
How to Catch What Isn't There. Part Two: Projectile and Armor

Part one was devoted to choosing a definition for the notion of "malware" and, quite logically, attracted little attention: who really cares what color the rat is, as long as the cat keeps catching them.

In this second part we will try to determine what an antivirus should actually do on a local network. If anyone still thinks its job is simply "to catch viruses", read on.

At the end of part one, Habr readers were asked three simple, almost childish questions:


Contrary to expectations, the first question immediately received an answer close to the truth. Unfortunately, customers and conference audiences are generally not so well informed. My own statistics show that clients, attendees of conferences where I have been able to run a poll, and even partners who in theory should know better, answer the question "How many malicious programs are created per day on average?" with the figure 100. When invited to raise it, they say 500, or a thousand. And they fall silent for a moment when the real figure is voiced.
Let's look at live.drweb.com, the Infected tab:



This is the intake of samples for analysis. The numbers on the graph, by the way, are far from record highs; if I am not mistaken, on one day at the beginning of December 2013 the peak reached 6 million. Naturally, not everything that arrives is malware (that will be a separate topic when we discuss the level of knowledge of a typical user), and of course there are duplicates, but nonetheless all of this turns into growth of the virus database.



Meanwhile the incoming flow keeps growing. Unfortunately I could not find fresh figures for other companies, but back in 2011 Evgeny Kaspersky wrote: "70 thousand. Daily. Yep."

A small digression. A common misconception is that antiviruses catch malware "by signatures". This view is usually exploited by products that market "trendy" kinds of protection: not so long ago behavioral analyzers were promoted from this position, then it was the turn of cloud antiviruses. "Regular signature antiviruses that hog resources will die out, and their place will be taken by ...". So, for those who missed it: pure signature antiviruses died out in the 1990s, when polymorphic viruses appeared that changed on every launch and therefore could not be caught by a fixed byte sequence (incidentally, this was the reason for the emergence of one of the two domestic antiviruses, Dr.Web). A single record in a modern database is typically a rule or routine that covers a whole family rather than one sample, which is why it is correct to measure virus databases in records, not in "signatures".

Let's return to the number of malicious files created per day. Why am I telling you all this? Because at almost every other conference I am asked whether it is true that antivirus vendors write viruses themselves. Newly hired employees quietly drop hints: "I'm one of you now, show me where it's done". The myth is so deep-rooted that customers constantly approach antivirus companies asking to be sent "something not yet known" for testing. Antivirus companies do not send out any samples, and Western companies do not even hire former hackers, citing their moral unreliability. Employees are not shot when they leave, and if it ever came out that vendor X had created a sample ...

The myth is extremely dangerous. If you believe it, the number of malicious files released per day is tiny: how many would vendors need to create to make the news? It follows from the myth that antivirus programs should know all, or almost all, malicious programs. But with such a stream of malicious files, of which, by various estimates, no more than 70-80 percent of what is released into the wild on a given day ever reaches the antivirus laboratories for analysis (and I would not be surprised if even that estimate is optimistic), releasing an update immediately is simply impossible.

Let's name the first two reasons why the antivirus engine misses a virus (behavioral analyzers will be discussed later):

  1. The detection delay for a new malicious program: the delta between its arrival at the victim and its receipt for analysis.
  2. The processing delay caused by the large number of programs submitted for analysis, or by an incorrect assessment of the program's danger at the time of detection. This, by the way, is the source of the myth that Dr.Web CureIt! is more effective than a regular antivirus: often, between the moment the malware infects the computer and the moment the utility is downloaded, the malware simply gets into the databases.

But these two problems are solvable. The number of analysts keeps growing; before the stream reaches the analysts it is processed by a special robot that automatically generates database records, and so on. Some of the malware that has not yet been analyzed is caught by heuristics.

Since heuristics have come up, another technology digression. Unfortunately, the first reaction to the story about the number of malicious programs being released is usually: "That's understandable, such viruses should be detected by heuristics." Many, fed by the myth created by tests, consider heuristics a panacea. Here is the thing: heuristics detect only new modifications of malicious programs that have already been analyzed, and malicious programs whose behavior is already known to the antivirus. Suppose that some time ago attackers developed a malicious program. After a while it began to be detected. What do the attackers do? Start from scratch? There is an easier way: pack it with a packer whose format the antivirus does not know, or encrypt the malware. No heuristic will catch a program hidden this way. What can the antivirus do? It can add every such sample to the virus database (and it does!), or it can catch them with technologies such as Dr.Web's FLY-CODE and structural entropy analysis (every company has its own; experts on other products are invited to extend the list). The first scans packed executable objects, unpacking non-standard packers by virtualizing the file's execution; the second detects unknown threats by the peculiarities of the arrangement of code sections in scanned objects protected by crypto-packers.
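As an added illustration of the second idea, that a crypto-packer changes the statistical shape of an executable's code sections, here is a small Python example. It is not from the article and is not Dr.Web's technology: it parses the section table of a PE file, computes the Shannon entropy of each section's raw bytes, and flags executable sections whose entropy approaches 8 bits per byte, which is what compressed or encrypted data looks like. The two input files, their section names and the threshold of 7.0 are constructed assumptions for the demo (the "packed" sample is seeded random bytes standing in for a packer's payload, not real malware).

```python
import math
import random
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER: 40 bytes, little-endian


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob: bytes):
    """Yield (name, raw_bytes, is_executable) for each section listed in the PE section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    num_sections = struct.unpack_from("<H", blob, e_lfanew + 6)[0]    # COFF NumberOfSections
    opt_hdr_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_hdr_size                              # section table follows the optional header
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HDR, blob, table + 40 * i)
        name, raw_size, raw_ptr, characteristics = fields[0], fields[3], fields[4], fields[9]
        yield (name.rstrip(b"\0").decode("ascii", "replace"),
               blob[raw_ptr:raw_ptr + raw_size],
               bool(characteristics & IMAGE_SCN_MEM_EXECUTE))


def section_report(blob: bytes, threshold: float = 7.0):
    """Map section name -> (entropy, suspicious). Only executable sections are judged: a code
    section that looks like random noise is the packed/encrypted stub the text describes."""
    report = {}
    for name, data, executable in pe_sections(blob):
        h = shannon_entropy(data)
        report[name] = (round(h, 3), executable and h >= threshold)
    return report


def suspicious_sections(blob: bytes, threshold: float = 7.0):
    """Names of executable sections whose entropy is at or above the threshold."""
    return [name for name, (_, flagged) in section_report(blob, threshold).items() if flagged]


def build_pe(sections):
    """Assemble a minimal PE-shaped blob (DOS stub + COFF header + section table + raw data).
    Constructed for this demo only: it has no optional header and would never load."""
    n = len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x0102)  # i386, n sections
    headers, raw, ptr = b"", b"", len(dos) + len(coff) + 40 * n
    for name, data, executable in sections:
        chars = 0x60000020 if executable else 0x40000040  # CODE|EXECUTE|READ vs INITIALIZED_DATA|READ
        headers += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                               len(data), 0, len(data), ptr, 0, 0, 0, 0, chars)
        raw += data
        ptr += len(data)
    return dos + coff + headers + raw


# Constructed sample inputs (assumption: not real binaries). The "clean" .text repeats an x86
# function prologue/epilogue, so its entropy is low; the "packed" .text is seeded random bytes.
_rng = random.Random(20120302)
_DATA = b"\0" * 2048 + b"hello, world\0" * 16
CLEAN_PE = build_pe([
    (".text", b"\x55\x8b\xec\x83\xec\x10\x8b\x45\x08\x5d\xc3" * 400, True),
    (".data", _DATA, False),
])
PACKED_PE = build_pe([
    (".text", bytes(_rng.getrandbits(8) for _ in range(4096)), True),
    (".data", _DATA, False),
])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PE), ("packed", PACKED_PE)):
        print(label, section_report(blob), "->", suspicious_sections(blob) or "nothing flagged")
```

A high-entropy code section is a pointer for a deeper check (unpacking or emulating the file, which is what the execution-virtualization approach above does), not a verdict on its own: legitimately packed installers and compressed resources produce the same numbers, so in practice the threshold is tuned against a corpus of clean packed files and combined with other structural features.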

Back to the reasons for non-detection. The worst problem is the third. The most dangerous malware has long ceased to be written by lone hackers. It is a well-organized criminal business, built in the image and likeness of companies that develop ordinary software. The structure of such a "firm" includes:


And testers play a key role. Testing the malware under development against current antivirus solutions for non-detection (why release a malicious program that will be detected?) ensures that only malware that no antivirus solution detects, heuristic mechanisms included, is released, at least until the updates arrive. How many malicious programs can a single group release? The group behind Carberp was characteristic in this respect (from http://updates.drweb.com, ONLY the records added to the virus database on March 2, 2012):

Trojan.Carberp.14 (2) Trojan.Carberp.15 (7) Trojan.Carberp.194 Trojan.Carberp.195 Trojan.Carberp.196 Trojan.Carberp.197 Trojan.Carberp.198 Trojan.Carberp.199 Trojan.Carberp.200 Trojan.Carberp.201 Trojan.Carberp.202 Trojan.Carberp.203 Trojan.Carberp.204 Trojan.Carberp.205 Trojan.Carberp.206 Trojan.Carberp.207 Trojan.Carberp.208 (14) Trojan.Carberp.209 Trojan.Carberp.210 Trojan.Carberp.211 Trojan.Carberp.213 Trojan.Carberp.214 Trojan.Carberp.215 Trojan.Carberp.216 Trojan.Carberp.217 Trojan.Carberp.218 Trojan.Carberp.219 Trojan.Carberp.220 Trojan.Carberp.221 Trojan.Carberp.222 Trojan.Carberp.224 Trojan.Carberp.225 Trojan.Carberp.226 Trojan.Carberp.227 Trojan.Carberp.228 Trojan.Carberp.229 Trojan.Carberp.230 Trojan.Carberp.231 Trojan.Carberp.232 Trojan.Carberp.233 Trojan.Carberp.234 Trojan.Carberp.235 Trojan.Carberp.236 Trojan.Carberp.237 Trojan.Carberp.238 Trojan.Carberp.239 Trojan.Carberp.240 Trojan.Carberp.241 Trojan.Carberp.242 Trojan.Carberp.243 Trojan.Carberp.244 Trojan.Carberp.245 Trojan.Carberp.246 Trojan.Carberp.247 Trojan.Carberp.248 Trojan.Carberp.249 Trojan.Carberp.250 Trojan.Carberp.251 Trojan.Carberp.252 Trojan.Carberp.253 Trojan.Carberp.254 Trojan.Carberp.255 Trojan.Carberp.256 Trojan.Carberp.257 Trojan.Carberp.258 Trojan.Carberp.259 Trojan.Carberp.260 Trojan.Carberp.261 Trojan.Carberp.262 Trojan.Carberp.263 Trojan.Carberp.264 Trojan.Carberp.265 Trojan.Carberp.266 Trojan.Carberp.267 Trojan.Carberp.29 (14) Trojan.Carberp.33 (10) Trojan.Carberp.45 (4) Trojan.Carberp.5 (3) Trojan.Carberp.60 (6) Trojan.Carberp.61 Trojan.Carberp.80

Impressive? One day. One group.

The number of programs released by a single group can reach hundreds of samples per day, and none of them will be detected by the antivirus software used by the targeted group of victims.

SUMMARY:
At any arbitrary moment in time, no antivirus program on its own, without additional protection measures, can guarantee protection against the penetration of as yet unknown malicious programs, that is, those that have not yet been submitted to the antivirus laboratory for analysis.

If a company, user or administrator relies only on antivirus software to detect malware, they are completely defenseless. This is exactly what explains the success of ransomware encryptors (and, in the recent past, WinLock).

The typical view is that the antivirus should catch everything at the gate. Unfortunately this is not the case. The antivirus can detect known malware (heuristic mechanisms included) at the moment of penetration and, after receiving updates, detect and remove (but not roll back the actions of!) malware that is already running and actively resisting detection.

Conclusion 1. Alas. Choosing an antivirus based on its victories in tests makes no sense. There will be a separate article about tests, but one way or another all tests are run on already known malware.

Conclusion 2. The function of the antivirus is the removal of already active malicious programs that were missed by all other means of protection. Nothing but the antivirus can perform this task. But the function of countering the penetration of unknown malicious programs must be taken over by access control systems, application launch restriction systems and behavioral analyzers (plus the antivirus in its role as a traffic analyzer).

Once more: today an antivirus alone cannot be used to protect against malware. An anti-malware protection system has to be built out of the antivirus itself, a firewall, a behavioral analyzer, office/parental control and a backup system. This is the bare minimum.

User access should be restricted to only those resources of the local network and the Internet that are actually needed. Use of removable media should be restricted. Users should be prohibited from installing any programs; that prevents a virus that has slipped past the security tools from installing itself on the computer. The set of installed and used software must match a known approved list.

A centralized update deployment system should be used. A situation in which the user decides whether to install an update should be excluded. A centralized update system makes it possible to monitor in real time that protected workstations and servers carry no known vulnerabilities.
Users should work only under an account with limited rights.

(From the CyberArk presentation at the recent interbank forum in Magnitogorsk)

I apologize for listing elementary truths. But so many people are convinced that servers need no protection at all ...



So where is the novelty in all this?

Conclusion 3. The antivirus solution used to protect workstations and file servers should:

  1. have a self-defense system that does not allow unknown malware to disrupt the normal operation of the antivirus; the antivirus must keep functioning normally until an update arrives that allows the infection to be cured;
  2. have both its management system and its update system independent of the corresponding operating system mechanisms (no WSUS and no Windows Update) and covered by the antivirus self-defense system, which rules out malware hijacking the update channel. In general, the number of operating system components, third-party libraries and the like that the antivirus uses but that are naturally not covered by its self-defense should be minimal;
  3. have a management system that ensures the fastest possible delivery of updates to protected workstations and servers;
  4. rely primarily on the technologies of the antivirus engine, which are hard for malware to circumvent, rather than on external components that can be compromised anyway through misuse and/or exploitation of vulnerabilities in external programs or in libraries shared with them (we will analyze this situation when we talk about the advantages and disadvantages of various technologies and the influence of the media on the level of security).

And finally, the question:


Analysis of the mythology of IT will continue in the next article.

Source: https://habr.com/ru/post/253769/

