Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Security The Internet

Shape-Shifting Malware Hits the Web 179

Stony Stevenson writes to tell us that in a recent interview, Marc Henauer has revealed that security researchers are falling behind now that malware is starting to be able to change its signature every few hours. "Unfortunately the know-how and construction kits used to create this shape-shifting threat are now readily available and are unleashing a wave of malware based on social engineering techniques. [...] Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc."
This discussion has been archived. No new comments can be posted.

Shape-Shifting Malware Hits the Web

Comments Filter:
  • by $RANDOMLUSER ( 804576 ) on Friday May 16, 2008 @03:52PM (#23438950)
    Maybe now we'll stop pretending that glorified versions of grep can keep us safe.
    • That way they can keep selling you "updated" "signature files" every hour / day / week / month / year.

      The correct way to handle this is to set up your system so that the user cannot ACCIDENTALLY execute any external code.

      There's no way to solve the issue of some idiot clicking on everything and putting in the root password whenever asked. So don't bother bringing that case up.

      For everyone else, lock the OS files so that it cannot be infected and set the user writable portion to not execute any code. There, the majority of that problem is solved.

      Then, ship the default installation without any open ports and you've pretty much solved the worm issue.

      But that approach means that the anti-virus companies cannot keep selling you new signature files. So don't expect any of them to support it.
      • by nbert ( 785663 ) on Friday May 16, 2008 @04:24PM (#23439392) Homepage Journal

        The correct way to handle this is to set up your system so that the user cannot ACCIDENTALLY execute any external code.
        Would be rather trivial to implement in XP or Vista (and I'd love it, because it would reduce the number of calls off duty. On the other hand every employee would hate it and they might call me even more because they can't download "useful" stuff). But in the end this is not the most common source of malware/virii anymore. Cross-site-scripting accompanied by security holes in common plugins causes way more compromised systems. Bugs in Flash or quicktime in earlier versions make it extremely easy to infect a system without the user noticing. When I look at the stats of my website I could infect 50 visitors by week without much effort, because they run old versions of Flash (I'm not talking about the website I list in my profile). The so called "Russian Business Network" offered $ 0.10 per infected user last year. Might be just 5 bucks per week for my small site, but in the end I must say that it has never been easier and more profitable to infect IT systems (and no, I didn't take the money).
      • by Joe The Dragon ( 967727 ) on Friday May 16, 2008 @04:29PM (#23439448)
        The correct way to handle this is to set up your system so that the user cannot ACCIDENTALLY execute any external code.
        and you do that by asking cancel or allow for each app.
        • Re: (Score:2, Insightful)

          by Missing_dc ( 1074809 )
          Ok, so we set a cancel/allow feature for every app. that may work for skilled or intelligent users, and most slashdotters would be OK.

          The REST of the users out there are not as program/os/security savvy and would tell their PC to allow the app so they can watch that adult video or so they can have that pretty screensaver. They become so trained to just click allow that it defeats the purpose. As a sysadmin and a former helpdesker, I can tell you that the majority of computer users are a bunch of crack-tar
          • by zoips ( 576749 )
            You should probably have that ego checked out; it might lead to your head spontaneously exploding if left unchecked.
      • You can do this quite easily on Windows.

        Start->Run... "gpedit.msc" -> Windows Settings -> Security Settings -> Software Restriction Policies. If there is nothing in there create a new policy, then under Addition Rules create a path rule for your data and download folders. It then becomes impossible to execute anything in these directories.

        Locking the OS files and registry is as simple as running as a normal user account instead of admin.
    • Or am I the only one old enough to remember that brief time when DAME was considered the unholy terror?
      • Re: (Score:3, Informative)

        by idontgno ( 624372 )

        Ah, Dark Avenger Mutation Engine. Sheesh. That brings back memories of frisk and Vesselin Bontchev holding forth on VIRUS-L. The good ol' days.

        Dang. It's been at least 1 1/2 decades that experts have been warning that signature-based malware detection isn't gonna cut it. Heck, Fred Cohen warned us in 1987. [wikipedia.org] So what do we get? Nothin' but signature-based antivirus. Sucks bad to be us. Great time to be an antivirus vendor though.

    • by ka9dgx ( 72702 ) on Friday May 16, 2008 @04:10PM (#23439230) Homepage Journal
      Amen!
      Imagine having two broken hands. You would have no way to directly take the money from your wallet and manage it yourself, you'd be forced somehow give your entire wallet to someone each time you wanted to pay. It would be almost impossible to prevent them from slipping an extra $20 unless you happened to see it. You're forced to trust someone completely.
      For the foreseeable future, we're all dealing with two broken hands. There's no way to pick which parts of our set of capabilities we want to hand to a program. We have no way of stopping it from taking our personal data and sending it away, holding it hostage, or subtly sabotaging it.
      I want my metaphorical fingers back.
      --Mike--
  • I love it. (Score:5, Funny)

    by Anonymous Coward on Friday May 16, 2008 @03:54PM (#23438988)
    The slashdot synopsis is longer than the article.
  • by corsec67 ( 627446 ) on Friday May 16, 2008 @03:57PM (#23439034) Homepage Journal
    Enumerating the bad is usually a bad idea, since it is to easy to change what is "bad". We enumerate the good with firewalls, why should software security be any different? Distro repository + corperate repository should cover all software necessary, right?

    Will we now see true evolution of software viruses?

    This is pretty much #1 and #2 in this list of The Six Dumbest Ideas in Computer Security [ranum.com].
    • Re: (Score:2, Interesting)

      No we won't see "true evolution" of software viruses, because for that to happen, you'd need a software analog of long chain acids that form into spirals. I.e. chaotic, yet structured data which just happens to be executable.

      If you mean evolution at a more localised level, then how local do you mean? The same payload with different signatures? Yes, you'll see that: RTFA.

      It's impossible, however, for either the payload or the delivery method to change independently of the original creator's specification. Ei
  • by yuna49 ( 905461 ) on Friday May 16, 2008 @03:57PM (#23439036)
    Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc.

    What exactly is a "non rules-based monitoring process?" I thought I had some clue about security procedures, but I'm be hard pressed to describe what such a process might be. Even more importantly, what would it cost to implement? TFA is no help here, consisting of the usual hand-waving about the never-ending arms race between malware writers and the rest of us.

    We all know what the most effective solution to this problem would be. Funny how it's never mentioned in any of these articles.
    • Actually, it is "rules". But, it is not "patterns".

      Specifically, http outbound access should be allowed for firefox. The firefox binary is /usr/bin/firefox, and has an md5 signature of 64b6c465f9919e1fa860707fb762cff2. If the signature changes (without having updated the program), a security alert is raised. And that name/hash combination is allowed outbound port 80 access.

      Basically, security should be SElinux and Tripwire. Those two tools (or equivalents on alternate Operating Environments) cover most of the threats.

      Malware cannot then hide as an existing program. New programs should have strict security profiles that prevent "excess" (network, disk, cpu, memory) usage.

      It would be possible to create malware, but it would be worthless, in the sense that the resources that could be misappropriated would be minimal (note that Unix and Unix-like systems have had ulimit for ages -- SElinux expands on the idea). A particular malware COULD attempt escalate to root, but SElinux would prevent the attempt to escalate the "usual" way. Specifically, firefox has NO REASON to gain root, and this can be prevented.

      What would the worst malware look like in this senario? A javascript in firefox because it can do almost unlimited port 80 access. Email can be limited to qmail or sendmail (and even further limited by the expected amount).

      Unix-like systems (with the exception of MAC OS X, which frightens me a bit) are heading here. Intrusion alert systems coupled with execution limiting, role based security systems (apparmor and selinex).

      "AppArmor is an application security tool designed to provide an easy-to-use security framework for your applications. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies, called "profiles", completely define what system resources individual applications can access, and with what privileges. A number of default profiles are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor profiles for even very complex applications can be deployed successfully in a matter of hours."

      Of course there is no need for malware detection with this model. Tripwire already does a better job than any "anti-malware" program could, because it snapshots the OK state of all files. *anything* that differs is then suspect. AppArmor/SElinux provides for the expected BEHAVIOR of all programs. If they differ, they are suspect.

      As you have probably noted, this protection does not accomodate "rootkits". However, a rootkit cannot be "defended" against, or even detected when running under it (at least if it is a reasonably well done rootkit). But this simple approach will eliminate all, or almost all, malware seen in the wild. With no need for anti-malware updates, or subscriptions, etc.
      • Unix-like systems (with the exception of MAC OS X, which frightens me a bit) are heading here. Intrusion alert systems coupled with execution limiting, role based security systems (apparmor and selinex).

        Apple realizes that OS X has, as a significant share of its market, this thing called "normal people." "Normal people," in case you've never encountered one before, have no clue how to use any of the stuff you just outlined above.

        The real issue at hand here is the following:

        1) The OS has to ask the user whet
      • by ka9dgx ( 72702 )
        Thanks for the pointer to AppArmor, it appears to be a very good step in the direction of least privilege execution of program. The "learn" mode makes it easier to configure things, which helps out the novice.

        Doing this on the Windows side of the world is, of course, impossible, because you can't patch the kernel there, and there's no equivalent of Linux Security Modules.

        I guess the closest we could get would be to run apps in Wine with an AppArmor profile for each one. 8)

    • by Anonymous Coward
      Thinking that using Unix is the solution to getting 0wned is like thinking that heterosexuality is the solution to getting AIDS. The only general solution is education.

      As the article states, this malware is all based on social engineering. If you can convince somebody to run a program because it will show them the latest celebrity sex tape, it doesn't matter what OS they're running. Right now it only works on Windows because the malware authors know that they can get 90% of the market by doing only 10% of t
      • by Nullav ( 1053766 )
        Keep in mind that a lot of Windows malware only works because everyone runs as root.
      • by X_Bones ( 93097 )
        Thinking that using Unix is the solution to getting 0wned is like thinking that heterosexuality is the solution to getting AIDS. The only general solution is education.

        I'm sorry, but this is Slashdot. I'll need an automobile analogy, please.
    • What exactly is a "non rules-based monitoring process?" I thought I had some clue about security procedures, but I'm be hard pressed to describe what such a process might be. Even more importantly, what would it cost to implement? TFA is no help here, consisting of the usual hand-waving about the never-ending arms race between malware writers and the rest of us.

      He's talking about computer immune systems. Here's a link to an IBM research paper from the top of the Google results for "virus immune system c
      • by yuna49 ( 905461 )
        Thanks to you and ratboy above for these excellent responses.

        However aren't you both really talking about a solution whose implementation, if if ever happens, is decades into the future? We have hundreds of millions of computers in the world running operating systems and applications that represent the current state of technology. Wouldn't these approaches literally require all those computers switch to entirely new operating systems and applications than are installed today?

        If so, I don't see this as a r
        • These things mostly exist in laboratories already. It's really just a question of distribution to the masses. And, I dare say, that companies like Norton and Symantec are already investing in these technologies. Before long, the copies of Norton 2010 or Symantec 2012 are going to include immune systems. If not 2010 or 2012, then some other date in the future. So, getting it to market and getting it to early adopters won't be that difficult. Getting it to the masses, however, will be a bit more complic
          • by yuna49 ( 905461 )
            I guess I'm still a bit confused. You're saying these technologies could be bolted on to existing platforms in the way anti-virus programs are now? Won't they have to be supported by operating system and applications programmers as well? Even if they're included in the next generation of software, it'll take many years before that generation of software replaces the infrastructure we have now.

            I'd also wonder what the user interface would look like. Popups that say "application X has tried to use port Z
            • Good questions. I would imagine that an immune system would be built as an application service layer. In of itself, that doesn't pose too many challenges, and is fairly straight forward. Getting the operating system support and application programming support can be provided by the developers who program the immune system in the first place, by conforming to the standards that vendors provide. If you wanted the immune system to be an application framework, which other applications could build on top of,
  • by erroneus ( 253617 ) on Friday May 16, 2008 @04:03PM (#23439122) Homepage
    Until the people who are putting this stuff out there are seriously and literally beaten either within inches of their lives or to death, this sort of thing will get worse and worse.

    These assholes call themselves "marketers." They have gotten away with it for so long, they often call a great portion of this "legitimate business." It's not enough to criminalize this stuff... especially when law enforcement generally has no idea how to prosecute or make a case against any of it.

    There should be a series of web sites built that creates a "hit list" of people responsible for this crap. That's where the end of this should begin.
    • Re: (Score:2, Insightful)

      by maxume ( 22995 )
      That's stupid.

      Look how well playing wack-a-mole has worked for drug enforcement. Rather, look how it hasn't worked at all.
      • Yeah, but still. Having had to clean up some catastrophic messes that have been created by malware I still fantasize about one day beating the pulp out of one of those bastards.
      • Is there a "whack-a-mole" game going on against drug makers and distributors? I'm talking about vigilante justice. There isn't any large-scale information availability on the identity and whereabouts of drug people. Do you know of any?
      • by Nullav ( 1053766 )
        Not like drug dealers aren't killing each other daily. When's the last time you heard about a spammer shootout over a bad deal? When hijacking machines and flooding disks around the world ceases to be easy money, I predict that a lot of these parasites will simply move on to something else. Yes, I am advocating the idea that we legalize spammer hit-lists. Opt-out, of course. =p
    • Re: (Score:2, Interesting)

      I thought you were talking about the antivirus authors until I read the replies. Then I read your post again, and I'm not sure any more.

      It doesn't matter though: I agree with both your possible assertions.
  • by zappepcs ( 820751 ) on Friday May 16, 2008 @04:04PM (#23439150) Journal
    All my posts about malware and virus software for some time have been doom and gloom. Seems moderators don't like that. This is nothing but the tip of the iceburg of what might be coming, and what is probably already in the wild, we just don't know it yet. I could probably think of a dozen scenarios where malware could already be hiding on your equipment, silently waiting to be signaled.

    It's possibly in your router's flash by now, or your motherboard's flash, or sitting on a CD or CE player's flash, or an MP3 player. It only has to wait till it needs to start spreading, and be dormant there too, then one day you notice missing files, or there is an outbreak of serious malware globally. Yes, tinfoil hat stuff, but it is possible, and as time ticks on it is becoming more probable.

    Nobody wants to believe it, but it is possible. If it is possible, it will only be a matter of time...
    • by ka9dgx ( 72702 )

      It's possibly in your router's flash by now
      Especially if you recently got fake routers from China. ;-)
  • by WindowlessView ( 703773 ) on Friday May 16, 2008 @04:05PM (#23439164)

    I thought shape-shifting malware was the official business attire of geeks everywhere.

  • by NullProg ( 70833 ) on Friday May 16, 2008 @04:18PM (#23439318) Homepage Journal
    1991
            Tequila is the first widespread polymorphic virus found in the wild. Polymorphic viruses make detection difficult for virus scanners by changing their appearance with each new infection.


    Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc."

    Its called heuristics and its been in use for a while.

    Enjoy,

    • by ka9dgx ( 72702 )
      Sorry, take your magic bullet home, and try again. Heuristics only catch the obvious, and not the subtle nor patient.
    • Re: (Score:3, Funny)

      by Kingrames ( 858416 )
      Admit it. If tequila is a virus, you don't want to be virus free.
  • a possible solution (Score:4, Interesting)

    by FudRucker ( 866063 ) on Friday May 16, 2008 @04:25PM (#23439402)
    If you take a snapshot of your harddrive/OperatingSystem, and as long as you don't do anything to change it (no writing to disk anywhere, no launching applications) then take another snapshot a few minutes later and another and another, soon this shape/shifting malware will reveal itself, get enough glimpses of it and a picture will emerge so you will know what to look for then know how to eradicate it from your computer, I doubt the kludge like mcaffee & norton are capable but somebody has to rise to the occasion to build something good enough to do this, it would be worth it to leave your PC alone while some anti-malware runs that can deal with this shape/shifting malware and catch it so it can be removed, or reveal a method & list of files so you can manually remove it...
    • by ka9dgx ( 72702 )
      Wouldn't it be simpler (but by no means easier) to allow the user to specify what side effects they are willing to allow a program to create before they run it?

      System updates would be allowed pretty much any side effect (but not the user folders).

      Web browsers could only connect to the net, and their local folder, but nothing else.

      etc, etc.

      • Re: (Score:3, Insightful)

        by FudRucker ( 866063 )
        thats exactly why I don't use ms-windows anymore, everything is just too open to attack, open Windows Explorer file manager and type in a URL - it does not launch IE, it is IE or morphs in to IE, open Internet Explorer and type in C: hit enter and you can use it as a file manager and change & delete files, if that is not asking for trouble I don't know what is, knowing this and how many users run their PCs 24/7/365 with admin privileges because managing a multi-user system with admin & users privile
        • by ka9dgx ( 72702 )
          Sounds like a prudent strategy to me, not perfect, but apparently good enough.
        • by yuna49 ( 905461 )
          open Windows Explorer file manager and type in a URL - it does not launch IE, it is IE or morphs in to IE, open Internet Explorer and type in C: hit enter and you can use it as a file manager and change & delete files

          Sounds a lot like Konqueror to me. Having the ability to treat local and remote files equivalently seems like a good thing to me. In fact, one of the features I like best about Konqueror is its ability to handle all sorts of URLs like smb:// and fish://. I don't use it routinely to brows
  • Shellcode polymorphism has been known for years. Here's a good article from Phrack [phrack.org] on it.
    Any AV vendor who isn't prepared for it by now has grossly failed their customers.
  • by Anarke_Incarnate ( 733529 ) on Friday May 16, 2008 @05:39PM (#23440386)
    Every few years the malware comes out newer, shinier and costs about $100-400 depending on if you get the Home Basic or Ultimate versions.
  • ...this is the first step towards a 'solution':

    SELinux
    Firefox
    ???
    Security for a while
    Profit!
    Repeat as necessary.

    Windows is so blown up, security is pointless.

    Better website design/security doesn't help. The nasties will create their own malware sites quicker than you can say 'globals off'. And detection in Windows is pretty much like your oil light on the car dash - 'you are hosed, just letting you know it's bad.'

    I'm thinking my wife's next machine is running Kubuntu. Mine at home too. All I need is a wa
  • But my Linux desktops and servers seem just fine. And I don't trust my WindowsXP laptop with important data. At some point, there needs to be personal responsibility. In the same way that I need to make sure that the brake pads on my vehicle are in good order, people need to make sure that their software, whatever they choose, is also in good order.
  • There are some very sane and easy ways to fight these things, and not a single entity (except perhaps tripwire which is out because of how hard it is to use/configure, and java which works pretty well in limited situations) even tries.

    We need per-app permissions. This doesn't have to be obvious, but when you install an app, the system needs to pop up a box before a single line of code is run giving options that the software is asking for.

    Net access, write to own directory, write to system directories, use
    • We need per-app permissions.

      Agreed. We (sort of) have them. Vista, OS X, and Linux are all shipping with Application level access control frameworks, by default, these days. The problem is getting it applied and getting a workable UI and workflow.

      This doesn't have to be obvious, but when you install an app, the system needs to pop up a box before a single line of code is run giving options that the software is asking for.

      I think this is too cumbersome and too complex for the average user. Rather, I think we need to go further. Apps should ship with an ACL that specifies what it should need. Anti-malware companies and organizations should verify these and provide white lists and checksums. That way pre-in

  • I never run it. I've only been hacked a few times, and knew it almost right away. It's the ones you don't see that worry me; but if you can't see them, what makes you think the AV companies can see them? Before the AV companies will write signatures for them, somebody has to notice them, and if "noticing them" is automated, then that implies that polymorphism is not a problem--but it's common knowledge that it IS a problem for AV vendors. Besides, you have to *pay* for AV, and it slows your machine down

"It's ten o'clock... Do you know where your AI programs are?" -- Peter Oakley

Working...