And the fifth product was? Symantec, perchance?
World's best threat detection pwned by HOBBIT
Some of the world's best threat detection platforms have been bypassed by custom malware in a demonstration of the fallibility of single-defence security. Five un-named top advanced threat detection products were tested against four custom malware samples written by researchers at Crysys Lab, Hungary and MRG-Effitas, UK. The …
COMMENTS
Friday 28th November 2014 08:41 GMT Voland's right hand
Not relevant
The key piece of info is who wrote the demo malware. With all due respect, there are not that many places out there which have the competence of Crysys for both analysing malware and demoing exploitability of concepts. To put it bluntly: these guys are good, I would not want to have them as an adversary.
As far as bypassing the defences it shows something which has been known since time forgotten - no defence can stand against a determined, competent adversary in possession of the appropriate resources.
Friday 28th November 2014 09:27 GMT Nick Ryan
Re: Not relevant
Largely, what a lot of people either don't understand or don't realise is that computer AV, much like biological immune systems, is retrospective in that it needs a sample to be able to spot it and deal with it in the future. The advantage of computer AV systems is that the initial detection can be in one location and detection patterns can be spread to others; it doesn't help the first victim much but does help the rest. Of course, the longer something remains undetected, which is the aim of the game, the further the spread.
Unfortunately we're not helped when the prevalent computer system is one that was initially designed as a standalone system with a single fully trusted local user using it. However, even with a fully application-sandboxed operating system with a full and sensible application permission system, the weak point will be found between the chair and keyboard.
Friday 28th November 2014 11:41 GMT Anonymous Coward
Re: If you wander round the bad part of cybertown...
Maybe. But the point of this article is that if you wander round the good part of cybertown you may well get mugged, and there's not a lot you can do about it.
The bad side of cybertown is where poor quality malware is used to recruit botnets to send spam and the like. The users of that side of the web want stuff for free, so by definition have limited money, information that's barely worth stealing. And the malware is of an appropriate grade.
The sort of malware this research considers is made for high value targets, who as a general rule aren't torrenting grumble flicks, trading in bitcoins, or searching for J-law with her kit off. This would be launched through apparently innocent sites - watering hole attacks, for example. Or by targeting a weak link such as low paid employees working in accounts payable with a booby trapped PDF, or even suppliers with systems access (eg Home Depot, Target).
Friday 28th November 2014 09:54 GMT Andy Non
Microsoft Security Essentials pwned.
One of my friends asked me to take a look at his computer a few weeks ago as it was slow and "behaving oddly". It was running Microsoft Security Essentials which claimed the computer had no infections. I downloaded Malwarebytes and was surprised when it found more than 100 viruses and trojans on the computer! I very much doubt that so much malware could remain undetected by the MSE anti-virus software, so the logical conclusion was that MSE had been pwned at some time to make it impotent in detecting any malware but to still give the appearance it was working fine.
Friday 28th November 2014 13:57 GMT Andy Non
Re: Microsoft Security Essentials pwned.
Quote: "If it's a virus that isn't known about at the time of infection then how would it stop it? No-one runs virus scans these days, they expect whatever AV product they have to protect against everything."
The thing that got my interest most wasn't the fact that one or more viruses had managed to get onto the system, but that (fully up to date) Security Essentials didn't find ANY of more than 100 pieces of malware on that computer after a full scan. I may be wrong but IMO that implies something fundamental had been compromised with the virus scanner. The point I'm making is that it is too easy and dangerous to be fooled by any one anti-virus product declaring your computer to be clean if that scanner itself can be compromised. How would you even know?
Anyway, in view of the severity of the infection I suggested a drive wipe and fresh Windows reinstall.
Friday 28th November 2014 10:15 GMT Andy Non
... I'll just add.
That wasn't a dig at MSE as such, more an observation on how dangerous it is to put faith into a single anti-virus / anti-malware product. It makes me wonder how many of the other security products out there, paid or free, can also be "neutered" rendering them useless but apparently still fully functional?
Friday 28th November 2014 10:30 GMT chivo243
3 strikes
I had a user that mentioned his workstation was slow, with lots of pop-up ads and a strange homepage even though it was set to another site. I had to nuke this install from orbit, it was way faster than Not once, twice, but three times in less than a month. I suggested to my boss that we grab an iMac off the shelf. I installed Chrome as the default browser with AdBlock. Haven't heard a peep since from the PEBKAC.
FYI, it was running MSSE, and yes, we are behind a firewall and content filter. Take away from that situation what you like.
Friday 28th November 2014 10:45 GMT Anonymous Coward
Re: 3 strikes
That should be 3 strikes and gone on the employee, not the computer. If you have a person who is constantly reinfecting a work machine then logs should be checked to see what he is messing around with. MSSE is not strong enough for the kind of person who clicks on dodgy adverts and surfs dubious sites during work hours. Grabbing an iMac isn't going to help that kind of employee as he will still click on those adverts and still go to the same dodgy sites on the iMac. This guy is still a risk to your office network.
Saturday 29th November 2014 17:33 GMT chivo243
Re: 3 strikes @chivo
As far as I know, the issue turned out to be: extensions/add-ons/plug-ins for a browser and all the love that comes with those lovely extras. I would have boiled them in oil, BUT in the scheme of things I could only harm myself regardless of doing the right thing.
No, the iMac is locked down, we have to help with any and all the Java and Flash etc update issues.
On a more current note, another colleague has been challenged restricting web access. I heard something about only the company webmail...