The Rise of Polymorphic Malware
twoheadedboy writes "The level of aggressive, polymorphic malware intercepted by Symantec doubled in July, when compared to figures from six months ago. This kind of malware has been typically found inside an executable within an attached ZIP file disguised as a PDF file, and is pretty darn good at getting around traditional anti-virus products. 'There are powerful Darwinian forces acting on the development of malware by criminals,' said Martin Lee, senior software engineer at Symantec. 'Those who look to innovate and improve their malware tend to infect more computers and acquire the resources to reinvest in further development and innovation.'"
OOPS (Score:3)
Virus writers discover OOP??
Re: (Score:2)
Context comprehension fail.
See the other [wikipedia.org] wiki article on polymorphism.
It's 2011, don't open the attachment (Score:2)
Re:It's 2011, don't open the attachment (Score:5, Insightful)
Re: (Score:2)
The rule is, never open an attachment you weren't expecting. If you weren't notified in advance by a trusted party of the attachment's impending arrival, assume it is malware.
Re: (Score:2)
If everyone did start doing this (they won't; those who'd open anything without thinking will want to send the latest lolcat thing NOW) then the spammers just modify the emailer script to send a "Hi [firstname], expect a Powerpoint from me shortly", and then send the malware in the next email to them, with a couple minutes' delay to simulate an actual person attaching a document and sending it.
Re: (Score:3)
My ISP e-mailed me 'my invoice' as an attachment last week, when they had previously sent a summary in text, and a link to their site to view the invoice.
I e-mailed and told them that I wouldn't open attachments from them, and I wanted the plain, boring, text summary ... and I get a response back about how the invoice has always been PDF, and they closed the ticket.
So, anyone know of any good ISPs in the Maryland/DC area? (and Verizon and Comcast don't qualify as 'good' in my opinion).
Re: (Score:3)
It still blows my mind that people open attachments from individuals they do not know.
"But Culture20, the email came from you, and you're our systems administrator."
"Did it contain my gpg/pgp signature?"
"What?"
"That gobbledygook at the beginning and end of all my emails that you apparently don't pay attention to."
Malware spreaders using people's address books stand a good chance of faking an email from someone the target knows and trusts. Users are still surprised that identities can be faked in an email.
Passphrase to access an address book (Score:2)
Malware spreaders using people's address books
If malware can sniff the passphrase to read an address book, it can sniff the passphrase to sign mail.
Re:It's 2011, don't open the attachment (Score:5, Interesting)
While "the club" really isn't very effective as an anti-theft device, wanting to protect your car from theft at a Walmart is actually pretty sensible, as that's an extremely likely place for it to be stolen. And there's no such thing as a Walmart "in the middle of nowhere": Walmart always locates stores in locations where there's plenty of customers. Even if that's some small town, it's the nexus for a large number of customers from surrounding areas and towns, so just putting the Walmart there will draw lots of people to that place, and consequently it is no longer "the middle of nowhere", it's actually a giant gathering place.
Here's a better anecdote: a couple months ago, I visited a place called Arcosanti, north of Phoenix in Arizona. It's a strange little artists' community built by an architect named Paolo Soleri, who has dreams of a Utopian city where everyone lives together in harmony in shared buildings (i.e., there are no separate houses, everyone has a small apartment, that kind of thing). His dreams are much bigger than the reality, which is a small community of people who've basically given up their normal lives to come live with him and, as they get enough money for concrete, build more of his vision. They basically live off selling some weird wind chimes they make there, and tour fees. Anyway, my wife and I went up there to check it out and take the tour, as it's a cool idea although not that realistic, and there were only two other visitors, one single woman and one older couple. This older couple pulled up into the parking lot right after us and parked next to us, and what did the man do when he stopped? He got out The Club and put it on his steering wheel! Now, keep in mind (take a look at Arcosanti on a map if you want), this place really IS "in the middle of nowhere": it's in Arizona's high desert, about 2 miles down a gravel road from the nearest civilization, which is nothing more than a couple of gas stations at an interstate exit, about 3 miles from a tiny development called Cordes Lakes, and about 20 miles from the nearest real town called Camp Verde. There really is nothing there, except some funny-looking concrete buildings with a few dozen residents, and it's probably the safest place for your vehicle to be in the whole state. The idea of needing additional vehicle security in such a place is laughable. Car thieves don't go out to remote destinations to steal people's vehicles, they go to population centers (i.e., cities), and crowded locations in those population centers such as shopping center parking lots, apartment parking lots, etc.
Re: (Score:2)
We learn to put on the club out of habit so that when we do go to Walmart our car is left alone. Sometimes it's a good idea not to interrupt automatic processes with rational thought... believe it or not.
Always wanted to go to Arcosanti...
Re: (Score:2)
A few seconds with a hacksaw and your Club is rendered useless. Get an alarm that disables the ignition and stop wasting your time with something that doesn't work.
Re: (Score:2)
Well yes. The best option is a battery-powered reciprocating saw with a general-purpose demolition blade.
Re: (Score:2)
Yep, that too. But if that fails, it's pretty easy to hacksaw through a steering wheel.
Re: (Score:2)
In fairness to the person using the club, it only takes a couple of seconds to put it on, and routines tend to be all-or-nothing: if you look around and try to assess whether your current surroundings justify using the club, you're likely to fall out of the habit of using it at all.
I've been wanting to visit Arcosanti, by the way. It sounds like a crazy utopian scheme, but with something to it. I've wondered if Soleri was an influence on the design of the Marine Towers in Chicago.
Risk of losing car in middle of nowhere (Score:2)
Since you're in the middle of nowhere, the cost of losing your car is ever so much greater. Therefore, it makes sense to protect your car. Cost/benefit.
Re: (Score:2)
Obviously, certain cities and places are going to have higher theft rates than other places.
However, for any given area, think about it: imagine you want to steal a car. Where are you going to go? Are you going to go to a subdivision, and drive from car to car looking for one that's a good target? Or are you going to go to a parking lot that's literally full of cars, and find one that's a good target? Now, where's the biggest parking lot around? In big cities, it's the mall, but everywhere else, it's W
Um, bait cars! (Score:2)
Re: (Score:2)
You have a point there. I'm not sure there's even cellular coverage there, and it'd probably cost a fortune to have a cab come pick you up there.
Re:It's 2011, don't open the attachment (Score:5, Insightful)
Isn't the problem that the application that renders the PDF/Flash/etc attachment has access to resources on the system that shouldn't be allowed?
In other words, why aren't all attachments files rendered by applications running in a "jail"?
Re: (Score:3)
It's ironic therefore that
Re: (Score:2)
Java bytecode is a good example, and consequently the Java Virtual Machine is sandboxed. But JavaScript, PDF, and Flash are other good examples, and they're not sandboxed.
Nope. Java code running in the VM is sandboxed, but usually the VM itself is not. Similarly JavaScript code running in a web browser or PDF viewer, or ActionScript in the Flash plugin are sandboxed, but the applications running them are not. Java and Flash's sandboxes are not enforced by the OS (beyond normal process isolation), so they are no stronger than the applications themselves. These are large and complicated programs, which must be bug free in order for the sandbox to be secure. This is the sa
Re: (Score:3)
Sandbox everything.
Re: (Score:2)
I think the real question is why in 2011, there is still no way to open an attachment without risking the security of your system. Attachments were invented in 1990, and yet they still don't work as they should. I think this says more about the state of the software industry than about people.
Re: (Score:2)
If you use Adblock and Noscript, it is nearly impossible to get infected. Why that functionality is not in every browser and enabled by default I simply don't understand.
Re: (Score:3)
AdBlock implemented default in browsers? Oh my an outcry there'd be... and there'd be a lot more incentive for trying to circumvent AB, leading to more websites where those of us running AB wouldn't have ads automatically blocked - ugh.
NoScript is simply a too advanced feature for Regular Joe & Jane. They'd be confused to death why 90% of the internet suddenly breaks for them, and they don't have the skills to selectively whitelist just the non-dangerous stuff. If you think noscript is trivial, your whi
Flashblock (Score:2)
AdBlock implemented default in browsers? Oh my an outcry there'd be
Then let's backpedal a bit. I'd recommend implementing content-type blocking (e.g. Flashblock) by default in browsers. That'd keep the user safe from untrusted rich media in an exploitable non-free player, and the circumvention (advertise using a medium other than Flash) wouldn't be much of a burden for advertisers.
Re: (Score:2)
That's something I can fully agree with - I like what Chrome does with Java content (too bad it doesn't do the same for flash). It's good for helping against drive-by exploits, and it's simple enough to not confuse the Johns and Janes too much.
Of course it doesn't help for sites that lure people to enable whatever with the promise of "zomg hilarious pictures" or "britney dyking out with olsen twins", but you can't really help people who fall for that anyway.
Re: (Score:2)
If you use Adblock and Noscript, it is nearly impossible to get infected. Why that functionality is not in every browser and enabled by default I simply don't understand.
How is Adblock and Noscript protecting against e-mail attachments?
Only people engaging in rational thinking will stop this. And that isn't going to happen.
Re: (Score:2)
Sorry, but those steps aren't really comparable to the two clicks it takes to white-list something with NoScript / Firefox.
Re: (Score:2)
In that case I take back my previous statement regarding Chrome.
Re: (Score:2)
Noscript functionality is in Chrome and IE, just not enabled by default. In Chrome go to Options > Under the hood > Content Settings and disable, then add your white-listed domains. In IE it's a little more complicated: Internet Options > Security > set Internet to HIGH, then go to Trusted Sites and add your white-listed domains. Then go to Internet Options > Programs > Manage Addons > Toolbars and Extensions > disable any addons you will not use; for addons you do use, right click them > More Information > Remove all sites and add only white-listed domains.
99.999999% of the people getting malware like this don't know what a script IS, let alone anything you just typed there. Believe it or not, there are people who when you ask them what browser they use they will say "I gots the Winders XP". Those are the people who are targeted by malware writers. People running no-script and adblock and sandboxes are simply such a small percentage of the masses on the internet it's a drop in the bucket.
However dell and hp and lenovo and the other OEM ship out their boxes a
Re:It's 2011, don't open the attachment (Score:5, Insightful)
If you use Adblock and Noscript, it is nearly impossible to get infected. Why that functionality is not in every browser and enabled by default I simply don't understand.
I have good enough karma with Slashdot that I'm given the option to disable ads. I don't. Why? Because ads fund Slashdot and keep it free. If ad blockers were on by default most of the sites people like and use would go out of business.
Re: (Score:2)
If you use noscript, about 90% (made-up large percentage) of the web is broken or functionally degraded.
Re: (Score:2)
If they are hidden out-of-the-box though, what chance do they have to reach those who would click if they saw it?
That tiny percentage drops to approaching-zero. Kaboom.
Re: (Score:2)
It's not 100%, but as the joke goes, I don't have to run faster than the bear, I just have to run faster than the average person
Re: (Score:2)
How the hell does an executable within an attached ZIP file disguised as a PDF get launched anyway?
Click
Click
Click
WHAM
"powerful Darwinian forces" (Score:3)
"powerful Darwinian forces" is an interesting way to describe the process by which the designers of these viruses are using progressively more intelligent designs.
Re: (Score:2)
Which brings up an even more interesting question: were humans designed by God or malware hackers? Or are we God's malware?
God's son had to die to pay the ransom (Score:2)
Re: (Score:3)
It's more like this, although it may tread into slightly blasphemous territory by being written like this:
God has a good old time livin' it up with the angels. Then one day Lucifer, a great leader of angels, gets dissatisfied with his position and jealous and decides he wants to be like God. A whole bunch of angels follow him. God isn't pleased and decides to kick them all out of His presence.
Meanwhile, God creates the universe and a man for companionship, and then a woman to keep the man company, in a perf
Re: (Score:2)
I guess? As long as the point is something pro-Christianity I don't mind :)
Re: (Score:2)
Eh, the worst that could happen is that people ridicule and troll you your whole life, for trying to be a decent human being to the other people around you. I'll take it.
Re: (Score:2)
I find it quite fitting. It's not the most advanced or strongest of the species that survive, but those that can adapt.
This is evolution in a nutshell.
Re: (Score:2)
I find it quite fitting. It's not the most advanced or strongest of the species that survive, but those that can adapt.
This is evolution in a nutshell
Sir –
I agree that evolution is present, but it is not of the Darwinian sort. The Darwinian theory of evolution is based upon natural selection, as distinguished from (even in his day) widely understood and accepted forms of artificial selection (e.g. husbandry, horticulture). Darwinian selection is controversial because it removes from the equation of evolution the guiding hand of God – Darwin posited that we "advance" not because of some divine purpose, but as a response to criteria set out in
Some good readings (Score:2)
Polymorphic Shellcode Engine Using Spectrum Analysis
http://www.phrack.org/issues.html?issue=61&id=9 [phrack.org]
Release date : 13/08/2003
Naturally I'm paranoid about what AVG and Comodo have not detected since then. NOD32 didn't say anything either about my normal use, but I'm actually glad the technique is becoming a threat that AV suppliers must address.
Not News (Score:2)
Re: (Score:2)
Thank you! I thought I was the only one that knew this. I even programmed a little polymorphic program in 2004.
I was beginning to think I had lost a great opportunity. :P
Re: (Score:3)
Polymorphic and metamorphic malware.
As for me, I prefer sedimentary software that accretes little bits of code over many years, or igneous software that erupts, molten and sulfurous, from a glowing fissure in the earth's crust, then freezes into brittle glass-like applications.
Polymorphic Software (Score:5, Informative)
Prerequisite: Industrial Base, Information Networks
Technology: Advanced Subatomic Theory, Optical Computers, Adaptive Doctrine
Special Ability: Heavy Artillery
Improves Probe Team success rate.
Track and Level: Discover 2
"Technological advance is an inherently iterative process. One does not simply take sand from the beach and produce a Dataprobe. We use crude tools to fashion better tools, and then our better tools to fashion more precise tools, and so on. Each minor refinement is a step in the process, and all of the steps must be taken."
-- Chairman Sheng-ji Yang,
"Looking God in the Eye"
Re: (Score:2)
I'd love to see a remake of that game -- overhaul the graphics, maybe tweak the gameplay a little but not too much, but keep all the writing.
Why the hell should PDF allow zipped executables? (Score:3)
I think a lot of our problems come from these 3rd party packages that have grown WAY too complex and provide too many vulnerabilities. Why, for example, should the PDF format permit -anything executable or coded-, whether it's JavaScript or ZIP files? It's time in my view for the developer and system integrator community to simplify; let's get back to the idea of tools and programs that have well-defined scope and do a few things well, rather than turning into Yet Another Vendor Platform that can be used to distribute viruses/trojans/malware/crapware/etc.
"Powerful Darwinian Forces" huh (Score:4, Informative)
Whale [wikipedia.org] is more than 20 years old now, and it was polymorphic. An issue of 40hex from 1993 [textfiles.com] provides source for a polymorphic engine. This isn't a new development, the technique was "mastered" 20 years ago :P
Maybe they've seen a recent spike in it, but... who cares? Well, unless it means they'll put a little more thought into AV than signature-based bullshit. "heuristics"-based detection that isn't a complete joke, for a start.
Process Permissions (Score:5, Insightful)
I'd like to see the OS, especially one like Android in the hands of unsupported, naive, and promiscuous users, require permissions for InterProcess Communication the way it does for files. And for DB access. All strongly typed. Those kinds of familiar patterns in combination, upon every access between processes on objects. Mediated by an OS capable of supporting the user and using a support Internet to warn others when threats (or patterns that represent threats) appear to correlate to risky objects of the same kind.
The OS and Internet should act as an integrated immune system bathing our objects, not just a special case intervention when opening the first file from an email. Dedicate one or two cores of these multicore CPUs (and prefilter at servers for smaller/mobile devices). Attacks are now the norm, not the exception. The network and OS infrastructure design should recognize the new reality.
Re: (Score:2)
oh you want symbian? you want to go insane developing applications someone could actually use for it too? I mean, I even went and bought a book for it, a highly recommended one. you know what it said about IPC? that it's too fucking complicated to go into in a book as thick as Harry Potter's.
and for the record android asks for permission (install time, but anyways) for just about anything. you know what's wrong with it? you can't know what the app will actually do with those permissions -
Re: (Score:2)
I don't want Symbian, but I do want the kind of IPC I described. I don't want it to be insanely complex, nor need it be - which I guess is one reason I don't want Symbian.
Actually Android's permissioning sounds similar to what I want, but not quite good enough. I'll have to look into it. Install time is the time to ask for permission to IPC to other apps/processes, but the GUI should describe it by service role rather than app/data, because users can make sense of roles rather than the techical implementati
Re: (Score:2)
What fucking planet are you from dude? :)
That's an extremely logical and well thought out plan for a system design for non-humans.
A computer can warn a human of all the threats in the world. However, if there is a promise of a fuzzy kitten doing something cute, or a fuzzy kitten in between a pair of nice tits, all the warnings are useless.
If I had a nickel for every time somebody I know said they clicked on the link anyway because of the promised content I would be retired on an island.
I think the better i
Antivirus makes a better suggestion than solution (Score:5, Interesting)
Several reasons why Antivirus is a fail:
1) 0-day. Your AV will never pick it up
2) polymorphism - if the virus sig changes, you're hosed
3) People think: "Since I have AV, I can't get infected"
4) People think: "AV didn't find anything wrong, so I must be clean"
5) When AV doesn't work, people assume it's broken
Antivirus has evolved into a "solution" when it's clearly not capable. How many infected windows installs have you found where Norton took a head-shot, or some kind of AV *was* installed at one time but got smoked?
What's needed: OSs need to plug their holes. Browsers could be fixed so they don't hand off malicious content to system executables. The OS itself should be trimmed down so not everyone is running SMB/RPC (or other commonly exploited services) by default. Executables which handle web content could be sandboxed and run by a lower privilege user (this can be done in Unix, so why not Windows?). Why do these things not happen?
AV is great when it works but it's proving not to be enough.
Re:Antivirus makes a better suggestion than soluti (Score:4, Interesting)
The first polymorphic file-infecting virus that saw wide dispersion was DAV (Dark Avenger), back in 1991. It was detected just fine.
Not all virus detection is performed via signature-checking. In the case of Dark Avenger, McAfee used curve-fitting. A histogram of the frequency of various byte values in specific locations within an executable file was generated, and a frequency-distribution curve generated from that. This curve was compared to the curves of legitimate executables and to what the DAV virus tended to create as it altered the files it infected. How well the curves matched, and where any anomalies in otherwise-perfectly-matching curves were, became the basis of determining confidence that there was a "hit". This technique proved to be extremely accurate, more so than string-matching. While false-negative (failed detection) and false-positive rates were never perfect, they were in the "many 9's" of accuracy. In many cases, this heuristic was more accurate against DAV than string-matching was against other non-polymorphic viruses
Point 1 is incorrect. Heuristics will often pick up a 0-day virus, as will behavior-based (anomaly detection) systems. String-based virus detection is only a part of modern antivirus products.
Point 2 is incorrect, and has been for 20 years. Polymorphism is no more a perfect virus cloaking mechanism than antivirus software is perfect malware defense.
Points 3 and 4... no antivirus software will ever stop infection if the user explicitly grants permission for something to run. There is no functional difference between malware and legitimate software; everything that malware does (from a functional perspective) is something that some piece of legitimate software or another can do. Malware is defined by deception, not function. Antivirus software does not detect deception, nor should it be expected to.
Point 5... yeah. People expect magic bullets. People demand perfection for free. People can go fuck themselves and their slimy little tort lawyers.
And... stack-based exploits are not viruses. Antivirus software is not intended to defend against such attacks.
But yes, all applications should run in their own sandboxes, memory-wise, file-system-wise, privilege-wise. This isn't a perfect defense either, as the software which attempts to enforce the sandbox is itself subject to attack. And there are many components of a system which are user-installed but are not sandboxed (device drivers, maintenance utilities). As long as operating systems and applications are architected as they are, there will be vulnerabilities which are deception-based. The only defenses there are education and reputation.
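The byte-frequency "curve" idea described in the comment above, as an added example that is not part of the thread and is not McAfee's or Symantec's code: a baseline histogram is learned from constructed "clean" code sections, a sliding window over a target file is compared to it with a symmetric chi-square distance, and the window whose curve diverges most is reported. The skewed code alphabet, the appended XOR decryptor and the encrypted body are constructed stand-ins, and the 1.0 threshold is an illustrative assumption, not a tuned value.

```python
"""Added example: byte-frequency curve matching against a clean baseline.
All samples are constructed in-line; thresholds are illustrative assumptions."""
import math
import random
from collections import Counter

# Constructed stand-in for "what x86 code tends to look like": a small,
# skewed alphabet (0x00 padding, mov/call/jmp opcodes, ModRM bytes, ...).
CODE_ALPHABET = [0x00, 0x8B, 0x89, 0x45, 0xE8, 0xFF, 0x55, 0x8D,
                 0xC3, 0x83, 0x0F, 0x74, 0x75, 0x24, 0x48, 0x01]
CODE_WEIGHTS = [30, 12, 10, 8, 7, 7, 5, 5, 4, 3, 3, 2, 2, 1, 1, 1]


def byte_histogram(blob: bytes) -> list:
    """Relative frequency of each of the 256 byte values (sums to 1.0)."""
    counts = Counter(blob)
    n = len(blob) or 1
    return [counts.get(b, 0) / n for b in range(256)]


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: plain code and text sit well below the ~8.0 of cipher text."""
    return -sum(p * math.log2(p) for p in byte_histogram(blob) if p > 0)


def chi_square_distance(observed: list, expected: list) -> float:
    """Symmetric chi-square distance between two histograms: 0.0 for identical
    curves, at most 2.0 for curves with no byte values in common."""
    return sum((o - e) ** 2 / (o + e)
               for o, e in zip(observed, expected) if o + e > 0)


def baseline_histogram(clean_samples: list) -> list:
    """Average curve of known-good code sections."""
    hists = [byte_histogram(s) for s in clean_samples]
    return [sum(h[i] for h in hists) / len(hists) for i in range(256)]


def scan(blob: bytes, baseline: list, window: int = 256, step: int = 64) -> tuple:
    """Slide a window over the file; return (max_distance, offset) of the
    region whose byte curve deviates most from the baseline."""
    worst = (0.0, 0)
    for off in range(0, max(1, len(blob) - window + 1), step):
        d = chi_square_distance(byte_histogram(blob[off:off + window]), baseline)
        if d > worst[0]:
            worst = (d, off)
    return worst


def looks_infected(blob: bytes, baseline: list, threshold: float = 1.0) -> bool:
    """Assumed decision rule: some window's curve is far from clean code."""
    return scan(blob, baseline)[0] > threshold


def make_code(rng: random.Random, n: int) -> bytes:
    """Constructed clean code section drawn from the skewed alphabet."""
    return bytes(rng.choices(CODE_ALPHABET, weights=CODE_WEIGHTS, k=n))


def make_samples() -> tuple:
    """Constructed corpus: three clean files, one clean host, and the same host
    with a tiny decryptor stub and a near-uniform (encrypted) body appended."""
    rng = random.Random(2011)
    clean = [make_code(rng, 2048) for _ in range(3)]
    host = make_code(rng, 1536)
    # Constructed decryptor: mov esi,imm32 ; mov ecx,imm32 ; xor byte [esi],0x5A ; inc esi ; loop
    decryptor = bytes([0xBE, 0x00, 0x10, 0x40, 0x00, 0xB9, 0x00, 0x02, 0x00, 0x00,
                       0x80, 0x36, 0x5A, 0x46, 0xE2, 0xFA])
    encrypted_body = bytes(rng.randrange(256) for _ in range(512))
    infected = host + decryptor + encrypted_body
    return clean, host, infected


if __name__ == "__main__":
    clean, host, infected = make_samples()
    baseline = baseline_histogram(clean)
    for name, blob in (("host", host), ("infected", infected)):
        dist, off = scan(blob, baseline)
        print(f"{name}: worst window at {off}, distance {dist:.2f}, "
              f"entropy {shannon_entropy(blob[off:off + 256]):.2f} bits/byte")
```

The appended body has nothing in common with the code alphabet, so its windows land near the 2.0 ceiling while clean windows stay near zero; the decryptor stub alone is too small to move the curve, which is why the window, not the whole file, is what gets compared.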
Sigh (Score:5, Insightful)
I get real tired of this one. This naive geek idea that OSes can be made perfect and somehow immune to viruses. News flash: They can't, at least not if you wish to keep the ability to run arbitrary code. The only way to make an OS safe against viruses is the Apple "walled garden" idea where only authorized apps run. Even then, you could potentially sneak something by the authority that says if apps are ok. However so long as you can run arbitrary code, you can run evil code. There is no evil bit, the computer will execute anything it is given.
Please remember when talking about malware as opposed to worms you are talking about stuff that comes in to the computer through user action. It is bundled with an application, or is an app all by itself. The user downloads and runs it. There is no patching against that.
Also you have the silly idea of "if something isn't 100% effective it shouldn't be used." Bullshit. Look at security in the real world some day, where there is no such thing, ever, as perfect security. You get used to the concept that everything is fallible and you need defense in depth. Virus scanners help provide that defense in depth. They scan incoming things for known threats (by the way good ones are updated more than once a day). It is not your only line of defense, but one of them.
Run a virus scanner, and run as a deprivileged user, and patch your OS, and make sure to get software from trusted sources, and monitor your system, and so on. Don't have a defense, have layers. Only then do you have a real security solution.
PS, web executables can be sandboxed on Windows, IE does this, other browsers just don't care to use the interface to do so.
Re: (Score:2)
How many infected windows installs have you found where Norton took a head-shot, or some kind of AV *was* installed at one time but got smoked?
Normally it is because the AV subscription hasn't been paid up. I don't think I have seen an infection on a computer with a working anti-virus.
Then again, if you are basing this on Norton, well, yeah, then all AVs are crap if you only judge them by Norton; they may have name recognition, but that is about all.
Re: (Score:2)
Best clean-up I ever did was a Norton install done by my father-in-law's 'computer guy', complete with trojan masquerading as a key generator.
Re: (Score:2)
You hit the nail almost on the head. I work in IT, and I see a lot of dumb stuff happen because people trust their computers to magically keep them safe.
AV software usually has features that plug some of the holes - like blocking IRC communication, or preventing execution of attachments, or things in temp folders, or things on network shares. You have to configure it right. That's not a skill most users are going to have, unfortunately. The overhead of doing all this can be pretty intense sometimes, too, wh
Re: (Score:2)
There was a guy in one place where I worked who would constantly click on shit he shouldn't have, and so a lot of time was spent helping him out. He got infected by one trojan that had a chopped-up payload, so when you got rid of the main program it would just piece it together from bits scattered over the drive, registry entries, etc. on reboot.
Someone in the office probably gave it to him. It was insidious.
What? (Score:2)
Hey... grep can only do so much... (Score:2)
One has to wonder, as viruses get more sophisticated and are able to obfuscate their own signatures, what methods are going to be utilized in the future to detect them... because I can't see it.
For some reason, this is reminding me of the Turing Halting Problem.
And even trying to practice safe web surfing habits isn't always effective. I have seen a virus get onto a work computer that was behind the company's firewall, where the user did not install any software at all, used mozilla for 100% of his b
Re: (Score:2)
One has to wonder, as viruses get more sophisticated and are able to obfuscate their own signatures, what methods are going to be utilized in the future to detect them... because I can't see it.
I wrote the first heuristic AV program back in the late 80s, which would not just look at signatures, but what the code actually did and whether THAT posed a risk. A mini disassembler and risk analysis tool, if you like.
Unfortunately, it requires that the user doesn't blindly trust the AV software, but makes decisions too. Perhaps there's a good reason why a program would patch an IO vector, and the AV software can not know this for certain. But it can point it out.
AV software can also patch an OS to mak
Doubled in July? (Score:2)
[grammar_nazi_mode=ON]
This may win me the pedant of the year award, but the summary says "The level ... doubled in July, when compared to figures from six months ago." This is incorrect and doesn't even make sense. Reading the original article reveals the truth. The level doubled in the six months leading up to July. I suppose it's theoretically possible that the level stayed perfectly flat for 5 months, then suddenly doubled, but I think the article would have mentioned that.
[grammar_nazi_mode=OFF]
This headline brought to you by the year 1989 (Score:2)
And the 1260 [wikipedia.org] virus.
The 'methods' of encryption have changed (once was ZIP, now ZIP AND PDF, requiring a PDF reader in addition to ZIP libraries), but the concept isn't new, and I'm surprised it has not been in continuous use since then.
And this passes as either new or unusual for /.? Doubling the detection volume for a month? July? And July isn't even over yet?
So was it the word 'darwinian' that justified this as interesting?
feh.
ahhh (Score:2)
I've been wondering about this for 13 years now (when I started learning z80 and 68k assembly) if antivirus software was smart enough to analyze for things like:
jmp lbl_1
.ds 50 /* declare 50 bytes of storage */
lbl_1:
And those 50 bytes are filled in with random patterns. But this article makes it sound like there are multiple jumps that are being generated which I've also considered. Or dummy for loops.
I'm surprised virus writers are only starting to do this. Any assembly coder worth his salt sho
Re: (Score:2)
Sorry, there should be a carriage return between the "jmp lbl_1" and the ".ds 50".
Re: (Score:2)
Competent malware authors have been doing this for many years.
The news is the techniques are becoming more common even amongst the level that produces stuff Symantec can actually catch.
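The jump-over-junk technique sketched in the comments above, as an added example that is not part of the thread: a toy polymorphic "engine" threads one fixed payload through random-length junk blocks, each skipped with a real x86 `jmp rel8` (opcode `EB` followed by a signed 8-bit displacement), so no two generations share a file hash or a contiguous byte signature. Beside it sits the scanner-side answer: follow the jumps and match on the bytes that would actually execute. The three-instruction payload is a constructed stand-in, not malware, and the "normaliser" only decodes `EB xx`, which is enough for this engine and nothing more.

```python
"""Added example: toy jump-over-junk polymorphic engine and a scanner that
linearises the executed path before matching. Payload is a constructed stand-in."""
import hashlib
import random

JMP_REL8 = 0xEB
# Constructed payload: mov eax,1 ; xor ebx,ebx ; ret  (contains no 0xEB byte)
PAYLOAD_INSNS = [b"\xb8\x01\x00\x00\x00", b"\x31\xdb", b"\xc3"]
PAYLOAD = b"".join(PAYLOAD_INSNS)


def generate(rng: random.Random) -> bytes:
    """One generation: before every payload instruction, a 'jmp +n' over n
    random bytes that never execute. Junk size and content change each time,
    so the payload never appears as one contiguous run of bytes."""
    out = bytearray()
    for insn in PAYLOAD_INSNS:
        n = rng.randrange(1, 128)                          # rel8 reaches at most +127
        out += bytes([JMP_REL8, n])
        out += bytes(rng.randrange(256) for _ in range(n))  # junk, skipped at run time
        out += insn
    return bytes(out)


def matches_signature(code: bytes) -> bool:
    """What a plain string scanner does: look for the payload as one byte run."""
    return PAYLOAD in code


def executed_bytes(code: bytes, limit: int = 4096) -> bytes:
    """Linearise the path a CPU would take from offset 0: follow 'jmp rel8',
    drop the bytes it skips, copy everything else. This toy decodes only EB xx;
    a real emulator would decode every opcode. Loops and out-of-range targets
    stop the walk so hostile input cannot spin it forever."""
    out = bytearray()
    pos, seen = 0, set()
    while pos < len(code) and len(out) < limit:
        if code[pos] == JMP_REL8 and pos + 1 < len(code):
            disp = code[pos + 1]
            disp = disp - 256 if disp > 127 else disp      # rel8 is signed
            target = pos + 2 + disp
            if target in seen or not 0 <= target <= len(code):
                break
            seen.add(target)
            pos = target
            continue
        out.append(code[pos])
        pos += 1
    return bytes(out)


def matches_normalised(code: bytes) -> bool:
    """The same signature applied to the executed path instead of the raw file."""
    return PAYLOAD in executed_bytes(code)


def demo(seed: int = 2011, generations: int = 5) -> dict:
    """Produce several generations and count how each scanner fares."""
    rng = random.Random(seed)
    samples = [generate(rng) for _ in range(generations)]
    return {
        "distinct_sha256": len({hashlib.sha256(s).hexdigest() for s in samples}),
        "raw_signature_hits": sum(matches_signature(s) for s in samples),
        "normalised_hits": sum(matches_normalised(s) for s in samples),
        "lengths": [len(s) for s in samples],
    }


if __name__ == "__main__":
    print(demo())
```

Every generation hashes differently and the raw signature never fires, while the normalised scan catches all of them; a real engine would additionally encrypt the body and vary the decryptor, which is why shipping scanners pair this kind of light emulation with the curve and entropy heuristics discussed elsewhere in the thread rather than relying on either alone.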
Polymorphic is old news (Score:2)
MS-DOS had polymorphic viruses in the early '90s.
powerful Darwinian forces (Score:2)
Then these must affect OS X.....
I suppose we should be thankful he didn't go for something like:
These Darwinian forces are causing an acceleration of Moore's Law in the prevalence of super-intelligent malware.
sigh.
"OMG WTF PDF" lecture (Score:2)
If you're wondering what they're talking about you should watch this video. http://www.youtube.com/watch?v=54XYqsf4JEY [youtube.com]
For a demo, see the 38:00 mark. The Windows "calc.exe" is modified to be simultaneously a valid Windows exe, a valid zip archive, and a valid PDF. The same file can appear benign to anti-virus tools even though there is malware contained in the file when interpreted in certain ways.
-molo
Re: (Score:2)
The problem is you can hide different payloads in each, including malware. If a program (or antivirus) treats it as one file type and not the other, then the remaining data will be ignored.
-molo
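The two file-format tricks this thread keeps returning to, the summary's "executable within an attached ZIP file disguised as a PDF" and the EXE/ZIP/PDF polyglot described in the post above, as one added example that is not part of the thread or the linked talk: a triage routine that reports every format whose marker sits where that format's own parser looks for it, and, for anything that parses as a ZIP, flags members that are executables dressed up as documents. The sample ZIP and polyglot are constructed in-line, and the extension lists are illustrative assumptions rather than a complete policy.

```python
"""Added example: attachment triage for polyglots and disguised executables.
Samples are constructed in-line; extension lists are illustrative assumptions."""
import io
import zipfile

EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt")


def format_markers(blob: bytes) -> set:
    """Formats whose magic is present where the corresponding reader checks:
    Windows wants 'MZ' at offset 0, Adobe Reader tolerates '%PDF-' anywhere in
    the first 1024 bytes, and ZIP readers locate the archive from the
    end-of-central-directory record near the end of the file. One blob can
    satisfy all three, and a scanner that commits to a single type misses the rest."""
    found = set()
    if blob[:2] == b"MZ":
        found.add("exe")
    if b"%PDF-" in blob[:1024]:
        found.add("pdf")
    if b"PK\x05\x06" in blob[-(22 + 65535):]:   # EOCD is 22 bytes plus an optional comment
        found.add("zip")
    return found


def suspicious_zip_members(blob: bytes) -> list:
    """(member name, reason) for members that look like disguised executables:
    a document extension followed by an executable one, or an 'MZ' header
    behind a non-executable name. Reads only two bytes of each member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            stem, dot, ext = lower.rpartition(".")
            ext = dot + ext if dot else ""       # '' when there is no extension at all
            if ext in EXECUTABLE_EXTS and stem.endswith(DOCUMENT_EXTS):
                findings.append((info.filename, "double extension"))
            with zf.open(info) as member:
                magic = member.read(2)
            if magic == b"MZ" and ext not in EXECUTABLE_EXTS:
                findings.append((info.filename, "MZ header under non-executable name"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment: 'invoice.pdf.exe' with a fake MZ stub, a member
    with an MZ header hiding under a .pdf name, and a harmless text note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x90" * 64)
        zf.writestr("readme.pdf", b"MZ" + b"\x00" * 16)
        zf.writestr("notes.txt", b"Please see the attached invoice.\n")
    return buf.getvalue()


def build_sample_polyglot() -> bytes:
    """Constructed polyglot: an MZ stub at offset 0, a PDF header inside the
    first 1 KiB, then the whole ZIP appended, so each parser sees 'its' file.
    zipfile handles the prepended bytes the same way it handles self-extractors."""
    mz_stub = b"MZ" + b"\x00" * 62
    pdf_part = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    return mz_stub + pdf_part + build_sample_zip()


if __name__ == "__main__":
    blob = build_sample_polyglot()
    formats = format_markers(blob)
    print("formats present:", sorted(formats))
    if "zip" in formats:
        for name, reason in suspicious_zip_members(blob):
            print(f"suspicious member {name!r}: {reason}")
```

The useful output is the set, not a single verdict: an attachment that is simultaneously "exe", "pdf" and "zip" is already worth quarantining whatever its members contain, and the member check catches the plain `invoice.pdf.exe` case even when the archive is nothing more exotic than a ZIP.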
Is it time for digital postage yet? (Score:2)
Between the spam and viruses, perhaps the time has come for some sort of digital postage? Its been discussed and shot down before but its reached a point where the ongoing costs of fighting spam, viruses and malware are outpacing previously proposed pricing for emails. It just seems ridiculous that I end up spending so much time and effort with my clients just trying to keep up with idiots who want to fuck up peoples computers and dealing with the ignorant (who admittedly shouldn't have to know all about
what about the malware called norton (Score:2)
you can uninstall it, delete it, manually remove it from the registry, use specialized tools, and even beg for the authors to provide help , but BAM there is a fucking windows installer asking you to insert the disk every time you fart
Re: (Score:2)
As an antivirus author myself, I think that antivirus programs are partly to blame. They give people a false sense of security, believing they cannot get a virus if they have an antivirus program. So they let all caution out the door; it becomes the responsibility of the AV program to keep them safe.
It's as mindboggling as if people thought that wearing a seat belt and having air bags means they can drive without looking at the road. Mind, there seems to be a few drivers like that.
Re: (Score:2)
All perl code looks polymorphic to me. I don't ever recall seeing the same perl code twice.
Re: (Score:2)
By not allowing scripted languages to be executed without permission.
SElinux does a lot of good here, and I wish OS-X had it. Anything you get from your browser or e-mail app will (on a strict system) not be allowed to do anything until you change the context, and depending on the context you set it to, even then it can be prevented from many actions. Like writing to /bin or /usr/bin or making a network connection, even if run as root.
even then they can still F* user data (Score:2)
even then they can still F* user data and maybe even infect data files.
Re: (Score:2)
- Your friendly neighborhood dead beet
Re: (Score:2)
He's doing the exact same things corporations have done for hundreds of years. They've shrugged off their debts and destroyed our money, and I find it a bit difficult to speak out against someone who's decided to do the same thing back to them.
Re: (Score:2)
When an individual does it, they are a deadbeat; when a corporation does it [they are also a deadbeat, but] they get a bailout and the CEO gets a huge bonus.
Is more to my liking.
As much pizza as I would like to eat, I still can't get up to "too big to fail" size.