How do security vendors differentiate between various malware?

Discussion in 'other anti-malware software' started by denniz, Apr 18, 2008.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    From Dunn's article:

    This is very misleading, for "triggering a malware attack" suggests malware downloading by remote code execution.

    The Websense analysis linked by Dunn clarifies:

    This exploit is a social engineering type, where the victim is enticed to permit the download/installation of the fake software. A prompt-to-download box appears for user action.

    The exploits need detailed descriptions, otherwise the user is left with too many questions.

    How is the exploit set in motion? Remote code execution? Social engineering enticing the user to click here?The downstream effects you describe more often than not, do download a malicious executable. Otherwise, what else does the exploit do? Will one's reboot-to-restore security erase all changes? One can't know without detailed analysis.

    Buffer overflow -- and now, Null point attack -- are loaded words which are nothing more than descriptions of methods of attack.

    As shown above, when analyzed, they reveal their weaknesses and strategies for combatting them.

    One such banner ad exploit redirected to a site to display an animated fake scan, if the flash object were permitted to run:

    Code:
    document.writeln('<embed src="tpl/1/images/scanner.swf"
    
    flash.jpg
    _________________________________________________________

    I, nor anyone I know, would click to play this .swf object, which was a very realistic looking real-time scan. Therefore, not be tricked into downloading malware a la "PC Protection for Free."

    End of exploit.


    ----
    rich
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I'll give a different example then. Look at http://www.scmagazineus.com/Malicio...atest-social-networking-attack/article/33655/. Simply going to MySpace at one point in the past could have gotten you infected, if your system was not patched, as there was an infected banner ad. No social engineering or remote code exploit was necessary. One million computers were infected by this. Just going to MySpace with a vulnerable system did the trick - nothing more needed.

    Although I don't have hard data, I would agree, as malware would often like to run on reboot also. There are other possibilities though. For example, a poisoned video could theoretically contain keylogging code with transmission of results via web browser. Whether such malware actually exists others can maybe address.

    Yes, whatever is protected by your reboot-to-restore security. If other partitions outside coverage were messed with, then no. Remember also that stolen data cannot be undone by a reboot.
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If you want a specific example, check out Adobe Flash Player Multiple Vulnerabilities - http://secunia.com/advisories/28083/: "2) An integer overflow in the processing of multimedia files can be exploited to cause a buffer overflow ... Successful exploitation of the vulnerabilities may allow execution of arbitrary code."
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Actually, it was a remote code execution exploit, exploiting the .wmf vulnerability:

    And easily blocked (no patch, in this case), as shown in another site with the same exploit:

    wmf-dl_1.gif

    wmf-dl_2.gif
    ________________________________________________________________________


    And here is a more recent one affecting other Adobe products:

    http://secunia.com/advisories/29838/

    There are two considerations I look at:

    1) What is the liklihood of encountering such an exploit? (a malformed .bmp file in the above case)

    2) What steps to I take to prevent the exploit from carrying out its intentions?

    Here is a good example: MSWord file-parsing vulnerability in 2007.
    This was of concern to my colleagues who use Word documents on a daily basis:

    http://isc.sans.org/diary.html?storyid=3757

    For consideration #1, it is a targeted attack (mostly corporate)

    For #2, White Listing will prevent the downloading of the trojan binary. Also, common practice at the college
    is to open student's MSWord documents in a text editor, in which case no embedded code (macro viruses, for example) will run.

    I think it's possible to deal with all exploits in a similar fashion.

    While security advisories are useful -- they alert to the exploit -- it's not until one can test a real one in the wild
    (or read a detailed analysis of one, as in the sans.org example) that one can formulate a strategy.


    ----
    rich
     
  5. herbalist

    herbalist Guest

    Vendor supplied whitelists have many of the same problems as AV detections or blacklists. It's physically impossible to create a whitelist that covers every version of every user application. Keeping one up to date is another impossible task, which is the scenario you described. The best the vendor producing the whitelist can do is to include the commonly used apps and keep it as up to date as realistically possible.

    Vendor supplied whitelists have another potential problem. Just because an application is whitelisted by the vendor doesn't mean that it is compatible with your system and all the other apps you have installed. An application that conflicts with something else you use can be almost as damaging as malware.

    If you're reasonably knowlegable about how Windows works, what the different processes do, and how they interact, you do have another option. Make your own whitelists. HIPS is ideal for creating and enforcing whitelists of the processes on your PC. Ideally, the best time to start building this whitelist is when you install your operating system. That's as close as you can get to being sure your PC is completely clean, that is assuming that your install disk isn't a pirated OS.

    There's always some amount of risk when installing and upgrading software. No matter what strategy you use, the risk can't be 100% eliminated. That said, you can eliminate almost all of the risk by establishing a set policy regarding how updates and software installs are done and enforcing that policyfor all users. This is the policy I follow when installing or updating software, which includes Windows updates and patches.
    1. Make a full system backup before you install anything. Ideally, the backup should be on a separate hard drive or removable media. There's several good options available for backup software. If at all possible, use something other than Windows built in system restore.
    2. Verify the digital signature of the update/installer if one is available.
    3. Regardless of what the file is or where it came from, scan the item to be installed at VirusTotal or an equivalent site with multiple scanners. No site or server is 100% secure or safe from malicious tampering. Neither are the files they contain.
    4. Keep your security software running. Update any AV or malware scanner you have before starting the install. A PC is very vulnerable when the software is being installed or the operating system is being updated. Just because you scanned the installer with every AV available does not guarantee it's clean. There are methods of encrypting malware that will conceal it from AVs. The malware might not be detectable until the installer is unpacked. Some installers download some or all of the files used in the installation. It's also not unusual for an application or its installer to "call home". If your firewall is running during the install process, you'll be alerted if these things happen.
    5. Monitor the install with a utility that detects and records changes. I like Inctrl5 for this task. It records all files and folders that are added, deleted, or modified, all registry changes, and can save the change logs as text, html, or in csv format. It's not absolutely necessary to monitor the install process but there are several benefits to doing so. The records let you see any new autostart entries that are created. You can see any file associations that get changed. If you make a file list of all the files on your PC after the initial install, then use Inctrl5 to monitor/record every install and update, You'll have records that show where every file on your system came from and what app uses it.
    If the update or software works properly on your system, gets along with your other apps, and meets your expectations, then you can create permanent rules for it with your HIPS and firewall. This effectively adds it to your whitelist. If for some reason you don't want to keep the app or update, use the system backup to get back to the exact same system you started with. There's no problems this way with uninstallers that don't remove everything or don't put the file associations back the way they were.

    A policy like this can be an inconvenience, especially when installing something big. It does minimize the risk to your system when installing, prevents leftover files and registry changes from causing unexpected conflicts later, and makes it much easier to restore your system to its previous state. IMO, the benefits easily outweigh the inconvenience.
    Rick
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't need a world-wide whitelist, possible or not. I only need a whitelist of applications installed on my system partition. :)
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I think we don't actually disagree on anything. I use a HIPS program to control execution, whereas you use a whitelist product, and each is fine.

    On the likelihood of exposure issue, you may wish to look at a Google Feb 2008 research paper - http://research.google.com/archive/provos-2008a.pdf. Here are the concluding remarks from the paper:

    "The fact that malicious URLs that initiate drive-by downloads are spread far and wide raises concerns regarding the safety of browsing the Web. However, to date, little is known about the specifics of this increasingly common malware distribution technique. In this work, we attempt to fill in the gaps about this growing phenomenon by providing a comprehensive look at the problem from several perspectives. Our study uses a large scale data collection infrastructure that continuously detects and monitors the behavior of websites that perpetrate drive-by downloads. Our in-depth analysis of over 66 million URLs (spanning a 10 month period) reveals that the scope of the problem is significant. For instance, we find that 1.3% of the incoming search queries to Google’s search engine return at least one link to a malicious site."

    "Moreover, our analysis reveals several forms of relations between some distribution sites and networks. A more troubling concern is the extent to which users may be lured into the malware distribution networks by content served through online Ads. For the most part, the syndication relations that implicitly exist in advertising networks are being abused to deliver malware through Ads. Lastly, we show that merely avoiding the dark corners of the Internet does not limit exposure to malware. Unfortunately, we also find that even state-of-the-art anti-virus engines are lacking in their ability to protect against drive-by downloads. While this is to be expected, it does call for more elaborate defense mechanisms to curtail this rapidly increasing threat."
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Thanks for that link, which has lots of useful references.

    A year or so ago, a friend and I experimented, using IE on Low Security for several hours each weekend, doing our normal work, including Google searches. Not once did we encounter a site with a drive-by download. And we clicked on prominent ad banners whenever encountered.

    Recently some bloggers mentioned the prevalence of compromised Google links. I repeated my experiment for a couple of weekends, again, encountering nothing.

    It made me wonder, How do people get to these compromised sites? Looking at lists posted by bloggers, I concluded that *none* would be sites that I would be likely to encounter in normal work.

    Some other revealing quotes:

    What, do you suppose, these "more elaborate defense mechanisms" could be?

    LUA and SRP can be included (discussed in recent threads here at Wilders).


    ----
    rich
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,599
    Location:
    U.S.A. (South)
    Therein lies the premise supporting my own intense scrutiny and high suspicion regarding PATCHES, and why? Just like what's been mentioned and documented too i might add, they have all too easily been repatched by malware enthusiasts thru clever exploits and why i refuse to accept any of them anymore PERIOD!

    You can acomplish the same and realize equally exact results from the combo of Faronic's Deep Freeze with it's own Anti-Executable program which is just fantastic IMO. AE also demands that the user exercise the proper precautions however to make a CORRECT decision that their new included app is first been declared safe by a reliable scannner to ensure it's indeed whitelist-safe.

    As an alternative measure Returnil and in my case Power Shadow Master can also serve to isolate the volume(s) virtually and dismiss accumulated objects on reboot. Other alternatives also exist to improve a sound defense strategy of this nature.
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :)

    I'm not sure of what to make of the differences between your experiment and Google's report, other than possibly the time the experiments were conducted. Were there differences in the browser addons present? Did you have JavaScript, etc, turned on in the browser? Were you using XP or Vista? Did you have other security software in place? Were you using a limited user account?

    As for "more elaborate defense mechanisms," I think it's the kind of stuff discussed here at Wilders :)

    You may also wish to look at this Google report, if you haven't seen it already: www.sagecertification.org/events/hotbots07/tech/full_papers/provos/provos.pdf ('The Ghost In The Browser - Analysis of Web-based Malware').
     
    Last edited: Apr 23, 2008
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You might wish to reconsider. It is true that patches can be reverse engineered to see what changed between the old and new version. But this reverse engineering gives the hacker an idea of what to attack in the old version. The new version, after all, contains the fixes.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    I purposely use IE6 unpatched for testing -- all scripting enabled, Low Security setting, *hoping* to get something.

    After each web site encountered, I checked the cache -- sometimes, looking inside some of the page codes, and .js files -- then deleted the cache.

    Only security running was Anti-Executable and Deep Freeze. Any drive-by attempt to download an executable would be flagged by AE.

    I concluded that Mrk's statement holds true, "You have to really try to get infected."

    I suppose I just didn't get to the "right" places to encounter these dreaded Remote Code Execution exploits (aka Drive-by Downloads).


    ----
    rich
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Maybe your testing window needs to be longer than a weekend. After all, the Google report on page 10 gives the random URL infection (counting both identified malware and behavior suspected of malware as malware) rate of approximately 0.25% for most categories and a bit above 0.6% for adult sites. Assuming you don't use adult sites for work, 0.25% translates into 1 of every 400 URLs. So you'd need to visit 400 URLs on average just to get 1 infected site. And, given that the problem is getting worse, the problem wasn't as bad one year ago when you tested, so the infection percentages were probably even lower then.

    By the way, were your tests done on XP?
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Another point to consider: in the Google study, this is from random URLs. In your browsing habits, you're probably visiting multiple, sometimes many, pages on the same website. Thus, when you reach 400 URLs, you've probably been exposed to far fewer websites than in 400 random URL visits in the Google study.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Win2K and WinXP.

    400 URLs?

    That's more than my normal workload.

    My experiment was to do my regular research in my normal way (except using IE instead of Opera). My aim was to show that a drive-by download can be thwarted by White List protection. However, I never encountered a single one in normal work.

    On the other hand, going directly to compromised sites mentioned in security analyses was fruitful.
    Some time ago, I put a group of them together:

    System:

    Win2K, WinXP
    IE6 unpatched
    Anti-Executable
    Deep Freeze

    http://www.urs2.net/rsj/computing/tests/remote

    In one sense, it doesn't really matter what the code exploit is. If the end result
    is to download an executable binary, it's no show.

    The recent flash exploit which brings up a window enticing the user to download PC Protection
    is tame by the earlier RegClean exploit where the browser is completely taken over by the exploit
    and any click on any part of the window triggers the download by remote code execution:

    http://www.urs2.net/rsj/computing/tests/fontmania/


    ----
    rich
     
    Last edited: Apr 23, 2008
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    That's not correct. Using a list of topics for a particular project, I used Google to search for them.

    The point of my test was to use the internet in my normal fashion to see if I could encounter such a site. No one I know has ever encountered such a site.

    The problem I see with such studies is that they are not always a realistic portrayal of what a user may do, thus creating needless fear and uncertainty.

    You should do the same test -- just do your normal work, and see if your HIPS alerts to the download of any executable by remote code execution.


    ----
    rich
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,599
    Location:
    U.S.A. (South)
    The very next night (and this is no exaggeration on my part), after a pretty strong Tornado had went thru Atlanta Georgia USA and while the SEC Basketball Playoffs were in town, i just casually as anyone would went to the CNN site to see what their reviews of it were since their CNN News building was struck too, and i got hit with an Iframe exploit the likes of which i not seen since the Windows 98 "You Are An Idiot" bombardment and it actually buffer overflowed my IE to the point i had to hit the reset button.

    Now whether somewhere there done that as a practical joke which i wouldn't think likely or someone took advantage of the ordeal to exploit their News webpage it came as a shock to me.

    I still keep that "You Are An Idiot" iFrame exploit from 98 days in my collection and it still works on XP Pro. Guess i wasn't patched for it. LoL

    It's just a nonsense silly loop throwing craze of windows. Downloads nothing but what lands in the TIF cache.
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thus, you shouldn't have expected to have been infected in the timeframe you did your test in. Your results were actually the expected case for your workload.

    People do sometimes do this. I'm not sure what Google's interests would be in overstating the danger of the web though? I would think Google would want to understate the danger of the web - they want you to click on their search result links, right?

    I might do this in a virtual machine. I haven't had any abnormal HIPS alerts or Comodo Memory Firewall alerts regarding my browser yet. Then again, I'm using Opera as my browser, not IE. And I also keep important programs, including browser plugins, up to date.
     
    Last edited: Apr 23, 2008
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    How are things going with LUA for you? I tried this a few years ago in Windows 2000. I thus created a new part-time job for myself. Maybe things have gotten better since then? Or maybe it was just me....
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Well you 've got to simulate what those who get hooked up to botnets run: IE unpatched and nothing else updated. Otherwise, you'll never get any pickings!


    ----
    rich
     
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I know, hehe! That's what I would do in the virtual machine.
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    I haven't done this personally. I just mentioned it as another option.

    When I searched for this type of protection years ago, I had in mind families where several, including children, use one computer. I decided that LUA was a possibility, but when Anti-Executable came on the market and replaced FreezeX, I realized that this was an ideal solution: upon installation, it creates a White List of all executables, and nothing else can be installed w/o parental permission. Essentially a Default-Deny, set-and-forget solution, password protected. Nothing else to configure.

    While it's principal purpose in these situations is to control installation of software (games, screensavers, other freebies), an added feature is protection from drive-by downloads of malware/adware/spyware.


    ----
    rich
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Yes.

    I think I posted this in another thread discussing drive-bydownloads a while back.


    ----
    rich
     
  25. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    One of the problems with this are the demographic of exploited websites. Of those I've seen, Chinese + Russian + Ukrainian sites compose of the majority, with English websites forming a rare few. It isn't really much use, I guess, to target the European/American populace with exploits when the majority of them keep their genuine of OSes well-patched and where Firefox enjoys strong popularity.

    This might be a bold statement to make, but remote code execution exploits are all but dead and gone, as long as the digital world of the West is concerned. That's why the few sites that do get exploited are so newsworthy.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.