Beyond AV: Eliminating evasive malware

Here are filtering approaches and malware-specific technologies that can help you to keep self-installing malware from sneaking by your defenses.

Malware is program or file that is harmful to a computer user. It includes viruses, worms, and Trojan horses, and

also adware, programming that gathers information about a computer user without permission. The risks from malware range from merely annoying ads, to serious identity or financial information theft. Even strict firewall rules, fully up-to-date patches and your antivirus software won't stop the most dangerous type of malware from secretly installing itself on systems. Additional filtering approaches and malware-specific technologies are necessary to keep self-installing malware from sneaking by your defenses.

Self-installing malware, also known as a drive-by download, slips past network security via ActiveX and Browser Helper Objects (BHOs) in insecure browsers. Drive-by downloads may hijack your Web browser or log your key strokes. Malware is able to sneak in undetected because OSes and browsers lack the ability to see the threat. What's more, ActiveX and BHOs fundamentally and inherently allow anyone on the Internet to write code that can be transparently downloaded to a computer where it inherits the rights and permissions of the current user. Downloading new functions is the sole use of BHOs and one of the main purposes for ActiveX. Unfortunately, Microsoft didn't build in any security. That's why it's important not to use privileged accounts (e.g., Administrator) for day-to-day activities, especially Web surfing.

Anitvirus tools differ from anti-malware tools because they watch different infection vectors. While AV programs are beginning to address a broader spectrum of malware, the market is immature. But it's growing rapidly, with vendors like Microsoft, Symantec and McAfee entering the game or integrating new features into existing tools (It's interesting to note that Microsoft's Windows Malicious Software Removal Tool and Windows AntiSpyware (Beta) will only run on Windows 2000 or newer, leaving many millions of users on older systems unprotected). Conversely, a number of commercial and free anti-malware products from smaller vendors have been available for some time. These products generally fall into two categories: inoculation and detection/removal, though, the lines are beginning to blur as more mature products begin to do both. Innoculators such as Javacool Software SpywareBlaster and Spybot-Search & Destroy feature an immunize function, which aims to prevent malware from being installed via the ActiveX kill bit (see Blocking spyware via the ActiveX kill bit), and similar means. Whereas, detection and removal products like Lavasoft Ad-Aware and Aluria Software Spyware Eliminator can help you clean up after the fact. Running multiple products on a workstation is best, since each employs different detection methods and has different malware databases.

Alternatively, Mike Lin's StartupMonitor takes a different approach and warns you when any program tries to configure itself to be started on boot. Though, if malicious code isn't set to run on a system boot, the product is ineffective. This is an interesting approach, but many programs such as AV scanners and updaters legitimately do need to run at startup. Distinguishing between the two types isn't easy for end users. Running this tool on a test box or personal workstation could be a good learning experience for an administrator.

Self-installing malware downloads originally on a Web server. But once it's installed, it may try to spread using other means, which can be blocked. You can filter content at the firewall, proxy and mail servers, and even via IPSes. However, it's difficult to remove malicious content in all of those places without affecting legitimate business activities. For instance, if you block all ActiveX at a firewall or IPS, you've just broken the WindowsUpdate service.

Monitoring firewall or IDS logs can alert you to an infection after the fact. In addition, various types of egress filtering (applied on firewalls, routers and IPSes) can block the spread of malware beyond your perimeter by limiting outgoing access. This may negate some malicious software, such as keystroke loggers, but clever malware will still find an outgoing pathway.

Both egress and content filtering may be performed by a modern firewall. The difference is that egress filtering involves firewall rules or router access control lists. Egress filtering identifies what traffic (ports/protocol, sources, destinations) can go where. Whereas, content filtering controls what content is allowed to pass.

You can also create hosts files (or DNS records) that resolve known malware servers to localhost, which has the effect of pointing back to your own computer, thus preventing the malware from communicating or spreading. Or, you can create a blacklist of sites to block at the firewall. And, egress filtering on individual computers can be effective. For example, Check Point's ZoneAlarm indicates what programs on the computer are accessing the network. This strategy will require you to educate users on how to determine the legitimacy of the programs that trigger the firewall.

As a final thought, you may want to consider using any browser but Internet Explorer. Of course, switching browsers is a difficult task, particularly for large enterprises, but it may be worth consideration, given the additional security, pop-up blockers and tabbed browsing available in all other major browsers.


About the author
JP Vossen, CISSP, is the Integration Manager for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.

This was first published in February 2005

Dig deeper on Malware, Viruses, Trojans and Spyware



Enjoy the benefits of Pro+ membership, learn more and join.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: