Malware and the Web - we need a NEW Approach


  1. Posts : 408
    Windows 7 Home Premium 64-bit
       #11

    jimbo45 said:
    I think we can all basically agree that the REAL problem these days is MALWARE.
    Malware is just an all encompassing term for viruses and the like. Your post seems to claim there is a distinction between malware and viruses, there is not.

    To prove my point, from Wikipedia:

    Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software.
    Malware - Wikipedia, the free encyclopedia


  2. Posts : 5,941
    Linux CENTOS 7 / various Windows OS'es and servers
    Thread Starter
       #12

    Hi there

    Technically you are probably correct but I think the meaning of the post is clear
    1) A Virus or worm or trojan horse is resident on the infected machine and can be located and removed - even if it has done its nasty business

    2) My post is trying to point out those cases where code can be dynamically generated, loaded and executed on the victim's machine - and then vanish so no trace can be found via detection software.

    I think the point of the post is clear BTW.

    Incidentally the BBC has just published this -- which shows that my post is on the right lines.


    ......

    However, in recent months, hi-tech criminals have signalled a change in tactics away from e-mail borne viruses. Instead, many are infiltrating popular webpages in a bid to infect the machine of any and every visitor. Many seek to steal valuable information such as login names, passwords or game accounts instead of trying to install themselves on a machine.
    ................ (from the BBC)

    BTW before Apple (or iPhone) owners get smug, have a look at this.

    BBC NEWS | Technology | Worm attack bites at Apple iPhone

    cheers
    jimbo


  3. Posts : 36
    Windows 7
       #13

    jimbo45 said:
    neoasr said:
    I use Noscript & adblock plus with FF

    Hi there

    Won't work 100% of the time -- every time you access web sites with any sort of designs - there's some CSS stuff there -- what about even the W7 site

    even this site uses some scripting

    for example as a start - code extract just view "Source" in IE.

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
    <meta name="generator" content="vBulletin 3.8.4" />
    <meta name="verify-v1" content="KYRdS+aaZmSme3ViQqFlpzri2XmKhjPBDxF9Y7X5IO0=" />
    <meta name="keywords" content="windows, seven beta, Microsoft, windows 7, Windows 7 Forums, windows 7 tutorials" />
    <meta name="description" content="Windows 7 Forums the biggest Windows 7 discussion forum, friendly help and many Windows 7 tutorials that will help you get the most out of Microsofts new Windows 7 Operating System." />
    <style type="text/css" id="vbulletin_css">
    Style: 'SF Default'; Style ID: 33
    @import url("clientscript/vbulletin_css/style-afbf1b94-00033.css");
    </style>
    <link rel="stylesheet" type="text/css" href="clientscript/vbulletin_important.css?v=384" />
    <style type="text/css" id="bbcode_css">
    <!-- .............................. etc etc.

    cheers
    jimbo
    I don't see how NoScript will be fooled by this. Would you be kind enough to elaborate? Thanks.

    Also, for those who are interested, the following free AVs offer some form of real-time protection. There is at least one excellent one in the list:

    List of free antivirus programs with real-time protection





    List of free antispyware programs with real-time protection



    From Wikipedia.

    Cheers,

    Matthew


  4. Posts : 8,476
    Windows® 8 Pro (64-bit)
       #14

    Also, add SpywareBlaster. It gives a solid passive protection by integrating into browsers.


  5. Posts : 36
    Windows 7
       #15

    Dinesh said:
    Also, add SpywareBlaster. It gives a solid passive protection by integrating into browsers.
    Good call.


  6. Posts : 76
    Windows 7 RTM
       #16

    jimbo45 said:
    Classical viruses whilst a nuisance are relatively easily dealt with and are treated in general via AV software that does a REACTIVE scan -- i.e. your computer is scanned at some point in time AFTER a virus has entered your system.
    I just had to pipe up to say, this is certainly not the case. Regardless of how the virus got there, 'classical' virus infections can still strike the weak point of your computer to deliver massive damage. Infections are great at disabling AV software. The Virut strain of infections will mutate your EXE and DLL files beyond cleaning (Seriously, the AV vendors tell you to reformat your computer if Virut is found during a reactive scan). Rootkits can't be assuredly removed without reformatting, either.

    jimbo45 said:
    The major threat is in the so called DRIVE BY infections -- this is where you visit a site - could be a quite legal site which has been hijacked without the site owners knowing.

    ...

    So we need some way of controlling what scripts actually run in a browser and if necessary AV software should be able to check these functions online without slowing the machine down to debug levels.
    Very much agreed. Legitimate websites can unknowingly host malicious scripts. And if the website is a trusted place (i.e. National Geographic, New York Times, etc.), then you're going to be hit because there's no reason to block them.

    But! Scripts are NOT the only vector of drive-by attacks. Look at the new malformed font attacks. These don't use scripts at all. They're undoubtedly the nastiest thing I've seen in a while.


  7. jav
    Posts : 713
    Windows 7 Ultimate x86 SP1
       #17

    What do you guys think about Sandbox type based protection?
    Like Sandboxie or DefenseWall HIPS or any other software implementing this type of method?
    In theory it seems to be very basic and in a way effective?

    Can this kind of protection be the new approach?


  8. Posts : 76
    Windows 7 RTM
       #18

    jav said:
    What do you guys think about Sandbox type based protection?
    Like Sandboxie or DefenseWall HIPS or any other software implementing this type of method?
    In theory it seems to be very basic and in a way effective?

    Can this kind of protection be the new approach?
    Yes, but only for 32-bit systems.


  9. Posts : 5,941
    Linux CENTOS 7 / various Windows OS'es and servers
    Thread Starter
       #19

    Hi carbonyl

    The whole point is that IF your computer IS infected by one of these Viruses then it's already TOO LATE as I said in the post.


    The problem also in "analytical" processing AFTER the fact is a bit like as they say in the USA doing "Monday Morning Quarterbacking".

    The Virus can be removed of course - even if you have to restore a 100% known clean image from a previous backup set -- but there's NO WAY of knowing what the virus actually did -- for example stuff from your machine might at this moment be travelling all over the Internet.

    Even if AV software detects a virus as VIRUS-A how does it actually know that it isn't VIRUS-B masquerading as VIRUS-A and so forth.

    Better and more secure routers would certainly help but "industrial" strength routers don't come cheap.

    Cheers
    jimbo


  10. Posts : 36
    Windows 7
       #20

    jav said:
    What do you guys think about Sandbox type based protection?
    Like Sandboxie or DefenseWall HIPS or any other software implementing this type of method?
    In theory it seems to be very basic and in a way effective?

    Can this kind of protection be the new approach?

    If you are talking about something like Defensewall then, though very good, that one for one is not totally invulnerable. I believe in a multi-pronged approach, so personally I use an IPCOP firewall with ClamAV that rules my network, a multi-scanner integrated suite on my Windows machines + 2 additional malware scanners - and that's enough, as I don't spend a lot of time on the world wild web ... mainly stick to a few sites that need my attention or where I enjoy the community.

    If the drive-bys become more common and if they start getting injected into trusted sites then I'll probably add HIPS/Defensewall but wouldn't replace anything else with it. If you torrent, PeerGuardian is a must-have too.

    Matthew

    PS The issue with Defensewall is that it is implemented at the Windows driver level and can be beaten by some rootkits and installers, as I understand it.


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 06:31.
Find Us