Stormy weather for malware defenses

In the article it has a good write up on behavior blocking. What is the best behavior blocking program available right now?

 

Some symantec products and One-care have been reported as having known vulnerabilities but the painful truth is any piece of code can be written to break another piece of code and with that anything can be conceivably backdoored

If ever there was an advert or story to promote security through obscurity

 

The article seems to be an extension of a point I brought up in a seperate thread here. While I discussed the trend from the perspective that current AVs are incorporating trojan and spyware protection (thus reducing the demand for stand-alone anti-trojan and anti-spyware programs and eventually making them a thing of the past), the article extended it to include behavior blockers (HIPS). Similarly, towards the end of the article, it explained how todays AVs will become comprehensive anti-malware programs, but will likely maintain the name of 'anti-virus' due to the nature of the market.

Here is a comphrensive review of several HIPS programs.

 

STOP ALREADY with that defeatest attitude.

Malware is at an end, it's only released to attract a chuckle from those who think they have made some internet impact on numerous machines which they definitely have not and cannot.

There is safety in numbers and the number of Anti-spywares plus especially superiorly fashioned ARK's are evidence of that.

Malware is a dying breed like it or not, why? A couple of good reasons avidly avoided by the security forums who fear their hits may drop to an all time low.

RKUnhooker is the King of them all in ARK's like it or not. I can't get Gmer to work on my machine but myriads others find complete satisfaction it it.

Malware is at an end in NTSystems regardless of silly claims to the contrary.

I'm sorry but HIPS like ST, SSM, and PS eliminate those threats in their entirety, i challenge any one to prove different with any accurate results you can display for this community to review.

The AS terminators like SAS easily dismiss plenty of potentiaL THREATS and the RKUnhookr drives these malicious jokers to the surface to expose them for complete terminaton.

Malware cannot match the programs designed to expose them. Case Closed. As i said, there is power in numbers.

For god's sakes end the panics, effective security programs today to those dark code writers have them nearly at their wits end.

 

IMO KAV/KIS PDM (Proactive Defense Module) is the best behavior blocker

 

Hey EASTER.2010, I saw you included Spyware Terminator in your perhaps accurate analysis of the demise of malware. Does this mean you think it is an effective preventer of any malware that is still around?

 

How much more proof do we need that blacklist based security apps are an exercise in futility? The quantities alone make signature based detections nearly unworkable. AntiVirs VDF files total over 12 mb now. F-Prot's definition files are over 10mb.
http://i138.photobucket.com/albums/q277/herbalist-rick/f-protdetections.gif
If more of the malware writers decide to use the same tactics, we could easily end up with definition files containing over a million detections, and they'd still be incomplete and outdated from the moment they're released. There's too many ways malicious code can be packed, encrypted or modified for signature based detection to work reliably.

For signature based security software, its vendors, and the users whose security strategy is blacklist based, this storm is going to get worse. The users that have adopted a security strategy based on a whitelist approach will fare much better. Even though it takes some time and planning to set up, it's much easier to enforce a policy that allows 50 or 100 known processes to run than it is to identify and block hundreds of thousands of malicious and unknown processes, files, variants, etc. It can be done at little or no cost, is much lighter on your system, and isn't out of date 5 minutes after the last update, like AVs are. Works on old and new systems alike.
Rick

 

Rick,

While I do believe that, in principle, you're correct and eventually a purely blacklist approach will fall under its own weight, I still believe we're a number of years from that point. In addition, pure size of the VDF files is not necessarily a key limiter, it is how that database is indexed/cross-referenced/managed and used.

That said, it is clear that anti-malware products have already started to augment blacklist signatures with additional approaches to stave off this eventuality with the range spanning products like AntiExecutable (pure whitelist) to Prevx (combined white/black lists) to the latest proactive defense modules in KAV/KIS (assessing operational characteristics). All of these approaches work to varying degrees, all have limitations as well.

Blue

 

To get another's perspective on the matter, and to perhaps learn something I don't already know, what do you think those limitations of each approach are? Others are of course welcome to comment on this.

 

ST and it's scan detections are not the issue because those linitations are well know but no matter, other AS's like SAS can mose than make up for that,

What AST does do well is intercept malware BEFORE IT can lodge to a pc and thats whre HIPS and it's Resident-Guard supercedes it's scan. Enough said.

 

It seems to me that the question, "What is the liklihood that a particular threat will be exploited on my computer," should be considered in developing a security strategy. Yet, it is rarely discussed.

"Limitation" is often used to mean that a security product doesn't cover certain situations. Does that mean it can nullify your security strategy?

With many firewalls including so-called HIPS technology, a simple packet filtering firewall will have limitations to some people. For others, it's not a consideration because of other security measures in place.

Many consider the WinXP firewall limited because it doesn't provide outbound monitoring. However, I can think right off hand of three people using XP's firewall who don't consider it limited, because they think the liklihood of malware installing that would connect out, to be nil. I know two people who don't even use a firewall. None of these mentioned have ever had an infection.

The same rationale of limitation can be applied to Black List versus White List, as you ask. In the Processguard-freeware discussion, fcukdat dismisses claims of limitation with this statement,

Now, that takes gumption to say in a public security forum where many of the topics are on the latest sophisticated malware and various esoteric products; and it's evident that this statement is based on an understanding of how exploits work, and confidence in how to deal with them.

In my circle of computer friends, I'm seeing more of this confidence - analyzing carefully the latest threats, seeing what the liklihood is of them being exploited on our systems, and dealing with them accordingly, from the standpoint of understanding, and not falling lock-step in line to get the latest product because we are led to believe that without it, we are vulnerable. As one colleague puts it, "We are in charge of our own computers. We make the decisions, not the market place."

Each person has to decide whether a product's limitation, so-called, is relevant to her/his own computing environment. No one else can make that judgment call.


-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

I don't believe it will take nearly that long. If it weren't for their adding whitelist methods, behavior analysis, etc, it would already be happening. Blacklists containing hundreds of thousands or millions of signatures are unworkable. The sheer size of the signature and definition files are one of the primary reasons AVs are so resource and processor hungry. If malware writers kept up that kind of direct attack on AV vendors, we'd have 1.5 million more variants to contend with in a years time.

The quantity of malware is only part of the problem. With so much of it coming from botnets, it gets widespread before the AV vendors get signatures out for it. The ones that have been showing up in my Yahoo spamcatcher mailbox are only being detected by about half of the AVs at VirusTotal.

I'm sure that I'm not the only one here who's noticed how little time elapses between the discovery of a new vulnerability and the appearance of exploits for it in the wild. How many times have we been down this road in the last 2 years? The wmf exploit. Malicious code in JPEGs, DOCs, etc. These exploits can be used for weeks at times before M$ gets a patch out.

If the quantity of malware and the incredible speed it gets developed and spread aren't enough reason to drop the blacklist approach to security, it's nature and the payload it carries should be enough reason in itself. Much of it cannot be removed by an AV if it doesn't recognize it coming in. Some of the malware is getting nearly impossible to detect and remove once it's installed. It hides itself. It defends itself. It directly attacks security software. Much of it is designed to take control over your PC or steal personal info, like account numbers and passwords. The potential cost of an infection has never been higher.

How much needs to be said about the social engineering aspect of malware delivery? Malware writers are incredibly inventive when it comes to convincing people to click on something they shouldn't. Malware can and does turn up anywhere. The common sense approach isn't enough anymore. You can tell users not to visit questionable sites, assuming the average user can tell a questionable site from a legit one. Then again, legitimate sites can and do get hacked and seeded with malware. The seeding of the super bowl site is an example. Factor attacking DNS servers into this. Malware can be hidden in almost any file type anymore. Factor in spoofed file extensions. What apparent file types can be trusted? The advice telling users not to open e-mail from someone they don't know does little if it comes from an infected friend. Simply put, there are no completely safe sites, file types, or sources anymore.

I realize that most readers here know all these different things, but consider their combined effect. The odds have never been higher that you will contact malicious code that your AV doesn't recognize. One missed detection can result in an infection that's nearly permanent. If rootkits keep progressing, we could well see unremovable malware in the near future.

In my opinion, these factors combined make the risk of infection and resulting damage too high to depend on blacklist technology.

Very true. A security strategy that only allows known processes to run and limits their activities to what is necessary for the system to function will not get infected. It's not that difficult to set up a security strategy that's whitelist based. Unless you're a user who always wants to install something new, a whitelist strategy isn't restrictive either. The apps you use run as they should.

I'm not saying that users should uninstall their AVs. They still have their place, but that place is not at the core of a security strategy or system. On my system, AVs are for scanning incoming files. I don't use the resident component. My system is so much faster and more stable now that it doesn't have to check every process and file accessed against an oversized blacklist. My security strategy has 3 basic parts. Everything else is secondary and fills a support role.

Control over the traffic in and out of the PC.
Control over what content can be in the allowed traffic.
Control over what is allowed to run and what those apps are allowed to do.

A security strategy that accomplishes these 3 things will keep a PC malware free.
Rick

 

I think it's not that bad. Malware writers are evolving, and so are AV vendors. Heuristics still has a long path to go, it seems. I guess there's a finite number of possible actions malware can do, so generalistic signatures can still do a lot.
Signatures also have a quality not present in the other methods: malware clearly identified, no second thoughts. A trojan found is a trojan found, no analysis needed, except verifying that it's not a FP.

It is not good by itself, but signatures have a good advantage, even if you think only for "noobs". I consider myself a permanent half "noob", and some sort of signature scanner has to be on my pc.

 

Personally, I believe that you overstate the case.

Let's put some numbers around the discussion. Assume that the total KAV database size is a reasonable indicator of the unique malware population. Right now it's running at ~ 260,000 entries. If you look at the growth rate of this signature database, it is exponential, but it's been a stable exponential since ~March 2005. The doubling period is approximately 20.6 months and has been for the past 2 years. Yes, malware is growing in net current and legacy population, but it is on a very predictable trajectory. That's fairly important since it allows you to plan as well as estimate/simulate how a product will behave in the future. Vendors are not working in the dark, they have a clear path and design objectives in front of them, and part of those design objectives relate to performance.

Now, if you balance that database growth against historical trends in growth of computing power, it's roughly a wash to steady state. I realize we all (unfortunately) don't renew our hardware yearly (Note to self - must discuss this with wife... ). However, in the 5 years that I've owned my current machines, I have not noticed an inexorable loss of performance due to my AV/etc., in fact, they're either an equivalent or lesser drain on system performance than when I started. As with the hardware, the software end has advanced as well, in part because they have a reasonable idea of the design needs for the immediate future.

I realize that it's only anecdotal, but I simply don't see a major negative impact to date. Given that, I don't see a near term death of classical AV solutions.

I believe it is important to differentiate between what is extremely unlikely vs. potentially possible vs. somewhat likely vs. likely vs. nearly certain. Many things are possible, only a small subset of that is likely. It's prudent to plan, but the plan has to include an assessment of the realistic scenarios. Yes, there are things such as rootkits out there and while they can create problems once installed, they are not floating in the ether infecting you under a invisible cloak. They're like any other piece of software downloaded to a system - no more, no less.

Let's take this at face value. If true, what is a user to do? How do they know if anything downloaded is malicious? Do they disassemble it and use their rudimentary programming skills to figure out the good from the bad? Of course not. So they do need guidance - the guidance of a blacklist.

Everything is removable. Everything. It's only a matter of will and approach.

This is great that it works for you. Now ask yourself, what do you need to know to make this work effectively? In terms of computer operations, it's a fair amount, even relative to longtime casual users. How disciplined do you have to be to make this work effectively? If you're planning to perform demand scanning for all downloaded content prior to use, rather disciplined is the answer. Can it be done? Of course, although it's not a path I plan to follow.

I agree that straightforward whitelist approaches are perfectly viable. A well considered classical blacklist approach is also viable. Hybrid approaches are viable. Approaches not based on Windows are viable. In the right hands and under the right circumstances, a bare Windows PC is fine as well. There are many strategies that are viable and within those constructs an enormous number of specific implementations. AV's can still be the absolute core of a very viable security implementation for anyone.

As for speed, although my PC's are now 5 years old, the bootlenecks still reside in delivery of content, not rendering it on the local machine, and I'm on a reasonable cable connection. A faster machine would be great, but in actual testing, the incremental performance boost is extremely modest at best and not worth it to me at the moment.

Blue

 

Hi herbalit, nice post. Can u explain the difference between two and how to accomplish this? BY a firewall only I think.

 

@aigle:

Firewall.

Content filtering: Adblock + NoScript, Proxomitron, etc.

 

If nothing else i think we can all agree that malware publishers have grown more innovative and if theres any consolation at all to be had in all this at least the script kiddie makers have bailed away from the more intelligent and knowlegable designs that better writers have been able to achieve some success at.

Those guys are true testers of the validly of security programs as it requires as much intensive study and research testing as AV/AS developers themselves.

 

Thanks.

 

Any real life statistics?

Come on! be realistic. How many ordinary users can handle all this stuff?
They can,t even handle the popups of a simple AV.

 

So the bad guys are nowadays Anti-Anti-Virus.
And the good guys will now respond with an Anti-Anti-Anti-Virus solution.
Fantastic

 

Links would eat my entire day up but for simplicity sakes one only needs to see the results posted by HIPS users and how incredibly more secure they have become.

In retrospect, an uneducated noobie to the net are prime targets of course but malware is quickly running out of ideas and room to operate, at least so far as XP is concerned.

Do your own personal review of the many HIPS recently surfaced, virtual programs like Power Shadow, and also look at the increased useage of the more recent advanced features (HIPS included) of AV's and the power of the better AS's like SAS.

That is a very formidable front by any stretch if i might say so myself.

 

U are just being fascinated by HIPS. They have never been for normal users.
Let,s talk about all, not only about yourself or other users of Wilders.

 

HIPS are no fantasy or fasination. I run rootkits/malwares like Gromozon plus viruses and HIPS are very up to the task at intercepting possible forced intrusions. If not for normal users than why are Anti-Virus and even Firewalls getting in on the act now of application firewalling?

There is no hype at all in this newest of innovations, they are becoming and will be commonplace even more with the most popular of security programs as time moves ahead.

It just makes perfect sense to thwart off a potential attack BEFORE the fact instead of having to deal with the AFTER affect of having been invaded.

 

Aigle is saying, and i agree, that not many people can use that. Not practical.
Maybe you disagree, but this is the point.