Skip to main content

Exploit Chaining: Virus, Worm, and Malware Evolution

All y'all might be interested in these articles. I've slogged through hundreds in the last week of evenings, and these are some of the most interesting. The first few regard using Internet Explorer features and defects for installation of trojans. With last Tuesday's release of several new Windows and IE vulnerabilities, it became clear that it was possible to chain together remote-non-root exploits and local-root-exploits, to gain Administrator access on a Windows system remotely, though indirectly. It seemed to me at the time that this would be somewhat complicated and we probably wouldn't see these types of exploits until the universe had harvested the low-hanging-fruit of remote-root exploits. After reading up a bunch this week (someday there will be pop music bemoaning the lonely nights spent with google...) I'm revising that opinion. There already exist documented examples of complex MSIE-exploit-chaining malware in the world, so we can expect to see more. Internet Explorer carved up by zero-day hole Hackers Manipulating Internet Explorer Add-Ons Internet Explorer Being Exploited Mozilla Feeds on Rival's Woes Trojan horse technology exploits Internet Explorer (This one is from 2002, but contains a good description of an interesting exploit, which, if I recall correctly, remains unpatched, and it's possible that some other Windows browsers are vulnerable to similar techniques.) The following articles discuss recent virii and worms using stealth techniques to avoid detection. This is just a sample of information I found on this area, and they don't even mention the simpler techniques used by most worms these days, like selecting process names that resemble or are identical to standard system processes, and polymorphic techniques like changing the process name at start time so it's different on different systems, etc. Stealth Virus is Stealthiest of them All Worm Sleeps to avoid detection Finally, here are some interesting related but miscellaneous bits. The "Worm Design" article is a five-year-old description of an experiment to fold many techniques into a single worm, and despite the poor grammar it's got some interesting and relatively clear descriptions of worm tricks. A few of these techniques have appeared in worms in the last couple years, and a few are becoming "standard" in modern worms. Worm Design Techniques This other article gives a hint about the complexity of virus and worm analysis, and I find it amusing. The author seems to have started out intending to simply explain at a high level how it's done, but then kept thinking of variant and exception cases that required different tools and techniques. The take-home lesson there is that even the people engaged in analyzing these things on a full time basis with the right tools and a well equipped lab have a hard time keeping up with just the technology evolution, let alone all the actual variants. Virus Algorithm Analysis - Kaspersky

Technorati Tags: , , , , , , , , ,

Comments

Post a Comment

Popular posts from this blog

Verified by Visa (Veriphied Phishing?)

If you have used a Visa card to make a purchase online lately you may have encountered a relatively new program, Verified by Visa . I've encountered it twice. The system is an interesting attempt by Visa to reduce online fraud and identity theft. It's a noble effort, but the user experience is unsettling, and the security implications are not exactly crystal clear. Here's what happened to me, both times the Verified by Visa system was activated. I was redirected away from the domain at which I was shopping, to a URL which was: not the domain where I was shopping, not the domain of the bank that issued my card not visa.com I've been telling people for years that if anything like that happens to you, close your web browser immediately and do not under any circumstances enter any personal information into the form, because this is a sure sign of a man in the middle or phishing scam. (Never mind that all the best phishing scams now-a-days look like the actual dom...
20 comments
Read more

SQL Injection - So Easy, Your Server is Already Cracked

In a simple demonstration, a hapless team discovers the truth. "Your server is vulnerable. It's already been cracked. Oh, and by the way, it's already distributing malware for a botnet." A Big Case of Oops! Attitude of management in many organizations is one of the biggest barriers to improved security on the internet. People simply don't want to believe that their systems are vulnerable. Denial is pervasive, and affects organizations from the biggest of the Fortune 500 or Federal government agencies, down to modestly sized companies, local governments, and non-profit corporations. The attitude of the unnamed client described at the "Following the White Rabbit" blog (link above) is all too common. I suspect that an underlying cause is that people want to believe several things that worked pretty well from an evolutionary perspective, but don't work very well on the internet. When everybody around is a bunch of cave dwellers, consumed entirely with...
1 comment
Read more

Splunk acquires Phantom Cyber

I hope it doesn't come across as too cynical, the observation that most acquisitions in the tech domain fail to produce anything useful and often as not wind up killing a promising upstart technology, even if only by accident. I have hope for this one, though. Splunk strikes me as a likely exception. This acquisition of fresh ideas and talent might breathe new life into a solid, if somewhat staid, security company. Splunk’s data analytics gets a security boost with $350 million acquisition of Phantom Cyber
Post a Comment
Read more