
Surveillance exposes malware that comes back from the dead

By Bill Brenner, Senior News Writer
21 Mar 2006 | SearchSecurity.com


An IT shop may use all the latest tools to snuff out viruses, spyware and rootkits, but the latest results of an ongoing endpoint surveillance project suggest the digital underground is easily outsmarting those tools.


Mitchell Ashley, CTO and VP of customer experience for Superior, Colo.-based software firm StillSecure, said his company's Endpoint Security Index shows that security-hardened computers can still be infected with certain types of malware.

"We've found that many kinds of attacks can bypass traditional security measures," he said. "Malware can live on the endpoint and hide from AV. Or, in some instances, the AV program might not clean up all the malware, and remnants of malicious files that can do more damage are left behind."

The index, now in its fourth month, monitors four different endpoints using machines running Windows XP Service Pack 2 (SP2). Ashley said well-defined security policies are applied to each endpoint. Then, using an automated process, the machines visit tens of thousands of URLs a month, opening themselves up to any sinister code lurking on these sites.

Ashley said the ultimate goal is to measure the strength of different security policies and tools so endpoint devices can be more successfully locked down.

The latest findings indicate that:

  • Malware is capable of hiding from AV, antispyware and anti-rootkit technology. "For example," StillSecure said in its analysis, "a known virus was present on [one of the four test endpoints] but the antivirus tool failed to clean the machine. If this occurred in a real-world setting, the end user would have no indication that the machine was infected, leading to further destruction of the device."
  • Malware can be detected by security tools but cannot be deleted. Certain sophisticated threats hide in protected folders so they cannot be removed.
  • Most components of malware are visible to AV and antispyware tools, but those components are expendable to the attacker: any components that survive AV cleanup are often capable of restoring the deleted files.
  • Pop-up windows dupe end users into clicking on malicious sites.
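The third finding above, that remnants left behind after AV cleanup can restore the deleted files, suggests a simple detection check an administrator can run after a cleanup. The script below is an added example and is not part of the article or of StillSecure's index: it records which files a cleanup removed (by path and SHA-256), then compares later inventories against that baseline and reports files that have come back at the same path or reappeared as the same content under a new name. The directory layout, file names and contents in the demo are constructed for illustration.

```python
"""Detect files that reappear after an antivirus cleanup.

Added example, not part of the SearchSecurity article or StillSecure's index.
Records a baseline of a directory at cleanup time and later reports files
that have come back (same path, or same content hash at a new path).
All paths and sample contents below are constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def inventory(root: Path) -> dict[str, str]:
    """Map each relative file path under root to its SHA-256 hex digest."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            result[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def record_cleanup(before: dict[str, str], after: dict[str, str]) -> dict:
    """Build a baseline describing what the cleanup removed.

    'removed' maps path -> hash for every file present before cleanup and
    absent afterwards; 'bad_hashes' lists their digests, so a remnant that
    re-drops the same payload under a new name is still caught.
    """
    removed = {p: h for p, h in before.items() if p not in after}
    return {"removed": removed, "bad_hashes": sorted(set(removed.values())), "after": after}


def find_resurrected(baseline: dict, current: dict[str, str]) -> list[dict]:
    """Compare a fresh inventory against the baseline and return findings."""
    findings = []
    bad = set(baseline["bad_hashes"])
    for path, digest in current.items():
        if path in baseline["removed"]:
            # A path the cleanup deleted exists again; note whether the bytes match.
            findings.append({"path": path, "reason": "removed path reappeared",
                             "same_content": digest == baseline["removed"][path]})
        elif digest in bad and path not in baseline["after"]:
            # Same content as a removed file, but dropped under a different name.
            findings.append({"path": path, "reason": "known-bad content at new path",
                             "same_content": True})
    return findings


def demo() -> list[dict]:
    """Simulate a cleanup followed by a remnant restoring the deleted file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "benign.dll").write_bytes(b"legit")       # constructed
        (root / "system32" / "dropper.exe").write_bytes(b"payload")    # constructed
        (root / "loader.dll").write_bytes(b"remnant")                  # constructed
        before = inventory(root)
        # The AV tool deletes the visible component but misses the loader.
        (root / "system32" / "dropper.exe").unlink()
        baseline = record_cleanup(before, inventory(root))
        # Later, the surviving remnant re-creates the payload under a new name.
        (root / "svchost32.exe").write_bytes(b"payload")
        return find_resurrected(baseline, inventory(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be written to disk (or to a central log) right after the cleanup and the comparison scheduled to run periodically; a finding of either kind means the cleanup was incomplete and the endpoint should be treated as still infected rather than as cleaned.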

[Image: an example of a malicious message found on one of StillSecure's Web-scanning PCs.]
"Social engineering continues to be successful," Ashley said. "End users are presented with pop-up sites that dupe them into downloading malware. They visit sites running ActiveX plug-ins and JavaScript. It's easy for them to be infected and not know it after the fact."

The lesson, Ashley said, is that IT administrators shouldn't be content to simply update AV software and deploy the latest security patches.

"You also need to look at the security of your applications," he said, "and you have to keep an eye on security settings in the browser and in the operating system."

Ashley compared StillSecure's program to a honeypot, where machines hooked to the Internet are expressly set up to invite attacks.

In this case, however, the goal is to attract attacks based on certain types of user behavior, which StillSecure does by having the machines surf through various Web sites as typical Web site visitors would.
