Comments
How Malware Bypasses Our Most Advanced Security Measures
macker490
User Rank: Ninja
2/13/2015 | 9:33:38 AM
Re: Thinking like a Hacker
on a special presentation over the BBC on U of M Public Radio the presenters noted that the internet is more than technology: it is an enabler

thus: when technology is used to provide some new service the hacker will examine that service asking "what does this enable?" how can I re-direct this to my own purpose?

they are patient and they are persistent: if there is a way in: they will find it.
  • MALVERTISING: If I can purchase an ad on a high traffic web page and then update my ad to include malware then perhaps I can exploit a privilege escalation in your computer and get my program running in your computer. After that when you sign into the credit union I can write myself a check. Or if you do your taxes online I can steal your ID info
  • PHISHING: maybe I can send out some e-mail that looks legitimate but actually carries a TROJAN that can exploit a privilege escalation in your computer. maybe I can pwn your box and add it to my BOTNET -- or other mischief
  • SQL INJECTION: if your server is feeding input data directly from the open web into your database maybe I can send you a script where you are expecting data and get your database to transmit all your files to me
  • XSS (Cross Site Scripting): maybe when you are running a popular page I can get an ad or some phish bait to run a malicious script from some hacker page
  • IDENTITY THEFT: maybe I can buy your identity from some darknet service such as SUPERGET (see KREBS on this) and come up with the info I need to do your taxes for you. no charge for this service
  • AUTORUN on a thumb drive is another vector that often works to get malware into your computer
  • COMPROMISED employee
  • SHORTCUTS -- bypassing security protocols for convenience
  • DOWNLOADS: perhaps I can offer some cool program, often for free -- and include some unpleasant surprises with the package. often these come as SCAMWARE where it shows "check this box for this cool added feature" -- and of course the box is already checked for you
  • SCAREWARE warnings such as "your computer is infected really really bad -- click here and we'll clean it up for you"

ROAD CLOSED

a lot of hacking depends on getting un-authorized programming, aka "malware", aka "virus", into the victim's computer(s). and hacking also makes use of stolen identification data. reducing hacking depends on closing the openings that are being exploited. Use a secure O/S, where a secure O/S is one which will not permit itself to be modified by the actions of an application program. A bad web page should not be able to infect your operating software. AUTHENTICATE transactions. Transactions include eMail obviously but also software transmittals and other important business such as your Forms 1040.

Technology is great but remember: it acts as an enabler. Be careful what you enable.
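The SQL INJECTION item above describes a server that pastes web input straight into a database query. As an added example (not part of the comment or the article), the following Python script, using only the standard library's sqlite3 module and a constructed three-row "files" table, shows that flawed pattern next to the parameterized query that closes the opening: the same crafted input returns every row from the first function and nothing from the second.

```python
import sqlite3

# Constructed sample data: a small "files" table standing in for the
# database of "all your files" that the comment describes.
SAMPLE_ROWS = [
    ("alice", "alice_return_2014.pdf"),
    ("bob", "bob_return_2014.pdf"),
    ("carol", "carol_return_2014.pdf"),
]


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (owner TEXT, name TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def list_files_vulnerable(conn, owner):
    """The flaw: untrusted input is spliced into the SQL text itself.

    Whatever the client sends becomes part of the query, so a value
    containing a quote can rewrite the WHERE clause and widen the result.
    """
    sql = "SELECT name FROM files WHERE owner = '%s'" % owner
    return [row[0] for row in conn.execute(sql)]


def list_files_safe(conn, owner):
    """The fix: the input travels as a bound parameter, never as SQL.

    The database compiles the query first and substitutes the value
    afterwards, so the input can only ever be compared, not executed.
    """
    sql = "SELECT name FROM files WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed input a web client could submit
    print("normal, vulnerable:", list_files_vulnerable(db, "alice"))
    print("normal, safe:      ", list_files_safe(db, "alice"))
    print("crafted, vulnerable:", list_files_vulnerable(db, crafted))
    print("crafted, safe:      ", list_files_safe(db, crafted))
```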
RyanSepe
User Rank: Ninja
2/12/2015 | 10:39:18 AM
Re: we don't use our most advanced security system
But I love free donuts! My main point is that we need to start thinking like the attackers and planning accordingly instead of always being in reaction mode.


To your point, this would very much include preventative measures and user interaction for a comprehensive approach.
macker490
User Rank: Ninja
2/12/2015 | 10:35:50 AM
we don't use our most advanced security system
hack attacks are associated with un-authorized programming in many cases -- particularly the BLACKPOS and BACKOFF ram-scrapers used to steal credit card data. these updates are installed on the victims' systems and this is possible because we fail to authenticate software changes before installing them -- or we are using vulnerable operating software. In many cases vulnerable operating software is exploited by malvertising or phishing -- both of which rely on our failure to authenticate.

in the case of tax fraud the hacking takes advantage of our failure to authenticate tax returns.

the authentication software -- originally PGP but now also GnuPG -- has been available for some time. As I said: the problem is our failure to properly and effectively use our most advanced security measure: public key encryption.

proper authentication procedures require user participation.   it's not something that can be passed out like free donuts.

RyanSepe
User Rank: Ninja
2/12/2015 | 8:30:33 AM
Re: Preventative measures?
It seems like that is the general template for now. Which is why security needs to promote further innovation instead of increasing the efficiency of dilapidated safeguards we currently use; as the vectors they seek to protect have already been exploited further than they could catch up to effectively.

I would like to see an increase in security firms seeking to construct new types of malware. I feel that with security professionals trying to think like malicious intenders that we would be able to construct strains similar to the ones that are rapidly appearing. Then in the case of an event we might be ready to mitigate it before it even becomes a threat.
alonnn
User Rank: Apprentice
2/11/2015 | 7:07:29 PM
Re: Evasion Technique Prevention
Hi RyanSepe,

It'll be tricky to cover this in a single article but we'll definitely try. To at least comment on the techniques part of your question -- essentially this is what all AV vendors are doing or trying to do, detect malware regardless of the evasion techniques it uses.
alonnn
User Rank: Apprentice
2/11/2015 | 7:01:32 PM
Re: Preventative measures?
Hi Whoopty,

Besides keeping your software stack (OS + 3rd party applications) up to date with security patches (and this also includes using the latest versions, especially for the OS, since there are major security-related improvements between major OS versions), the practical solution against malware is having strong endpoint protection.

There is somewhat of an agreement in the security industry that there will always be some exploitable vulnerabilities, and that "something" will always get through. There are some solutions that try and isolate your sensitive data, but the main branch of solutions is about detecting the threat after it got into the system, and being able to mitigate it, before or after malicious code is executed.

In that sense, you're right in a way that it will likely always be infection-scan-cleanup although I would phrase it infection-detection-cleanup. Unless of course everyone writes perfect software :)

Whoopty
User Rank: Ninja
2/11/2015 | 11:56:49 AM
Preventative measures?
It often feels like beyond practicing basic anti-phishing security and steering clear of pirated software, there isn't much to be done to actively protect yourself from malware. Will it always be a case of infection-scan-cleanup? Will new types of malware always slip through the net until they're identified?
RyanSepe
User Rank: Ninja
2/11/2015 | 8:26:19 AM
Evasion Technique Prevention
Can you do a follow up to this article denoting current techniques and strategies to correspond with the evasions you posted? The other side of the coin would be good to have so that they can be critiqued as to why they may not be up to par. This will be helpful for future security architecting.