security software vs. 0day malware

Discussion in 'other security issues & news' started by gambla, Dec 11, 2013.

Thread Status:
Not open for further replies.
  1. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    Guys,
    didn't find a better title. We know that malware creators are testing their new code vs. all the most popular security software. So even we have a real good setup, we need to assume that the latest malware was tested against and adjusted to circumvent it.

    What do you do to counter this threat ? What additional layers could be added ?

    cheers,
    gam
     
  2. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    It is impossible for malware creators to try every configuration for every security tool out there, but I'm pretty sure that they test their tools against the default configuration. So my first idea would be to spend some time with any security software that you want to use, and configure it to your needs instead of leaving the default settings enabled.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    You stop relying on tools that need to detect/ know malware.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    That sums it up perfectly :thumb: I only see them as a second opinion, but one I don't place too much faith in.
     
  5. Dave0291

    Dave0291 Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    553
    Location:
    U.S
    But what does one replace these ineffective tools with, or use alongside them? As I understand it, HIPS-like software can help. But those seem so very complicated to understand and deal with for us less knowledgeable folks. I am not the type of individual that gets a thrill from my computer asking me questions all the time, bothering me with jargon-filled pop-ups wanting me to allow something or denying my ability to do something without telling me in plain English why it doesn't like what I or a program is doing.
     
  6. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    Dave0291, try Sandboxie. And don't use it only for sandboxing browsers. Looking for the perfect tool (for me) to handle Zero day threats is how I ended up using SBIE. It didn't take me long after discovering it to know that SBIE was for real.

    Bo
     
  7. guest

    guest Guest

    Mitigation techniques. Not saying AVs are useless, but in extreme cases they will be more helpful to prevent advanced exploits and other "magical" bypasses.
     
  8. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    Believe it or not, becoming more knowledgeable about security matters can also be as a security "asset", alongside other software that provide various degrees of protection.
     
  9. Dave0291

    Dave0291 Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    553
    Location:
    U.S
    Nebulus, that is precisely what I have been attempting to do over a period of time. I don't feel it is very wise to just sit back and let programs watch over me. If I understand how the most common threats work and what they can and cannot do, then perhaps I can avoid the mistake of having too many programs overlapping and causing issues. More importantly, I might avoid dangers in the first place.

    Graf Zeppelin, mitigation techniques such as EMET? Although I do not understand all of the terminology, I had been looking into using that as it seemed fairly straightforward.

    Bo Elam, I am a bit on the fence when it comes to programs such as Sandboxie. I have read many glowing reviews and praises for the work that one lone man has put into it. However, I understand it has its drawbacks as well and may not stop threats, but rather contain them.

    I had been thinking of switching to Chrome for browsing, running EMET and MBAM Pro, and either continuing on with Avast or perhaps going to Panda Cloud for an AV. It seems rather basic, but perhaps it will hold me until I learn more about more effective tools and how to use them.
     
  10. guest

    guest Guest

  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That is a potential weakness of containment based policies. For the typical malware a user might encounter, a sandbox is usually sufficient, for now anyway. It's entirely possible to create malware that will defeat sandboxing. It's not likely at this time that a user will encounter it, unless they're being directly targeted, and the adversary knows that you're using one. As sandboxing becomes more common, attacks against it will also become more common. Sandboxing is also of limited value against malware that can do its work from within the sandbox, eg a one time use that steals passwords or login data.
     
  12. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    ... And note that HIPS/AE programs are for the most part a (limited) subset of sandboxes.
     
  13. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    Five years ago I learned that protecting my computers against Zero day threats was possible if I got out of the box regarding computers security. And that's exactly what I did when I decided to use Sandboxie and learned basic security. In my personal case, that was enough to make a difference.

    Glowing reviews and praises about SBIE meant nothing to me then or now, results do. After five years of using Sandboxie, to this day, I haven't seen anything get out of any sandbox unless I allow it. And that's really all that matters Dave.

    Perhaps Sandboxie is not for you but I can assure you, protecting yourself against Zero day threats is easy, all you really have to do is find your own way of doing it like I did. If you do, you ll enjoy using computers and the internet a lot more than you do now.

    Bo
     
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    Regarding Sandboxie, SBIE is not an anti keylogger but I have never seen a piece of malware do its thing as described above in any of my sandboxes ever. If you don't carry an infected addon that hijacks your browser or your system is infected by a keylogger, it is not likely that your passwords, etc can be stolen and send out if you are using an internet restricted sandbox.

    Bo
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    You wouldn't be logging into such an account from an internet restricted sandbox. Sandboxing is good for preventing malware from infecting your physical system. It's not a solution against browser exploits, compromised sites, malware that runs in memory, etc. Sandboxing can't be viewed as a solution to zero day malware. It's effective against some type, useless against others. Users need to understand its abilities and limitations.
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    What are you talking about, what do you mean?
    I cant believe you believe what you are saying.

    Bo
     
  17. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    Thanks for your thoughts. Would you say that even popular HIPS like OA or Commodo are tested for bypassing before they realease any new more sophisticated malware ? I'm using OA free but i'd agree that EMET, SBie and/or MB Anti-Exploit are strongly needed.
     
  18. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm not sure how to be clearer. You said:
    Why would you need those passwords in an internet restricted sandbox? You'd enter login passwords from a sandbox that has internet access. Malware injected by a malicious site could steal them at that time. Look back at the attack on the Bank of India.

    Regarding:
    I'm not a fan of sandboxing as the primary defense. IMO, if malicious code is allowed to execute, all bets are off. I base my security policy around default-deny, a reduced and hardened attack surface, and restricting permissions as much as possible.
    Here's a current example of a sandbox failing against 0-day exploits. Check the link HM posted there.
    https://www.wilderssecurity.com/showthread.php?t=357131
    As sandboxing becomes more commonplace, malicious code that targets sandboxes will become more common. This is just another step in an unending arms race. It's unending because it's based on a default-permit policy at its core.
    You might find this interesting:
    The Six Dumbest Ideas in Computer Security.
     
  19. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Default-deny on the level that actually matters - the level of machine code - is not possible by any sensible definition, at least not on x86. Default-deny for executable files is really a pretty abstract concept, and is not worth much vs. zero-day exploits.

    (It can be really effective against e.g. spear phishing though.)

    For dealing with real zero-day stuff, I think the best solution - the only one, really - is strength through diversity. Don't use what everyone else is using, and you're less likely to be a target.
     
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    Noone, because you are not a fan of sandboxing don't mean that Sandboxie can not contain Zero day threats. If you are browsing and there is an exploit of Flash or Java, for example, and malware is dropped in your computer, it is contained within the sandbox and isolated from your system. That is exactly what Sandboxie does. In my personal case, I use nothing but Sandboxie and SBIE has never let me down so I know for sure that it does contain all kind of threats.

    Let me give you an example of what I do with a PDF when its downloaded into my computer. If you sent me a PDF like the one that escapes Adobes sandbox, the PDF wil go into my download folder. When I run the PDF out the downloads folder, it will run sandboxed if it is a PDF. If the file that you sent me looks like a PDF but it aint, it will not run as it will blocked by Sandboxies Start/Run restrictions. After I move the PDF from my Downloads folder, the PDF will always run in a sandbox until the day it gets deleted from the computer. And it will run in a sandbox where only Foxit is allowed to run and no program is allowed to connect. If the PDF had an exploit, it is contained and deleted when I get rid of the sandbox.

    For users using an antivirus, Sandboxie works great as it can be used to handle Zero day threats while the antivirus takes care of threats that are known. That really is the best way of using SBIE. The main reason really to use something like Sandboxie is so you do not depend on signatures to be protected. Thats why Sandboxie treats all programs and files alike. Sandboxie is not for everyone but it really works against Zero day threats you just don't know it.

    Bo
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I would say sandboxing easily has the most potential for security of anything out there. Default deny *still allows code to execute*, which has been covered in depth on wilders - so if you think 'all bets are off' after that, they aren't helping.

    Properly implemented containment, which involves quite a lot (and is really only possible on Linux with significant effort into a programs architecture -> vsftpd, chrome), is one of the most significant ways to stop an attacker from monetizing the system.

    Of course, that requires full rearchitecture of programs. But that's becoming less of an issue.

    There's some really cool research into 'intent' based capabilities. Capability research will probably lead to the most significant advancement in security - it's the foundation for seccomp, for example.

    Of course, all of that hits Linux first, and we're a long ways away from full hardware based capabilities.
     
  22. Dave0291

    Dave0291 Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    553
    Location:
    U.S
    I'm sorry for getting back into the thread a little late. I have been reading more and looking at the responses here..and I must say the differing opinions are confusing. :D What I really wish I could do, is not let any malicious code execute. I don't even want it to look at my computer and think it has a chance. Perhaps that is asking a bit much. Regarding Sandboxie, this article is one of a few that put me on the fence about sandboxing. http://www.insanitybit.com/2013/09/12/browser-exploitation-expanded-noscript-sandboxie/. It seems like you would really have to know what you are doing and perhaps face usability difficulties to set up Sandboxie as a proper defense option.

    I am curious though. Since many people have a lot of faith in NoScript, for Chrome would the extension talked about at https://www.wilderssecurity.com/showthread.php?t=356427 be a good alternative? It seems close to what NoScript does.
     
  23. guest

    guest Guest

    YES! I mean... yes. I personally consider it as the best content filtering extension for Chrome/Chromium-based browsers ATM. If I understand it right, it even can block known bad domains from various database, just like ScriptSafe.
     
  24. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    As a Sandboxie user who believes in restricting what can run, and what can access the internet from within all of my sandboxes, I also believe that it is critical to close the sandboxes frequently and have it configured to auto-delete the contents.

    Doing so limits the amount of time that any malware is permitted to run, and if emptied prior to connecting to important sites, assures the user that a keylogger is not present in the sandbox.

    I know it sounds obvious, but I'm guessing that even some regular SBIE users don't close their sandboxes very frequently. It's a good habit to get into.
     
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    In my opinion, new Sandboxie users should use Sandboxie on default settings, changing settings as they learn the program. Most of the people that I know in life that are using Sandboxie have never gone into settings, they use a default settings sandbox and dont get infected anymore.

    The only settings that I recommend to change immediately after installing Sandboxie are: 1) Set the sandbox to delete on closing, 2) Set bookmarks or favorites to be saved out of the sandbox and 3) Set the browser and sandbox to save files that you download out of the sandbox. That and knowing how your antivirus (if you use one) and Sandboxie interact with each other is all thats needed on Day 1.

    Later, as you go and learn more about Sandboxie, you can start restricting the sandbox and create more sandboxes to make isolation work better. The more you separate programs from each other and the system, the better Sandboxie works and the safer you are. There are settings for you to keep your personal information out of reach of programs that are running within the sandbox, you can learn about them on Day 4.

    By the way, the reason I use Firefox is NoScript:cool:. Sandboxie, NoScript is all I use and it works.....for me.

    Bo
     
Loading...
Thread Status:
Not open for further replies.