Greg Hoglund pokes holes in "Whitelisting" concept

Discussion in 'other security issues & news' started by Longboard, Aug 19, 2008.

Thread Status:
Not open for further replies.
  1. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
  2. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Maybe I'm a little slow but...

    Where does the injected code come from? How does it start? Doesn't it have to be executed (i.e. whitelisted before it can run) to do the injection?
    How can the malware author inject subversive code into processes in RAM if the software that injects the code is not allowed to start in the first place? Is there malware out there that doesn't have to be executed?
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hello,
    sukarof, I agree ...
    And most of the article later on uses bombastic words to frighten the readers.
    Mrk
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    Of course there is. It can infect your machine even when it is unplugged.:D
     
  5. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Do "exploits" and "bodyless malware" ring a bell?
     
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Indeed Code Red, Slammer. I have my opinions and one is security solutions should be simple, robust and I do think av has to some extent gone down the wrong path, signatures are great for business, a never-ending cash flow :) .

    Exactly what I do, dump the memory.

    Check out HBGary - Hoglund.
    HBGary : Responder, Fastdump, Flypaper.
     
    Last edited: Aug 20, 2008
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    They write this as they want users to continue with traditional AV, AS etc etc...

    After all it's a matter of money. I will not be surprised if I come to know that these people are being paid by security companies.
     
  8. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I have a very different read of the piece.

    To me it's a fairly straightforward comment that the next magic bullet (you name it - AV, HIPS, virtualization, whitelisting, and so on, there have been many and there will be many more) coming around the bend is not the panacea of a complete solution. There will be complexities and unintended secondary dependencies to deal with. Ignore the nuances and you're quickly back where you started, except that the precise origins of the problem have simply been recast. Attempt to understand the complexities, and you have a chance to make some progress.

    Further, as with any measure, even though it may not be a magic be-all/end-all bullet, it may be very effective in specific situations.

    Blue
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Yes, it can never be a magic bullet but it is far more effective than traditional AV, AS etc.
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If the whitelisting the author refers to is simply a listing of apps and processes that are allowed and this "whitelist" is the primary means of defense, then the article is at least partially true. If every whitelisted process can launch any other whitelisted process, it will not be a very effective security setup. For whitelisting to be effective, it has to go further than that. In addition to whitelisting the processes themselves, the activities of each should be individually whitelisted as well, especially in regards to what other processes each one can launch or access. It's the integration of apps with the OS and each other that makes most exploits as effective as they are. When the browser is part of the OS, a browser exploit is an OS exploit. When the media player, PDF reader, etc. are allowed to launch/access that browser that's part of the OS, an exploit for one of them becomes an exploit for the entire OS. Removing or blocking that integration often prevents a compromised application from becoming a completely compromised system. Applications that handle internet and other external content should be as isolated from the OS as possible, not integrated into it, and not into each other. It may be convenient to play media files and read PDFs in your browser, but it also increases the number of points from which it can be attacked.

    This won't stop all possible exploits. Nothing can, at least nothing that anyone would want to use. It will stop a lot of them and will also make many more much less effective by limiting what they can gain access to.
     
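The two levels of whitelisting described in the post above, as an added example that is not part of the thread: a toy default-deny policy where level 1 only checks that an executable is on the list, and level 2 additionally restricts which children each parent may launch. Program names and the event stream are constructed for illustration.

```python
"""Added example (not from the thread): a toy default-deny policy with two
levels. Level 1 allow-lists executables; level 2 also restricts which child
processes each allowed program may launch. Names are constructed samples."""
from dataclasses import dataclass

# Level 1: executables permitted to run at all (constructed sample).
ALLOWED = {"explorer.exe", "browser.exe", "pdfreader.exe", "mediaplayer.exe"}

# Level 2: per-parent launch rules. A parent absent from the table may launch
# nothing, so internet-facing apps (browser, PDF reader, media player) get no
# launch rights at all; only the shell may start them.
LAUNCH_RULES = {
    "explorer.exe": {"browser.exe", "pdfreader.exe", "mediaplayer.exe"},
}


@dataclass(frozen=True)
class LaunchEvent:
    parent: str
    child: str


def flat_whitelist(ev: LaunchEvent) -> bool:
    """Level 1: any allowed program may launch any other allowed program."""
    return ev.parent in ALLOWED and ev.child in ALLOWED


def launch_whitelist(ev: LaunchEvent) -> bool:
    """Level 2: the child must be allowed AND the parent must be permitted
    to start that particular child."""
    return ev.child in ALLOWED and ev.child in LAUNCH_RULES.get(ev.parent, set())


def evaluate(events, policy):
    """Return [(event, verdict), ...] for each event under the given policy."""
    return [(ev, policy(ev)) for ev in events]


# Constructed event stream: a normal session, then a compromised PDF reader
# pivoting through the integrated browser, then an attempt to run an unknown
# binary. Only level 2 stops the pivot; both levels stop the unknown binary.
EVENTS = [
    LaunchEvent("explorer.exe", "pdfreader.exe"),
    LaunchEvent("pdfreader.exe", "browser.exe"),
    LaunchEvent("browser.exe", "dropper.exe"),
]

if __name__ == "__main__":
    for name, policy in (("flat", flat_whitelist), ("launch-aware", launch_whitelist)):
        for ev, ok in evaluate(EVENTS, policy):
            print(f"{name:12} {ev.parent} -> {ev.child}: {'ALLOW' if ok else 'DENY'}")
```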
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Even the bodiless malware begins with an executable. The fact it later runs in RAM is a different story.

    As to exploits, unless the particular exploit results in a whitelisted application, like the browser, directly accessing a system file, then yes. Most of the time, you will have a download, which initiates a secondary, so-called arbitrary piece of code; with whitelisting, this won't work.

    Whitelisting is not a silver bullet, but it is several orders of magnitude more efficient than blacklisting. Default deny is better than default allow.

    And the best example of how robust whitelisting is is our fellow member Rmus. He tests malware all the time and his approach has kept him fairly safe so far.

    Mrk
     
  12. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Yes, but that's not the point ;) the executable can be run from another PC where whitelisting is not active. Remember Slammer? Just run the first dropper, then it spread as it wanted, without dropping any executable on the victim machine.

    You've given the answer. Moreover, don't use the words "Most of the time", because the one you've shown is simply one of the ways an exploit can hit.
     
  13. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hello,

    Some browsers do not have system access - Firefox, Opera.

    Second, it may take a single machine to become infected, but it has always been the Achilles' heel of a LAN - a single weak machine.

    However, with proper patches + firewall, Slammer is a non-issue.

    That said, show me one exploit where an exploit is executed directly on the system, through the browser, skipping the drive-by and secondary execution.

    That said, show me one exploit where this works in non-IE browsers.

    Mrk
     
  14. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Thanks Mrkvonic.

    I've just been surfing around for an hour reading about how exploits and "bodyless malware" work, to ask the questions you just did :)
     
  15. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Mh, maybe my English has not been so clear. Let me explain everything again.
    What are you saying?

    What do you mean with "system access"?

    What does this sentence mean? You can even adapt multi layered defense and you'll have only few chances to get infected. That's not the point!
    We're talking about whitelisting, and whitelisting by itself would not have been able to stop Slammer by design. It could have been able to block only the starting dropper, yes.

     
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hello,

    Maybe, my English was not clear.

    For people at home, Slammer is a non-issue. You use whitelisting, you stop the initial execution, game over. Stopping the dropper is the whole thing.

    System access - ability to read, write to root, in Windows case this being the Windows registry, folders etc. IE can do this via FSO, Firefox / Opera and other browsers cannot. Only if there's a vulnerability in the JS engine or similar, but you can also allow a file and defeat whitelisting yourself. Nothing will protect against the user.

    And what's your point? People should use blacklisting products? Because of one worm that infected a few unpatched corporate machines in 2003 or so? And was gone with a reboot?

    Give me another example. Furthermore, give me one example that will work for Opera or K-Meleon or Firefox.

    Mrk
     