*>>Once code is running as system, it's irrelevant what system you try to
put in place to prevent it.*

True.


*>>Whitelisting is not going to help, because the rootkit can simply report
that it's notepad.exe (or whatever) to your whitelisting software.*

I think we have a very different understanding of how enterprise-level
whitelisting technology works in terms of running code.


*>>The same way that a rootkit reports it's something else to your file
system filter (typically what AV uses)*

Actually, most rootkits that I am aware of operate in a different fashion.
They interject themselves into the kernel so that they can manipulate the
results of any process list requests or file system requests.

As Ed mentioned, no one is suggesting that there are many good options for
protection *after* your machine has been infected with a rootkit.   At that
point, it's too late.

When it comes to prevention, however, whitelisting technologies rely not on
simple name comparisons, but also combinations involving executable hash,
identification of parent process, file system location, etc.  Where a
typical AV utility is unable to identify the new rootkit app that was just
built 2 hours ago and is looking to gain a foothold on your system (because
of the lack of an appropriate signature or anything that triggers the
heuristics), a whitelisting solution will simply prevent the rootkit
executables from executing because they do not match the identification of
an app that is approved for operation in the folder in question.

Both of the aforementioned technologies have some caveats, but the problems
with relying on being able to identify bad code continue to increase to the
point of becoming counterproductive.  It is certainly not sustainable.
Security solutions that focus on identifying bad are subject to more
change, and perform with less accuracy than those which identify the good.
And they can be sustained.

(TopLayer, providers of some of the fastest and most accurate IPS devices I
have ever had the pleasure of testing, have deprecated the use of signatures
significantly.  They represent less than 10% of the effectiveness of the
device)

Given the current scale of the threats, we need to approach the protection
differently.  Signatures do not need to go away entirely (or immediately),
but other approaches need to be more widespread if we hope to gain any
ground on the malware writers, and stop wasting so much corporate time
guarding our windows and doors.

We also need time to put more effort into regulating execution and
automation of what used to be considered "data", such as PDF files.   Just like
the prevalence of office macro viruses has diminished due to better controls
of the application, so too must the same functionality be built for PDF
readers and the apps for other popular "active" data types.

-ASB: http://XeeSM.com/AndrewBaker
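To make the "identification" point above concrete, here is a small execution-control policy check written for this post (it is not code from any product or from anyone on the list). It approves a binary by the combination the message describes: the hash of the image actually loaded, the location it runs from, and the parent that launched it. The name a process reports about itself never enters the decision, which is why a dropper calling itself notepad.exe gets nothing from the claim. The binaries, paths, parent names and rule set are all constructed for the illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class WhitelistRule:
    """One approved executable: identified by content hash, location and parent."""
    sha256: str
    path: str                          # full path the image is approved to run from
    allowed_parents: Tuple[str, ...]   # parent image names allowed to launch it


@dataclass(frozen=True)
class ExecEvent:
    """What an execution-control enforcement point sees when a process starts."""
    reported_name: str   # the name the process claims; untrusted and unused below
    path: str            # path the image was actually loaded from
    image: bytes         # bytes on disk, hashed by the enforcement point itself
    parent_name: str     # image name of the launching process


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def norm_path(p: str) -> str:
    # Windows paths are case-insensitive; compare a canonical form.
    return p.replace("/", "\\").lower()


def evaluate(event: ExecEvent, rules: List[WhitelistRule]) -> Tuple[str, List[str]]:
    """Return ("allow", []) or ("deny", [reasons]).

    Default deny: an image runs only if some rule matches its location, its
    hash and its parent. The self-reported name is deliberately ignored.
    """
    reasons: List[str] = []
    at_location = [r for r in rules if norm_path(r.path) == norm_path(event.path)]
    if not at_location:
        return "deny", [f"no approved application at {event.path}"]

    actual_hash = sha256_hex(event.image)
    for rule in at_location:
        if rule.sha256 != actual_hash:
            reasons.append(f"hash mismatch at {event.path}: {actual_hash[:12]}... is not approved")
            continue
        if event.parent_name.lower() not in {p.lower() for p in rule.allowed_parents}:
            reasons.append(f"parent {event.parent_name} is not approved to launch {rule.path}")
            continue
        return "allow", []
    return "deny", reasons


# Constructed stand-ins for two binaries; real images would be read from disk.
NOTEPAD_IMAGE = b"MZ\x90\x00 constructed stand-in for the approved notepad.exe"
DROPPER_IMAGE = b"MZ\x90\x00 constructed stand-in for a dropper built two hours ago"

# Constructed rule set: one approved application in one approved folder.
RULES = [
    WhitelistRule(
        sha256=sha256_hex(NOTEPAD_IMAGE),
        path=r"C:\Windows\System32\notepad.exe",
        allowed_parents=("explorer.exe", "cmd.exe"),
    ),
]

# Constructed start events, each claiming to be notepad.exe.
SAMPLE_EVENTS: Dict[str, ExecEvent] = {
    # Real binary, approved folder, approved parent.
    "legit": ExecEvent("notepad.exe", r"C:\Windows\System32\notepad.exe",
                       NOTEPAD_IMAGE, "explorer.exe"),
    # Dropper named notepad.exe, but running from a temp folder.
    "renamed_in_temp": ExecEvent("notepad.exe", r"C:\Users\bob\AppData\Local\Temp\notepad.exe",
                                 DROPPER_IMAGE, "explorer.exe"),
    # Dropper written over the approved path: location matches, hash does not.
    "overwritten_in_place": ExecEvent("notepad.exe", r"C:\Windows\System32\notepad.exe",
                                      DROPPER_IMAGE, "explorer.exe"),
    # Genuine binary, but launched by a document reader rather than the shell.
    "odd_parent": ExecEvent("notepad.exe", r"C:\Windows\System32\notepad.exe",
                            NOTEPAD_IMAGE, "AcroRd32.exe"),
}


def run_samples() -> Dict[str, str]:
    """Decision for each constructed event, keyed by sample name."""
    return {name: evaluate(ev, RULES)[0] for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:22s} {evaluate(ev, RULES)}")
```

Only the first event is allowed; the other three are denied for a location, hash or parent mismatch, and the denial reasons say which. The check is only meaningful where the message places it: at prevention time, with the enforcement point hashing the image itself, before anything is running in the kernel that could lie to it.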


On Tue, May 11, 2010 at 11:28 AM, Ken Schaefer <k...@adopenstatic.com> wrote:

> > Personal experience with dealing with r00ted systems that have bypassed
> > AV controls has shown me a lot about how nefarious these attacks can be
>
> Once code is running as system, it's irrelevant what system you try to put
> in place to prevent it.
> Whitelisting is not going to help, because the rootkit can simply report
> that it's notepad.exe (or whatever) to your whitelisting software. The same
> way that a rootkit reports it's something else to your file system filter
> (typically what AV uses)
>
> You're a CISSP - you should know that once the system is rooted you do not
> own it. You have some variable % of being able to recover the system using
> tools, but the only guaranteed way to recover the system is to restore from
> known good media.
>
> And the vulnerability you were talking about requires the AV software's
> thread to be pre-empted, and between some code being run, and the rest being
> run, some user-mode variables are changed. Again: how is whitelisting going
> to help here? My contention is that it can't. Your explanation as to how it
> can?
>
> Cheers
> Ken
>
> -----Original Message-----
> From: Ziots, Edward [mailto:ezi...@lifespan.org]
> Sent: Tuesday, 11 May 2010 11:13 PM
> To: NT System Admin Issues
> Subject: RE: Life just keeps getting better....
>
> Ken,
>
> Personal experience with dealing with r00ted systems that have bypassed AV
> controls has shown me a lot about how nefarious these attacks can be, and I
> am still learning a lot about the infector vectors and how to provide
> controls to prevent them. If AV doesn't have a signature for the attack that
> the current malware has employed, then it's pretty trivial to do file system
> infection, Trojan dropping, rootkit installation etc etc, trust me the
> malware authors/writers are still well ahead of us in the battle and will
> probably continue to be for quite some time. Also I am not advocating any
> approach except that AV by itself is almost worthless as a system control
> anymore. But when you are dealing with like 10K+ new samples a day of
> virus/malware then its pretty hard for any AV vendor to keep up with
> signatures to detect them all.
>
> I would rather not turn this into a flame war, if you disagree, that is
> perfectly fine, and you are well without your rights, please feel free to
> contact me offline we can ramble it out there accordingly.
>
> Always love a good discussion about this subject as painful as it is for
> business these days.
>
> Thanks
> EZ
>
> Edward Ziots
> CISSP,MCSA,MCP+I,Security +,Network +,CCA Network Engineer Lifespan
> Organization
> 401-639-3505
> ezi...@lifespan.org
>
>
> -----Original Message-----
> From: Ken Schaefer [mailto:k...@adopenstatic.com]
> Sent: Tuesday, May 11, 2010 11:01 AM
> To: NT System Admin Issues
> Subject: RE: Life just keeps getting better....
>
> -----Original Message-----
> From: Ziots, Edward [mailto:ezi...@lifespan.org]
> Subject: RE: Life just keeps getting better....
>
> > On Access, most of the rootkits on the systems have hidden themselves
> > from AV, therefore rendering its "On Access" detection useless.
>
> How does a rootkit manage to hide itself in the first place? You can only
> hide yourself from FSF if you have hooked the relevant system calls in the
> first place. On access should detect that before it happens.
>
> > It's not whether AV is good or not, it's just a race not worth running
> > anymore trying to fight common threat vectors with signature techniques.
>
> Irrelevant to the point. You were talking about whitelisting vs
> blacklisting, and yet are unable to explain how whitelisting helps in the
> scenario you talked about.
>
> Suggest you understand the situation before advocating some solution that
> doesn't solve the problem.
>
> Cheers
> Ken
>
>
>
> Been using CSA here for about 5+ yrs and it's cut down the Malware/Spyware
> drastically, due to controlling code execution period, it's hooked into the
> Kernel so it can't be bypassed, and has saved the bacon more than a few
> times.
>
> Too bad Cisco royally screwed up CSA 6.0 and is discontinuing V5.0 which
> leaves folks in a pickle and looking for other solutions and application
> whitelisting seems to be the best of the choices atm. It's not fool-proof,
> but again it's controlling execution, and you have a method of vetting what
> software is good and what is bad in your environments, which is a ton better
> than just putting AV on the system and calling it a day...
>
> Z
>
> Edward Ziots
> CISSP,MCSA,MCP+I,Security +,Network +,CCA Network Engineer Lifespan
> Organization
> 401-639-3505
> ezi...@lifespan.org
>
>
> -----Original Message-----
> From: Ken Schaefer [mailto:k...@adopenstatic.com]
> Sent: Tuesday, May 11, 2010 10:44 AM
> To: NT System Admin Issues
> Subject: RE: Life just keeps getting better....
>
> How is whitelisting or blacklisting going to help? Answer: it's not. The
> problem is thread pre-emption and storing values in user-mode memory space
> where it can be altered (assuming you can get the timing right).
>
> But, if your AV was any good, it would detect the problem "on access"
>
> Cheers
> Ken
>
> -----Original Message-----
> From: Ziots, Edward [mailto:ezi...@lifespan.org]
> Sent: Tuesday, 11 May 2010 9:16 PM
> To: NT System Admin Issues
> Subject: RE: Life just keeps getting better....
>
> You can also read the blurb on SANS's ISC page also, some vendors say it's
> important, and of course McAfee discredits it, not that surprises me. But it
> is an attack vector to consider. Controlling the execution of code on your
> system is the difference between keeping your systems clean and getting
> 0wned. Whether you look at HIPS/Whitelisting/Blacklisting, otherwise, you
> are going to have to have more on your systems than just AV to combat today's
> threat landscape.
>
> Sincerely,
> EZ
>
> Edward Ziots
> CISSP,MCSA,MCP+I,Security +,Network +,CCA Network Engineer Lifespan
> Organization
> 401-639-3505
> ezi...@lifespan.org
>
> -----Original Message-----
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Tuesday, May 11, 2010 9:11 AM
> To: NT System Admin Issues
> Subject: Re: Life just keeps getting better....
>
> On Mon, May 10, 2010 at 12:40 AM, Kurt Buff <kurt.b...@gmail.com> wrote:
> > How to bypass almost all AV software
> >
> >
> http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php
>
>  Sophos's response:
>
> http://www.sophos.com/blogs/duck/g/2010/05/11/khobe-vulnerability-earth-shaker/
>
>  They're an AV vendor and thus not a disinterested party, so take it as you
> like.
>
> -- Ben
>
>
>
