Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

4/15/2009
03:14 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

The Certainty Of Death, Taxes and Malware

In a letter to Jean-Baptiste Leroy, Benjamin Franklin spoke of the seemingly permanent outlook for the new Constitution, and followed up with "but in this world nothing can be said to be certain, except death and taxes." I don't think we can disagree about any of those points, especially with today being when the tax man cometh. However, I think we can add something else to that quote about certainty: malware.

In a letter to Jean-Baptiste Leroy, Benjamin Franklin spoke of the seemingly permanent outlook for the new Constitution, and followed up with "but in this world nothing can be said to be certain, except death and taxes." I don't think we can disagree about any of those points, especially with today being when the tax man cometh. However, I think we can add something else to that quote about certainty: malware.Nothing is certain except for death, taxes, and malware. The recent Conficker and GhostNet exposure makes the malware angle of this statement more certain than ever. So how are you dealing with it? We all know that AV is a best effort that only catches a disturbingly low percentage of today's cutting edge malware. Malware is changing too quickly for vendors to keep up. What are you to do?

For me, I've always leaned towards a shotgun approach to fixing malware related issues. When I held helpdesk-type responsibilities and was faced an infected machine, I typically used four to five different anti-malware tools to clean up the machine, which worked the majority of the time. If I couldn't fix it in 30- to 45 minutes, it was time to rebuild it. These days, I'm more of the mindset that nearly every infection needs to be rebuilt because it's gotten harder to catch every little piece of malware dropped on a system and repair it in a reasonable amount of time.

Besides having procedures in place to rebuild systems quickly, what measures can you take to identify infected systems that AV hasn't detected yet? I've found that the Emerging Threats community has done a phenomenal job and detecting problems. Even though the malware may have been repacked or morphed slightly so local AV is blind, it is still using the same network protocols that can be detected via IDS. I highly recommend checking out their signatures if you use Snort or some Snort-based IDS/IPS.

Another useful tool I've been leveraging lately is blacklists provided by various reputable groups. The lists consist of known malicious IPs that have been identified as attackers, servers hosting malware, or C&C's (command and control servers). Tenable has a blog entry about using blacklists and links to several good lists worth reviewing. If your IDS supports adding custom rules, I recommend testing some of those lists and setting the IDS to record some of the traffic it sees to those hosts. Then, review the data and see if you've found infected machines missed by AV. I'll bet you do. Just beware of false positives because sometimes blacklists aren't vetted as well as they should be.

I hate to beat the "defense in depth" drum because it's been overused a bit in years past, but it's true. Layered security is a must when it comes to fighting malware. AV isn't enough, so we need to supplement our defenses with other measures like the Emerging Threats ruleset and blacklists. Give them a shot and let me know how it worked out for you.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-18165
PUBLISHED: 2021-05-12
Cross Site Scripting (XSS) in LAOBANCMS v2.0 allows remote attackers to execute arbitrary code by injecting commands into the "Website SEO Keywords" field on the page "admin/info.php?shuyu".
CVE-2020-19275
PUBLISHED: 2021-05-12
An Information Disclosure vulnerability exists in dhcms 2017-09-18 when entering invalid characters after the normal interface, which causes an error that will leak the physical path.
CVE-2021-29511
PUBLISHED: 2021-05-12
evm is a pure Rust implementation of Ethereum Virtual Machine. Prior to the patch, when executing specific EVM opcodes related to memory operations that use `evm_core::Memory::copy_large`, the `evm` crate can over-allocate memory when it is not needed, making it possible for an attacker to perform d...
CVE-2020-19274
PUBLISHED: 2021-05-12
A Cross SIte Scripting (XSS) vulnerability exists in Dhcms 2017-09-18 in guestbook via the message board, which could let a remote malicious user execute arbitrary code.
CVE-2021-30211
PUBLISHED: 2021-05-12
Knowage Suite 7.3 is vulnerable to Stored Cross-Site Scripting (XSS). An attacker can inject arbitrary web script in '/knowage/restful-services/signup/update' via the 'surname' parameter.