Current categories of attacks & security software

Discussion in 'other anti-malware software' started by halcyon, Apr 24, 2007.

Thread Status:
Not open for further replies.
  1. halcyon

    halcyon Registered Member

    May 14, 2003
    Has anybody seen / done an up to date version of current:

    Risk & attack types
    - viruses, worms
    - trojans, rootkits
    - malware, adware
    - dialers
    - bots, zombie controllers
    - outgoing attacks, sw firewall removers
    - password sniffers, password scanners, password hackers


    Protection & Security software
    - Anti-virus software
    - Anti-trojan & malware software
    - Software firewalls (incl.
    - HIPS
    - Sandboxes
    - etc.

    I'm not looking for a complete list of application names, but more like categories of different risk/attack types vs. various protection/scanner software.

    Also, what categories of risks are growing the most currently?

    What categories of risks are most difficult to detect & protect against currently?

    What category attacks are most risky (in terms of potential losses, like banking account info, credit card numbers, etc)?

    What type of combination of protection/scanners categories would give a reasonable current & up-to-date protection for today's worst risks.

    BTW, when asking I'm assuming the following:

    1. User already has a brain, knows how to operate it (i.e. safe surfing)
    2. User does NOT have time to keep up to date on 0-day exploits and patches
    3. User does NOT have time to learn very complicated programs or esoteric software with Chinese only UI
    4. Due to assumption (1), the user does not like to install and use underground security apps not tested or verified in public (i.e. avoid using enthusiast specialty software)
    5. Single security suites (any suite from any publisher) does not provide a reasonable level of protection
    6. Choking the machine with 3 x HIPS, 2 x sandbox, 3 x antivirus, 10 x manual scanners, 7 x anti-rootkits is too cumbersome, too time consuming, too risky of system level conflicts and as such, completely out of the question. The protection must be in balance with the risks, but provide higher level of actual security than a single suite.

    I think this kind of an overview would be beneficial to many of us, who mostly have time to visit forums like this couple of times a month and only glance through a few topics.

    Of course, this kind of overview would need to be up dated and include metareviews of all the applications as well, in order to be able to give practical recommendations.

    But let's stick to 'software category' level for now, and forget about single named applications or sw manufacturers.
  2. Rmus

    Rmus Exploit Analyst

    Mar 16, 2005
    I suppose there are different ways of thinking of "categories" of attack types. I use the following:


    1) through ports

    2) initiated by remote code execution on web sites

    3) initiated by clicking on an email attachment which

    --> launches an executable
    --> redirects to a web site which then sets up for (2 above

    4) bundled with software or a program you download

    Well, it's always been my contention that if this is in full force, you don't need much at all in the way of security programs.

    But in thinking about how to help someone new set up a security strategy, rather than just piling on software, I feel it's more helpful in the long run to show them how to think through the above categories and then select what seems appropriate. This, of course, will depend on the individual circumstances of each person.

    1) attack through a port

    A firewall properly configured will prevent this. If the user sets up a network, a router can be added. The obvious types of malware are messenger spam, worms and trojans. Looking at a firewall log will show how these ports are effectively blocked.

    2) remote code execution - embedded in a web site

    These are often referred to as browser exploits, since the browser is the means by which the malware gets installed. While certain browsers purport to be safe, I would not depend on that, and would want to have something behind the browser.

    Now, you have to decide on what type of protection you want to catch that. The two principle types are Black List and White List. Or a combination.

    If you have Zero-day concerns, then you definitely don't want to depend on a Black List solution only, since your signature database may or may not have the current exploit, as many past examples have shown.

    So what are the threats? Most embedded code in a web site has one goal: to install a trojan downloader which then connects out to download more junk, from spyware to keyloggers - you name it.

    Since these are executable programs, you ask yourself, what is the most secure solution for preventing the installation of an unauthorized executable? If you deal with the concept of "executable" rather than "keylogger," "rootkit," etc, then you have a better grasp of selecting a solution for prevention, rather than worrying about what the malware might do after the fact.

    3) Email attachments.

    Surely, nothing needs to be said here. Common Sense which you refer to should take care of 99% of the situations. In the unlikely case of the "inadvertant click" the above protection will take care of things. Also I include here the addition of a Reboot-to-Restore solution.

    4) Malware bundled with programs you install

    This is the most controversial category to discuss, because approaches to solutions range from those who trust what they install based on confidence in the sources, to those who trust nothing. There is really nothing more to say, since solutions vary from relying on your own judgment, to scanning everything. Or an in-between approach.

    Malware has become very sophisticated: rootkits and all. The methods of attack haven't varied much, except for the Social Engineering varieties. The tried and proven approaches above are still effective today.

    Best information for this question is to follow the different malware forums here. It seems like new products and new versions are appearing frequently. Also read reviews.

    It is for these reasons I've avoided mentioning HIPS, Sandboxes, etc as part of the solution. In thinking of the average users I encounter, I want the least cumbersome set up.

    That's why I've evolved my approach to a simple Firewall -- White List -- Reboot to Restore set up. With a backup strategy in place, of course. From that starting point, I select products.

    I've omitted detection, since I've focussed on prevention. If malware doesn't intrude, there is nothing to detect.


    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
  3. Devil's Advocate

    Devil's Advocate Registered Member

    Feb 5, 2006
    Probably moving this to some other forum might get more replies.
Thread Status:
Not open for further replies.