Malware and the Web - we need a NEW Approach
Hi all
Just a suggestion -- Dinesh won't like this I know as he's so busy testing current AV / security systems - but I think this is the way forward with computer security.
I think we can all basically agree that the REAL problem these days is MALWARE.
Classical viruses, whilst a nuisance, are relatively easily dealt with and are treated in general via AV software that does a REACTIVE scan -- i.e. your computer is scanned at some point in time AFTER a virus has entered your system.
These days for reasonably intelligent users we can rule out viruses being installed by people downloading "questionable software / music etc". If you get a virus from a download then you probably need to tighten up your download strategies. - If you knowingly download "dubious stuff" then it's your own fault anyway.
Malevolent software these days is installed and run almost exclusively via MALWARE which classical AV software is (as far as ordinary home users are concerned) powerless to prevent in PROACTIVE mode (that is detection at the time it happens - not via a scan afterwards).
The major threat is in the so-called DRIVE-BY infections -- this is where you visit a site - could be a quite legal site which has been hijacked without the site owners knowing.
The site executes a rogue script in your browser which can run anything on your computer at least at the authorisation level that the user running the browser has - for example it can explore and upload data from your disks quite legitimately -- how would any AV software detect that for example unless you have some real time monitoring of your disks -- this adds a lot of overhead to the OS.
It can pass you to another site and even download porno on to a remote user's hard drive without the user knowing -- a court case recently nearly ended up with someone going to jail because of questionable material being discovered on his computer - in spite of the fact he hadn't knowingly downloaded any of it.
Remember at this point in time the script has already been executed, done its business and GONE - so AV software would never be aware of anything untoward taking place on the user's computer.
It's totally not feasible to prevent script execution in a browser -- most of the Internet sites wouldn't work at all.
So we need some way of controlling what scripts actually run in a browser and if necessary AV software should be able to check these functions online without slowing the machine down to debug levels.
A start would be in the BROWSER DESIGN itself. For example if a link to a new URL is wanted this should only be done via say the browser calling a Windows API function on the HOST machine to examine the URL and then allow or deny the request. (Rogue IP addresses could be stored in a data area on the Host machine).
Similarly any I/O function - in particular data UPLOAD could also be done via an API call rather than in the browser script.
I'm not an expert in the internals of IE or Firefox but I started doing a little messing about with running some scripts and it's amazing what can be done even with a tiny bit of knowledge. You can run almost anything on a remote machine from a browser without the remote machine being aware of anything -- and I'm not even an expert in the whole idea of web programming at all. (Great when you've got a LAN for testing this stuff).
Those sites that offer to fix your registry or look for drivers by checking your machine --- NEVER EVER EVER run these types of apps ONLINE as if any of these sites get hijacked you've just thrown away the keys of the kingdom.
This shows actually how easy it is for a remote site to execute something on your computer - although in these cases the sites are open about what they are doing and usually make you install a small application.
So I'd suggest (it probably won't happen until Windows 8 or later) that the whole scripting part of a browser is re-written so it works ONLY by proper documented interfaces using genuine API calls which can be protected.
The whole idea of "plugins" is also a joke and a loophole again for "nasties". If for example I need to read a PDF document why shouldn't the browser just use an API to start Acrobat Reader (or your PDF application) just like the double click in Windows Explorer. It shouldn't need a "plug-in". A simple Windows API is all that's needed.
OK it might have to start a new window for the pdf document but with multiple / large monitors and decent memory sizes these days what's the problem.
Restricting browser code to basically just calling registered APIs would at a single stroke eliminate 99% of current malware.
The biggest threat to your computer is actually via sites that scan your disks looking for data such as bank passwords etc etc rather than in simply infecting them with viruses.
If you must use current AV software then at least choose one that logs ALL sites visited whether you actually see them whilst browsing or not and then rigorously check the logs later.
So until browser code is re-written here's a call to AV software companies -- if you want to stay in business forget about making bigger and bigger databases of known Windows .dll's / .exe's and comparing them against typical current viruses but try and get a handle on the REAL problem -- browser scripting and drive-by malware with REALTIME (pro-active) protection.
REACTIVE SCANNING (i.e "After the fact") is totally 100% USELESS in these situations.
Places like the NATO site in Brussels are aware of this and no production systems are connected in any way AT all to the public internet -- even the cabling etc is separate.
To get stuff from a test / dev environment to a QA system and then PROD is a mega hassle -- stuff is first copied on to specially authorized devices which are then scanned by military strength software. Finally after written authorisation and a "Data Quality" review the data can be uploaded to the target machine - but this is done by security personnel sitting at the local machine -- no network is used.
Cheers
jimbo
Last edited by jimbo45; 17 Nov 2009 at 05:42.
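The post above proposes that a browser should hand every link and upload to a host-side API that consults a local rogue-address store, logs the request, and returns allow or deny. The following is an added example sketching such a gate; it is not code from the post or from any real browser, and every host, IP, origin and rule in it is constructed sample data.

```javascript
// Added example (not from the original post): a host-side policy gate that a
// browser would call before following a link or uploading data.
// All hosts, IPs, origins and rules below are constructed sample data.

// Rogue addresses kept in a data area on the host machine (constructed).
const ROGUE_HOSTS = new Set(["203.0.113.7", "hijacked-cdn.example.net"]);
// Origins the user has explicitly approved for data upload (constructed).
const UPLOAD_ALLOWED_ORIGINS = new Set(["https://bank.example.com"]);
// Every decision is recorded so the log can be reviewed afterwards,
// including sites the user never sees on screen.
const AUDIT_LOG = [];

// Pure policy decision for { type: "navigate" | "upload", url: string }.
// Anything unparseable is denied (fail closed) rather than passed through.
function decide(req) {
  let url;
  try {
    url = new URL(req.url); // also lowercases the hostname for matching
  } catch (e) {
    return { allow: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allow: false, reason: `scheme ${url.protocol} is not mediated` };
  }
  if (ROGUE_HOSTS.has(url.hostname)) {
    return { allow: false, reason: `host ${url.hostname} is on the rogue list` };
  }
  if (req.type === "upload" && !UPLOAD_ALLOWED_ORIGINS.has(url.origin)) {
    return { allow: false, reason: `upload to ${url.origin} is not approved` };
  }
  return { allow: true, reason: "policy satisfied" };
}

// Entry point the browser would call: decide, then log the outcome.
function evaluateRequest(req) {
  const decision = decide(req);
  AUDIT_LOG.push({ time: new Date().toISOString(), ...req, ...decision });
  return decision;
}

// Push a constructed batch of browser requests through the gate.
function runSample() {
  const requests = [
    { type: "navigate", url: "https://news.example.org/article" },  // ordinary link
    { type: "navigate", url: "http://203.0.113.7/land.php" },        // redirect to rogue IP
    { type: "upload", url: "https://bank.example.com/statement" },   // approved upload
    { type: "upload", url: "https://collector.example.net/drop" },   // unapproved upload
    { type: "navigate", url: "ftp://files.example.org/pub/" },       // scheme not mediated
    { type: "navigate", url: "not a url" },                          // garbage: fail closed
  ];
  return requests.map((r) => ({ ...r, ...evaluateRequest(r) }));
}

console.table(runSample());
```

Running it prints one row per request with its allow/deny decision and reason, and AUDIT_LOG holds the same entries with timestamps for later review.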