Malware: the blame game..


ShyWriter

Wednesday, September 11, 2013

Malware: the blame game
 

As you may know, there's a never-ending debate between who's at fault when a user is infected:

  •  is it the user for being "gullible" or being socially engineered to click on a malicious link?
  •  is it the fault of the antivirus or antimalware application for missing an infection?
  •  is it the fault of the administrator in corporate networks for not having proper policies?
  •  last but not least, a side question: is antivirus useless?

Here's an excellent article which goes deeper into these questions and discusses them:


http://www.welivesecurity.com/2013/01/03/imperva-virustotal-and-whether-av-is-useful/
(TL;DR: Imperva performed an antivirus test with doubtful and possibly improper testing methods and the (antivirus) community reacted to it)

 

My personal opinion? There's only one group to blame here which seems to get missed in these debates: the malware writers themselves. After all, the people who create (and use) the malware are responsible for the millions of infected machines and affected businesses, which may both lose a considerable amount of money by either

  • users: paying up to ransomware or rogueware, or CC (Credit Card) theft or fraud

  • businesses: personal records stolen (user/password databases), business plans stolen, not to mention the financial and production losses.

So what's the endless discussion about, and why are we not blaming the malware authors and botnet operators? (To learn more about botnets see my blogpost: the botnet wars: a Q&A.)

Here are the main points antivirus companies are blamed for:

  • making money on the back of the customer, and
  • not protecting well enough.

How much of this is true? Is antivirus dead? My only comment about this:


antivirus provides a good (basic) layer or level of protection on your machine. Is it sufficient? Maybe. Do you need extra protection? Depends. If you're a normal "home user", an antivirus and firewall will surely suffice. Free or paid antivirus doesn't really matter at that point. If you're in an organisation or corporation, antivirus will surely provide a good base to start from, not only signature-based but heuristically as well.

But you'll need more. Ideally, you need an extra set of eyes just for monitoring unusual behavior in your network. Is this realistic? Maybe. Are there solutions specifically designed for this on the market? Yes.

I won't go any deeper into the points above, as they've been discussed and debated many times.

Moving on:

Do ISPs (Internet Service Providers) need to take an arrow in the knee for this? How many and which ISPs are already detecting machines which are infected? These are newer and interesting questions as well. ISPs are obviously not responsible when a user is getting infected, however... When that machine in question starts sending out quite a lot of traffic (zombie), does the ISP need to take action? (More...)

 

Continued on Bart's fine blog at: http://bartblaze.blogspot.com/2013/09/malware-blame-game.html

 

Steve


They used VirusTotal for testing? That right there is why their test failed.

Also, their first screenshot shows Emsisoft and COMODO detecting the sample; however, neither of those ends up in their first set of statistics. Now they do have Emsisoft and COMODO in a second set of statistics, however they leave them both out of the overall set of statistics on which AV providers detected the samples. In the third set of statistics, they only include 5 AV products, as if none of the others matter.


I've authored a lot of publications on computer security in the past. I published an article recently where I explained why I stopped using an antivirus. I was almost excommunicated from the security community! Their reaction to my article surprised me. Whoops! I took down the article and am now rewriting it. A lot of people are habituated to antivirus programs. MBAM is a program I do use daily to protect my computer. It is second to none and far more useful than any AV in my opinion. In the past 13 years online I have had zero viruses, and only four trojans (all detected and removed before they could cause problems). Part of this track record of mine was included in a published book on PC security.

 

I still believe that antivirus programs have been surpassed by other more innovative applications such as MBAM. The threats out there are still increasing. What's the point of continued use of applications that don't help and just eat PC resources?


I still believe that antivirus programs have been surpassed by other more innovative applications such as MBAM. ...

Malwarebytes expects you to continue using standard AV protection when using their product, as MBAM is not intended to replace traditional AV software.

As someone who works in the industry, I can say that for the average user anti-virus is essential (otherwise there would be no infected computers). There are ways of staying safe online that can be far more effective than anti-virus software; however, even an expert can make a mistake, and when that happens it is great to have an AV in the background to catch that mistake for you.

Why you think AV software is ineffective and MBAM is, I do not understand. MBAM does the same thing as an AV. It monitors processes and created files in real time, it uses a combination of information about known malicious files (hashes, file info, paths, etc.) and heuristics to catch infections, and it notifies the user so that they can be deleted. While the technology is different from one vendor to another, the software essentially does the same thing. The major differences with MBAM are that their focus has never been on replacing anti-virus software, blocking IP addresses rather than domain names, and of course on superior malware removal technology.

Obviously MBAM can be a very good tool to have, and I do continue to use the real-time protection; however, I can never overstate the need for anti-virus software protection for the average user.


prince: "In the past 13 years online I have had zero viruses, and only four trojans (all detected and removed before they could cause problems)".

 

GT500: "... however I can never overstate the need for anti-virus software protection for the average user".

 

As for the total number of viruses and what-have-you that your machine has "gotten", and basing a general consensus and commentary upon this, it is and would be rather narrow in scope.

It is akin to stating that all engines only need one quart of oil to maintain good operation.

(This is obviously a falsehood.)

 

From a personal perspective I can say that on a daily basis my machine is exposed to way more "stuff" than you claim your machine to have been exposed to/"gotten" over years of time.

I am not an "average user", but I see machines that are an example of what "others" do to them based on ignorance, folly, greed and a number of other similar motivations. The snake-oil salesmen and scam artists ply their wares by using some of the same emotional methodology.

Add technical attack capabilities to the list and the results can be quite formidable.

 

Software tools that assist in preventing an "infection" or the execution of malicious code (I suppose that all such things could be considered malicious in/by common definition) can be rather broad in what they "detect", or they can be less and less generalized down to the point of being able to only "find" one item, in a given environment, coded in a specific manner.

And this is where the use of certain programs in conjunction with one another comes into play (compatibility aside).

The use of multiple "tools" to prevent malicious or unwanted code from being downloaded, installed or executed on a machine is a prudent method in/of security.

 

As has been mentioned, there is a difference between these types of software tools and the terminology that describes them ... they are not interchangeable.

Much as a "Phillips" screwdriver is not the same as a "Reed and Prince" screwdriver.


Software tools that assist in preventing an "infection" or the execution of malicious code (I suppose that all such things could be considered malicious in/by common definition) can be rather broad in what they "detect", or they can be less and less generalized down to the point of being able to only "find" one item, in a given environment, coded in a specific manner.

Unfortunately, different teams of researchers/analysts will not always have the same samples to analyze. This is why different security software will miss different things, as a sample that company A may have seen when it was 0-day may not have been seen by company B, and vice versa. It is also why the "layered security" approach is so popular: while there will be significant overlaps in what two or more protection mechanisms can detect, you expect that one security solution will make up for the 1%/2%/etc. of things that the other won't catch, and vice versa.

Of course, a good behavior blocking technology can be even more beneficial, if a user knows how to respond to the notifications. A good behavior blocker should have whitelists and blacklists of digital signatures in order to reduce the amount of notifications that users get and allow for a certain percentage of decisions to be automated, and of course there are other technologies that could be employed to do the same (since not every program is digitally signed).


:D  Hi CWB! Good to see you. And, pleased to meet you GT500. Foot in mouth is not something I've learned to give up yet. You're both right. The "advice" I gave up there is strictly for advanced users. My deepest apologies to one and all. I neglected to mention that I run antivirus scans about once a week just to keep on the safe side. I run MBAM, SpybotS&D (the older one) and SpywareBlaster every day. I just have a bone to pick with antivirus applications that are bloatware that cause more problems than they solve. But, do use one. Get the best you can.


I just have a bone to pick with antivirus applications that are bloatware that cause more problems than they solve.

It is quite true that performance can be a major issue with anti-virus software. It is very sad that some vendors think it is OK to have overly controlling or bloated software, especially when it is just basic anti-virus protection. Since users expect their time to be enjoyable (or at least not a hassle) when using their computers, it is always best when anti-virus software does not make a nuisance of itself.


 

ShyWriter,

 

My choice for the best quote from your initial post:

 


My personal opinion? There's only one group to blame here which seems to get missed in these debates: the malware writers themselves. After all, the people who create (and use) the malware are responsible for the millions of infected machines and affected businesses, which may both lose a considerable amount of money by either

 

 

I agree, that's where the focus should be when it comes to the blame game. As most know, there's no AV product that can provide 100% PC protection.

 

I've been on the 'net at home since '04 and have used 3 AV products during that time with various results.

 

Trend Micro: That was my 1st AV back in my XP days. I'd grade it a "C-" since it blocked a lot of attacks during that time but was unable to prevent some of the residual results from getting past its frontline security schemes.

 

ESET: I had this one installed at the same time that I bought a new PC with Windows 7 (64) back in '10. It was recommended due to its streamlined approach to system resource usage compared to the other mainline AV tools.

 

I liked its user interface and I could see that my PC response time was slightly faster than my current (Norton) AV, but the bottom line for me is that ESET failed to block all effects of intrusions to my PC. It detected a "parent" threat and appeared to block the intrusion, but I wound up having to run safe-mode scans or remove my HDD and install my cloned backup HDD to recover from the incidents.

 

Norton (360): I installed it in December '12 and so far so good on my PC. I read some online articles about AV comparisons and spent some time at various AV forums before deciding on Norton for my 3rd AV tool.

 

After ESET failed to protect my PC while I was at a reputable site, one where I visit daily, I decided to try another AV product. The interesting thing about that attack was, I happened to be on the phone with a friend that was running Norton and was visiting the same site. Norton protected his PC from the same intrusion. Both PCs are running Windows 7 64-bit (my friend's and mine), although he's running the Firefox browser and I use IE(10).

 

I was going to choose "Bitdefender" last December, but my shopping research discovered that Bitdefender isn't compatible with Office '03. I'm still running Office '03 since it meets my needs at present, although I know that next April MS will discontinue Office '03 security updates (at the same time as XP).

 

Regarding PC performance and AVs in general, I look at it this way: I'd rather lose a slight (for me, being an average PC user) drop in system performance and rely on an AV tool that has a better % track record with blocking intrusions.

 

Prince_Serendip

 


In the past 13 years online I have had zero viruses, and only four trojans (all detected and removed before they could cause problems).

 

 

I have a couple of friends that have the same track record as home 'net PC users. I've averaged about 1 intrusion per year since '04, where those intrusions got through my AV tool's frontline protection schemes.

 

With those occasions, I was able to recover about 60-70% of the time by running safe-mode AV scans. For those incidents where I wasn't able to recover, due to my lack of knowledge on the subject, I installed my spare HDD.

 

In my opinion, that's the best approach with home PC protection. I maintain a spare HDD which is 4 weeks behind my everyday HDD in terms of real-time replacement readiness. I clone my Desktop PC HDD every 4 weeks, which takes about an hour or so to complete the cloning process and test the "Target" HDD as a complete bootable HDD replacement.

 

For me, this setup works well since I no longer need to spend time and possibly dollars with online AV support to clean my original HDD.

 

I'd rather maintain a cloning or imaging routine since I can completely recover from any virus or malware intrusion within a few minutes.

 

This worked for me twice last year before switching to Norton. When I was running ESET, I got hit with that "FBI" virus, complete with the official-sounding FBI audio and completely blocking my 'net, etc., the typical symptoms.

 

The good part is that I was on the phone with my friend at the time it happened, and I laughed at the FBI voice since I knew I had my spare HDD on the shelf ready to go. I was recovered in a few minutes and cruising in 'net land.

 

I'm a cautious 'net user, as are my friends. I know from my experience that prudent, safe surfing can't prevent all attacks out there.

 

What I've seen with friends and myself is that AV product opinions and personal experiences with their performance records are very diverse, and the best defense for one's home PCs is to have that cloned HDD or image ready to go in case it's needed to recover the PC.

 

GT500, Very good point:

 


Since users expect their time to be enjoyable (or at least not a hassle) when using their computers, it is always best when anti-virus software does not make a nuisance of itself.

 

 

Everyone has their own approach to PC protection. I can only give my 2 cents on this topic. For me, there's no substitute for having a complete HDD with the OS and all personal data ready to go on the shelf.

 

It's a peace of mind thing for me in the home PC world.

 

I used to run with a RAID 1 setup on my Desktop PC, but due to unrelated complications with the array, I discontinued RAID 1 use.

 

RAID 1 is a good setup for an HDD real-time replacement tool, but it won't help if a virus/malware intrusion gets past the AV/MBAM protection, as both HDDs will be affected by the attack.


RAID 1 is a good setup for an HDD real-time replacement tool, but it won't help if a virus/malware intrusion gets past the AV/MBAM protection, as both HDDs will be affected by the attack.

This is very true, and I see it almost daily with things such as ransomware.

The safest course of action is to back up your files frequently (daily if you save documents/pictures/etc. on a daily basis) to some sort of external storage media, which you disconnect from the computer when the backup is done. Most ransomware does decide what data to encrypt based on file type, so it is possible that backup formats used by backup software would be left alone; however, if ransomware creators start to see a decrease in income due to people making use of backup software, then I imagine it would not be beyond the realm of possibility for them to redesign their ransomware to also encrypt or delete these types of backups if the backup media is connected to the computer.


This is very true, and I see it almost daily with things such as ransomware.

The safest course of action is to back up your files frequently (daily if you save documents/pictures/etc. on a daily basis) to some sort of external storage media, which you disconnect from the computer when the backup is done. Most ransomware does decide what data to encrypt based on file type, so it is possible that backup formats used by backup software would be left alone; however, if ransomware creators start to see a decrease in income due to people making use of backup software, then I imagine it would not be beyond the realm of possibility for them to redesign their ransomware to also encrypt or delete these types of backups if the backup media is connected to the computer.

 

That's a good idea, disconnecting the external backup HDD. The only reason I don't do that for my daily (overnight) backups is that the unattended backup couldn't run with my USB HDD disconnected.

 

The good part for me is that I only run specific items in my overnight backup, which are also duplicated on my other PC. I guess if both PCs got hit the same day, I'd possibly lose those items, but I always have my cloned HDD on the shelf, isolated from my PCs.

 

I hope that scenario doesn't become commonplace: malicious attacks seeking personal items (i.e., not the OS registry or OS structure) and disk images.

 

I've played with imaging, compressed backups using specific software extensions, but I haven't set up any imaging schedules since cloning works a little better for my recovery preference.

 

When I began reading about imaging vs cloning, I had thought that I would be able to store several full-disk images of my 1 TB "C" HDD onto another 1 TB HDD, but the typical compression rates weren't as small as I had originally thought.

 

Also, according to what I've read at various forums, video files don't compress well. So I moved all of my video files onto another HDD, which also saves a lot of space on my "C" HDD.
