Malware and the Web - we need a NEW Approach

jimbo45

New member
Guru
Gold Member
VIP
Local time
3:59 PM
Messages
5,941
Location
Hafnarfjörður IS
Hi all
Just a suggestion -- Dinesh won't like this I know, as he's so busy testing current AV / security systems - but I think this is the way forward with computer security.

I think we can all basically agree that the REAL problem these days is MALWARE.

Classical viruses, whilst a nuisance, are relatively easily dealt with and are treated in general via AV software that does a REACTIVE scan -- i.e. your computer is scanned at some point in time AFTER a virus has entered your system.

These days for reasonably intelligent users we can rule out viruses being installed by people downloading "questionable software / music etc". If you get a virus from a download then you probably need to tighten up your download strategies. - If you knowingly download "dubious stuff" then it's your own fault anyway.

Malevolent software these days is installed and run almost exclusively via MALWARE which classical AV software is (as far as ordinary home users are concerned) powerless to prevent in PROACTIVE mode (that is, detection at the time it happens - not via a scan afterwards).

The major threat is in the so called DRIVE BY infections -- this is where you visit a site - could be a quite legal site which has been hijacked without the site owners knowing.

The site executes a rogue script in your browser which can run anything on your computer at at least the authorisation level that the user running the browser has - for example it can explore and upload data from your disks quite legitimately -- how would any AV software detect that, for example, unless you have some real time monitoring of your disks -- this adds a lot of overhead to the OS.

It can pass you to another site and even download porno on to a remote user's hard drive without the user knowing -- a court case recently nearly ended up with someone going to jail because of questionable material being discovered on his computer - in spite of the fact he hadn't knowingly downloaded any of it.

Remember at this point in time the script has already been executed, done its business and GONE - so AV software would never be aware of anything untoward taking place on the users computer.

It's totally not feasible to prevent script execution in a browser -- most Internet sites wouldn't work at all.


So we need some way of controlling what scripts actually run in a browser and if necessary AV software should be able to check these functions online without slowing the machine down to debug levels.

A start would be in the BROWSER DESIGN itself. For example if a link to a new URL is wanted this should only be done via say the browser calling a Windows API function on the HOST machine to examine the URL and then allow or deny the request. (Rogue IP addresses could be stored in a data area on the Host machine).

Similarly any I/O function - in particular data UPLOAD could also be done via an API call rather than in the browser script.

I'm not an expert in the internals of IE or Firefox but I started doing a little messing about with running some scripts and it's amazing what can be done even with a tiny bit of knowledge. You can run almost anything on a remote machine from a browser without the remote machine being aware of anything -- and I'm not even an expert in the whole idea of web programming at all. (Great when you've got a LAN for testing this stuff).

Those sites that offer to fix your registry or look for drivers by checking your machine --- NEVER EVER EVER run these type of apps ONLINE as if any of these sites get hijacked you've just thrown away the keys of the kingdom.

This shows actually how easy it is for a remote site to execute something on your computer - although in these cases the sites are open about what they are doing and usually make you install a small application.

So I'd suggest (it probably won't happen until Windows 8 or later) that the whole scripting part of a browser is re-written so it works ONLY by proper documented interfaces using genuine API calls which can be protected.

The whole idea of "plugins" is also a joke and a loophole again for "nasties". If for example I need to read a PDF document why shouldn't the browser just use an API to start Acrobat Reader (or your PDF application) just like the double click in Windows Explorer. It shouldn't need a "plug in". A simple Windows API is all that's needed.

OK it might have to start a new window for the PDF document but with multiple / large monitors and decent memory sizes these days what's the problem?

Restricting browser code to basically just calling registered APIs would at a single stroke eliminate 99% of current malware.

The biggest threat to your computer is actually via sites that scan your disks looking for data such as bank passwords etc etc rather than in simply infecting them with viruses.

If you must use current AV software then at least choose one that logs ALL sites visited whether you actually see them whilst browsing or not and then rigorously check the logs later.

So until browser code is re-written here's a call to AV software companies -- If you want to stay in business forget about making bigger and bigger databases of known windows .dll's / .exe's and comparing them against typical current viruses but - try and get a handle on the REAL problem -- Browser scripting and Drive by malware with REALTIME (Pro-active) protection.

REACTIVE SCANNING (i.e "After the fact") is totally 100% USELESS in these situations.


Places like the NATO site in Brussels are aware of this and no production systems are connected in any way AT all to the public internet -- even the cabling etc is separate.

To get stuff from a test / dev environment to a QA system and then PROD is a mega hassle -- stuff is first copied on to specially authorized devices which are then scanned by military strength software. Finally after written authorisation and a "Data Quality" review the data can be uploaded to the target machine - but this is done by security personnel sitting at the local machine -- no network is used.


Cheers
jimbo
 
Hi Jimbo, nice post and I agree with what you say. Some AV like NOD32 and KIS 2010 have a web scanner to protect users from scripts. It's not 100% effective but at least they make an effort to stop bad scripts.
 

Hi Dinesh

If you have influence with these companies - try and get them to start working on these lines.

I was horrified when I started messing around with scripts to see how easy it was to do all manner of things on remote machines -- and I'm only a beginner in Scripting -- although I do have a bit of experience in OS design -- remember IBM OS/360 / 370 systems -- still a blueprint for OS design.

Cheers
jimbo
 

Avast Pro has a script blocking module. And if you use a browser like Firefox, the add on No Script is good. I don't think I'd call it a joke.
 

That's some great reading material, really got to me.

I'm not sure, but I think AVG also has a web scanner, I haven't used it in a while (using MSE) but yeah.

I keep an eye on what I visit, and avoid nasty sites.

Thanks for the info Jimbo.
 

Yeah the NoScript Add-on is a great tiny utility as mentioned by Aaron. I use Noscript & adblock plus with FF.
 

If you get a virus from a download then you probably need to tighten up your download strategies. - If you knowingly download "dubious stuff" then it's your own fault anyway...

What a short-sighted point of view, because when one person is infected that same nasty can spread to other computers they interact with - so the 'hapless user' that's duped into being served a worm or other virals or malware... well, it doesn't take a genius to realise they're not going to be the only user affected!

Everyone who interacts with the same 'hapless user' is equally at risk, so are you saying that it's then also their own fault if they cop a hit? Sheesh... the people you should be criticising are the toerags who author the nasties... :zip:
 

Hi Qdos

Viral infection spreading usually occurs via E-mail and p2p sites so if you act carefully you shouldn't get anything just because another computer has an infection.

The actual point of the post was basically to say that a lot of classical AV software isn't much good - especially the FREE versions - against the newer types of Malware.

By all means install AV software - but please be aware of what it is actually PROTECTING you from and what the limitations are.

Of course if you share a computer with an 8-year-old who is downloading loads of stuff from the web then you will need some sort of guard. - But as I also pointed out most AV software is REACTIVE which means by the time you discover there IS a virus on the machine it's too late.

For example you might be downloading a simple mp3 file. Most virus scanning software will look for known .exe / .dll files.

Now even a beginner could encode some binary bytes in the mp3 file (there's always a few artifacts in an mp3 so it won't sound horrible when you try and play it) which would run a small program expanding a compressed virus made up of binary bits embedded at different points of the mp3 file -- rather like the various "codices" alleged to be embedded in the bible.

Virus scans haven't got much of a chance against this type of infection - a little bit of machine code knowledge and a binary file editor is all that's required.

I'm not saying you could do this in 5 mins but you should get an idea of one way a virus can hide itself from a virus scanner. You certainly can't have a DB containing every MP3 on the planet with all encoding options - so a comparison detection method is impossible - and the virus writer will ensure the mp3 file has a correct CRC and SHA1.

Reasonably experienced users shouldn't normally ever encounter a Virus.

MALWARE as I said in the post is a TOTALLY different animal and blocking scripts isn't 100% effective if you want to browse the web.

BTW You don't even have to "run the script" if the browser just inserts the machine code and executes it so even a "Script blocker" isn't seriously effective.

Popup blockers just stop "known scripts".

A Malware writer isn't going to make things obvious and easy.

And I agree - of course we should vent anger against the "low-lifes" - but that's a given anyway.

To sum up all the post was trying to say is that most AV software - especially FREE or "Lite" editions are relatively ineffective against these modern types of attacks - so I'm sorry if you mis-interpreted the post.

I'm as interested as the next guy in SAFE, SECURE computer systems - but please don't let us all be lulled into a false sense of security.

No intention was to rubbish anybody - but in no way am I going to pay for a product that doesn't even really actually do "what it says on the tin".

(And BTW - how does one know that the "Safe" site you've just visited hasn't been hi-jacked -- even IBM and MS get infiltrated from time to time).

Malware 101 -- delete all traces of "alternate" sites visited and delete all traces of the site in the software logs on the remote machine. - Not that difficult to do BTW.

One of the best logs which is relatively "tamper proof" is to switch on the hardware log on your router -- simple but often overlooked. Most routers have an "IP address visited" log in them which your malware writer probably won't be able to touch.

Cheers
jimbo
 
I use Noscript & adblock plus with FF
 

I use Noscript & adblock plus with FF


Hi there

Won't work 100% of the time -- every time you access web sites with any sort of designs - there's some CSS stuff there -- what about even the W7 site

even this site uses some scripting

for example as a start - code extract just view "Source" in IE.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta name="generator" content="vBulletin 3.8.4" />
<meta name="verify-v1" content="KYRdS+aaZmSme3ViQqFlpzri2XmKhjPBDxF9Y7X5IO0=" />
<meta name="keywords" content="windows, seven beta, Microsoft, windows 7, Windows 7 Forums, windows 7 tutorials" />
<meta name="description" content="Windows 7 Forums the biggest Windows 7 discussion forum, friendly help and many Windows 7 tutorials that will help you get the most out of Microsofts new Windows 7 Operating System." />
<style type="text/css" id="vbulletin_css">
/* Style: 'SF Default'; Style ID: 33 */
@import url("clientscript/vbulletin_css/style-afbf1b94-00033.css");
</style>
<link rel="stylesheet" type="text/css" href="clientscript/vbulletin_important.css?v=384" />
<style type="text/css" id="bbcode_css">
<!-- .............................. etc etc.

cheers
jimbo
 

I think we can all basically agree that the REAL problem these days is MALWARE.

Malware is just an all encompassing term for viruses and the like. Your post seems to claim there is a distinction between malware and viruses, there is not.

To prove my point, from Wikipedia:

Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software.

Malware - Wikipedia, the free encyclopedia
 

Hi there

Technically you are probably correct but I think the meaning of the post is clear
1) A Virus or worm or trojan horse is resident on the infected machine and can be located and removed - even if it has done its nasty business

2) My post is trying to point out those cases where code can be dynamically generated, loaded and executed on the victim's machine - and then vanish so no trace can be found via detection software.

I think the point of the post is clear BTW.

Incidentally the BBC has just published this -- which shows that my post is on the right lines.


......

However, in recent months, hi-tech criminals have signalled a change in tactics away from e-mail borne viruses. Instead, many are infiltrating popular webpages in a bid to infect the machine of any and every visitor. Many seek to steal valuable information such as login names, passwords or game accounts instead of trying to install themselves on a machine.
................ (from the BBC)

BTW before Apple (or iPhone) owners get smug have a look at this.

BBC NEWS | Technology | Worm attack bites at Apple iPhone

cheers
jimbo
 

jimbo45 said:
Won't work 100% of the time -- every time you access web sites with any sort of designs - there's some CSS stuff there -- what about even the W7 site ... even this site uses some scripting ... for example as a start - code extract just view "Source" in IE. [HTML source extract quoted in the post above]

I don't see how NoScript will be fooled by this. Would you be kind enough to elaborate. Thanks.

Also for those who are interested the following free AVs offer some form of real time protection. There is at least one excellent one in the list:

List of free antivirus programs with real-time protection

List of free antispyware programs with real-time protection

From Wikipedia.

Cheers,

Matthew
 

Also, add SpywareBlaster. It gives a solid passive protection by integrating into browsers.
 

Classical viruses whilst a nuisance are relatively easily dealt with and are treated in general via AV software that does a REACTIVE scan -- i.e your computer is scanned at some point in time AFTER a virus has entered your system.

I just had to pipe up to say, this is certainly not the case. Regardless of how the virus got there, 'classical' virus infections can still strike the weak point of your computer to deliver massive damage. Infections are great at disabling AV software. The Virut strain of infections will mutate your EXE and DLL files beyond cleaning (Seriously, the AV vendors tell you to reformat your computer if Virut is found during a reactive scan). Rootkits can't be assuredly removed without reformatting, either.

jimbo45 said:
The major threat is in the so called DRIVE BY infections -- this is where you visit a site - could be a quite legal site which has been hijacked without the site owners knowing.

...

So we need some way of controlling what scripts actually run in a browser and if necessary AV software should be able to check these functions online without slowing the machine down to debug levels.

Very much agreed. Legitimate websites can unknowingly host malicious scripts. And if the website is a trusted place (i.e. National Geographic, New York Times, etc.), then you're going to be hit because there's no reason to block them.

But! Scripts are NOT the only vector of drive-by attacks. Look at the new malformed font attacks. These don't use scripts at all. They're undoubtedly the nastiest thing I've seen in a while.
 

What do you guys think about Sandbox type based protection?
Like Sandboxie or DefenseWall HIPS or any other software implementing this type of method?
In theory it seems to be very basic and in a way effective?

Can this kind of protection be the new approach?
 

What do you guys think about Sandbox type based protection?
Like Sandboxie or DefenseWall HIPS or any other software implementing this type of method?
In theory it seems to be very basic and in a way effective?

Can this kind of protection be the new approach?

Yes, but only for 32-bit systems.
 

Hi carbonyl

The whole point is that IF your computer IS infected by one of these Viruses then it's already TOO LATE as I said in the post.


The problem also in "analytical" processing AFTER the fact is a bit like as they say in the USA doing "Monday Morning Quarterbacking".

The Virus can be removed of course - even if you have to restore a 100% known clean image from a previous backup set -- but there's NO WAY of knowing what the virus actually did -- for example stuff from your machine might at this moment be travelling all over the Internet.

Even if AV software detects a virus as VIRUS-A how does it actually know that it isn't VIRUS-B masquerading as VIRUS-A and so forth.

Better and more secure routers would certainly help but "industrial" strength routers don't come cheap.

Cheers
jimbo
 

What do you guys think about Sandbox type based protection?
Like Sandboxie or DefenseWall HIPS or any other software implementing this type of method?
In theory it seems to be very basic and in a way effective?

Can this kind of protection be the new approach?


If you are talking about something like Defensewall then, though very good, that one is not totally invulnerable. I believe in a multi-pronged approach so personally I use an IPCOP firewall with ClamAV that rules my network, a multi-scanner integrated suite on my Windows machines + 2 additional malware scanners - and that's enough, as I don't spend a lot of time on the world wild web ... mainly stick to a few sites that need my attention or where I enjoy the community.

If the drive-bys become more common and if they start getting injected into trusted sites then I'll probably add HIPS/Defensewall but wouldn't replace anything else with it. If you torrent, PeerGuardian is a must have too.

Matthew

PS The issue with Defensewall is that it is implemented at the Windows driver level and can be beat by some rootkits and installers, as I understand it.
 
