How malware is delivered nowadays?

I've stumbled upon a very interesting blog entry made by the folks at F-Secure. I will quote the most interesting bits and analyze them according to my knowledge:

Pretty simple, isn't it? Use a mail provider which filters spam and executable attachments (GMail does this). Configure your mail client to display file extensions and MIME types. Don't open unsolicited attachments. Attachments coming fron trusted peers should be handled very carefully, your friends may be infected. If you didn't solicite the content, don't open it. If you solicited it, save the attachment to disk and scan it with your local AV and a service like Virustotal/Jotti. Another option is running that content inside a sandbox or, better yet, a VM.

Now that malicious attachments aren't working well for the gangs, they try to trick you in clicking a link which takes you to the malicious/compromised site. Common computer sense says that you shouldn't click on random links, specially if they come in unsolicited/bulk/spam email and contain obvious social engineering tricks.

Drive-by downloads aren't black magic. They require that you:
- Visit a malicious or compromised website. You can avoid the former by not visiting warez and cracking websites and other types of dodgy sites. The compromise of legitimate sites is on the rise, but (IMO) we are far away from reaching epidemic proportions.
- Happen to have a vulnerable application waiting to be exploited. Just enable DEP for all your applications to prevent the most common types of buffer overflows (a kind of vulnerability) and keep up-to-date wich patches for every applications that deals with untrusted content, specially if it comes fron Internet. This includes the operating system, the browser(s), the mail client(s), the office suite (Microsoft Office, Open Office, etc), the PDF reader (Adobe Reader, etc), the archiver (WinZiip, WinRAR, 7-Zip, etc), the image viewers (XnView, FastStone Image Viewer, Irfanview, etc), the multimedia players (Winamp, Media Player Classic, VLC, PowerDVD, WinDVD, Windows Media Player, Real Player, Quick Time Player, Nero, etc), the runtime libraries (.NET Framework, Java, etc), P2P applications (Emule, BitTorrent clients, Shareaza, etc) and browser plug-ins (Java, Flash, Shockwave, Quick Time, Windows Media, Real, Silverlight, etc)
0-day vulnerabilities (i.e. vulnerabilities which are being exploited by the bad guys before a patch is avalable or the vulnerability is acknowledged by the vendor) are much less common than some ones may think. Also, when a 0-day is "in the wild" you can apply temporary workarounds offered in websites dedicated to information security.

Common computer sense says that you shouldn't trust strange and unexpected executables. If you have installed the most common codecs from a trusted source, you shouldn't need an ActiveX codec or another browser plug-in.

No matter what somebody wants you to believe, ads not only are annoying, a waste of (often scarce) bandwidth and sometimes a violation of privacy, they're also a security risk. Often, ads are combined with social engineering tricks to incite you to click them (the famous messages of system errors and alerts of infections). The bad guys are even deploying rogue ad networks. So, use a pop-up blocker (built-in into your browser) and filter ads with a browser plug-in or a local proxy. Only accept ads from sites you want to support and you trust in their security skills.

As I've said before, hacking of legitimate sites is on the rise, but it's far away from an epidemic. Depending on your comfort level and abilities/skills, you may consider the whitelisting (i.e. only allow what you deem good/trustworthy and deny the rest) the web content, specially scripts and multimedia plug-ins. This will provide your first line of defense against a sudden compromise of a trusted/legitimate site. The general measures of avoiding executable content, enabling DEP, patching your whole system and avoiding risky sites also apply here.

As you've seen, you can secure most of the threat-gates with simple measures and avoid most of the junkware/malware with just some common computer sense without even using security software.
But you need security software to close any potential hole, be it a high-profile 0-day without workarounds or unknowingly trusting malicious content or whatever happens:
- Enable the Windows firewall (XP and Vista) to prevent exploitation of system services which listen for incoming connections. Actually, this is a low-risk threat, but it was a popular one in the past (think about Blaster, Sasser, Code Red and other worms) and new vulnerabilities on these services may arise again. If you have multiple PCs, consider buying a NAT/SPI router and configure it appropiately (change the default password, disable the remote admin feature, disable the UPnP service, enable the SPI, etc)
- Disable the AutoRun/AutoPlay feature from every removable device (CD/DVD, USB disks, pen drives, etc) on every user account. It isn't uncommon to buy an infected pen drive or digital frame or infect your pen drive when you use it on someone else PC.
- Create and use a standard/limited user account for daily activities and leave the admin accounts for administration purposes (installing hardware and software, applying patches, changing system settings, etc)
A limited account prevents malware from tampering with your system, disabling your security software and manipulating the kernel to hide from security tools and you. This makes recovery much easier and it also eliminates the risks of kernel rootkits, the most dangerous kind of malware. See here for more info.
- Since most malware is of executable nature (be it a mail attachment, the result of a drive-by download, a file launched by the autorun trick or something else), consider the whitelisting of your trusted executables (Windows and Program Files) and deny the rest. This can be done with applications like Faronics' Anti-Executable or using Software Restriction Policies.
- Install an AV and configure it to the recommended settings. Then check that it's working normally going to the EICAR site and then schedule weekly scans. Advanced users may want to stop using a real-time malware scanner and go for applications like behaviours blockers and leave the AV to do only on-demand scans. If it's possible, scan downloaded content at sites like Virustotal or Jotti.
- Isolate the vectors of attack. Sandboxing your browser is an effective way of dealing with drive-by downloads.
- Backup your system and information to ensure a painless recovery if you ever manage to get infected. Backups also protect against hardware failures, user mistakes, natural disasters (if you have offsite protected backups) and thief.


Mods: if you think that this is not the appropriate sub-forum, feel free to move the thread, although I think it should be here due to the higher exposure it can get.

 

Thanks Lucas, good read !!

 

Thanks for the interesting post. It gives a layman like me confirmation that my security strategy is adequate.
I always believed that java scripts, when online, are the weak link (actually the vulnerability in browsers that they use) so the only two entry points that is hard to protect against are hacking of legitimate sites (Noscript wont help there since I usually allow scripts on these when needed) and software installation. And the latter is the only reason why I still use a AV becaus my SRP and Limited account wont prevent if a malware is bundled with a software I want to install. (maybe LUA takes the edge of the malware, but it wont prevent it)

 

Thanks Huupi and sukarof, I'm glad that you liked it.

NoScript may protect you if you block IFRAMES (prevents redirections to malicious sites) and forbid plug-ins (allow on-demand Flash clips, etc) even on trusted sites. You would be unprotected against remote code execution vulnerabilities in the Firefox's Javascript engine.

 

Much agreed, excellent material there and lines up with what this great forum, staff, and membership is been about for some time.

Hats off to all the Brilliant, generous and most (helpful) developers who are mostly always commonly overlooked at in the big world press machines eyes and articles as medium security vendors at best.

Heck, they been the top chief architects of the ABSOLUTE very best innovations and security that Microsoft Operating Systems can only drool over.

EASTER

 

lucas excellent write up and thank you for posting it.

Wake

 

Please mods make it sticky,this is serious stuff !

 

If someone watches flash content from YouTube, for example, Noscript can't prevent them from being compromised if one of those files is also malware that exploits an unpatched vulnerability in Flash, right? Natural social engineering, if you will.

Two distinct events have to happen in the same window of time (i.e., coincidence)

For example, the Miami Dolphins Stadium website hack couldn't have compromised a system if that system was patched. The hacker(s) simply could not coincidentally hack into a website that would be popular at the time and obtain a zero-day vulnerability. They likely could "get lucky" only once and, like most of these hacks, needed to rely on a user having an unpatched system (with multiple vulnerabilities, in this case) for the complete drive-by infection to occur. Correct me if I'm mistaken, but my sense is that a serious unknown zero-day vulnerability can usually be exploited for a few weeks or a few months at best, before it's discovered.

It doesn't seem easy to pull off a drive-by, if the user keeps patched and employs common computer sense, as you point out, because of the coincidences needed for the hacker. This is why I personally rely less and less on security products, and more and more on security policies (for my situation anyway).

A piece of advice from these forums that influenced how I look at the limits of computer security (once I understood what he meant), was Mrkvonic's often repeated, seemingly tautological comment to not put malware on your computer if you don't want to be compromised.

Like that advice, your post gets back to the basics.

 

Good post Lucas.

 

This is the direction I'm heading in too, Dogbiscuit. Maybe I'm burned out from trialling so many different pc security gadgets (software) over the years in an attempt to build the perfect layered security fortress, capable of stopping every conceivable exploit out there, when really the most logical approach is to follow the sound advice given in this thread and others similar to it.

Yes, I must admit Mrk's *"cool, reflective approach" on pc security eventually rubbed off on me to some extent, too

*credit for this quote goes to lusher

 

Thanks Lucas, for taking the time to post this.
Excellent read.

 

I agree with almost every word. There is plenty for people to get their teeth into here - without the need to buy or install any security software.

Use a mail provider which filters spam
Don't open unsolicited attachments
you shouldn't click on random links
not visiting warez and cracking websites
buying a NAT/SPI router and configure it appropriately
Disable the AutoRun/AutoPlay
Limited user account for daily activities
Sandboxing
Backup your system

My 2 concerns are that (1) far too many think that the risks of infection are far greater than they really are and (2) Far too many would prefer to buy vast numbers of programs to provide protection in preference to understanding what is going on.

 

Long View, I agree,in reality for many much is overdone but they feel safer by it so let it be,also many play with different setups,its their hobby and joy in live,better then roaming the streets.

 

Better than roaming the streets yes and playing as a hobbie - fine - but I find that all too often those who complain that they have been infected say that they were running the latest version of XYZ anti-virus, they regularly use Super anti spybot adaware cookie cleaner. Load a bunch of programs, call it layered and then wonder why they still get infected.

Instal HIPS if you want to enjoy learning about HIPS programs. Install an anti-executable if it allows you to sleep better but don't be surprised if having taken all of the sensible steps recorded by Lucas 1985 that nothing ever happens.

 

Bravo for the nice post lucas1985 .

Unfortunately, I believe that avoiding high-risk websites is no longer a good guarantee of avoiding malicious content, so I respectfully disagree somewhat with lucas1985's position on this. According to http://www.techworld.com/security/news/index.cfm?RSS&NewsID=11241, most website malware is now actually from legitimate sites. Also, a technical report from Google, available at http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html, states that "we showed that exposure to web-malware is not strongly tied to a particular browsing
habit." This is partially due to the ad distribution networks that lucas1985 mentions. See page 10 of this paper for a nice graph of malware exposure by various category of website. As you can see from the graph, the 'adult' category websites have only 2 to 3 times the malware exposure rate (counting both known malware and suspicious behavior as malware) of the other categories.

If you're running as administrator, it's a good idea to run all the high-risk app types lucas1985 mentions as 'Basic User' in Software Restriction Policies. In XP, 'Basic User' is not present by default - see http://www.broadbandreports.com/forum/remark,14461638 on how to add it.

Use freeware Secunia PSI to keep the high-risk app types lucas1985 mentions updated.

If your processor does not support hardware DEP, consider using freeware Comodo Memory Firewall to combat buffer overflow exploits. Software-only DEP is weak protection. In XP, you can check if your DEP is hardware-based in Control Panel->System->Advanced->Performance->Data Execution Prevention. Comodo Memory Firewall also claims to protect against some types of buffer overflow attacks that even Hardware DEP may in some cases not protect against, such as Return-to-libc attacks. See http://blogs.zdnet.com/security/?p=912 for further details.

Using an alternative browser can help you to lessen the threat of web malware. Firefox and Opera are good alternatives to Internet Explorer.

 

I am like a lot in here and play around with security software mainly to see what it does. But I am finding my favored setup is a Limited User Account, Software Restriction Policy and an AV. My thinking is if something does get by the AV it can't execute anyways because of the SRP, and as someone said, "If it can't execute, it can't infect." A virtulization app like Returnil finishes off the mix by getting rid of the crap with a simple reboot. It's safety without slowing my computer down.

 

A great reading. Thnaks lucas for taking the time to write it.

 

Very thorough analysis, Lucas!


----
rich

 

I must have missed something because I didn't read anything in lucas1985's post which held that avoiding high-risk websites was a guarantee of avoiding all malicious content. As to avoiding some malicious content, even the Google Technical Report referenced stated: "Although we found that adult web pages may increase the risk of exploitation, each DMOZ category was affected.'

And while they found no strong correlation between browsing habits and malware exposure in the 2007 period studied, the above referenced statement implies at least some correlation.

Isn't this consistent with lucas1985's advice?

 

The statement I was referring to is "The compromise of legitimate sites is on the rise, but (IMO) we are far away from reaching epidemic proportions." This statement to me would seem to indicate that malware found on legitimate sites is not that great of an issue. But according to the one of the links I supplied, "According to data compiled by Websense, 51 percent of the sites it classified as malicious in the second half of 2007 had been compromised and then seeded with attack code that infected unpatched machines visiting the URLs." Thus, I believe legitimate sites hosting malware is indeed a big issue, perhaps large enough to be considered "epidemic proportions." Fortunately, the good advice given to use ad blockers would mitigate this issue at least somewhat.

The statement "Although we found that adult web pages may increase the risk of exploitation, each DMOZ category was affected" means that even though the malware risk is higher with adult websites, there is nonetheless a nontrivial risk of malware associated with other types of websites other than adult websites. Or, to use the authors' own words again, "we showed that exposure to web-malware is not strongly tied to a particular browsing habit."

The point of all of this is that you cannot let your guard down even if you avoid iffy websites. The advice given here by lucas1985 and others has been fine. My desire is to emphasize that even users who believe they browse only "safe" sites also need to follow the advice given.

 

I see. Point taken.

 

Here is a fine example from http://windowssecrets.com/2008/04/17/02-Flash-ads-bearing-malware-plague-popular-sites: "A Flash-based advertisement that appeared last week on the USA Today site downloaded malicious code to users' computers, generating erroneous warnings of a malware infestation and offering a phony solution." The article later states:

"Makers of Flash-building tools, including Adobe, Autodemo, TechSmith, and InfoSoft, quickly updated their development environments to patch the holes, according to a March story in The Register. But because many of the vulnerable files have to be regenerated from scratch, a titanic number of high-risk Flash files remain online."

"Speaking at last month's CanSecWest security conference in Vancouver, B.C., [Google researcher and author Rich] Cannings estimated that over 10,000 sites host the risky files, The Register reported."

"But that estimate may be low. In his security blog, Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, writes that 'potentially hundreds of thousands' of Web sites could be at risk. 'Reasonably workable fixes are going to be a long time coming,' he adds."

The facts stated in this article are illustrative of why computer users should follow the advice given in this topic, even those who avoid iffy websites.

 

Interesting - "exposure to web-malware is not strongly tied to a particular browsing habit."

I had always "assumed" that one of the main reasons that I had never found any evidence of infection was that I was a safe surfer. Now I have no idea why I'm staying safe

 

I don't have Flash Player installed. I hate that thing. I won't use Microsoft's Silverlight either. I use Fx 1.5 and Adobe Reader 5 and and and.....and I don't get infected. It has nothing to do with the version of applications you use or running as Admin...it has to do with stupid things that the majority of users want ...Flash Player, CNN, junk stuff. Oh and Facebook and Instant Messaging. I block Facebook specifically and I do not engage in Instant Messaging. I use the Proxomitron for many years. I can't imagine seeing ads. If that was happening, I'd get rid of my computer and just get a TV. Just don't think like the masses ...avoid all that garbage stuff and you will be ok.

 

The exclusion of Flash will reduce the chance of infection, but won't it dampen your web surfing experience?