Entries Tagged "antivirus"

Page 3 of 5

New Windows Attack

It’s still only in the lab, but nothing detects it right now:

The attack is a clever “bait-and-switch” style move. Harmless code is passed to the security software for scanning, but as soon as it’s given the green light, it’s swapped for the malicious code. The attack works even more reliably on multi-core systems because one thread doesn’t keep an eye on other threads that are running simultaneously, making the switch easier.

The attack, called KHOBE (Kernel HOok Bypassing Engine), leverages a Windows module called the System Service Descriptor Table, or SSDT, which is hooked up to the Windows kernel. Unfortunately, SSDT is utilized by antivirus software.

Posted on May 14, 2010 at 11:50 AMView Comments

Is Antivirus Dead?

This essay previously appeared in Information Security Magazine, as the second half of a point-counterpoint with Marcus Ranum. You can read his half here as well.

Security is never black and white. If someone asks, “for best security, should I do A or B?” the answer almost invariably is both. But security is always a trade-off. Often it’s impossible to do both A and B—there’s no time to do both, it’s too expensive to do both, or whatever—and you have to choose. In that case, you look at A and B and you make you best choice. But it’s almost always more secure to do both.

Yes, antivirus programs have been getting less effective as new viruses are more frequent and existing viruses mutate faster. Yes, antivirus companies are forever playing catch-up, trying to create signatures for new viruses. Yes, signature-based antivirus software won’t protect you when a virus is new, before the signature is added to the detection program. Antivirus is by no means a panacea.

On the other hand, an antivirus program with up-to-date signatures will protect you from a lot of threats. It’ll protect you against viruses, against spyware, against Trojans—against all sorts of malware. It’ll run in the background, automatically, and you won’t notice any performance degradation at all. And—here’s the best part—it can be free. AVG won’t cost you a penny. To me, this is an easy trade-off, certainly for the average computer user who clicks on attachments he probably shouldn’t click on, downloads things he probably shouldn’t download, and doesn’t understand the finer workings of Windows Personal Firewall.

Certainly security would be improved if people used whitelisting programs such as Bit9 Parity and Savant Protection—and I personally recommend Malwarebytes’ Anti-Malware—but a lot of users are going to have trouble with this. The average user will probably just swat away the “you’re trying to run a program not on your whitelist” warning message or—even worse—wonder why his computer is broken when he tries to run a new piece of software. The average corporate IT department doesn’t have a good idea of what software is running on all the computers within the corporation, and doesn’t want the administrative overhead of managing all the change requests. And whitelists aren’t a panacea, either: they don’t defend against malware that attaches itself to data files (think Word macro viruses), for example.

One of the newest trends in IT is consumerization, and if you don’t already know about it, you soon will. It’s the idea that new technologies, the cool stuff people want, will become available for the consumer market before they become available for the business market. What it means to business is that people—employees, customers, partners—will access business networks from wherever they happen to be, with whatever hardware and software they have. Maybe it’ll be the computer you gave them when you hired them. Maybe it’ll be their home computer, the one their kids use. Maybe it’ll be their cell phone or PDA, or a computer in a hotel’s business center. Your business will have no way to know what they’re using, and—more importantly—you’ll have no control.

In this kind of environment, computers are going to connect to each other without a whole lot of trust between them. Untrusted computers are going to connect to untrusted networks. Trusted computers are going to connect to untrusted networks. The whole idea of “safe computing” is going to take on a whole new meaning—every man for himself. A corporate network is going to need a simple, dumb, signature-based antivirus product at the gateway of its network. And a user is going to need a similar program to protect his computer.

Bottom line: antivirus software is neither necessary nor sufficient for security, but it’s still a good idea. It’s not a panacea that magically makes you safe, nor is it is obsolete in the face of current threats. As countermeasures go, it’s cheap, it’s easy, and it’s effective. I haven’t dumped my antivirus program, and I have no intention of doing so anytime soon.

Posted on November 10, 2009 at 6:31 AMView Comments

Benevolent Worms

This is a stupid idea:

Milan Vojnovic and colleagues from Microsoft Research in Cambridge, UK, want to make useful pieces of information such as software updates behave more like computer worms: spreading between computers instead of being downloaded from central servers.

The research may also help defend against malicious types of worm, the researchers say.

Software worms spread by self-replicating. After infecting one computer they probe others to find new hosts. Most existing worms randomly probe computers when looking for new hosts to infect, but that is inefficient, says Vojnovic, because they waste time exploring groups or “subnets” of computers that contain few uninfected hosts.

This idea pops up every few years. This is what I wrote back in 2003, updating something I wrote in 2000:

This is tempting for several reasons. One, it’s poetic: turning a weapon against itself. Two, it lets ethical programmers share in the fun of designing worms. And three, it sounds like a promising technique to solve one of the nastiest online security problems: patching or repairing computers’ vulnerabilities.

Everyone knows that patching is in shambles. Users, especially home users, don’t do it. The best patching techniques involve a lot of negotiation, pleading, and manual labor…things that nobody enjoys very much. Beneficial worms look like a happy solution. You turn a Byzantine social problem into a fun technical problem. You don’t have to convince people to install patches and system updates; you use technology to force them to do what you want.

And that’s exactly why it’s a terrible idea. Patching other people’s machines without annoying them is good; patching other people’s machines without their consent is not. A worm is not “bad” or “good” depending on its payload. Viral propagation mechanisms are inherently bad, and giving them beneficial payloads doesn’t make things better. A worm is no tool for any rational network administrator, regardless of intent.

A good software distribution mechanism has the following characteristics:

  1. People can choose the options they want.
  2. Installation is adapted to the host it’s running on.
  3. It’s easy to stop an installation in progress, or uninstall the software.
  4. It’s easy to know what has been installed where.

A successful worm, on the other hand, runs without the consent of the user. It has a small amount of code, and once it starts to spread, it is self-propagating, and will keep going automatically until it’s halted.

These characteristics are simply incompatible. Giving the user more choice, making installation flexible and universal, allowing for uninstallation—all of these make worms harder to propagate. Designing a better software distribution mechanism, makes it a worse worm, and vice versa. On the other hand, making the worm quieter and less obvious to the user, making it smaller and easier to propagate, and making it impossible to contain, all make for bad software distribution.

EDITED TO ADD (2/19): This is worth reading on the topic.

EDITED TO ADD (2/19): Microsoft is trying to dispel the rumor that it is working on this technology.

EDITED TO ADD (2/21): Using benevolent worms to test Internet censorship.

EDITED TO ADD (3/13): The benveolent W32.Welchia.Worm, intended to fix Blaster-infected systems, just created havoc.

Posted on February 19, 2008 at 6:57 AMView Comments

Is Sears Engaging in Criminal Hacking Behavior?

Join “My SHC Community” on Sears.com, and the company will install some pretty impressive spyware on your computer:

Sears.com is distributing spyware that tracks all your Internet usage – including banking logins, email, and all other forms of Internet usage – all in the name of “community participation.” Every website visitor that joins the Sears community installs software that acts as a proxy to every web transaction made on the compromised computer. In other words, if you have installed Sears software (“the proxy”) on your system, all data transmitted to and from your system will be intercepted. This extreme level of user tracking is done with little and inconspicuous notice about the true nature of the software. In fact, while registering to join the “community,” very little mention is made of software or tracking. Furthermore, after the software is installed, there is no indication on the desktop that the proxy exists on the system, so users are tracked silently.

Here is a summary of what the software does and how it is used. The proxy:

  1. Monitors and transmits a copy of all Internet traffic going from and coming to the compromised system.
  2. Monitors secure sessions (websites beginning with ‘https’), which may include shopping or banking sites.
  3. Records and transmits “the pace and style with which you enter information online…”
  4. Parses the header section of personal emails.
  5. May combine any data intercepted with additional information like “select credit bureau information” and other sources like “consumer preference reporting companies or credit reporting agencies”.

    If a kid with a scary hacker name did this sort of thing, he’d be arrested. But this is Sears, so who knows what will happen to them. But what should happen is that the anti-spyware companies should treat this as the malware it is, and not ignore it because it’s done by a Fortune 500 company.

    Posted on January 3, 2008 at 11:02 AMView Comments

    Targeted Phishing from Salesforce.com Leak

    From Slashdot:

    Salesforce.com has finally acknowledged what security experts have suspected for weeks: that a Salesforce.com employee had his company credentials stolen
    in a phishing scam, and criminals have been using names and e-mail addresses from Salesforce’s customer list to conduct other highly targeted phishing attacks, including the recent round of fake e-mails apparently from the Federal Trade Commission.” In such hightly targeted attacks, the AV companies are at a loss—they have little chance of quickly developing signatures for threats that only reach a few thousand victims.

    Posted on November 8, 2007 at 7:33 AMView Comments

    The Storm Worm

    The Storm worm first appeared at the beginning of the year, hiding in e-mail attachments with the subject line: “230 dead as storm batters Europe.” Those who opened the attachment became infected, their computers joining an ever-growing botnet.

    Although it’s most commonly called a worm, Storm is really more: a worm, a Trojan horse and a bot all rolled into one. It’s also the most successful example we have of a new breed of worm, and I’ve seen estimates that between 1 million and 50 million computers have been infected worldwide.

    Old style worms—Sasser, Slammer, Nimda—were written by hackers looking for fame. They spread as quickly as possible (Slammer infected 75,000 computers in 10 minutes) and garnered a lot of notice in the process. The onslaught made it easier for security experts to detect the attack, but required a quick response by antivirus companies, sysadmins and users hoping to contain it. Think of this type of worm as an infectious disease that shows immediate symptoms.

    Worms like Storm are written by hackers looking for profit, and they’re different. These worms spread more subtly, without making noise. Symptoms don’t appear immediately, and an infected computer can sit dormant for a long time. If it were a disease, it would be more like syphilis, whose symptoms may be mild or disappear altogether, but which will eventually come back years later and eat your brain.

    Storm represents the future of malware. Let’s look at its behavior:

    1. Storm is patient. A worm that attacks all the time is much easier to detect; a worm that attacks and then shuts off for a while hides much more easily.
    2. Storm is designed like an ant colony, with separation of duties. Only a small fraction of infected hosts spread the worm. A much smaller fraction are C2: command-and-control servers. The rest stand by to receive orders. By only allowing a small number of hosts to propagate the virus and act as command-and-control servers, Storm is resilient against attack. Even if those hosts shut down, the network remains largely intact, and other hosts can take over those duties.
    3. Storm doesn’t cause any damage, or noticeable performance impact, to the hosts. Like a parasite, it needs its host to be intact and healthy for its own survival. This makes it harder to detect, because users and network administrators won’t notice any abnormal behavior most of the time.
    4. Rather than having all hosts communicate to a central server or set of servers, Storm uses a peer-to-peer network for C2. This makes the Storm botnet much harder to disable. The most common way to disable a botnet is to shut down the centralized control point. Storm doesn’t have a centralized control point, and thus can’t be shut down that way.

      This technique has other advantages, too. Companies that monitor net activity can detect traffic anomalies with a centralized C2 point, but distributed C2 doesn’t show up as a spike. Communications are much harder to detect.

      One standard method of tracking root C2 servers is to put an infected host through a memory debugger and figure out where its orders are coming from. This won’t work with Storm: An infected host may only know about a small fraction of infected hosts—25-30 at a time—and those hosts are an unknown number of hops away from the primary C2 servers.

      And even if a C2 node is taken down, the system doesn’t suffer. Like a hydra with many heads, Storm’s C2 structure is distributed.

    5. Not only are the C2 servers distributed, but they also hide behind a constantly changing DNS technique called “fast flux.” So even if a compromised host is isolated and debugged, and a C2 server identified through the cloud, by that time it may no longer be active.
    6. Storm’s payload—the code it uses to spread—morphs every 30 minutes or so, making typical AV (antivirus) and IDS techniques less effective.
    7. Storm’s delivery mechanism also changes regularly. Storm started out as PDF spam, then its programmers started using e-cards and YouTube invites—anything to entice users to click on a phony link. Storm also started posting blog-comment spam, again trying to trick viewers into clicking infected links. While these sorts of things are pretty standard worm tactics, it does highlight how Storm is constantly shifting at all levels.
    8. The Storm e-mail also changes all the time, leveraging social engineering techniques. There are always new subject lines and new enticing text: “A killer at 11, he’s free at 21 and …,” “football tracking program” on NFL opening weekend, and major storm and hurricane warnings. Storm’s programmers are very good at preying on human nature.
    9. Last month, Storm began attacking anti-spam sites focused on identifying it—spamhaus.org, 419eater and so on—and the personal website of Joe Stewart, who published an analysis of Storm. I am reminded of a basic theory of war: Take out your enemy’s reconnaissance. Or a basic theory of urban gangs and some governments: Make sure others know not to mess with you.

    Not that we really have any idea how to mess with Storm. Storm has been around for almost a year, and the antivirus companies are pretty much powerless to do anything about it. Inoculating infected machines individually is simply not going to work, and I can’t imagine forcing ISPs to quarantine infected hosts. A quarantine wouldn’t work in any case: Storm’s creators could easily design another worm—and we know that users can’t keep themselves from clicking on enticing attachments and links.

    Redesigning the Microsoft Windows operating system would work, but that’s ridiculous to even suggest. Creating a counterworm would make a great piece of fiction, but it’s a really bad idea in real life. We simply don’t know how to stop Storm, except to find the people controlling it and arrest them.

    Unfortunately we have no idea who controls Storm, although there’s some speculation that they’re Russian. The programmers are obviously very skilled, and they’re continuing to work on their creation.

    Oddly enough, Storm isn’t doing much, so far, except gathering strength. Aside from continuing to infect other Windows machines and attacking particular sites that are attacking it, Storm has only been implicated in some pump-and-dump stock scams. There are rumors that Storm is leased out to other criminal groups. Other than that, nothing.

    Personally, I’m worried about what Storm’s creators are planning for Phase II.

    This essay originally appeared on Wired.com.

    EDITED TO ADD (10/17): Storm is being partitioned, presumably so parts can be sold off. If that’s true, we should expect more malicious activitity out of Storm in the future; anyone buying a botnet will want to use it.

    Slashdot thread on Storm.

    EDITEDT TO ADD (10/22): Here’s research that suggests Storm is shinking.

    EDITED T OADD (10/24): Another article about Storm striking back at security researchers.

    Posted on October 4, 2007 at 6:00 AMView Comments

    Ransomware

    Computer security people have been talking about this for years, but only recently are we seeing it in the wild: software that encrypts your data, and then charges you for the decryption key.

    PandaLabs points out that this is not the first time such a Trojan has made the rounds, citing PGPCoder as having a “long record on the ransomware scene.” Ransom.A is another Trojan that presented to the user both a shorter time frame and a significantly lower bounty—a file was to be deleted every 30 minutes unless the user paid up the ransom of $10.99. Finally, Arhiveus.A also encrypted user files, but instead of demanding money, instead demanded that the user purchase products from an online drug store.

    There appears to be no information available regarding what happens when the user attempts to contact the address in the e-mail or whether the alleged decrypting software actually does the job it’s supposed to do. Gostev places a strong warning on his blog, however, saying that if you find yourself infected with Sinowal.FY, Gpcode.ai, or any other type of ransomware, do not pay up “under any circumstances.” It also doesn’t appear as if there is currently any antivirus solution that can help decrypt the files once they are encrypted, although Gostev says that the Kaspersky Lab team is currently working on a decryption routine.

    Posted on July 23, 2007 at 6:08 AMView Comments

    1 2 3 4 5

    Sidebar photo of Bruce Schneier by Joe MacInnis.