AntiX: is it for you?… dispelling the fear of malware

Discussion in 'other security issues & news' started by Rmus, Jun 4, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    ________________________________________________
    AntiX:
    a program which prevents the execution of unauthorized code
    (source: The Rmus Handbook of Significant Data)
    ________________________________________________

    Quick: how many executables can you name? What *is* an executable?

    In a recent survey of 9 acquaintances I chose at random, 3 did not know what an executable file is. Only two could list something other than .exe. One knew .com and .bat. But what about .dll; .sys; .scr; .ocx; .ax…

    All of the above can execute code. Some are commonly used so that we are familiar with them. Others are not so familiar, but potentially dangerous when used in malware.

    Much has been written and discussed about the idea of preventing unauthorized executables from running, and the discussion often leads to conclusions based on misinformation and misunderstanding. The terms anti.exe, anti-exe, have been used to describe programs that attempt to do this, but to limit them to .exe files is misleading to the average user. Hence, the need for a new term.

    I coined AntiX to include the idea of prevention of executable files that run code in viruses, trojans, worms, etc. Because there is no consensus as to the differences in some cases between these terms, I use the term malware (in most cases) to refer to any program the user does not want to have executed; hence: unauthorized executable.

    There are a number of products that prevent unauthorized executables from running their payload. Two companies that have created very innovative and different solutions to this problem are DiamondCS, with their Process Guard (PG) and Faronics, with their Anti-Executable (AE). Using some of the tests that PG has provided on their website, and those that I have run myself with AE, I will show how the fear of malware running on your system can be alleviated when you understand how malware attempts to execute, and how that execution can be prevented. I’ll start with some of the highly-feared types of malware floating around.

    Rootkit

    The fear of a rootkit is so pervasive (shutter) that discussions in the various forums (questions like, Do I have a rootkit?, or, HELP - I think I have a rootkit) border almost on total panic. Microsoft didn’t help any with their article back in April when they wrote that we should be "very very afraid." Well, the more afraid you are, the less capable you are of dealing with the problem. This, of course, is the basis for all types of terrorism (and malware writers are a type of terrorist): to raise the level of fear as high as possible.

    As with all malware, a basic understanding of what it is (and isn’t) is the starting point.

    Rootkit (root = root privilege) + kit (hacking tools dropped into the system to work at the root level) goes back to Unix days. Hence, many advocate using a different term, since we don’t have root privilege in Windows, (unless you want to think of Administrator). A rootkit is just another type of malware (often called trojan), albeit a rather sneaky one. The fear of it started because at first they were undetectable. Then came a product that could analyze the system and detect a rootkit, but it could not be removed. Now, there are products that do even that. The scanning/analyzing is very complicated, and there aren’t too many people with the technical knowledge to use those tools effectively. Several people have posted their logs, completely befuddled as to what the logs are indicating. Often, there are false positives. Besides, the time and bother involved with that is just completely unnecessary, for the rootkit can be prevented at the start from carrying out its task.

    PG’s solution is to block the installation of the driver (.sys) by the "dropper" trojan (.exe), essentially rendering the attack useless. See:

    PG_rootkit

    When AE installs, it creates a whitelist of every executable on the computer (scans for more than 80 different types). Any executable not on that list will be blocked from installing/executing. I wanted to test fu.exe, but when I downloaded the fu rootkit package and attempted to extract the files, AE denied the extraction (copying), invoking its copy prevention rule. So, I extracted the package on my laptop (without AE) and attempted to copy fu.exe and the driver, msdirectx.sys, across my LAN to the desktop computer. Again, the attempt was denied. See:

    AE_rootkit

    With both PG and AE, installation failed. So much for rootkits.

    Dll Injection

    Ever notice how medical terms are used? - virus, injection, infection, etc. Helps to raise the fear level. In this exploit, the trojan attempts to load (inject) a dll file into one or more processes. Here are two tests - firehole.exe and pcAudit2.exe - that demonstrate dll injection. This is how PG blocks the attack. Look for those two tests at the bottom of the page:

    PG_dll injection

    In trying to run the tests on my system with AE, I ran into the same problem as with rootkit: AE blocked downloading the test files. Knowing that those test.exe files dropped a dll upon execution, I wanted to see if AE would block the dropping, since a dll is an executable. So, I turned off AE and downloaded the two tests to the desktop and then turned AE back on. Upon executing each, AE denied the attempt to drop (copy) the dll, which would have created a global hook:

    AE_dll

    Two different yet effective solutions. So much for dll injection.

    Keyloggers and Password Stealers

    The fear of this is so high that one is afraid to even type anything, lest her/his entire life history be exhibited on the internet for all to see. Well, a keylogger or password stealer is just another trojan and nothing to be afraid of. In the keylogger test that PG uses, the program loads a dll to attempt to create a global keyboard hook, and PG effectively blocks the attempt:

    PG_keylogger

    If keystroke.exe runs, AE blocks the attempt to load the dll. I had to permit the keystroke.exe file to download in order to test this. In practice, the .exe would never have made it into the system.

    AE_keylogger

    Again, two different but effective approaches to the problem. So much for keyloggers and password stealers.

    Well, there is much more that these programs do, but this shows how effective they are against some of today’s fearsome exploits involving executables. For instance, anything that attempts to execute an installation of spyware, adware, etc, would be also blocked by Anti-Executable by preventing the executable from getting into the system. Process Guard must do something similar, since it uses a whitelist.

    There are things that they don’t protect against, of course: they are not a firewall, nor a script-blocker, nor a lock-down program, but certainly can be considered as part of an over-all security setup.

    Now, the tests above could only run because permission to install them in the first place was given. It can be persuasively argued that if one’s user alertness and safe computing habits are strong enough, that AntiX is not necessary. Fair enough, and I would not argue with someone otherwise. Yet, there are those instances when something could trigger an attempt to auto-load an unauthorized executable, and it is these cases that one can argue for such protection. No two users and their systems are alike, and no single security setup would be applicable in all situations, and I think it's futile to argue for one over the other.

    Something needs to be said at this point about installing software. In doing so, it’s been said, you are granting permission for the installation of a program, and this is a point of vulnerability, since you might not be completely sure that the program is safe. True enough. When this is brought up in discussion, often a silly jump-to-conclusion is reached: "See, your AntiX doesn’t prevent installing of a malicious program." Well, this is absurd, of course, because at this point your security apparatus is turned off, and some type of risk assessment has to take place. All AntiX does is protect from *unauthorized* intrusions once the protection is enabled.

    How to evaluate risk assessment is another topic. Each to her/his own.

    Conclusion

    All writers of malware prey on fear. The more afraid you can be made to feel, the less likely you can adequately defend yourself. The first step is to understand that there are solutions to attacks against your computer.

    Your defense solution may be nothing more than your own awareness of what’s going on and not relying on any security product. A thread in another forum asked, what are your #1, 2, 3 security products. I wasn’t surprised that a number of people put either "none," or "#1-user awareness, #2-user awareness, #3-user awareness." Others said they ranked them all the same, couldn’t imagine being without any of them, and then listed all (9 in one case).

    What you choose for your security setup ultimately depends on what your concerns are.

    Today’s computer security companies have come out with many creative and innovative products. We should be thankful for that. I have demonstrated two products that offer quite different yet effective solutions to some of these concerns.

    Happy and safe computing!

    regards,

    -rich
    ___________________________________
    "Fear is only as deep as the mind allows."
    (Japanese proverb)
     
    Last edited: Jun 5, 2005
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Re: AntiX: is it for you?… dispelling the fear of malware

    Hi,
    Several things:
    1.Very good post man.
    2. Could you link to faronics ae?
    3. About fear. People forget that malware is not aids. It's curable and reversible. Even the worst windows trojan cannot stand in the face of a lovely format. I noticed that people also tend to be quite afraid of formating and starting a fresh clean install. It's also usually a job of no more than 3-4 hours.
    Cheers,
    Mrk
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Info w/link to evaluate:

    http://www.faronics.com/html/AntiExecStd.asp

    Well put!

    regards,

    -rich
     
  4. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Re: AntiX: is it for you?… dispelling the fear of malware

    Indeed! Formatting really isn't that bad, and knowing how to do it (and having a good backup strategy) can free up a lot of apprehensions about really getting to know your system, which can only help security in the long run. Formatting and handling hardware are two things that can go a very long way towards demystifying computers. As far as malware goes, when I find a machine infected with keyloggers or backdoors I don't take chances, just format and get it done with.. especially a heavily infected machine where there may be question as to whether there's anything left. Disk imaging software is a good option for those that really don't like the idea of formatting, though, as long as you can be sure the image is clean.

    The way rootkits are going, however, I would personally still want something like PG to ensure the infection didn't go beyond the bounds of the harddrive (into other parts of the computer or into other parts of your life, like your bank account or credit report) and do prefer to format on my own schedule, not out of urgency or haste.
     
    Last edited: Jun 5, 2005
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Oh, I think that should be standard procedure. In fact, I would advise before installing a program like PG or AE to start with a clean reinstall. Or, if it's a fairly new system, complete scan. After all, you are going to permit free rein for what's on your computer and block everything else.

    I certainly agree! However, as I stated earlier, I would not attempt to convince anyone of that who did not want to be convinced.

    regards,

    -rich
     
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Re: AntiX: is it for you?… dispelling the fear of malware

    Couldn't agree more :D
     
  7. dog

    dog Guest

    Re: AntiX: is it for you?… dispelling the fear of malware

    Good Posts Rich and Notok ... it is all about fear of the unknown.

    There are so many great tools available to us today that can erase any fear. It also speaks for other programs, like Deep Freeze, Shadow User, or good Imaging software.

    In the case of monitoring a user executed executable - RegDefend could be used to analyze reg entries created by it, only for analysis of course - not for daily use by monitoring HKUR, HKU, HKCU, and HKLM using wild cards. Something like Total Uninstall can be used in a similar fashion with the log generated.

    I really like the protection PG affords, and I can comfortably relax when someone else is using my PC. I have a limited whitelist, all the global protections enabled, with the block new/changing programs protection enabled, and PG locked (actually all my security apps settings are password protected - to prevent any unauthorized change by a user). Beyond that I employ other solutions, so I have no fear of what anyone does on my PC - as they can't really do any damage. :)

    Steve
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Re: AntiX: is it for you?… dispelling the fear of malware

    Hi,
    I just installed faronics ae to try it.
    But I have encountered two snags:
    There's no uninstall feature in the add/remove.
    The new icon in the tray is unclickable.
    Any suggestions?
    Mrk
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Answered by PM with references to the user manual.

    -rich

     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You should set up a clinic and teach security!

    -rich
     
  11. dog

    dog Guest

    Re: AntiX: is it for you?… dispelling the fear of malware

    LOL ... isn't that what Wilders' is? ;) :) ~an evolving clinic for an ever changing threat~

    I don't think any one person could teach a clinic, it's all about group knowledge. There are an awful lot of very knowledgeable experts - I however am not one - but even those experts rely on group knowledge. I do think many of the members here could teach a basic course on security to new users ... but not too much beyond that. I think the biggest issue is teaching at a level of their comprehension, once the basics are understood then increasing the curriculum to more advance subjects. It's far to easy to ramble off, use this use that, if the users knowledge doesn't warrant an understanding of the product(s), it's protections or the inference for the need.

    Steve
     
  12. Pollmaster

    Pollmaster Guest

    Re: AntiX: is it for you?… dispelling the fear of malware


    Darn.

    Sadly, you know this, and probably 90% of everyone here knows this intellectually speaking. But emotionally speaking it doesn't register.

    Marketing of ProccessGuard and other security products often seems to imply that they provide 100% protection against rootkits. When the fact is, rootkits are often hidden as trojans that are run by the user!

    Ditto for other threats like keyloggers. It's fashionable to worry about zero day buffer overflow attacks that result in unauthorized intrusions , but the simple fact is most of the time it's the users who choose to run the malware which makes your anti-X products helpless to protect you.
     
  13. -.-.-.-.-

    -.-.-.-.- Guest

    @Rmus

    I disagree. I believe that windows rootkits are/will become a bigger problem than your post suggests.

    1.
    For many users, the very basic "white list" approach (AE) does not work because, frequently, they want to try & install new applications. The AE approach only works for corporate admins who want to provide the user with a "fixed" environment which cannot be changed. (A centrally administered PG could offer the same protection.)

    2.
    Also the PG approach does not protect you with respect to a number of real-world scenarios. Frequently, users WANT to install new applications/drivers. Almost every game, many copy-protected applications, many image editing applications etc. require the installation of a driver. If such applications are "trojanized" PG cannot prevent the installation of a rootkit.

    3.
    AVs cannot detect a rootkit after it was installed. AVs may detect a rootkit prior to its installation if (and only if) the rootkit has not been modified. As you may know it is quite easy to modify known malware (no programming skills required)...

    4.
    Dedicated rootkit detectors may be hard to use for the average user. Moreover, even dedicated rootkit detectors may be useless because of anti-rootkit detector technology employed by the rootkit ( DCS published a respective screenshot -- it seems that it was removed ).

    5.
    In my opinion, there is reason to worry (not to panic). Something needs to be done. I wish there were a reliable high-tech rootkit detector. Current detectors are generally not too sophisticated.
     
  14. Pollmaster

    Pollmaster Guest

    OMG you are right!!! Guest.
     
  15. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Re: AntiX: is it for you?… dispelling the fear of malware

    First of all, very nice Post.

    In relation to PG, and it's vulnerable area...ie - users installing an new executable...that's where RegDefend can come in - you don't need to switch it off, and as it monitors the autostart areas...if your program isn't an autostart type, well it can certainly give you a very big heads up....and don't forget your AV/AT that's probably also running as well.

    One thing in the original post that I did find somewhat irksome was the use of the word 'terrorism' as a way to strengthen the argument, which seems to be a very flavour of the month method/word. Most people 'worry' that they'll get infected, and some don't do that enough even.

    Also, on the topic of malware companies using medical terms for malware/malware behaviour...this would be because medical terms are the terms that best describe malware/behaviours (as opposed to using military terms...which happens sometimes).

    There is a possibility that rootkits will become more common. Certainly there are now more open source rootkits on the internet. And certainly as security gets better and better, malware authors will be looking for sneakier ways to get around that same security.

    Those things aside, as I said, a very good post.
     
  16. Pollmaster

    Pollmaster Guest

    Re: AntiX: is it for you?… dispelling the fear of malware

    Sadly, if it can install itself as a driver, all bets are off. Regdefend won't fair any better than any polling registry monitor.

    And of course, there are a lot of simple ways to autostart not caught by Regdefend, because it doesn't monitor files or folders.

    That's why I and you use Prevx I guess :))
     
  17. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Re: AntiX: is it for you?… dispelling the fear of malware

    err...yeah, as per my other posts in the RD forum :)
    I like prevx too.
     
  18. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Re: AntiX: is it for you?… dispelling the fear of malware

    Hello,
    Pollmaster? What's so darn about asking about faronics?
    Mrk
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    On rootkits:

    They are a trojan. Eventually better detection/removal techniques will emerge. One should deal with their prevention as with any other trojan. I don't fear them more than any other trojan, which is no fear.

    Guest, Pollmaster, and others write that the whitelist approach does not work because

    -- frequently, they want to try & install new applications; drivers

    -- it's the users who choose to run the malware which makes your anti-X products helpless to protect you.

    I covered this in the "installation of software" part of my post. This situation exists with *any* security program: you have to disable it when you install, and this is a point of vulnerability - the user has to assess the risks. But this is another topic.

    The point of my post is that once you've locked down your system, nothing "unauthorized" can get into it while it's locked down. If you have to "unlock" it 10 times a day to install stuff, and that's a hassle, then this type of security program is not for you. I covered that in how you choose your security setup: each user's system/computing habits are different.

    My reference to terrorism is to point out that writers of malware prey on fear. I think it's an apt reference.

    My reference to the use of medical terms was to point out that they cause unnecessary alarm, often making people feel helpless. I just think that there are better ways of dealing with talking about security. It has to start from day one when a person jumps into computing: involves user education which dispels fear, provides an intelligent way of dealing with problems, etc., but that's another topic.

    regards,

    -rich
     
  20. pollmaster2

    pollmaster2 Guest

    Re: AntiX: is it for you?… dispelling the fear of malware

    I think this is overstating matters. You generally don't have to disable your Antivirus when installing new programs do you? Similarly, programs that monitor suspicious behaviour (modification of hosts file, process injection etc) do not have to be turned off either and can help you detect something unusual.

    It is the "antiX" portion as you call it, that is 100% helpless when dealing with trojans.
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    True: I was referring to other lockdown programs, such as ShadowUser, Deep Freeze, where you unlock, install, then lock back down.

    AV, scanning, etc, would be part of your risk assessment, where you determine to the best of your knowledge that a program you want to install is clean.

    -rich
     
  22. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    Re: AntiX: is it for you?… dispelling the fear of malware

    I thought this was a very good post. About the people who say PG is useless or can be easily compromised when disabled to install a new program. Well this is not PG’s fault; it cannot make up for user awareness. If you choose to download “shady” programs from un-trusted sources and then disable PG to install it and get infected with something, well then that’s your fault not PG’s. That’s why it is important to research any program before you install it. I always research any program that I am looking at before I install it; it just takes a quick google search or a search/post here (or on a similar forum) to find out if the program is legit or suspect, and if you cant find any info on it, don’t install it. If you have common sense and only download researched programs from trusted sites then you should never have to worry about something slipping though PG when it is disabled to install that program.
     
  23. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Re: AntiX: is it for you?… dispelling the fear of malware

    Hi,
    Although computers tend to be advertised as your best buddy around, they aren't very intuitive and you need to know quite a bit to be able to use it properly. Think of your average user, how much fuss he needs to go through to disable messenger in the services?
    So, the best thing anyone with limited knowledge is to limit the scope of damage he/she can do. If windows is concerned, and that's usually the choice of the inexperienced user, is to run a non-admin account, preferrably a restricted account. Few people will be able to know what to do if pg or any other program prompts about kkrss.exe is trying to this and that. But when you're boxed and all you can do is delete your own folder... there's little left to think and do.
    And there are nice programs called dropmyrights and secureit, which allow the user, in the case of the former, to create shortcuts with non-admin privileges for ie or firefox or any other program, or in the case of the latter, right-click shell option to run the application as non-admin, allowing safe surfing.
    And finally, format is like moving to a new house. New neighbors, new start. Takes a few hours, but it's not that painful.
    Mrk
     
  24. StevieO

    StevieO Guest

    Re: AntiX: is it for you?… dispelling the fear of malware

    I just wanted to say thanks to Rmus for starting the very informative thread which was good to read. And for the others who have contributed to it.

    I expect we'll all be hearing much more about things like this before too long i fear, so it's as well to be as fore armed as we are able to be.


    StevieO
     
  25. Pollmaster

    Pollmaster Guest

    Re: AntiX: is it for you?… dispelling the fear of malware

    Most are. A rare few are spread by worms of course.

    I fully agree, similarly vendors of security products prey on the same fear.

    Eg People fear unauthorised processes that magically run on their system automatically leading to a rootkit being installed. This fear of an unknown magical technique that can run processes without user interaction is what's fueling the whole AntiX market .

    Whenever a article comes out about a new threat, people assume it can somehow (fear of the unknown) magically execute and install itself, and they
    feel warm and fuzzy when they think about their antiX product that will stop this.

    Of course, 9 out of 10 times, there is no such technique, the user still has to run it, against which no antiX product can protect against.

    -rich[/QUOTE]
     
Loading...
Thread Status:
Not open for further replies.