Sunday, June 26, 2005

The deal with malware today

Recently there has been a lot of buzz on public news sites about zombie networks used for launching DDoS attacks, and aggressive, evasive malware. The way I see it, these two problems are currently the biggest ones on the Internet. And by this, I mean the two problems which are the hardest to solve.

When I first got into the antispyware business, things were pretty easy: if your IE security settings were too low, some ActiveX control would drop a Registry script on your system and set it to run at startup, so your start page and search pages were hijacked again every time you booted. Nice and straightforward, and easy to solve - once you knew where to look. Spyware and malware were very young then, and had only recently been exposed to the mainstream news by Steve Gibson's OptOut. For the first time it became clear that something (non-viral) could be sneaked onto your system by piggybacking on an 'ad-supported' program, and left behind when the host program was removed. Still, things were pretty quiet on the bad guys' side: the techniques in use were simple, and the files were easy to detect and remove.

But then things started getting nasty. Malware started using exploits in Internet Explorer to sneak itself onto your system. CoolWebSearch was one of the first to do this, but has since shifted the blame onto its 'affiliates', which seems to be the general trend now: companies encourage their affiliates to get users to install their software in whatever way they can, and look the other way while those affiliates use exploits posted to the Full-Disclosure mailing list. Since posts to that list frequently included proof-of-concept code that was easily modified for malicious purposes, most of the exploits used by browser hijackers and drive-by installers were simply plucked from it. Among the exploits used were the ByteVerify hole in the Microsoft Java VM (Java.ByteVerify), an Outlook Express cross-site scripting vulnerability, and several unsafe ActiveX objects that could be reached from the Internet Zone, lowering security settings and giving write access to the system.

Still, although keeping the system up to date with Microsoft's patches (keep in mind that all these exploits applied only to MSIE on Windows) didn't always protect you from infection, all of these hijackers and pieces of advertising malware were relatively easy to remove. Kill the running processes, kill the autostarts, kill the files, kill the Registry keys and values. With common sense, a little experience and those steps, in that order, any malware could be removed, even without additional tools like process managers, antispyware or antivirus programs. The order matters: a process that is still running can recreate its files and autostart entries as fast as you delete them.

Even when the bad guys took the next step, it took little effort to defeat. When malware emerged that scanned the list of running processes for antispyware and antivirus programs and forcefully closed them, all we had to do was rename the process manager's executable (the malware recognised its targets by name) and kill the malware processes before continuing with the normal cleaning procedure described above. When malware started to use multiple processes that kept each other alive, the 'Delete this file on reboot' option all Windows versions had (though hidden) worked with only very few exceptions: Windows removes the file during the next boot, before the malware's processes get a chance to start. And in those few cases there was always Safe Mode, which loads only a minimal set of drivers and services.
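The cleaning order described above (processes first, then autostarts, then files, with delete-on-reboot as the fallback for locked files), written up as a script. This is an added example and not code from the original post; the file paths in it are constructed samples, and it assumes the bad files have already been identified by hand, which the post rightly treats as the hard part. It only handles Run/RunOnce values, not CLSID or BHO keys, and it relies on the same Windows APIs a rootkit hooks, so it cannot see files that are being hidden from it.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: the manual cleanup order
# (processes, autostarts, files) as a script. Paths below are constructed
# samples. It assumes the bad files were already identified by hand, and
# does nothing against a rootkit that hides those files from the APIs used.

# Delay-until-reboot deletion is what the hidden 'Delete this file on reboot'
# option uses under the hood: MoveFileEx(name, NULL, MOVEFILE_DELAY_UNTIL_REBOOT).
if (-not ('Cleanup.Native' -as [type])) {
    Add-Type -Namespace Cleanup -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@
}
$MOVEFILE_DELAY_UNTIL_REBOOT = 4

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds itself; these are not Registry values.
$PsMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Remove-Malware {
    param([Parameter(Mandatory)][string[]]$BadFiles)

    # 1. Kill the running processes first; a live process can recreate
    #    its files and autostart entries as fast as you delete them.
    foreach ($f in $BadFiles) {
        Get-Process -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -and ($_.Path -ieq $f) } |
            ForEach-Object {
                Write-Host "Killing PID $($_.Id) ($($_.Path))"
                Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue
            }
    }

    # 2. Kill the autostarts: every Run/RunOnce value that references a bad file.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($PsMeta -contains $name) { continue }
            $cmd = [string]$props.$name
            foreach ($f in $BadFiles) {
                if ($cmd.IndexOf($f, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    Write-Host "Removing autostart '$name' from $key"
                    Remove-ItemProperty -Path $key -Name $name
                    break
                }
            }
        }
    }

    # 3. Kill the files. A file that is still locked (e.g. a DLL injected into
    #    another process) is scheduled for deletion at the next boot, before
    #    anything gets the chance to load it again.
    $rebootNeeded = $false
    foreach ($f in $BadFiles) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        try {
            Remove-Item -LiteralPath $f -Force -ErrorAction Stop
            Write-Host "Deleted $f"
        } catch {
            if ([Cleanup.Native]::MoveFileEx($f, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
                Write-Host "Locked, will be deleted at next boot: $f"
                $rebootNeeded = $true
            } else {
                $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
                Write-Warning "Could not schedule deletion of $f (Win32 error $err)"
            }
        }
    }
    return $rebootNeeded
}

# Usage with constructed sample paths (no real malware is implied by these names).
$needReboot = Remove-Malware -BadFiles @(
    'C:\Windows\System32\hjksrch.exe',
    'C:\Windows\System32\hjkhook.dll'
)
if ($needReboot) { Write-Host 'Reboot to finish the cleanup, then re-check the Run keys.' }
```

After a reboot, run the autostart check again: if a Run value has reappeared, something is still alive that the script did not see, which is exactly the situation the rest of this post is about.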

But then disaster struck. A variant of a browser hijacker emerged that hooked a few Windows system functions and hid itself from Windows itself. This behaviour is known from a class of programs called rootkits. These are essentially the next generation of the Remote Access Tools that emerged around 1999-2000, which hid themselves on the infected system and gave the remote attacker complete access to it, as if he were sitting behind the keyboard. Rootkits took this one step further by hooking Windows system functions and filtering out any information that pointed to themselves before Windows (and, through it, the user) got to see it: ask for the list of processes, files or Registry keys, and the rootkit's own entries are silently dropped from the results. This made them invisible down to a very low level.
When malware started to use this, at first it simply bundled a common rootkit like Hacker Defender, configured to hide the malware's processes, files and Registry keys. Later on the malware itself incorporated rootkit features.

That is where we stand right now: malware using rootkit techniques to hide itself, and to reinstall itself when something is removed. It has also started bundling other malware with itself, installing more and more onto the infected system, but the main problem is still the rootkit behaviour.
One of the main reasons this is so hard for antispyware and antivirus tools to detect is that the scanners don't work at a low enough level to get past the smoke screen: they ask Windows for the list of files, processes and Registry keys, and they get the same filtered answer the user gets. A scanner only sees what is hidden by going below the hooks (reading the disk and the Registry hives directly) or by comparing that raw view with the API view and reporting the difference. On top of that, these pieces of malware often use random filenames and some polymorphic code, so no two files are the same and signature scanners can't find them. That leaves it up to a competent technician to find and kill everything by hand, using exactly the thing a computer program doesn't have: common sense.

Next up: botnets of spam zombies.
