Stealthy Trojan horses, modular bot software dodging defenses
Robert Lemos, SecurityFocus 2005-06-13

Software attack tools that turn PCs into remotely controlled zombies are getting better, but defenses are not keeping up, say security experts.

The latest threats are tailored to attack specific companies, forgoing rapid spread to avoid notice. Others use modular components: an infector that can be swapped out to defeat the latest antivirus signatures, and a second-stage component that turns off the PC's defenses.

"While many of these features have appeared in one virus or another, the level of sophistication of the latest malware is what's interesting," said Roger Thompson, director of malicious content research for information-technology giant Computer Associates. "It definitely can cause problems for current defenses."

In early June, Thompson and other antivirus researchers warned that the latest bot software--a program designed to compromise and control other computer systems--spread in multiple stages. The warnings followed revelations that several companies in Israel had reportedly used a previously unknown Trojan horse program to infiltrate competitors' systems. The Trojan horse reportedly used by the companies, dubbed Hotword, was not detected because it had not been deployed anywhere else, so no antivirus vendor had a signature for it.

Such attacks highlight the deficiencies of current defenses that detect known threats using pattern--or signature--matching and heuristics, said Thompson.

"Any delay in detecting the threat is already too long," he said. "In my mind, this is the death knell of signature scanners."

Thompson points to the latest three-stage attack as a sign of the times. An unknown attacker mass-mailed a Trojan horse, named Glieder, which, if run by the user, downloaded a second program, Fantibag. The second program stopped any antivirus and firewall software and blocked requests to update the security software or the Windows operating system. The third program, Mitglieder, further compromised the systems, making each one part of a larger bot net.

Breaking an attack into several pieces lets the attacker quickly produce programs that are harder to stop, Thompson said. The attackers can frequently update the component that spreads the malicious software to dodge any new signatures. Even with vendors producing antivirus updates every day, minor modifications to the first stage of such a program could let the attackers stay ahead, said Vincent Gullotto, vice president of McAfee's antivirus emergency response team.

"Sometimes they only have 24 hours (until updates arrive), but that is all they need," Gullotto said.

Operating system and application makers tend to respond much more slowly to flaws, so software that takes advantage of those security holes remains effective for longer. Microsoft did not provide comment for this story.

Bot software that targets only a small number of systems, or that uses easily changed modules, undermines the effectiveness of signature-based definitions, said Vincent Weafer, senior director of Symantec's security response group.

"Using signatures as a primary defense is no longer effective today," Weafer said. "But I would argue that it hasn't worked for several years." (SecurityFocus is owned by Symantec.)

To combat the threat, the major antivirus vendors have added behavioral blocking to their defenses over the last few years. Such technology recognizes a threat not by its code but by its actions. Moreover, because many malicious programs now modify the operating system's hosts file--which maps host names to IP addresses and is consulted before DNS, so an entry there can silently block a vendor's update server--the major antivirus products also monitor that file for changes.
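As an added illustration of the hosts-file check described above (this is example code written for this page, not code from the article or from any vendor's product), the following Python script parses a hosts file the way a resolver does, then flags any entry that overrides a watch list of operating-system and security-vendor update domains. It distinguishes a sinkhole (the name is mapped to loopback or 0.0.0.0, so updates simply fail) from a redirect (the name is mapped to some other address, so update traffic is diverted to a host the attacker chooses). The sample hosts file and the watch list are constructed for the example and are assumptions, not data from the article.

```python
"""Flag hosts-file entries that override OS or security-vendor update domains."""
import ipaddress
from typing import Dict, Iterator, List, Tuple

# Constructed sample hosts file (not from the article). The last three
# mappings mimic the kind of edits a second-stage component makes to keep
# a PC from fetching antivirus or Windows updates.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.example   # legitimate internal name
127.0.0.1       windowsupdate.microsoft.com
0.0.0.0         liveupdate.symantecliveupdate.com download.mcafee.com
10.66.66.66     update.microsoft.com
"""

# Hypothetical watch list (an assumption for this example): domains that
# should never be overridden in the hosts file of a managed PC.
PROTECTED_DOMAINS = (
    "microsoft.com",
    "windowsupdate.com",
    "symantec.com",
    "symantecliveupdate.com",
    "mcafee.com",
    "ca.com",
)


def parse_hosts(text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (line_number, address, [hostnames]) for each mapping line.

    Comments introduced by '#' and blank lines are ignored, as the system
    resolver ignores them; hostnames are lower-cased for comparison.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line; the resolver skips it as well
        yield lineno, fields[0], [name.lower() for name in fields[1:]]


def is_protected(hostname: str) -> bool:
    """True if hostname is a watch-listed domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d)
               for d in PROTECTED_DOMAINS)


def classify_address(addr: str) -> str:
    """Say what an override to this address does to the mapped name."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"   # 127.x, ::1 or 0.0.0.0: the name is blackholed
    return "redirect"       # any other address: traffic goes to that host


def find_hijacks(text: str) -> List[Dict[str, object]]:
    """Return one finding per watch-listed hostname found in the hosts file."""
    findings: List[Dict[str, object]] = []
    for lineno, addr, names in parse_hosts(text):
        for name in names:
            if is_protected(name):
                findings.append({
                    "line": lineno,
                    "host": name,
                    "address": addr,
                    "kind": classify_address(addr),
                })
    return findings


if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['address']} ({f['kind']})")
```

On the constructed sample this reports four findings: two loopback sinkholes, one 0.0.0.0 sinkhole, and one redirect of update.microsoft.com to 10.66.66.66. In practice the watch list would be maintained per organization, and a redirect is the more serious result, since the attacker's host can then serve a fake update. Legitimate local entries such as localhost and the internal file server are not flagged because they are not on the watch list.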

However, many argue that the battle is one that the good guys are losing.

The attackers are well motivated--no longer by fame, but by money, said Amit Yoran, former director of the National Cyber Security Division of the U.S. Department of Homeland Security and now an independent consultant.

"Several years ago, the high-visibility activity seemed to be ego driven--criminal to be sure, but less motivated by theft, fraud and other sorts of criminal advantage," Yoran said. "In today's environment there is a well-established and thriving criminal element that works in the cyber domain."

Moreover, cleaning an infected computer takes far more effort than infecting one, so PCs claimed by an attacker are difficult to restore to the user's control, especially when the user does not understand security issues.

"We can expect this type of measure-countermeasure game to continue," said Joe Stewart, senior researcher for security firm LURHQ. "Fighting the 'disable antivirus software' functionality of modern malware seems to have become a separate front in the war on viruses."

Common wisdom holds that the best defense against such threats is user education. But even that is becoming harder, said McAfee's Gullotto.

"The threat has become so diverse that I don't know what to tell people to look for anymore," he said. "In the end, you have to clearly be cautious about anything you download from the Internet today."

Copyright 2010, SecurityFocus