Innovative Bots Spell Ruin for Malware Analysis

Discussion in 'malware problems & news' started by Searching_ _ _, Mar 23, 2010.

Thread Status:
Not open for further replies.
  1. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Locking Botnet Agents to Thwart Malware Analysis
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Thanks nice article :thumb:

    Except there is/are ! AntiExecution software like ProcessGuard for eg. would prevent them. As would Sandboxes and Returnil, DeepFreeze etc type Apps :D

    The AV peeps though admittedly would be more busy than they already are :D I'm sure they would try and find some way of countering these events. How long it might take them, or how they do it ? No doubt they should be aware of this technique by now, hope so anyway, and be Actively working on ways to combat it, before any serious onslaught emerges :eek:
     
  3. wat0114

    wat0114 Guest

    No expert here, so I’m just going to attempt to determine to the best of my ability how this exploit might fare on my Win 7 Ultimate setup:

    Okay, fair enough, this could happen.
    This could also happen, but not if the browser’s fully patched and has no current vulnerabilities?
    With my AppLocker rules in place and running in a limited account, I don’t see this happening. The exploit should be stopped dead in its tracks by now.

    Win 7’s two-way firewall setup with default deny on both inbound and outbound connections. No downloading is going to happen the way I see it. Once again, because of AppLocker and the limited account, how, again, is the file going to execute? I see no point in further analysis. The exploit, the way I see it, has already been rendered a non-factor.

    This goes without even mentioning the relatively simple methods of denying the automatic launching of Java scripts and such in the browser, as mentioned by member Rmus time and time again, which he keeps proving to be such a highly effective defense against so many of these exploits.
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Locked to a given computer? What if I want to move malware on an infected computer to a new computer? :p

    Anyway, thank you for the post Searching :).
     
    Last edited: Mar 25, 2010
  5. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Already seen in Rustock.C sample :)
     
  6. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Once again....if it can't execute it can't infect.
     
  7. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    True, but misleading :) That's not the point of the whole topic. It means that the malware is starting to be more targeted than ever.

    For instance: I got my PC infected with a malware which runs only on my PC, and nowhere else. This doesn't help us in analyzing the threat, because if you send our laboratories such a sample, we could probably see little to nothing, because maybe the sample is heavily encrypted and it's "impossible" to get it decrypted.
     
  8. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    I get your point Eraser...and you do have your work cut out for you to stay ahead of this one.

    The point I was making is that if the malware doesn't get a chance to download or execute on your system in the first place, then there is no threat. As more and more malware adopts this new system of avoiding detection by blacklisting scanners, more and more people will be getting infected. Simple education and a few safety measures will greatly reduce the risk of getting hit in the first place. More and more, the emphasis will have to be on prevention.
     
  9. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Now I get your point :)
     
  10. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    I should have elaborated more on my first post. Sorry about that. :)
     