Measure and counter measure – malware and anti-malware


There is a small, high-tech and rather geeky war going on and the battlefield is your PC. Like any war, each side is trying to learn from the other. This war is for the ownership of resources – and ultimately for money. Maybe most wars are. Let us look at some of the details.


 


Much as it irritates users, sometimes the kindest thing that an administrator can do is to limit the abilities of an unskilled user to harm themselves. There is also the corporate network to consider – the safety of organization sometimes requires that individuals are limited. IE has features to limit what the user can do which an administrator can set. They are detailed here:


 


http://technet.microsoft.com/en-us/library/bb457144.aspx


 


These can be turned against the user by malware and that does sometimes happen. Let us consider a few of them and how malware has used them to protect itself rather than the user:


 


Download signed ActiveX controls – disable that and pretty much every online virus scanner will stop working.


 


Various settings allow the administrator to block the downloading of various file types including .exe files – which would prevent the user from downloading a lot of the “quick fix” type of malware removers.


 


Sites can be added to the restricted zone – and if security sites are added to this zone, the user is effectively blocked from them.


 


Group policies can also be set even if the machine is not in a domain.


 


We have seen malware doing these things lately. Of course, if the user is an admin (and home users generally are) then the changes can be reversed if the user knows how - but many home users do not.


 


For quite a while, one tool in the arsenal of the techie removing malware is to alter the rights on an executable using cacls to prevent it running. The same trick has been used maliciously to block access to cmd.exe – The black hats have access to all the same tricks as we do.


 


The white hat community has stolen a trick or two in their turn. Anti-virus solutions increasingly hijack the kiservicetable or overwrite function prologues to try to prevent malware doing the same or to detect malware by getting underneath it. One of the truisms of malware detection is that you can only trust the layer above you because you have complete visibility of it. Conversely, it is hard to see what has happened below you because it may be changing your behavior without you knowing – a malicious kernel fooling a benign application. The phrase that we most commonly use is “He who hooks lowest wins”. Anti-virus and virus are both heading down the stack from userland to kernel and eventually to hypervisor level.


 


Malware tries to hide from antivirus programs and kills AV products when it can. Some AV software is now using stealth technology to hide from malware and try to avoid being killed or more commonly, crippled to leave the appearance of function without actually blocking the malware. It can be a challenge to work out whether subversion of the kernel is benign or malicious without a good rummage around in the debugger.


 


So, we have measure and counter measure, each sharing the same tools. The legitimate software community has more resources but the malware industry has everything to play for. The balance shifts all the time and it may well be that user education and not technology has the most to contribute. Social engineering remains the number one way to compromise a system… and maybe limiting the user is the lesser of the two evils.


 


Of course, we have done this in a very small but important way. Later versions of the browser on later operating systems run content with fewer rights. Most users never notice.


 


We live in interesting times, my friends


 


Signing off


 


Mark


 

Skip to main content