Comments
How Malware Bypasses Our Most Advanced Security Measures
macker490 | User Rank: Ninja | 2/13/2015 | 9:33:38 AM
Re: Thinking like a Hacker
On a special presentation over the BBC on U of M Public Radio, the presenters noted that the internet is more than technology: it is an enabler.

Thus, when technology is used to provide some new service, the hacker will examine that service, asking "what does this enable? How can I redirect this to my own purpose?"

They are patient and they are persistent: if there is a way in, they will find it.
  • MALVERTISING: If I can purchase an ad on a high-traffic web page and then update my ad to include malware, then perhaps I can exploit a privilege escalation in your computer and get my program running in your computer. After that, when you sign into the credit union, I can write myself a check. Or if you do your taxes online, I can steal your ID info.
  • PHISHING: Maybe I can send out some e-mail that looks legitimate but actually carries a TROJAN that can exploit a privilege escalation in your computer. Maybe I can pwn your box and add it to my BOTNET -- or other mischief.
  • SQL INJECTION: If your server is feeding input data directly from the open web into your database, maybe I can send you a script where you are expecting data and get your database to transmit all your files to me.
  • XSS (Cross Site Scripting): Maybe when you are running a popular page I can get an ad or some phish bait to run a malicious script from some hacker page.
  • IDENTITY THEFT: Maybe I can buy your identity from some darknet service such as SUPERGET (see KREBS on this) and come up with the info I need to do your taxes for you. No charge for this service.
  • AUTORUN on a thumb drive is another vector that often works to get malware into your computer.
  • COMPROMISED employee
  • SHORTCUTS -- bypassing security protocols for convenience
  • DOWNLOADS: Perhaps I can offer some cool program, often for free -- and include some unpleasant surprises with the package. Often these come as SCAMWARE where it shows "check this box for this cool added feature" -- and of course the box is already checked for you.
  • SCAREWARE warnings such as "your computer is infected really really bad -- click here and we'll clean it up for you"

ROAD CLOSED

A lot of hacking depends on getting unauthorized programming, aka "malware", aka "virus", into the victim's computer(s). And hacking also makes use of stolen identification data. Reducing hacking depends on closing the openings that are being exploited. Use a secure O/S, where a secure O/S is one which will not permit itself to be modified by the actions of an application program. A bad web page should not be able to infect your operating software. AUTHENTICATE transactions. Transactions include eMail obviously, but also software transmittals and other important business such as your Forms 1040.

Technology is great but remember: it acts as an enabler. Be careful what you enable.
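The SQL INJECTION bullet in the comment above, shown in working code as an added example (not part of macker490's comment): a lookup that pastes web input into the statement text beside the same lookup with a bound parameter. The in-memory SQLite table, its column names and the sample rows are constructed for the illustration.

```python
"""SQL injection: untrusted input concatenated into a query versus bound parameters.

Added example (not part of the comment above). Uses an in-memory SQLite
database with constructed sample rows; table and column names are invented.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small constructed database standing in for a credit union's member table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, ssn_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO members (username, ssn_last4) VALUES (?, ?)",
        [("alice", "1234"), ("bob", "5678"), ("carol", "9012")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Feeds web input straight into the statement text: the input is parsed as SQL."""
    sql = f"SELECT username, ssn_last4 FROM members WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Same query with a bound parameter: the input is only ever compared as a value."""
    sql = "SELECT username, ssn_last4 FROM members WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two constructed attacker inputs. The first turns the WHERE clause into a
# tautology and dumps every row; the second appends a UNION that reads the
# schema (sqlite_master) out of the database. The trailing quote left over
# from the original statement is swallowed by the -- comment.
DUMP_ALL = "x' OR '1'='1"
READ_SCHEMA = "x' UNION SELECT name, sql FROM sqlite_master --"


def demo() -> dict:
    """Run both lookups against both payloads and return the rows each one leaks."""
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, "alice"),
        "vuln_dump": lookup_vulnerable(conn, DUMP_ALL),
        "vuln_schema": lookup_vulnerable(conn, READ_SCHEMA),
        "safe_dump": lookup_safe(conn, DUMP_ALL),
        "safe_schema": lookup_safe(conn, READ_SCHEMA),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the vulnerable lookup, the tautology payload returns all three members and the UNION payload returns the CREATE TABLE text from sqlite_master; the parameterised lookup returns no rows for either, because the payload is compared as a username and nothing else.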
RyanSepe | User Rank: Ninja | 2/12/2015 | 10:39:18 AM
Re: we don't use our most advanced security system
But I love free donuts! My main point is that we need to start thinking like the attackers and planning accordingly instead of always being in reaction mode.

To your point, this would very much include preventative measures and user interaction for a comprehensive approach.
macker490 | User Rank: Ninja | 2/12/2015 | 10:35:50 AM
we don't use our most advanced security system
Hack attacks are associated with unauthorized programming in many cases -- particularly the BLACKPOS and BACKOFF RAM-scrapers used to steal credit card data. These updates are installed on the victims' systems, and this is possible because we fail to authenticate software changes before installing them -- or we are using vulnerable operating software. In many cases vulnerable operating software is exploited by malvertising or phishing -- both of which rely on our failure to authenticate.

In the case of tax fraud, the hacking takes advantage of our failure to authenticate tax returns.

The authentication software -- originally PGP but now also GnuPG -- has been available for some time. As I said: the problem is our failure to properly and effectively use our most advanced security measure: public key encryption.

Proper authentication procedures require user participation. It's not something that can be passed out like free donuts.
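macker490's point about authenticating software changes before installing them, as an added example that is not part of the comment above: a small Python wrapper around GnuPG (the tool the comment names) that accepts a signed file only when gpg's machine-readable status output reports a VALIDSIG from a key fingerprint pinned in advance. Exit status alone is not enough, because gpg exits 0 for a good signature from any key in the keyring, trusted or not. The pinned fingerprint, the file names and the sample status lines are hypothetical and constructed here.

```python
"""Authenticate a software transmittal with GnuPG before installing it.

Added example (not from the comment thread). It shells out to a real ``gpg``
binary with ``--status-fd`` and decides on the machine-readable status lines,
not on exit status or human-readable stderr. The pinned fingerprint and the
file names are hypothetical; the sample status output below is constructed.
"""
import subprocess
from dataclasses import dataclass

# Hypothetical fingerprint of the release-signing key, obtained out of band.
TRUSTED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Any of these status keywords rejects the file outright.
FATAL_KEYWORDS = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "ERRSIG", "NO_PUBKEY"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: str = ""


def evaluate_status(status_text: str, trusted=TRUSTED_FINGERPRINTS) -> Verdict:
    """Decide from gpg's --status-fd lines whether a signature is acceptable.

    GOODSIG alone is not enough: gpg prints it (and exits 0) for any key in the
    keyring, trusted or not. We require a VALIDSIG line and a signing key whose
    primary fingerprint is pinned.
    """
    trusted = {f.upper() for f in trusted}
    fingerprints = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in FATAL_KEYWORDS:
            return Verdict(False, f"gpg reported {keyword}")
        if keyword == "VALIDSIG":
            # fields[2]: fingerprint of the (sub)key that made the signature;
            # fields[11], when present: fingerprint of its primary key.
            fpr = fields[11] if len(fields) > 11 else fields[2]
            fingerprints.append(fpr.upper())
    if not fingerprints:
        return Verdict(False, "no VALIDSIG line: signature not verified")
    for fpr in fingerprints:
        if fpr not in trusted:
            return Verdict(False, "valid signature but key is not pinned", fpr)
    return Verdict(True, "signature from pinned key", fingerprints[0])


def verify_file(data_path: str, sig_path: str, gpg: str = "gpg") -> Verdict:
    """Run gpg on a detached signature and evaluate its status output."""
    proc = subprocess.run(
        [gpg, "--batch", "--no-tty", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True,
        text=True,
    )
    verdict = evaluate_status(proc.stdout)
    if verdict.ok and proc.returncode != 0:
        return Verdict(False, f"gpg exit status {proc.returncode}", verdict.fingerprint)
    return verdict


# Constructed status output, shaped like gpg's real --status-fd lines.
SAMPLE_GOOD = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Release Team <release@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-02-12 "
    "1423728000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
SAMPLE_UNPINNED = (
    "[GNUPG:] GOODSIG FEDCBA9876543210 Somebody Else <else@example.invalid>\n"
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2015-02-12 "
    "1423728000 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98\n"
)
SAMPLE_BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Release Team <release@example.invalid>\n"

if __name__ == "__main__":
    for name, text in [("good", SAMPLE_GOOD), ("unpinned", SAMPLE_UNPINNED), ("bad", SAMPLE_BAD)]:
        print(name, evaluate_status(text))
```

In use, `verify_file("update.tar.gz", "update.tar.gz.sig")` (hypothetical names) should gate the install step: only a `Verdict` with `ok=True` lets the package proceed. The check on the primary-key fingerprint matters because release signatures are commonly made with a subkey, and the pinned value is usually the primary key's.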
RyanSepe | User Rank: Ninja | 2/12/2015 | 8:30:33 AM
Re: Preventative measures?
It seems like that is the general template for now, which is why security needs to promote further innovation instead of increasing the efficiency of the dilapidated safeguards we currently use, as the vectors they seek to protect have already been exploited further than they could effectively catch up to.

I would like to see an increase in security firms seeking to construct new types of malware. I feel that with security professionals trying to think like malicious intenders, we would be able to construct strains similar to the ones that are rapidly appearing. Then in the case of an event we might be ready to mitigate it before it even becomes a threat.
alonnn | User Rank: Apprentice | 2/11/2015 | 7:07:29 PM
Re: Evasion Technique Prevention
Hi RyanSepe,

It'll be tricky to cover this in a single article but we'll definitely try. To at least comment on the techniques part of your question: essentially this is what all AV vendors are doing or trying to do, detect malware regardless of the evasion techniques it uses.
alonnn | User Rank: Apprentice | 2/11/2015 | 7:01:32 PM
Re: Preventative measures?
Hi Whoopty,

Besides keeping your software stack (OS + 3rd party applications) up to date with security patches (and this also includes using the latest versions, especially for the OS, since there are major security-related improvements between major OS versions), the practical solution against malware is having strong endpoint protection.

There is somewhat of an agreement in the security industry that there will always be some exploitable vulnerabilities, and that "something" will always get through. There are some solutions that try and isolate your sensitive data, but the main branch of solutions is about detecting the threat after it got into the system, and being able to mitigate it, before or after malicious code is executed.

In that sense, you're right in a way that it will likely always be infection-scan-cleanup although I would phrase it infection-detection-cleanup. Unless of course everyone writes perfect software :)
Whoopty | User Rank: Ninja | 2/11/2015 | 11:56:49 AM
Preventative measures?
It often feels like beyond practicing basic anti-phishing security and steering clear of pirated software, there isn't much to be done to actively protect yourself from malware. Will it always be a case of infection-scan-cleanup? Will new types of malware always slip through the net until they're identified? 
RyanSepe | User Rank: Ninja | 2/11/2015 | 8:26:19 AM
Evasion Technique Prevention
Can you do a follow up to this article denoting current techniques and strategies to correspond with the evasions you posted? The other side of the coin would be good to have so that they can be critiqued as to why they may not be up to par. This will be helpful for future security architecting.