
a concept for prevention of all viruses


8 replies to this topic

#1 rp88 (Members, 3,059 posts)

Posted 01 August 2014 - 07:27 AM

I noticed the latest virus descriptions on the site today and took a look to see, as usual, that the virus you were describing executes out of an appdata/temp folder or some other such thing tucked away under a username. The recommendation for prevention was, as you have given for most ransomscumware, to prevent exe files running from the appdata folders.

 

This gave me a thought: given the way all viruses work, wouldn't it be possible to prevent every virus infection by setting up a computer in a pristine state, then placing some "order" deep in its memory to only ever execute the exe files that were on it at that time? When a user wants to install/run a program they can let that new file run "just the once" before adding it to the "clean list", which would only contain every exe that was on the computer when factory fresh and a few programs deliberately added. This would prevent every virus except those that managed to trick the user into starting them in the belief that they were legitimate programs. Why hasn't such a concept been developed?


Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#2 Platypus (Global Moderator, 15,158 posts, Australia)

Posted 01 August 2014 - 07:42 AM

The technique of only allowing permitted executables to run is called whitelisting. There have been programs available that work on this principle, DriveSentry is one that springs to mind.


Top 5 things that never get done:

1.

#3 Didier Stevens (BC Advisor, 2,716 posts)

Posted 01 August 2014 - 05:05 PM

This would not prevent every infection.

 

For example, exploiting a vulnerability of a networked service by injecting code into memory would not be detected by this method, as no exe is written to disk.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 Crazy Cat (Members, 808 posts, Lunatic Asylum)

Posted 02 August 2014 - 12:33 AM

This would not prevent every infection.
 
For example, exploiting a vulnerability of a networked service by injecting code into memory would not be detected by this method, as no exe is written to disk.

DUQU TROJAN (METHODOLOGY)
Indicator for the duqu trojan. The initial duqu driver will decode and inject a dll (marked as .pnf) into a system process (usually services.exe). The injected dll contains another dll encoded within its resource section, which it will inject into other processes as identified within its encoded configuration file (another .pnf file). This second injected dll is responsible for all backdoor/C2 communication.

STUXNET VIRUS (METHODOLOGY)
Generic indicator for the stuxnet virus. When loaded, stuxnet spawns lsass.exe in a suspended state. The malware then maps in its own executable section and fixes up the CONTEXT to point to the newly mapped in section. This is a common task performed by malware and allows the malware to execute under the pretense of a known and trusted process.
 
Question, Didier:

Would a whitelisting app, detect and stop the above infection mechanisms?

Would EXE fingerprint hashing (eg. MD5) by the whitelisting app detect the modified EXE?
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#5 Didier Stevens (BC Advisor, 2,716 posts)

Posted 02 August 2014 - 04:40 AM

DUQU: depends on how the injection is done. If it's with LoadLibrary, a whitelisting tool that also covers DLLs will detect it.

 

STUXNET: no

 

But in both cases, a whitelisting app would prevent the initial infection vector (an exe).

 

I'm talking about exploit tools like MetaSploit. With MetaSploit, one can attack an unpatched machine via a vulnerable networked service, and then inject its Meterpreter payload into that process.

This is all done without creating new processes or loading DLLs via the OS API, so a whitelisting app doesn't see this, since no new process is created or a new dll is loaded.


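As an added example (not code from this thread or from any product mentioned in it), here is the hash-based "clean list" rp88 describes and Crazy Cat asks about, written in Python over a constructed temporary directory: a listed file whose bytes change after baselining no longer matches, and a newly dropped file is not listed at all. The function names and the sample file contents are this example's own.

```python
import hashlib
import tempfile
from pathlib import Path

# sha256_file, build_baseline, check_file and demo are hypothetical names
# chosen for this example; they are not from any whitelisting product.


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory.
    SHA-256 is used rather than the MD5 mentioned in the thread, because
    MD5 collisions are cheap to construct and a whitelist keyed on MD5
    could be matched by a crafted file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=(".exe", ".dll")) -> dict[str, str]:
    """The 'clean list': hash of every executable present at baseline time."""
    return {str(p.resolve()): sha256_file(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in suffixes}


def check_file(path: Path, baseline: dict[str, str]) -> str:
    """Verdict for a file about to run: 'allowed', 'modified' or 'not-listed'.
    Only bytes on disk are judged; code injected into a process that is
    already running never passes through this check."""
    key = str(path.resolve())
    if key not in baseline:
        return "not-listed"
    return "allowed" if sha256_file(path) == baseline[key] else "modified"


def demo() -> tuple[str, str, str]:
    """Constructed scenario: baseline, tamper with one file, drop in a new one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "app.exe"
        app.write_bytes(b"MZ original program bytes")      # constructed stand-in
        baseline = build_baseline(root)
        untouched = check_file(app, baseline)               # "allowed"
        app.write_bytes(b"MZ original program bytes+patch")  # simulated tampering
        tampered = check_file(app, baseline)                # "modified"
        dropped = root / "update.exe"
        dropped.write_bytes(b"MZ unknown new binary")       # never baselined
        new_file = check_file(dropped, baseline)            # "not-listed"
        return untouched, tampered, new_file
```

The check only ever sees bytes on disk, which is Didier's point above: a payload injected straight into a running service never reaches it, so such a list stops new or altered executables but not in-memory exploitation.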


#6 rp88 (Topic Starter, Members, 3,059 posts)

Posted 03 August 2014 - 11:41 AM

Doesn't some sort of exe file have to run to cause the modifications to existing files that the virus then uses? Even with exploits and vulnerabilities, surely what they do is allow an attacker to smuggle an exe into the system, which they then trick the system into running. If your "whitelisting" was set up correctly, surely it could prevent the running of the exe after it had been sneakily placed on the machine. That duqu thing must use an exe file to commit the initial injection.



#7 Didier Stevens (BC Advisor, 2,716 posts)

Posted 03 August 2014 - 02:33 PM

No, this is precisely the point I want to make.

 

I'm talking about exploit tools like MetaSploit. With MetaSploit, one can attack an unpatched machine via a vulnerable networked service, and then inject its Meterpreter payload into that process.

This is all done without creating new processes or loading DLLs via the OS API, so a whitelisting app doesn't see this, since no new process is created or a new dll is loaded.

 

Another example: a PoC I made 4 years ago:




#8 Paulito (Members, 18 posts)

Posted 03 August 2014 - 03:50 PM

Thanks Didier,

 

A very interesting video.



#9 Crazy Cat (Members, 808 posts, Lunatic Asylum)

Posted 03 August 2014 - 10:02 PM

Thank you Didier for the excellent replies. While researching further, Pg 16. https://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
 
