Saturday, March 28, 2009

Weaponized Malware - Your Protection

Has anyone noticed that malware is being weaponized at an alarmingly increasing rate lately? What's worse, the dollar amounts stolen by these malware payloads [often incorrectly referred to as viruses] are being reported on more and more... and the victims are starting to pile up.

To see the far-reaching effects of [potentially] custom/purpose-written malware check out this story out of Carl Junction, MO.
"School superintendent Phil Cook said Monday that agent Gayle Warrener took the payroll department computer, which was believed to have been compromised during the theft. A computer virus that struck on Feb. 26 allowed someone to access the district account.

The $196,000 was electronically transferred to a number of banks nationwide in increments of about $8,000."

Obviously, the FBI has its hands full... and they're certainly investigating these incidents but in yet another "forest for the trees" move I think a point is being missed.

As the carnage mounts I can't help but look at my work laptop and wonder. I've got anti{spam|virus|adware|spyware} agents all over the place sucking down my CPU cycles like I drink Mt. Dew... and I just have to wonder: is it really keeping my laptop safe? Symantec, McAfee, and many others continue to sell desktop protection products - but are they keeping your computer any safer than the operating system would have natively? I won't argue that point because the answer is obviously yes... but to what extent? Is leaving your computer's safety and security to a piece of "anti-virus software" a smart idea in 2009? I think that question is best answered by looking at what some of these anti-malware companies are charging for their products. Symantec's product is FREE if you get the 100% rebate, others have been selling for a similar price... does that mean these companies are valuing their products at $0?

Think about this the next time you go to check that compliance report box for anti-virus software... "Check! We're secure..." isn't a valid answer.

dre said...

Yes, don't use AV but do use something in its place. WehnTrust is one good alternative (for Windows 2000, XP, and Server 2003). Or even simple hardware DEP "AlwaysOn".

Exploitation countermeasures (e.g. processor-based security, compiler-based security, and runtime security features such as DEP, ASLR, SEH, /GS, PREfast, PREfix, SafeInt, et al.) are great in combination with HIMS such as Osiris (Windows) or Samhain/Beltane (Unix) -- which take a more whitelist perspective to OS filesystem and running services usage.

Rafal Los said...

@Andre: Well put, great suggestions. Do you have any direct suggestions like this list for *average home users*?

dre said...

@ Rafal:

Buy from notable and reputable vendors and OEMs that do not install third-party applications and crippleware?

If you get an OS and it comes with Adobe Reader, Flash, Java, RealPlayer, and iTunes/QuickTime that are all severely out of date -- then the vendor/OEM has now just provided you with several ways of getting yourself owned.

So I might suggest that vendors/OEMs that sell to the mass public run LookingGlass on third-party applications that they plan on installing. If the application isn't perfect (correct use of DEP, ASLR, and safe C functions), then they should drop the product as an OEM install until that ISV can make their product meet this minimum bar for a standard to install apps.
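One way a vendor could automate the "correct use of DEP and ASLR" bar described above is to read the DllCharacteristics flags in a PE image's optional header, which is what the linker sets for /NXCOMPAT and /DYNAMICBASE. This is an added example, not LookingGlass or any code from the post or its commenters; it builds two constructed, header-only PE32 samples inline so it runs offline, and a real audit would read the bytes from the executable on disk.

```python
import struct

# IMAGE_DLLCHARACTERISTICS bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040  # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100     # image declares itself compatible with DEP / NX

def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE32 or PE32+ image's optional header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the 4-byte signature and the 20-byte COFF file header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unrecognised optional header magic 0x%X" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both formats:
    # PE32's 4-byte BaseOfData is balanced by PE32+'s 8-byte ImageBase.
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    return flags

def audit(image: bytes) -> dict:
    """Report whether the image opted in to ASLR and DEP and whether it meets the 'both' bar."""
    flags = dll_characteristics(image)
    aslr = bool(flags & DYNAMIC_BASE)
    dep = bool(flags & NX_COMPAT)
    return {"aslr": aslr, "dep": dep, "meets_bar": aslr and dep}

def make_pe32_header(dll_chars: int) -> bytes:
    """Constructed minimal PE32 header (headers only, not a loadable binary) for the demo."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature directly after the DOS header
    # COFF header: Machine=i386, 1 section, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)   # DllCharacteristics under test
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

# Two constructed samples: a hardened build and a legacy build with neither flag set.
HARDENED = make_pe32_header(DYNAMIC_BASE | NX_COMPAT)
LEGACY = make_pe32_header(0)

if __name__ == "__main__":
    for name, img in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, audit(img))
```

The flags only show that the linker opted the image in; a system-wide DEP "AlwaysOn" policy, as mentioned in the first comment, enforces DEP regardless of the flag, and a complete audit would also check every DLL the application loads, since one non-relocatable module weakens ASLR for the whole process.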