Malware: mitigating maladies might matter

Well, another Update Tuesday done and dusted. We are not supposed to use the word "Patch".

So, the question I left you with was what could be done to make it safer for an application to run on a compromised computer; that is, how could you mitigate the risks?

The answer is that it very much depends on the malware in question. Let us consider what would happen with some common types. In each case, I will be assuming that the type is pure and has no function other than that stated – a little unrealistic, I know.

Adware. This is pretty common stuff. It pops up pages advertising various goods or services, often adult in nature, and is normally implemented as a malicious Browser Helper Object in IE or a plug-in under Firefox. Adware typically has little effect on applications that don't use the browser, although you might be surprised by what does. HTML Help? That hosts the WebBrowser control (shdocvw.dll), so it could load the adware into a custom application, although it is unlikely that adware would do anything sensible injected into another process. It might well crash an application though – indeed, the first malware I ever looked at was doing just that. The adware could have additional functionality, making it not a pure adware component, of course. Is it safe to have it in your process? No. It could be very unsafe if your application is web based.

Spyware. This monitors user actions, normally in a limited context, such as search strings and keystrokes. A lot of it is browser based, and much of it includes an adware component. Spyware tends to hook or replace more of the system's functionality, but for the sake of clarity, let us assume that we are only talking about spyware that monitors and possibly redirects input in the browser. In that case, all the caveats for adware apply, and some more. It wouldn't be hard to write a bit of spyware that looked at all the WM_CHAR messages processed in a browser window. For a web-based application, this could represent a huge leak of confidential information. For a non-web-based app, it would again be less of a threat: hooking into the HTML Help viewer would probably only send out the search strings that users were entering against the help. That is probably not all that worrying, but spyware has the power to be much more dangerous than adware – not at all safe.

Remote admin tools. Ouch. These are typically classed as Trojans and range from relatively simple bots, which churn out bulk mail and are controllable only to a limited degree, to more flexible tools that allow file transfer and command lines to be passed. It is pretty easy for a blackhat controlling one of those to install a more complete admin tool (several are commercially available) to allow proxying of the GUI – oh, and blackhats rarely pay licence fees. Just one of those things. If one of the more flexible ones is running then pretty much all bets are off, because it can do pretty much anything that a local admin could do. How much will this affect a given application? It is difficult to say, as these are the most variable of malware types. Worst case, your database could change under you and your data could be snooped. Best case? You run slowly because you are competing with an application that is churning out spam.

Keyloggers. Nasty things, keyloggers, and all too common. Go to eBay and hardware and software keyloggers are freely (and legally) available – and there is no way for software on the host to detect a hardware keylogger. Software keyloggers generally hook in at kernel level and log every keystroke. That steals a lot of data from pretty much any application, browser based or not: credit card numbers, log-ons or whatever else the user types. There is not much mitigation possible against these.

Not much? Well, nothing directly. However, two-factor authentication helps against these. A blackhat could still grab the credentials for your banking application, but unless they use them promptly, on the original system, with the second factor present, they have taken less than they otherwise would: a captured password is reusable indefinitely, whereas a second factor that changes or stays with the user is not.
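To make that concrete, here is an added example (not code from the original post) of why a keylogged second factor is worth less than a keylogged password. It assumes the second factor is a time-based one-time code (RFC 6238 TOTP; the post does not say which kind of second factor it has in mind) and uses the RFC's published test-vector key as a constructed secret, so the generated codes can be checked against the RFC. The server-side verifier accepts one step of clock drift either way but refuses to accept a time step that has already been used, which is what turns a captured code from "valid for up to 90 seconds" into "valid exactly once".

```python
import hashlib
import hmac
import struct

STEP = 30          # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6
WINDOW = 1         # accept one step either side of "now" to absorb clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, now // step)


class TotpVerifier:
    """Server side: accepts a code within +/-WINDOW steps, but never the same step twice."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1   # highest time step already consumed by a successful login

    def check(self, code: str, now: int) -> bool:
        current = now // STEP
        for step in range(current - WINDOW, current + WINDOW + 1):
            # Replay guard: a step at or below the last accepted one is never valid again.
            if step > self.last_step and hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


# Constructed secret: the RFC 6238 test-vector key "12345678901234567890" (ASCII).
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    captured = totp(SECRET, 59)        # what a keylogger sees the user type at t=59 (RFC vector: 287082)
    server = TotpVerifier(SECRET)
    print("user logs in at t=59:       ", server.check(captured, 59))    # True
    print("attacker replays at t=79:   ", server.check(captured, 79))    # False: step already used
    print("attacker replays at t=179:  ", server.check(captured, 179))   # False: outside the window
    print("no replay guard, t=79:      ", TotpVerifier(SECRET).check(captured, 79))  # True: the window is real
```

The last line is the caveat the paragraph above hints at: without the replay guard, a code captured and relayed within the drift window still works, which is exactly the "exploit them promptly on the original system" case. The password, by contrast, would have worked next week too.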

Viruses? We don't see those so much these days, and they typically have limited functionality. They want to be small, and that means that they are fairly simple. It is a similar deal with worms, though they often drop Trojans.

So, is there something that mitigates all of these? Yes, as it happens, there is :-) All of these except pure adware need to be able to contact somewhere else to do their damage. They need to get out of the local area network and onto the internet. A great many companies very sensibly have strong protection against packets coming in from outside. Most companies are more relaxed about connections going out.

What does most malware do if it can't call home? Very little. Remote admin tools sit idle. Keyloggers send their data nowhere (although beware of those that email the collected data: direct outbound SMTP from workstations needs blocking too, with mail allowed out only from the mail server). Spyware reports to no-one.

Good protection against threats coming in can prevent infection. Good protection against data going out is a good mitigation when that fails, because it limits what a compromised machine can leak.
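As an added worked example (not code from the original post), here is what a default-deny egress policy of the kind described above looks like when written down and run over a handful of constructed outbound connection attempts. All addresses, host roles and process names are assumptions for the example: a proxy is the only host allowed to reach the web, an internal resolver is the only host allowed to do DNS to the internet, and the mail server is the only host allowed to speak SMTP outward. Everything else leaving the RFC 1918 ranges is denied, which is what leaves the RAT idle, the keylogger with nowhere to send its log, and the spyware reporting to no-one.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All addresses are constructed for this example (RFC 1918 and RFC 5737 documentation ranges).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
PROXY = "10.0.0.5"         # assumed: the only host that may talk HTTP/HTTPS to the internet
RESOLVER = "10.0.0.2"      # assumed: the only host that may talk DNS to the internet
MAIL_SERVER = "10.0.0.10"  # assumed: the only host that may talk SMTP to the internet


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt as a perimeter firewall would see it."""
    src: str
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    process: str    # reporting only: a host-side label the perimeter cannot verify


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


# Role-based allowlist, evaluated in order: (rule name, predicate). No match means deny.
EGRESS_RULES = [
    ("lan",   lambda f: is_internal(f.dst)),
    ("proxy", lambda f: f.src == PROXY and f.proto == "tcp" and f.dport in (80, 443)),
    ("dns",   lambda f: f.src == RESOLVER and f.proto == "udp" and f.dport == 53),
    ("smtp",  lambda f: f.src == MAIL_SERVER and f.proto == "tcp" and f.dport == 25),
]


def egress_decision(flow: Flow) -> str:
    """Return 'allow:<rule>' for the first matching rule, else 'deny' (default-deny egress)."""
    for name, matches in EGRESS_RULES:
        if matches(flow):
            return f"allow:{name}"
    return "deny"


def audit(flows):
    """Evaluate a batch of flows; returns [(process, 'dst:port/proto', decision), ...]."""
    return [(f.process, f"{f.dst}:{f.dport}/{f.proto}", egress_decision(f)) for f in flows]


# Constructed sample traffic: one infected workstation (10.0.1.25) plus the infrastructure hosts.
SAMPLE_FLOWS = [
    Flow("10.0.1.25", PROXY,          8080, "tcp", "iexplore.exe"),   # browser going via the proxy
    Flow("10.0.1.25", "203.0.113.5",  6667, "tcp", "svchost.exe"),   # RAT calling its IRC controller
    Flow("10.0.1.25", "198.51.100.9",   25, "tcp", "winlogon.exe"),  # keylogger emailing its log directly
    Flow("10.0.1.25", "203.0.113.53",   53, "udp", "explorer.exe"),  # spyware talking DNS to the internet itself
    Flow(PROXY,       "203.0.113.80",  443, "tcp", "squid"),         # proxy doing the real fetch
    Flow(RESOLVER,    "203.0.113.53",   53, "udp", "named"),         # resolver recursing outward
    Flow(MAIL_SERVER, "198.51.100.9",   25, "tcp", "postfix"),       # mail server delivering mail
]

if __name__ == "__main__":
    for process, target, decision in audit(SAMPLE_FLOWS):
        print(f"{process:14} -> {target:24} {decision}")
```

The third flow is the "beware of those that email the collected data" case: the keylogger's SMTP connection is denied not because anyone recognised it as a keylogger, but because only the mail server is allowed to speak SMTP to the outside. The process name column is there for the report only; a perimeter device cannot trust it, which is why the rules key on source host and port rather than on what the packet claims to be.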

Until next time, signing off

Mark