Harder, Better, Faster, Stronger - The Malware

Sat, 22 Nov 2008 18:48:59 GMT

I am sure that you know this song. Yes, Daft Punk absolute rocks, although this post is about malware not the band.

Anyway, I was going through some blogs today and I stumbled across some articles regarding a malware affecting MacOS. Apparently this piece of malicious software is of a type downloader/installer. All it does is to connect to a remote server, fetch the payload and execute. Nothing special really!

One advantage this malware has over other types of malware is that the payload can be changed over time, which is cool. However, the antivirus folks will continue taking samples of the new payloads and add more signatures to their software. The game is on!

At the end of the day, regardless whether the malware runs for MacOS (the new hype), Windows or Linux, it is composed of pretty much the same routines. If you think about it, there is a common pattern among most malware, which means that at some point, once we have better technologies to map any given application behavior, we will be able to insulate potential problematic processes and perhaps even drop them in a sandbox while running. Actually, this is possible today to one degree or another.

My point is that once a malware sample is found, it can be quite quickly neutralized. We know that Antivirus software is not perfect but at least antivirus vendors try to solve a quite complicated problem, so you have to give them some credits. The key point which we have to draw from all of this nonsense which I wrote so far, is that we do not know if a particular type of malware exists until we find a sample of it, which brings me to my main point in this post:

What if it is not possible or it is very hard to get a malware sample?

I blogged about these stuff before, but my question still remains. What if the malware does not persist on the system, instead it weakens the security perimeter and than it destroys itself? What if the result of this "weakening" looks very similar to the environment you will usually find in corporate networks (yes, corporate networks tend to be quite weakened). In this case the antivirus software has no clue whether this "weakening" was intentional or not? I am not malware researcher so I am not sure if such a beast exists, but if it doesn't than I find it scary that there is no practicel advice what to do apart from trying not to get infected on first place. I hardly doubt that antivirus software can do much about the situation either.

_Ok, I will leave this concept to sink with you. If you have anything to say please do so bellow. Some may say, "hey you spreading FUD", but I don't think that this is FUD. I believe in impossibilities but some stuff are simply impractical for the time being.

nyenye
Hey PDP, I do malware research full-time for a large company, and malware reducing a machine's security posture is quite common. We've seen various ways of doing this...most often killing the running AV processes, modifying the firewall to be more permissive and modifying the web browser to allow automatic execution of code. In many cases, a first stage bit of malware does this, which allows a full compromise once the initial stage runs successfully. Scary stuff!
daemonmididaemonmidi
Nice concept - How do you get around periodically performed security audits? They would detect the infected hosts. Assuming you run these scans (using e.g. nessus) in very short intervals (every 8h ??) -- there's still some time to get data from the infected system - Ok, but chances are vanishing the shorter the scan interval gets...
pdppdp
nye, thanks for sharing. daemonmidi, yes, perhaps with the help of nessus and other auditing tools you can detect abnormalities and perhaps even insulate any problem. still, my point is that you might end up in the situation where you don't know whether the change was intentional or it is the result of a malware infection. The auditing tool may end up with too many false-positives, which is undesirable.
natenate
Good point but I think this idea is a little premature. My experience has taught me that most bosses take their IT recommendations with a grain of salt. How many companies want to pay $4k on antivirus when they can bury their heads in the sand? Without a tangible effect, most attack vectors go unnoticed. I work in healthcare with the leading software apps and they give unadulterated ActiveX access despite any security software we could have bought. You want to tighten our auditing measures and make it difficult to do our job? You can't confirm that the weakened security is malware-related? Personally, I've learned that IT has a big mouth and management has closed ears. You're talking about a silent attack vector. My experience has taught me that without seeing the whites of their eyes, management tends to disregard hypotheticals. And I say hypothetical only because they won't invest in tracking down the cause of your proposed attack. This is why Windows networks are such easy targets. Why hack a *nix box when 90% of PCs are running a vulnerable Win install? Just my opinion.