Changing what is in Anti-Virus tests

keith2468:
In a post in here »Voicing complaints against antivirus products I suggested that I thought part of getting reluctant AV vendors to be more aggressive with malicious adware and hijackware would be to get such malware added to popular AV tests.
Let us face it, the number one security problem computer users are having with installed software is not real viruses or worms, it is adware and hijackware that requires expert analysis, special tools, and 2 hours of hand-holding by an expert to remove.
So does anyone have any idea how to get this stuff into anti-virus effectiveness tests? Any contacts or anything like that?
I realize that some AV vendors don't want to get involved in labelling poorly written software that causes abends as malware. And I realize that some AV vendors don't see automatic update facilities or connection quality monitoring as spyware. I'm a programmer, not a lawyer, but I can still sympathize with some AV vendors wanting a harder definition of malware that doesn't include software that is poorly written.
So what I'm looking to do is to ensure that tests on anti-virus programs include some malware samples that do not uninstall in any of the normal ways and have at least one of these other features:
1. Has components to automatically re-install itself if it is manually removed.
2. Uses pseudo-random filenames to hide itself in and is not itself pure security protection software. (Security software may have a legitimate reason to use random filenames -- it is one way to avoid being killed by malware.)
3. Prevents access to multiple security sites.
4. Kills anti-virus scanners.
5. Prevents anti-virus software updating.
6. Records computer activity not remotely related to the use of a related service, such as the URLs or account names on totally unrelated websites.
7. Is documented as downloading and installing automatically without user intervention.
If 7 is a maybe, because of disagreements over documentation and malware that is only sometimes installed without user intervention, I'm okay with leaving that kind of malware out for the time being.
So, do AV tests already include samples like this?
And if not, how do we get this sort of thing included?
-- (Virus&Hijacking FAQ+Submit suspected malware+Security FAQ)
B:
Some nits, using your list:
1. Auto-reinstall -- Some programs like Quicktime and RealPlayer do that, among others.
2. Random names -- Mozilla does this with its profile directory -- I think they call it "salting" a random directory name, but I just find it annoying and rather stupid.
3 and 4. No nits.
5. Prevent AV updates -- Lots of programs can do this inadvertently or even intentionally. AOL, anyone?
6. Activity logging -- Of course lots of security software (and the OS itself) does this.
7. Automatic installations -- Umm, ah... er... too easy! You know, all those threads about certain owsers-bray?
End of nits.
Of course I agree with you that AV companies should catch all malware including these horrid spyware mutations.
-- B -- In a realm outside causality and function

Steve:
said by B: 2. Random names -- Mozilla does this with its profile directory -- I think they call it "salting" a random directory name, but I just find it annoying and rather stupid.
It's done for a legitimate security reason (badware has no predictable place to muck with your browser configuration), so in that respect it's the right thing to do, but the fact that you can't disable this behavior is just maddening to me.
I try to park my personal-configuration type data (bookmarks for browser, quicken data files, pcAnywhere host files, etc.) in a different place from the C: drive, and salt nonsense makes it much more difficult.
Steve -- Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site

B:
said by Steve: It's done for a legitimate security reason (badware has no predictable place to muck with your browser configuration), so in that respect it's the right thing to do, but the fact that you can't disable this behavior is just maddening to me. I try to park my personal-configuration type data (bookmarks for browser, quicken data files, pcAnywhere host files, etc.) in a different place from the C: drive, and salt nonsense makes it much more difficult.
Uh, so is it legitimate and the right thing, or maddening and nonsense? 
I vote for the latter two. I don't see ANY practical benefit to make up for the annoyance factor. Every time you want to check your own profile (fix it, futz with bookmarks, install or fix extensions, retrieve mail, etc.) you're faced with that silly name.
Are there really tons of exploits that are smart enough to attack the profile, but are dumb enough NOT to be able to find the (usually only one) profile directory off Application Data or Documents and Settings, no matter what it's named?
And if it's such a legitimate security reason, why isn't anyone else doing it?
-- B
Edit: sorry for the mild threadjack, keith.

Steve:
It should be apparent that if badware is actually running code on the machine, this subterfuge won't go very far, but in the past there was a class of browser exploit that relied on being able to overwrite a file if the name were known. I don't remember the details, but I'm sure it was a response to a particular set of threats.
So I think it ought to be there by default, but let a savvy user turn it off. I know that technically I could find the code in Mozilla and do it myself, but that's a lot of work to get a small local change.
said by B: And if it's such a legitimate security reason, why isn't anyone else doing it?
Outlook Express does this too.
Steve

B:
Outlook Express is not as bad -- I'm pretty sure the first 3 or 4 characters are always the same (and I think they do this only for TEMP files, not for storage of data). (I may be confusing it with Outlook's behavior.)
Then again, Outlook and variants have the lovely habit of storing files in hidden directories, which makes support so much fun.
-- B

antiserious (reply to keith2468):
said by keith2468:
4. Kills anti-virus scanners.
So, do AV tests already include samples like this?
And if not, how do we get this sort of thing included?
... I would think this one on its own would be a prime motivator for A/V vendors ... and the first one that does it will get a TON of great press and, I daresay, a boost in business ...
-- ... "It's always been my hope that God has a sense of humor" ... Andy Sipowicz ...

B (reply to keith2468):
said by keith2468:
So, do AV tests already include samples like this?
And if not, how do we get this sort of thing included?
I feel bad. No one's really tried to answer keith's questions.
-- B

ttt2525 (reply to Steve):
Steve, why can't the badware just look for *.slt instead of the full name?

B:
I think because "in the past there was a class of browser exploit that relied on being able to overwrite a file if the name were known" but those exploits weren't smart enough to follow paths and subdirectories.
Of course many trojans or other exploits can find anything they want (finding the Moz profile by looking for bookmarks.html, cookies.txt, the chrome directory, etc.).
And my opinion is that the annoyance of the "salted" directories far outweighs their possible utility.
-- B

novaflare (reply to Steve):
said by Steve: said by B: 2. Random names -- Mozilla does this with its profile directory -- I think they call it "salting" a random directory name, but I just find it annoying and rather stupid.
It's done for a legitimate security reason (badware has no predictable place to muck with your browser configuration), so in that respect it's the right thing to do, but the fact that you can't disable this behavior is just maddening to me.
I try to park my personal-configuration type data (bookmarks for browser, quicken data files, pcAnywhere host files, etc.) in a different place from the C: drive, and salt nonsense makes it much more difficult.
Steve
Sort of like what I do with my Windows dir: it's on a non-C: drive with a non-Windows-related name of random letters and numbers, sort of like f:\5t76yghf. So far I've yet to run into a program that screws up because of it. I was probably the only person online who could have gotten away with running an unpatched Nimda-infectable server back when it first hit. A very simple and effective way to stop the vast majority of scripted attacks out there that rely on a given Windows dir or a few of them. Now I am not talking about scripts that get run locally on a computer, as they can find this dir by using %systemroot%. But a good old-fashioned scripted exploit that some script kiddie would run on his computer against a server/service on my IP. Hmm, do Sasser and Blaster variants use a hard-wired dir or dirs?
Anyhow, I agree it's a valid security measure. A tad annoying, but hey, a tad annoying or a very annoying hijack? Hmm, I'll take a tad annoying any day. -- new 3D chat community at »planetvirtuel.com; my site: »spellbound.valshea.com/news.php

mens rea (reply to keith2468):
Probably one of the more formidable obstacles faced by AV companies in dealing with malicious adware and hijackware is how it actually comes to be installed on an individual's machine.
Obviously drive-by downloads and non-consented-to installs made by misrepresentation are more easily dealt with. The very fact of no agreement with the user (or victim) clearly indicates the offending program has no business on the person's PC.
It is the grey area that becomes most problematic. It is understandable that an AV vendor may be reluctant to become involved with the removal of spyware programs that are bundled with other software, regardless of their deleterious effects.
Usually the unwanted additions are consented to by the user when he/she fails to read the EULA, but clicks on the "I agree" button, and thereby becomes the hapless victim of all weird and wonderful things that come with the software they thought they were getting.
Unfortunately, the issue then becomes the validity of the EULA, or the contract between the potential user of the software and the resulting damage it may engender, and whether the agreement is binding in law etc. In other words the problem becomes a legal one, and certainly is not as clear cut as a virus or worm attached to an email, or a trojan downloaded via deliberate subterfuge.
I would assume the above may explain the reticence of most AV vendors to become proactively involved in targeting adware and hijackware in their tests, since the offending program may have arguably been installed with the user's consent, and the issue of the informed nature of that consent becomes more properly a legal matter, in spite of the apparent security ramifications.

Randy Bell (reply to keith2468):
@Keith, @B, and @antiserious:
To answer your question, YES -- NAV has a generic Trojan.KillAV detection and KAV has a similar set of specific "KillAV" signatures. {KAV is more specific in its nomenclature, doesn't usually resort to generic names like NAV} -- "But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)

mens rea:
said by Randy Bell: @Keith, @B, and @antiserious:
To answer your question, YES -- NAV has a generic Trojan.KillAV detection and KAV has a similar set of specific "KillAV" signatures. {KAV is more specific in its nomenclature, doesn't usually resort to generic names like NAV}
Randy, are you aware of any criteria they use to determine what gets included? Just curious.

keith2468:
Now that the weekend is here, let's talk about this some more.
My proposed list of 7 factors is a list that something would have to have in order for the tester to include it as "obvious malware" in the test -- a way of excluding questionable malware that is maybe simply software that is merely of poor quality, or something that purists disagree on the value of.
Some clarifications of what I was thinking:
1. Not just install automatically, but re-install itself automatically without permission after you delete it.
Yes, this means that some legitimate software may want to use a registry setting to see if it was manually removed previously and ask for permission if it was.
If this doesn't make sense to you on your home computer, remember that some computers are used in places other than homes.
All software, even software by Macromedia, should ask permission to install. But, on a default Windows system, with default MSIE settings, does it install automatically, or just update automatically? Updating software automatically should be okay for the purposes of this (although some anti-malware vendors sometimes give demerit points for this).
2. Maybe this tactic is used by more software than I thought. Maybe this one should be refined.
There are random folder names, and random file names. Also there are file properties. Maybe we can refine this rule.
I believe that in HijackThis analysis random program names that don't show up in google or other reference sources are a flag for considering removal.
3. Pretty clear, right?
4 & 5. I'm not thinking of including XXXX software just because the current or an old version has a new bug that does this. We are looking for design features, not programming errors. And things that are left in, not fixed. And in malware type software.
6. Maybe we could make that "Reporting activity unrelated to itself and its published functions." So for the OS, anything done on the computer using the OS could be logged.
7. See 1.
So how do we get some AV comparison tests to include "obvious malware" somewhere in their tests?

keith2468 (reply to mens rea):
There is flagging the file as questionable; there is publicly describing the files as malware, spyware, hijackware, or spyware; there is asking the user to verify whether the file should be executed; there is making a tool for manual file removal; and there is automatically removing the file without asking the user.
Software can be written that does one or more of these things without doing all of them.
What KAV does is prefix merely abusable files (potential hacker tool files that also have common benign uses) in its paranoid database as notavirus.xxxxxx in messages to the user.
I'm not sure what it does for suspicious files in its extended database.
So AV vendors could have a lot of options on how they respond to the "obvious malware" and still not have to worry about a libel suit succeeding in front of a sane disinterested judge in a developed country.

Steve:
Symantec (Corporate edition, at least) includes much of this in what they call "expanded threats". It does allow enabling/disabling broad categories ("adware", "joke programs", "remote access", etc.) but the control is not very granular.
My customer uses RAdmin from Famatech for remote administration (instead of pcAnywhere), and it's flagged as a remote access threat.
It's right to do this - RAdmin can be installed quietly so the user doesn't know - but in our case it's a valid program. I have not found a way to say "don't flag RAdmin but do look for other remote access trojans".
Steve

sheepexplode:
said by Steve: Symantec (Corporate edition, at least) includes much of this in what they call "expanded threats". It does allow enabling/disabling broad categories ("adware", "joke programs", "remote access", etc.) but the control is not very granular.
My customer uses RAdmin from Famatech for remote administration (instead of pcAnywhere), and it's flagged as a remote access threat.
It's right to do this - RAdmin can be installed quietly so the user doesn't know - but in our case it's a valid program. I have not found a way to say "don't flag RAdmin but do look for other remote access trojans".
Steve
A number of AV engines do the same with some of the PsTools, PsExec specifically.
Also the NAV expanded threat included in 9.0 corp. edition will find spyware files, but cannot or will not do anything with them. You still have to clean them yourself. We are in the process of identifying a new/better AV enterprise solution and spyware removal/prevention tools. We currently use NAV, but find it does not meet our needs; we were hoping that 9.0 would give us more protection and cleaning abilities, and it has not. -- »Security »I think my computer is infected or hijacked. What should I do?

B:
sheepexplode, please post, or even better pseudo-IM me, when you decide. I've got a smallish size installation coming (75-100 seats/servers) and was planning on SAV CE, but am willing to go with something else, and I'd like to hear your thoughts.
-- B

sheepexplode:
said by B:
sheepexplode, please post, or even better pseudo-IM me, when you decide. I've got a smallish size installation coming (75-100 seats/servers) and was planning on SAV CE, but am willing to go with something else, and I'd like to hear your thoughts.
-- B
I will, but we may be a while before we decide; our current contract with Symantec ends in October, so we will have a decision before then. But there is also considerable pressure to get the spyware problem under control. We have techs that are spending 50% of their time dealing with spyware.
Regards, SE