Smokey Bear
veritas odium parit
Premium Member
join:2008-03-15
Annie's Pub

2 recommendations

Desktop antivirus isn't enough anymore

Symantec Internet Security Threat Report Trends for 2010
DarkReading | Apr 05, 2011

Main conclusion:

• Desktop antivirus isn't enough anymore
• Mobile is the next big target
quote:
Last year will likely go down as the year of the targeted attack, with the litany of big-name breaches that began with Google's revelation that it had been hit by attackers out of China and the game-changer Stuxnet. But it was also a record-breaking year for new malware and variants, with 286 million new samples identified by Symantec.

The newly published Symantec Internet Security Threat Report Trends for 2010 counted some 6,253 new bugs -- the most ever in a year -- that were mostly driven by malware attack toolkits. The ease of deployment that comes with these kits resulted in some 286 million new malware variants, according to Symantec.

"A lot of times [the attacks] were using staged downloaders," says Mark Fosse, executive editor of the Symantec Internet Security Threat Report. "With Zeus, [for example], it's generally through a kit, and it's customizable. Every time someone creates their own customization to Zeus, it creates a new variant.

"This is the single biggest sign that desktop antivirus isn't enough anymore," Fosse says.

In another indication that mobile is the next big target, Symantec counted 163 vulnerabilities, up from 115 in 2009. This near-40 percent jump included more Trojans on mobile platforms, Fosse says. But no major attacks on mobile platforms have occurred -- yet, he says. "In the next year or two, we're going to see [Trojans and other attacks] starting to emerge" with the increased use in enterprises of mobile devices, he says.

"Once there's a sufficient financial motive, [attackers] will focus more on mobile," he says.

»www.darkreading.com/vuln ··· 010.html
SipSizzurp
Fo' Shizzle
Premium Member
join:2005-12-28
Houston, TX

When I saw the thread title I was thinking "Hell Yes!" It is about time these guys figured out that virtualization is the only real solution. Freeze the OS partition and enjoy the cure for Windows Rot as an extra bonus.

But no, they just want to load yer smart phone down with Norton.

virtuitall
@mtsallstream.net
Anon

said by SipSizzurp:

When I saw the thread title I was thinking "Hell Yes!" It is about time these guys figured out that virtualization is the only real solution. Freeze the OS partition and enjoy the cure for Windows Rot as an extra bonus.

But no, they just want to load yer smart phone down with Norton.

There is always hope that Windows 8 has that; at least that's one of the changes I hope for.

Smokey Bear
veritas odium parit
Premium Member
join:2008-03-15
Annie's Pub

2 recommendations

Smokey Bear to SipSizzurp

said by SipSizzurp:
When I saw the thread title I was thinking "Hell Yes!" It is about time these guys figured out that virtualization is the only real solution. Freeze the OS partition and enjoy the cure for Windows Rot as an extra bonus.
Symantec wrote a realistic report, based on real numbers. They also acknowledged the need for a layered defense without naming any solution; they kept it neutral. IMO nothing wrong with that.
quote:
But no, they just want to load yer smart phone down with Norton.
Hmm, maybe I didn't read the article well, but I can't discover any advertising or promotional text in favor of Norton products.
SipSizzurp
Fo' Shizzle
Premium Member
join:2005-12-28
Houston, TX

said by Smokey Bear:

....
Hmm, maybe I didn't read the article well, but I can't discover any advertising or promotional text in favor of Norton products.

I agree, and my assessment was too hasty. I'm sure they are starting to see the light and are leaning towards an eventual and inevitable merger into Faronics.

Smokey Bear
veritas odium parit
Premium Member
join:2008-03-15
Annie's Pub

1 recommendation

Symantec saw the light long ago already; how they react to the incredibly fast evolving threat landscape will be an open question, only time will tell.

CajunTek
Insane Cajun
Premium Member
join:2003-08-08
Arlington, TX

said by Smokey Bear:

Symantec saw the light long ago already; how they react to the incredibly fast evolving threat landscape will be an open question, only time will tell.

I think most of us who help clean up messes in various forums saw the light a long time ago. Most of the folks I have helped over the years did have an up-to-date AV. Of course there are horror stories about those who didn't as well.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

sivran to Smokey Bear

Hmm, what's that thing mysec's always using? Executable whitelisting. I wonder why no one's really tried it mass-market? I wonder how it would do in the mass-market.

One of the big names should produce and market such a product. If Faronics were to do it (I've not seen their product on a shelf), people would say, "Who are these guys and why is their approach different? Sounds like snake oil!" If, say, Norton or McAfee did it, people would try it.

I think it would end up much the same as traditional antivirus software, except that the people who actually had it working properly would be much better protected than they are now.

BlitzenZeus
Burnt Out Cynic
Premium Member
join:2000-01-13

BlitzenZeus to Smokey Bear

What I don't get is how this could still be a shock to some people; they are just small laptops now, and run processors that are as powerful as computers a decade or less old.

Anyone rooting their phone to run 3rd party ROMs, or software from possibly untrusted sources, is opening themselves up to this. Apple missed how an approved flashlight app allowed people to tether their data connection to their phone, and it should have been obvious; seriously, a flashlight app does not need access to the TCP/IP kernel, so somebody really screwed up. Google recently pulled multiple applications, and they had to approve these applications as far as I know.

So all this comes down to is that people need to realize these are computers, as much as some don't realize it, and this can bring up security issues.

Now I don't want to be installing Norton to my phone, but as long as people run approved, signed software the risk should be minimal as even these smartphones by default are smart enough to not run all of the software as root, even though some people still insist on running all of their software on their home computer as root which would allow any malicious program full access to the phone. At least some of these apps might have to show what they are approved to access before you install them.
mysec
Premium Member
join:2005-11-29

3 edits

mysec to sivran

said by sivran:

Executable whitelisting. I wonder why no one's really tried it mass-market? ... One of the big names should produce and market such a product. If Faronics were to do it (I've not seen their product on a shelf), people would say, "Who are these guys and why is their approach different? Sounds like snake oil!" If, say, Norton or McAfee did it, people would try it.


Executable whitelisting is still considered a "niche" product in the mainstream security market, mainly due to what you just implied: the computer security market has been (for many years) dominated by the marketing strategies of the antivirus industry. When someone purchases a computer from a big box store, it more than likely will be bundled with an AV with a free 6-month subscription.

Years ago, when I started helping home users, I had to decide what types of products to install for security. All I ran was a Firewall and Opera browser.

All browser exploits were targeted against IE in those days, and Opera provided means to disable plugins and Javascript, so that pretty much took care of the remote code execution (drive-by) exploit.

Later, USB autorun.inf exploits emerged, but I had already learned about the dangers of autorun.inf back in the floppy disk days, so it was easy to protect against that.

However, I could not depend on average users, not so knowledgeable in these things, to run in such a manner.

What to do? I had dismissed AV years earlier, since I saw too many infections where systems were up-to-date with an AV. I understood the limitations of black listing, and never did get involved with that type of security.

So, I started investigating "alternative" means, and came across Process Guard (PG) by DiamondCS. I think Mele and fcukdat on this forum still use that product.

The execution prevention part of it was what interested me. However, the alert is a prompt to Permit/Deny (test provided by fcukdat),

and I had already decided that I wanted some type of Default-Deny solution so that the average user would not have to make a decision: if such an alert popped up, it would be an unauthorized executable attempting to run/install, and there should be no provision to allow it under those circumstances.

Shortly after that, I heard about Faronics FreezeX -- the predecessor of Anti-Executable (AE). Its approach is to Deny by Default in a remote code execution attack:

In both cases above, the exploit is MS06-014 (MDAC) against IExplorer 6: an executable is cached, renamed to svchost and copied to the Temp directory and executed.

An unsuspecting user with PG might recognize svchost as a legitimate file and be inclined to permit it to execute.

EDIT: I knew about Default-Deny from learning how Software Restriction Policies (SRP) work. Here is the same exploit blocked by SRP (on a friend's computer):

However, SRP requires Win XP Pro, which most home users did not have. Also, it really requires knowledge to implement that most home users do not have. That might be the reason why Microsoft did not include it in the Home editions of Windows.

I was already familiar with Faronics' Deep Freeze (DF), and AE was modeled on the bullet-proof strategy of DF.

Designed for corporations and institutions, these products are a bit restrictive in home environments where users are constantly making changes to their systems, but I found them, especially AE, almost perfect for the home situations I encountered. Once installed, AE just sits there in the background and waits for an attempted intrusion of an unauthorized executable.

Here is a PDF exploit blocked:

Mass marketing? Recently, I became aware that Faronics wants to attract the home user. Whether or not that means the product will go on the shelf, I don't know.

"White Listing" has become a buzz word in recent years, and the term means different things to different people. One far-fetched notion is some global white list of executable files, against which anyone could check a particular file. You can see the fallacy of that scenario: you will eventually end up with a situation like black listing -- until the file gets into the database, the database is useless.

AE, on the other hand, creates a White List of all executables on the computer it's installed on. Any other executable that attempts to install/run will be Denied by Default.

The "administrator" or parent has the password when wanting to install a new program or update an old one.

In recent years, other anti-execution products have emerged on the scene: AppGuard by BlueRidge. This gets high marks over at Wilders. Also, Returnil, a Reboot-to-Restore program has an anti-execution component. Coldmoon on this forum can answer questions about that product, which also gets high marks at Wilders (Returnil has its own forum there).

AV has its uses for many people, but as a preventative measure against today's remote code execution attacks, it's not reliable. Recently, an acquaintance got hit with a drive-by, and she had a big name AV up to date. I got the malware executable and uploaded it to VT with a return of 15/42 vendors. Not too impressive.

An anti-execution program would have stopped that exploit at the gate.

Unfortunately, the mainstream security media (both print and online) ignore other than AV most of the time. Even good analysts of exploits often end up with the recommendation to "keep your AV up to date."

That's fine, but in the current thinking of "layering" it's just wise to bolster that defense with something to block the remote code execution exploit where an unauthorized executable is involved.

As far as mobile devices -- I don't use other than a regular cell phone, so I haven't investigated security solutions for those devices. I do know that f-secure has been a leader in mobile security, although I can't attest to how their products work.

regards,

-rich
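Here is how the local default-deny model described above (snapshot the executables already on the machine, deny anything else without a Permit/Deny prompt, let only the password holder add a new install) can be written down, as an added example that is not part of this post or of any Faronics product. The file contents, paths and password are constructed stand-ins; the "svchost in Temp" case is the MS06-014 scenario from the post.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for the executables present when the policy is armed.
BASELINE_FILES = {
    r"C:\Windows\System32\svchost.exe": b"MZ genuine svchost bytes",
    r"C:\Program Files\Opera\opera.exe": b"MZ opera bytes",
}

@dataclass
class DefaultDenyPolicy:
    """Local default-deny execution whitelist keyed by file hash: everything
    present at arming time is allowed, anything else is denied with no
    Permit/Deny prompt, unless an administrator has unlocked the policy."""
    allowed: set = field(default_factory=set)
    admin_password: str = "demo-only-password"   # constructed placeholder
    unlocked: bool = False
    blocked: list = field(default_factory=list)

    @staticmethod
    def digest(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def arm(self, files: dict) -> None:
        # Snapshot every executable already on the machine as the whitelist.
        self.allowed.update(self.digest(c) for c in files.values())

    def unlock(self, password: str) -> bool:
        # The parent/administrator unlocks to install or update a program.
        self.unlocked = password == self.admin_password
        return self.unlocked

    def may_execute(self, path: str, content: bytes) -> bool:
        # Decide by content hash only; the file name is never consulted, so a
        # dropper renamed to svchost.exe in the Temp directory gains nothing.
        h = self.digest(content)
        if h in self.allowed:
            return True
        if self.unlocked:
            self.allowed.add(h)        # admin-approved install joins the whitelist
            return True
        self.blocked.append(path)      # logged for the admin, no prompt for the user
        return False

def demo() -> dict:
    """Walk through the scenarios from the post; returns each decision."""
    policy = DefaultDenyPolicy()
    policy.arm(BASELINE_FILES)
    sys_svchost = r"C:\Windows\System32\svchost.exe"
    temp_svchost = r"C:\Temp\svchost.exe"            # constructed drive-by drop path
    qdir = r"C:\Program Files\Q-Dir\Q-Dir.exe"        # constructed new-install path
    out = {"genuine_svchost": policy.may_execute(sys_svchost, BASELINE_FILES[sys_svchost])}
    out["temp_svchost"] = policy.may_execute(temp_svchost, b"MZ dropper bytes")
    policy.unlock("demo-only-password")              # admin installs a new program
    out["admin_install"] = policy.may_execute(qdir, b"MZ qdir bytes")
    policy.unlocked = False                          # lock again afterwards
    out["installed_runs_later"] = policy.may_execute(qdir, b"MZ qdir bytes")
    out["blocked"] = list(policy.blocked)
    return out
```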

Trel
Good Evening
Premium Member
join:2002-10-08
USA

Trel to BlitzenZeus

said by BlitzenZeus:

Anyone rooting their phone to run 3rd party ROMs, or software from possibly untrusted sources, is opening themselves up to this.

Actually it was the people who rooted and ran 3rd party roms who were safe this past time. Because the rooted phones (android) require you to allow/deny apps requesting root permissions.

Those people were tipped off that something was not quite right.

claudiubotez
join:2009-06-28

claudiubotez to Smokey Bear

Hi,

Some time ago I advocated a similar solution: no AV at all, only a HIPS and firewall.

Most of the posters, including a moderator, were outraged by this idea and the post was removed.

I am happy to see somebody else embracing this idea.

Thanks,
Claudiu

coldmoon
Premium Member
join:2002-02-04
Fulton, NY

coldmoon to sivran


...Executable whitelisting. I wonder why no one's really tried it mass-market? I wonder how it would do in the mass-market.

It is included in the Anti-execute and Virus Guard components in RSS and the AE in RVS. This comes in the form of white list updates sent directly from our AI/Machine learning analysis and research department with the client being updated automatically to remove false positive detections and execution blocking.

The AE in our solutions does not allow for specific user rule creation as that is where white listing, like HIPS can fail: make the wrong decision or create a bad rule and the game is up. This is also likely where the industry will be going in the future as automation improves over time.

Mike

coldmoon to claudiubotez

said by claudiubotez:

Hi,

Some time ago I advocated a similar solution: no AV at all, only a HIPS and firewall.

Most of the posters, including a moderator, were outraged by this idea and the post was removed.

I am happy to see somebody else embracing this idea.

Thanks,
Claudiu

This is problematic for new to average users who cannot make the proper decision based on the types of arcane information the alerts usually provide in a HIPS. For an expert user, this configuration can be both light weight and effective, but for others, it is a road filled with hidden land mines.

For many, virtualization is a better approach with some form of expert feedback on how well the strategy is working. This is usually the combination of boot-to-restore and AM/AV in some form, where the detection provides warning and the restart provides elimination of any malicious changes.

Mike

cableties
Premium Member
join:2005-01-27

What irks me the most is how MS "still" leaves the default setting for IE (internet) on the Empty Temporary Internet items as OFF.
Folks use faster speeds and no longer worry about "caching" images, etc.
This folder caches the payloads (along with the system restore file).

I fault the OS for this and agree that a VM is the best way (I've fallen back on snapshots only twice when something in the wild caught me...and my MSE/MalwareBytes/Superantispyware by surprise).

I'm all for layered defense, but the individuals I have to support are lazy and ignorant ("Why do I have to have a password?") sigh...
So for me, I run a VM just for certain surfing, and another VM (BIG restrictions set) for banking/financial. Just works.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

1 recommendation

sivran to coldmoon

No user rule creation? I suppose your database must be huge. Or is there also some way that your software handles the situation? For example, my favorite file manager is Q-Dir. If it by chance wasn't on the whitelist, how could I go about getting it to run?

coldmoon
Premium Member
join:2002-02-04
Fulton, NY

said by sivran:

No user rule creation? I suppose your database must be huge. Or is there also some way that your software handles the situation? ...

The white list is derived from the data collection feature. It works by detecting things that are suspicious and also unknown in a general way. It then sends that information (both behavioral and file) to our AI server that then works to determine the true nature of the content and/or behavior and then updates all clients as soon as they connect for an update.

If the content is not malicious, the white list is updated. If the content is malicious, then the black list is updated. If the content is indeterminate, then it is sent to a researcher for more detailed analysis and update as appropriate.

So the more people using the software and participating in the malicious/good data feedback, the better the protection becomes with a corresponding reduction in false positives with exposure to a wider range of applications previously unknown. As soon as we are able to "miniaturize" the AI analysis process, we are planning to move it down closer to the client level for a form of hive mind where clients in the same network can update each other in near real time to stop the beginnings of an outbreak dead in its tracks.

... If it by chance wasn't on the whitelist, how could I go about getting it to run?

If the program is already installed, the default setting (Virtual Mode > Settings > Additional Protection Options) to allow only known services should allow the program to run. This may be blocked, however, at the more restrictive "only known executables" (full paranoid mode) option.

If it is blocked, it is also appropriate to assume information about the program is sent to the AI server for analysis and update of the white list if it is found to be good. But in a situation where you are getting false positive blocks, let us know and the team can do an immediate investigation and update the lists manually as required.

Mike

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

Thanks for the reply. It sounds solid, I might give Returnil a try.