[ale] [OT] Databases of viruses/malware

Greg Freemyer greg.freemyer at gmail.com
Thu Mar 3 10:36:21 EST 2011


On Thu, Mar 3, 2011 at 5:11 AM, Ron Frazier
<atllinuxenthinfo at c3energy.com> wrote:
> Hi Greg,
>
> Your best defense against zero day is to use good firewalls (hardware
> and software), have well patched computers, and have users trained in
> safe computing. (Yeah, I know, "trained users" is somewhat of an
> oxymoron. "Trained responsible users" is really an oxymoron.) Clicking
> email links is a huge vector which is largely avoidable. They should
> understand not to invite things in through the firewall. Granted, on
> websites, you can't always tell what's malicious. They should be trained
> to avoid phishing and social engineering attacks, to the extent
> possible.

The current bad guy best practice AIUI is to spear-phish with a zero
day.  That's what happened to Google last year.  The key to a
best-practice spear-phish is to make it look real, and spoof the
sending account to make it look real.  And then embed your zero day in
an actual useful doc.

So let's take the recent docs on SSD wiping.  They look official to me,
I've already pulled them and opened them.  If their very existence was
part of a spear-phishing attack, I'd be infected (assuming I have the
vulnerability the zero-day is targeting).

Not only that, but because the content of those docs is high, I may
forward the docs / links to friends and associates.  The spear-phish
grows with me as an unwitting agent of the attack.

> Running as an average user, rather than a super user with User
> Account Control on (in Windows) or the default functionality in Ubuntu
> is very helpful if something tries to execute with elevated privileges.

Absolutely, but the whole point of a zero day is to escalate past such defenses.

> Of course, if you have the admin password, and you type it in, you're
> toast. Running with scripting disabled in the browser and in PDF files
> is very helpful, in my opinion, essential. Also, in my opinion,
> disabling autorun / autoplay for all CD / DVD drives and USB ports is a
> biggie.

This is often referred to as putting users in a jail.  It is a
definite strategy and it definitely helps, but it also lowers
productivity.  Few corporations I've seen are willing to make the
trade-off.

> Firewire too, if applicable.

WebSense with all the grey-listed sites disabled is definitely a step
forward.  (I don't know if they have a free / low-cost version.  Most
of my clients have WebSense, or similar, deployed.)

> A user in a corporate environment
> should NEVER be able to pop in his memory stick and immediately get
> infected. That is the new floppy disk, and the new vector. Viruses used
> to spread like wildfire on college campuses via floppy disk.

Agreed.  That is how Stuxnet is thought to have got a toehold before
it went viral.

> However, he
> should still be able to use the memory stick for data storage. Likewise,
> the janitor should never be able to pop in his memory stick and infect
> the users' PC's. Of course, if he has time alone with the PC, it gets
> much harder to protect. Things like bios boot passwords, and disabling
> CD / DVD / USB boot, and physically locked cases come into play; and not
> all PC's even support those features.

> If you can survive a few days
> without getting the latest THING, your virus scanner(s) will probably be
> updated and will be able to scan it, at the expense of all the poor
> souls who originally caught the THING.

Not very true today.  As I said, tens of thousands of zero days are
created per day now.  If a bad guy is smart, he only sends his zero day
to a few thousand people, not to millions.  The odds of one of those
few thousand people identifying they've been had and getting the malware
to AV companies for analysis is slim.

Some of my corp. clients identify and send in several zero days per
week.  Many of them have been on their systems for months, but have
just been found by the corp.  But the AV vendor still does not have it
in their database.

> As I mentioned in another post, a technical college I worked for used
> DeepFreeze to return every PC to a known state every night, just by
> rebooting. I find that fascinating, but I'm not using it personally because
> of frequent data that I store and frequent updates, which are a problem
> in that scenario. In any case, at the college, the lifetime of a virus
> on a frozen PC is limited to 24 hours, because the PC's always get
> rebooted or shut down at night.

Cool stuff for a public PC.  Not practical for a typical user.

> This is one big reason I'm running Linux.

Me too.

> At the moment, I'm not running
> AV on it, but that may change over time. However, the family still runs
> Windows, and I boot into Windows periodically to do things I cannot do
> in Linux, so I still have to maintain that.

> I note that Firefox, and Java work the same regardless of platform, so I
> would think there is still a risk from infected web pages. (I use
> NoScript to disable scripting on all non trusted sites.)

Are there really any "trusted" websites?  Hackers hack legit sites and
plant their bombs all the time.

> Flash is also the same on all platforms, so all platforms may have risk.
> (Yes, I use Flash. Gotta have it for Pandora, Hulu, Youtube, and some
> web conferencing sites.)

Thanks for the intelligence; with my bad guy hat on, I now know which
sites to hack and place a virus in if I want to penetrate your
systems.

Or if that is too hard, I'll hack your ISP's DNS server and redirect
you to a fake server of mine.  (Yes, that does happen.)

Ron, I doubt anyone is targeting you, but you never know. ;)

> Also, with Wine on board, I'm capable of running native Windows
> executables, so there might be a risk there too.
>
> That brings up some Linux related questions:
>
> 1) Does the document viewer, which reads PDF's in Ubuntu, have
> JavaScript, and if so, how do I turn it off?
> 2) Leo Laporte, of the TWIT podcast network, recommends Foxit for
> reading PDF's rather than Adobe. It's available for Linux here:
> http://www.foxitsoftware.com/pdf/desklinux/
> It looks like it comes as a tarball. Does anyone know how I can install
> it through Synaptic or Apt, so I get auto updates?
> 3) How do I turn off autoplay / autorun in Ubuntu? I specifically DON'T
> want anything autoexecuting on insertion of CD / DVD / USB.
> 4) Does Ubuntu and Linux in general have Data Execution Protection?
> 5) Is anyone aware of studies of security risks related to Wine?
>
> Any help with these issues is greatly appreciated.
>
> Sincerely,
>
> Ron

I have no answers, just issues.

Greg