Buffer Overflow Protection

Discussion in 'other security issues & news' started by richrf, May 25, 2005.

Thread Status:
Not open for further replies.
  1. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Thanks, Kareldjag, good articles. I never expected Attack Shield to stop all buffer overflows, but it looks like I was right that it still wouldn't be able to compromise the machine by the buffer overflow, just crash it (according to the article.)
     
  2. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Thanks for the info guys, much appreciated.

    In relation to CN232 :)

    I agree that the information was not quite accurate. The boundary between worms and trojans has been blurring recently, with trojans employing worm abilities and vice versa. Nor did I mean to suggest that a worm must use buffer overflow.

    A script can be a worm....eg in relation to the second part of your quote, the worm was a 376-byte script (I think it was 376 bytes...very small in any case....I can't remember its name, it was a port scanning worm <edit:close>, that infected via buffer overflow, then replicated itself by using the infected machine/server to scan for more vulnerable machines. Some site posted its script and explained how it worked. Can't find the site atm...came across it on my wanderings)

    Personally I don't understand why there is any differentiation between a worm and a trojan...except to make it clear that some trojans target vulnerabilities in the OS to replicate/work - ie worm.

    Anyway, thanks for all the extra info on buffer overflows :)

    edit : Ah found it, it was Slammer http://www.viruslist.com/en/hackers/info?chapter=153349777 and
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SQLP1434.A&VSect=T . Not the site that showed the script, but matches what I said :)

    edit again : the actual site http://www.wired.com/wired/archive/11.07/slammer.html
    presuming the code is harmless now, because it's been patched, with no similar outbreaks in last couple of years
     
    Last edited: May 25, 2005
  3. CN232

    CN232 Guest

    http://www.sanasecurity.com/common/files/AttackShieldWSAdministrator2_0.pdf

    Look under configuring executables.

    Nice batch of articles on http://www.sanasecurity.com/resources/collateral.php
    below "true intrusion protection software" , which briefly explains what attackshield does and talks about buffer overflow protection methods. As already mentioned it doesn't directly address buffer overflow, but watches for suspicious activity.

    There's also a nice independent paper out that compared the strengths of stackguard, overflowguard and a couple of others, with the final conclusion that none of them block everything.
     
  4. CN232

    CN232 Guest

     
  5. CN232

    CN232 Guest

    It's not only security apps. Even normal apps that are trusted to run without running as a service can cause damage. A very good reason to practice safehex even if you use PG!!
     
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Thank you very much!

    A trojan is one part: software. It requires the user to run it and typically sets up shop and does not spread by itself. It spreads by making you think it's something you want so you will run it.

    A worm is 5 parts: warhead (this is where the buffer overflow would be, it's the part that forces the rest into your system), propagation engine, target selection engine, scanning engine, and payload (this could very well be a trojan.) A worm is self-replicating and typically does not require user interaction to spread. It also typically spreads through networks, scanning for vulnerable targets.

    Anyone interested in more info may want to read Malware: Fighting Malicious Code
     
  7. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi all,

    Since there are many ways to infest a computer, my own preference is for tools like ProcessGuard, WormGuard, and KAV that can detect before the malware starts doing its dirty work. Even RegDefend is more of an "after the fact", though it is pro-active in regards to the registry itself, and therefore I consider it a good second line of defense after PG and WormGuard.

    With that in mind, I was looking at ActiveShield, and it appears to be a more second-line of defense type of product since the malware is already executing and Active Shield will block any abnormal types of execution calls. While it is still not clear to me the exact mechanics of the software, from the documentation, there is a clue:

    "Code injections that originate system calls from read/write memory (heap, stack, or static memory), are blocked."

    This would seem to apply to all types of malware and appears to substantially overlap with ProcessGuard. I would appreciate it if anyone would correct me if I am wrong.

    In regards to protecting against malware execution more "upstream", clearly KAV, BOClean, Ewido are excellent at this, though are limited to their own signatures and possible heuristics. ProcessGuard is pretty strong. However, I would appreciate comments concerning upstream protection against other possible attack strategies such as worms.

    I have WormGuard in place, and my experiences with it lead me to believe it is highly competent. I have also been looking at RegRun which seems to have script protection but I was wondering if it is more or less than what WormGuard provides. Also, RegRun appears to have more "downstream" protection such as protecting folders/files which seems interesting as a second line of defense (especially considering current discussions regarding RegDefend and the possible desirability to monitor its Registry Groups). Any comments would be appreciated.

    Thanks,
    Rich
     
  8. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Cluelessnewbie, with insightful posts like that, you're going to have to change your name... :)

    The best defence against buffer overflows is to only use software that does not have such vulnerabilities (i.e. where every data input is properly restricted to prevent overflow). Since this comes down (in part) to program design, it means using as few programs as possible and using smaller ones (which, all things being equal, will have fewer bugs than larger ones) that suffice to do the job needed.

    One good example is browsers. Firefox 1.0.4's installer for Windows is 4.7MB. Opera 8.0 for Windows is 3.6MB. Internet Explorer has no installer, being bundled with Windows itself, but IE6 Service Pack 1 can be anything from a 480K to 75MB download. As such we can conclude that IE has a codebase at least 15x the size of Firefox and 18x the size of Opera - and assuming that Microsoft's coding quality is up to that of the Firefox or Opera teams *cue hysterical laughter* that means one can expect 15x the number of vulnerabilities (the number of discovered ones to date has been rather less - so either IE is better written than I am giving MS credit for, or most of the problems have yet to surface).

    The next best defence is to restrict what data can come in, which is where a firewall can help. As long as the firewall has no buffer overflow problems itself (Kerio 2.x and Black Ice 3.x being the only personal firewalls I know of with such bugs to date), it can block unsolicited incoming packets which is how most buffer overflows are exploited. It should be noted that PCs can be better secured in this regard since they do not have to respond to unsolicited requests while servers do - which is why most buffer overflow attacks have been accomplished against servers (including Slammer which targeted MS SQL Server) and why they have been more of an issue in the Unix/Linux world to date (more servers using these OSes).

    Aside from unsolicited packets, the only remaining avenues of attack require the victim to take some action - e.g. to visit a specially crafted webpage that can exploit IE's HTML Elements Buffer Overflow Vulnerability or to download a file containing a trojan. Web filters (like Proxomitron) can, to some extent, counter known HTML exploits and (by filtering ActiveX, etc) reduce the scope of webpages to cause mischief while AV/AT scanners can detect known malware. At this point, anything using a buffer-overflow exploit has to pass a number of hurdles to get a chance to run - so it can be seen as just another possible characteristic of malware, like rootkits or DLL/code injectors.

    The most dangerous aspect of buffer overflows (I keep typing "bugger" here, must be a Freudian slip!) is for servers which have to be open to incoming packets from the Internet. This means that successful attacks can propagate from server to server very quickly. A well configured personal firewall (or router firewall for that matter) should block the vast majority of in-the-wild exploits making them less likely for security-conscious PC users.
     
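    The point Paranoid2000 makes about software "where every data input is properly restricted to prevent overflow" is concrete enough to show in code. The following is an added example written for this thread, not code from any poster or product mentioned here: a fixed-size buffer filled first by an unchecked copy (the bug class), then by a copy that refuses input it cannot hold, plus a reader for a length-prefixed record of the kind a network service might receive, which checks the declared length against both the bytes actually received and the destination capacity. The record format, the 16-byte buffer size and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_CAP 16   /* constructed fixed-size buffer; the capacity the code must enforce */

/* Vulnerable form: nothing restricts the input length. A source longer than
 * NAME_CAP-1 bytes writes past the end of dst; on the stack that corrupts
 * neighbouring variables and the saved return address. */
void copy_name_unchecked(char dst[NAME_CAP], const char *src)
{
    strcpy(dst, src);   /* copies until the NUL, regardless of dst's size */
}

/* Hardened form: the caller passes the capacity and the function rejects,
 * rather than silently truncates, input that does not fit. Returns 0 on
 * success and -1 on rejection; dst is left untouched when rejected. */
int copy_name_checked(char *dst, size_t cap, const char *src)
{
    if (dst == NULL || src == NULL || cap == 0)
        return -1;
    size_t n = 0;
    while (n < cap && src[n] != '\0')   /* never scans beyond cap bytes */
        n++;
    if (n == cap)                       /* too long, or no room for the NUL */
        return -1;
    memcpy(dst, src, n + 1);            /* copy including the terminating NUL */
    return 0;
}

/* Constructed record format: byte 0 = declared payload length, bytes 1.. =
 * payload. A naive reader trusts the declared length; this one checks it
 * against the bytes received (over-read) and the output capacity (overflow).
 * Returns the payload length on success, -1 on rejection. */
int parse_record(const unsigned char *pkt, size_t pktlen, char *out, size_t cap)
{
    if (pkt == NULL || out == NULL || pktlen < 1)
        return -1;
    size_t declared = pkt[0];
    if (declared > pktlen - 1)   /* claims more bytes than were received */
        return -1;
    if (declared >= cap)         /* would not fit with the terminating NUL */
        return -1;
    memcpy(out, pkt + 1, declared);
    out[declared] = '\0';
    return (int)declared;
}

/* Exercises the checked functions on constructed inputs; returns how many of
 * the six checks held (6 when the bounds checks behave as described). */
int self_check(void)
{
    char buf[NAME_CAP];
    int passed = 0;
    passed += (copy_name_checked(buf, sizeof buf, "alice") == 0 && strcmp(buf, "alice") == 0);
    passed += (copy_name_checked(buf, sizeof buf, "123456789012345") == 0);   /* 15 chars: just fits */
    memset(buf, 'X', sizeof buf);
    passed += (copy_name_checked(buf, sizeof buf, "1234567890123456") == -1    /* 16 chars: rejected */
               && buf[0] == 'X');                                              /* and buf untouched */
    const unsigned char ok[] = {5, 'a', 'l', 'i', 'c', 'e'};
    passed += (parse_record(ok, sizeof ok, buf, sizeof buf) == 5 && strcmp(buf, "alice") == 0);
    const unsigned char lying[] = {9, 'a', 'b'};   /* declares 9 bytes, carries 2 */
    passed += (parse_record(lying, sizeof lying, buf, sizeof buf) == -1);
    unsigned char big[21] = {20};                  /* honest length, but larger than NAME_CAP */
    passed += (parse_record(big, sizeof big, buf, sizeof buf) == -1);
    return passed;
}

int main(void)
{
    char name[NAME_CAP];
    copy_name_unchecked(name, "bob");   /* only safe because this input is known to fit */
    printf("unchecked copy of a short input: %s\n", name);
    printf("checks passed: %d of 6\n", self_check());
    return 0;
}
```

    The checked copy rejects over-long input instead of truncating it, because silent truncation turns one bug (overflow) into another (a value the program later treats as complete). The record reader applies the same discipline to a length field supplied by the other end of a connection, which is the input a worm's "warhead" would have to travel through.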
  9. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Took me half a second to put together P2K's freudian slip...ick...the mental images were quite horrifying.

    CN232, that I 'personally' consider trojans no different to worms is because of three things :
    1. they are both standalone programs (until installed)
    2. As I'm not on a network, and my internet is firewalled - then apart from the buffer overflow method, worms seem to need the same sort of access as trojans to spread (I could be wrong on this one, but can't find where)
    3. the protection against them seems to be the same answer PrevX/PG/RD and an AV/AT

    I know they work differently, it's just an easier way to understand fighting them for me.

    However, that said, Notoks post on worms was very insightful. I knew most of it, but had never put it together in my head like that. Good stuff :)

    PS this thread has been most helpful, thanks once again for all the info.
     
    Last edited: May 26, 2005
  10. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks a lot Paranoid2000. Your explanation was very helpful.

    Rich
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I've read these posts several times, and have looked at many articles on this topic, and have not progressed much past the conclusions of richrf in the first post of this thread:

    1) Buffer overflows are indeed a serious threat to security that users should be concerned about and,

    2) Buffer overflows are not a threat and users should not worry about them at all.

    I know that numerous examples of this buffer overflow and that have been listed here; I'm wondering, if someone who has had the experience, can describe *step-by-step* an entire scenario of what would happen from a buffer overflow on, let's say, Mr. Smith's computer.

    Mr. Smith logs onto the internet. OK, let's go... *step-by-step* ... how does *it* (sounds like the plague) get into the computer, what happens next, ...

    Thanks,

    -rich
     
    Last edited: May 27, 2005
  12. cluessnewbie

    cluessnewbie Guest

    Hardly. I'm still clueless about the value of execution monitoring tools like SSM and PG that is all the rage these days.
    As Paranoid already mentioned it's either some file you run yourself (see JPG processing buffer overflow), or more commonly, a worm that exploits some Buffer overflow attack via some windows services on an unfirewalled pc (see sql slammer worm etc).

    1) All programs are standalone until installed :)
    2) The access is your email :). Once some malware starts to take steps to spread via email or whatnot it's a worm
    3) This I agree, but the answer seems to be the same for almost all malware:)
    RD, PG, Prevx tend to monitor behaviour common to malware. PG would I think be less effective against worms, since worms don't need to install as drivers, or use global hooks. Execution monitoring might help, but technically it could help against anything AS LONG AS the user is smart.

    Rich I know you have been repeating this line for almost every post on Wilders. But I must seriously disagree.

    Execution monitoring is not enough, it's not even a real defense, it's monitoring of other suspicious behaviour (hooks, driver installation) that is valuable. It's true that by then you would be partly infected, but at least it provides some information for the user to block a process.

    A generic popup telling me process x is starting tells me nothing and gives me no basis at all to decide to allow it or not. I'm talking about programs that you have already decided to install of course.

    On the other hand, if I see this simple text editor want to install a hook, I'm going to get a bit suspicious.

     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    It seems to me, then, that the only secure protection is a lockdown program (ShadowUser, Deep Freeze) that will return the system to its original state on reboot.

    regards,

    -rich
     
  14. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Cluessnewbie,

    Yes, execution protection is not enough. I don't think anyone has ever said it was. Whether or not it is "real protection", I guess is up to you to decide. For me, it is some of the most formidable protection. When someone knocks on my door in the middle of the night when I am sleeping, for me that is "real information." First, I am glad that the door is locked. Second, I check on who it is. If it is someone I don't recognize, I don't let them in. Pre-empting the installation of services, rootkits, keyloggers is additional protection.

    If you and CN232 have better protection, I would be happy to consider it. Would both of you like to share with us your preferred setup?

    Rich
     
  15. Cn232

    Cn232 Guest

    To see if PG adds "real information" that increases your security, let's see what type of events PG alerts you to

    Type 1 : Windows services starting up for some unknown reason. Fun and educational to know, but in 99.99% of cases doesn't help you at all.

    Type 2 : Processes running in response to you doing something. PG is merely wasting your time. You already decided to run it after all! After this initial permission you might see a chain of other processes starting each other, but this is pretty normal and typical, I see no additional information gain here that helps protect you.

    Type 3 : Other processes started by a process you earlier allowed. Does not seem to be in response to your action. You have 2 choices allow or block. The name of the child process starting doesn't really give you any clues. Chances are you will allow it, after all if you didn't trust the parent process, why install it in the first place?


    richrf wrote:
    "If you and CN232 have better protection, I would be happy to consider it. Would both of you like to share with us your preferred setup?

    Rich"
     
  16. CN232

    CN232 Guest

    Safehex, something you don't seem to think highly of. I'm trying to show that even with all your "proactive", early detection in the 'execution stream' tools, safe hex is still critical.
     
  17. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi CN232,

    You are forgetting about one other category of "information":

    Type 4: Unauthorized software that is not associated with a trusted process that is trying to execute, install services, acquire global hooks (this happens quite often).

    In my whole time that I have been alive, I would say that thousands of friendly people have knocked on my door and I always let them in. Now and then, a face appears that I do not know and I ask for verification. In almost all cases they are also friendly though once in a great, great while I keep the door closed and send them away. The fact that 99.9% of the cases are just friendly faces has so far not been sufficient reason for me to unlock my door and let everyone who wants to get into my house, free and easy exit.

    Yes, depending upon your other activities on your computer, safe-surfing is very important. However, there are people in this world who are using their computer just for the fun of a "roller-coaster ride". I doubt they need any kind of security software. I like the idea of an "insurance policy" that I hope I never have to use, but if I ever need it, I am glad that it is there. Some people have liability insurance, others do not. It is a matter of how one leads one's life.

    Rich
     
    Last edited: May 27, 2005
  18. CN232

    CN232 Guest

    First off, we are talking about trying to execute (the other actions are a different matter), so let's keep to that.

    You mention "unauthorized software not associated with trusted process". Do pray tell me how this can possibly occur. How another process can magically startup if it's not directly executed by you, or by a process you trust. Tell me in your own words if possible.
     
  19. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    Don't know if I'm missing the point here. Can't malware automatically install itself on your machine while you're on the internet?
     
  20. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi CN232,

    Well, I guess you can make the argument that it all comes back to the fact that we all have to "trust" Windows. :rolleyes: So the best thing to do is not use Windows and abstain from Internet surfing entirely. Abstinence is always a solution to anything we do in life. I can avoid stomach aches by not eating, for example. As long as one can deal with the pros and cons of abstinence.

    Rich
     
  21. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    What I fully agree with, CN232, is that every user does have to find the setup that is right for them, understanding what the program can do for them. PG CAN provide very strong protection, but you do have to be close to the skill level of those that do HJT log analysis to make it fully effective.. if you don't know the difference between c:\windows\svchost.exe and c:\windows\system32\svchost.exe, things are most certainly going to slip by you. However there are cases that it can still help. I was checking out a piece of software a while ago and left PG running while I installed it, along with the installer, something named instafinder.exe wanted to run during the setup as well, then it wanted to run some other exe as well. It was pretty plain to see that I was not interested in instafinder.exe, nor this other file that wanted to run from my system32 directory during the install of a program that had no business being in my system32 directory. I let instafinder run because I knew what I was doing and made a conscious choice, but not the trojan dropper :) Similar kind of thing with Prevx, if you use the "Trusted Installation" feature and pay attention to any popups that may still occur, it can save you. The clincher here, however, is that you do need to understand what the program does, how and why it does it, and actually pay close attention to the alerts. Unexpected popups are certainly to be denied after the program is well trained, but I agree that doesn't cover everything. The bottom line is that with any IPS you do need to spend some time learning, otherwise the protection will be quite minimal.

    So the question of whether protection against buffer overflows is needed (hah, I almost wanted to type bugger, too.. the power of suggestion :) ) is one that really has to be answered individually, based on your own preferences, patience, and skill level. Personally I feel that Attack Shield, while not a catch-all, provides a nice layer with absolute transparency and minimum of resource usage, but those comfortable with other IPS/IDS programs may be just fine with what they already have.. after all, the buffer overflow isn't all malware is going to do, that's just its entrance. The same question could be applied to any security software, really. My personal feeling is that system hardening is something that should be done by pretty much everyone.. you can't create a buffer overflow in a process that isn't in memory ;) Again, not a catch-all, but a very good layer indeed.

    CN232, I wish you'd register one of these days :)

    Any program, Windows or not, is potentially vulnerable to buffer overflow. I don't see your point here.
     
  22. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Yes Notok,

    One can make the argument not to use Linux. It is a matter of how far one wants to go to win an argument. :)

    In order to surf the Internet, the user must trust at least the operating system. So if someone, like CN232, wants to make the argument that the only way malware can enter a system is by the user initially "trusting it", then that argument is valid - since one has to begin by "trusting" Windows. I just don't see the practical purpose of such an argument - other than to win the argument. And I agree. Abstinence is always a possibility and I do have a friend who does not have a computer and has none of the problems discussed on this or any other computer forum.

    Rich
     
  23. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Just to summarize my point of view:

    Is a specific buffer overflow protection really necessary for a home user on a Windows system?
    I don't think that it's really necessary.
    From a statistical point of view, home users are more concerned by virus, trojans (CWS) and principally spywares (hijackers) than by B.O attacks.

    Writing a Buffer Overflow Shellcode requires to be very knowledgeable and experienced with C/C++ language.
    In this case, it's more a challenge for advanced attackers than for scriptkiddies (who are common attackers against windows/home users).
    Nowadays, hacking is more criminal than ethical and advanced attackers are more interested in corporate environment.

    Then, as Paranoid said, B.O are more common on Unix systems (and Linux) than on windows.
    If the user does not work on Database, A Buffer Overflow protection is not necessary.
    I don't think that this protection will prevent all unknown worms.
    I've read a paper recently about "the imminence" of an SSH worm, and it appears a little bit pretentious and ambitious to prevent that which does not exist (even with IPS/IDS).

    In all case, B.O are fearsome and effective attacks which can permit a root-access to a system, modifications, DOS and so on.

    On the other hand, the user who wants the strongest defense can deploy a B.O protection: for paranoid users, too much security is often better than not enough.
    As often, it's a question of personal choice.

    WormGuard will protect against known worms, AttackShield will prevent some unknown worms which use a specific behaviour: this defense is enough.
    IE addicts will perhaps enjoy OverflowGuard which is a plugin to IE and will protect the browser more than Prevx (for instance) could do.
    And StackDefender is well known to be effective.

    In all case, restricting privileges, running only necessary services (IRC, Messenger, ICQ are infection vectors), using software which is coded with safe libraries (like libsafe) and taking advantage of a specific processor (AMD 64 bits) are prudent precautions.

    Rmus,

    For demos about Buffer Overflow, here again the link:
    http://nsfsecurity.pr.erau.edu/bom/

    With Java/JavaScript enabled on the browser, just click on the next link for the Smasher Demo (totally safe):
    http://nsfsecurity.pr.erau.edu/bom/Smasher.html


    A few resources about worms:

    Worm's strategies: http://www.awprofessional.com/articles/article.asp?p=366891&rl=1

    2 interesting pdf papers:
    -virus and worms: http://engr.smu.edu/~tchen/papers/talk-bupt-worms-Augu2004.pdf

    -Research in virus and worms: http://engr.smu.edu/~tchen/papers/talk-Imu-Oct2004.pdf

    To be involved in the worm's battle: http://wormradar.com/

    A little gadget from Symantec to see (on a globe ) worms infection statistics:
    http://enterprisesecurity.symantec.com/content.cfm?articleid=5479

    regards
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi, kareldjag,

    As always, very informative discussion and articles.

    Thanks,

    -rich
     
  25. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks for the summary kareldjag.

    Rich
     