Security Windows IT

How Viruses Evolve Into All-Purpose Malware

KingofGnG writes "Computer threats are continuously evolving, and some malicious codes are a problem difficult to tackle because of their inherent complexity and an intelligent design capable of constantly putting under pressure security companies. A remarkable 'intelligent' threat is for instance Sality, the 'new generation' file virus that according to Symantec has practically turned into an 'all-in-one' malware incorporating botnet-like functionalities as well."
  • by Aargau ( 827662 ) on Friday May 28, 2010 @11:15PM (#32385988)
    Our immune system has an advantage over virii and bacteria due to our greater cell specialization and intelligent response. The problem with modern botnet malware is that the infecting agent can actually be more intelligent and reactive than the host it's infecting.
  • Virus? Malware? (Score:5, Interesting)

    by virtualonliner ( 1278494 ) on Friday May 28, 2010 @11:29PM (#32386080)
    I think we are at a point where we cannot really distinguish between virus or spyware or scareware or whatever. Viruses have already started doing what spyware was doing a couple of years ago. I mean, it sounds just pointless that we distinguish them. A bad program is a bad program. It does not matter what we call it. Guys at StopBadware came up with a good term a few years ago. It's badware. It does not matter to the end user what it does!
  • Re:Security? (Score:3, Interesting)

    by $RANDOMLUSER ( 804576 ) on Saturday May 29, 2010 @12:39AM (#32386452)
    Too right. I've taken to asking people "You don't go to the bad part of town and have unprotected sex with junkies, why do you keep downloading this stuff?". Sadly, most people don't get the analogy.
  • by c6gunner ( 950153 ) on Saturday May 29, 2010 @01:05AM (#32386568) Homepage

    This virus is not going to "evolve" into another form any time soon, it has simply been designed to make limited adaptations to local circumstances

    That's primarily because nobody has bothered to make evolving viruses. Sure, we've made some that can change their code in order to try and avoid detection, but their "mutations" are intentionally limited because, in the end, the "intelligent designer" still wants them to continue functioning in a certain way.

    Now, if you didn't give a damn WHAT your virus did as long as it continued to replicate, there's no reason why you couldn't make one that does actually evolve. Now that you've brought it up, I'm almost tempted to try and make one :)

  • by Anonymous Coward on Saturday May 29, 2010 @01:06AM (#32386574)

    Ohh give me a break. Apple is just fortunate enough not to be getting attacked right now. GNU/Linux land is much better prepared than Apple's ecosystem because unlike with Apple on the desktop you haven't got systems where users are installing software from non-repository sources. In both MS Windows and on Mac you do though. In both MS Windows and on Mac there is no system to update everything either. It is left up to applications to do the updating and then users are forced to ok every application. My MOM who is completely illiterate has figured out how to accept security updates on GNU/Linux and she easily knows not to install MS Windows software- even though she potentially could. On GNU/Linux you have a system to update every piece of software generally speaking so there just isn't a security threat like on MS Windows and Mac to even take advantage of. Everything that is going to be a core target for attack is protected well on GNU/Linux. Unlike GNU/Linux if the Mac market share grows it will become a victim even if less so than Microsoft to spyware, viruses, and their ilk. If GNU/Linux market share grows it'll be much much less likely to see serious penetration even on novice users' machines by malicious attackers.

  • by blahplusplus ( 757119 ) on Saturday May 29, 2010 @01:49AM (#32386720)

    ... It might be time for the OS to compartmentalize the browser to have the net enclosed from the main system within a virtual machine. This way even if the "computer" were infected by malware it would disappear when the VM was closed down, also a whitelist of executables on the host machine would go a long way to stopping malware and the permanent logging/monitoring of executables or dlls being loaded that are unrecognized so they can be analyzed.

  • by Opportunist ( 166417 ) on Saturday May 29, 2010 @02:44AM (#32386924)

    Nope. Whitelisting would first of all require you to KNOW (not to assume, not to guesstimate, but to KNOW) that a given application is neither harmful (ok, that's doable to some degree, provided you invest the time, and hence money, into the whitelisting process) nor can be abused to be an infection vector. And the latter part is what makes the whole whitelisting pointless.

    Would you whitelist Flash? Would you whitelist Adobe Acrobat Reader? Would you whitelist your web browser? Or your media player, your MP3 player, your word processor, your instant messenger? Of course, you would pretty much have to or your user would go ballistic on you. Is it an attack vector? Oh, one of them currently certainly is!

    Whitelisting only solves the problem if you can ensure that the program you whitelist cannot be used as an attack vector. And you cannot do that unless you wrote the program yourself and thus know the way it handles user input. The moment a given program can open a file, a stream or a network connection, you open that program to user input. And that's the moment when security takes a cigarette break.

  • Re:Security? (Score:3, Interesting)

    by Opportunist ( 166417 ) on Saturday May 29, 2010 @02:49AM (#32386934)

    It's mostly psychological.

    A computer is something you use at home, at a place where you usually feel secure, safe and untouchable. Even at work you don't expect the door to be kicked open by someone grabbing your purse at gunpoint. Hence people feel safe when using their computer. And hence their guard is down.

  • by Anonymous Coward on Saturday May 29, 2010 @06:21AM (#32387596)

    And how many non-techies do you think would do that? Most people don't need PPAs when they have 20k+ packages in the main repositories.
    Besides, I would hardly call it a virus if you're tricked into installing it. By that account, this mail would also be a virus for Mac and Linux/UNIX:

    Please save the following program to a file, run "chmod +x" on it and execute it.
    #!/bin/sh
    echo Please enter password
    su -c "rm -rf /*"

  • by DarkOx ( 621550 ) on Saturday May 29, 2010 @07:39AM (#32387842) Journal

    Would you whitelist Flash? Would you whitelist Adobe Acrobat Reader? Would you whitelist your web browser? Or your media player, your MP3 player, your word processor, your instant messenger? Of course, you would pretty much have to or your user would go ballistic on you. Is it an attack vector? Oh, one of them currently certainly is!

    A more granular white list will work. What you really need is a white list + ACE/ACL system. Symantec Endpoint Protection actually can do some of this stuff if your admin people invest enough time in writing rules. Yes you whitelist Acrobat Reader but you only allow it to open file streams to files ending in .pdf and only for read. Flash might have to play a little to get that to work, but it too could probably be sandboxed effectively. Your word processor again might need read access to files in many places but only needs to write *new* files in the documents directory and only needs to be allowed to write a couple hundred megs per instance so that it can't be used to DOS you.

    I could go on but you get the idea. You could build a system that is usable and at the same time hardened enough to remove most of the profit in attacking it. It would cost quite a bit and take a great deal of work to maintain. The industry has simply decided it's better to tolerate a certain amount of crime and clean up afterwards.

    It's kinda like your house in that way. You accept there is a certain risk you will be broken into; and you just insure your stuff. It's a better alternative than the razor-wire-surrounded, steel-walled bunker you'd otherwise have to have to keep people out.
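The two ideas above (blahplusplus's executable whitelist with logging of anything unrecognized, and DarkOx's per-application rules such as read-only access to .pdf files for Acrobat Reader and a per-instance write quota for the word processor) can be sketched as a small policy engine. The following is an added example, not code from the thread, from Symantec Endpoint Protection or from any real product; the executable hashes, file paths, rule set and the sequence of access requests are all constructed for the demonstration.

```python
# Added example: a toy "whitelist + per-application ACL" policy engine.
# Not code from the Slashdot thread or any real endpoint product; every
# hash, path, rule and request below is constructed for illustration.
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    path_glob: str                      # files this rule covers (fnmatch syntax; '*' also crosses '/')
    modes: frozenset                    # subset of {"read", "write", "create"}
    write_quota: Optional[int] = None   # max bytes one process instance may write under this rule


@dataclass
class AppPolicy:
    name: str
    sha256: str      # hash of the approved executable image; anything else is "unrecognized"
    rules: tuple     # ordered Rules; the first one matching both path and operation decides


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def image_hash(image: bytes) -> str:
    """An executable's identity is its SHA-256, so a tampered binary drops off the whitelist."""
    return hashlib.sha256(image).hexdigest()


class PolicyEngine:
    def __init__(self, policies):
        self.by_hash = {p.sha256: p for p in policies}
        self.audit = []     # every decision, including unrecognized executables, kept for analysis
        self.written = {}   # (sha256, pid) -> bytes written so far, for the per-instance quota

    def _log(self, decision, sha256, pid, op, path):
        self.audit.append((sha256, pid, op, path, decision))
        return decision

    def evaluate(self, sha256, pid, op, path, nbytes=0) -> Decision:
        policy = self.by_hash.get(sha256)
        if policy is None:
            # Not whitelisted: deny, and keep the hash so the sample can be pulled for analysis.
            return self._log(Decision(False, "unrecognized executable"), sha256, pid, op, path)
        for rule in policy.rules:
            if op not in rule.modes or not fnmatch.fnmatch(path, rule.path_glob):
                continue
            if op in ("write", "create") and rule.write_quota is not None:
                key = (sha256, pid)
                used = self.written.get(key, 0) + nbytes
                if used > rule.write_quota:
                    return self._log(Decision(False, f"{policy.name}: write quota of {rule.write_quota} B exceeded"),
                                     sha256, pid, op, path)
                self.written[key] = used
            return self._log(Decision(True, f"{policy.name}: {op} allowed by rule {rule.path_glob}"),
                             sha256, pid, op, path)
        return self._log(Decision(False, f"{policy.name}: no rule permits {op} on {path}"), sha256, pid, op, path)


# Constructed executable images standing in for real binaries.
ACROBAT = image_hash(b"constructed-acrobat-reader-image")
WORDPROC = image_hash(b"constructed-word-processor-image")
DROPPER = image_hash(b"constructed-unknown-binary")
MiB = 2 ** 20


def build_demo_engine() -> PolicyEngine:
    return PolicyEngine([
        # Acrobat Reader: may only read files ending in .pdf, nothing else.
        AppPolicy("Acrobat Reader", ACROBAT, (Rule("*.pdf", frozenset({"read"})),)),
        # Word processor: read anywhere, create new files only under Documents, 200 MiB per instance.
        AppPolicy("Word processor", WORDPROC, (
            Rule("*", frozenset({"read"})),
            Rule("/home/alice/Documents/*", frozenset({"create"}), write_quota=200 * MiB),
        )),
    ])


def run_demo():
    """Evaluate a constructed sequence of file accesses; returns the list of Decisions."""
    engine = build_demo_engine()
    requests = [
        (ACROBAT, 101, "read", "/home/alice/invoice.pdf", 0),                 # allowed
        (ACROBAT, 101, "write", "/home/alice/invoice.pdf", 0),                # denied: read only
        (ACROBAT, 101, "read", "/etc/passwd", 0),                             # denied: not a .pdf
        (WORDPROC, 202, "create", "/home/alice/Documents/report.odt", 150 * MiB),  # allowed
        (WORDPROC, 202, "create", "/home/alice/Documents/copy.odt", 100 * MiB),    # denied: quota
        (WORDPROC, 303, "create", "/home/alice/Documents/copy.odt", 100 * MiB),    # allowed: new instance
        (WORDPROC, 202, "create", "/tmp/run.sh", 10),                         # denied: outside Documents
        (DROPPER, 404, "read", "/home/alice/invoice.pdf", 0),                 # denied and logged: unknown
    ]
    return [engine.evaluate(*r) for r in requests]


if __name__ == "__main__":
    for d in run_demo():
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```

Two design points follow the comments directly: identity is the hash of the executable image rather than its path, so a modified binary is "unrecognized" and lands in the audit log instead of inheriting a rule, and the write quota is tracked per (executable, pid) so it is reset for each new instance as DarkOx describes. The glob matching is deliberately crude (fnmatch's '*' does not stop at directory separators), and a real system would enforce these decisions from a kernel driver or LSM rather than in user space.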
