Malware "best practices"

Ben Scott dragonhawk at gmail.com
Wed Jul 26 14:35:00 EDT 2006


On 7/26/06, Chris Brenton <cbrenton at chrisbrenton.org> wrote:
> Probably the best solution I've seen is corporate wide white listing.
> something similar to this:
> http://www.bit9.com/

  Interesting.

  What I really like are things along the lines of the nix mount(8)
"noexec" option.  If one sets that on filesystems containing
user-writable directories[1], it should drastically reduce the attack
surface.  Combined with standard least privilege restrictions[2], I
think it would be very effective, and a heck of a lot easier to manage
than a whitelist of specific software[5].

  Windows[6] has a feature that can be used to restrict which programs
users can run.  It's buried in Group Policy and is a bitch to
configure, but I've often wondered how it might be put to use in this
way.

[1] Mainly /home and /tmp on nix, and "Documents and Settings" on doze
[2] In other words, don't give regular user accounts admin rights.[3]
[3] I do this, and I find it stops practically all the common malware dead.[4]
[4] I expect that won't last forever, but it's nice right now.
[5] Development machines have been and likely will remain vulnerable points.
[6] Windows NT 5.0 and later

On 7/26/06, Chris Brenton <cbrenton at chrisbrenton.org> wrote:
> With good reason. AV vendors make most of their money off of
> subscription services. So why "fix" something that is not broken in that
> its keeping their bottom line in the black. ;-)

  They certainly have little incentive to improve things on this
front, but I suspect even if they did, there isn't much they could do.
 As already noted, there are many more ways to do bad things than
one can effectively scan for, and whether a thing is "bad" often
depends on context.

> Mass infections are soooo 1990's.

  I wish.  Recall that SQL Slammer hit in 2003, and severely impacted
the whole Internet.  Our mail AV software drops tens of mass-mailed
malware messages every day, and we're a tiny site.  The existence of
sophisticated attacks does not preclude the continuance of
unsophisticated ones.

> Virus writers worth their salt are available for hire and have turned it into a
> business model.

  It's the American dream!  ;-)  [7]

[7] Yes, I'm aware much malware comes from outside the US.

> Over the last three years I've been involved with multiple clients that have had
> their networks breached by custom viruses that easily avoid AV software.
> In fact many of these clients had two different vendor AV solutions
> running in parallel when they've been hit.

  *Very* interesting.  Can you speak more on this, or give pointers to
published info?  Specifically targeted attacks aren't anything new, of
course (indeed, they came first), but a significant increase in
occurrences is another thing entirely.

> The model has changed but IMHO most networks have not changed their
> defense posture to deal. We are still building moats while the enemy has
> taken to the sky to attack from above.

  I find blocking all executable files in email and on the web is
pretty effective.  There's still an arms race factor, but it's a lot
easier to look for "any kind of executable" than it is to look for
"executable that does bad things".

> On the plus side, I have yet to see a Linux box compromised this way.
> It is consistently Windows systems.

  That is likely just a reflection of overall deployment percentages.
If we're talking targeted attacks, there is certainly nothing
preventing anyone from targeting nix.  And Lord knows nix isn't immune
to buffer overflows and other stupid mistakes.

-- Ben
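The mount(8) "noexec" idea from the message above, as an added example that is not part of the original post: a small POSIX sh audit that reads an fstab, looks up the user-writable mount points Ben names (/home, /tmp, plus /var/tmp) and reports which ones lack noexec. The fstab text is constructed for the demo; the device names and mount points in it are assumptions, not from any real host.

```shell
#!/bin/sh
# Added example (not from the original post): audit an fstab for the mount(8)
# "noexec" option on user-writable filesystems. SAMPLE_FSTAB below is
# constructed for the demo; swap in "$(cat /etc/fstab)" to check a live host.

SAMPLE_FSTAB='# <device>   <mountpoint>  <type>  <options>                 <dump> <pass>
/dev/sda1    /             ext3    defaults                  1 1
/dev/sda2    /home         ext3    defaults                  1 2
tmpfs        /tmp          tmpfs   defaults,nosuid,noexec    0 0
/dev/sdb1    /var/tmp      ext3    defaults,noexec,nosuid    1 2'

# fstab_options FSTAB MOUNTPOINT
# Echo the option field for MOUNTPOINT, or nothing if it has no entry of its own.
fstab_options() {
  printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }'
}

# has_noexec OPTIONS -> exit 0 if the comma-separated option list contains noexec
has_noexec() {
  case ",$1," in
    *,noexec,*) return 0 ;;
    *)          return 1 ;;
  esac
}

# noexec_status FSTAB MOUNTPOINT -> echoes "ok", "missing" or "no-entry"
noexec_status() {
  opts=$(fstab_options "$1" "$2")
  if [ -z "$opts" ]; then
    echo no-entry          # no own entry: inherits the parent filesystem's options
  elif has_noexec "$opts"; then
    echo ok
  else
    echo missing
  fi
}

# count_missing_noexec FSTAB MOUNTPOINT... -> echoes how many lack noexec.
# A mount point with no entry of its own counts as missing, since the parent
# filesystem (usually /) is almost never mounted noexec.
count_missing_noexec() {
  fstab=$1; shift
  n=0
  for mp in "$@"; do
    st=$(noexec_status "$fstab" "$mp")
    printf '%-10s %s\n' "$mp" "$st" >&2      # per-mount report goes to stderr
    [ "$st" = ok ] || n=$((n + 1))
  done
  echo "$n"
}

# Stand-alone run against the constructed sample: /home is the one that fails.
missing=$(count_missing_noexec "$SAMPLE_FSTAB" /home /tmp /var/tmp)
echo "$missing user-writable mount(s) without noexec"
```

noexec only refuses direct execution of files on that filesystem; a file can still be read by an interpreter, so it is one layer next to the least-privilege rule in footnote [2], not a replacement for it. On a live host, also compare against the current mount table (`mount` or `/proc/mounts`), since a remount can drop an option that fstab still lists.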
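The "block any kind of executable" rule Ben applies to email and web traffic, as an added example that is not part of the original post: a POSIX sh classifier that decides whether a file is an executable from its leading bytes (the "MZ" header of Windows PE/DOS binaries, the ELF header, and "#!" interpreter scripts) rather than from its file name, so a renamed binary is still caught. The sample files, their names and the temp directory are constructed for the demo; the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): content-based "is this an
# executable?" check of the kind a mail or web gateway can apply. Samples are
# constructed in a temp directory; nothing here is a real attachment.

# file_magic_hex FILE -> first four bytes as lowercase hex, e.g. 4d5a9003
file_magic_hex() {
  od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# classify_file FILE -> echoes "executable" or "other"
# Looking at the bytes, not the extension, means an extension-only rule's
# weakness (a renamed binary) does not apply here.
classify_file() {
  hex=$(file_magic_hex "$1")
  case "$hex" in
    4d5a*)     echo executable ;;   # "MZ": Windows PE / DOS executable
    7f454c46*) echo executable ;;   # "\177ELF": Unix ELF binary
    2321*)     echo executable ;;   # "#!": interpreter script
    *)         echo other ;;
  esac
}

# count_executables DIR -> echoes how many regular files in DIR are executables,
# listing each one on stderr as it would be blocked at the gateway
count_executables() {
  n=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    if [ "$(classify_file "$f")" = executable ]; then
      n=$((n + 1))
      printf 'block: %s\n' "$f" >&2
    fi
  done
  echo "$n"
}

# make_samples -> writes constructed sample files, echoes the directory path
make_samples() {
  d=$(mktemp -d)
  printf '\115\132\220\003rest-of-pe' > "$d/invoice.exe"      # MZ header
  printf '\115\132\220\003rest-of-pe' > "$d/renamed.txt"      # same bytes, innocent name
  printf '\177ELF\002\001\001' > "$d/tool"                    # ELF header
  printf '#!/bin/sh\necho hi\n' > "$d/setup.sh"               # script header
  printf 'Hello, this is plain text.\n' > "$d/readme.txt"     # not executable
  printf '%%PDF-1.4\n' > "$d/report.pdf"                      # not executable
  echo "$d"
}

# Stand-alone run: four of the six constructed files are executables.
SAMPLES=$(make_samples)
echo "$(count_executables "$SAMPLES") executable file(s) under $SAMPLES"
rm -rf "$SAMPLES"
```

The arms-race factor Ben mentions still applies: a gateway rule like this also has to open archives and other containers, since a binary inside a zip shows the archive's signature, not its own. The check is cheap enough to run on every attachment, which is what makes "any executable" a workable policy where "executable that does bad things" is not.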