> Personal experience with dealing with r00ted systems that have bypassed AV
> controls has shown me a lot about how nefarious
> these attacks can be
Once code is running as system, it's irrelevant what system you try to put in place to prevent it. Whitelisting is not going to help, because the rootkit can simply report that it's notepad.exe (or whatever) to your whitelisting software. The same way that a rootkit reports it's something else to your file system filter (typically what AV uses).

You're a CISSP - you should know that once the system is rooted you do not own it. You have some variable % of being able to recover the system using tools, but the only guaranteed way to recover the system is to restore from known good media.

And the vulnerability you were talking about requires the AV software's thread to be pre-empted, and between some code being run, and the rest being run, some user-mode variables are changed. Again: how is whitelisting going to help here? My contention is that it can't. Your explanation as to how it can?

Cheers
Ken

-----Original Message-----
From: Ziots, Edward [mailto:[email protected]]
Sent: Tuesday, 11 May 2010 11:13 PM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better....

Ken,

Personal experience with dealing with r00ted systems that have bypassed AV controls has shown me a lot about how nefarious these attacks can be, and I am still learning a lot about the infector vectors and how to provide controls to prevent them. If AV doesn't have a signature for the attack that the current malware has employed, then it's pretty trivial to do file system infection, Trojan dropping, rootkit installation etc etc; trust me, the malware authors/writers are still well ahead of us in the battle and will probably continue to be for quite some time. Also I am not advocating any approach except that AV by itself is almost worthless as a system control anymore. But when you are dealing with like 10K+ new samples a day of virus/malware then it's pretty hard for any AV vendor to keep up with signatures to detect them all.
I would rather not turn this into a flame war; if you disagree, that is perfectly fine, and you are well within your rights. Please feel free to contact me offline and we can ramble it out there accordingly. Always love a good discussion about this subject, as painful as it is for business these days.

Thanks
EZ

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
[email protected]

-----Original Message-----
From: Ken Schaefer [mailto:[email protected]]
Sent: Tuesday, May 11, 2010 11:01 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better....

-----Original Message-----
From: Ziots, Edward [mailto:[email protected]]
Subject: RE: Life just keeps getting better....

> On Access, most of the rootkits on the systems have hidden themselves from AV,
> therefore rendering its "On Access" detection useless.

How does a rootkit manage to hide itself in the first place? You can only hide yourself from FSF if you have hooked the relevant system calls in the first place. On access should detect that before it happens.

> It's not whether AV is good or not, it's just a race not worth running anymore trying to
> fight common threat vectors with signature techniques.

Irrelevant to the point. You were talking about whitelisting vs blacklisting, and yet are unable to explain how whitelisting helps in the scenario you talked about. Suggest you understand the situation before advocating some solution that doesn't solve the problem.

Cheers
Ken

Been using CSA here for about 5+ yrs and it's cut down the Malware/Spyware drastically, due to controlling code execution, period. It's hooked into the Kernel so it can't be bypassed, and has saved the bacon more than a few times. Too bad Cisco royally screwed up CSA 6.0 and is discontinuing V5.0, which leaves folks in a pickle and looking for other solutions, and application whitelisting seems to be the best of the choices atm.
It's not fool-proof, but again it's controlling execution, and you have a method of vetting what software is good and what is bad in your environments, which is a ton better than just putting AV on the system and calling it a day...

Z

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
[email protected]

-----Original Message-----
From: Ken Schaefer [mailto:[email protected]]
Sent: Tuesday, May 11, 2010 10:44 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better....

How is whitelisting or blacklisting going to help? Answer: it's not. The problem is thread pre-emption and storing values in user-mode memory space where it can be altered (assuming you can get the timing right). But, if your AV was any good, it would detect the problem "on access".

Cheers
Ken

-----Original Message-----
From: Ziots, Edward [mailto:[email protected]]
Sent: Tuesday, 11 May 2010 9:16 PM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better....

You can also read the blurb on SANS' ISC page; some vendors say it's important, and of course McAfee discredits it, not that that surprises me. But it is an attack vector to consider. Controlling the execution of code on your system is the difference between keeping your systems clean and getting 0wned. Whether you look at HIPS/Whitelisting/Blacklisting or otherwise, you are going to have to have more on your systems than just AV to combat today's threat landscape.

Sincerely,
EZ

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
[email protected]

-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Tuesday, May 11, 2010 9:11 AM
To: NT System Admin Issues
Subject: Re: Life just keeps getting better....
On Mon, May 10, 2010 at 12:40 AM, Kurt Buff <[email protected]> wrote:
> How to bypass almost all AV software
>
> http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php

Sophos's response:

http://www.sophos.com/blogs/duck/g/2010/05/11/khobe-vulnerability-earth-shaker/

They're an AV vendor and thus not a disinterested party, so take it as you like.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
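The race Ken keeps coming back to (a hook validates arguments that still sit in user-mode memory, the thread is pre-empted, and the original routine then reads memory that has changed in the meantime) is easier to see in a small simulation than in prose. The C program below is an added example written for this page; it is not code from the thread, from the KHOBE article, or from any vendor. The kernel side is mocked with plain functions and the pre-emption window is a callback, so it runs as an ordinary user-mode program. The policy prefix, the hook names (hook_check_in_place, hook_capture_then_check) and the swapped-in path are constructed for illustration; the capture-then-validate pattern in the second hook is the standard way kernel code is expected to treat user-mode arguments.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN   64
#define ALLOWED_PREFIX "C:\\Allowed\\"   /* constructed policy for the demo */

/* Simulated user-mode argument block: memory the calling process owns and
 * can rewrite at any moment, including while the hook is pre-empted. */
typedef struct {
    char path[PATH_MAX_LEN];
} user_args_t;

/* Simulates the pre-emption window between the hook's check and the original
 * routine's use of the arguments; the callee may modify user memory. */
typedef void (*preempt_fn)(user_args_t *user_args);

/* Hypothetical whitelisting policy: only paths under ALLOWED_PREFIX may be opened. */
bool policy_allows(const char *path) {
    return strncmp(path, ALLOWED_PREFIX, strlen(ALLOWED_PREFIX)) == 0;
}

/* Mock of the original (un-hooked) kernel routine: records which path it acted on. */
static void original_open(const char *path, char *opened, size_t opened_len) {
    snprintf(opened, opened_len, "%s", path);
}

/* Vulnerable pattern: check the user buffer where it lies, then hand that same
 * buffer to the original routine. Whatever is in user memory at *use* time wins. */
bool hook_check_in_place(user_args_t *user_args, preempt_fn preempt,
                         char *opened, size_t opened_len) {
    if (!policy_allows(user_args->path))                 /* check: reads user memory */
        return false;
    if (preempt)
        preempt(user_args);                              /* window: user memory may change */
    original_open(user_args->path, opened, opened_len);  /* use: reads it again */
    return true;
}

/* Hardened pattern: copy the argument once into memory the caller cannot touch,
 * then both the check and the use operate on that single captured copy. */
bool hook_capture_then_check(user_args_t *user_args, preempt_fn preempt,
                             char *opened, size_t opened_len) {
    char captured[PATH_MAX_LEN];                         /* "kernel-owned" copy */
    memcpy(captured, user_args->path, sizeof captured);
    captured[sizeof captured - 1] = '\0';
    if (!policy_allows(captured))
        return false;
    if (preempt)
        preempt(user_args);                              /* same window, now harmless */
    original_open(captured, opened, opened_len);
    return true;
}

/* Constructed pre-emption behaviour: the caller rewrites the argument to a path
 * the policy forbids after the check has already passed. */
void swap_to_forbidden(user_args_t *user_args) {
    snprintf(user_args->path, sizeof user_args->path, "C:\\Forbidden\\driver.sys");
}

/* Runs one hook against the swap and reports whether the path that was finally
 * opened (if any) stayed inside policy. */
bool hook_stays_in_policy(bool (*hook)(user_args_t *, preempt_fn, char *, size_t)) {
    user_args_t args;
    char opened[PATH_MAX_LEN] = "";
    snprintf(args.path, sizeof args.path, "C:\\Allowed\\tool.exe");
    if (!hook(&args, swap_to_forbidden, opened, sizeof opened))
        return true;                                     /* rejected outright, nothing opened */
    return policy_allows(opened);
}

int main(void) {
    printf("check-in-place stays in policy:     %s\n",
           hook_stays_in_policy(hook_check_in_place) ? "yes" : "no");
    printf("capture-then-check stays in policy: %s\n",
           hook_stays_in_policy(hook_capture_then_check) ? "yes" : "no");
    return 0;
}
```

The simulation forces the worst case deterministically; on a real system the window only opens when the timing works out, which is the "assuming you can get the timing right" qualifier in the thread. It also illustrates Ken's underlying point: a whitelist that consults the same in-place hook inherits the same window, so the fix belongs in how the hook handles user-mode arguments, not in a policy layered on top of it.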
