PROOF AGAINST MALWARE
Proofing against malware attacks
Marco Slaviero
Summary
• State of anti-malware
• Chronic malware treatment
Malware? What’s that?
• Obvious
  – Viruses
  – Spyware
  – Worms
  – Trojans
• Less obvious
  – “Legal” rootkits (à la Sony)
  – EULA-protected tools
  – Dual-purpose tools
  – Poorly designed tools
INTENT MATTERS
CAN WE DETERMINE PROGRAM INTENT IN A GENERAL WAY?
Specific solutions
• Real-time / point-in-time
• Signatures
  – Byte sequences on disk
  – Byte sequences over the network
  – Known suspicious system calls
Antimalware fails
• Polymorphic malware
  – Encrypt the virus, and include a tiny decryption engine that runs first.
  – Response: virtualise the first couple of hundred instructions, then see if known signatures are present
• Metamorphic malware
  – Alter the instruction sequence such that it remains semantically identical, but syntactically different
Examples
• Signature stream: “Our computing systems are generally very insecure.”
• Polymorphic manipulation: “Replace each ‘ZZ’ with an ‘e’ in the next sentence. Our computing systZZms arZZ gZZnZZrally vZZry insZZcurZZ”.
• Metamorphic manipulation: “Mankind’s information systems do not exhibit safe security practices.”
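The three sentences above, worked through in code. This is an added example, not part of the original slides: a plain substring scan stands in for a byte-sequence signature, and a small regex that interprets the “Replace each … with …” prefix stands in for the decoder emulation the previous slide calls “virtualise the first couple of hundred instructions”. The sample streams, the decoder grammar and the function names are all constructed for this illustration.

```python
import re

# Constructed streams mirroring the slide's three sentences.
SIGNATURE = "Our computing systems are generally very insecure."
CLEAN_STREAM = "Log entry 42: Our computing systems are generally very insecure. End of entry."
POLYMORPHIC_STREAM = ("Replace each 'ZZ' with an 'e' in the next sentence. "
                      "Our computing systZZms arZZ gZZnZZrally vZZry insZZcurZZ.")
METAMORPHIC_STREAM = "Mankind's information systems do not exhibit safe security practices."


def signature_match(stream: str, signature: str = SIGNATURE) -> bool:
    """Byte-sequence signature scan: a plain substring search over the stream."""
    return signature in stream


# The "tiny decryption engine" of the analogy: the instruction sentence that
# opens the polymorphic stream. Assumed grammar for this example only:
#   Replace each '<needle>' with a/an '<replacement>' in the next sentence.
DECODER_STUB = re.compile(
    r"^Replace each '([^']+)' with an? '([^']+)' in the next sentence\.\s*")


def emulate_decoder(stream: str) -> str:
    """Stand-in for virtualising the first few instructions: run the embedded
    decoder over the rest of the stream and return the recovered payload.
    Streams without a decoder prefix are returned unchanged."""
    m = DECODER_STUB.match(stream)
    if not m:
        return stream
    needle, replacement = m.group(1), m.group(2)
    return stream[m.end():].replace(needle, replacement)


def scan(stream: str) -> dict:
    """Verdict of the static signature scan, and of the same scan after emulation."""
    return {
        "static_signature": signature_match(stream),
        "after_emulation": signature_match(emulate_decoder(stream)),
    }


if __name__ == "__main__":
    for name, stream in [("clean", CLEAN_STREAM),
                         ("polymorphic", POLYMORPHIC_STREAM),
                         ("metamorphic", METAMORPHIC_STREAM)]:
        print(name, scan(stream))
```

The polymorphic stream defeats the static scan but is caught once the decoder has been emulated; the metamorphic stream carries the same meaning with none of the original bytes, so neither scan finds it. That is the gap the next slides are about: a signature cannot see intent.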
Dan Geer’s security monoculture
Artificial distinctions
SO, CAN WE MALWARE-PROOF A COMPUTER?
Safe from infection
Safe from infection #2
Safe from infection #3
State of the art
And it ignores the unexpected
Verdict
NO
DOES IT GET LESS GLOOMY?
Side bar: Attack Graphs
• Create and host malicious website
• Obtain target’s contact details
• Entice user to click on link
• Exploit flaw in unpatched Adobe Flash Player
• Download body of malware
• Execute malware
• Search disk for information
• Upload documents via configured proxy
LENGTHEN THE ATTACK GRAPH
Not like this
Or this
Better…
MOST IMPORTANT: PROTECT THE ORGANISATION, NOT THE COMPUTER
Where does your risk lie?
Practical strategies: Home users
• Not much infrastructure to lengthen attack chains
• Consider
  – Decentralising your online life
  – Multiple (virtual) machines, each devoted to a single level of task
  – Security by isolation
  – Examples: VMWare, Qubes
Qubes
http://qubes-os.org/Architecture.html
Practical strategies: Enterprise users
• Regular stuff (remove unneeded software, patch, segregated networks, etc.)
• Expect that you’re infected
• Develop rapid response measures to detect and isolate infection using signatures on both the host and network.
• Monitor and log process execution
• Whitelist binaries
• Close access channels (no browsing, severe email limitations, no flash disks)
• Risk management: loss is inevitable, absorb the cost
• Introduce heterogeneity
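“Monitor and log process execution” and “Whitelist binaries” combine naturally: a process-execution log audited against a hash allowlist turns every unapproved image into an alert, which is the “expect that you’re infected, detect and isolate” posture the slide describes. The following is an added example, not from the slides or from any product: the log format, hosts, paths and image contents are all constructed so the hashes are reproducible offline, and the verdict names are this example’s own.

```python
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable images (real deployments hash the files on disk).
IMAGES = {
    "notepad": b"constructed notepad image",
    "winword": b"constructed winword image",
    "dropper": b"constructed unknown dropper",
    "notepad_tampered": b"constructed notepad image, modified",
}
HASHES = {name: sha256_hex(body) for name, body in IMAGES.items()}

# Allowlist keyed by image hash; the value is the path the approved image is expected at.
ALLOWLIST: Dict[str, str] = {
    HASHES["notepad"]: r"C:\Windows\System32\notepad.exe",
    HASHES["winword"]: r"C:\Program Files\Office\winword.exe",
}
APPROVED_PATHS = set(ALLOWLIST.values())

# Constructed process-execution log, one event per line:
#   <timestamp> <host> <sha256 of image> <image path>
# The hash precedes the path because paths may contain spaces.
SAMPLE_LOG = "\n".join([
    f"2011-03-01T09:00:01Z ws01 {HASHES['notepad']} C:\\Windows\\System32\\notepad.exe",
    f"2011-03-01T09:00:05Z ws01 {HASHES['winword']} C:\\Program Files\\Office\\winword.exe",
    f"2011-03-01T09:01:12Z ws02 {HASHES['dropper']} C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
    f"2011-03-01T09:02:40Z ws02 {HASHES['notepad_tampered']} C:\\Windows\\System32\\notepad.exe",
])


def parse_line(line: str) -> Tuple[str, str, str, str]:
    """Split one log line into (timestamp, host, digest, path); the path keeps its spaces."""
    ts, host, digest, path = line.split(" ", 3)
    return ts, host, digest, path


def classify(digest: str, path: str) -> str:
    """Allowlist decision for one execution event."""
    if digest in ALLOWLIST:
        return "allowed"
    if path in APPROVED_PATHS:
        # Approved location, unapproved bytes: tampering or an unvetted update.
        return "hash-mismatch"
    return "unknown-binary"


def audit(log: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, host, path, verdict) for every event in the log."""
    results = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, digest, path = parse_line(line)
        results.append((ts, host, path, classify(digest, path)))
    return results


def alerts(log: str) -> List[Tuple[str, str, str, str]]:
    """Only the events that should trigger isolation of the host."""
    return [event for event in audit(log) if event[3] != "allowed"]


if __name__ == "__main__":
    for event in alerts(SAMPLE_LOG):
        print(*event)
```

Keying the allowlist by hash rather than by path is what catches the fourth line: the path is trusted, the bytes are not. The two alerts both come from ws02, which is the host a rapid-response procedure would isolate first.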
Side bar: walled gardens
BUT DON’T FOOL YOURSELF. YOU’RE STILL NOT MALWARE-PROOF.
Questions?
Thank you to Prof. Ojo and TUT for the opportunity