heuristics problem (was: Re: Malware "best practices")

Chris Brenton cbrenton at chrisbrenton.org
Wed Jul 26 13:22:01 EDT 2006


On Mon, 2006-07-24 at 15:03 -0400, Ben Scott wrote:
>
> > How do you tell when code executing with root privs is malware?  (NOT a rhetorical
> > question btw, I'd seriously like to know if it is possible, and how)
> 
>   For the general case, I don't think you can. 

Agreed. Look at the latest DLL injection code in Metasploit and be
afraid. ;-)

Probably the best solution I've seen is corporate-wide whitelisting,
something similar to this:
http://www.bit9.com/

> > Virtual machine with heuristics in the vm host not in the virtualized client.
> 
>   Indeed.  I'm told this is the way many IBM mainframe OSes handle
> security.  Don't bother trying to make a secure OS; implement a secure
> VM, give each subject their own VM, and let them trash it as they
> like.

At the recent SANS conference in DC Ed Skoudis & Mike Poor of
IntelGuardians did a pretty cool talk on breaking out of VMs. Seems it's
not as hard as people might think.

Doesn't look like they've posted the work on their site as of yet, but
they do have some interesting AV info:
http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss407_art803,00.html

Pretty much mirrors what Ben is saying.

HTH,
Chris
