Future Trends of Malware 179
An anonymous reader writes "What are the driving forces behind the rise of malware? Who's behind it, and what tactics do they use? How are vendors responding, and what should organizations, researchers, and end users keep in mind for the upcoming future? All these questions and more are answered in the well written (MHO) Future Trends of Malware"
What are the driving forces behind the rise of mal (Score:1, Insightful)
Re:What are the driving forces behind the rise of (Score:1)
Two Words: Titan Rain (Score:3, Interesting)
money
Look, money is a perfectly fine motivation for script kiddies and Nigerian scam artists and ex-KGB Russian/Ukrainian mafiosi.
But there's an outfit sitting behind a router in the PRC that has a different motivation; something along the lines of "Geopolitical World Dominance":
Re:Two Words: Titan Rain (Score:2)
Objective: obtain a sample of American sand.
The Soviets send a stealth submarine, which spits forth a scuba diver equipped with all the latest camouflage, who sneaks ashore in the dead of night.
The Chinese send a million tourists to the beach.
56% increase in trust in AntiVirus (Score:5, Insightful)
Re:56% increase in trust in AntiVirus (Score:2, Insightful)
note: I can too make fun of all antivirus companies. I run debian.
Re:56% increase in trust in AntiVirus (Score:4, Informative)
I haven't installed an anti-virus software on my home PC and laptop for over 3 years now (both running Windows). Never had any problems either. I just follow a few paranoid steps:
- Firewall the machines router + laptop has software firewall.
- Avoid IE like the plague.
- Avoid Outlook Express like the plague.
- Try as much as possible using a limited rights account instead of root. For some games and apps it doesn't work but for most mundane tasks like browsing, video, mp3 playback it works great.
- VMware or VirtualPC is your friend if you want to run code from ugh *cough* warez sites *cough*, but as a general step, I refuse to open any email attachment that isn't an image, video or hyperlink from a trusted source (ie: someone emailing a funny image to a group of friends). I treat every email attachment that I receive on my home PC as a virus. I then lower the severity of it based on file type.
- Firefox + Adblock = golden.
Is it perfect? Nope but paranoid surfing habits as in don't click on "OMG YOUR PC IS SLOW SPEED IT UP" flashing crap helps, or when you get to a pr0n site and it offers you a plugin.exe it might also be a bad idea to execute it.
Re:56% increase in trust in AntiVirus (Score:2)
Re:56% increase in trust in AntiVirus (Score:2)
But DO remember to manually AV-scan anything you save to disk (from an attachment or a d
Re:56% increase in trust in AntiVirus (Score:2)
Resident AV isn't necessarily a magic bullet, tho. Frex, twice I've seen McAfee (Corporate version no less) ALLOW the SubSeven trojan to install, THEN complain about it.
Re:56% increase in trust in AntiVirus (Score:2)
Re:56% increase in trust in AntiVirus (Score:3, Insightful)
Seems to me he's following the same procedures any sensible person would _regardless_ of the OS - run as a limited user, avoid buggy software and don't execute code from questionable sources.
Re:56% increase in trust in AntiVirus (Score:1)
Re:56% increase in trust in AntiVirus (Score:5, Interesting)
ian
The goggles do nothing. (Score:5, Funny)
Re:The goggles do nothing. (Score:3, Insightful)
Re:The goggles do nothing. (Score:3, Funny)
Re:The goggles do nothing. (Score:2)
The background doesn't help much either. However some of the links were informative; I was unaware of the cell-phone worms (or is that a trojan?).
Re:The goggles do nothing. (Score:2)
Did the inner voice in anyone else's head switch to Captain Kirk when they read that sentence?
Re:The goggles do nothing. (Score:3, Informative)
Re:The goggles do nothing. (Score:2)
Great tip, thanks!
Re:The point I notice .... (Score:2)
Infecting P2P networks is the next logical step si
Key summary points and conclusion (Score:5, Insightful)
--------------
Malware authors update their multi-vendor anti virus signatures faster than most end users and enterprises do altogether
The high pressure put on malware authors by the experienced vendors is causing them to unite efforts and assets, and realize that it's hard to compete on their own. Yet this doesn't stop them from waging a war in between
Intellectual property theft worms have the potential to dominate in today's knowledge-driven society acting as tools for espionage
Don't matter what you always wanted to do to ecriminals, in case of a cryptoviral extortion, you'll be the one having to initiate the contact
The growing Internet population, E-commerce flow, and the demand for illegal/unethical services, would fuel the development of an Ecosystem, for anything, but legal
The "Web as a platform" is a powerful medium for malware attackers understanding the new Web
The unprecedented growth of E-commerce would always remain the main incentive for illegal activities
7.0 Conclusion
--------------
I hope that the points I have raised in this research, would prove valuable to both end users, businesses and anti-virus vendors. The Internet as a growing force shaping our ways of thinking and living is as useful, as easy to exploit as well. The clear growth in E-commerce, today's open-source nature of malware, the growing penetration of the Internet in respect to insecure connected PCs, are among the main driving factors of the scene. Do your homework and stay ahead of the threats, most of all, less branding when making security decisions, but high preferences! Please, feel free to direct your opinions, remarks, or any feedback to me, at dancho.danchev AT hush.com or at ddanchev.blogspot.com where you can directly comment on my publication. Nothing is impossible, the impossible just takes a little while!
Biometrics & RFID (Score:3, Insightful)
I still say purveyors and criminal users of malware should be subject to life prison sentences if not death.
No! (Score:3, Interesting)
Re:No! (Score:2)
Occurs to me that not only could biometric logins be captured by a program similar to a keystroke
Re:Key summary points and conclusion (Score:2)
Daemon Tools (Score:1, Offtopic)
Re:Daemon Tools (Score:3, Interesting)
Re:Daemon Tools (Score:2)
Not that I'm defending the inclusion of (mal|spy|shit)ware with genuinely useful software (I also use a slightly out of date version of Daemon Tools) but you have absolutely no right to say what the author can and can't include in his software package.
The fact that you can choose not to install the crud is a blessing (saves you ripping it out with Spybot afterward). Does an extra setup scre
Re:Daemon Tools (Score:3, Interesting)
So (for example) did nobody have any right to say that Sony should not include a rootkit in the software on their CDs? Does nobody have the right to say that Microsoft Windows should be better quality? If some software destroyed your hard disk, would you just say "it's a blessing that I could have chosen not to install it"?
Re:Daemon Tools (Score:3, Insightful)
You're comparing apples to oranges here. The difference with Daemon Tools is that it gives you an option to not install additional software and when you tell it no thanks that is the end of it. In the case of Sony's rootkit however there was no option to not install this extra software. The problem most people have with this is not that the software was there in the first place, but that the installer used vague wordin
Re:Daemon Tools (Score:3, Insightful)
Re:Daemon Tools (Score:2)
I believe that the microsoft EULA [microsoft.com] essentially states the same thing:
Re:Daemon Tools (Score:2, Interesting)
You are correct that I have no right to say what the author can and cannot do. I can simply choose not to use the software anymore, which I have done. And in this case, since it for corporate use, I can vote with my wallet as well.
Re:Daemon Tools (Score:3, Funny)
I don't think he decided it as much as he *realised* it.
Botnets and Zombie hosts (Score:2, Insightful)
Would it be possible, if for instance, an ISP sees a shit load of traffic from a customer's address directed at another address to start blocking that traffic? Or at the very least notifying the customer that there may something wrong. I bet just about everyone whose
Re:Botnets and Zombie hosts (Score:3, Informative)
Re:Botnets and Zombie hosts (Score:2)
Re:Botnets and Zombie hosts (Score:2)
Re:Botnets and Zombie hosts (Score:3, Interesting)
Which sounds pretty strict, except that we'll clean their computers for free.
Re:Botnets and Zombie hosts (Score:3, Insightful)
Notification is fine, but I would be very pissed if my ISP decided on their own to block traffic from my address based on an incorrect assumption that the traffic from my address was from an exploited host. My ISP actually did notify me once about their concern for traffic volume from my address and after I explained the situ
Re:Botnets and Zombie hosts (Score:2)
Yeah, a lot of traffic, but it's not ICMP or SMTP, which are easy to tell from "more normal" traffic.
It has been suggested here before; why don't consumer packages from ISPs come with port 25 (and/or other "well known" server ports) blocked by default, and an easy way (one phone call, or a secure self-serv web interface) for someone who knows they want the port enabled to make it so?
Most consumer packages don't allow servers, anyway, and sta
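The thread above argues that sheer traffic volume is a poor signal for spotting a compromised customer box (a big download is "a lot of traffic" too), that protocol-specific patterns such as SMTP fan-out or ICMP floods are easy to tell apart, that the ISP should notify rather than silently block, and that customers who asked for port 25 to be opened must be exempt. The following Python is an added example of that heuristic, not code from the article or from any ISP; the flow-record format, the thresholds, the opt-in list and the sample flows are all constructed for illustration.

```python
"""Heuristic ISP-side zombie detection over outbound flow records.

Constructed example: flow lines look like "timestamp src dst proto dport bytes".
Volume alone is not scored; only distinct SMTP peers and ICMP packet counts are,
and a customer who opted in to run a mail server is never flagged for SMTP.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SMTP_PEER_THRESHOLD = 20      # distinct SMTP destinations per window before we care
ICMP_PACKET_THRESHOLD = 500   # ICMP packets per window before we care

# Customers who asked (phone call / self-service portal) to have port 25 open.
OPTED_IN_PORT25 = {"10.0.1.7"}   # constructed address


@dataclass
class SourceStats:
    smtp_peers: set = field(default_factory=set)
    icmp_packets: int = 0
    bytes_out: int = 0


def parse_flow(line):
    """Parse 'timestamp src dst proto dport bytes'; return None on malformed input."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, nbytes = parts
    try:
        return int(ts), src, dst, proto.lower(), int(dport), int(nbytes)
    except ValueError:
        return None


def aggregate(lines):
    """Per-source counters; malformed lines are skipped rather than crashing the feed."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        _, src, dst, proto, dport, nbytes = rec
        s = stats[src]
        s.bytes_out += nbytes
        if proto == "tcp" and dport == 25:
            s.smtp_peers.add(dst)
        elif proto == "icmp":
            s.icmp_packets += 1
    return stats


def classify(stats):
    """Return {src: [reasons]} for sources that deserve a customer notification."""
    findings = {}
    for src, s in stats.items():
        reasons = []
        if len(s.smtp_peers) >= SMTP_PEER_THRESHOLD and src not in OPTED_IN_PORT25:
            reasons.append(f"{len(s.smtp_peers)} distinct SMTP peers on a consumer line")
        if s.icmp_packets >= ICMP_PACKET_THRESHOLD:
            reasons.append(f"{s.icmp_packets} ICMP packets in window")
        if reasons:
            findings[src] = reasons
    return findings


def detect(lines):
    return classify(aggregate(lines))


def build_sample_flows():
    """Constructed flows (not real data) for four customers on one access router."""
    lines = []
    for i in range(40):   # 10.0.1.5: spambot pattern, SMTP to 40 different hosts
        lines.append(f"1136900000 10.0.1.5 203.0.113.{i + 1} tcp 25 1200")
    for i in range(40):   # 10.0.1.7: opted-in mail server, same fan-out, exempt
        lines.append(f"1136900000 10.0.1.7 198.51.100.{i + 1} tcp 25 1300")
    # 10.0.1.9: one very large HTTPS download; high volume, but nothing to flag
    lines.append("1136900000 10.0.1.9 198.51.100.200 tcp 443 4000000000")
    for _ in range(600):  # 10.0.1.12: ICMP flood toward a single victim
        lines.append("1136900000 10.0.1.12 203.0.113.77 icmp 0 64")
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    for src, reasons in detect(build_sample_flows()).items():
        print(f"notify {src}: " + "; ".join(reasons))
```

Running it reports only 10.0.1.5 (SMTP fan-out) and 10.0.1.12 (ICMP flood); the opted-in mail server and the large download are left alone, which is the behaviour the commenter worried about when warning against blocking on volume alone.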
Benefits of malware... (Score:1, Funny)
In the UK, flights being delayed by only 10 minutes is a cause for celebration. By this metric, French Air Traffic Control on a public-holiday-strike is more damaging to world commerce than a piddly little computer worm!
Re:Benefits of malware... (Score:2, Insightful)
Wasn't it just the other day that the tube union went on strike yet again because their working day of 35 hours was too long.
Re:Benefits of malware... (Score:1)
Pussies! Working more than 24 hours a day hasn't killed anyone!
How do we stop it? (Score:2, Funny)
Re:How do we stop it? (Score:1, Funny)
His head, or someone else's?
Re:How do we stop it? (Score:2)
Exclamation Replication! (Score:5, Funny)
Now after reading it, I have become so depressed that I have decided not to connect my computer to the internet ever again!!!
Re: Exclamation Replication! (Score:2)
It's probably malware for your web browser, encoded in base 1.
Re:Exclamation Replication! (Score:2, Funny)
"Multiple exclamation marks are the sign of a diseased mind."
--Terry Pratchett
Extremely thorough, except... (Score:2, Insightful)
Re:Extremely thorough, except... (Score:2)
On the whole, no. If you have a buffer overflow or something then yes, you will get malware coming in. But most problems are caused by computers stupidly executing data they get, due to stupid design, the most common form of which is deciding to allow remote plugins (activex, I'm looking at yo
Future trends of software dictate it (Score:2)
Conclusion: more of the same but general software reacts to malware much more slowly than the counter reaction.
Is this a college paper? (Score:4, Insightful)
Comment removed (Score:5, Insightful)
Re:One word: Legitimization. (Score:4, Insightful)
Why is it that Apple can figure out what regular people want and HP & Packard Bell saddle people with crap?
Re:One word: Legitimization. (Score:3, Insightful)
And this is one of the big reasons why Apple machines tend to cost a bit more. Bear in mind that HP and Dell and whoever else get paid to include the trialware and crippled versions of apps on their machines. They then turn around and pass the savings on to you, the consumer! They call it "adding value" to the machine. I call it loading it up with useless crap.
Re:One word: Legitimization. (Score:2)
Re:One word: Legitimization. (Score:2)
Re:One word: Legitimization. (Score:2)
I do not find this to be the case.
There's a huge warez market for PCs. There's not much of a warez market for Macs.
OS X shareware is widespread; there's a huge amount of it out there.
Re:One word: Legitimization. (Score:2)
Did you miss the big announcements, yesterday? Apple has already released the first Intel iMacs and laptops. So you can now pay 2x as much for a computer the same speed as a PC.
Re:One word: Legitimization. (Score:2)
Now, over yonder I've got an equivalent PC (P3-500 -- it has more Toys, but their performance is almost identical) that's about a year older... and it cost me around $500.
And over on the workbench I've got a Compaq dual Xeon 750 of similar vi
Comment removed (Score:5, Insightful)
Re:One word: Legitimization. (Score:2)
As long as there are geeks, and they get angry, there will be free software and operating systems, which you can't inject copy spy^H^H^Hprotection onto, but can use to play music. Geeks may not buy the CDs if they require said software to play. But they s
P2P worms? (Score:5, Insightful)
From the article:
modular - new features are easily added to further improve its impact, want it to have P2P propagation capability, add it, want it to disseminate over IM, done.
Okay, malware can be modular - makes sense.
The lack of P2P worms is, I think, a logical consequence of the RIAA's busts around the U.S, and the global response towards P2P networks copyright infringement.
How did the author manage to come to that "logical" conclusion? How is the presence (or !presence) of malware related to the "global response... copyright infringement"?
Given today's P2P concepts, and the disruptive BitTorrent technology, it is no longer required to purposely slow down transfers to hide the activity on a user's host.
And where the heck is he going with this??
Submitter, if this is your idea of "well written", I respectfully suggest you broaden your literary scope.
What if we sandbox major apps like browsers? (Score:5, Insightful)
It wouldn't solve everything, but it would help limit further the damage malware could do. It could access (and corrupt) the data for the particular application it suborned, but without exploiting secondary holes it couldn't do more. This would prevent, say, a hole in Firefox from allowing malware to get at your Gnucash data. It also doesn't require much if any new permission-checking code; the kernel already does file-access checks anyway.
Re:What if we sandbox major apps like browsers? (Score:2)
number_of_users * number_of_apps accounts. Doesn't seem like a nice, simple, elegant solution. Perhaps we need something like subusers - which would be a user within a user.
Re:What if we sandbox major apps like browsers? (Score:2)
But it could be managed behind the scene, by scripts and such. The real human users wouldn't need to see the 'virtual' users. And it requires zero changes to the existing Unix security model. Admittedly, at large installations with a lot of users, you might get close to the limits of a 16-bit uid_t, but even if you had, say, 2,000 users
Re:What if we sandbox major apps like browsers? (Score:3, Insightful)
Yeah. One flaw: You're assuming that the host operating system has support for UNIX-style user account restrictions. Windows could do something similar if they were to add an "Always Run As..." option, and users were smart enough to set it up, but it would be a hack at best. My guess is that as soon as support for this approach is implemented, even if the security part itself were *bug-free*, it would be a week at most before someone found an exploit to allow them to march out of the sandbox and into th
Re:What if we sandbox major apps like browsers? (Score:3, Interesting)
Actually I think what people are doing today, is practically building another guest house out back for the foreman and the rest of his work crew to live in while they're patching up your house. Remember the discussion a few months ago here on Slashdot about why the average joe needed a dual-core or multiprocessor Windows box? It was so one processor could run his actual application, and the other one could run all the anti-virus/spyware/adware/intrusion programs.
The situation
Re:What if we sandbox major apps like browsers? (Score:3, Insightful)
Furthermore it doesn't do what you want: Exploiting "user1Firefox:user1Firefoxgroup" is good enough to send spam and DoS attacks.
Check "Capabilities"-based systems that do what you really want. They've been around for a while.
(B) Users want
Re:What if we sandbox major apps like browsers? (Score:2)
To a "downloads" directory like "/home//Firefox/Downloads". The user can retrieve the file from there easily; as noted, they have the permission to do so.
Furthermore it doesn't do what you want: Exploiting "user1Firefox:user1Firefoxgroup" is good enough to send spam and DoS attacks.
I never said it did - in fact I said the opposite, "It wouldn't solve everything". Linux separates normal user activity from adminis
Re:What if we sandbox major apps like browsers? (Score:2)
Right idea, but may need SELinux to do right (Score:2)
The right answer for security purposes is to run the renderer component of a browser in a kind of jail, with each page (or at least each site) rendered in its own jail. An instance of the renderer should be launched with a connection to a window, a c
Re:Right idea, but may need SELinux to do right (Score:2)
Maybe it wouldn't solve all the problems, but just making things a bit harder has a dramatic effect on the prevalence of malware. Apache is far from vulnerabi
Re:Right idea, but may need SELinux to do right (Score:2)
Not any more. Read the original article. Malware now has enough of a profitable ecosystem that people are being paid for writing it. It's not just some kid in their parent's basement any more. Malware is far more complex than it was even two years ago. Just plugging holes one at a time isn't working any more. Patch-based security and signature-based detection are routine
Re:Right idea, but may need SELinux to do right (Score:2)
Yes, I acknowledge that. But defense-in-depth is the way to deal with that. My personal web server takes that to an extreme, and is virtually unhackable. It's running an undisclosed version of a relatively obscure httpd in a chroot jail on a relatively obscure OS on a relatively obscure processor a
Re: (Score:2)
Re:Right idea, but may need SELinux to do right (Score:2)
That's really clever. It's a reflexive statement on itself, isn't it?
But if it makes you happy, how about: "Apache has had more vulnerabilities than IIS 6 and yet, despite its popularity, it hasn't been subjected to any major worms the way IIS 5 has."
Re:What if we sandbox major apps like browsers? (Score:2)
It's not "better than" SSH. For certain uses it offers better security; for other uses Ostiary is totally inadequate and SSH is a better choice. See this [homeunix.org] and the first paragraph of the Introduction [homeunix.org].
Seems kind of pointless... (Score:4, Insightful)
Malicious software can make money now, that which makes money attracts sellers.
It's that simple, whereas in the past malware was mostly out of a quest for fame or perceived revenge, the malware of today is business malware, the nasty programs of old all dressed up in suit and tie and making someone filthy rich.
This problem is exacerbated by the fact that nearly everyone runs Windows XP these days and Microsoft wasn't very attentive to security when they designed it. The sheer number of critical vulnerabilities that the operating system has is mind boggling. Recently, it was stated by some firm or another that Linux had released more patches than any other OS this year. Now, aside from the obvious problem with that statement (the patches weren't patches for Linux itself but for software in common Linux distributions, which is vastly greater in number than that of a Windows installation) if you look at the things patched, they aren't terribly dangerous. They are things like "potentially vulnerable to DNS attack" or "Local user can gain partial root privileges" and such, they are not like "Someone on the other side of a planet can send you a magic packet that makes your computer their bitch permanently," which is what the vast majority of Windows vulnerabilities allow.
In short, malware has grown because malware is like any pathogen, it lies in wait until conditions are optimal for its growth and when they are it takes over quite rapidly. Remove one of its primary growth factors, and you'll slow it down. Remove more, and you'll potentially kill it.
Comment removed (Score:4, Funny)
simple solution (Score:4, Insightful)
Re:simple solution (Score:2)
Malware is becoming dangerous (Score:4, Insightful)
Malware is also becoming intelligently designed, no longer the 'see-this-famous-tennis-star-naked so-I-can-use-built-in-vbs-code to-email-everyone-in-your-addressbook' stupid-is-as-stupid-does tricks. They're pointed, direct, and very very scary.
Here's to paying and treating your geek employee well!
Re:Malware is becoming dangerous (Score:5, Funny)
Are you sure it's not evolving?
Ba-duh-chick!
WTF does this mean? (Score:4, Insightful)
Could the person who called this article "well-written" be so kind as to tell me what this means? The article is filled with crap like this; I'd give it a C-, at best, as a freshman paper.
Categories by goal (Score:5, Interesting)
Note that some of these goals target individuals and their PCs whereas others target larger organizations. One key commonality of nearly all of the goals is that they target large numbers of PCs or require large numbers of infected machines to achieve the goal. Thus immunological approaches that look for the spread of unusual code or data packet patterns can help address this problem. On the other hand, immunological approaches won't work if the malware attack targets a single individual or company -- e.g. implanting a unique virus in one computer in a company for purposes of espionage or extortion.
Note that half of the goals are very different from the stereotypical destructive virus or worm of yesteryear. With the exception of vandalism, extortion, vigilantism, and military, the other goals are essentially non-destructive. The malware creator's goals are not achieved if the malware crashes the target machine.
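The comment's "immunological" idea, that mass-targeting malware betrays itself by the same unusual code turning up on many machines at once, and its stated limitation, that a unique implant on one box never shows up this way, can both be seen in a small prevalence detector. The Python below is an added example and not code from the article or the commenter; the telemetry line format, the baseline hashes, the thresholds and the sample events are all constructed for illustration.

```python
"""Prevalence-based ('immunological') detection over constructed endpoint telemetry.

Each line is "timestamp host sha256 path" (a constructed format). A hash that is
not in the known-good baseline and first appears on MIN_HOSTS distinct hosts
within WINDOW_SECONDS is reported as spreading. A hash on a single host, however
odd, never crosses the threshold: that is the targeted-implant blind spot.
"""
from collections import defaultdict

KNOWN_GOOD = {"aaaa" * 16, "bbbb" * 16}   # constructed baseline digests
MIN_HOSTS = 5                              # distinct hosts before a new hash matters
WINDOW_SECONDS = 3600                      # first sightings must fall within one hour


def parse_event(line):
    """'timestamp host sha256 path' -> (ts, host, sha256, path), or None if malformed."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    ts, host, digest, path = parts
    if len(digest) != 64 or not ts.isdigit():
        return None
    return int(ts), host, digest.lower(), path


def first_seen_per_host(lines):
    """{sha256: {host: earliest timestamp}}; repeats on the same host do not add weight."""
    seen = defaultdict(dict)
    for line in lines:
        rec = parse_event(line)
        if rec is None:
            continue
        ts, host, digest, _ = rec
        if host not in seen[digest] or ts < seen[digest][host]:
            seen[digest][host] = ts
    return seen


def spreading_hashes(lines, min_hosts=MIN_HOSTS, window=WINDOW_SECONDS):
    """Return {sha256: hosts_in_densest_window} for non-baseline hashes that spread fast."""
    hits = {}
    for digest, hosts in first_seen_per_host(lines).items():
        if digest in KNOWN_GOOD:
            continue
        times = sorted(hosts.values())
        best, lo = 0, 0
        for hi in range(len(times)):          # sliding window over first-seen times
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_hosts:
            hits[digest] = best
    return hits


def build_sample_events():
    """Constructed telemetry for 20 workstations ws00..ws19 (not real data)."""
    base = 1136900000
    baseline, worm = "aaaa" * 16, "cccc" * 16
    implant, slow_update = "dddd" * 16, "eeee" * 16
    lines = []
    for i in range(20):   # a baseline binary on every host: ignored outright
        lines.append(f"{base + i} ws{i:02d} {baseline} C:\\Windows\\explorer.exe")
    for i in range(12):   # a worm dropper lands on 12 hosts over 40 minutes
        lines.append(f"{base + 200 * i} ws{i:02d} {worm} C:\\Windows\\Temp\\dropper.exe")
    for i in range(3):    # the same hosts report it again later: no double counting
        lines.append(f"{base + 90000} ws{i:02d} {worm} C:\\Windows\\Temp\\dropper.exe")
    # a unique implant on exactly one host: invisible to this detector
    lines.append(f"{base + 500} ws19 {implant} C:\\Users\\Public\\update.exe")
    for i in range(6):    # a vendor update rolled out slowly, four hours apart
        lines.append(f"{base + 14400 * i} ws{i:02d} {slow_update} C:\\Program Files\\Vendor\\app.exe")
    lines.append("malformed telemetry line")
    return lines


if __name__ == "__main__":
    for digest, n in spreading_hashes(build_sample_events()).items():
        print(f"spreading: {digest[:12]}... on {n} hosts within {WINDOW_SECONDS}s")
```

Only the worm hash is reported (12 hosts in one window). The single-host implant and the slowly rolled-out update stay silent, which is exactly the trade-off the comment describes: this kind of detector buys coverage against mass infections at the price of saying nothing about a one-off espionage or extortion implant.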
You forgot No 9 (Score:2)
Malware can be categorized by the goal of the creator.
You forgot the most obvious goal
9. Because they can
Wrong approach altogether (Score:2, Insightful)
With a multiuser system that actually enforces permissions, it's your fault if you click on that attachment. And the only thing that happens is you lose your home dir. I agree tha
Re:Wrong approach altogether (Score:2)
Agreed. And to mitigate that, the system could have a script running (as a different user) that backs up your home directory to another partition every so often, where the original user does not have any write permissions.
And if you have files that you wish no one else to see, then chmoding them 600 is not sufficient. They should be encrypted
flawed for the company? or flawed for the user? (Score:2)
It seems to me that a signature-based antivirus system (that needs to be updated continuously via subscription) is a more steady and lucrative form of business model than a final solution to all computer security.
It's not just a technical problem (Score:3, Interesting)
I don't pretend to know the answers, but waving a copy of Norton Internet Security at the bad boys isn't it, for sure. Perhaps there is an element of deliberate wimping out going on here. The IT industry doesn't want to admit it cannot solve things alone, because it doesn't want politicians and regulators muscling in. And politicians like to pretend that malware is purely an IT problem because they don't want the headache of involvement in sorting out the mess.
As one result, perhaps, domains ending in letters like
Dont know .. but ... (Score:2)
I'll tell you what, there's a site I hit, that the second I got there, the computer seemed to lock up (the VMWare session went to 99%) for about 20 seconds. Then it came back to reality, the browser closed, the MS Picture viewer rendered a file called 892f98lkf43.WMF and then it closed. All of a sudden, I had about 10 toolbars, SpySheriff, my desktop changed to a "YOUR COMPUTER IS INFECTED W
Yawn. (Score:3, Insightful)
What would be interesting would be malware written in popular high level scripting or bytecode languages - e.g. perl, python, lisp. These do and will run on windows - with broadband becoming widespread it doesn't take long to download and run the relevant packed perl/python/lisp executable, and such executables do have legitimate uses anyway.
You can very easily write games/utils in such languages to help them spread as trojans.
It'll be interesting to see how the AV people will cope with these.
An attacker should be able to rapidly generate multiple versions of the malware faster than the AV people can generate signatures.
The malware can search for updates and download them with the help of search engines like google (google groups) and various blog/discussion sites. They might even be able to communicate with each other via spam email.
I'm not even sure if the code signing stuff will help.
After all the initial code could be innocuous with perhaps one or two really terrible "bugs". But subsequent code could be totally different. Because with such languages once the first bit is in, fetching and executing new code isn't as hard as downloading a new executable binary (which may require passing checks by the O/S and AV software), it's just downloading/finding the correctly identified/tagged string and running the equivalent of "eval" on it. Heck, one could just blindly run a string and catch the resulting exceptions if it's not proper code.
I'm not a malware author, but I think most malware is rather primitive (esp those on windows[1]). I'm wondering how advanced the malware detection and prevention stuff really is.
[1] I guess they don't need to be very sophisticated when the users actually do stuff like help enter the right passwords to unzip the malware and then voluntarily run the payload! Even better those users usually run as admin.
Interesting, But Well-Written? (Score:2)
lack of security intentional? (Score:2, Interesting)
A lot of users have asked me over the years if Microsoft is paid by antivirus companies not to fix vulnerabilities. This is apparently an easy leap of logic for the most untechnical folks. We know that pharmaceutical marketers are using
Re:Tosh! With Bonus Exclamation Points! (Score:2)
I'm not sure what's wrong with his statement about the public key, though. If the malware encrypts your data using the malware-author's public key, it can only be decrypted using the author's private key, which -- one assumes -- he keeps private until you've coughed up the dough. If it was encrypted using his pr