How do security vendors differentiate between various malware?

From Dunn's article:

This is very misleading, for "triggering a malware attack" suggests malware downloading by remote code execution.

The Websense analysis linked by Dunn clarifies:

This exploit is a social engineering type, where the victim is enticed to permit the download/installation of the fake software. A prompt-to-download box appears for user action.

The exploits need detailed descriptions, otherwise the user is left with too many questions.

How is the exploit set in motion? Remote code execution? Social engineering enticing the user to click here?The downstream effects you describe more often than not, do download a malicious executable. Otherwise, what else does the exploit do? Will one's reboot-to-restore security erase all changes? One can't know without detailed analysis.

Buffer overflow -- and now, Null point attack -- are loaded words which are nothing more than descriptions of methods of attack.

As shown above, when analyzed, they reveal their weaknesses and strategies for combatting them.

One such banner ad exploit redirected to a site to display an animated fake scan, if the flash object were permitted to run:

Code:

document.writeln('<embed src="tpl/1/images/scanner.swf"

_________________________________________________________

I, nor anyone I know, would click to play this .swf object, which was a very realistic looking real-time scan. Therefore, not be tricked into downloading malware a la "PC Protection for Free."

End of exploit.


----
rich

 

I'll give a different example then. Look at http://www.scmagazineus.com/Malicio...atest-social-networking-attack/article/33655/. Simply going to MySpace at one point in the past could have gotten you infected, if your system was not patched, as there was an infected banner ad. No social engineering or remote code exploit was necessary. One million computers were infected by this. Just going to MySpace with a vulnerable system did the trick - nothing more needed.

Although I don't have hard data, I would agree, as malware would often like to run on reboot also. There are other possibilities though. For example, a poisoned video could theoretically contain keylogging code with transmission of results via web browser. Whether such malware actually exists others can maybe address.

Yes, whatever is protected by your reboot-to-restore security. If other partitions outside coverage were messed with, then no. Remember also that stolen data cannot be undone by a reboot.

 

If you want a specific example, check out Adobe Flash Player Multiple Vulnerabilities - http://secunia.com/advisories/28083/: "2) An integer overflow in the processing of multimedia files can be exploited to cause a buffer overflow ... Successful exploitation of the vulnerabilities may allow execution of arbitrary code."

 

Actually, it was a remote code execution exploit, exploiting the .wmf vulnerability:

And easily blocked (no patch, in this case), as shown in another site with the same exploit:




________________________________________________________________________

And here is a more recent one affecting other Adobe products:

http://secunia.com/advisories/29838/

There are two considerations I look at:

1) What is the liklihood of encountering such an exploit? (a malformed .bmp file in the above case)

2) What steps to I take to prevent the exploit from carrying out its intentions?

Here is a good example: MSWord file-parsing vulnerability in 2007.
This was of concern to my colleagues who use Word documents on a daily basis:

http://isc.sans.org/diary.html?storyid=3757

For consideration #1, it is a targeted attack (mostly corporate)

For #2, White Listing will prevent the downloading of the trojan binary. Also, common practice at the college
is to open student's MSWord documents in a text editor, in which case no embedded code (macro viruses, for example) will run.

I think it's possible to deal with all exploits in a similar fashion.

While security advisories are useful -- they alert to the exploit -- it's not until one can test a real one in the wild
(or read a detailed analysis of one, as in the sans.org example) that one can formulate a strategy.


----
rich

 

Vendor supplied whitelists have many of the same problems as AV detections or blacklists. It's physically impossible to create a whitelist that covers every version of every user application. Keeping one up to date is another impossible task, which is the scenario you described. The best the vendor producing the whitelist can do is to include the commonly used apps and keep it as up to date as realistically possible.

Vendor supplied whitelists have another potential problem. Just because an application is whitelisted by the vendor doesn't mean that it is compatible with your system and all the other apps you have installed. An application that conflicts with something else you use can be almost as damaging as malware.

If you're reasonably knowlegable about how Windows works, what the different processes do, and how they interact, you do have another option. Make your own whitelists. HIPS is ideal for creating and enforcing whitelists of the processes on your PC. Ideally, the best time to start building this whitelist is when you install your operating system. That's as close as you can get to being sure your PC is completely clean, that is assuming that your install disk isn't a pirated OS.

There's always some amount of risk when installing and upgrading software. No matter what strategy you use, the risk can't be 100% eliminated. That said, you can eliminate almost all of the risk by establishing a set policy regarding how updates and software installs are done and enforcing that policyfor all users. This is the policy I follow when installing or updating software, which includes Windows updates and patches.

1. Make a full system backup before you install anything. Ideally, the backup should be on a separate hard drive or removable media. There's several good options available for backup software. If at all possible, use something other than Windows built in system restore.
2. Verify the digital signature of the update/installer if one is available.
3. Regardless of what the file is or where it came from, scan the item to be installed at VirusTotal or an equivalent site with multiple scanners. No site or server is 100% secure or safe from malicious tampering. Neither are the files they contain.
4. Keep your security software running. Update any AV or malware scanner you have before starting the install. A PC is very vulnerable when the software is being installed or the operating system is being updated. Just because you scanned the installer with every AV available does not guarantee it's clean. There are methods of encrypting malware that will conceal it from AVs. The malware might not be detectable until the installer is unpacked. Some installers download some or all of the files used in the installation. It's also not unusual for an application or its installer to "call home". If your firewall is running during the install process, you'll be alerted if these things happen.
5. Monitor the install with a utility that detects and records changes. I like Inctrl5 for this task. It records all files and folders that are added, deleted, or modified, all registry changes, and can save the change logs as text, html, or in csv format. It's not absolutely necessary to monitor the install process but there are several benefits to doing so. The records let you see any new autostart entries that are created. You can see any file associations that get changed. If you make a file list of all the files on your PC after the initial install, then use Inctrl5 to monitor/record every install and update, You'll have records that show where every file on your system came from and what app uses it.

If the update or software works properly on your system, gets along with your other apps, and meets your expectations, then you can create permanent rules for it with your HIPS and firewall. This effectively adds it to your whitelist. If for some reason you don't want to keep the app or update, use the system backup to get back to the exact same system you started with. There's no problems this way with uninstallers that don't remove everything or don't put the file associations back the way they were.

A policy like this can be an inconvenience, especially when installing something big. It does minimize the risk to your system when installing, prevents leftover files and registry changes from causing unexpected conflicts later, and makes it much easier to restore your system to its previous state. IMO, the benefits easily outweigh the inconvenience.
Rick

 

I don't need a world-wide whitelist, possible or not. I only need a whitelist of applications installed on my system partition.

 

I think we don't actually disagree on anything. I use a HIPS program to control execution, whereas you use a whitelist product, and each is fine.

On the likelihood of exposure issue, you may wish to look at a Google Feb 2008 research paper - http://research.google.com/archive/provos-2008a.pdf. Here are the concluding remarks from the paper:

"The fact that malicious URLs that initiate drive-by downloads are spread far and wide raises concerns regarding the safety of browsing the Web. However, to date, little is known about the specifics of this increasingly common malware distribution technique. In this work, we attempt to fill in the gaps about this growing phenomenon by providing a comprehensive look at the problem from several perspectives. Our study uses a large scale data collection infrastructure that continuously detects and monitors the behavior of websites that perpetrate drive-by downloads. Our in-depth analysis of over 66 million URLs (spanning a 10 month period) reveals that the scope of the problem is significant. For instance, we find that 1.3% of the incoming search queries to Google’s search engine return at least one link to a malicious site."

"Moreover, our analysis reveals several forms of relations between some distribution sites and networks. A more troubling concern is the extent to which users may be lured into the malware distribution networks by content served through online Ads. For the most part, the syndication relations that implicitly exist in advertising networks are being abused to deliver malware through Ads. Lastly, we show that merely avoiding the dark corners of the Internet does not limit exposure to malware. Unfortunately, we also find that even state-of-the-art anti-virus engines are lacking in their ability to protect against drive-by downloads. While this is to be expected, it does call for more elaborate defense mechanisms to curtail this rapidly increasing threat."

 

Thanks for that link, which has lots of useful references.

A year or so ago, a friend and I experimented, using IE on Low Security for several hours each weekend, doing our normal work, including Google searches. Not once did we encounter a site with a drive-by download. And we clicked on prominent ad banners whenever encountered.

Recently some bloggers mentioned the prevalence of compromised Google links. I repeated my experiment for a couple of weekends, again, encountering nothing.

It made me wonder, How do people get to these compromised sites? Looking at lists posted by bloggers, I concluded that *none* would be sites that I would be likely to encounter in normal work.

Some other revealing quotes:

What, do you suppose, these "more elaborate defense mechanisms" could be?

LUA and SRP can be included (discussed in recent threads here at Wilders).


----
rich

 

Therein lies the premise supporting my own intense scrutiny and high suspicion regarding PATCHES, and why? Just like what's been mentioned and documented too i might add, they have all too easily been repatched by malware enthusiasts thru clever exploits and why i refuse to accept any of them anymore PERIOD!

You can acomplish the same and realize equally exact results from the combo of Faronic's Deep Freeze with it's own Anti-Executable program which is just fantastic IMO. AE also demands that the user exercise the proper precautions however to make a CORRECT decision that their new included app is first been declared safe by a reliable scannner to ensure it's indeed whitelist-safe.

As an alternative measure Returnil and in my case Power Shadow Master can also serve to isolate the volume(s) virtually and dismiss accumulated objects on reboot. Other alternatives also exist to improve a sound defense strategy of this nature.

 

You're welcome

I'm not sure of what to make of the differences between your experiment and Google's report, other than possibly the time the experiments were conducted. Were there differences in the browser addons present? Did you have JavaScript, etc, turned on in the browser? Were you using XP or Vista? Did you have other security software in place? Were you using a limited user account?

As for "more elaborate defense mechanisms," I think it's the kind of stuff discussed here at Wilders

You may also wish to look at this Google report, if you haven't seen it already: www.sagecertification.org/events/hotbots07/tech/full_papers/provos/provos.pdf ('The Ghost In The Browser - Analysis of Web-based Malware').

 

You might wish to reconsider. It is true that patches can be reverse engineered to see what changed between the old and new version. But this reverse engineering gives the hacker an idea of what to attack in the old version. The new version, after all, contains the fixes.

 

I purposely use IE6 unpatched for testing -- all scripting enabled, Low Security setting, *hoping* to get something.

After each web site encountered, I checked the cache -- sometimes, looking inside some of the page codes, and .js files -- then deleted the cache.

Only security running was Anti-Executable and Deep Freeze. Any drive-by attempt to download an executable would be flagged by AE.

I concluded that Mrk's statement holds true, "You have to really try to get infected."

I suppose I just didn't get to the "right" places to encounter these dreaded Remote Code Execution exploits (aka Drive-by Downloads).


----
rich

 

Maybe your testing window needs to be longer than a weekend. After all, the Google report on page 10 gives the random URL infection (counting both identified malware and behavior suspected of malware as malware) rate of approximately 0.25% for most categories and a bit above 0.6% for adult sites. Assuming you don't use adult sites for work, 0.25% translates into 1 of every 400 URLs. So you'd need to visit 400 URLs on average just to get 1 infected site. And, given that the problem is getting worse, the problem wasn't as bad one year ago when you tested, so the infection percentages were probably even lower then.

By the way, were your tests done on XP?

 

Another point to consider: in the Google study, this is from random URLs. In your browsing habits, you're probably visiting multiple, sometimes many, pages on the same website. Thus, when you reach 400 URLs, you've probably been exposed to far fewer websites than in 400 random URL visits in the Google study.

 

Win2K and WinXP.

400 URLs?

That's more than my normal workload.

My experiment was to do my regular research in my normal way (except using IE instead of Opera). My aim was to show that a drive-by download can be thwarted by White List protection. However, I never encountered a single one in normal work.

On the other hand, going directly to compromised sites mentioned in security analyses was fruitful.
Some time ago, I put a group of them together:

System:

Win2K, WinXP
IE6 unpatched
Anti-Executable
Deep Freeze

http://www.urs2.net/rsj/computing/tests/remote

In one sense, it doesn't really matter what the code exploit is. If the end result
is to download an executable binary, it's no show.

The recent flash exploit which brings up a window enticing the user to download PC Protection
is tame by the earlier RegClean exploit where the browser is completely taken over by the exploit
and any click on any part of the window triggers the download by remote code execution:

http://www.urs2.net/rsj/computing/tests/fontmania/


----
rich

 

That's not correct. Using a list of topics for a particular project, I used Google to search for them.

The point of my test was to use the internet in my normal fashion to see if I could encounter such a site. No one I know has ever encountered such a site.

The problem I see with such studies is that they are not always a realistic portrayal of what a user may do, thus creating needless fear and uncertainty.

You should do the same test -- just do your normal work, and see if your HIPS alerts to the download of any executable by remote code execution.


----
rich

 

The very next night (and this is no exaggeration on my part), after a pretty strong Tornado had went thru Atlanta Georgia USA and while the SEC Basketball Playoffs were in town, i just casually as anyone would went to the CNN site to see what their reviews of it were since their CNN News building was struck too, and i got hit with an Iframe exploit the likes of which i not seen since the Windows 98 "You Are An Idiot" bombardment and it actually buffer overflowed my IE to the point i had to hit the reset button.

Now whether somewhere there done that as a practical joke which i wouldn't think likely or someone took advantage of the ordeal to exploit their News webpage it came as a shock to me.

I still keep that "You Are An Idiot" iFrame exploit from 98 days in my collection and it still works on XP Pro. Guess i wasn't patched for it. LoL

It's just a nonsense silly loop throwing craze of windows. Downloads nothing but what lands in the TIF cache.

 

Thus, you shouldn't have expected to have been infected in the timeframe you did your test in. Your results were actually the expected case for your workload.

People do sometimes do this. I'm not sure what Google's interests would be in overstating the danger of the web though? I would think Google would want to understate the danger of the web - they want you to click on their search result links, right?

I might do this in a virtual machine. I haven't had any abnormal HIPS alerts or Comodo Memory Firewall alerts regarding my browser yet. Then again, I'm using Opera as my browser, not IE. And I also keep important programs, including browser plugins, up to date.

 

How are things going with LUA for you? I tried this a few years ago in Windows 2000. I thus created a new part-time job for myself. Maybe things have gotten better since then? Or maybe it was just me....

 

Well you 've got to simulate what those who get hooked up to botnets run: IE unpatched and nothing else updated. Otherwise, you'll never get any pickings!


----
rich

 

Thank you for the links. I have seen them before somewhere. Is this Anti-Executable in the screenshots?

 

I know, hehe! That's what I would do in the virtual machine.

 

I haven't done this personally. I just mentioned it as another option.

When I searched for this type of protection years ago, I had in mind families where several, including children, use one computer. I decided that LUA was a possibility, but when Anti-Executable came on the market and replaced FreezeX, I realized that this was an ideal solution: upon installation, it creates a White List of all executables, and nothing else can be installed w/o parental permission. Essentially a Default-Deny, set-and-forget solution, password protected. Nothing else to configure.

While it's principal purpose in these situations is to control installation of software (games, screensavers, other freebies), an added feature is protection from drive-by downloads of malware/adware/spyware.


----
rich

 

Yes.

I think I posted this in another thread discussing drive-bydownloads a while back.


----
rich

 

One of the problems with this are the demographic of exploited websites. Of those I've seen, Chinese + Russian + Ukrainian sites compose of the majority, with English websites forming a rare few. It isn't really much use, I guess, to target the European/American populace with exploits when the majority of them keep their genuine of OSes well-patched and where Firefox enjoys strong popularity.

This might be a bold statement to make, but remote code execution exploits are all but dead and gone, as long as the digital world of the West is concerned. That's why the few sites that do get exploited are so newsworthy.