Malware after Windows 7

Discussion in 'other security issues & news' started by Joeythedude, Sep 18, 2009.

Thread Status:
Not open for further replies.
  1. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Windows 7 looks to be way more secure than previous MS OS's.

    So what sort of malware will come next ?

    How much "better" will the social engineering / phishing-type exploits become ??
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Yes, interseting to see this.
     
  3. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    The old " I love you" virus , was very clever.
    I think we will see more of that "type".

    More facebook exploits maybe ?

    I think the bot nets that exist at the moment will become more highly prized as more people move to more secure windows versions.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Malware may be different, take different forms, but unless the two principal delivery methods change, the basic security procedures remain the same.

    Methods

    1) Malware sneaks in automatically

    2) Malware is installed by tricking the user

    Security Procedures

    For 1): By many accounts, the Operating System is being less and less exploited as better security measures are being built in. Even the browsers, notably IE, are much more robust. The focus is on exploiting 3rd party applications -- PDF readers, Flash, etc, and the mainstream press avoids for the most part any discussion of Browser configuration as the principal and most effective protection against this remote code execution type of attack.

    For 2): Very few mainstream security writers other than Brian Krebs of the Washington Post and some others emphasize:

    • Don't install anything that you didn't go looking for

    • Verify the reputation of the software before you decide to install

    An example of how nothing has really changed:

    Rogue ad hits New York Times site
    September 13, 2009
    http://news.cnet.com/8301-1009_3-10351460-83.html
    Soon a few blogging analyses appeared and marveled at the trickery involved with the fake scan and everything.

    Anatomy of a Malware Ad on NYTimes.com
    http://troy.yort.com/anatomy-of-a-malware-ad-on-nytimes-com

    nytimes-malware-html-2.html
    http://gist.github.com/186467

    Yet this same trick started in the late summer of 2008, as I and others found out:

    http://www.urs2.net/rsj/computing/tests/antivir/

    You will notice a similarity even in some of the file names used in the exploit, and the same types of pop-up boxes.

    In the cnet.com and troy.yort.com stories, not one word about how proper configuration of scripting in the browser prevents these exploits from starting.

    Most of the big name spyware/malware bloggers took their wrath out on the advertising component of this attack, and gave no space to protection at the user end.

    New types of sophisticated malware will continue to evolve, but as long as basic security procedures are ignored, there is no need for malware delivery methods to change. The mainstream press will continue to sensationalize the exploits, readers will ooh and ahh, and everything will continue as before.

    REFERENCES

    Rogue AV Theatrics on Extended Run
    September 15, 2008
    http://blog.trendmicro.com/rogue-av-theatrics-on-extended-run/
    Volume of Rogue Anti-Virus Applications Increasing To Alarming Rates
    July 29th, 2009
    http://www.spywareremove.com/securi...us-applications-increasing-to-alarming-rates/
    How many people here have family members/friends who could be exploited by something like this? What are you doing about it?

    ----
    rich
     
  5. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Exactly the same kind of malware as before, but probably with a slightly different emphasis. A whole lot of social engineering malware: "You need to download this codec to see this video of (some 'hot' celebrity) stripping in a private party." People click on that, and run it as admin, and that's that... We're likely to see some more malware that's fully LUA compatible, too. Other than that, same as before. And like Rmus noted, the same methods to defend against this stuff will still work.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Some entries this evening on one of the malware domain lists illustrate the two safeguards I mentioned above.

    Don't install something you didn't go looking for

    A redirect from a smog information site to a rogue antivirus site. First, with javascript enabled only for authorized sites, this redirect brings up a blank page:

    update-1.gif

    Enabling javascript to watch the exploit work: I see the usual fake scan page with a very convincing alert notice.

    update-2.gif

    No matter what I click, a prompt to Run the file appears:

    update-3.gif

    No matter if I click the "X" or "Cancel" this box keeps reappearing. Sometimes these boxes and windows are difficult to close, so stopping the Browser process is the usual method recommended. In case of an accident, some type of protection would prevent the inadvertant installation of this thing.

    update-ae.gif


    Verify the reputation of the software before installing

    Evidently people hear about a product via email, spam on bulletin boards, whatever. Here is one with a very impressive and convincing looking site:

    protectionsuite-1.gif

    [​IMG]


    But a quick search to verify the product reveals that it is a rogue:

    [​IMG]

    Another part of verifying is to check around to see how others have responded to a product before installing.

    Several have mentioned trickery on Facebook. The flash-update is a popular one:

    [​IMG]

    Users should know how their various applications handle updates, and of course, update only from the vendor's site via your own link to the site.

    ----
    rich
     
    Last edited: Sep 19, 2009
  7. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    The problem for users will be for trusting the software they will be looking for. In other words malware will be injected into compilers (such as Induc).
     
Loading...
Thread Status:
Not open for further replies.