Where do you think malware is going?

Discussion in 'other security issues & news' started by Hungry Man, Jul 13, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It seems like you have malware that makes use of exploits or you have malware that makes use of social engineering.

    It seems that lately malware is being forced to use social engineering in order to deploy and infect because modern operating systems are taking security into account.

    However, relying on social engineering isn't exactly future proof because with the new generation comes a group of people that were raised with computers and more and more we should see social engineering become less and less effective.

    So how will malware reconcile this? New methods of social engineering? Or will they have to start focusing on exploits?

    Or is malware simply being phased out?
     
  2. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    I don't see how the '1 GHz smartphone-CPU' generation differs from the previous '1 GHz desktop-CPU' one.
    As they were also raised with computers. Just not with 24/7 'in your face' social media.
    I also wonder if the premise 'raised with computers=>social engineering becomes less effective' is true.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Remains to be seen. I think it's fair to say that the younger generation is more familiar with computers and therefore is more open to education on malware and computer security.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Then, the same would apply to people who grew up knowing about fraudulent schemes, in the real world. The reality says something different, though. Most of these people still fall for it.

    Why?

    The schemers have skills. They manage to make people believe they need whatever it is they're trying to sell.

    I like to say that I'm part of a generation who grew up with computers, and the same to many relatives and friends. They simply don't care or aren't interested in computer security.

    Our government has a national scheme that makes the kids use computers at school, to assist them in learning with games and all that. Some of them may use the Internet for studies. But, are they being educated in what concerns security?

    I have BFD about that. So, it doesn't matter if you belong to whatever generation. What matters is if you get to know about it, and then if you get interested to know more.

    There are workshops about fraudulent schemes, in the real world... most people don't go to them. Why? It makes them lose their time.
     
  5. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    pardon my ignorance, but please could you specify what people mean when they say 'social engineering'? thanks
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Tricking the user into installing. Saying something like "Hey this software will clean up your computer, install it now!" and it doesn't make use of any exploits. The user walks the virus right into their computer.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    The fraudulent schemes thing... doesn't really work imo. It's too broad. Computer viruses are something everyone our age is aware of. Everyone knows to, at least, install an antivirus. Most people at least hear from the media/ nerdy friends that "IE6 is crap blah blah blah" and even if half of it is misinformation they pick up enough. That's my experience with my computer-illiterate friends, they've picked up enough to protect themselves from the simple attacks.

    Then again my girlfriend had a trojan not long ago. That attack was purely social engineering.
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Maybe not against everything... but being fooled to pay for something the person didn't even buy? I just saw it in the news some time ago. Many fraudulent schemes could be avoided, if people cared. They don't.

    I disagree. You'd be surprised. Many don't even know how to look for a FREE and legitimate AV. So, there you go... Schemers made them believe they need the PAID products they don't want to pay for. It's a different fraudulent scheme, but still a fraudulent scheme.

    The same goes for other applications.

    It's funny you say that. A month/~ two months ago a relative's system was infected with a rootkit.

    I decided to let my relative know of the serious problems that may happen, like ZeuS, SpyEye, etc. I even sent e-mails with information saying companies/people are losing $$ because of that.

    I did that, so that I could make my relative understand the importance of a standard user account, etc.

    It was 100% ignored.

    So, each person is different. And, that's what I'm talking about. Maybe she has no interest in wanting to know about this sort of thing. Or, she simply believed that whatever was offered to her, was something she needed. That's the problem with social engineering.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Do you think that will always be the case?
     
  10. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,194
    Location:
    Virginia - Appalachian Mtns
    Not until my sister was visibly affected by malware (a fake antivirus that she picked up on Facebook...that even functioned in Safe Mode) did she actually start listening to me about computer security.

    Computer security is analogous to parents talking to their kids about "don't do this" or "don't do that". In the end the parents are wasting their time. Not until the kids actually experience the consequence of their bad decision will they learn. Hopefully nothing of value is lost due to their not heeding the good advice. My sister was doing online banking which scared the dickens out of me.

    Later...

    Bob
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    They will only change their behavior when something bad happens. And, by bad I mean their bank accounts.

    Some will change their behavior... others will maybe simply stop doing online shopping/home banking, not exactly changing behaviors... But, better stop doing that, than anything else.

    Some people don't care about computer security, but they do know that accessing their bank accounts is risky, and therefore they don't subscribe to such service. I know people that fit in this description.
     
  12. kphaley

    kphaley Registered Member

    Joined:
    Jul 13, 2011
    Posts:
    2
    People will always get fooled. Once most people clue into a certain social engineering trick the bad guys put a new spin on it. People know not to click on an attachment in email (supposedly) so bad guys send links sited. People start looking at the links, so they use shortened links. Or they get into social media and send them a "haha funny video" to check out.

    In my mind the original question is easy to answer: Social Engineering! We are in the golden age of social engineering. At least I hope it's the golden age (meaning it can't get worse than this). With Facebook, LinkedIn and every other place people are revealing information about themselves online it's really easy to get enough pieces of information to create a convincing social engineering attack.

    My company (Symantec) will tell you there are a ton of vulnerabilities out there. And I'm smart enough not to argue with my employer. We post the data here: https://www4.symantec.com/mktginfo/downloads/21182883_GA_REPORT_ISTR_Main-Report_04-11_HI-RES.pdf

    But when the malware authors use a vulnerability they always pair it with social engineering. They need to get you to a web site or click on the attachment in order to get you to launch the vulnerability. All those vulnerabilities would be useless if they couldn't get people to click.
     
  13. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    ah thanks for that :thumb:
     
  14. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Hmm, well, imho, it's this "new generation" that is most susceptible to these social attacks. Why? Because they are the Facebook generation, the social generation. Social engineered attacks don't have to be limited to "you're infected! Install this now!" tricks. Those attacks are still easily fallen for, but the better attacks come in the form of games and web apps from Facebook, emails from "your bank", and so on. The Facebook generation is growing up in a world where sharing data is all but expected. To the younger crowd, if you don't have a Facebook, you're simply not "in". It would be like not having a MySpace back in its day, preposterous.

    It's this willingness to share data that is far more dangerous than any 0 day will ever be. No, not "everybody" knows to install an AV. Think about it, why would malware be as prevalent as it's said to be, if people were becoming smarter? To give a direct answer to your question though, I see malware moving away more and more from exploiting software, and just sticking to exploiting people. The one place that may not hold true for a while, is the mobile market. That fun is just beginning.
     
  15. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Here's a little more:
    The rest is here:
    -http://news.cnet.com/8301-27080_3-20013901-245.html-
     
  16. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Malware isn't going anywhere as long as evil exists in humans (and maybe other intelligent beings).

    Actually, you don't even have to be evil. For example, keyloggers and other monitoring tools are being used for legitimate reasons.
     
  17. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Beg to differ. You can stop malware as long as you throw out all of the bad designs that got us here. I offer that the evil exists in peddling obsolete designs and solutions. Wrote about it in some articles available in another thread nearby here. You can't attach malware to something that isn't sticky and refuses to run it.
     
  18. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    How does elimination of bad designs stop social engineering and hacking? If the OS refuses to run anything outside of itself, I doubt its popularity.
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The same direction it's been going since malware was discovered.

    That's it! Those are the two principal attack vectors. One or the other will be at the top of the list, depending on how quickly vulnerabilities for exploits are patched, and how quickly new ones are discovered.

    "Social Engineering" attacks can be subdivided into two categories,

    1. Those which trick the user into granting administrative privileges to install something, such as a codec or fake AV program.

    2. Those which run a malware executable automatically once the user clicks on something, such as a naughty video which is disguised as an executable. In this case, the user may or may not be protected, depending on the security in place.

    Social engineering tricks, while at the forefront of many recent discussions, are certainly nothing new. Back at least as far as 2000, the LoveLetter/VBS worm arrived by email with a double extension, and automatically executed a VBS script when the user opened the attachment.

    As far as I'm concerned, nothing has changed, and nothing probably will, except for different platforms (mobile) to deliver/receive the malware goodies, whether by an exploit or some trickery.

    For myself as a home user, I'm not too bothered by all of the hoopla about the sophistication of today's malware (TDL4 as an example) because it first has to install to do something.

    Actually, following the malware scene has been rather boring of late, since there is nothing really new as far as delivery methods to investigate, so the security media pick the most sensational of attacks to write about, and the non-critical reader is likely to generalize and assume the worst for her/his home user situation.

    The protective measures haven't really changed since Win95 days. They involve

    1. Intelligent computing policies/procedures

    2. Protection in place in case of an accident or mishap.

    Take the VBS double-extension trick in 2000.

    That trick had been talked about in security circles much earlier, as had the potential danger of accidentally running malicious scripts.

    The common protective measure to suggest for home users was to change the file association for those potentially dangerous file extensions, such as VBS. By making the default action Edit to open in Notepad, the user was in no danger of having a malicious script run via double-clicking on a file:

    [Image: vbsAssoc.gif]

    Not too long after that, Script Blocking programs which did something similar, came on the scene.

    How about Autorun.inf exploits? Years before the deluge of USB exploits, people warned about the potential danger of autorun, via floppy disks in those days.

    Well, the standard protective measure was to hold down the SHIFT key when inserting a disk. This prevented Windows from executing any commands in the autorun.inf file. This was documented in a Microsoft technical article. Also, to prevent the double-clicking action when clicking on the drive letter of the disk in My Computer, the standard protective measure was to access the drive in Windows Explorer (two pane view of My Computer). No commands in autorun.inf would run because you don't d-click in the left pane of Windows Explorer.

    Now, of course, the problem is pretty much taken care of by neutralizing autorun. Too bad to do away with such a nice feature.

    So, those who followed the security scene back in Win95 days were pretty much immunized against the coming onslaught of sophisticated malware exploits because we kept up with things.

    With PDF exploits, for example: knowing that the PDF plugin is required for the exploit to work was upfront protection against the exploit from even starting.

    For tricks to view a video or open a MSWord document, anti-execution (Later HIPS) protection blocks the malware from executing in the first place.

    For social engineering tricks to get the user to grant administrative privileges -- fake AV, for example -- the standard protective measure suggested to home users was to ignore anything that attempted to have you install something. One writer recently coined a good phrase, something like, "If you didn't go looking for it, don't install it."

    Seems pretty simple? It is, from my point of view!

    regards,

    -rich
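
The double-extension trick and the file-association countermeasure described in the post above, modeled as an added Python example that is not part of the original thread. The extension lists, association tables and sample filenames are constructed, and the shell is simplified to dispatch on the final extension only.

```python
# Added example: constructed data, simplified model of Windows shell behaviour.
# Extensions the shell runs as code by default (illustrative, not exhaustive).
SCRIPT_OR_EXE = {"vbs", "vbe", "js", "jse", "wsf", "exe", "scr", "pif", "com", "bat", "cmd"}
# Extensions a user reads as "just a document or media file" (illustrative).
DECOY = {"txt", "jpg", "gif", "doc", "pdf", "avi", "mpg", "mp3"}

# Default double-click verb per extension: stock setup vs. the hardened
# association from the post (VBS opens in Notepad for editing).
STOCK_ASSOC = {"vbs": "run"}
HARDENED_ASSOC = {"vbs": "edit"}


def triage(filename, assoc, hide_known_exts=True):
    """Model what the user sees and what a double-click would do."""
    # Windows drops trailing dots and spaces, so normalise before splitting.
    parts = filename.rstrip(". ").split(".")
    real_ext = parts[-1].strip().lower() if len(parts) > 1 else ""
    inner_ext = parts[-2].strip().lower() if len(parts) > 2 else ""
    # With "Hide extensions for known file types" on, the last one vanishes.
    shown = ".".join(parts[:-1]) if hide_known_exts and real_ext else filename
    runnable = real_ext in SCRIPT_OR_EXE
    # Dispatch is on the final extension only; executable types without an
    # override default to "run", everything else is opened as data.
    verb = assoc.get(real_ext, "run" if runnable else "open")
    return {
        "shown_as": shown,
        "real_ext": real_ext,
        "double_extension": runnable and inner_ext in DECOY,
        "executes_on_double_click": runnable and verb == "run",
    }


# Constructed attachment names, not taken from any real sample.
SAMPLES = ["holiday-photo.jpg.vbs", "notes.v2.txt", "Readme.TXT.VBS. ", "setup.exe"]

if __name__ == "__main__":
    for name in SAMPLES:
        stock = triage(name, STOCK_ASSOC)
        hardened = triage(name, HARDENED_ASSOC)
        print(f"{name!r}: shown as {stock['shown_as']!r}, "
              f"double_ext={stock['double_extension']}, "
              f"runs(stock)={stock['executes_on_double_click']}, "
              f"runs(hardened)={hardened['executes_on_double_click']}")
```

The `setup.exe` row still executes under the hardened table, which shows that the association change only covers the extensions it names.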
     
  20. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Where do you think malware is going?

    Answer: hard-wired/coded or in the firmware (BIOS), or the trusted OS itself is the malware, i.e., depending on one's perception, will have malicious actions as benign as collecting machine ID with personal identifiers (more like a privacy concern) to trojan-like or outright malware activity, and the person will be clueless because all his tools/antimalwares will not detect anything except perhaps network sniffers flagging some suspicious packets.
     
    Last edited: Jul 27, 2011