
How to catch what is not. Part one. Terms and Definitions

The reason for writing this article was the article "Tales of the anti-virus forest". Honestly, at first I just wanted to comment on its content, but after reading the comments I decided it was better to start with the basics and leave the post-mortem for later.

To begin with, let's try to decide how to accurately name what we are supposed to protect ourselves from. Why this matters so much will be shown in the examples below.

From a variety of sources, I chose several definitions:

• Malware - software designed to gain unauthorized access to computing resources of the computer itself or to information stored on a computer for the purpose of unauthorized use of computer resources or harm (causing damage) to the information owner and / or computer owner, and / or computer network owner, by copying, distorting, deleting or tampering with information (Wikipedia).
• Malicious computer program - a computer program or other computer information that is knowingly intended for the unauthorized destruction, blocking, modification, copying of computer information or neutralizing the means of protecting computer information (Art. 273 of the Criminal Code).
• Malicious code - a computer program designed to be introduced into automated systems, software, computer equipment or telecommunications equipment of a credit institution and its clients - users of remote banking services - resulting in the destruction, creation, copying, blocking, modification and (or) transfer of information (including information protected in accordance with clause 2.1 of Regulation No. 382-P), as well as in the creation of conditions for such destruction, creation, copying, blocking, modification and (or) transfer (Letter of the Bank of Russia of March 24, 2014 No. 49-T "On recommendations on the organization of the use of means of protection against malicious code in banking activities").
• Software specifically designed to cause damage to a single computer, server, or computer network, regardless of whether it is a virus, spyware, etc. (definition of Microsoft).
• A program designed to provide access to unauthorized information and (or) impact on information or resource information systems (GOST R 50922-2006).
• Software that purposefully leads to violation of the legal rights of the subscriber and (or) user, including collecting, processing or transmitting information from the subscriber terminal without the consent of the subscriber and (or) user, or to deterioration of the parameters of the subscriber terminal or communication network (Government Decree (PP) No. 575).
• Malware, also known as malicious code, refers to a program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) (NIST SP 800-83).
These are not all the definitions, but the sample is probably representative enough. In fact, it shows that among the theorists there is no consensus on what an antivirus actually protects against. Moreover, there is not even agreement on the word "malicious" - a number of translated documents use the concept "Protection against malicious codes" (for example, but not only, GOST R ISO/IEC 13335-4-2007 "Information technology. Security methods and means" and ISO/IEC 27002 "Information technology - Code of practice for information security management").

Are there any correct ones among the above?

All of the above definitions (with the exception of the one from NIST, more on which below) suffer either from an explicit enumeration of specific functions (which narrows the countermeasures down to exactly those functions) or from vagueness of concepts, which makes it impossible to formulate requirements for anti-virus protection on their basis. Here, for example, is an interesting analysis of the definition from the Criminal Code:

• "Knowingly". For which particular subject must the consequences of running the program be "known in advance": for the creator of the program; for the user of the program, that is, the person launching it; for the owner of the computer or device on which the program runs; for the owner of the copied, modified or destroyed information; for the copyright holder of the corresponding work?
• "Information". The definition of information is given in the Law "On Information ...": "information is information (messages, data) regardless of the form in which it is presented". Should this definition be applied here, or a different one, broader or narrower? Is any information meant, or only information "external" to the program in question? Are temporary technological copies of the processed information covered, or only information available to a person?
• "Unauthorized". Who exactly should authorize the specified actions on the information so that they are not considered unauthorized: the user of the program; the owner of the computer, device or media; the owner of the processed information; the holder of exclusive rights to the intellectual property represented by the processed information?

Far from it. For example, remote control programs can be installed covertly both by system administrators and by intruders (at one time, according to representatives of Sberbank, blocking incoming traffic significantly reduced the number of remote banking incidents). How can an antivirus program determine who installed the program? In theory, there is a behavioral analyzer that must react to attempts to install any program and issue prompts that the user must confirm. But:

• Administrators usually work on networked computers without the users noticing - notifications should not be shown to the user (a frequent customer request is to hide the antivirus icon in the tray).
• Most users are not information security specialists and do not know what runs on their computer or why. What do you think users click on pop-up prompts? And can a new malware sample, not yet recognized by the antivirus, display a window that mimics a behavioral analyzer prompt?

We will talk about the shortcomings of the behavioral analyzer later; for now, let us return to the terminology.

It is no less dangerous when a definition enumerates all the actions a malicious program performs. Based on such definitions, it turns out that you need to defend only against those actions. But attackers are constantly coming up with new ways of withdrawing money, penetrating systems, etc. To fix the present means to remain in the past. Moreover, the famous "four books" also relied on descriptions of specific types of malware and their actions when calculating risks. But in the end - are you personally confident that you are tracking the emergence of every new threat and can implement protective measures in real time (even leaving aside the funds and the time needed to run procurement tenders)?

An example of excessive detail divorced from the method of assessing threats is in plain view: the protection of personal data. We will not discuss the impossibility of such protection or the gaps in the legislation. But the huge list of protective measures (each of which, taken individually, is justified in general) makes building such protection impossible for financial reasons.

The definition from NIST is good in every respect, but besides the concept of malware, NIST introduces the concept of spyware in parallel, which legitimizes software such as antispyware, anti-rootkit, etc.:

Spyware - software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code (NIST Special Publication 800-53 rev. 4).

Formally, spyware is described as one of the types of malware, but why not then describe all the other types of malware too? As a result of this emphasis, even reputable journals in all seriousness recommend installing an anti-rootkit and an antispyware in addition to the antivirus.

Due to official duties, personal interest or other reasons, the user or computer administrator constantly installs or updates software. Updates of already installed programs can be installed automatically. But all of these are programs whose installation is authorized and whose presence on the computers the user or administrator is at least aware of - even if they are not used. In addition, a number of programs are launched without notifying the user (more precisely, without notifying the user unless the corresponding settings have been made). Such programs include scripts running in the browser, macros of programs included in the office suite, and many others. A number of programs are installed during the installation of other programs (with or without a warning at the appropriate stage of the main program's installation).

Naturally, any of the above actions may lead to the introduction of a malicious program - including through substitution of the program sources or a man-in-the-middle attack - but for now we won't talk about that.

Legally (or almost legally) installed programs have documentation, or at least a license, that lists their functions - and it is exactly these functions that the user or administrator expects from them.

Also, as a result of vulnerabilities or of user or administrator actions (unfortunately this also happens), programs may be installed on the computer without your permission (and it happens that such programs come preinstalled). As a result, the system (or the program, in the case of a virus infection) begins to perform actions that are not at all what was expected of it.

Thus, from the point of view of the user or the administrator, unwanted programs are those that are installed without permission or that perform actions not indicated in the relevant documentation or license (we will not consider Easter eggs / bonus functionality, but from a security point of view any unknown functionality is not a good thing). It is easy to see that all the above definitions are special cases of the definition given in this paragraph. Accordingly, since all unwanted programs cause harm in one way or another (by acting on information, consuming resources or otherwise), the exact term for them is "malware".

The definition from Bank of Russia Regulation No. 382-P dated June 9, 2012 (as amended by Bank of Russia Instructions 3007-U of 06/05/2013 and 3361-U of August 14, 2014) "On the requirements for ensuring the protection of information when making money transfers and on the procedure for the Bank of Russia to monitor compliance with the requirements for ensuring the protection of information when making money transfers" also fits the term "malicious program" (along with the definition from NIST):

- software code that leads to disruption of the normal functioning of computer equipment (hereinafter - malicious code).

The definition in 382-P is in principle even more correct than ours, but it is not feasible from the point of view of implementation, since it requires analysis of the program code - detecting the malicious code within it:

2.7.4 Where technically possible, a money transfer operator, a bank payment agent (subagent) and a payment infrastructure service operator ensure:
• preliminary checking for the absence of malicious code in software installed or modified on computer equipment, including ATMs and payment terminals;
• checking computer equipment, including ATMs and payment terminals, for the absence of malicious code after installing or modifying software.

It is impossible for the end organization to conduct such a check (in effect, certification against technical specifications (TU) and for the absence of undeclared capabilities (NDV)) because of the huge amount of code, its closed nature and the lack of the necessary number of specialists. And indeed (as will be shown), the measures proposed by 382-P are aimed at protecting against programs as a whole, not against code. In practice, the implementation of clause 2.7.4, even where it is carried out, will be purely formal - an antivirus scan - which is useless against malicious programs not yet recognized by the protection tool (we will also talk about why this matters).

It is possible that the emphasis on malicious code comes from attention to one particular type of malware, viruses - the type that injects its code into other programs. But from this point of view, the definition in 382-P is incorrect, since at the moment most malware consists of trojans.

The most interesting thing is that back in the late nineties of the last century, the Guidance Document (RD) "Antivirus protection. Security indicators and requirements for protection against viruses" defined terms that are best suited as a basis for building anti-virus protection systems (of course, making allowances for the fact that at that time viruses were the main type of malware):

• Active virus - a virus whose program code, or part of it, resides in physical or virtual memory and is periodically executed.
• Known virus - a virus about which information is contained in the antivirus tools (AVS).
• Unknown virus - a virus about which no information is contained in the antivirus tools (AVS).
• Viral exposure (VO) - a change in the state of the automated system (AS) caused both by the penetration of elements of the virus program code into the system and by the result of its execution (activation of the virus).
• Virus infection (OT) - a change in the state of the automated system (AS) or of its individual elements caused by the spread of the virus.
• Virus-like effect (destructive program action, RPT) - a change in the state of the automated system (AS) caused by the execution of the code of a specially created program entity, or a set of such entities, that does not have the replication property.

As a seed for the next article, I suggest that Habr readers (based on their own experience or on standards, letters, orders, etc.) answer three simple, childlike questions in the comments:
• How many malicious programs do cybercriminals create per day, on average?
• What percentage of malware may an antivirus miss and still be considered a valid means of protection, and why can an antivirus miss them at all?
• What is an antivirus for - what tasks does it perform in the protection system? The answer "it must catch viruses" does not count.

Hint: the first question is not closely related to the other two.

I promise, there will be a lot of unexpected things.

PS Any additions to the article with links to sources are welcome. Opinions that refute the provisions of the article are welcomed even more, but again with an indication of the source of the knowledge (personal experience, research, comparison, an order, etc. - there is a plan to write about that as well).

Source: https://habr.com/ru/post/253545/


All Articles