security software vs. 0day malware

Discussion in 'other security issues & news' started by gambla, Dec 11, 2013.

Thread Status:
Not open for further replies.
  1. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    166
    Location:
    Frankfurt, Germany
    Guys,
    didn't find a better title. We know that malware creators are testing their new code vs. all the most popular security software. So even if we have a really good setup, we need to assume that the latest malware was tested against it and adjusted to circumvent it.

    What do you do to counter this threat? What additional layers could be added?

    cheers,
    gam
     
  2. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    It is impossible for malware creators to try every configuration for every security tool out there, but I'm pretty sure that they test their tools against the default configuration. So my first idea would be to spend some time with any security software that you want to use, and configure it to your needs instead of leaving the default settings enabled.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    You stop relying on tools that need to detect/ know malware.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    That sums it up perfectly :thumb: I only see them as a second opinion, but one I don't place too much faith in.
     
  5. Dave0291

    Dave0291 Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    553
    Location:
    U.S
    But what does one replace these ineffective tools with, or use alongside them? As I understand it, HIPS-like software can help. But those seem so very complicated to understand and deal with for us less knowledgeable folks. I am not the type of individual that gets a thrill from my computer asking me questions all the time, bothering me with jargon-filled pop-ups wanting me to allow something or denying my ability to do something without telling me in plain English why it doesn't like what I or a program is doing.
     
  6. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Dave0291, try Sandboxie. And don't use it only for sandboxing browsers. Looking for the perfect tool (for me) to handle Zero day threats is how I ended up using SBIE. It didn't take me long after discovering it to know that SBIE was for real.

    Bo
     
  7. guest

    guest Guest

    Mitigation techniques. Not saying AVs are useless, but in extreme cases they will be more helpful to prevent advanced exploits and other "magical" bypasses.
     
  8. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    Believe it or not, becoming more knowledgeable about security matters can also be a security "asset", alongside other software that provides various degrees of protection.
     
  9. Dave0291

    Dave0291 Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    553
    Location:
    U.S
    Nebulus, that is precisely what I have been attempting to do over a period of time. I don't feel it is very wise to just sit back and let programs watch over me. If I understand how the most common threats work and what they can and cannot do, then perhaps I can avoid the mistake of having too many programs overlapping and causing issues. More importantly, I might avoid dangers in the first place.

    Graf Zeppelin, mitigation techniques such as EMET? Although I do not understand all of the terminology, I had been looking into using that as it seemed fairly straightforward.

    Bo Elam, I am a bit on the fence when it comes to programs such as Sandboxie. I have read many glowing reviews and praises for the work that one lone man has put into it. However, I understand it has its drawbacks as well and may not stop threats, but rather contain them.

    I had been thinking of switching to Chrome for browsing, running EMET and MBAM Pro, and either continuing on with Avast or perhaps going to Panda Cloud for an AV. It seems rather basic, but perhaps it will hold me until I learn more about more effective tools and how to use them.
     
  10. guest

    guest Guest

  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That is a potential weakness of containment based policies. For the typical malware a user might encounter, a sandbox is usually sufficient, for now anyway. It's entirely possible to create malware that will defeat sandboxing. It's not likely at this time that a user will encounter it, unless they're being directly targeted, and the adversary knows that you're using one. As sandboxing becomes more common, attacks against it will also become more common. Sandboxing is also of limited value against malware that can do its work from within the sandbox, e.g. a one time use that steals passwords or login data.
     
  12. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    ... And note that HIPS/AE programs are for the most part a (limited) subset of sandboxes.
     
  13. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Five years ago I learned that protecting my computers against Zero day threats was possible if I got out of the box regarding computer security. And that's exactly what I did when I decided to use Sandboxie and learned basic security. In my personal case, that was enough to make a difference.

    Glowing reviews and praises about SBIE meant nothing to me then or now, results do. After five years of using Sandboxie, to this day, I haven't seen anything get out of any sandbox unless I allow it. And that's really all that matters Dave.

    Perhaps Sandboxie is not for you but I can assure you, protecting yourself against Zero day threats is easy, all you really have to do is find your own way of doing it like I did. If you do, you'll enjoy using computers and the internet a lot more than you do now.

    Bo
     
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Regarding Sandboxie, SBIE is not an anti-keylogger but I have never seen a piece of malware do its thing as described above in any of my sandboxes ever. If you don't carry an infected addon that hijacks your browser or your system is infected by a keylogger, it is not likely that your passwords, etc. can be stolen and sent out if you are using an internet restricted sandbox.

    Bo
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    You wouldn't be logging into such an account from an internet restricted sandbox. Sandboxing is good for preventing malware from infecting your physical system. It's not a solution against browser exploits, compromised sites, malware that runs in memory, etc. Sandboxing can't be viewed as a solution to zero day malware. It's effective against some types, useless against others. Users need to understand its abilities and limitations.
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    What are you talking about, what do you mean?
    I can't believe you believe what you are saying.

    Bo
     
  17. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    166
    Location:
    Frankfurt, Germany
    Thanks for your thoughts. Would you say that even popular HIPS like OA or Comodo are tested for bypassing before they release any new, more sophisticated malware? I'm using OA free but I'd agree that EMET, SBIE and/or MB Anti-Exploit are strongly needed.
     
  18. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm not sure how to be clearer. You said:
    Why would you need those passwords in an internet restricted sandbox? You'd enter login passwords from a sandbox that has internet access. Malware injected by a malicious site could steal them at that time. Look back at the attack on the Bank of India.

    Regarding:
    I'm not a fan of sandboxing as the primary defense. IMO, if malicious code is allowed to execute, all bets are off. I base my security policy around default-deny, a reduced and hardened attack surface, and restricting permissions as much as possible.
    Here's a current example of a sandbox failing against 0-day exploits. Check the link HM posted there.
    https://www.wilderssecurity.com/showthread.php?t=357131
    As sandboxing becomes more commonplace, malicious code that targets sandboxes will become more common. This is just another step in an unending arms race. It's unending because it's based on a default-permit policy at its core.
    You might find this interesting:
    The Six Dumbest Ideas in Computer Security.
     
  19. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Default-deny on the level that actually matters - the level of machine code - is not possible by any sensible definition, at least not on x86. Default-deny for executable files is really a pretty abstract concept, and is not worth much vs. zero-day exploits.

    (It can be really effective against e.g. spear phishing though.)

    For dealing with real zero-day stuff, I think the best solution - the only one, really - is strength through diversity. Don't use what everyone else is using, and you're less likely to be a target.
     
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Noone, because you are not a fan of sandboxing doesn't mean that Sandboxie cannot contain Zero day threats. If you are browsing and there is an exploit of Flash or Java, for example, and malware is dropped in your computer, it is contained within the sandbox and isolated from your system. That is exactly what Sandboxie does. In my personal case, I use nothing but Sandboxie and SBIE has never let me down so I know for sure that it does contain all kind of threats.

    Let me give you an example of what I do with a PDF when it's downloaded into my computer. If you sent me a PDF like the one that escapes Adobe's sandbox, the PDF will go into my Downloads folder. When I run the PDF out of the Downloads folder, it will run sandboxed if it is a PDF. If the file that you sent me looks like a PDF but it ain't, it will not run as it will be blocked by Sandboxie's Start/Run restrictions. After I move the PDF from my Downloads folder, the PDF will always run in a sandbox until the day it gets deleted from the computer. And it will run in a sandbox where only Foxit is allowed to run and no program is allowed to connect. If the PDF had an exploit, it is contained and deleted when I get rid of the sandbox.

    For users using an antivirus, Sandboxie works great as it can be used to handle Zero day threats while the antivirus takes care of threats that are known. That really is the best way of using SBIE. The main reason really to use something like Sandboxie is so you do not depend on signatures to be protected. That's why Sandboxie treats all programs and files alike. Sandboxie is not for everyone but it really works against Zero day threats; you just don't know it.

    Bo
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I would say sandboxing easily has the most potential for security of anything out there. Default deny *still allows code to execute*, which has been covered in depth on wilders - so if you think 'all bets are off' after that, they aren't helping.

    Properly implemented containment, which involves quite a lot (and is really only possible on Linux with significant effort into a program's architecture -> vsftpd, chrome), is one of the most significant ways to stop an attacker from monetizing the system.

    Of course, that requires full rearchitecture of programs. But that's becoming less of an issue.

    There's some really cool research into 'intent' based capabilities. Capability research will probably lead to the most significant advancement in security - it's the foundation for seccomp, for example.

    Of course, all of that hits Linux first, and we're a long ways away from full hardware based capabilities.
     
  22. Dave0291

    Dave0291 Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    553
    Location:
    U.S
    I'm sorry for getting back into the thread a little late. I have been reading more and looking at the responses here... and I must say the differing opinions are confusing. :D What I really wish I could do is not let any malicious code execute. I don't even want it to look at my computer and think it has a chance. Perhaps that is asking a bit much. Regarding Sandboxie, this article is one of a few that put me on the fence about sandboxing. http://www.insanitybit.com/2013/09/12/browser-exploitation-expanded-noscript-sandboxie/. It seems like you would really have to know what you are doing and perhaps face usability difficulties to set up Sandboxie as a proper defense option.

    I am curious though. Since many people have a lot of faith in NoScript, for Chrome would the extension talked about at https://www.wilderssecurity.com/showthread.php?t=356427 be a good alternative? It seems close to what NoScript does.
     
  23. guest

    guest Guest

    YES! I mean... yes. I personally consider it the best content filtering extension for Chrome/Chromium-based browsers ATM. If I understand it right, it can even block known bad domains from various databases, just like ScriptSafe.
     
  24. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    As a Sandboxie user who believes in restricting what can run, and what can access the internet from within all of my sandboxes, I also believe that it is critical to close the sandboxes frequently and have it configured to auto-delete the contents.

    Doing so limits the amount of time that any malware is permitted to run, and if emptied prior to connecting to important sites, assures the user that a keylogger is not present in the sandbox.

    I know it sounds obvious, but I'm guessing that even some regular SBIE users don't close their sandboxes very frequently. It's a good habit to get into.
     
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    In my opinion, new Sandboxie users should use Sandboxie on default settings, changing settings as they learn the program. Most of the people that I know in life that are using Sandboxie have never gone into settings, they use a default settings sandbox and don't get infected anymore.

    The only settings that I recommend to change immediately after installing Sandboxie are: 1) Set the sandbox to delete on closing, 2) Set bookmarks or favorites to be saved out of the sandbox and 3) Set the browser and sandbox to save files that you download out of the sandbox. That and knowing how your antivirus (if you use one) and Sandboxie interact with each other is all that's needed on Day 1.

    Later, as you go and learn more about Sandboxie, you can start restricting the sandbox and create more sandboxes to make isolation work better. The more you separate programs from each other and the system, the better Sandboxie works and the safer you are. There are settings for you to keep your personal information out of reach of programs that are running within the sandbox, you can learn about them on Day 4.

    By the way, the reason I use Firefox is NoScript :cool:. Sandboxie, NoScript is all I use and it works... for me.

    Bo
     
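    The two setups described in this thread, bo elam's Foxit-only, no-network PDF sandbox (post 20) and his three Day 1 changes plus Page42's delete-on-close habit (posts 24 and 25), sketched as a Sandboxie.ini fragment. This is an added illustration, not configuration posted by anyone in the thread or shipped by Sandboxie; it assumes classic Sandboxie.ini syntax, a profile under C:\Users\alice, Firefox as the browser, Foxit Reader as the PDF viewer (process name "Foxit Reader.exe"), and the Firefox bookmark path shown; box names and paths are placeholders to check against your own install.

```ini
# Added example, not from the thread or from Sandboxie's own files.
# Comment lines are for the reader; keys and values are standard
# Sandboxie.ini directives, paths and process names are assumptions.

# --- Day 1 box: the three changes recommended above, plus the browser
# forced to always start inside it.
[DefaultBox]
Enabled=y
# 1) discard everything in the box when the last program closes
AutoDelete=y
# 3) offer to move downloads out of the box instead of losing them
AutoRecover=y
RecoverFolder=C:\Users\alice\Downloads
# 2) bookmarks stay outside the box (assumed Firefox profile layout)
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\places.sqlite
# the browser runs sandboxed even when started from a shortcut
ForceProcess=firefox.exe

# --- PDF box: anything run from Downloads lands here; only Foxit may
# start, nothing may reach the network, and the box empties on close.
[PdfBox]
Enabled=y
AutoDelete=y
# programs and documents opened from Downloads are forced into this box
ForceFolder=C:\Users\alice\Downloads
# Start/Run restriction: only the viewer may start; an .exe dressed up
# as a PDF is refused rather than executed
ProcessGroup=<StartRunAccess>,Foxit Reader.exe
ClosedFilePath=!<StartRunAccess>,*
NotifyStartRunAccessDenied=y
# Internet restriction: closing the socket device blocks every program
# in the box, so an exploited viewer has nowhere to phone home
ClosedFilePath=\Device\Afd*
NotifyInternetAccessDenied=y
# keep personal documents out of reach of whatever runs in the box
ClosedFilePath=%Personal%
DropAdminRights=y
```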