Forgot your password?
typodupeerror
Security Windows IT

How Viruses Evolve Into All-Purpose Malware 117

Posted by timothy
from the increments-of-evil dept.
KingofGnG writes "Computer threats are continuously evolving, and some malicious codes are a problem difficult to tackle because of their inherent complexity and an intelligent design capable of constantly putting under pressure security companies. A remarkable 'intelligent' threat is for instance Sality, the 'new generation' file virus that according to Symantec has practically turned into an 'all-in-one' malware incorporating botnet-like functionalities as well."
This discussion has been archived. No new comments can be posted.

How Viruses Evolve Into All-Purpose Malware

Comments Filter:
  • You lost me... (Score:5, Insightful)

    by Simulant (528590) on Friday May 28, 2010 @11:11PM (#32385946) Journal
    ... at "according to Symantec."
  • Our immune system has an advantage over virii and bacteria due to our greater cell specialization and intelligent response. The problem with modern botnet malware is that the infecting agent can actually be more intelligent and reactive than the host it's infecting.
    • Our immune system has an advantage over virii and bacteria due to our greater cell specialization and intelligent response.

      First of all, you're only half-right here. Our bodies evolve diverse ecosystems of bacteria, actually varying quite a bit from person-to-person. The difference is that when we transmit bacteria from person-to-person, we might make each other sick, but that's unavoidable and actually healthy, to an extent -- it boosts our immune response. Computer systems don't get smarter when they get owned, and the risk seems much higher. (It won't kill you, but it could ruin your life, and it could ruin many lives very q

    • by znerk (1162519)

      The problem with modern botnet malware is that the infecting agent can actually be more intelligent and reactive than the host it's infecting.

      This is the absolute best place to start when fighting malware. Educate the user, even if it's just "stop letting your kids use LimeWire to download music/movies/apps/trojans/viruses".
      Most of the issues that Joe User experiences are completely explainable as PEBKAC.
      --
      Problem Exists Between Keyboard And Chair. Abort, Retry, Explode?

    • by selven (1556643)

      Our main advantage is that we're all slightly different from each other, so diseases can't usually spread to everyone. The computing world, with its 94% Windows market share, lacks this feature and is thus suffering a permanent Irish potato famine.

  • by Mattpw (1777544) on Friday May 28, 2010 @11:16PM (#32385992) Homepage
    Call me defeatist but I believe there is no way the whitehats can out software manoeuvre the blackhats with software only solutions. The increasing complexity of modern systems ensures that the security holes will only grow not diminish. But maybe the next software "update" will solve all our problems this time?... The only permanent solution I can see is mass deployment of airgapped two factor tokens specifically for transaction authentication not generic OTP which the trojans are bypassing. This is the only security that I can guarantee what I am authenticating by looking at a airgapped device. I find it increasingly difficult to justify the performance loss for running anti malware software for the ever diminishing protection offered.
    • Sure there is. Whitelists, but nobody has the patience to do it.

      • Re: (Score:3, Insightful)

        by Alan Shutko (5101)

        Apple does. Look at the App Store.

        • Re: (Score:1, Interesting)

          by Anonymous Coward

          Ohh give me a break. Apple is just fortunate enough not be getting attacked right now. GNU/Linux land is much better prepared than Apple's ecosystem because unlike with Apple on the desktop you haven't got systems where users are installing software from non-repository sources. In both MS Windows and on Mac you do though. In both MS Windows and on Mac there is no system to update everything either. It is left up to applications to do the updating and then users are forced to ok every application. My MOM who

          • Re: (Score:3, Insightful)

            Apple is just fortunate enough not be getting attacked right now. GNU/Linux land is much better prepared than Apple's ecosystem because unlike with Apple on the desktop you haven't got systems where users are installing software from non-repository sources.

            One word: PPAs.

            Seriously. Think about it. Ubuntu PPAs are not vetted by Canonical or the Ubuntu Dev Team, and could, potentially, be used to spread Linux viruses.

            Of course, someone has to go through the work of adding it to the package manager, but Ubuntu as made this relatively painless by 'add-apt-repository'.

            • Re: (Score:1, Interesting)

              by Anonymous Coward

              And how many non-techies do you think would do that? Most people don't need PPAs when they have 20k+ packages in the main repositories.
              Besides, I would hardly call it a virus if you're tricked into installing it. By that account, this mail would also be a virus for Mac and Linux/UNIX:

              Please save the following program to a file, run "chmod +x" on it and execute it.
              #!/bin/sh
              echo Please enter password
              su -c "rm -rf /*"

              • by tlhIngan (30335)

                And how many non-techies do you think would do that? Most people don't need PPAs when they have 20k+ packages in the main repositories.

                A lot.

                It's just like all those jailbroken iPhones, iPod Touches and now iPads who have OpenSSH with default passwords. (Hint: username is "root" or "mobile", password is "alpine"). Why do they have OpenSSH installed? Because they were blithely following some tutorial on getting something they wanted done. Be it modifying some files, installing various .debs and the like. Tu

      • A whitelist merely outsources the need for security from the system which uses the whitelist to the system(s) which is(are) whitelisted.

        If A only allows B to connect to its services, then A implicitly relies on B not getting hacked. But if B is hacked, then that hacker can pass through A's whitelist by pretending to be B.

        The only time A gains security this way is if B's security is greater than A (more or less).

      • by Opportunist (166417) on Saturday May 29, 2010 @02:44AM (#32386924)

        Nope. Whitelisting would first of all require you to KNOW (not to assume, not to guesstimate, but to KNOW) that a given application is neither harmful (ok, that's doable to some degree, provided you invest the time, and hence money, into the whitelisting process) nor can be abused to be an infection vector. And the latter part is what makes the whole whitelisting pointless.

        Would you whitelist Flash? Would you whitelist Adobe Acrobat Reader? Would you whitelist your web browser? Or your media player, your MP3 player, your word processor, your instant messenger? Of course, you would pretty much have to or your user would go ballistic on you. Is it an attack vector? Oh, one of them currently certainly is!

        Whitelisting only solves the problem if you can ensure that the program you whitelist cannot be used as an attack vector. And you cannot do that unless you wrote the program yourself and thus know the way it handles user input. The moment a given program can open a file, a stream or a network connection, you open that program to user input. And that's the moment when security takes a cigarette break.

        • Re: (Score:3, Interesting)

          by DarkOx (621550)

          Would you whitelist Flash? Would you whitelist Adobe Acrobat Reader? Would you whitelist your web browser? Or your media player, your MP3 player, your word processor, your instant messenger? Of course, you would pretty much have to or your user would go ballistic on you. Is it an attack vector? Oh, one of them currently certainly is!

          A more granular white list will will work. What you really need is a white list + ACE/ACL system. Symantec Endpoint Protection actually can do some of this stuff if your admin people invest enough time it writing rules. Yes you whitelist Acrobat Reader but you only allow it to open file streams to files ending in .pdf and only for read. Flash might have to play a little to get that to work, but it to could probably be sandboxed effectively. Your word processor again might need read access to files in m

          • by RulerOf (975607)
            While I don't have anything to add, do you know of any writeups that detail hardened SEP configurations like the one you describe? I am quite intrigued.
        • In today's regulatory environment electricity would never be approved for use outside the execution chamber.

          Anything sufficiently powerful to be interesting and useful is also dangerous, it's almost an inherent property.
    • Call me defeatist but I believe there is no way the whitehats can out software manoeuvre the blackhats with software only solutions.

      So what do you suggest? Hardware?

      The only permanent solution I can see is mass deployment of airgapped two factor tokens specifically for transaction authentication not generic OTP which the trojans are bypassing.

      Oh. I was actually being sarcastic.

      This won't work. The biggest reason it won't is convenience. Say one credit card company requires such a device, and another promises that they'll be liable for any damages from fraud. Which would you go to? If they both make that promise, what does the consumer gain from the device?

      And even this would be spectacularly vulnerable, if you can't trust the host system through which you're accessing whatever you're accessing.

      I find it increasingly difficult to justify the performance loss for running anti malware software for the ever diminishing protection offered.

      I don't run it at a

      • by Mattpw (1777544)

        Oh. I was actually being sarcastic.

        Dont be scarcastic, didnt you know its the lowest form of wit.

        This won't work. The biggest reason it won't is convenience. Say one credit card company requires such a device, and another promises that they'll be liable for any damages from fraud. Which would you go to?

        You have only given one reason and its not a security one. I would go with the one which offered me the best security and convenience, you didnt consider the inconvenience caused by having your accounts looted which the liability doesnt cover.

        If they both make that promise, what does the consumer gain from the device?

        You do realise that shifting the liability onto the banks doesnt actually prevent the theft?. The users still pay for it one way or another and its not simply a matter of cost or inconvenience to the public

        • You do realise[sic] that shifting the liability onto the banks doesnt actually prevent the theft?

          You do realize that the banks don't have liability in fraud, the merchant does? And distributions of the cost of fraud are spread equally among those who use the crazy-hard system, and those who do not? And the banks actually make money off fraud by telling the merchant to fuck off and fining them for accepting a bogus credit card?

          You have only given one reason and its not a security one

          People are the biggest

          • by Mattpw (1777544)
            You are right the merchants are getting hit probably just as hard as the banks with credit card fraud, I was thinking more of trojans like Zeus etc which are stealing users banking logins and then filtering money out of peoples accounts to their mules. This liability would or should fall squarely on the banks. The reality is we are probably all getting hit indirectly by this problem and it only seems to grow. Laziness can never be solved, agreed.
            • No one said laziness can never be solved, only that it's a security hole, which was exactly my point: Any security system has to take laziness into account. A good example of this is the Linux repository system, which has (somewhat) been adopted by Apple with the App Store -- it rewards laziness (getting your apps through a single, easy-to-use channel) with security (all apps in that channel have been vetted and signed).

        • You have only given one reason and its not a security one.

          Actually, it is. Any security system that ignores human factors will not work when used by humans, or won't be used by humans, rendering it useless.

          You do realise that shifting the liability onto the banks doesnt actually prevent the theft?

          No, but it places the responsibility on those who are most necessary for resolution. If the liability was entirely on the consumer, banks and merchants would have little incentive to improve security.

          Now, I would much rather have a bit more shifted back to the consumer, so they paid a bit more attention to stuff like this, but that's tricky -- I have to think th

      • This won't work. The biggest reason it won't is convenience. Say one credit card company requires such a device, and another promises that they'll be liable for any damages from fraud. Which would you go to? If they both make that promise, what does the consumer gain from the device?

        I'd go to the first. When a company promises it's liable for user stupidity, you pay for the stupidity of other users. Or where do you think the money to cover that liability comes from?

        • When a company promises it's liable for user stupidity, you pay for the stupidity of other users.

          So you wouldn't actually compare the rates and find out if it's actually true?

          • No. Seriously. There is only four possible options what I could find out when comparing that "covering" company vs. the one that decides not to:

            First, they're more expensive to compensate.
            Second, they're not more expensive and go out of business because they get drowned in the loss.
            Third, they notice in time that they're too cheap to stay in business and jack up the fees to compensate.
            Fourth, they hope for a bailout.

            Neither of these options is looking good.

            • First, they're more expensive to compensate.

              Could be, but you don't know this yet.

              Second, they're not more expensive and go out of business because they get drowned in the loss.

              Also a possibility, so long as you understand that this is an entire option. "Not more expensive" does not automatically imply "drowned in the loss."

              There is a fifth possibility you missed: The "secure" version gouges their customers to compensate, and is required by law anyway to assume a fair amount of the risk. So you're paying more, getting marginally more security, at a lot less convenience. That's not a tradeoff most people find attractive.

              But what I find most dis

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      The problem is that the same solution that can address the Trojan problem will make DRM impossible to get around, like trusted computing, curtained memory, etc.

      Instead, what I'd like to see would be a standard for secondary access that is accepted by everyone across the board using an offline token system. The token system would allow someone to install an app on their phone (be it a WM device, Android, iPhone, or similar), or be a separate keyfob. Basically like what Blizzard offers for secondary authent

    • by Opportunist (166417) on Saturday May 29, 2010 @02:37AM (#32386900)

      Partly right.

      What we're essentially trying to do with malware is not unlike what some countries try to do to keep illegal immigrants out. They try to shut down the border. And you know how well THAT worked, right? It's like smashing all the windows in your home and then trying to keep the flies out.

      A "total" solution does not exist, and probably never will. Whitelisting, while it would be initially quite secure, won't solve it either. Why, you ask? Because then the malware will be included in "harmless" looking programs. You will get a program that actually does what it should and contains a nifty little payload. Or, if everything fails, we'll get to see an exploit or security weakness in a programm sooner or later. What? Would be detected immediately? Oh yeah, right, and that's why no consoles have ever been hacked using save game exploits. And here even EVERYONE involved in the making of the hard- and the software had the interest to NOT allow something like that to happen.

      Back on topic. We're now at the point where the number of usable exploits is down to a handful, actually. There's a reason why malware creators are reaching for exploits in third party software already (btw, Adobe, get the f... off your rear and get your act together!), simply because the useable exploits in the system itself become too few and are fixed too quickly. Recently I've seen the first exploits for popular games. Script support and the general support of user created content really opens that Pandora's box. But they're still few and far between, almost all infections today happen with the consent and actual help of the user. It's social engineering, people! Not software engineering.

      The biggest security problem is not in the box on the floor. It's sitting right next to it.

      • by sco08y (615665)

        What we're essentially trying to do with malware is not unlike what some countries try to do to keep illegal immigrants out. They try to shut down the border. And you know how well THAT worked, right?

        Sure, Mexico has been quite brutal, but fairly effective, at preventing illegal immigrants from the Honduras and other Latin American countries. I guess it would make sense to make the US's immigration laws more like Mexico's, after all, it can't be inhumane to treat them the way they treat immigrants to their own country!

    • I'm not saying it's ideal, or even desirable, but what Sony is doing with the PS3 is approaching secure. Most software requires the latest updates in order to function, and the updates stay on top of known exploits. I think it's the suckiest user experience ever, constant waiting for their slow servers to push patches, and sometimes those patches break functionality that _I_ care about, but it does seem to have kept a cap on unauthorized use, at least if you care about using the secure software base.
    • by kvezach (1199717)
      How about fine-grained security? There's no reason Flash should have access to files on your system, so make the OS support (and withhold) capabilities so Flash just plain can't read your files no matter how compromised it gets. Similarly, there's no reason the image rendering component of your web browser should be able to open a server on port 1337 - or any other port for that matter.

      It was done with users: an ordinary Unix user can't write to /usr/bin no matter how hard he tries (unless he escalates p
    • by oljanx (1318801)
      I call this job security. I expect it to last until someone manages to develop sentient heuristic AV software. Although, I'll wager that the black-hats will beat white-hats to the punch on this front and continue to out maneuver them. There's a sci-fi novel in there somewhere.
  • Security? (Score:4, Insightful)

    by tpstigers (1075021) on Friday May 28, 2010 @11:22PM (#32386036)
    I'm still confused about this whole concept of computer security. No other aspect of my life is particularly secure - why should I expect my computer to be secure? More to the point - why should I expect someone else to provide that security? In every other part of my life, my security is up to me to arrange and maintain. In my job, in my relationships, in my retirement, in my health - it's all up to me. Why do we think our computers will be different?
    • by hedwards (940851)
      I don't know about you, but I expect the police to provide security, as well as the military and intelligence agencies. They don't provide complete security, but they do go quite a ways. Computer security is like that. On top of that comes personal and community responsibility.
      • Re: (Score:3, Informative)

        by AshtangiMan (684031)
        Bad analogy. Police don't provide security, they maintain control. The military may provide security, but only for itself. As for intelligence agencies, they are largely a misnomer. So in the end all you have is yourself, and your community.
      • by roman_mir (125474)

        Police? They'll not provide you with any security at all. By the time the cops get involved there is already a body on the ground.

        Military providing security? Like how? After US military has invaded Iraq, hundreds of thousands, if not millions of civilians Iraqis were killed. Is THAT security?

    • Re: (Score:3, Interesting)

      by $RANDOMLUSER (804576)
      Too right. I've taken to asking people "You don't go to the bad part of town and have unprotected sex with junkies, why do you keep downloading this stuff?". Sadly, most people don't get the analogy.
    • Re: (Score:3, Interesting)

      by Opportunist (166417)

      It's mostly psychological.

      A computer is something you use at home, at a place where you usually feel secure, safe and untouchable. Even at work you don't expect the door to be kicked open by someone grabbing your purse at gunpoint. Hence people feel safe when using their computer. And hence their guard is down.

    • Your house isn't secure, but you do know when someone has broken in. The problem with computer security is the stealth with which the bad guys can operate, and therefore the scale they can operate on.

      My CC# isn't secure in the least, every time I use it for any purchase, I'm trusting some underpaid clerk or waiter to not steal it, but they (usually) have limited ability to profit from the theft because I would eventually notice the bogus charges (my wife checks the online statements almost nightly...)
    • by Nolaan (1541149)
      Certainly because there's no theft on earth that could do 2 millions task once he broke into your house and leave without any trace! You are a grown man/woman so i guess that you have a relativly high control over your life, that is security, the other random deadly things that happen have little probability.
  • Virus? Malware? (Score:5, Interesting)

    by virtualonliner (1278494) on Friday May 28, 2010 @11:29PM (#32386080)
    I think we are at a point where we cannot really distinguish between virus or spyware or scareware or whatever. Virus have already started doing what spyware doing a couple years ago. I mean, it sounds just pointless that we distinguish them. Bad program is a bad program. It does not matter what we call it. Guys at StopBadware came up with a good term a few years ago. It's a badware. It does not matter to the end user what it does!
    • That line has been blurred years ago. Hence I simply refer to the whole bunch of crap soft that does some harm to you as malware. Why bother with the distinction? Is it a virus, a worm, a trojan or an infector?

      Does the user care?

      No, he doesn't! He only gets confused with the amount of terms used for what is essentially the same: Software that does harm to him. "Oh, it's just a worm, phew, glad it ain't a virus, eh?" No! No, dammit! Malware, badware, whatever we call it, but let's coin ONE term for the whole

      • Actually I agree, but I prefer to call most of these things a virus.
        While I am aware that it is not always technically accurate, it has a greater emotional impact on non-technical people.
        The fact is, Joe average user is much more likely to take it serious when you say.. your computer has about 10 viruses on it.
        If you tell them your computer is infected with malware, they are likely to just say "What's that?".
        • by maxume (22995)

          So why stay so tame?

          Well ma'am, the computer-raper that you downloaded is raping your documents and your photos, and it is about to rape your financial accounts.

    • by Zerth (26112)

      It's kind of like that saying "Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can."

      Similarly, malware will expand until it is an infectious, remotely controlled rootkit that bots MMORPGs using your credit card.

    • How else can virus checker providers up-sell?
      You want x-ware protection too? add $x.

  • Macs (Score:2, Funny)

    by Mr Pleco (1160587)

    The only solution.

    'Cause nothing runs on a mac.

    *gigglesnort*

  • by shikaisi (1816846) on Friday May 28, 2010 @11:41PM (#32386144)
    I know evolution is a much-abused word, but TFA itself states "some malicious codes are a problem difficult to tackle because of their inherent complexity and an intelligent design". Let's give the Intelligent Designer some credit, even when he's a malevolent one. This virus is not going to "evolve" into another form any time soon, it has simple been designed to make limited adaptations to local circumstances.
    • Re: (Score:3, Interesting)

      by c6gunner (950153)

      This virus is not going to "evolve" into another form any time soon, it has simple been designed to make limited adaptations to local circumstances

      That's primarily because nobody has bothered to make evolving viruses. Sure, we've made some that can change their code in order to try and avoid detection, but their "mutations" are intentionally limited because, in the end, the "intelligent designer" still wants them to continue functioning in a certain way.

      Now, if you didn't give a damn WHAT your virus did as long as it continued to replicate, there's no reason why you couldn't make one that does actually evolve. Now that you've brought it up, I'm almo

      • by shikaisi (1816846)
        That would be a very interesting experiment. After all, the replication time-scale should allow evolution to happen extremely quickly compared to biological experiment. If we found that viruses could evolve into say, GPL software or iPhone apps in order to propagate themselves, I might almost be tempted to believe in evolution.
        • If we found that viruses could evolve into say, GPL software or iPhone apps in order to propagate themselves, I might almost be tempted to believe in creation.

          There, fixed for you

      • I tried something like that a while ago. It's interesting, do it! Maybe yours can survive. Mine didn't. :)

    • by zephvark (1812804)
      It's evolution in that it's become a very much more serious predator due to competitive pressure over time. That's how it goes. The only question I feel I need to ask about "Intelligent Design" is, if intelligence is something that needs to be designed, who created the designer?
    • by sco08y (615665)

      It's not so much the abuse of the word "evolution" but the tendency to completely ignore the whole process of human beings collaborating to write this code, and that's really where the story is! Having eliminated the human aspect (deanthropomorphized?) he thus imbues computer viruses with the abilities of living things, abilities that he probably doesn't really understand and I know that, as a typical reader, I have only a basic understanding of how viruses work.

      I know editors want to dumb this stuff down,

  • But is it GPL?

  • Because when you get to the "then can execute arbitrary code" part, it becomes a fairly general purpose thing. Why not maximize potential profitability ?

    Dino

    The code looks more like someone was juggling Swiss Army Chainsaws.

  • by blahplusplus (757119) on Saturday May 29, 2010 @01:49AM (#32386720)

    ... It might be time for the OS to compartmentalize the browser to have the net enclosed from the main system within a virtual machine. This way even if the "computer" were infected by malware it would disappear whne the VM was closed down, also a whitelist of Executables on the host machine would go a long way to stopping malware and the permanent logging/monitoring of executables or dlls being loaded that are unrecognized so they can be analyzed.

    • by jimicus (737525)

      Which is fine and dandy except....

      .... the closest thing we have to a whitelist (UAC in Windows) is effectively useless because the default response of the end user is almost always going to be to click "Allow".

      .... sticking every application in a VM fails horribly as soon as you want an application to do something that may involve interaction (either with the underlying OS or another application). Example: How are you going to download ${RANDOM_APP} if your web browser can only save files within a VM th

    • Problem is if the VM gets sufficiently complex, it's still a significant loss when it gets corrupted. It's all well and good to say that you just want a browser in the VM, but that browser wants all of its plug-ins, and your bookmarks, oh and your saved passwords too... eventually the VM becomes indistinguishable from the whole machine.

      If you want to "protect yourself" when doing something unusual and risky, then a VM can be like using a condom... it diminishes the spontaneity of the act, and provides
  • by BeerCat (685972) on Saturday May 29, 2010 @11:44AM (#32389224) Homepage

    A summary that mentions "evolving" and "intelligent design" in the same sentence?
    Now that really is impressive (and guaranteed to upset both Darwinists and Creationists at the same time )

    Boffo! A good one!

1 Billion dollars of budget deficit = 1 Gramm-Rudman

Working...