAFE sources, and letting things run for a bit in a sand box, and only allow them to do certain things. It's that last bit that, even permissions don't effectively address. Should all applications be able to write ANYWHERE that the permissions allow? Perhaps not. Perhaps the permissions of WHAT an application can DO are more important than setting that on directories and files.

    But the "perfect AV product" isn't the issue -- there isn't even a serious attempt to get rid of Malware in the first place. A product that could do that would kill the market.
  • by sherriw ( 794536 ) on Tuesday July 03, 2007 @02:52PM (#19734031)
    Cleaning out a virus/trojan problem has become close to impossible for the average person. Most people and even actual computer service shops just format and re-install.

    I have only moderate PC service skills and this weekend my family's computer popped up an AVG warning that a Trojan was detected. This is not my computer but it shares my net connection via wireless. When I saw that detection warning I pulled the plug on its net connection and then investigated. My brother had been downloading wma to mp4 converters. And bingo! On top of that, no one was keeping the AVG up to date or doing regular scans. Apparently everyone assumes I'll clean up their messes for them. Pisses me off.

    So, guess how hard it is to clean out a Trojan these days? Guess what, your anti-virus is useless! It may detect the virus, and clean it, but it re-installs itself.

    Get ready for a loooooong process involving:

    -Disable system restore and remove all restore points.
    -Reboot in safe mode, run anti-virus /spyware scan.
    -Use Autoruns or any other startup/running processes program.
    -Write down what is being run on startup and what is currently running.
    -Hop on Google to find out which of those are legitimate processes.
    -Remove the bad-uns.
    -Look for a cleaner program for your specific Trojan/Virus. Careful to get it from a reputable site.
    -Run the special cleaner program in safe mode and regular mode.
    -Grab output from HijackThis and use google to research any suspicious entries.
    -Do all this without connecting the infected computer to the net. (PAIN!!!)
    -Profit!!!! (I couldn't resist saying that)

    So, then you cross your fingers for a few weeks waiting to see if your AV pops up another warning. All the while doing manual updates of your anti virus. Keep it in quarantine a while longer. Then, cautiously re-connect to the web and HOPE it's clean. Then YELL at your family to stop downloading crap, and make a "nice" desktop wallpaper in msPaint to drive home the rules.

    *sigh* it's a huge pain, especially for people like me that need to research every process because they don't know what's legit or not. Not to mention that my sister does her online banking on that computer, and I've had to tell her to go change her passwords, get a new CC number, and inform her bank to put a watch on her account for any suspicious activity.

    I really wish these virus writers would fry.

    No wonder people just format and re-install.
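The most laborious steps in the cleanup list above are writing down every autorun entry and researching which ones are legitimate. The script below is an added example, not part of the comment or of any Autoruns tooling: it takes a CSV in the shape of an Autoruns export (the column set is trimmed and the rows are constructed for the example), compares each enabled entry against a baseline recorded from a known-clean machine (also constructed), and attaches the reasons a practitioner would want to research an entry first: it is not in the baseline, it launches from a user-writable directory, it is not signed by a verified publisher, or its file name is a one-letter imitation of a common system binary.

```python
import csv
import difflib
import io

# Constructed sample in the shape of an Autoruns CSV export (column set trimmed
# to what the triage below needs; a real export has many more columns).
SAMPLE_AUTORUNS_CSV = r"""Entry Location,Entry,Enabled,Image Path,Signer
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,AVG,enabled,c:\program files\avg\avgui.exe,(Verified) AVG Technologies
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,ctfmon,enabled,c:\windows\system32\ctfmon.exe,(Verified) Microsoft Windows
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,wmaconv,enabled,c:\documents and settings\sis\local settings\temp\wmaconv.exe,(Not verified)
HKLM\System\CurrentControlSet\Services,NetSvcHelper,enabled,c:\windows\system32\svchosts.exe,(Not verified)
"""

# Baseline of (entry location, image path) pairs written down from a known-clean
# machine before the infection; constructed for this example.
BASELINE = {
    (r"hklm\software\microsoft\windows\currentversion\run", r"c:\program files\avg\avgui.exe"),
    (r"hklm\software\microsoft\windows\currentversion\run", r"c:\windows\system32\ctfmon.exe"),
}

# Directory fragments an ordinary user account can write to; a persistence
# entry launching from one of these deserves a closer look.
USER_WRITABLE_HINTS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\appdata\\")

# System binaries whose names are commonly imitated with a one-letter change.
OFTEN_IMITATED = ["svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"]


def reasons_for(row, baseline):
    """Return the list of reasons an autorun row deserves manual research."""
    location = row["Entry Location"].lower()
    image = row["Image Path"].lower()
    basename = image.rsplit("\\", 1)[-1]
    reasons = []
    if (location, image) not in baseline:
        reasons.append("not in baseline")
    if any(hint in image for hint in USER_WRITABLE_HINTS):
        reasons.append("runs from user-writable path")
    if not row["Signer"].lower().startswith("(verified)"):
        reasons.append("unsigned or unverified")
    # A near miss against a well-known system name (but not an exact match)
    # is a classic sign of an impostor binary.
    lookalike = difflib.get_close_matches(basename, OFTEN_IMITATED, n=1, cutoff=0.9)
    if lookalike and lookalike[0] != basename:
        reasons.append(f"name resembles {lookalike[0]}")
    return reasons


def triage(csv_text, baseline=BASELINE):
    """Parse an Autoruns-style CSV and return the enabled entries that are not in
    the baseline, each as (entry name, image path, reasons)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Enabled"].lower() != "enabled":
            continue
        reasons = reasons_for(row, baseline)
        if "not in baseline" in reasons:
            findings.append((row["Entry"], row["Image Path"], reasons))
    return findings


if __name__ == "__main__":
    for name, image, reasons in triage(SAMPLE_AUTORUNS_CSV):
        print(f"{name:14} {image}\n    -> {', '.join(reasons)}")
```

Run against the constructed export, the two baseline entries drop out and the two unknowns are listed with their reasons, which is the shortlist to take to the research step rather than the full autorun inventory. The baseline does the heavy lifting, so it has to come from a machine you trust; the path, signer and look-alike checks only rank what is left.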
  • by Bombula ( 670389 ) on Tuesday July 03, 2007 @03:30PM (#19734531)
    At what point is it simply not worth the effort to write a new virus?

    I assume it's getting more and more difficult to write viruses as time goes by - is that correct? If this is indeed an arms race, then one side or the other is going to run out of time and energy and money sooner or later, and I'm guessing it won't be the AV companies since there's so much at stake.

  • ClamAV (Score:4, Interesting)

    by DrYak ( 748999 ) on Tuesday July 03, 2007 @07:02PM (#19737113) Homepage

    And how will they compete with Free software anti-virus?

    Actually, by cheating ;-)

    Funny little anecdote in the world of virus scanning (harmless although dishonest).

    ClamAV [clamav.net] is such an open-source virus engine (with ClamWin [clamwin.net] as a Windows port).

    There have been several studies done about it (links on ClamAV's site) which reported that ClamAV, despite not being a non-commercial project, has among the fastest response times when new threats emerge.

    The studies also surprisingly uncovered some small cheating: some companies did small updates that didn't bump up the signature release number, but that included the new virus detection. Normally such non-upped releases should be reserved for modifications of the sig library that don't affect the number of detected viruses (like repacking the data more efficiently or whatever). But the companies nonetheless tried to slip in newer sigs, hoping that users would not notice it. When doing a retrospective study, unsuspecting users will read that virus XYZ is detected since Sig-file release A.B.C and they will see that Sig-file release A.B.C was released on YYYY-MM-DD HH:mm, thus will come to the conclusion that the virus was detected earlier than the competition. (Source [informationweek.com], paragraph 'A dirty little secret').

    But anecdote aside, ClamAV is a nice anti-virus engine, that has plugins (either bundled in or 3rd party) that enable on-the-fly scanning of data at usual entry points (ClamAV is popular for mail filters in Unix. ClamWin has plugins for mail clients and FireFox's downloader [mozilla.org], etc.) and is nice stuff to put in the "post-download script" of your usual peer-2-peer software. Please note that ClamWin still lacks an on-access scanning mode (although some 3rd party applications like Winpooch [winpooch.free.fr] can start the scanner before executing or reading files).
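The measurement pitfall in the anecdote above is that a release number's publication date is not the same thing as the moment a detection became available. The script below is an added example (not from the comment, the InformationWeek article or any vendor): it works over constructed snapshots of a signature feed, recorded by fetching the feed on a schedule, and shows the two ways of dating a detection side by side. Reading the date off the release number credits the vendor with a detection the day the version first shipped; only the snapshot in which the name first appears gives the honest date, and a version whose content changed without a number bump is flagged as a silent update.

```python
from datetime import datetime

# Constructed snapshots of one vendor's signature feed: the advertised release
# number, when the snapshot was fetched, and the detection names it carried.
SNAPSHOTS = [
    {"version": "1.2.3", "seen": "2007-07-01 08:00", "names": {"Worm.A", "Trojan.B"}},
    # Same release number, but a new name slipped in: a silent update.
    {"version": "1.2.3", "seen": "2007-07-02 08:00", "names": {"Worm.A", "Trojan.B", "Worm.XYZ"}},
    {"version": "1.2.4", "seen": "2007-07-03 08:00", "names": {"Worm.A", "Trojan.B", "Worm.XYZ", "Trojan.C"}},
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def silent_updates(snapshots):
    """Return (version, seen) for every snapshot whose content differs from the
    previous snapshot that carried the same release number."""
    found = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        if prev["version"] == cur["version"] and prev["names"] != cur["names"]:
            found.append((cur["version"], cur["seen"]))
    return found


def version_based_first_detection(snapshots, name):
    """What a retrospective study reads off the release notes: the time the
    earliest release number that ever listed `name` was first seen."""
    for snap in snapshots:
        if name in snap["names"]:
            first_of_version = next(s for s in snapshots if s["version"] == snap["version"])
            return first_of_version["seen"]
    return None


def observed_first_detection(snapshots, name):
    """The time `name` was actually observable in the feed."""
    for snap in snapshots:
        if name in snap["names"]:
            return snap["seen"]
    return None


def overstated_lead_hours(snapshots, name):
    """Hours by which the release-number method credits the vendor too early."""
    claimed = version_based_first_detection(snapshots, name)
    actual = observed_first_detection(snapshots, name)
    if claimed is None or actual is None:
        return None
    return (_ts(actual) - _ts(claimed)).total_seconds() / 3600


if __name__ == "__main__":
    print("silent updates:", silent_updates(SNAPSHOTS))
    for name in ("Worm.A", "Worm.XYZ", "Trojan.C"):
        print(name, "claimed", version_based_first_detection(SNAPSHOTS, name),
              "actual", observed_first_detection(SNAPSHOTS, name),
              "overstated by", overstated_lead_hours(SNAPSHOTS, name), "h")
```

The practical lesson for anyone comparing response times is to date detections by your own snapshots of the feed, never by the version number the vendor attaches to them.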
  • Re:Oh please... (Score:3, Interesting)

    by Opportunist ( 166417 ) on Tuesday July 03, 2007 @08:01PM (#19737781)
    Know what? Sit down and write it. Yes, it's gonna put me out of work, and I'll probably have to do something sensible instead of prodding at malware all day, but that would be worth it. It's no fun to dig through disassembled trojans and learn every day a new flaw about Windows. And to make matters worse, I can't even talk about it.

    What you suggest first of all requires a sensible distinction between system and user space. Which doesn't exist in Windows, at least until Vista. Be aware that you're dealing with a system where the normal user usually has full access to the full system, down to installing drivers and injecting code into running processes, even system processes.

    Your model trusts the system. Which is all right, until someone finds a way to compromise it. Which is no big deal in Windows, since it is possible to manipulate even loaded system core dlls. The files, not only the copy in ram. And if that fails, it's no problem at all to inject code into the copies in ram (they're conveniently at the same address space in all programs, even in Vista. Yes, Vista randomizes. Well, chooses from 256 possible locations, and only ONCE per reboot...), all you have to do is make sure the program to manipulate it is loaded at reboot (which is conveniently supported by Windows through about 10 or 20 different ways, depending on just when you'd like your malware to load).

    And of course that you have debug privileges. Which is, as mentioned, no issue in any Windows version up to XP, since it's near impossible to use it sensibly without. Too many programs rely on the nonexistent distinction between user and system.

    So if you can write that perfect AV program, please do. I've tried for years, I failed. I admit it. Please take the torch and run with it.
