Shape-Shifting Malware Hits the Web

Stony Stevenson writes to tell us that in a recent interview, Marc Henauer has revealed that security researchers are falling behind now that malware is starting to be able to change its signature every few hours. "Unfortunately the know-how and construction kits used to create this shape-shifting threat are now readily available and are unleashing a wave of malware based on social engineering techniques. [...] Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc."

This is a GOOD thing

[$RANDOMLUSER]

Maybe now we'll stop pretending that glorified versions of grep can keep us safe.

It's just the anti-virus companies claiming that.

[khasim]

That way they can keep selling you "updated" "signature files" every hour / day / week / month / year.

The correct way to handle this is to set up your system so that the user cannot ACCIDENTALLY execute any external code.

There's no way to solve the issue of some idiot clicking on everything and putting in the root password whenever asked. So don't bother bringing that case up.

For everyone else, lock the OS files so that it cannot be infected and set the user writable portion to not execute any code. There, the majority of that problem is solved.

Then, ship the default installation without any open ports and you've pretty much solved the worm issue.

But that approach means that the anti-virus companies cannot keep selling you new signature files. So don't expect any of them to support it.

Re:It's just the anti-virus companies claiming tha

[nbert]

The correct way to handle this is to set up your system so that the user cannot ACCIDENTALLY execute any external code.

Would be rather trivial to implement in XP or Vista (and I'd love it, because it would reduce the number of calls off duty. On the other hand every employee would hate it and they might call me even more because they can't download "useful" stuff). But in the end this is not the most common source of malware/virii anymore. Cross-site-scripting accompanied by security holes in common plugins causes way more compromised systems. Bugs in Flash or quicktime in earlier versions make it extremely easy to infect a system without the user noticing. When I look at the stats of my website I could infect 50 visitors by week without much effort, because they run old versions of Flash (I'm not talking about the website I list in my profile). The so called "Russian Business Network" offered $ 0.10 per infected user last year. Might be just 5 bucks per week for my small site, but in the end I must say that it has never been easier and more profitable to infect IT systems (and no, I didn't take the money).

Re:It's just the anti-virus companies claiming tha

[Joe The Dragon]

The correct way to handle this is to set up your system so that the user cannot ACCIDENTALLY execute any external code.
and you do that by asking cancel or allow for each app.

Re:

[Missing_dc]

Ok, so we set a cancel/allow feature for every app. that may work for skilled or intelligent users, and most slashdotters would be OK.

The REST of the users out there are not as program/os/security savvy and would tell their PC to allow the app so they can watch that adult video or so they can have that pretty screensaver. They become so trained to just click allow that it defeats the purpose. As a sysadmin and a former helpdesker, I can tell you that the majority of computer users are a bunch of crack-tar

Re:

[zoips]

You should probably have that ego checked out; it might lead to your head spontaneously exploding if left unchecked.

Re:It's just the anti-virus companies claiming tha

[AmiMoJo]

You can do this quite easily on Windows.

Start->Run... "gpedit.msc" -> Windows Settings -> Security Settings -> Software Restriction Policies. If there is nothing in there create a new policy, then under Addition Rules create a path rule for your data and download folders. It then becomes impossible to execute anything in these directories.

Locking the OS files and registry is as simple as running as a normal user account instead of admin.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Bryansix]

I'm pretty sure that deleting all the shortcuts and then putting firefox as the default browser is a way better solution then actually trying to yank IE out of Windows.

Re:

[idontgno]

As long as you can avoid every piece of software that uses IE's integrated libraries and services for its own web access and rendering. Good luck with that.

Really, "iexplore.exe" is the least of your problems. The real evil is in the half-assed DLLs and associated components.

Re:

[HisMother]

Good luck with that.

Last I checked, neither my MacBook nor my Linux desktop used a single DLL.

Re:

[idontgno]

What, no VM or Boot Camp?

Anyways, a clever answer, and in the final analysis, the correct one. But, violates the implied constraint of GP's question: While running Windows, how do you avoid using Internet Explorer?

My answer was "not as easily as it seems". Your answer was "mu". Very Zen.

Re:

[Anonymous Coward]

.dll = .Framework, .bundle, .dylib,.so

Re:

[HisMother]

Ummmm... yeah. Way to miss the point.

Re:

[ScreamingCactus]

Not so. Not with Vista anyway. That's precisely what I did, yet for some reason, from time to time IE randomly opens up to an ad page. AVG doesn't know why, AdAware, Windows Defender (joke), and other programs couldn't figure it out either. I think it started when I installed itunes and quicktime. The weirdest thing is, it seems to occur when they system *sees* certain files, like when explorer opens the folder they are in. I don't know what kind of files though. It's rare and inconsistent, so I can'

Re:

[Sfing_ter]

And by WinNT you mean OS2/Warp right?

Re:

[Kartoffel]

I don't know. Back in the day, IE for Solaris was a pretty decent alternative to Netscape.

Re:It's just the anti-virus companies claiming tha

[ka9dgx]

The user has two options... click or don't.

How about giving the user more choices? You might want to let them run it in a sandbox, or run it without internet access, or chroot it.

If they had a way to express their intent, and actually control how much they give away when they click... it would go a VERY long way towards fixing things, probably 99%.

--Mike--

Re:It's just the anti-virus companies claiming tha

[techno-vampire]

How about giving the user more choices? You might want to let them run it in a sandbox, or run it without internet access, or chroot it.

And how many users, pray tell, do you think would understand what those options are, or which one to pick for any given program. If your answer is > 1 %, you have a much higher opinion of the average computer user's understanding of what they're doing than I do.

Re:It's just the anti-virus companies claiming tha

[adisakp]

How about giving the user more choices? You might want to let them run it in a sandbox, or run it without internet access, or chroot it.

If they had a way to express their intent, and actually control how much they give away when they click... it would go a VERY long way towards fixing things, probably 99%.

Have you ever tried Comodo's free firewall [comodo.com] or free antivirus [comodo.com]???

Both of them use whitelisting / safelists. Anything not whitelisted needs explicit permission from the user before they're able to read/write/delete/create a file or directory or access the internet. These two FREE (as in beer) products literally give you a similar level of control over what runs on your computer.

The Comodo antivirus doesn't work on Vista right now but will soon. Then again, this is Slashdot so we're all running XP right ?!?

For sandboxing, you can use VMWare Server (free as in beer) to generate an image to run in VMPlayer (also free as in beer) which you can then use within Windows. If you get VMWorkstation (not free but well worth it), you can get fine-grained control over snapshotting.

Re:

[lgw]

Does it work with Windows Server 2003? Most XP products do, it they don't explicitly check that they're unning on XP.

Re:

[drspliff]

Will Comodo run in Wine? :)

Re:

[TheRaven64]

How about giving the user more choices? You might want to let them run it in a sandbox, or run it without internet access, or chroot it.

Right idea, wrong UI. Let it run, by default, in a severely restricted environment - no access to the network (other than possibly one remote address, which is the site from which it was originally downloaded). No ability to access the filesystem outside a private, per-application component. If a process needs more than this, then pop up an irritating box asking for elevated permissions and remember the setting. Make the box look scary so the default response is to click 'no' (and if this happens let

Re:

[ka9dgx]

That's true, but then again safety belts save lives in many cases regardless of the ones who refuse to use them.

Trying to wikipedia your way to a +5, eh?

[Anonymous Coward]

This is what the GP said:

For everyone else, lock the OS files so that it cannot be infected and set the user writable portion to not execute any code. There, the majority of that problem is solved.

This is what you said:

You should NEVER have to trust an application to contain itself to a set of capabilities. That's what Operating Systems are supposed to do for you.

So, he said that we should control executables at the OS level, and your response is "no, we should control executables at the OS level (plus a wikipedia link to a sort-of but not really related problem)." Hold on, your brilliance is hurting my eyes.

Come on mods, this guy didn't even read the parent! I know he has a wikipedia link, but follow the damn conversation!

Re:

[ka9dgx]

It's like structured code vs assembler.... you can do the same thing in either, in theory.
The difference is that the USER should get to pick which side effects they want to let a given random piece of code get away with, regardless if it was written in Redmond or somewhere else.
There's currently no way for a user to specify what a program can/can't do other than to create an account, set the permissions on EVERYTHING it might touch, and then hope it doesn't somehow do something bad anyway due to a bug s

Attention Mods! Parent is karma whoring

[an.echte.trilingue]

His posts have absolutely no coherence with the posts he is responding to. He is throwing in keywords that he knows will get him attention here on /. and I think using a sock puppet with mod points to give himself that all-important first plus to get the plus five.

Seriously:

It's like structured code vs assembler.... you can do the same thing in either, in theory.

Sounds smart until you read the gp. Just throwing in the name of a couple programming languages is not insightful.

written in Redmond or somewhere else

The GP never made a comparison between any two methods. This is just pandering to the "well, I like to use the softw

Re:Attention Mods! Parent is karma whoring

[ka9dgx]

I'm not trying to game the system... I hit the karma cap a few years ago, and really don't care about it. I do care very much about making a what is a subtle distinction a bit more clear.

I'm sorry if my writing wasn't up to snuf.

A lot of people will tell you that an Object Capability System can't do anything more than one based on Access Control Lists. This argument is much like the ones posed against Structured programming when it came out... the opponents to change all said "well.. it doesn't really do anything new"... and if you picked enough nits, you could technically say they were right, in terms of the expressiveness of the program.

However, in practice it's not just about the types of computation your code you can express, but rather the programmers productivity. Structured programming made it easier to get things done. It saved programmers time.

In theory, in an ACL based system, you can run a program inside of a sandbox. You first create a new account for a program to run inside of, and then lock down the permissions of the rest of the system to make it safe. This is a non-trival task, which must be done perfectly if your program you wish to run turns out to be malicious.

A capabilities based system is designed from the start to enforce a policy of least privilege. That means that a program should given only the capabilities it requires to execute the task at hand, and nothing more. To run a program in a "sandbox" requires no more action that only giving it a sandbox to play in, the system enforces the rest. Not only that, it makes it possible for an end user to decide what rights to give a program without having to check all of the rest of the system.

The lack of awareness of the Capability Object Model severely constrains the possible futures that can be imagined by most of us, and we're making bad choices because of that ignorance.

I'm just trying to shine some light into the darkness.

--Mike--

Re:

[datapharmer]

Nah, just setup a very restricted user account and run it under the other user. Then you don't have to restrict everything on you normal account. There is no reason you should have to limit the system, just limit the user and run the program that way.

More like Everything Old is New Again

[WinPimp2K]

Or am I the only one old enough to remember that brief time when DAME was considered the unholy terror?

Re:

[idontgno]

Ah, Dark Avenger Mutation Engine. Sheesh. That brings back memories of frisk and Vesselin Bontchev holding forth on VIRUS-L. The good ol' days.

Dang. It's been at least 1 1/2 decades that experts have been warning that signature-based malware detection isn't gonna cut it. Heck, Fred Cohen warned us in 1987. [wikipedia.org] So what do we get? Nothin' but signature-based antivirus. Sucks bad to be us. Great time to be an antivirus vendor though.

Re:This is a GOOD thing

[ka9dgx]

Amen!
Imagine having two broken hands. You would have no way to directly take the money from your wallet and manage it yourself, you'd be forced somehow give your entire wallet to someone each time you wanted to pay. It would be almost impossible to prevent them from slipping an extra $20 unless you happened to see it. You're forced to trust someone completely.
For the foreseeable future, we're all dealing with two broken hands. There's no way to pick which parts of our set of capabilities we want to hand to a program. We have no way of stopping it from taking our personal data and sending it away, holding it hostage, or subtly sabotaging it.
I want my metaphorical fingers back.
--Mike--

Re:This is a GOOD thing

[AKAImBatman]

Self modifying code is self modifying code. If it changes its signature into a different permutation that contains the same logic (e.g. changing the registers loaded, moving memory locations, inserting no-ops that don't look like no-ops, allocating different stack size, using a different location on disk, etc.) then it becomes nearly invisible to automated tools. I'm sure the next revision of anti-viral software will aim for complex heuristics that attempt to negate this sort of hiding. Which will become the next major arms race between virus writers and anti-virus writers. (Just like spam vs. anti-spam.)

Of course, arms races are usually a bad thing. They waste resources yet deliver very little. We need to start thinking about building a new infrastructure that is not susceptible to such simplistic attacks. e.g. Managed languages, jailed environments, trust relationships for email servers, and other such steps to data security. Unfortunately, there is so much time and money invested in our current infrastructure that there's no chance the market would make such a change unless absolutely forced to do so. Thus we come full circle back to the GPP's point.

Re:This is a GOOD thing

[AKAImBatman]

Oh, and I forgot a particularly nasty option: Compressing or encrypting the code. e.g. A piece of code can use OS services to compress data on disk. This would make it look like any other program with compressed segments. Another option is a variation of One Time Pad based on system information like hostname or MAC address. Again, it's hard to identify the stub as a definite virus header.

Even worse is that most viruses today are part of a Botnet that has Command and Control capabilities. So the hiding ability of the virus can be updated on a regular basis. Version 1 selected between compression and OTP? No problem! Version 2 will add reordering of code segments!

Quite nasty, these bugs.

Re:

[drspliff]

A major pain in the ass is to write a polymorphic bootstrapper that won't be picked up. Most of the bots I've dissected in the past have used off the shelf compressors or encryptors to wrap a fairly standard (badly written) piece of software.

One of the neatest things I've seen so far is a server which gave one-off encrypted executables based on the clients ip address, the boot strapper then had to confirm the ip address before it could decrypt it, or download another version and try again.

Maybe arms race is a good thing

[jhoger]

Actually the arms race may be a GOOD thing. Viruses and spam could be the "key driver" the market needs to force progress on artificial intelligence.

Re:

[Xenna]

This is actually old hat. The older PC viruses (in the early nineties) used polymorphic encryption engines. For each copy of the virus a slightly different decryption algorithm was created, that algorithm was the only unencrypted part of the virus the rest was encrypted (with a different key/algorithm each time). Upon execution of the virus the decryption code would get control first decrypt the rest of it and pass control to the actual 'payload'.

Anti-virus writers beat this scheme by running the decryption

Re:

[dvice_null]

> Are you kidding? Arms races are the reason we have (relatively) easily accessible and affordable flight to most parts of the world

We could have had the same technology without wars a lot cheaper. In war we basicly hire some scientists to work with a problem and we use e.g. 1% of less of the resources to this. And 99% of the resources to build machines that will be destroyed very soon on purpose. And in addition we kill educated people who could instead of dieing do someting usefull.

If instead we would

Re:

[fatphil]

Bzzzt! In order to do that we have to first solve the Halting Problem.
It is impossible, for arbitrary code, to even tell which parts of the code are code, and which are data. Working out which bits of the code are a morphing routine is unimaginably harder.

I love it.

[Anonymous Coward]

The slashdot synopsis is longer than the article.

Re:I love it.

[corsec67]

It is a clever plan to get people to RTFA. Now people will stop bothering to read the fine summary.

Enumerating the Bad is not a good idea

[corsec67]

Enumerating the bad is usually a bad idea, since it is to easy to change what is "bad". We enumerate the good with firewalls, why should software security be any different? Distro repository + corperate repository should cover all software necessary, right?

Will we now see true evolution of software viruses?

This is pretty much #1 and #2 in this list of The Six Dumbest Ideas in Computer Security [ranum.com].

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[corsec67]

I wasn't referring to virus checkers for a list of "good software", I was thinking about the package manager used by many Linux distributions.
I don't know how that would work in Windows, but it generally works pretty well in Ubuntu, with the advantage that you can quickly add a set of applications.

Re:

[lgw]

Right, because you've never get anything like a compromised version of SSL in a common distro package, compromising security for years undetected, right? And that was just accident, not malicious gaming of the system for millions of dollars reward.

Re:

[lgw]

If you're vulnerable to accident, you're quite vulnerable to malice. No one has deliberately gamed a package management system to install malware broadly yet, but only because Windows Update is well-controlled, and the others reach too few targets.

Re:

[DRAGONWEEZEL]

Require comercial software writers to subscribe to a whitelist (free of charge, but phone verification required)
Software becomes Read-only
Data is stored in data files
Owners machines poll for software installed, check against whitelist, everything else = BAD and has to be verified by owner
Switching verification off is a possiblity, but defeats purpose.
Whitelist gets updated nightly with verified "good" software

Donate now to DW's AV Startup w/ Paypal

Can someone explain what this means?

[yuna49]

Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc.

What exactly is a "non rules-based monitoring process?" I thought I had some clue about security procedures, but I'm be hard pressed to describe what such a process might be. Even more importantly, what would it cost to implement? TFA is no help here, consisting of the usual hand-waving about the never-ending arms race between malware writers and the rest of us.

We all know what the most effective solution to this problem would be. Funny how it's never mentioned in any of these articles.

Re:Can someone explain what this means?

[ratboy666]

Actually, it is "rules". But, it is not "patterns".

Specifically, http outbound access should be allowed for firefox. The firefox binary is /usr/bin/firefox, and has an md5 signature of 64b6c465f9919e1fa860707fb762cff2. If the signature changes (without having updated the program), a security alert is raised. And that name/hash combination is allowed outbound port 80 access.

Basically, security should be SElinux and Tripwire. Those two tools (or equivalents on alternate Operating Environments) cover most of the threats.

Malware cannot then hide as an existing program. New programs should have strict security profiles that prevent "excess" (network, disk, cpu, memory) usage.

It would be possible to create malware, but it would be worthless, in the sense that the resources that could be misappropriated would be minimal (note that Unix and Unix-like systems have had ulimit for ages -- SElinux expands on the idea). A particular malware COULD attempt escalate to root, but SElinux would prevent the attempt to escalate the "usual" way. Specifically, firefox has NO REASON to gain root, and this can be prevented.

What would the worst malware look like in this senario? A javascript in firefox because it can do almost unlimited port 80 access. Email can be limited to qmail or sendmail (and even further limited by the expected amount).

Unix-like systems (with the exception of MAC OS X, which frightens me a bit) are heading here. Intrusion alert systems coupled with execution limiting, role based security systems (apparmor and selinex).

"AppArmor is an application security tool designed to provide an easy-to-use security framework for your applications. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies, called "profiles", completely define what system resources individual applications can access, and with what privileges. A number of default profiles are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor profiles for even very complex applications can be deployed successfully in a matter of hours."

Of course there is no need for malware detection with this model. Tripwire already does a better job than any "anti-malware" program could, because it snapshots the OK state of all files. *anything* that differs is then suspect. AppArmor/SElinux provides for the expected BEHAVIOR of all programs. If they differ, they are suspect.

As you have probably noted, this protection does not accomodate "rootkits". However, a rootkit cannot be "defended" against, or even detected when running under it (at least if it is a reasonably well done rootkit). But this simple approach will eliminate all, or almost all, malware seen in the wild. With no need for anti-malware updates, or subscriptions, etc.

Re:

[Blakey Rat]

Unix-like systems (with the exception of MAC OS X, which frightens me a bit) are heading here. Intrusion alert systems coupled with execution limiting, role based security systems (apparmor and selinex).

Apple realizes that OS X has, as a significant share of its market, this thing called "normal people." "Normal people," in case you've never encountered one before, have no clue how to use any of the stuff you just outlined above.

The real issue at hand here is the following:

1) The OS has to ask the user whet

Re:

[ka9dgx]

Thanks for the pointer to AppArmor, it appears to be a very good step in the direction of least privilege execution of program. The "learn" mode makes it easier to configure things, which helps out the novice.

Doing this on the Windows side of the world is, of course, impossible, because you can't patch the kernel there, and there's no equivalent of Linux Security Modules.

I guess the closest we could get would be to run apps in Wine with an AppArmor profile for each one. 8)

No, it's not freakin' Unix

[Anonymous Coward]

Thinking that using Unix is the solution to getting 0wned is like thinking that heterosexuality is the solution to getting AIDS. The only general solution is education.

As the article states, this malware is all based on social engineering. If you can convince somebody to run a program because it will show them the latest celebrity sex tape, it doesn't matter what OS they're running. Right now it only works on Windows because the malware authors know that they can get 90% of the market by doing only 10% of t

Re:

[Nullav]

Keep in mind that a lot of Windows malware only works because everyone runs as root.

Re:

[X_Bones]

Thinking that using Unix is the solution to getting 0wned is like thinking that heterosexuality is the solution to getting AIDS. The only general solution is education.

I'm sorry, but this is Slashdot. I'll need an automobile analogy, please.

Computer Immune Systems

[VoidEngineer]

What exactly is a "non rules-based monitoring process?" I thought I had some clue about security procedures, but I'm be hard pressed to describe what such a process might be. Even more importantly, what would it cost to implement? TFA is no help here, consisting of the usual hand-waving about the never-ending arms race between malware writers and the rest of us.

He's talking about computer immune systems. Here's a link to an IBM research paper from the top of the Google results for "virus immune system c

Re:

[yuna49]

Thanks to you and ratboy above for these excellent responses.

However aren't you both really talking about a solution whose implementation, if if ever happens, is decades into the future? We have hundreds of millions of computers in the world running operating systems and applications that represent the current state of technology. Wouldn't these approaches literally require all those computers switch to entirely new operating systems and applications than are installed today?

If so, I don't see this as a r

Re:

[VoidEngineer]

These things mostly exist in laboratories already. It's really just a question of distribution to the masses. And, I dare say, that companies like Norton and Symantec are already investing in these technologies. Before long, the copies of Norton 2010 or Symantec 2012 are going to include immune systems. If not 2010 or 2012, then some other date in the future. So, getting it to market and getting it to early adopters won't be that difficult. Getting it to the masses, however, will be a bit more complic

Re:

[yuna49]

I guess I'm still a bit confused. You're saying these technologies could be bolted on to existing platforms in the way anti-virus programs are now? Won't they have to be supported by operating system and applications programmers as well? Even if they're included in the next generation of software, it'll take many years before that generation of software replaces the infrastructure we have now.

I'd also wonder what the user interface would look like. Popups that say "application X has tried to use port Z

Re:

[VoidEngineer]

Good questions. I would imagine that an immune system would be built as an application service layer. In of itself, that doesn't pose too many challenges, and is fairly straight forward. Getting the operating system support and application programming support can be provided by the developers who program the immune system in the first place, by conforming to the standards that vendors provide. If you wanted the immune system to be an application framework, which other applications could build on top of,

Re:

[yuna49]

Indeed. I don't really care if it's Linux or Open Solaris or OS X or, hell, even HP-UX. It doesn't even have to be *nix if it's built on a sound security model.

The fact that the global computing infrastructure is so homogeneously based an operating system as vulnerable as Windows just never gets discussed in these sorts of articles. Most Windows users I know just accept that virus protection, spyware protection, and the occasional reinstallation of the OS, are all the normal state of affairs in computing

Re:

[ka9dgx]

You're right about needing a sound security model. One that allows the user to express their intent when running a program would be a good start.

Any idea where I can get something like that? I haven't seen a copy of KeyKos, CapROS, or Eros sitting on the shelves at Best Buy lately.

--Mike--

How about a ring security model? ala Intel ISA?

[master_p]

The system runs at ring 0, the local applications at ring 1, the intranet applications at ring 2, the internet applications at ring 3. Thus no malware can do anything, unless there is a bug in the software interfaces between the rings.

Re:

[ka9dgx]

Secure hardware is an essential foundation for a secure operating system, but secure hardware doesn't do anything useful if the OS is junk.

You are just wrong, stud.

[Anonymous Coward]

Linux and Mac to some extent are a solution because they're not targeted as much. Because they don't have the market share.

Bullshit. Bullshit. This argument has been fully debunked and it is utter bullshit. I can't believe I still see it on /. of all places.

Malware writers go for botnets of puny windows desktop machines because that is low hanging fruit. One decent server with an always-on fiber connection to the net is worth thousands of times more than your dinky little ADSL gaming machine for just about anything that you would a botnet for. You know what the market share looks like on the server side? Most of the bi

Re:

[jez9999]

Bullshit. Bullshit. This argument has been fully debunked and it is utter bullshit. I can't believe I still see it on /. of all places.

You must be new here.

It won't end until there is extreme violence

[erroneus]

Until the people who are putting this stuff out there are seriously and literally beaten either within inches of their lives or to death, this sort of thing will get worse and worse.

These assholes call themselves "marketers." They have gotten away with it for so long, they often call a great portion of this "legitimate business." It's not enough to criminalize this stuff... especially when law enforcement generally has no idea how to prosecute or make a case against any of it.

There should be a series of web sites built that creates a "hit list" of people responsible for this crap. That's where the end of this should begin.

Re:

[maxume]

That's stupid.

Look how well playing wack-a-mole has worked for drug enforcement. Rather, look how it hasn't worked at all.

Re:

[InlawBiker]

Yeah, but still. Having had to clean up some catastrophic messes that have been created by malware I still fantasize about one day beating the pulp out of one of those bastards.

Re:

[erroneus]

Is there a "whack-a-mole" game going on against drug makers and distributors? I'm talking about vigilante justice. There isn't any large-scale information availability on the identity and whereabouts of drug people. Do you know of any?

Re:

[Nullav]

Not like drug dealers aren't killing each other daily. When's the last time you heard about a spammer shootout over a bad deal? When hijacking machines and flooding disks around the world ceases to be easy money, I predict that a lot of these parasites will simply move on to something else. Yes, I am advocating the idea that we legalize spammer hit-lists. Opt-out, of course. =p

Re:

[account_deleted]

Comment removed based on user account deletion

Is I told you so a meme?

[zappepcs]

All my posts about malware and virus software for some time have been doom and gloom. Seems moderators don't like that. This is nothing but the tip of the iceburg of what might be coming, and what is probably already in the wild, we just don't know it yet. I could probably think of a dozen scenarios where malware could already be hiding on your equipment, silently waiting to be signaled.

It's possibly in your router's flash by now, or your motherboard's flash, or sitting on a CD or CE player's flash, or an MP3 player. It only has to wait till it needs to start spreading, and be dormant there too, then one day you notice missing files, or there is an outbreak of serious malware globally. Yes, tinfoil hat stuff, but it is possible, and as time ticks on it is becoming more probable.

Nobody wants to believe it, but it is possible. If it is possible, it will only be a matter of time...

Re:

[ka9dgx]

It's possibly in your router's flash by now

Especially if you recently got fake routers from China. ;-)

Work Uniform

[WindowlessView]

I thought shape-shifting malware was the official business attire of geeks everywhere.

Re:

[Phroggy]

That's "shape-shifting malwear"; note the spelling distinction.

A Blast from the Past....

[NullProg]

1991
        Tequila is the first widespread polymorphic virus found in the wild. Polymorphic viruses make detection difficult for virus scanners by changing their appearance with each new infection.


Sweeney believes that a non rules-based monitoring process must be set up to defend all ingress and egress points covering SMTP, DNS, HTTP(s), IM etc."

Its called heuristics and its been in use for a while.

Enjoy,

Re:

[ka9dgx]

Sorry, take your magic bullet home, and try again. Heuristics only catch the obvious, and not the subtle nor patient.

Re:

[Kingrames]

Admit it. If tequila is a virus, you don't want to be virus free.

a possible solution

[FudRucker]

If you take a snapshot of your harddrive/OperatingSystem, and as long as you don't do anything to change it (no writing to disk anywhere, no launching applications) then take another snapshot a few minutes later and another and another, soon this shape/shifting malware will reveal itself, get enough glimpses of it and a picture will emerge so you will know what to look for then know how to eradicate it from your computer, I doubt the kludge like mcaffee & norton are capable but somebody has to rise to the occasion to build something good enough to do this, it would be worth it to leave your PC alone while some anti-malware runs that can deal with this shape/shifting malware and catch it so it can be removed, or reveal a method & list of files so you can manually remove it...

Re:

[ka9dgx]

Wouldn't it be simpler (but by no means easier) to allow the user to specify what side effects they are willing to allow a program to create before they run it?

System updates would be allowed pretty much any side effect (but not the user folders).

Web browsers could only connect to the net, and their local folder, but nothing else.

etc, etc.

Re:

[FudRucker]

thats exactly why I don't use ms-windows anymore, everything is just too open to attack, open Windows Explorer file manager and type in a URL - it does not launch IE, it is IE or morphs in to IE, open Internet Explorer and type in C: hit enter and you can use it as a file manager and change & delete files, if that is not asking for trouble I don't know what is, knowing this and how many users run their PCs 24/7/365 with admin privileges because managing a multi-user system with admin & users privile

Re:

[ka9dgx]

Sounds like a prudent strategy to me, not perfect, but apparently good enough.

Re:

[yuna49]

open Windows Explorer file manager and type in a URL - it does not launch IE, it is IE or morphs in to IE, open Internet Explorer and type in C: hit enter and you can use it as a file manager and change & delete files

Sounds a lot like Konqueror to me. Having the ability to treat local and remote files equivalently seems like a good thing to me. In fact, one of the features I like best about Konqueror is its ability to handle all sorts of URLs like smb:// and fish://. I don't use it routinely to brows

Shellcode polymorphism

[Ceriel Nosforit]

Shellcode polymorphism has been known for years. Here's a good article from Phrack [phrack.org] on it.
Any AV vendor who isn't prepared for it by now has grossly failed their customers.

This is news?

[Anarke_Incarnate]

Every few years the malware comes out newer, shinier and costs about $100-400 depending on if you get the Home Basic or Ultimate versions.

It's beginning to look like...

[rickb928]

...this is the first step towards a 'solution':

SELinux
Firefox
???
Security for a while
Profit!
Repeat as necessary.

Windows is so blown up, security is pointless.

Better website design/security doesn't help. The nasties will create their own malware sites quicker than you can say 'globals off'. And detection in Windows is pretty much like your oil light on the car dash - 'you are hosed, just letting you know it's bad.'

I'm thinking my wife's next machine is running Kubuntu. Mine at home too. All I need is a wa

Re:

[rickb928]

Wow. I got this CD in a book back in '93 or '94. Had a program called Slackware. Really interesting. Something called 'kernel 0.91' was in it.

I wuz huked.

It was a couple of years later when I was down to the Novell branch that one of the guys shows me a web server running on his lab NetWare server. It was something he called NAMP.

I waz huked agin. Nobody else believed me. Then, they didn't care. Feh. Of course, I gave up on NetWare.

Funny the stuff we think is cool, new, or just plain fun.

Not to sound like a dick

[pembo13]

But my Linux desktops and servers seem just fine. And I don't trust my WindowsXP laptop with important data. At some point, there needs to be personal responsibility. In the same way that I need to make sure that the brake pads on my vehicle are in good order, people need to make sure that their software, whatever they choose, is also in good order.

Nothing about our industry makes sense any more

[bill_kress]

There are some very sane and easy ways to fight these things, and not a single entity (except perhaps tripwire which is out because of how hard it is to use/configure, and java which works pretty well in limited situations) even tries.

We need per-app permissions. This doesn't have to be obvious, but when you install an app, the system needs to pop up a box before a single line of code is run giving options that the software is asking for.

Net access, write to own directory, write to system directories, use

Re:

[99BottlesOfBeerInMyF]

We need per-app permissions.

Agreed. We (sort of) have them. Vista, OS X, and Linux are all shipping with Application level access control frameworks, by default, these days. The problem is getting it applied and getting a workable UI and workflow.

This doesn't have to be obvious, but when you install an app, the system needs to pop up a box before a single line of code is run giving options that the software is asking for.

I think this is too cumbersome and too complex for the average user. Rather, I think we need to go further. Apps should ship with an ACL that specifies what it should need. Anti-malware companies and organizations should verify these and provide white lists and checksums. That way pre-in

AV is so dead to me

[istartedi]

I never run it. I've only been hacked a few times, and knew it almost right away. It's the ones you don't see that worry me; but if you can't see them, what makes you think the AV companies can see them? Before the AV companies will write signatures for them, somebody has to notice them, and if "noticing them" is automated, then that implies that polymorphism is not a problem--but it's common knowledge that it IS a problem for AV vendors. Besides, you have to *pay* for AV, and it slows your machine down

Re:

[istartedi]

Something you are doing isn't working

The first time was nimdA. It was an exploit that affected Outlook Express. AFAIK, it was one of those rare occasions when you didn't have to be looking at HTML mail, or execute an attachment. I don't use OE anymore. The other times have been before I got agressive with the Internet Explorer security settings. Now that I've clamped down, so far so good. So. It's a learning process, true; but I like it better than learning which AV products are good and bad.

Po

Re:

[ka9dgx]

That doesn't help the situation. If windows goes away, the problem with just migrate to Linux.
Until we get to the point where you can assign permissions to every single program for every single role you expect that program to fulfill, it's not going to get much better.
--Mike--

Re:

[Cajun Hell]

That doesn't help the situation. If windows goes away, the problem with just migrate to Linux.

It's true! Just a few minutes ago I was sorely tempted to type "sudo apt-get install shapeshiftvirus". If Linux gets more popular, it's just a matter of time until shapeshiftvirus gets ported to it. Then, assuming the virus is GPLed, Debian will enthusiastically put it into their repository. It'll trickle down to Ubuntu. When that happens, users all over the world are going to choose to install it, type in t

Re:

[tuomoks]

I think you are right. Now, as in some systems I know they follow the rules, every initiation of a program or transaction is based on authorization of the initiator AND program/transaction (authentication is already done by default - the program is already starting). The execution rights, the database access on field level, the network access, etc are also based on same authorization. Might not help if the person granting the authorizations is totally clueless but might help when the OS asks the permissions

Re:

[lgw]

If all the Wonows user moved to Linux, then this would no longer be the nature of the community. One distro would rule them all and in the darkness bind them, and the spam would continue unabated.

Re:

[ka9dgx]

Ok.. you kill the author of a piece of malware... does that magically remove it from all the places it's gone to?

It might make us feel better, but it's not a solution.

--Mike--

Re:

[Archangel Michael]

SO, what is the acceptable penalty/deterrent for this crap? Because whatever we got now, it isn't working.

Funny thing, most people say "that won't work", but are unwilling to even try. I'm sorry, but I guarantee you that if we get a couple of dozen hackers hacked up, machete style, it will be a deterrent.

Guaranteed!

Re:

[Builder]

Yeah, but what are the odds on him writing a second piece of malware if we kill him after the first one? See - there IS an upside to this model of enforcement :)

Re:

[ka9dgx]

Too late, it's already in the BIOS. ;-)