
The Rise of Polymorphic Malware

Unknown Lamer posted more than 3 years ago | from the dot-zip-dot-pdf-dot-virtual-exception dept.

Security

twoheadedboy writes "The level of aggressive, polymorphic malware intercepted by Symantec doubled in July, when compared to figures from six months ago. This kind of malware has been typically found inside an executable within an attached ZIP file disguised as a PDF file, and is pretty darn good at getting around traditional anti-virus products. 'There are powerful Darwinian forces acting on the development of malware by criminals,' said Martin Lee, senior software engineer at Symantec. 'Those who look to innovate and improve their malware tend to infect more computers and acquire the resources to reinvest in further development and innovation.'"
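The summary describes the delivery vector rather than the polymorphic engine itself: an executable inside a ZIP attachment, named so that it passes for a PDF. That part can be caught structurally, without a signature, by comparing what a file's name claims with what its first bytes say. The script below is an added example written for this page, not code from Symantec or from the article; it builds a constructed sample archive in memory (one real PDF, one double-extension executable, one MZ file simply named `.pdf`) and reports why each member does or does not look like a disguised executable. The extension list and magic-byte table are assumptions for illustration, not an exhaustive catalogue.

```python
import io
import zipfile

# File extensions Windows executes on double-click (constructed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Magic bytes the named document types must start with (only PDF is needed here).
DOCUMENT_MAGIC = {".pdf": b"%PDF"}
# Every Windows PE executable starts with the "MZ" DOS header.
PE_MAGIC = b"MZ"


def classify_member(name, head):
    """Return a list of reasons a ZIP member looks like a disguised executable.

    name: member file name as stored in the archive
    head: the first few bytes of the member's content
    """
    findings = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    exts = ["." + p for p in parts[1:]]      # e.g. [".pdf", ".exe"] for "invoice.pdf.exe"
    last = exts[-1] if exts else ""

    if last in EXECUTABLE_EXTS:
        findings.append(f"executable extension {last}")
        # A document extension in front of the real one is the classic disguise:
        # with known extensions hidden, "invoice.pdf.exe" is shown as "invoice.pdf".
        if len(exts) >= 2 and exts[-2] in DOCUMENT_MAGIC:
            findings.append(f"double extension {exts[-2]}{last} hides the executable")

    # Content says "executable" while the name says something else.
    if head.startswith(PE_MAGIC) and last not in EXECUTABLE_EXTS:
        findings.append(f"content has a PE (MZ) header but the name claims {last or 'no extension'}")

    # Name says "document" but the content does not carry that document's magic.
    expected = DOCUMENT_MAGIC.get(last)
    if expected is not None and not head.startswith(expected):
        findings.append(f"name claims {last} but content does not start with {expected!r}")

    return findings


def triage_zip_attachment(zip_bytes):
    """Map each file in the archive to its list of findings (empty list = nothing odd)."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(8)          # only the header is needed for the check
            results[info.filename] = classify_member(info.filename, head)
    return results


def build_sample_zip():
    """Constructed sample archive: one real PDF, one double-extension executable,
    and one executable whose name simply lies about its type."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.pdf", b"%PDF-1.4\n% constructed sample document\n")
        zf.writestr("Invoice_July.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("readme.pdf", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in triage_zip_attachment(build_sample_zip()).items():
        verdict = "SUSPICIOUS" if findings else "ok"
        print(f"{verdict:10} {name}")
        for reason in findings:
            print(f"           - {reason}")
```

The check deliberately reads only the first bytes of each member, so it is cheap enough to run on every inbound attachment at a mail gateway, and it does not depend on recognising the payload: a freshly mutated variant still has to be a PE file with a misleading name to work the way the summary describes.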


OOPS (2)

mehrotra.akash (1539473) | more than 3 years ago | (#36885822)

Virus writers discover OOP??

Re:OOPS (1)

Anonymous Coward | more than 3 years ago | (#36885896)

Polymorphic means "many forms"; it isn't just a programming concept (i.e. "runtime polymorphism").

Re:OOPS (0)

Anonymous Coward | more than 3 years ago | (#36885952)

Time to actually start hunting down these fuckers and give them a lead virus.

Re:OOPS (1)

snemarch (1086057) | more than 3 years ago | (#36886042)

Context comprehension fail.

See the other [wikipedia.org] wiki article on polymorphism.

Re:OOPS (0)

Anonymous Coward | more than 3 years ago | (#36886410)

Sarcasm detection fail.

Re:OOPS (1)

snemarch (1086057) | more than 3 years ago | (#36886650)

Sarcasm? On the intarwebs? Wow, that'd be a frist!

Disregard red-light camera tickets in LA (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#36885834)

Motorists who get tickets under the city's controversial red-light camera program can shrug them off, Los Angeles officials agreed Monday.

That was one of the few points of consensus to emerge from a three-hour City Council committee hearing on the future of the much-debated photo enforcement system. The session ended with a recommendation to stop issuing citations at the end of the month and "phase out" the program.

Richard M. Tefank, executive director of the city's Board of Police Commissioners, told the Budget and Finance Committee that the tickets are part of a "voluntary payment program" without sanctions for those who fail to submit fines.

"The consequence is somebody calling you from one of these collection agencies and saying 'pay up.' And that's it," said committee member and Councilman Bill Rosendahl. "There's no real penalty in terms of your driver's license or any other consequences if you don't pay."

The five-member committee recommended that the full City Council endorse an earlier decision by the Los Angeles Police Commission to terminate the camera program at the end of the month.

The committee also recommended that city agencies work to resolve issues with the system contractor, American Traffic Solutions, including removing equipment from 32 intersections and attempting to collect on about 65,000 outstanding tickets. Officials said it was unclear how long it could take to completely end the program.

About 45,000 citations are issued annually with a collection rate of about 60%, according to a report from the city's chief legislative analyst. But that collection rate could fall drastically as more motorists realize the current penalty collection program lacks teeth, officials said.

Whether the full City Council will go along with the recommendation remains unclear. The City Council previously deadlocked over the fate of the program after the Police Commission voted to kill the program in June.

That decision put Los Angeles in the center of a national debate over the effectiveness of the cameras. Many major cities, including Anaheim, and smaller areas such as Loma Linda have banned them.

An audit by City Controller Wendy Greuel last year found that the cameras cost the city more than it receives in revenue, and that the program has not "conclusively shown to have increased public safety."

college drop outs (0)

Anonymous Coward | more than 3 years ago | (#36885876)

so college drop outs have finally found a way to pay off all that school debt?

Re:college drop outs (0)

Anonymous Coward | more than 3 years ago | (#36886072)

Or in this economy, college grads even.

Getting out of student loans is easy if you know how, and are willing to bend the rules. I was able to permanently evade over 30k in loans. It felt good being the one doing the screwing for a change, instead of getting screwed. It must be how bankers and Wall Street scum feel every day.

Re:college drop outs (1)

ChikMag777 (1337235) | more than 3 years ago | (#36886528)

Proudly proclaiming what a deadbeat you are isn't going to win you any points around here.

Re:college drop outs (1)

Mitchell314 (1576581) | more than 3 years ago | (#36886804)

Hm . . . I wouldn't be surprised if there was a +5 "I'm a deadbeat post" somewhere on /. .
- Your friendly neighborhood dead beet

Re:college drop outs (1)

Anonymous Coward | more than 3 years ago | (#36887042)

When an individual does it, they are a deadbeat; when a corporation does it they get a bailout and the CEO gets a huge bonus.

It's 2011, don't open the attachment (1)

ThinkWeak (958195) | more than 3 years ago | (#36885880)

It still blows my mind that people open attachments from individuals they do not know. Despite years of computer virus education and the general public becoming "aware" of tainted files and links, people still do it. They'll put "the club" on their car parked at a Walmart in the middle of nowhere, but open up random attachments and video links to spiders under the skin from people they don't know. Amazing.

Re:It's 2011, don't open the attachment (1)

m2vq (2417438) | more than 3 years ago | (#36885936)

Yes, because all malware comes from emails, and you've never ever searched or done anything new or something you don't really know about on the internet.

Re:It's 2011, don't open the attachment (1)

Chemisor (97276) | more than 3 years ago | (#36886030)

If you use Adblock and Noscript, it is nearly impossible to get infected. Why that functionality is not in every browser and enabled by default I simply don't understand.

Re:It's 2011, don't open the attachment (1)

m2vq (2417438) | more than 3 years ago | (#36886100)

If you use Adblock and Noscript, it is nearly impossible to get infected. Why that functionality is not in every browser and enabled by default I simply don't understand.

Because it's a pain in the ass even for us geeks, and much more so for normal users. Built-in adblock with filters in every browser would also put most of the sites out of business, or they would start charging subscription fees to access their content. I'd rather take the possibility to install such myself if I want to rather than destroy the existing "free" models that currently make the internet possible the way it is.

Re:It's 2011, don't open the attachment (1)

BenoitRen (998927) | more than 3 years ago | (#36886366)

Given that most advertising formulas are pay-per-click, I doubt people who want to block ads would make a difference. They are the type to not click ads, so they actually save the advertisers bandwidth.

Re:It's 2011, don't open the attachment (2)

snemarch (1086057) | more than 3 years ago | (#36886112)

AdBlock implemented default in browsers? Oh my an outcry there'd be... and there'd be a lot more incentive for trying to circumvent AB, leading to more websites where those of us running AB wouldn't have ads automatically blocked - ugh.

NoScript is simply a too advanced feature for Regular Joe & Jane. They'd be confused to death why 90% of the internet suddenly breaks for them, and they don't have the skills to selectively whitelist just the non-dangerous stuff. If you think noscript is trivial, your whitelist is probably too permissive.

Flashblock (1)

tepples (727027) | more than 3 years ago | (#36886146)

AdBlock implemented default in browsers? Oh my an outcry there'd be

Then let's backpedal a bit. I'd recommend implementing content-type blocking (e.g. Flashblock) by default in browsers. That'd keep the user safe from untrusted rich media in an exploitable non-free player, and the circumvention (advertise using a medium other than Flash) wouldn't be much of a burden for advertisers.

Re:Flashblock (1)

snemarch (1086057) | more than 3 years ago | (#36886308)

That's something I can fully agree with - I like what Chrome does with Java content (too bad it doesn't do the same for flash). It's good for helping against drive-by exploits, and it's simple enough to not confuse the Johns and Janes too much.

Of course it doesn't help for sites that lure people to enable whatever with the promise of "zomg hilarious pictures" or "britney dyking out with olsen twins", but you can't really help people who fall for that anyway.

Re:It's 2011, don't open the attachment (1)

arth1 (260657) | more than 3 years ago | (#36886140)

If you use Adblock and Noscript, it is nearly impossible to get infected. Why that functionality is not in every browser and enabled by default I simply don't understand.

How is Adblock and Noscript protecting against e-mail attachments?

Only people engaging in rational thinking will stop this. And that isn't going to happen.

Re:It's 2011, don't open the attachment (2)

Nanosphere (1867972) | more than 3 years ago | (#36886156)

Noscript functionality is in Chrome and IE, just not enabled by default. In Chrome go to Options > Under the hood > Content Settings and disable, then add your white-listed domains. In IE it's a little more complicated: Internet Options > Security > set Internet to HIGH, then go to Trusted Sites and add your white-listed domains. Then go to Internet Options > Programs > Manage Addons > Toolbars and Extensions > disable any addons you will not use; for addons you do use, right click them > More Information > Remove all sites and add only white-listed domains.

Re:It's 2011, don't open the attachment (1)

Jaysyn (203771) | more than 3 years ago | (#36886788)

Sorry, but those steps aren't really comparable to the two clicks it takes to white-list something with NoScript / Firefox.

Re:It's 2011, don't open the attachment (1)

Nanosphere (1867972) | more than 3 years ago | (#36886904)

Actually in Chrome it does have a little icon that shows up in the URL bar when it blocks something, two clicks and the domain is added to the white-list.

Re:It's 2011, don't open the attachment (5, Insightful)

CohibaVancouver (864662) | more than 3 years ago | (#36886170)

If you use Adblock and Noscript, it is nearly impossible to get infected. Why that functionality is not in every browser and enabled by default I simply don't understand.

I have good enough karma with Slashdot that I'm given the option to disable ads. I don't. Why? Because ads fund Slashdot and keep it free. If ad blockers were on by default most of the sites people like and use would go out of business.

Re:It's 2011, don't open the attachment (1)

BenoitRen (998927) | more than 3 years ago | (#36886458)

If you don't click the ads you're likely not funding anyone.

Re:It's 2011, don't open the attachment (1)

g0bshiTe (596213) | more than 3 years ago | (#36886474)

What would Adblock and Noscript do to prevent this in the form of PDF, or say an IE image processing buffer overflow?

Re:It's 2011, don't open the attachment (1)

loxosceles (580563) | more than 3 years ago | (#36886780)

If you use noscript, about 90% (made-up large percentage) of the web is broken or functionally degraded.

Re:It's 2011, don't open the attachment (0)

Anonymous Coward | more than 3 years ago | (#36886116)

Last major infection I got was from reading an article on a professional news site. I clicked the article link, my browser closed, and I was greeted by an unfamiliar "virus scanner" dialog. My guess is one of the embedded ads had been hacked. Took quite a while to remove the little bugger because it closed everything I opened.

You can never be 100% safe. If the newest malware has been placed on a trusted site, all bets are off. While I'm leery of trusted computing, it would be nice to have something like a scrambled addressing scheme. When the app runs, its memory space (or alternately its data values) could be scrambled according to a value assigned by the OS, and any attempt to inject foreign code into memory will fail. I remember some early arcade games did this to make it difficult to disassemble the ROM code.

Re:It's 2011, don't open the attachment (1)

TheLink (130905) | more than 3 years ago | (#36886314)

I just run my browser as a different user account from my main account. You can do it on Unix or Windows. Just set the permissions so that your main account can access the downloads if necessary, and the browser account can't access much.

It's not 100%, but as the joke goes, I don't have to run faster than the bear, I just have to run faster than the average person ;).

Re:It's 2011, don't open the attachment (1)

Ross R. Smith (2225686) | more than 3 years ago | (#36885940)

Never underestimate the stupidity of the human race.

Re:It's 2011, don't open the attachment (4, Insightful)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36885946)

Given the frequency with which a cracked webmail account or compromised PC with an email client will immediately start spamming its former owner's entire address book, expecting the "people you know" rule to save you is fairly naive...

Re:It's 2011, don't open the attachment (2)

oneiros27 (46144) | more than 3 years ago | (#36886024)

My ISP e-mailed me 'my invoice' as an attachment last week, when they had previously sent a summary in text, and a link to their site to view the invoice.

I e-mailed and told them that I wouldn't open attachments from them, and I wanted the plain, boring, text summary ... and I get a response back about how the invoice has always been PDF, and they closed the ticket.

So, anyone know of any good ISPs in the Maryland/DC area? (and Verizon and Comcast don't qualify as 'good' in my opinion).

Re:It's 2011, don't open the attachment (1)

TheLink (130905) | more than 3 years ago | (#36886358)

Is it possible to pay their bill by credit card, 1 cent at a time?

Re:It's 2011, don't open the attachment (0)

Anonymous Coward | more than 3 years ago | (#36886796)

When I lived there, I used Smartnet. I don't know if they're still around, though.

Re:It's 2011, don't open the attachment (2)

Culture20 (968837) | more than 3 years ago | (#36886048)

It still blows my mind that people open attachments from individuals they do not know.

"But Culture20, the email came from you, and you're our systems administrator."
"Did it contain my gpg/pgp signature?"
"What?"
"That gobbledygook at the beginning and end of all my emails that you apparently don't pay attention to."

Malware spreaders using people's address books stand a good chance of faking an email from someone the target knows and trusts. Users are still surprised that identities can be faked in an email.

Passphrase to access an address book (1)

tepples (727027) | more than 3 years ago | (#36886164)

Malware spreaders using people's address books

If malware can sniff the passphrase to read an address book, it can sniff the passphrase to sign mail.

Re:Passphrase to access an address book (1)

Culture20 (968837) | more than 3 years ago | (#36887036)

The address book can be (and probably is) a third party's; usually the people in "from" and "to" are paired up from similar domain names.

Re:It's 2011, don't open the attachment (0)

Anonymous Coward | more than 3 years ago | (#36886160)

You mean "don't open the attachment in the attachment in the attachment." How the hell does an executable within an attached ZIP file disguised as a PDF get launched anyway?

Re:It's 2011, don't open the attachment (1)

ColdWetDog (752185) | more than 3 years ago | (#36886382)

How the hell does an executable within an attached ZIP file disguised as a PDF get launched anyway?

Click
Click
Click
WHAM

Re:It's 2011, don't open the attachment (4, Interesting)

Grishnakh (216268) | more than 3 years ago | (#36886180)

While "the club" really isn't very effective as an anti-theft device, wanting to protect your car from theft at a Walmart is actually pretty sensible, as that's an extremely likely place for it to be stolen. And there's no such thing as a Walmart "in the middle of nowhere": Walmart always locates stores in locations where there's plenty of customers. Even if that's some small town, it's the nexus for a large number of customers from surrounding areas and towns, so just putting the Walmart there will draw lots of people to that place, and consequently it is no longer "the middle of nowhere", it's actually a giant gathering place.

Here's a better anecdote: a couple months ago, I visited a place called Arcosanti, north of Phoenix in Arizona. It's a strange little artists' community built by an architect named Paolo Soleri, who has dreams of a Utopian city where everyone lives together in harmony in shared buildings (i.e., there's no separate houses, everyone has a small apartment, that kind of thing). His dreams are much bigger than the reality, which is a small community of people who've basically given up their normal lives to come live with him and, as they get enough money for concrete, build more of his vision. They basically live off selling some weird wind chimes they make there, and tour fees. Anyway, my wife and I went up there to check it out and take the tour, as it's a cool idea although not that realistic, and there were only two other visitors, one single woman and one older couple. This older couple pulled up into the parking lot right after us and parked next to us, and what did the man do when he stopped? He got out The Club and put it on his steering wheel! Now, keep in mind (take a look at Arcosanti on a map if you want), this place really IS "in the middle of nowhere": it's in Arizona's high desert, about 2 miles down a gravel road from the nearest civilization, which is nothing more than a couple of gas stations at an interstate exit, about 3 miles from a tiny development called Cordes Lakes, and about 20 miles from the nearest real town called Camp Verde. There really is nothing there, except some funny-looking concrete buildings with a few dozen residents, and it's probably the safest place for your vehicle to be in the whole state. The idea of needing additional vehicle security in such a place is laughable. Car thieves don't go out to remote destinations to steal people's vehicles, they go to population centers (i.e., cities), and crowded locations in those population centers such as shopping center parking lots, apartment parking lots, etc.

Re:It's 2011, don't open the attachment (1)

poena.dare (306891) | more than 3 years ago | (#36886536)

We learn to put on the club out of habit so that when we do go to Walmart our car is left alone. Sometimes it's a good idea not to interrupt automatic processes with rational thought... believe it or not.

Always wanted to go to Arcosanti...

Re:It's 2011, don't open the attachment (1)

Grishnakh (216268) | more than 3 years ago | (#36886786)

A few seconds with a hacksaw and your Club is rendered useless. Get an alarm that disables the ignition and stop wasting your time with something that doesn't work.

Re:It's 2011, don't open the attachment (1)

FoolishOwl (1698506) | more than 3 years ago | (#36886622)

In fairness to the person using the club, it only takes a couple of seconds to put it on, and routines tend to be all-or-nothing: if you look around and try to assess whether your current surroundings justify using the club, you're likely to fall out of the habit of using it at all.

I've been wanting to visit Arcosanti, by the way. It sounds like a crazy utopian scheme, but with something to it. I've wondered if Soleri was an influence on the design of the Marine Towers in Chicago.

Re:It's 2011, don't open the attachment (1)

maxume (22995) | more than 3 years ago | (#36886860)

Wait, is Walmart really an extremely likely place for a car to be stolen?

I can believe it in areas where there are chop shops (or whatever) that will move popular stolen parts, but in smaller population centers where that activity is a little harder to hide, not so much.

Re:It's 2011, don't open the attachment (4, Insightful)

jdgeorge (18767) | more than 3 years ago | (#36886190)

Isn't the problem that the application that renders the PDF/Flash/etc attachment has access to resources on the system that shouldn't be allowed?

In other words, why aren't all attachment files rendered by applications running in a "jail"?

Re:It's 2011, don't open the attachment (2)

starfishsystems (834319) | more than 3 years ago | (#36886852)

The only real need for sandboxing is for executable content. The data itself is harmless. Rendering it is not an issue. But you're absolutely right, sandboxing is necessary whenever an application might treat stray content as instructions ordering the application to perform some potentially unsafe action. Java bytecode is a good example, and consequently the Java Virtual Machine is sandboxed. But JavaScript, PDF, and Flash are other good examples, and they're not sandboxed.

It's ironic therefore that the article is talking about a considerably more trivial exploit.

This kind of malware has been typically found inside an executable within an attached ZIP file disguised as a PDF file, and is pretty darn good at getting around traditional anti-virus products.

To me, this explanation seems outrageous. Exploits of this kind can only be successful on systems that are so badly designed that they will indiscriminately treat everything as executable content, even content posing as something else. That's a big problem, but it's easy to solve with a bit of care in system design. Most operating systems don't have this problem, and so they're not vulnerable. As far as I know, Microsoft Windows is the only exception.

Re:It's 2011, don't open the attachment (0)

Anonymous Coward | more than 3 years ago | (#36886666)

It still blows my mind that people open attachments from individuals they do not know.

Good comments, but it's not enough just to avoid opening attachments from individuals you do not know. A common virus behavior is to send infected messages to all an infected person's contacts. So a better rule of thumb is to never open an attachment unless you both know and trust the sender, and also have reason to be very confident that the attachment itself was created by the sender, and not by the sender's account under the control of a botnet.

"powerful Darwinian forces" (2)

tripleevenfall (1990004) | more than 3 years ago | (#36885958)

"powerful Darwinian forces" is an interesting way to describe the process by which the designers of these viruses are using progressively more intelligent designs.

Re:"powerful Darwinian forces" (1)

Chemisor (97276) | more than 3 years ago | (#36886056)

Which brings up an even more interesting question: were humans designed by God or malware hackers? Or are we God's malware?

God's son had to die to pay the ransom (1)

tepples (727027) | more than 3 years ago | (#36886236)

What I gather from the Christian Bible is that humans were designed by God (created in his image) but have had malware implanted by a hacker named Satan. God's son had to die to pay the ransom for the self-destruct code [wikipedia.org] for Satan's malware, and this code will be applied after the tribulation.

Re:"powerful Darwinian forces" (1)

arth1 (260657) | more than 3 years ago | (#36886168)

I find it quite fitting. It's not the most advanced or strongest of the species that survive, but those that can adapt.
This is evolution in a nutshell.

Re:"powerful Darwinian forces" (1)

Dunbal (464142) | more than 3 years ago | (#36886628)

On the other hand what does this say about the evolution of computer users... it seems that there isn't any.

Re:"powerful Darwinian forces" (1)

debrain (29228) | more than 3 years ago | (#36886778)

I find it quite fitting. It's not the most advanced or strongest of the species that survive, but those that can adapt.
This is evolution in a nutshell.

Sir –

I agree that evolution is present, but it is not of the Darwinian sort. The Darwinian theory of evolution is based upon natural selection, as distinguished from (even in his day) widely understood and accepted forms of artificial selection (e.g. husbandry, horticulture). Darwinian selection is controversial because it removes from the equation of evolution the guiding hand of God – Darwin posited that we "advance" not because of some divine purpose, but as a response to criteria set out in our environment that permits certain individuals who are subject to random mutation that confers upon them some sort of benefit in that environment as it relates to the likelihood of breeding. Artificial selection as a form of evolution was widely accepted before Darwin; where we would steer the animals and plants in the direction we chose by culling or inhibiting the breeding of undesired characteristics, so God would steer our evolution.

The selection process for the advancement of computer viruses is based upon the contrived criteria of their creators, namely avoidance of detection by anti-virus software. Further, computer viruses at present lack the autonomy to advance beyond the confines of what is generally a limited (albeit perhaps complex) set of instructions, and in any case the mutation rate for computer viruses is effectively zero, meaning survivability for preferable characteristics does not arise from random chance but from (re)design by human authorship.

While we often seek those comfortable references to Darwin as his ideas relate to all forms of evolution, the reference in this case was completely inappropriate in the scientific sense. The author misspoke or misunderstood Darwin's theory of evolution. There is evolution at work as virus manufacturers and their anti-virus counterparts address the advancements of the other, but this evolution is not due to any form of natural selection or evolution from random probabilities, therefore it is not Darwinian.

Vendor SPAM (0)

Anonymous Coward | more than 3 years ago | (#36885972)

Hooray! Another vendor advertisement disguised as a /. article.

Darwinian??? martin lee is an idiot (1)

MichaelKristopeit424 (2018894) | more than 3 years ago | (#36885988)

darwinian forces dictate that the most fit survive... malware designed to evade detection does not survive because it was most fit to survive... it survived because it was DESIGNED to survive.

antivirus products waste far more resources than they claim (and fail) to protect.

Yet another free advert for Symantec (1)

Anonymous Coward | more than 3 years ago | (#36885996)

But nobody uses Macs or Linux, so it's not worth bothering writing malware for those platforms ...

Some good readings (1)

Ceriel Nosforit (682174) | more than 3 years ago | (#36886016)

Polymorphic Shellcode Engine Using Spectrum Analysis
http://www.phrack.org/issues.html?issue=61&id=9 [phrack.org]
Release date : 13/08/2003

Naturally I'm paranoid about what AVG and Comodo have not detected since then. NOD32 didn't say anything either about my normal use, but I'm actually glad the technique is becoming a threat that AV suppliers must address.

Not News (2)

mikazo (1028930) | more than 3 years ago | (#36886038)

Polymorphic and metamorphic malware has been around for years. They're probably seeing a rise in detections simply because of the popularity of a certain malware generation tool or something. You can read about polymorphic and metamorphic malware in a book written by a guy from Symantec that was published in 2005: http://www.amazon.com/Art-Computer-Virus-Research-Defense/dp/0321304543 [amazon.com]

Re:Not News (0)

Anonymous Coward | more than 3 years ago | (#36886196)

There is also lots of free information on metamorphism [netlux.org] and polymorphism [netlux.org] . There are articles on polymorphism that date back to 1992. The basic techniques are relatively easy to implement, however, I guess in most cases using polymorphism has just not been necessary for malware writers until now.

Re:Not News (1)

elsurexiste (1758620) | more than 3 years ago | (#36886242)

Thank you! I thought I was the only one that knew this. I even programmed a little polymorphic program in 2004.

I was beginning to think I had lost a great opportunity. :P

The Giant Black Book all over again (0)

Anonymous Coward | more than 3 years ago | (#36886086)

In the middle 90's I ordered a book called "The Giant Black Book of Computer Viruses". Loved it. Still have it. Signed by the author even. Some good info in the book about polymorphic and genetic viruses.

Rollback and recovery - what a concept? (1)

davidwr (791652) | more than 3 years ago | (#36886096)

Future devices that are not in a "walled garden" ecosystem will have to provide users with an easy, virus-immune way to roll back to a previous state then automatically "roll forward" with scrutiny on every "going forward" change.

To make this work, OS and machine vendors will need to give their customers a way to "clean boot" into a read-only-boot-media recovery environment, a way to store changes, and a way to store one or more "roll-back-to" points in a form that viruses cannot write to.

Nothing here is really new - rollback and recovery have been around for decades. Making it easy for Joe User to do is the hard part.

Oh, and this still won't completely solve the problem - a few viruses WILL find a way to tamper with data that's supposedly "read only," but if 99% of today's malware infections that can't be easily treated today can be treated with "roll back and attempt recovery of safe changes since last commit date" then there will be a lot fewer "wipe the drive and reinstall" scenarios.

even then they can still F* user data (1)

Joe_Dragon (2206452) | more than 3 years ago | (#36886700)

even then they can still F* user data and maybe even infect data files.

Polymorphic Software (4, Informative)

Atmchicago (555403) | more than 3 years ago | (#36886106)

Polymorphic Software
Prerequisite: Industrial Base, Information Networks
Technology: Advanced Subatomic Theory, Optical Computers, Adaptive Doctrine
Special Ability: Heavy Artillery
Improves Probe Team success rate.
Track and Level: Discover 2
"Technological advance is an inherently iterative process. One does not simply take sand from the beach and produce a Dataprobe. We use crude tools to fashion better tools, and then our better tools to fashion more precise tools, and so on. Each minor refinement is a step in the process, and all of the steps must be taken."
-- Chairman Sheng-ji Yang,
"Looking God in the Eye"

Re:Polymorphic Software (0)

Anonymous Coward | more than 3 years ago | (#36886466)

i loved that game.

Random E-Mail Attachments = Sidewalk Cuisine (1)

Lance Dearnis (1184983) | more than 3 years ago | (#36886108)

A lot of people just innately trust anything on the PC. Not just their address book, but anything they find. What we need to do is, yes, build a culture of suspicion into this - Why is this thing you want available? Why is someone sending you this offer? Why are you receiving an attachment from this person? If you can't figure it out, then you need to either realize you're taking a risk and search for more info/evaluate if it's worth it (What we do, particularly if we're searching for pirated software or the like where there IS a risk), or just back away and don't do it.

What most people do is find out by clicking - the equivalent of taste-testing stuff off the New York Sidewalk. Maybe if someone started a seminar where attendees who blindly open attachments are forced into such unsavory blind taste tests, we'd see a little improvement. Even the BEST viruses I've seen as far as making a 'believable' e-mail, are obvious to me. Even if it came from my brother I wouldn't click on 'em. Because I have some healthy mistrust and suspicion of the internet.

Re:Random E-Mail Attachments = Sidewalk Cuisine (1)

arth1 (260657) | more than 3 years ago | (#36886238)

As an antivirus author myself, I think that antivirus programs are partly to blame. They give people a false sense of security, believing they cannot get a virus if they have an antivirus program. So they let all caution out the door; it becomes the responsibility of the AV program to keep them safe.

It's as mindboggling as if people thought that wearing a seat belt and having air bags means they can drive without looking at the road. Mind, there seems to be a few drivers like that.

Re:Random E-Mail Attachments = Sidewalk Cuisine (1)

TheLink (130905) | more than 3 years ago | (#36886440)

As an AV author, how would you deal with polymorphic malware written in perl or similar? OSX supports perl out of the box.

Re:Random E-Mail Attachments = Sidewalk Cuisine (1)

Joce640k (829181) | more than 3 years ago | (#36886856)

All perl code looks polymorphic to me. I don't ever recall seeing the same perl code twice.

Re:Random E-Mail Attachments = Sidewalk Cuisine (1)

Lance Dearnis (1184983) | more than 3 years ago | (#36887002)

Oh, for sure. I remember dealing with one system as the Family Tech Guy that had Anti-Virus software - that had not been updated since I first installed it 850 days ago. When I informed them they had a virus, they thought it was impossible. Didn't I put Anti-Virus software on it?

The computer wound up trashed because it needed a reformat and they had long ago thrown out things like their Windows discs, and I wasn't going to bother with that much work for free.

Why the hell should PDF allow zipped executables? (2)

david.emery (127135) | more than 3 years ago | (#36886136)

I think a lot of our problems come from these 3rd party packages that have grown WAY too complex and provide too many vulnerabilities. Why, for example, should the PDF format permit -anything executable or coded-, whether it's JavaScript or ZIP files? It's time in my view for the developer and system integrator community to simplify; let's get back to the idea of tools and programs that have well-defined scope and do a few things well, rather than turning into Yet Another Vendor Platform that can be used to distribute viruses/trojans/malware/crapware/etc.

"Powerful Darwinian Forces" huh (3, Informative)

pathological liar (659969) | more than 3 years ago | (#36886162)

Whale [wikipedia.org] is more than 20 years old now, and it was polymorphic. An issue of 40hex from 1993 [textfiles.com] provides source for a polymorphic engine. This isn't a new development, the technique was "mastered" 20 years ago :P

Maybe they've seen a recent spike in it, but... who cares? Well, unless it means they'll put a little more thought into AV than signature-based bullshit. "heuristics"-based detection that isn't a complete joke, for a start.

Process Permissions (4, Insightful)

Doc Ruby (173196) | more than 3 years ago | (#36886176)

I'd like to see the OS, especially one like Android in the hands of unsupported, naive, and promiscuous users, require permissions for InterProcess Communication the way it does for files. And for DB access. All strongly typed. Those kinds of familiar patterns in combination, upon every access between processes on objects. Mediated by an OS capable of supporting the user and using a support Internet to warn others when threats (or patterns that represent threats) appear to correlate to risky objects of the same kind.

The OS and Internet should act as an integrated immune system bathing our objects, not just a special case intervention when opening the first file from an email. Dedicate one or two cores of these multicore CPUs (and prefilter at servers for smaller/mobile devices). Attacks are now the norm, not the exception. The network and OS infrastructure design should recognize the new reality.

Re:Process Permissions (1)

gl4ss (559668) | more than 3 years ago | (#36886762)

oh you want symbian? you want to go insane developing applications someone could actually use for it too? I mean, I even went and bought a book for it, a highly recommended one. you know what it said about IPC? that it's too fucking complicated to go into in a book as thick as Harry Potter's.

and for the record android asks for permission (install time, but anyways) for just about anything. you know what's wrong with it? you can't know what the app will actually do with those permissions - if you always did, like if all file api access always told you which file and asked for every operation.. the programs would be impractical to use (choose any nokia with default permissions, or hell, even a signed j2me app).

if you want real security, do your computing on a j2me device. but most people don't want to give up so much practicality.

Antivirus makes a better suggestion than solution (5, Interesting)

sl4shd0rk (755837) | more than 3 years ago | (#36886202)

Several reasons why Antivirus is a fail:
    1) 0-day. Your AV will never pick it up
    2) polymorphism - if the virus sig changes, you're hosed
    3) People think: "Since I have AV, I can't get infected"
    4) People think: "AV didn't find anything wrong, so I must be clean"
    5) When AV doesn't work, people assume it's broken

Antivirus has evolved into a "solution" when it's clearly not capable. How many infected windows installs have you found where Norton took a head-shot, or some kind of AV *was* installed at one time but got smoked?

What's needed: OSs need to plug their holes. Browsers could be fixed so it doesn't hand off malicious content to system executables. The OS itself should be trimmed down so not everyone is running SMB/RPC (or other commonly exploited services) by default. Executables which handle web content could be sandboxed and run by a lower privilege user (this can be done in Unix, so why not windows?). Why do these things not happen?

AV is great when it works but it's proving not to be enough.

Re:Antivirus makes a better suggestion than soluti (0)

Anonymous Coward | more than 3 years ago | (#36886350)

There are problems with AV software, not the least of which is that it's a system resource-hog, usually far worse than the malicious code it's supposed to defend against.

I've been ok for a few years now running Windows XP without any full-time anti-virus software, but I'd hesitate to recommend that for non-technical users. Of course, most of the time I run Linux, and I only boot Windows when I have to...

Re:Antivirus makes a better suggestion than soluti (0)

Anonymous Coward | more than 3 years ago | (#36886420)

Some time ago, I was doing experiments where I wanted a Windows desktop to automatically send experiment results back to the server. Using sftp wasn't very attractive due to the need for passwords or usernames, so sending an E-mail seemed the best way to go. But the problem was the anti-virus/anti-spam software which didn't like unknown applications sending E-mail. Problem was solved by renaming the application "agent.exe". Problem solved.

Re:Antivirus makes a better suggestion than soluti (1)

twocows (1216842) | more than 3 years ago | (#36886450)

Follow the money. Who stands to profit from a market of security vulnerabilities? I can tell you, Symantec sure isn't hurting for cash right now.

Re:Antivirus makes a better suggestion than soluti (0)

Anonymous Coward | more than 3 years ago | (#36886478)

1) you forgot that root/administrator is for installing software and not a user.

2) a system user should not exist. All software needs to run as the user who initiated it (sandbox).

Re:Antivirus makes a better suggestion than soluti (0)

Anonymous Coward | more than 3 years ago | (#36886480)

What's needed: OSs need to plug their holes.

Problem is, the biggest hole sits in front of the computer and can't be plugged (no pun intended).

0) People didn't think. (1)

davidwr (791652) | more than 3 years ago | (#36886538)

3) People think ...
4) People think ...

0) People didn't think.

Oh wait, this is redundant to one of the existing replies. Sorry for wasting your time guys.

Re:Antivirus makes a better suggestion than soluti (3, Interesting)

Caerdwyn (829058) | more than 3 years ago | (#36886548)

The first polymorphic file-infecting virus that saw wide dispersion was DAV (Dark Avenger), back in 1991. It was detected just fine.

Not all virus detection is performed via signature-checking. In the case of Dark Avenger, McAfee used curve-fitting. A histogram of the frequency of various byte values in specific locations within an executable file was generated, and a frequency-distribution curve generated from that. This curve was compared to the curves of legitimate executables and to what the DAV virus tended to create as it altered the files it infected. How well the curves matched, and where any anomalies in otherwise-perfectly-matching curves were, became the basis of determining confidence that there was a "hit". This technique proved to be extremely accurate, more so than string-matching. While false-negative (failed detection) and false-positive rates were never perfect, they were in the "many 9's" of accuracy. In many cases, this heuristic was more accurate against DAV than string-matching was against other non-polymorphic viruses.

Point 1 is incorrect. Heuristics will often pick up a 0-day virus, as will behavior-based (anomaly detection) systems. String-based virus detection is only a part of modern antivirus products.
Point 2 is incorrect, and has been for 20 years. Polymorphism is no more a perfect virus cloaking mechanism than antivirus software is perfect malware defense.
Points 3 and 4... no antivirus software will ever stop infection if the user explicitly grants permission for something to run. There is no functional difference between malware and legitimate software; everything that malware does (from a functional perspective) is something that some piece of legitimate software or another can do. Malware is defined by deception, not function. Antivirus software does not detect deception, nor should it be expected to.
Point 5... yeah. People expect magic bullets. People demand perfection for free. People can go fuck themselves and their slimy little tort lawyers.

And... stack-based exploits are not viruses. Antivirus software is not intended to defend against such attacks.

But yes, all applications should run in their own sandboxes, memory-wise, file-system-wise, privilege-wise. This isn't a perfect defense either, as the software which attempts to enforce the sandbox is itself subject to attack. And there are many components of a system which are user-installed but are not sandboxed (device drivers, maintenance utilities). As long as operating systems and applications are architected as they are, there will be vulnerabilities which are deception-based. The only defenses there are education and reputation.
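As an added illustration of the curve-fitting heuristic the comment above describes (example code written for this page, not McAfee's or any product's implementation): it builds a byte-frequency profile from constructed "clean" samples, then steps a fixed window over a file and reports every window whose distribution departs from the profile, together with that window's entropy. The opcode alphabet and weights, the sample files, the window size and the distance threshold are all assumptions chosen for the illustration; the encrypted body is plain random bytes standing in for a polymorphic virus's XOR-scrambled payload.

```python
import math
import random
from collections import Counter

# Constructed stand-in for "what clean code looks like": a skewed alphabet of
# 32 opcode-like byte values.  A real profile would be averaged over a corpus
# of known-good executables for the same compiler and architecture.
CODE_ALPHABET = [0x00, 0x8B, 0x45, 0xE8, 0x89, 0xFF, 0x48, 0x83, 0xC3, 0x55,
                 0x5D, 0x74, 0x75, 0xEB, 0x0F, 0x24, 0xEC, 0x08, 0x10, 0x04,
                 0xC0, 0x85, 0x31, 0x01, 0xF8, 0x20, 0x40, 0x50, 0x58, 0x90,
                 0x33, 0xDB]
CODE_WEIGHTS = [40, 30, 25, 20, 15, 12, 10, 8, 8, 7, 6, 5, 5, 4, 4, 3, 3, 3,
                2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1]


def synthetic_code(n: int, seed: int) -> bytes:
    """Constructed 'clean' code: n bytes drawn from the skewed alphabet."""
    rng = random.Random(seed)
    return bytes(rng.choices(CODE_ALPHABET, weights=CODE_WEIGHTS, k=n))


def encrypted_body(n: int, seed: int) -> bytes:
    """Constructed stand-in for a polymorphically encrypted virus body: the
    decryptor is small and varies, but the body itself is near-uniform noise."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def histogram(data: bytes) -> list:
    """Normalised 256-bin byte-frequency distribution (the 'curve')."""
    counts = Counter(data)
    n = len(data) or 1
    return [counts.get(b, 0) / n for b in range(256)]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8.0 for encrypted or compressed data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def cosine_distance(p: list, q: list) -> float:
    """0.0 when the two curves have the same shape, 1.0 when they are orthogonal."""
    dot = sum(a * b for a, b in zip(p, q))
    norm = math.sqrt(sum(a * a for a in p)) * math.sqrt(sum(b * b for b in q))
    return 1.0 if norm == 0 else 1.0 - dot / norm


def build_profile(samples: list) -> list:
    """Average curve of a set of known-good samples."""
    hists = [histogram(s) for s in samples]
    return [sum(h[b] for h in hists) / len(hists) for b in range(256)]


def scan(data: bytes, profile: list, window: int = 512,
         max_distance: float = 0.25) -> list:
    """Compare each fixed-size window of data against the profile and return
    (offset, distance, entropy) for windows that depart from it.  Reporting the
    offset is the 'where the anomaly is' part of the heuristic."""
    hits = []
    for off in range(0, len(data) - window + 1, window):
        chunk = data[off:off + window]
        d = cosine_distance(histogram(chunk), profile)
        if d > max_distance:
            hits.append((off, round(d, 3), round(entropy(chunk), 2)))
    return hits


# Constructed corpus and samples: a clean 4 KiB 'executable' and the same file
# with a 1 KiB encrypted body spliced in at offset 2048.
PROFILE = build_profile([synthetic_code(4096, seed) for seed in range(5)])
CLEAN = synthetic_code(4096, seed=99)
INFECTED = CLEAN[:2048] + encrypted_body(1024, seed=7) + CLEAN[2048:]

if __name__ == "__main__":
    print("clean    :", scan(CLEAN, PROFILE))      # expect []
    print("infected :", scan(INFECTED, PROFILE))   # expect hits at 2048 and 2560
```

Run stand-alone it reports no hits for the clean file and two hits, at offsets 2048 and 2560, for the spliced file, each with entropy near 7.6 bits per byte against under 5 for the clean windows. The caveat a practitioner needs: legitimately packed or compressed sections have the same near-uniform curve, so this is a triage signal to combine with emulation or behavioural checks, not a verdict on its own.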

Sigh (5, Insightful)

Sycraft-fu (314770) | more than 3 years ago | (#36886646)

I get real tired of this one. This naive geek idea that OSes can be made perfect and somehow immune to viruses. News flash: They can't, at least not if you wish to keep the ability to run arbitrary code. The only way to make an OS safe against viruses is the Apple "walled garden" idea where only authorized apps run. Even then, you could potentially sneak something by the authority that says if apps are ok. However so long as you can run arbitrary code, you can run evil code. There is no evil bit, the computer will execute anything it is given.

Please remember when talking about malware as opposed to worms you are talking about stuff that comes in to the computer through user action. It is bundled with an application, or is an app all by itself. The user downloads and runs it. There is no patching against that.

Also you have the silly idea of "if something isn't 100% effective it shouldn't be used." Bullshit. Look at security in the real world some day, where there is no such thing, ever, as perfect security. You get used to the concept that everything is fallible and you need defense in depth. Virus scanners help provide that defense in depth. They scan incoming things for known threats (by the way good ones are updated more than once a day). It is not your only line of defense, but one of them.

Run a virus scanner, and run as a deprivileged user, and patch your OS, and make sure to get software from trusted sources, and monitor your system, and so on. Don't have a defense, have layers. Only then do you have a real security solution.

PS, web executables can be sandboxed on Windows, IE does this, other browsers just don't care to use the interface to do so.

Re:Antivirus makes a better suggestion than soluti (0)

Anonymous Coward | more than 3 years ago | (#36886858)

There are two things from AV which are useful:

First, is catching non zero days. A machine gets infected at an AV lab, someone finds the culprit, and pushes out an infected signature library. This at least forces malware to have to be polymorphic or at least change with each push out.

Second is a host intrusion protection system. A HIPS is a good thing to have to catch unknown things. For example, if a game started wanting to read and erase everything in the home directory, or Excel wanted to make low level hard disk writes to the MBR. Heuristics are a very useful tool, especially when combined with whitelists.

However, against 0-days, which most drive-bys tend to be, I have found blocking ads far more effective than any AV program out there. Because ads are an ecosystem that allows for content without having to do microtransactions, in return, I try to donate something or purchase a subscription at the sites I go to. This way, the provider gets cash even though I don't see their ads, and I keep my security.
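An added example of the two behavioural rules the comment above gives, a spreadsheet writing to the raw disk and a game mass-deleting files under the home directory, run over constructed event lines (example code written for this page, not any HIPS product's logic). The `ts proc op target` event format, the process names, the allowlist and the thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict, deque

HOME = r"C:\Users\bob"                              # assumed user profile path
RAW_DISK_ALLOW = {"diskpart.exe", "setup.exe"}      # constructed allowlist (by name: weak, see note)
MASS_DELETE_N = 5                                   # this many deletes under HOME ...
MASS_DELETE_WINDOW = 10.0                           # ... within this many seconds

RULE_RAW_DISK = "raw disk write"
RULE_MASS_DELETE = "mass delete under home"


def parse(line: str):
    """One constructed event: '<timestamp> <process> <operation> <target>'."""
    ts, proc, op, target = line.split(maxsplit=3)
    return float(ts), proc.lower(), op.lower(), target


def analyse(lines: list) -> list:
    """Return (ts, proc, rule, target) for every event that trips a rule."""
    alerts = []
    recent = defaultdict(deque)     # proc -> timestamps of its recent deletes under HOME
    for line in lines:
        ts, proc, op, target = parse(line)

        # Rule 1: only a short allowlist of tools may write to the raw disk (MBR etc.).
        if (op == "rawwrite" and target.lower().startswith(r"\\.\physicaldrive")
                and proc not in RAW_DISK_ALLOW):
            alerts.append((ts, proc, RULE_RAW_DISK, target))

        # Rule 2: a burst of deletes under the user's home directory from one process.
        if op == "unlink" and target.lower().startswith(HOME.lower()):
            q = recent[proc]
            q.append(ts)
            while q and ts - q[0] > MASS_DELETE_WINDOW:
                q.popleft()                          # drop deletes outside the window
            if len(q) >= MASS_DELETE_N:
                alerts.append((ts, proc, RULE_MASS_DELETE, target))
                q.clear()                            # fire once per burst
    return alerts


# Constructed event stream: one legitimate installer, one spreadsheet touching
# the MBR, one 'game' wiping the user's documents, one ordinary single delete.
SAMPLE_EVENTS = [
    r"100.0 excel.exe open C:\Users\bob\Documents\q2.xlsx",
    r"100.5 excel.exe write C:\Users\bob\Documents\q2.xlsx",
    r"101.0 excel.exe rawwrite \\.\PhysicalDrive0",
    r"130.0 setup.exe rawwrite \\.\PhysicalDrive0",
    r"200.0 game.exe unlink C:\Users\bob\Pictures\img001.jpg",
    r"200.1 game.exe unlink C:\Users\bob\Pictures\img002.jpg",
    r"200.2 game.exe unlink C:\Users\bob\Documents\thesis.docx",
    r"200.3 game.exe unlink C:\Users\bob\Documents\budget.xlsx",
    r"200.4 game.exe unlink C:\Users\bob\Desktop\notes.txt",
    r"200.5 game.exe unlink C:\Users\bob\Desktop\todo.txt",
    r"260.0 explorer.exe unlink C:\Users\bob\Desktop\old.txt",
    r"300.0 game.exe unlink C:\Users\bob\AppData\Local\game\cache.bin",
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```

Two alerts come out: excel.exe at t=101.0 for the raw disk write, and game.exe at t=200.4 when its fifth delete lands inside the window; setup.exe and the single explorer.exe delete pass. Note the weak spot the agent.exe anecdote earlier in this thread already demonstrates: an allowlist keyed on the process name is satisfied by renaming the binary. A real HIPS keys such exceptions on the executable's hash or code-signing identity, not its filename.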

Re:Antivirus makes a better suggestion than soluti (1)

Jeng (926980) | more than 3 years ago | (#36886948)

How many infected windows installs have you found where Norton took a head-shot, or some kind of AV *was* installed at one time but got smoked?

Normally it is because the AV subscription hasn't been paid up. I don't think I have seen an infection on a computer with a working anti-virus.

Then again if you are basing this on Norton, well yea then All AV's are crap if you only judge it by Norton, they may have name recognition, but that is about all.

What? (1)

elsurexiste (1758620) | more than 3 years ago | (#36886222)

There have been polymorphic viruses since the dawn of time. I even wrote one in 2004. Why is this news?

Re:What? (0)

Anonymous Coward | more than 3 years ago | (#36886586)

Did they mean "metamorphic"? That is "somewhat" news. Geez... what happened to my slashdot :(

Fear not, good citizens! Symantec will save us! (1)

Anonymous Coward | more than 3 years ago | (#36886224)

Malware authors are combining ever more powerful buzzwords to create frightening malicious software packages that could, in theory, cause system slowdowns and system crashes more severe than those caused by Symantec software. Symantec researchers anticipate seeing examples of this malware "in the wild", rather than only on their testing lab dev boxes, at any moment.

This malware uses code so sophisticated and complex, and yet somehow so compact, that it cannot currently be detected, even as it hides in PDFs and ZIP files -- file types familiar to most people who sign purchase orders.

Fortunately, Symantec is almost ready to release its new software to fight this menace, available for $69.99/year; estimated release date is when "polymorphic malware" peaks on Google Trends.

Hey... grep can only do so much... (1)

mark-t (151149) | more than 3 years ago | (#36886252)

One has to wonder, as viruses get more sophisticated and are able to obfuscate their own signatures, what methods are going to be utilized in the future to detect them... because I can't see it.

For some reason, this is reminding me of the Turing Halting Problem.

And even trying to practice safe web surfing habits isn't always effective. I have seen a virus get onto a work computer that was behind the company's firewall, where the user did not install any software at all, used mozilla for 100% of his browsing, and did not download or install any plugins or extensions. However it got on there, it happened without any user-intervention whatsoever.

The virus was easy enough to remove as another user of course... but my point is that even what should be "safe" web practices doesn't always work.

Re:Hey... grep can only do so much... (1)

arth1 (260657) | more than 3 years ago | (#36886406)

One has to wonder, as viruses get more sophisticated and are able to obfuscate their own signatures, what methods are going to be utilized in the future to detect them... because I can't see it.

I wrote the first heuristic AV program back in the late 80s, which would not just look at signatures, but what the code actually did and whether THAT posed a risk. A mini disassembler and risk analysis tool, if you like.
Unfortunately, it requires that the user doesn't blindly trust the AV software, but makes decisions too. Perhaps there's a good reason why a program would patch an IO vector, and the AV software can not know this for certain. But it can point it out.

AV software can also patch an OS to make known attack vectors inoperative, but that is never future proof.

Re:Hey... grep can only do so much... (0)

Anonymous Coward | more than 3 years ago | (#36886574)

magic

Doubled in July? (1)

flibbidyfloo (451053) | more than 3 years ago | (#36886268)

[grammar_nazi_mode=ON]

This may win me the pedant of the year award, but the summary says "The level ... doubled in July, when compared to figures from six months ago." This is incorrect and doesn't even make sense. Reading the original article reveals the truth. The level doubled in the six months leading up to July. I suppose it's theoretically possible that the level stayed perfectly flat for 5 months, then suddenly doubled, but I think the article would have mentioned that.

[grammar_nazi_mode=OFF]

This headline brought to you by the year 1989 (1)

rickb928 (945187) | more than 3 years ago | (#36886322)

And the 1260 [wikipedia.org] virus.

The 'methods' of encryption have changed (once was ZIP, now ZIP AND PDF, requiring a PDF reader in addition to ZIP libraries), but the concept isn't new, and I'm surprised has not been in continuous use since then.

And this passes as either new or unusual for /.? Doubling the detection volume for a month? July? And July isn't even over yet?

So was it the word 'darwinian' that justified this as interesting?

feh.

ahhh (1)

Nyall (646782) | more than 3 years ago | (#36886476)

I've been wondering about this for 13 years now (when I started learning z80 and 68k assembly) if antivirus software was smart enough to analyze for things like:

  jmp lbl_1
  .ds 50          /* declare 50 bytes of storage */
lbl_1:

And those 50 bytes are filled in with random patterns. But this article makes it sound like there are multiple jumps that are being generated which I've also considered. Or dummy for loops.

I'm surprised virus writers are only starting to do this. Any assembly coder worth his salt should be smart enough to think of this.
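The jmp-over-junk trick in the comment above, worked through as an added example (this is code written for this page, not the 40hex engine, any real virus, or any scanner's code). A toy one-byte instruction set invented for the illustration stands in for x86: `mutate()` emits a fresh decoder on every call, with random junk parked behind jumps, random NOP padding and the XOR key split across several fragments, and `emulate()` does what an AV emulator does, walking the decoder to recover the body so the signature is checked on what the code produces rather than on what it looks like. The payload and signature strings are constructed.

```python
import random

# Constructed stand-ins: a 'virus body' and the substring a signature scanner
# would key on.  Neither comes from a real sample.
PAYLOAD = b"echo pwned > ~/infected.txt"
SIGNATURE = b"pwned > ~/"

# Invented one-byte opcodes for the toy decoder (hypothetical, not x86):
#   OP_NOP        no-op padding
#   OP_JMP n      skip the next n bytes   ("jmp lbl_1 / .ds n / lbl_1:")
#   OP_KEY k      key ^= k                (the XOR key, split into fragments)
#   OP_BODY       everything after this byte is the XOR-encoded body
OP_NOP, OP_JMP, OP_KEY, OP_BODY = 0x90, 0xEB, 0xB0, 0xFF


def _xor_all(values) -> int:
    key = 0
    for v in values:
        key ^= v
    return key


def mutate(payload: bytes, rng: random.Random) -> bytes:
    """Emit a fresh decoder + encoded body.  Every call differs in key,
    fragment order, padding and the random junk behind each jump."""
    key = rng.randrange(1, 256)                  # never 0: body must not appear in the clear
    parts = [rng.randrange(256) for _ in range(rng.randint(0, 2))]
    parts.append(key ^ _xor_all(parts))          # fragments XOR back to the key
    rng.shuffle(parts)
    out = bytearray()
    for frag in parts:
        for _ in range(rng.randint(0, 3)):       # random padding before each fragment
            if rng.random() < 0.5:
                out.append(OP_NOP)
            else:
                junk = bytes(rng.getrandbits(8) for _ in range(rng.randint(1, 50)))
                out += bytes([OP_JMP, len(junk)]) + junk
        out += bytes([OP_KEY, frag])
    out.append(OP_BODY)
    out += bytes(b ^ key for b in payload)
    return bytes(out)


def emulate(blob: bytes) -> bytes:
    """Walk the decoder the way an AV emulator would and return the decoded body."""
    pc, key = 0, 0
    while pc < len(blob):
        op = blob[pc]
        if op == OP_NOP:
            pc += 1
        elif op == OP_JMP:
            pc += 2 + blob[pc + 1]               # jump over the junk bytes
        elif op == OP_KEY:
            key ^= blob[pc + 1]
            pc += 2
        elif op == OP_BODY:
            return bytes(b ^ key for b in blob[pc + 1:])
        else:
            raise ValueError(f"unknown opcode {op:#04x} at offset {pc}")
    raise ValueError("decoder ran off the end without reaching a body")


def signature_scan(blob: bytes) -> bool:
    """What a plain string matcher sees: the raw bytes on disk."""
    return SIGNATURE in blob


def emulating_scan(blob: bytes) -> bool:
    """What an emulating scanner sees: the bytes the decoder produces."""
    try:
        return SIGNATURE in emulate(blob)
    except (ValueError, IndexError):
        return False


def generate_variants(n: int, seed: int) -> list:
    rng = random.Random(seed)
    return [mutate(PAYLOAD, rng) for _ in range(n)]


if __name__ == "__main__":
    variants = generate_variants(25, seed=2011)
    print("distinct variants       :", len(set(variants)))                   # 25
    print("caught by signature scan:", sum(map(signature_scan, variants)))   # 0
    print("caught by emulating scan:", sum(map(emulating_scan, variants)))   # 25
```

The point is the asymmetry: every variant defeats `signature_scan`, and every variant is caught by `emulating_scan`, because the decoded body never changes. Real engines also rename registers and substitute equivalent instructions inside the decoder, and real samples add anti-emulation tricks (long decoy loops, timing checks), which is why emulation is one layer of a scanner and not the whole answer.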

Re:ahhh (1)

Nyall (646782) | more than 3 years ago | (#36886492)

Sorry there should be a carriage return between the the "jmp lbl_1" and the ".ds 50"

Polymorphic is old news (1)

Nimey (114278) | more than 3 years ago | (#36886490)

MS-DOS had polymorphic viruses in the early '90s.

NULL (1)

Artem Tashkinov (764309) | more than 3 years ago | (#36886818)

A very good article about ... nothing.

Ah, sorry, Symantec is good for you! how could I have missed that?

powerful Darwinian forces (1)

mevets (322601) | more than 3 years ago | (#36887006)

Then these must affect OS X.....

I suppose we should be thankful he didn't go for something like:

These Darwinian forces are causing an acceleration of Moore's Law in the prevalence of super-intelligent malware.

sigh.
