Ron DuFresne wrote:
>
> Nice suggestion, but, incorrect I think. A trojan is nothing but a
> variant of a virus, let the proper software deal with it.
Oh, no. Not another terminology war. Perhaps we should define network,
open, switch, and hacker while we're at it :)
To wade in momentarily, and against my better judgment: a virus spreads
itself, while a trojan is a generic term for something that carries
something hidden and hostile inside itself. A lot of people confine
the definition to something that listens on a port and lets others
control the computer. In the strictest definition, Back Orifice isn't a
trojan. The program that it was attached to (if any) is. A trojan doesn't
have to have any self-replicating functionality, and often doesn't, so you
can't call a trojan a virus, which definitely does have replication
included in its definition.
Now that I've shlopped through the muck, I'm going to have to forcefully
say that IT DOESN'T MUCH MATTER. It's all malware and it's all code running
on the desktop from one of four sources:
1) I ran it (social engineering, clicked email attachments, trojaned or
virus laden downloads)
2) My application ran it:
a) my app *automatically* allowed code to run that had the power to do
something I didn't want it to do. Most likely because of file extension
associations. For example wsh, hta, or pl scripts. Note that if the user
was required to click the script, this falls under #1, not here.
b) my app allowed code to run that wasn't supposed to have the power to
do what it did. For example, the numerous bugs reported in various
ActiveX controls that are exploited by scripts. This sometimes involves 2c.
c) my app ran code directly submitted by an outsider. For example, a
web server or email client buffer overflow.
If we attack this using tools on the desktop, they're all going to be
susceptible to compromise from any of the above sources. Microsoft is getting
blasted for 2a and 2b. Items 1 and 2c have been with us for decades across
platforms.
AV products traditionally handle malware of any type by code pattern
recognition. It will stop malware of any type THAT IT KNOWS ABOUT if the
AV product's feature that examines code as it is loaded is enabled. No
traditional AV product that I am aware of will stop a running process once
it is started, i.e. remote control trojans. No AV product will stop a 2c
attack like a buffer overflow because the code is already in executable
memory.
To defeat AV products, you write new code, disguise old code, turn off the
AV product, or attack an in-memory process.
Desktop firewalls deal with malware, rather incidentally IMHO, by blocking
unauthorized communications. In one sense, they are a good generic defense
against things that you don't want talking on the network like trojans because
they don't have to be updated to recognize a particular trojan. However, and
this is a BIG however, they allow the malware to run... they just block its
communications. This means the malware is free to do anything to the machine
it wants... including reconfiguring the desktop firewall, turning it off,
replacing any file names or checksums, etc. Like AV products, desktop
firewalls haven't traditionally stopped a running process.
To defeat a desktop firewall, simply have your code turn it off or otherwise
undermine its operation.
Sandbox products block malware by not letting it do things that could hurt
the machine. I'm not personally familiar with any of the commercial offerings.
I think there is a product from Finjan that works like this. But for comparison
purposes, think of them as similar to a Java Virtual Machine. They turn the
general purpose PC into a restricted machine. Of course, the average user
doesn't want a restricted machine so I'm not sure how well this will work.
I would imagine it would depend upon a database of authorized "good programs"
that are allowed to do what they want. Unknown programs are probably authorized
at the user's request, similar to desktop firewall authorizations, which means
they have similar vulnerabilities. Sandbox products probably come closest to
implementing the ultimate "prevention" software Dave Mikulka was requesting
if you consider all malware and not just viruses. Personally, I don't care
if it's a replicating virus if it's going to delete my C: drive... I just want
it stopped.
In all cases, the access control is in the hands of the end user. As long
as they can run any code they want, and as long as they're using a general
purpose computer that allows the code complete access, any desktop resident
security code is built on sand. Now we can build some pretty intimidating
fences in sand that are hard to get through but we'll always be seeing
those magazine articles saying "SecureFence isn't Secure" because of one
newly found and implemented exploit or another.
True, a more protected operating system like unix or NT would protect
user accounts from compromising the whole machine or kernel level
security, but how many end users, particularly those at home, are going
to put up with the complexity? If they login as admin or root to install
that neat software they just downloaded (trojaned and virus laden of
course), the results are going to be the same. In addition, if the end
user can freely create files and open sockets, they're still vulnerable
to having personal data compromised.
You know, a lot of folks jokingly suggest that the AV companies write
viruses to keep themselves in business. If I were a suspicious person,
I'd more likely suspect the for-profit software vendors, as they have
an interest in discouraging people from running unblessed code. :)
Unfortunately, with our present computer architectures, unblessed code
on our unrestricted desktops will always defeat any security measure
put on them. Computers are presently too complex for untrained personnel
to keep up completely with what code should be trusted and what code
shouldn't be. This means an entertainment computer that is used to
download unknown code should probably not also be used for sensitive
applications.
While our highways are vulnerable to wrong way drivers, our overpasses
to bricks, our communications to pirate transmitters, our windows to
rocks, our mailboxes to thieves, and our parks to thugs, those perpetrators
don't have the advantage of instant worldwide access, near anonymity,
lagging laws and enforcement, and a public that hasn't yet made up
its mind whether their activity is a crime.
I'm ranting. Sorry. I'm going home.
--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/info-security/engineering/runsafe.shtml
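An added illustration (not part of the original post) of the contrast Gary draws between AV-style code pattern recognition, which only stops what it already knows about, and the sandbox-style database of authorized "good programs" he speculates about. All "programs", signatures and hashes below are constructed sample strings, not real software.

```python
"""Toy comparison of the two control models described in the post:
signature matching (traditional AV) versus an allowlist of known-good
programs (the author's guess at how sandbox products decide).
All sample "programs" are constructed byte strings, not real malware."""
import hashlib

# Constructed sample programs (strings standing in for executables).
KNOWN_GOOD = {
    "editor.exe": b"editor v1: open file, edit text, save file",
    "mailer.exe": b"mailer v2: fetch mail, show mail",
}
# A constructed known-bad sample and a copy with one byte changed,
# standing in for the "disguise old code" case the post mentions.
KNOWN_BAD = b"rc-trojan: listen on port, accept remote commands"
DISGUISED_BAD = KNOWN_BAD.replace(b"port", b"p0rt")

# AV-style signature database: byte patterns taken from known samples.
SIGNATURES = {"rc-trojan": b"listen on port, accept remote commands"}
# Sandbox-style database of authorized programs, keyed by content hash.
ALLOWLIST = {hashlib.sha256(c).hexdigest() for c in KNOWN_GOOD.values()}


def av_verdict(code: bytes) -> str:
    """Scan code as it is loaded: blocks only patterns it knows about."""
    for name, pattern in SIGNATURES.items():
        if pattern in code:
            return f"blocked ({name})"
    return "allowed"


def allowlist_verdict(code: bytes, user_approves_unknown: bool = False) -> str:
    """Default deny: unknown code runs only if the user authorizes it.
    That prompt is the same weak point the post notes for desktop
    firewall authorizations, so it is modelled as an explicit flag."""
    if hashlib.sha256(code).hexdigest() in ALLOWLIST:
        return "allowed (known good)"
    if user_approves_unknown:
        return "allowed (user authorized)"
    return "blocked (unknown)"


def compare(code: bytes) -> tuple:
    """Both verdicts side by side for one sample program."""
    return av_verdict(code), allowlist_verdict(code)


if __name__ == "__main__":
    for label, sample in (("known bad", KNOWN_BAD), ("disguised", DISGUISED_BAD)):
        print(label, compare(sample))
```

The one-byte change slips past the signature check but is still unknown to the allowlist; the allowlist only fails once the user approves the unknown program, which is exactly the prompt-fatigue weakness the post attributes to firewall authorizations.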