Blog

Blogging the ASC: Technical Discussion of Spyware

Posted on June 27, 2007 - 11:28 by egeorge

Continuing our live-blogging of the Anti-Spyware Coalition conference, here are StopBadware intern Josh Friedman's notes on the Technical Discussion of Spyware panel:

This session was half short presentations and half Q&A; it opened with the presentations.

Ryan Hicks covered the stealth issues of malware. He thinks that rootkits are among the most popular stealth technologies. Ultimately, once a system has been compromised it cannot be trusted. Rootkits began as an academic exercise but have developed into threats that are in the wild en masse. Botnets are integrating rootkit technology, and kernel-mode threats are becoming more prevalent across all malware.

Richard Smith spoke about the new features in Internet Explorer 7 that attempt to address some of the spyware issues. He broke attacks into two vectors: exploits (i.e., drive-by downloads) and social engineering.

New features in Internet Explorer 7:
* Protected Mode: Runs the browser in a sandbox with limited file-system and registry access.
* Buffer overflow protection: "Address Space Layout Randomization" makes it difficult for exploit code to execute system calls.
* ActiveX Opt-in: Even if a control is installed on the computer, it cannot be used until the user authorizes it. Hundreds of ActiveX controls are available to the browser.

As an aside, he mentioned that he thinks MS should simply use the processor's hardware ability to mark data pages as non-executable.

Possible new vectors of attack in Vista:
* Silverlight: Allows executable code within the browser, and many different languages can be used to write Silverlight code. Buffer overflow(s) have already been found.
* Instant Search: The code that processes each file type is often susceptible to multiple vulnerabilities.

Gibson, "Microsoft has been so slow in making simple changes that could have prevented many of the problems that we have had [as users]."

Some notable information shook out of the Q&A session:

Ryan, on detection of rootkits – The most popular way to find rootkits is via 'cross views', where you compare multiple different methods of looking at the same parts of the system and see whether there is a discrepancy.
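The cross-view idea, as an added illustration that is not code from the panel or from StopBadware: several independent enumerations of the same system objects are compared, and any object that one view omits, or describes differently, is flagged. A real scanner gathers each view from the live system (for example, a user-mode process API versus a walk of the kernel's own process list); here the views are hand-constructed dictionaries with hypothetical pids and image names, so the comparison logic runs offline.

```python
"""Cross-view rootkit detection over constructed sample data.

Added illustration, not code from the panel or from StopBadware. The views
below are constructed; a real scanner would build each one from the live
system using a different enumeration method.
"""
from typing import Dict, List

# One "view" is one method of enumerating the same system objects:
# here a mapping of process id -> image name as that enumerator reports it.
View = Dict[int, str]


def cross_view_discrepancies(views: Dict[str, View]) -> List[dict]:
    """Compare several enumerations of the same objects and report disagreements.

    A finding of kind "hidden" names an object that at least one view omits;
    a finding of kind "mismatch" names an object whose attributes differ
    between views. No findings is not proof of a clean system: only a
    discrepancy is evidence, and a rootkit that subverts every view the
    scanner uses will not show up.
    """
    all_pids = set()
    for view in views.values():
        all_pids.update(view)

    findings = []
    for pid in sorted(all_pids):
        reported_by = sorted(name for name, view in views.items() if pid in view)
        hidden_from = sorted(set(views) - set(reported_by))
        if hidden_from:
            findings.append({"pid": pid, "kind": "hidden",
                             "hidden_from": hidden_from,
                             "reported_by": reported_by})
            continue
        # Every view reports the object; check that they agree on what it is.
        names = {name: view[pid] for name, view in views.items()}
        if len(set(names.values())) > 1:
            findings.append({"pid": pid, "kind": "mismatch", "names": names})
    return findings


# Constructed sample data (hypothetical pids and image names). "user_api" is
# what a filtered user-mode enumeration might return; the other two stand in
# for lower-level views a scanner would build independently.
SAMPLE_VIEWS: Dict[str, View] = {
    "user_api": {4: "System", 600: "winlogon.exe", 900: "lsass.exe",
                 2048: "explorer.exe"},
    "kernel_list": {4: "System", 600: "winlogon.exe", 900: "lsass.exe",
                    1337: "hidden_svc.exe", 2048: "explorer.exe"},
    "thread_scan": {4: "System", 600: "winlogon.exe", 900: "svchost.exe",
                    1337: "hidden_svc.exe", 2048: "explorer.exe"},
}


def scan_sample() -> List[dict]:
    """Run the comparison over the constructed views."""
    return cross_view_discrepancies(SAMPLE_VIEWS)


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

On the constructed data the scan reports pid 900 as a name mismatch and pid 1337 as hidden from the user-mode API view. The function works over any number of views, so adding a further independent enumeration only makes a discrepancy harder to conceal.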

Gibson, on the nature of the problem – Ultimately, it is the trust placed in a transparent system like the PC that is being subverted. Most spyware issues now come from hacked sites rather than from adware-laden, seemingly legitimate downloads. Web 2.0 means that there are now servers functioning as a clearing house for anonymous visitors' content.

Ryan, on security – Security is hard: some bugs are not even bugs; they are neither bad design decisions nor incorrect code, just the confluence of many factors.

Ryan, on analysis in virtualized environments – When it comes to virtualized environments, there is really just a trade-off between time and making sure you catch all the tricks of the malware. There is a trend for some malware to simply waste a researcher's time. For example, when run in a non-virtualized testing environment under SoftICE, some malware detects SoftICE in multiple ways and changes its behavior.

Ryan, on the next generation of protection – Future anti-virus programs will likely hook into the system in a way that lets all transactions on the system be logged.