Malware and the Web - we need a NEW Approach


  1. Posts : 5,941
    Linux CENTOS 7 / various Windows OS'es and servers
       #1

    Hi all
    Just a suggestion -- Dinesh won't like this, I know, as he's so busy testing current AV / security systems - but I think this is the way forward with computer security.

    I think we can all basically agree that the REAL problem these days is MALWARE.

    Classical viruses, whilst a nuisance, are relatively easily dealt with and are treated in general via AV software that does a REACTIVE scan -- i.e. your computer is scanned at some point in time AFTER a virus has entered your system.

    These days for reasonably intelligent users we can rule out viruses being installed by people downloading "questionable software / music etc". If you get a virus from a download then you probably need to tighten up your download strategies. - If you knowingly download "dubious stuff" then it's your own fault anyway.

    Malevolent software these days is installed and run almost exclusively via MALWARE, which classical AV software is (as far as ordinary home users are concerned) powerless to prevent in PROACTIVE mode (that is, detection at the time it happens - not via a scan afterwards).

    The major threat is in the so called DRIVE BY infections -- this is where you visit a site - could be a quite legal site which has been hijacked without the site owners knowing.

    The site executes a rogue script in your browser which can run anything on your computer at at least the authorisation level that the user running the browser has - for example it can explore and upload data from your disks quite legitimately -- how would any AV software detect that, for example, unless you have some real-time monitoring of your disks -- and this adds a lot of overhead to the OS.

    It can pass you to another site and even download porn on to a remote user's hard drive without the user knowing -- a court case recently nearly ended up with someone going to jail because of questionable material being discovered on his computer - in spite of the fact he hadn't knowingly downloaded any of it.

    Remember at this point in time the script has already been executed, done its business and GONE - so AV software would never be aware of anything untoward taking place on the users computer.

    It's totally not feasible to prevent script execution in a browser -- most Internet sites wouldn't work at all.


    So we need some way of controlling what scripts actually run in a browser and if necessary AV software should be able to check these functions online without slowing the machine down to debug levels.

    A start would be in the BROWSER DESIGN itself. For example, if a link to a new URL is wanted, this should only be done via, say, the browser calling a Windows API function on the HOST machine to examine the URL and then allow or deny the request. (Rogue IP addresses could be stored in a data area on the host machine.)

    Similarly any I/O function - in particular data UPLOAD could also be done via an API call rather than in the browser script.

    I'm not an expert in the internals of IE or Firefox, but I started doing a little messing about with running some scripts and it's amazing what can be done even with a tiny bit of knowledge. You can run almost anything on a remote machine from a browser without the remote machine being aware of anything -- and I'm not even an expert in the whole idea of web programming at all. (Great when you've got a LAN for testing this stuff.)

    Those sites that offer to fix your registry or look for drivers by checking your machine --- NEVER EVER EVER run these types of apps ONLINE, as if any of these sites get hijacked you've just thrown away the keys of the kingdom.

    This shows actually how easy it is for a remote site to execute something on your computer - although in these cases the sites are open about what they are doing and usually make you install a small application.

    So I'd suggest (it probably won't happen until Windows 8 or later) that the whole scripting part of a browser is re-written so it works ONLY by proper documented interfaces using genuine API calls which can be protected.

    The whole idea of "plugins" is also a joke and a loophole again for "nasties". If for example I need to read a PDF document, why shouldn't the browser just use an API to start Acrobat Reader (or your PDF application), just like the double click in Windows Explorer? It shouldn't need a "plug in". A simple Windows API is all that's needed.

    OK, it might have to start a new window for the PDF document, but with multiple / large monitors and decent memory sizes these days, what's the problem?

    Restricting browser code to basically just calling registered APIs would at a single stroke eliminate 99% of current malware.

    The biggest threat to your computer is actually via sites that scan your disks looking for data such as bank passwords etc etc rather than in simply infecting them with viruses.

    If you must use current AV software then at least choose one that logs ALL sites visited whether you actually see them whilst browsing or not and then rigorously check the logs later.

    So until browser code is re-written here's a call to AV software companies -- If you want to stay in business forget about making bigger and bigger databases of known windows .dll's / .exe's and comparing them against typical current viruses but - try and get a handle on the REAL problem -- Browser scripting and Drive by malware with REALTIME (Pro-active) protection.

    REACTIVE SCANNING (i.e "After the fact") is totally 100% USELESS in these situations.


    Places like the NATO site in Brussels are aware of this and no production systems are connected in any way AT all to the public internet -- even the cabling etc is separate.

    To get stuff from a test / dev environment to a QA system and then PROD is a mega hassle -- stuff is first copied on to specially authorized devices which are then scanned by military strength software. Finally after written authorisation and a "Data Quality" review the data can be uploaded to the target machine - but this is done by security personnel sitting at the local machine -- no network is used.


    Cheers
    jimbo
    Last edited by jimbo45; 17 Nov 2009 at 05:42.
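An added example, not code from jimbo45's post and not how any real browser or Windows API implements it: the decision logic behind the "examine the URL and then allow or deny the request" step proposed above, as a standalone JavaScript function (Node.js or any modern browser, using the WHATWG URL class). The practical point it shows is that the check has to run on the parsed, normalised host rather than on the raw string, otherwise userinfo tricks, mixed case, trailing dots and alternative IPv4 spellings walk straight past a blocklist. The blocklist and the test URLs are constructed for illustration, and `BLOCKED_HOSTS`, `effectiveHost` and `isAllowed` are my own names.

```javascript
// Added example, not from the forum post: the allow/deny decision for a
// requested URL, run on the parsed host rather than the raw string.
// Assumes Node.js >= 10 or any modern browser (WHATWG URL class).

// Constructed blocklist for illustration; a real one would be loaded from a
// data area on the host machine, as the post suggests.
const BLOCKED_HOSTS = new Set(["evil.example", "203.0.113.7"]);

// Host an http(s) URL really points at, after the URL parser has applied its
// normalisation: case folding, userinfo removal, IPv4 forms like 0xCB.0.113.7.
// Returns null for anything that should not be navigated to at all.
function effectiveHost(rawUrl, base = "https://forum.example/") {
  let u;
  try {
    u = new URL(rawUrl, base);               // relative URLs resolve against the page
  } catch {
    return null;                             // unparseable -> deny
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return null;                             // javascript:, data:, file:, vbscript: ...
  }
  return u.hostname.replace(/\.$/, "");      // "evil.example." is the same host
}

// Deny if the host or any parent domain is on the list.
function isAllowed(rawUrl) {
  const host = effectiveHost(rawUrl);
  if (host === null) return false;
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    if (BLOCKED_HOSTS.has(labels.slice(i).join("."))) return false;
  }
  return true;
}

// Constructed inputs: the first five should all be denied, the last two allowed.
const EXAMPLES = [
  "http://bank.example@evil.example/login",  // userinfo in front of the real host
  "HTTP://EVIL.EXAMPLE./",                    // case and trailing dot
  "http://0xCB.0.113.7/",                     // hex spelling of 203.0.113.7
  "//evil.example/x.js",                      // scheme-relative
  "javascript:alert(1)",                      // not a network URL at all
  "https://notevil.example/",
  "https://www.w3.org/TR/xhtml1/",
];
for (const url of EXAMPLES) {
  console.log(isAllowed(url) ? "allow" : "deny ", url);
}
```

The gate only answers "may this host be contacted"; where it is wired in (a navigation hook, a download handler, or the host-side API the post imagines) is a separate design question. Note also that a blocklist of hosts says nothing about a legitimate site that has been hijacked, which is exactly the drive-by case the post is worried about.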


  2. Posts : 8,476
    Windows® 8 Pro (64-bit)
       #2

    Hi Jimbo, nice post and I agree with what you say. Some AV like NOD32 and KIS 2010 have a web scanner to protect users from scripts. It's not 100% effective but at least they make an effort to stop bad scripts.


  3. Posts : 5,941
    Linux CENTOS 7 / various Windows OS'es and servers
    Thread Starter
       #3

    Hi Dinesh

    If you have influence with these companies - try and get them to start working on these lines.

    I was horrified when I started messing around with scripts to see how easy it was to do all manner of things on remote machines -- and I'm only a beginner in scripting -- although I do have a bit of experience in OS design -- remember IBM OS/360 / 370 systems -- still a blueprint for OS design.

    Cheers
    jimbo


  4. Posts : 18,404
    Windows 7 Ultimate x64 SP1
       #4

    Avast Pro has a script blocking module. And if you use a browser like Firefox, the add-on NoScript is good. I don't think I'd call it a joke.


  5. Posts : 2,651
    W7 RTM Ultimate x64
       #5

    That's some great reading material, really got to me.

    I'm not sure, but I think AVG also has a web scanner; I haven't used it in a while (using MSE) but yeah.

    I keep an eye on what I visit, and avoid nasty sites.

    Thanks for the info Jimbo.


  6. Posts : 8,476
    Windows® 8 Pro (64-bit)
       #6

    Yeah, the NoScript add-on is a great tiny utility, as mentioned by Aaron. I use NoScript & Adblock Plus with FF.


  7. Posts : 3,960
    W7 x64
       #7

    jimbo45 said:
    If you get a virus from a download then you probably need to tighten up your download strategies. - If you knowingly download "dubious stuff" then it's your own fault anyway...
    What a short-sighted point of view, because when one person is infected that same nasty can spread to other computers they interact with - so the 'hapless user' that's duped into being served a worm or other virals or malware... well, it doesn't take a genius to realise they're not going to be the only user affected!

    Everyone who interacts with the same 'hapless user' is equally at risk, so are you saying that it's then also their own fault if they cop a hit? Sheesh... the people you should be criticising are the toerags who author the nasties...


  8. Posts : 5,941
    Linux CENTOS 7 / various Windows OS'es and servers
    Thread Starter
       #8

    Hi Qdos

    Viral infection spreading usually occurs via e-mail and P2P sites, so if you act carefully you shouldn't get anything just because another computer has an infection.

    The actual point of the post was basically to say that a lot of classical AV software isn't much good - especially the FREE versions - against the newer types of malware.

    By all means install AV software - but please be aware of what it is actually PROTECTING you from and what the limitations are.

    Of course if you share a computer with an 8 year old who is downloading loads of stuff from the web then you will need some sort of guard. - But as I also pointed out most AV software is REACTIVE which means by the time you discover there IS a virus on the machine it's too late.

    For example you might be downloading a simple mp3 file. Most virus scanning software will look for known .exe / .dll files.

    Now even a beginner could encode some binary bytes in the mp3 file (there's always a few artifacts in an mp3, so it won't sound horrible when you try and play it) which would run a small program expanding a compressed virus made up of binary bits embedded at different points of the mp3 file -- rather like the various "codices" alleged to be embedded in the Bible.

    Virus scans haven't got much of a chance against this type of infection - a little bit of machine code knowledge and a binary file editor is all that's required.

    I'm not saying you could do this in 5 mins, but you should get an idea of one way a virus can hide itself from a virus scanner. You certainly can't have a DB containing every MP3 on the planet with all encoding options - so a comparison detection method is impossible - and the virus writer will ensure the mp3 file has a correct CRC and SHA1.

    Reasonably experienced users shouldn't normally ever encounter a Virus.

    MALWARE as I said in the post is a TOTALLY different animal and blocking scripts isn't 100% effective if you want to browse the web.

    BTW You don't even have to "run the script" if the browser just inserts the machine code and executes it so even a "Script blocker" isn't seriously effective.

    Popup blockers just stop "known scripts".

    A Malware writer isn't going to make things obvious and easy.

    And I agree - of course we should vent anger against the "low-lifes" - but that's a given anyway.

    To sum up all the post was trying to say is that most AV software - especially FREE or "Lite" editions are relatively ineffective against these modern types of attacks - so I'm sorry if you mis-interpreted the post.

    I'm as interested as the next guy in SAFE, SECURE computer systems - but please don't let us all be lulled into a false sense of security.

    No intention was to rubbish anybody - but in no way am I going to pay for a product that doesn't really actually do "what it says on the tin".

    (And BTW - how does one know that the "Safe" site you've just visited hasn't been hi-jacked -- even IBM and MS get infiltrated from time to time).

    Malware 101 -- delete all traces of "alternate" sites visited and delete all traces of the site in the software logs on the remote machine. - Not that difficult to do BTW.

    One of the best logs which is relatively "tamper proof" is to switch on the hardware log on your router -- simple but often overlooked. Most routers have an "IP address visited" log in them which your malware writer probably won't be able to touch.

    Cheers
    jimbo
    Last edited by jimbo45; 17 Nov 2009 at 07:49.
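An added example, not code from jimbo45's post or from any scanner mentioned in the thread: a small Node.js script that walks an MP3 file frame by frame and reports byte ranges that belong to neither an ID3 tag nor a valid MPEG-1 Layer III frame. It is one structural check a scanner could run on the scenario described above (payload bytes spliced between frames), and it needs no signature database at all, which is the point the post makes against hash comparison. The MP3 is constructed inline (an ID3v2 tag, three frames, 64 foreign bytes, two more frames, an ID3v1 tag); the function names and the hidden-byte pattern are my own assumptions.

```javascript
// Added example (not from the forum thread): walk an MP3 file's structure and
// report byte ranges that belong neither to an ID3 tag nor to a decodable
// MPEG-1 Layer III frame. Payload spliced between frames shows up as a gap.
// Assumes Node.js >= 16 (Buffer). The sample file below is constructed inline.

const BITRATES_KBPS = [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 0];
const SAMPLE_RATES  = [44100, 48000, 32000, 0];

// Parse a 4-byte MPEG-1 Layer III frame header at `off`; return the frame
// length in bytes, or 0 if the bytes there are not such a header.
function frameLength(buf, off) {
  if (off + 4 > buf.length) return 0;
  const b1 = buf[off + 1], b2 = buf[off + 2];
  if (buf[off] !== 0xff || (b1 & 0xe0) !== 0xe0) return 0; // 11-bit sync word
  if (((b1 >> 3) & 3) !== 3) return 0;                      // version bits: MPEG-1 only
  if (((b1 >> 1) & 3) !== 1) return 0;                      // layer bits: Layer III only
  const bitrate = BITRATES_KBPS[b2 >> 4] * 1000;
  const rate = SAMPLE_RATES[(b2 >> 2) & 3];
  if (!bitrate || !rate) return 0;                          // reserved / free-format indexes
  const padding = (b2 >> 1) & 1;
  return Math.floor((144 * bitrate) / rate) + padding;
}

// Decode the syncsafe (7 bits per byte) size field of an ID3v2 header.
function syncsafe(buf, off) {
  return (buf[off] << 21) | (buf[off + 1] << 14) | (buf[off + 2] << 7) | buf[off + 3];
}

// Returns { id3v2Bytes, id3v1, frames, gaps: [{ offset, length }] }.
function scanMp3(buf) {
  const result = { id3v2Bytes: 0, id3v1: false, frames: 0, gaps: [] };
  let off = 0, end = buf.length;

  if (buf.length >= 10 && buf.toString("latin1", 0, 3) === "ID3") {
    const footer = (buf[5] & 0x10) ? 10 : 0;                // flag bit 4: footer present
    off = Math.min(10 + syncsafe(buf, 6) + footer, end);
    result.id3v2Bytes = off;
  }
  if (end - off >= 128 && buf.toString("latin1", end - 128, end - 125) === "TAG") {
    result.id3v1 = true;                                    // fixed 128-byte trailer
    end -= 128;
  }

  while (off < end) {
    const len = frameLength(buf, off);
    if (len && off + len <= end) { result.frames++; off += len; continue; }
    // Not a frame: advance until the next plausible header and record the skipped bytes.
    // (A production scanner would also confirm a second header follows, to avoid false syncs.)
    const start = off;
    do { off++; } while (off < end && !frameLength(buf, off));
    result.gaps.push({ offset: start, length: off - start });
  }
  return result;
}

// Constructed sample: ID3v2 tag, three frames, 64 bytes of foreign data, two frames, ID3v1 tag.
function mp3Frame(fill) {
  const f = Buffer.alloc(417, fill);                        // 128 kbit/s, 44.1 kHz, no padding -> 417 bytes
  f.set([0xff, 0xfb, 0x90, 0x00], 0);
  return f;
}
const SAMPLE_MP3 = Buffer.concat([
  Buffer.from("ID3"), Buffer.from([3, 0, 0, 0, 0, 0, 20]), Buffer.alloc(20, 0), // 30-byte ID3v2.3 tag
  mp3Frame(0x11), mp3Frame(0x22), mp3Frame(0x33),
  Buffer.alloc(64, 0x41),                                                        // the "hidden" bytes
  mp3Frame(0x44), mp3Frame(0x55),
  Buffer.from("TAG"), Buffer.alloc(125, 0),                                      // 128-byte ID3v1 tag
]);

console.log(JSON.stringify(scanMp3(SAMPLE_MP3)));
```

On the constructed file this reports five frames and one gap of 64 bytes at offset 1281. The caveat a practitioner would add: this only finds bytes that sit outside the frame structure. Data hidden inside a frame's own payload (the ancillary bytes after the Huffman data, or the padding slot) is still a valid frame to this scanner, so a check like this narrows the problem rather than solving it.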


  9. Posts : 208
    Windows 7 ultimate 32bit OEM 6.1 Build7600
       #9

    I use NoScript & Adblock Plus with FF


  10. Posts : 5,941
    Linux CENTOS 7 / various Windows OS'es and servers
    Thread Starter
       #10

    neoasr said:
    I use NoScript & Adblock Plus with FF

    Hi there

    Won't work 100% of the time -- every time you access web sites with any sort of design there's some CSS stuff there -- what about even the W7 site?

    Even this site uses some scripting.

    For example, as a start, here's a code extract; just view "Source" in IE.

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
    <meta name="generator" content="vBulletin 3.8.4" />
    <meta name="verify-v1" content="KYRdS+aaZmSme3ViQqFlpzri2XmKhjPBDxF9Y7X5IO0=" />
    <meta name="keywords" content="windows, seven beta, Microsoft, windows 7, Windows 7 Forums, windows 7 tutorials" />
    <meta name="description" content="Windows 7 Forums the biggest Windows 7 discussion forum, friendly help and many Windows 7 tutorials that will help you get the most out of Microsofts new Windows 7 Operating System." />
    <style type="text/css" id="vbulletin_css">
    /* Style: 'SF Default'; Style ID: 33 */
    @import url("clientscript/vbulletin_css/style-afbf1b94-00033.css");
    </style>
    <link rel="stylesheet" type="text/css" href="clientscript/vbulletin_important.css?v=384" />
    <style type="text/css" id="bbcode_css">
    <!-- .............................. etc etc.

    cheers
    jimbo

