Preventing Malware Attacks
From CastleCopsWiki
Caution: The article below is currently in beta and has not been reviewed for factual errors.
General
First go to Understanding Computer Infections, and read everything there.
Be especially mindful of the following 3 steps:
- Choosing software to install wisely.
- Configuring a computer system correctly; this includes both the operating system and specific applications such as browsers.
- Keeping up to date with patches.
These three steps will be referenced in subsequent discussion.
As discussed in the Malware Threats article, certain types of malware, like worms and viruses, spread quickly because they are self-propagating or nearly so. Computer infections can be both a curse and a blessing. On the plus side, because such malware threats spread so widely, one can be sure that antivirus companies will quickly get a copy, analyse it, and get it into the signature base posthaste. On the negative side, these malware threats morph so fast that it is quite possible to become infected before the antivirus database is updated and distributed to clients!
The vast majority of such self-propagating malware is spread to other users as an email attachment. Other methods include propagation through network shares and direct probing, but the vast majority of these methods still rely on the user to actually run the attachment. Clearly, prudence in handling email attachments is called for (Step one above).
A small minority of malware threats actually exploit vulnerabilities in the email client or operating system to autoexecute. Therefore, keeping up to date with patches (Step three above) is important.
Now let's compare this to non-propagating malware, say a rootkit hidden as part of a warez game (basically a Trojan horse). Such malware relies completely on the user to download and install the game. As such, the infection rate will be far lower than that of any email-borne worm, since far fewer people will be exposed to it. From the efficiency point of view, antivirus programs generally focus more on widespread worms than on obscure malware. Depending on the quality of the antivirus program, this means the malware sample will not be recognised as malware as quickly, and in some cases might not be added at all, even if brought to the antivirus vendor's attention.
On the other hand, the risk of having a system contaminated by malware is drastically reduced if one refrains from downloading and installing dubious software! (Step one)
There is a class of malware that is midway between the point of downloading, and installing the software itself: driveby downloads. This class of software either tries to automatically install via poor browser configurations or security exploits when browsing the site OR such sites prompt the visitor to install the malware.
The former can be countered by configuring a browser correctly and keeping up with patches (Steps two and three). The latter can be countered by simply realising that clicking "yes" to ActiveX prompts, Java applets, Firefox® extensions, etc. is the same as installing and running a program. Obviously one should wisely consider the consequences of doing so. This is just a disguised example of Step one.
Malware Specific
Adware
Adware typically spreads itself via driveby downloads or by being bundled in some other software.
With certain exceptions, do not rely on an antivirus program to detect adware. Adware is an area that is quickly evolving, and many adware programs are now starting to use rootkit-like technology to hide and resist removal. The technology for detection, and particularly removal, of adware is not yet mature compared to antiviruses, which typically detect at least 90% of in-the-wild samples. Therefore it is advisable to rely on a combination of antispyware detectors. Good behavioral blockers might also help alert when something goes wrong.
Labeling and detecting adware/spyware is also often a legal mine field, so one should be careful to look at detection results, because some of the scanners have bowed to legal pressure and set certain adware follow-on actions to "ignore" automatically rather than "remove."
Keyloggers
Antiviruses are generally competent enough to detect "illegal" keyloggers dropped by worms. However, it is well known that "commercial" or legitimate keyloggers sold on the net are poorly detected by them. The reason for this varies, but one of the speculated reasons is that such keyloggers are used for "legal" purposes by employers to track employee usage of their computers, and they would prefer that the antiviruses installed on those computers keep silent.
There are some specialised keylogger detection programs (e.g. SpyCop For Windows®), but whether they are necessary or not depends on need. It is also possible to detect or block keyloggers by generic methods, such as blocking hooks (SnoopFree, Process Guard, etc.) or blocking kernel-based keyloggers by stopping kernel/driver installations (Process Guard, AppDefend™, etc.). Many keyloggers use rootkit-like methods to hide, so anti-rootkit detectors like Sysinternals' Rootkit Revealer or IceSword might also detect them.
Note however, that software-based solutions cannot detect hardware keyloggers. A visual inspection of the computer, keyboard cable, etc. is required to rule out any such threat.
Other measures such as using virtual keyboards to thwart keyloggers might or might not work, depending on the sophistication of the keylogger (e.g. whether they are smart enough to do screen captures at the right time.)
As always, the best way to stop keyloggers is to watch what is being installed, and restrict access to other users.
Backdoor/Remote Administration Tools
Antiviruses are generally competent enough to detect illegal backdoors installed by worms. However, things get murky when considering legitimate tools like PcAnywhere™, RemoteAdmin, VNC, etc. Some users actually do use such software packages to control their computers remotely, especially in corporate environments.
But, in some cases, such software is installed and configured for nefarious purposes. Thus again for security vendors, this presents a situation similar to that of legitimate keyloggers and, to a certain extent, adware. Security vendors have been threatened with lawsuits for daring to label such software as malware. In response, some security vendors have labeled such administrative tools differently as "potentially unwanted programs", or "riskware" (KAV) in an extended database that might not be used by default. Refer to your antivirus manual for details.
Rootkits
Rootkits have received much attention of late. In theory a 'super rootkit' would be exceedingly hard to detect 'once installed', and it is true that most antiviruses would not have the capability to detect them.
To counter rootkits, there are a lot of specialised antirootkit tools such as F-Secure's BlackLight™, Sysinternals' Rootkit Revealer, IceSword, various hook enumerators, kernel system verifiers, etc. Most of these, with the exception of the first, require some user experience to interpret the results.
As always, the best way to handle rootkits is not to let one install. So, pay attention to what is run. Running with non-administrative privileges, or blocking driver installs, will stop most kernel-based rootkits, although usermode rootkits must still be contended with.
There has also been some debate as to what constitutes a rootkit. Some have charged that many security products (typically of the HIPS or behavior blocker variety) are rootkits themselves, because some rootkit methods are used (for example to hook the SSDT.) Of course, such methods are old hat and have been used by antiviruses for decades. What is new, is that some security vendors have taken to "hiding" their product's presence from the operating system itself. This is in response to evolving malware which actually tries to detect what security programs are running and attempts to subvert it (Typically terminate it.) The theory is that by "cloaking" itself, the security program becomes harder to target.
Of course, "cloaking" is exactly what rootkit programs do, and generic rootkit detectors, which use various methods to detect the presence of hidden objects, will often finger these security products as bad.
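The "hidden object" detection that generic rootkit detectors perform is a cross-view comparison: the same set of objects is enumerated through a high-level interface and through a lower-level one, and anything present in the low-level view but missing from the high-level one is reported as hidden, whether the hider is a rootkit or a "cloaked" security product. The following is an added example, not code from the article or from any of the tools named above; it shows the technique on Linux processes (the Windows tools compare API listings against raw file system and registry data in the same spirit). It assumes a Linux host with /proc mounted; the pid_max fallback and the thread handling are assumptions of this example.

```python
import os


def pids_from_proc():
    """High-level view: every process and thread id that /proc lists.

    Thread ids are included because kill(tid, 0) succeeds for threads too;
    without them a naive diff would flag every thread of a multithreaded
    process as 'hidden' (a classic false positive of this technique).
    """
    ids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
        except OSError:
            pass  # process exited between the two listings
    return ids


def pids_by_probe(max_pid=None):
    """Low-level view: probe each pid with signal 0 (nothing is delivered).

    A hider that filters readdir() on /proc cannot also stop the kernel
    from answering 'this pid exists' to a kill(pid, 0) syscall.
    """
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        except OSError:
            max_pid = 32768  # assumed fallback when pid_max is unreadable
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue  # no such process
        except PermissionError:
            found.add(pid)  # exists, but belongs to another user
    return found


def hidden_objects(listed, probed):
    """Cross-view diff: ids reachable by probing but absent from the listing."""
    return sorted(set(probed) - set(listed))
```

A non-empty result means something is filtering the listing; the method cannot say whether that something is malicious, which is exactly why the cloaked security products described above get fingered too.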
