Malware Authors Using New Techniques

[De Hollander]

Malware Authors Using New Techniques to Evade Automated Threat Analysis Systems.

http://www.symantec.com/connect/blog...alysis-systems

[Mman79]

In other words, most of our tools are useless against determined attackers, which most already knew, and now the job is getting easier to attack and harder to defend.

[fax]

The trick here is to analyse the behavior of applications/potential malware directly on local machines where the malware is installed and active (e.g. WSA approach) rather than base the judgement on dedicated virtual machines that are prone to be fooled. This means a radical different way of dealing with infections for which most security companies are not prepared to.

[noone_particular]

All of their other comments/claims aside, that article says one thing.
We can't keep up with the threats.
Many of us figured that out years ago.

[Peter2150]

What it says to me is signature based detection is becoming impossible. There are other solutions, however.

[Mman79]

Quote:

Originally Posted by Peter2150

What it says to me is signature based detection is becoming impossible. There are other solutions, however.

It says to me that virtual software environments are not as useful as one might think and signatures are all but useless as well. But many already understood both of those things. I'm in favor of more complex solutions like HIPS, but at the same time I don't see them as favorable solutions to the "average" computing experience and user. It's hard enough to get people off of the idea that an AV will handle it all for them. The typical pop-up from many HIPS solutions will just have people shutting them off. I've yet to see a program like this stick to the K.I.S.S principle, and I'm not sure they can and still be effective.

[wat0114]

"Automated threat analysis systems" = relegated to the stone age.

[noone_particular]

Quote:

Originally Posted by Peter2150

What it says to me is signature based detection is becoming impossible. There are other solutions, however.

Signature based detection should already be dead, and would be if it wasn't such a cash cow.

As for "other solutions", for the type of users that you find here, there's several. Finding one that will consistently work for the average user is a much taller order. Sandboxing and virtualization seem good now, but as they become more mainstream they will be attacked and defeated more often, and we'll be right back where we started. As long as the typical user is able to function as an administrator, there's no realistic way to protect either. Windows makes it way too easy to be the administrator.

[Mman79]

Not being an Administrator on a system is really an answer for past issues more than it is for current ones. Not being one only limited damage to begin with, and now we deal with breaches that affect us when it isn't even on our system and more socially-engineered malware. There isn't much point in being a non-administrator if you purposefully let things run, as many do with these social-engineered attacks.

[noone_particular]

No, nothing will stop a user from clicking things they shouldn't. Running as a non-admin does limit the damage malware can do, to the system anyway.

[Nebulus]

Unfortunately in this age of social networks and e-commerce, the damage to the system is the least of your worries. Attackers are after your personal data, passwords, banking details, etc. and that can be achieved when working in user mode as well, not only in administrator mode.

[PJC]

Quote:

Originally Posted by Peter2150

What it says to me is signature based detection is becoming impossible.
There are other solutions, however.

Cannot agree more with you!
Since 2007, I've ditched Resident/Real-Time Scanners.
Virtualization/Sandboxing, Imaging etc. is, by far, more advisable...

[lodore]

The only reason malware authors have to think of new techniques is because the goodguys are getting better at detecting their creations. 100% security will never work. I do feel that sandboxing each applications is a great idea.

I feel that security software on a smart phone is a good idea. I dis agree that simply removing apps from the store when they are found to be malicious.
An application Could steal data from the phone such as emails,phone numbers and dial premium rate numbers. by the time the app is removed from the market the criminals could of made a fortune. So I feel that antivirus is still relevant today.

I think the best solution is a combination of blacklist and whitelist and then do an indepth analysis of the unknown files.

[noone_particular]

Quote:

I think the best solution is a combination of blacklist and whitelist and then do an indepth analysis of the unknown files.

That would work for the type of user found here. I can't imagine the average user doing that.

[noone_particular]

Quote:

Not being an Administrator on a system is really an answer for past issues more than it is for current ones. Not being one only limited damage to begin with, and now we deal with breaches that affect us when it isn't even on our system and more socially-engineered malware. There isn't much point in being a non-administrator if you purposefully let things run, as many do with these social-engineered attacks.

If someone could ever come up with it, there's an enormous market for effective anti-stupidy software. Barring that, nothing can stop a user from shooting themselves in the foot (or the wallet), not even the best live CDS.