IN FOCUS: Malware Evolves to Bypass Common Controls
Posted by SteveT on Thursday, December 20, 2007. Last updated on Sunday, January 20, 2008.

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Botnets and Trojans are huge headaches. They're everywhere, and their numbers are growing exponentially. Sometimes that kind of malware is discovered by security scanning software. Other times it's discovered by unusual traffic patterns sent to specific IP addresses, sometimes on atypical ports.

When you discover such malware, you can typically monitor it to learn which IP addresses it's communicating with and then block access to those addresses. The blocking technique is particularly effective in stopping bots and Trojans. Therefore, one key to survival for many types of malware is decentralization of malware command and control centers. The next wave of malware promises to make the task of blocking far more difficult.

In a new report, security solution maker Finjan describes upcoming trends in malware behavior. Finjan points out that instead of using typical point-to-point communication, new forms of malware will use seemingly harmless technologies and existing Web sites to mask their traffic.

Many Web sites, such as Google, Yahoo!, and Feedburner (to name just a few) are available for access from within enterprise networks and certainly from within almost every home user's network. Traffic to and from such sites wouldn't seem unusual in most cases. Several companies (including the companies I just named) provide incredibly useful technologies such as RSS feed aggregation and data aggregation from disparate sources. Malware developers realize that and aim to take advantage of it by using these publicly available resources as a go-between.

In one type of scenario, a botnet operator could post a message to a site, such as a blog on a free blog hosting site (MySpace, for example). Bots in the botnet could then download the blog's RSS feed, parse the content, extract commands, and act on them. In another scenario, spyware could do the same thing the bots do, but it could also post information back to the blog as comments if the blog is configured so that all comments must be approved before being published (thereby keeping any data out of sight). Or the spyware could post the data back to the blog as an unpublished post by using such technologies as XML-RPC.

The problem here is obvious. It's not reasonable to think you can protect your network by blocking access to sites in hopes of stopping botnets and spyware, because any number of different sites could be used and blocking sites reduces overall Internet value. One solution that might help is packet content inspection, although that's not foolproof either: any number of innocuous word combinations could be used as commands for bots and spyware. So we're facing a much more difficult problem to solve. Of course, when it comes to security, an ounce of prevention is worth a megaton of cure, which means that you should use the best security products you can get.
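Because neither site blocking nor content inspection catches a bot that reads commands from an ordinary RSS feed, one practical complement is to look at traffic behaviour rather than traffic content: a bot polls its feed on a fixed schedule, while a person reading a blog does not. The following is an added example (not from the article or Finjan's report) that scans constructed proxy log lines in a hypothetical "timestamp client method URL" format and flags any client/URL pair fetched repeatedly at near-constant intervals; the thresholds and log format are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (hypothetical format: ISO timestamp, client IP, method, URL).
# Host 10.0.0.5 fetches the same feed every ~5 minutes; 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
2007-12-20T09:00:00 10.0.0.5 GET http://blogs.example/freeblog/rss.xml
2007-12-20T09:00:03 10.0.0.7 GET http://news.example/
2007-12-20T09:05:00 10.0.0.5 GET http://blogs.example/freeblog/rss.xml
2007-12-20T09:09:59 10.0.0.5 GET http://blogs.example/freeblog/rss.xml
2007-12-20T09:12:41 10.0.0.7 GET http://blogs.example/freeblog/rss.xml
2007-12-20T09:15:01 10.0.0.5 GET http://blogs.example/freeblog/rss.xml
2007-12-20T09:20:00 10.0.0.5 GET http://blogs.example/freeblog/rss.xml
2007-12-20T10:47:12 10.0.0.7 GET http://blogs.example/freeblog/rss.xml
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (client_ip, url, timestamp) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url = m.groups()
        yield client, url, datetime.fromisoformat(ts)

def find_beacons(text, min_hits=4, max_cv=0.1):
    """Return {(client, url): mean_gap_seconds} for pairs fetched at least
    min_hits times whose inter-request gaps have a coefficient of variation
    (stdev / mean) below max_cv, i.e. machine-like regular polling."""
    seen = defaultdict(list)
    for client, url, ts in parse_log(text):
        seen[(client, url)].append(ts)
    beacons = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_cv:
            beacons[key] = mean
    return beacons

if __name__ == "__main__":
    for (client, url), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client} polls {url} every ~{gap:.0f}s")
```

A flagged pair is a lead to investigate, not proof of infection: legitimate feed readers also poll on timers, so the hit should be correlated with the host's role and with whether anyone there actually subscribes to that feed.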

Next week, I'll tell you about a particular set of preventive solutions and how they stack up against their peers. Until then, if you're interested, head over to Finjan's site and get a copy of its report. It's available in PDF format at finjan.com/GetObject.aspx?ObjId=545 (http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-5219-48838-0-0-0-1-2-207).
