0Day Threats

The other day I downloaded some software off the net. With the source looking a little suspect I scanned the files with three engines. GData AV (BitDefender & Avast) returned clear for the files, Kaspersky online also returned clear. Prevx Edge was also running but did not come back with any problems.

Although it seems that all the tests have passed, this doesn't mean to say that there wasn't any malware installed, just that it wasn't detected or unknown. Lets say there was 0day malware in this application, how can I check this out for myself?

 

Betta hire one antimalware ExPert.

 

You can try scanning single files with: http://www.virustotal.com/ It will scan the file with many scanners. Chances are one of them had picked up the malware sample and created a signature for it. Also, a HIPS program (Malware Defender, EQSecure, DefenseWall) or sandbox would trap it or detect it before AV programs. The HIPS programs will prompt you whether to allow the file to run. You then have to make the right decision. Running in it a sandbox would (hopefully) isolate it from doing damage to your system. Best approach is a layered security system (firewall, AV/AM, HIPS and/or sandbox type program) and fully patched system.

 

I don't see how a sandbox would work. The real application would normally write to system32, the windows folder, and the registry. I would have to run this application as trusted just to get it installed normally, thats without malware.

 

See: http://www.youtube.com/watch?v=PBKNHBl-yos for some ideas of how GesWall works. The best advice is only download from a trusted source and then scan the file before running it. I use KAV and Prevx and right-click on them. There is always the possibility of getting infected. Make sure all your data is backed up on a separate drive and have a program that can return you to a snapshot of your system before the infection occurred. Worst case scenario is to reformat.

 

Is there any way to lock an entire drive so it can't be modified?

 

Returnil, Shadow Defender, ShadowUser Pro, DeepFreeze (these are the ones i've tried, there are more)

 

Sandboxie creates duplicate registry sections and system folders as they're needed. Most legitimate applications can't tell the actual system folders from the Sandboxie created alternates. The same applies to the registry. Except for some security software that operates at a kernel level, I'd be suspicious of any software that wouldn't install in Sandboxie or in a virtual environment. If for some reason I felt it necessary to use such software, I'd install it on a separate test unit first and evaluate it thoroughly before I considered installing it on a good system.

Regarding zero-day malware, no scanner will identify true zero day malware. The exception here is if the AV identifies it heuristically (by behavior). By definition, zero-day malware hasn't been identified and is in the wild. In most cases, a sandbox or virtual system can contain the malicious code, preventing it from installing on the physical operating system. That said, a keylogger running on a virtual system can collect keystrokes made on that system. It's also possible that we will see malware that can break out of a sandbox or virtual system. The only sure way to prevent unknown or unidentified malicious code from running is to implement a default-deny security policy. With this approach, only those apps/processes that the user has specified can run, nothing else. Classic HIPS are ideal for enforcing a default-deny policy, provided that the user can identify which applications/processes are part of the system and installed software, and are necessary for its normal operation.

 

Maybe you could scan it with something like ThreatExpert?

 

Why not submit it to an AV who can give you a proper informed answer... and know what they're doing (no disrespect).

BitDefender - http://www.bitdefender.co.uk/site/KnowledgeBase/consumer/#492

Avast -

 

If I recall correctly, you could use DefenseWall and run as untrusted until you iz happy http://www.softsphere.com/
I could be wrong, been a while since I used DW and things may have change( but I suspect not)
Not sure about kernel level installs either if that's what you want.
Ask at forums: http://gladiator-antivirus.com/forum/index.php?showforum=192

EDIT: Ahh, sorry; I see you already run DW:

 

maybe, they didnt detect anything because what you thought was a malware source, didnt install anything on your PC.

 

I'd go with the install in Sandboxie option until I was sure of it's safety.If it wouldn't run in SBIE it wouldn't be installed full stop.

 

Returnil? Thats like DeepFreeze isn't it?

I have tested DeeoFreeze, the only problem I found is that it doesn't allow folders for AV to update. Does Returnil?

 

You've got a lot of good suggestions so far. I would suggest that you only download reputable softwares from reputable sources. You can also checkout the background of the company and site. If in doubt, ask about the software/company in a security forum like Wilders. Who knows, you might even find a good program that does the job better without all the worry.

With Returnil, you would have to turn it's protection off and then update your AV and then turn the protection on again. The same with all updates etc. unless you can move where the data is stored to an unprotected location.

 

Actually a perceptive and important question, about a topic that affects all web users.
It is quite possible (likely, even) the files are malware-free, as alluded by trjam. You do have to be a little unlucky to score a genuine zero day threat. (Yet it happens all the time. )
The Sandboxie suggestions sound good to me. Better are the suggestions to submit files to an av vendor with the appropriate facilities for analysis.
Consider running a behaviour blocker to receive alerts about suspicious attempted changes. (Which will likely need a bit of inside knowledge to interpret correctly.)

With Prevx running, and in the light of the comments made on your other thread about the library of modified vs original files and repair ability of same (I agree, that is impressive if it works.) your chances are further improved, I would think.

 

Shadow Defender and ShadowUser have the possibility to allow security applications to update. ShadowUser doesn't work with Vista, Shadow Defender seems to have a dynamic developer behind and works with Vista.

 

It's actually quite interesting to get a true zero-day sample, then check on a daily basis at Virustotal to see which product will detect it and when it happens. It will also point out an intrinsic flaw in AV testing- the lack of something like a "Time to Detection" factor.

At the end of 10 days maybe all AV's will detect the sample, but prior to that product differences will be totally different.

 

Seems more like your methodoligy's more flawed than anything... the settings, update frequency and detection ability of AVs on virustotal are not necessarily the same as that on home-user products.

 

Actually they do seem to be. I've tried the above and seen (without mentioning any names) product detections going from zero to 3 to 6, etc.

If after all does stand to reason that some companies will be more responsive than others.

 

The best weapon in determining the safety of a new program is often Google.By simply entering the product name a wealth of information can be found.If it's available on reputable download sites such as Softpedia and Majorgeeks then you should be fine,however if it's only available on less straight sites such as Brothersoft,alarm bells should ring.Of course truly new software won't yet have been passed safe by sites such as these which check files they host are malware free.A website rating utility comes in handy here to determine which sites are which.Also the Google search might link to forums such as this or bleeping computer etc.

At the end of the day if in doubt,or no info is available due to it being too new,you need to ask yourself just how necessary is this program now rather than waiting until it's been properly categorized,or as was mentioned before,is there a known safe alternative available.