Antivirus: June 2004 Archives
Whenever there is a virus outbreak everyone is quick to blame the usual suspects. "It's Microsoft's fault. They shouldn't have bugs in their code," trumpet the Microsoft haters as they run for a microphone or schedule a press conference. "It's the dang users, they don't listen and they click on everything they see," laments the administrator. "It's society's fault for raising the kind of children who code viruses." "No wait, it's the University of Calgary's fault."
It seems it's the fault of everything but the antivirus software itself. We need more antivirus, they cry!! So updates go from monthly to weekly to daily to hourly. Hell, just stick in an IV and keep feeding me virus definitions non-stop.
Degrade our ability to use mail! That must be the solution to virus woes. Block all attachments. No, that's not enough, BLOCK HTML. Stop all messages containing the words "the," "and," "a," "or," and "of."
The viruses still aren't being stopped? We better stack one virus engine upon another. I've got it, we'll call it "Defense in Depth." We can start making analogies about "castle protection." And if anyone says that our plan is 15th century protection, we'll get medieval on their...oh sorry, I was just getting a bit carried away there.
Perhaps it's time to look in a new direction. Antivirus software that stops viruses. Not software that stops a virus only if it has today's definition update for the latest badness. Antivirus that stops the virus. You say it can't be done, that it is prone to false positives. It is done, and it is being done today at the email layer. Two companies have the temerity to WARRANTY their work: Message Labs and Avecho. Sure, that requires outsourcing your mail. But Message Labs is worldwide, with some major customers and some major redundancy built in. It is worth it to know that viruses aren't getting through at the SMTP layer.
If only someone would build something similar for the desktop. I had high hopes for NOD32, but I've read it has some false positive problems. Perhaps one day vendors will hear the demand and bring about some innovation in the antivirus industry.
__
Note: some of these ideas were shaped by years of reading Rob Rosenberger over at vmyths, and at kumite before that. And yes, his post today at his site did inspire this entry.
Microsoft rumored to be interested in acquiring Network Associates
http://www.broadbandreports.com/shownews/46417
http://www.securitypipeline.com/news/22101181
Network Associates is for sale, and Microsoft is rumored to be the buyer.
The maker of McAfee antivirus and security products has not made it public, but a "for sale" sign figuratively hangs from Network Associates' front door, according to Wall Street sources and channel partners.
A public announcement concerning either the pending or closed sale of the company to a buyer could come as early as July 1 when Network Associates also plans to announce layoffs associated with the company's for-sale status, these sources said.
After initially declining to comment, Network Associates spokesperson Jennifer Keavney said Tuesday the company was "not considering offers from Microsoft or any other company at this time." She did say however that the company would "need to legally consider offers that benefit its owners, the shareholders of Network Associates."
Alternate Data Streams (ADSes) are a feature of NTFS: a file can carry extra named streams of data alongside its main content. Those streams are not shown by Explorer or by a plain dir listing, so they can be used to hide malicious code. A couple of years ago there was great wringing of hands over the inability of antivirus products to detect files hidden inside ADSes. It seems that this has not been rectified.
In the June issue of Information Security Mag, Ed Skoudis compares several antivirus products. When testing these hidden streams, he found that most antivirus vendors are still lacking.
Aware of the threat, but not really educated yet, I searched further. I found a Computerworld article posted to the Symantec site. It said that
1. Alternate Data Streams cannot be removed from a file. The original file will need to be deleted.
2. Windows File Protection introduced in Windows 2000 cannot prevent hackers from adding an ADS with hidden executable code to a system file.
3. Users without "write" permissions to a file cannot add an ADS.
I also found a really cool GIAC paper by Jeff Garrett. In the paper Jeff demonstrates how to use netcat in an ADS to avoid detection by an administrator. Very cool stuff!!
For now this is more evidence of the need not to perform day-to-day computer tasks as the administrator: a user who cannot write to a file cannot attach a stream to it either, so running unprivileged limits where an ADS can be planted. It is also worth checking whether your antivirus vendor scans ADSes at all.
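The following PowerShell session is an added example, not code from the original post, the Computerworld article or the GIAC paper. It creates a stream on a throwaway file, shows that an ordinary listing hides it, sweeps a directory tree for files carrying unexpected streams, and then removes the stream. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the file path and the stream name "payload" are made up. Note that, contrary to the first point quoted above, current Windows can remove a single stream with Remove-Item -Stream without deleting the file.

```powershell
# Added example: create, find and remove an NTFS alternate data stream.
# Assumes Windows PowerShell 3.0+ on NTFS; path and stream name are illustrative.

$target = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -Path $target -Value 'visible content'

# Attach a second, named stream to the same file.
Set-Content -Path $target -Stream 'payload' -Value 'hidden content'

# A normal listing reports only the unnamed main stream's size...
Get-Item $target | Select-Object Name, Length

# ...while enumerating streams shows both (the main stream is ":$DATA").
Get-Item $target -Stream * | Select-Object Stream, Length

# cmd.exe can show the same on Vista and later with dir /R.
cmd /c "dir /R `"$target`""

# Sweep a tree for files with any stream other than the main one. Zone.Identifier is
# the benign "downloaded from the Internet" marker and is excluded to cut the noise.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' }
        } |
        Select-Object FileName, Stream, Length
}
Find-AlternateStreams -Root $env:TEMP

# Remove just the hidden stream; the file and its main content survive.
Remove-Item -Path $target -Stream 'payload'
Get-Item $target -Stream * | Select-Object Stream, Length

Remove-Item $target
```

Find-AlternateStreams is the part worth keeping around: run it over user profile and system directories to see whether anything besides browser download markers is riding along on your files, and compare what it turns up against what your antivirus reports.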
http://www.f-secure.com/v-descs/montp.shtml
Montp.f is actually a rather clever virus.
When you connect to your bank or use webmail you are likely making a secure connection using SSL. You'll notice a little "lock" icon in the browser's status bar and an https:// prefix up in the address field. That means the traffic between you and them is encrypted so that no one in between can eavesdrop on it.
What you probably didn't know is that there are troubleshooting tools that let you see the traffic going by anyway. One way is to set a couple of registry keys and install a DLL; immediately you start collecting a clear-text log of all the traffic. The logging happens on your own machine, before the data is encrypted, so SSL protects the wire but not an endpoint that has been tampered with.
This virus does something very similar. But once it collects the data, it's not trying to help you. Of course not. It searches the collected data for visits to one of 74 bank websites, along with some other sites that take passwords. If you have been to one of those sites it extracts the relevant login information and sends it to the author over the Internet.
That's where this virus isn't so clever. Uploading to a static IP address is not going to keep working; drop sites like that usually get shut down rather quickly.
The virus also attempts to kill processes for security related software (antivirus).
All in all, you've got to hand it to them for this one. Two thumbs up for the information collection feature. They've got to work on a better way to get the information back to themselves without being caught. I've got a few ideas on the subject. :)