
Shield and sword

Here I look at all this struggle (antivirus companies versus virus and trojan writers) and I understand that the situation resembles the joke about the hen running from the rooster ("am I not running too fast?").

Let me explain. In one comment I spotted a good phrase: the end user will give up their money either way, either to the attackers or for an antivirus. Everybody, ultimately, is ruled by money; hello, capitalism! It is not profitable for anyone to make a proactive antivirus that works without signatures, because what would the antivirus vendors sell then? Anticipating the obvious objections, I will clarify: an antivirus that works without constantly updating its base of behavioural-analysis rules.


What do we have today? Two large classes of malware: mass malware (Zeus, ZeroAccess, Sality and the like) and APT (read: malware written for specific tasks). Who are the main buyers of anti-virus products? Right, large companies. The main damage to them is done by APT-class threats, because the mass stuff is detected already. Now, attention: who is stopping the vendors from keeping track of new bypass techniques (which, in fact, is what APT rests on)?

Code injection the way Richter's book describes it (the classic WriteProcessMemory / CreateRemoteThread approach) no longer flies, of course (thank goodness, antiviruses at least catch that one). The two most popular vehicles today are CreateProcess (suspended) / MapViewOfSection / QueueUserAPC / ResumeThread and Shell_TrayWnd / SetWindowLong / SendNotifyMessage. And they have been known in the narrow circles of trojan writers since 2009 (or even earlier), by the way. Who stopped the vendors from detecting and closing them is a mystery shrouded in darkness.

A simple example: injection into svchost.exe by starting it in the suspended state. Is it really that hard to write a proactive rule that svchost.exe always starts under a service account (SYSTEM, LOCAL SERVICE or NETWORK SERVICE) as a child of services.exe, and never on behalf of some other user? That is why APT exists: the antivirus developers could not care less. They operate on a different principle: once there is an infection on a hundred thousand computers we add a signature, and the proactive component has nothing left to do; besides, it eats a lot of resources and memory.

One gets the impression that anti-virus analysts are busy solely with analysing the next APT threat, thinking: "Damn, how was that even possible?" The fact that all sorts of underground forums (WASM, DaMaGeLaB and their kin) are busily peddling malware with assorted new tricks and regularly hold post-mortems of what got detected seems to escape their notice.

Apparently, the money for an antivirus is paid for a sense of false security, not for protecting the computer from infection.

Every report on the latest cyber-espionage campaign begins with the words: as a result of an investigation commissioned by a company that wished to remain anonymous, our "experts" discovered a new piece of malware that has been active for N years (where N varies, on average, from two to five). That is, APT is not detected by antiviruses (which is logical) but is found by hand. So where are all those much-praised proactive technologies?

One of the points of this note is this: how long will the antivirus shops keep feeding us marketing noodles? Maybe they should get to work (constantly monitoring what is going on in the enemy camp) instead of scribbling reports in the style of "look what we found here!"

Separate greetings to the sandbox fans; I was once rebuked in the comments that the sandbox would save the father of Russian democracy. One should not forget the principle, however, that whatever the user can do, a program running on that user's behalf can do too. For those particularly interested in the topic of isolation, see the Qubes OS project by Joanna Rutkowska.

There is always a contradiction between convenience and security: the safer, the less convenient. The analogy with dictatorship and democracy suggests itself. As long as antivirus programs keep to the Windows style of security (whatever is not forbidden is allowed), nothing good will happen.

Again, an example: svchost.exe sits among the trusted applications, because Windows updates go through it. So what next? Yes, write a rule that it may only connect to Microsoft servers! But no: what if we update inside the corporate network via WSUS? This is where Sophos gets it right: by default it does not even allow itself to update (you have to write the rule yourself).
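Both svchost.exe rules from this note (the process rule above: start only from services.exe under a service account; and the network rule: talk only to update hosts, plus an explicitly configured WSUS server) expressed as detection logic over constructed Sysmon-style events. This is an added example, not code from the original post or from any vendor. Assumptions: the event field names follow Sysmon event ID 1 (ProcessCreate) and 3 (NetworkConnect); MS_UPDATE_SUFFIXES is an illustrative allowlist, not Microsoft's official endpoint list; wsus.corp.example and every sample event are constructed.

```python
"""Proactive svchost.exe rules as detection logic (added example, not from the original post).

Rule 1 (process creation): a genuine svchost.exe lives in System32, is spawned by
services.exe, runs under a service account and carries a "-k <group>" argument.
An svchost.exe started by some other parent under an interactive user, as in the
suspended-start injection trick, violates all of that at once.

Rule 2 (network): svchost.exe may connect only to Microsoft update hosts or to an
explicitly configured WSUS server. With no WSUS configured, the internal update
connection is flagged, which is the "write the rule yourself" default described.

Assumptions: event fields follow Sysmon event ID 1 / 3 names; MS_UPDATE_SUFFIXES is an
illustrative allowlist, not Microsoft's official endpoint list; all events are constructed.
"""
from __future__ import annotations

from typing import Optional

SVCHOST_PATH = r"c:\windows\system32\svchost.exe"
SERVICES_PATH = r"c:\windows\system32\services.exe"
SERVICE_ACCOUNTS = {
    r"NT AUTHORITY\SYSTEM",
    r"NT AUTHORITY\LOCAL SERVICE",
    r"NT AUTHORITY\NETWORK SERVICE",
}
# Assumed allowlist of update host suffixes; the real set is documented by Microsoft and changes.
MS_UPDATE_SUFFIXES = ("windowsupdate.com", "update.microsoft.com", "delivery.mp.microsoft.com")


def is_svchost(image: str) -> bool:
    """True if the image's file name is svchost.exe, whatever directory it sits in."""
    return image.lower().rsplit("\\", 1)[-1] == "svchost.exe"


def check_svchost_start(ev: dict) -> list[str]:
    """Rule 1. Returns the violated expectations for a ProcessCreate event (empty = legitimate)."""
    if ev["EventID"] != 1 or not is_svchost(ev["Image"]):
        return []
    reasons = []
    if ev["Image"].lower() != SVCHOST_PATH:
        reasons.append(f"image path {ev['Image']} is not the System32 binary")
    if ev["ParentImage"].lower() != SERVICES_PATH:
        reasons.append(f"parent {ev['ParentImage']} is not services.exe")
    # Caveat (assumed, beyond the 2014 post): Windows 10 per-user services run svchost.exe under
    # the logged-on user, still as a child of services.exe; a production rule would allowlist
    # those by their "-s <service>" name instead of treating every user-account svchost as hostile.
    if ev["User"].upper() not in SERVICE_ACCOUNTS:
        reasons.append(f"runs as {ev['User']}, not a service account")
    if " -k " not in f" {ev['CommandLine'].lower()} ":
        reasons.append("no -k service group on the command line")
    return reasons


def check_svchost_network(ev: dict, wsus_host: Optional[str] = None) -> list[str]:
    """Rule 2. wsus_host is the site-specific exception; None reproduces the strict default."""
    if ev["EventID"] != 3 or not is_svchost(ev["Image"]):
        return []
    dest = ev["DestinationHostname"].lower()
    if any(dest == s or dest.endswith("." + s) for s in MS_UPDATE_SUFFIXES):
        return []
    if wsus_host is not None and dest == wsus_host.lower():
        return []
    return [f"svchost.exe connected to {dest}:{ev['DestinationPort']}, not an allowed update host"]


def run_rules(events: list[dict], wsus_host: Optional[str] = None) -> list[tuple[int, list[str]]]:
    """Apply both rules; returns (EventID, reasons) for every event that fires."""
    alerts = []
    for ev in events:
        reasons = check_svchost_start(ev) + check_svchost_network(ev, wsus_host)
        if reasons:
            alerts.append((ev["EventID"], reasons))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\NETWORK SERVICE",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k NetworkService"},
    # The injection case: svchost.exe started (suspended) by a dropper under the logged-on user.
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "User": r"CORP\alice",
     "CommandLine": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "download.windowsupdate.com", "DestinationPort": 80},
    # Internal WSUS server: legitimate, but only if the rule has been told about it.
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "wsus.corp.example", "DestinationPort": 8530},
    # Bare IP (TEST-NET-3 documentation range): the kind of destination an injected svchost talks to.
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "203.0.113.7", "DestinationPort": 443},
]

if __name__ == "__main__":
    for label, wsus in (("strict default", None), ("with WSUS configured", "wsus.corp.example")):
        print(f"== {label} ==")
        for event_id, reasons in run_rules(SAMPLE_EVENTS, wsus):
            print(f"event {event_id}: " + "; ".join(reasons))
```

Run as a script, the strict pass flags the dropper-spawned svchost.exe on three counts (parent, user, missing -k), the WSUS connection and the bare-IP connection; passing the WSUS hostname leaves only the two genuine anomalies. That is the whole trade-off in the paragraph above: the rule is trivial to write, but it is only usable once someone has written the site-specific exception.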

The initiative to maintain whitelists of launched applications amused me greatly. Something ordinary administrators have been doing for years, wrapped in a GUI and presented as a super-duper new innovation (patented, I suppose)! Where were you ten years ago?

Summary (thesis number two): stop playing at democracy with the user; restrict them, and that's that. The vendor that decides to do so will take the market by storm. Until then we will keep enjoying, for a long time yet, another opus about some "Orange September".

Source: https://habr.com/ru/post/220083/
