heuristics problem (was: Re: Malware "best practices")
bmcculley at rcn.com
Wed Jul 26 21:12:00 EDT 2006
>From: Chris Brenton <cbrenton at chrisbrenton.org>
>On Mon, 2006-07-24 at 15:03 -0400, Ben Scott wrote:
>>
>> > How do you tell when code executing with root privs is malware? (NOT a rhetorical
>> > question btw, I'd seriously like to know if it is possible, and how)
>>
>> For the general case, I don't think you can.
>
That was my thought too, but I refrained from voicing it to
avoid biasing the discussion. If nobody has taken up the
cudgel to dispute this so far I guess it's safe to assume it's
conventional wisdom at the moment. Lord knows this group
would certainly be quick enough to assert the contrary if a
good case could be made! :-)
THANKS!
>Agreed. Look at the latest dll injection code in Metasploit and be
>afraid. ;-)
>
Yes.
>Probably the best solution I've seen is corporate wide white listing.
>something similar to this:
>http://www.bit9.com/
>
>> > Virtual machine with heuristics in the vm host not in the virtualized client.
>>
>> Indeed. I'm told this is the way many IBM mainframe OSes handle
>> security. Don't bother trying to make a secure OS; implement a secure
>> VM, give each subject their own VM, and let them trash it as they
>> like.
I think the mainframe world is concerned with making the VMs
robust enough to endure unintentional abuse not malicious
intent. Outside attackers are controlled at the perimeter,
long before they get to the mainframe. The VMs are used for
keeping QA and devos isolated from production operations, and
there are enough esoteric auditing and access control
facilities to deter the applications developers from
attempting system hacking. Good practice in large shops with
heavy iron includes separation of duties, so sys programmers
and app programmers are in different worlds, and never the
twain shall meet.
>
>At the recent SANS conference in DC Ed Skoudis & Mike Poor of
>IntelGuardians did a pretty cool talk on breaking out of VM's. Seems it's
>not as hard as people might think.
>
Sounds interesting. Were they talking about VMs as VMware, or
did they encompass IBM mainframe OS architectures as well?
I'm very, very interested in knowing that!
Thanks!
-Brucem
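As an added illustration of the "corporate wide white listing" approach mentioned in the quoted reply, here is a small hash-based allowlist check. This is example code written for this page, not Bit9's product and not anything posted to the list; the three sample "binaries", their contents and the function names are constructed for the demo. The point it shows is that the decision is made on the SHA-256 of the file's bytes, so a tampered copy that keeps the approved name is still denied.

```python
import hashlib
import os
import tempfile

# Constructed sample "binaries" (not real executables). The allowlist is
# built from the approved one; the other two stand in for a trojaned copy
# and an unknown program. Names and contents are assumptions for the demo.
APPROVED_BYTES = b"#!/bin/sh\necho backup running\n"
TAMPERED_BYTES = b"#!/bin/sh\necho backup running\n# extra line injected\n"
UNKNOWN_BYTES = b"#!/bin/sh\necho something else\n"


def sha256_of_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_allowlist(approved_paths):
    """Map digest -> path for every approved executable.

    In a corporate deployment this map is the centrally maintained manifest;
    here it is computed on the spot from the approved sample file.
    """
    return {sha256_of_file(p): p for p in approved_paths}


def check_execution(path, allowlist):
    """Decide allow/deny by content hash, never by file name or location.

    Returns (verdict, digest) so a caller can log the hash of a denied file
    for later investigation.
    """
    digest = sha256_of_file(path)
    verdict = "allow" if digest in allowlist else "deny"
    return verdict, digest


def demo():
    """Build an allowlist from one approved file and check three candidates."""
    with tempfile.TemporaryDirectory() as workdir:
        samples = {
            "approved": APPROVED_BYTES,
            "tampered": TAMPERED_BYTES,
            "unknown": UNKNOWN_BYTES,
        }
        paths = {}
        for name, content in samples.items():
            paths[name] = os.path.join(workdir, name)
            with open(paths[name], "wb") as fh:
                fh.write(content)

        allowlist = build_allowlist([paths["approved"]])
        # Only the byte-identical approved file passes; the tampered copy
        # and the unknown program are denied regardless of their names.
        return {name: check_execution(p, allowlist)[0] for name, p in paths.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run it directly and it prints one verdict per sample. Two caveats a practitioner would keep in mind: a real product enforces this inside the operating system's exec path (a kernel hook or agent), not from a script that a user can skip, and hashing on-disk files says nothing about code injected into an already-running approved process, which is exactly the dll-injection concern raised in the quoted reply.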