[112161] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: Death of antivirus software imminent

daemon@ATHENA.MIT.EDU (Anne & Lynn Wheeler)
Wed Jan 2 15:46:44 2008

Date: Wed, 02 Jan 2008 12:09:50 -0500
From: Anne & Lynn Wheeler <lynn@garlic.com>
To: Bill Frantz <frantz@pwpconsult.com>
CC: Cryptography <cryptography@metzdowd.com>
In-Reply-To: <r02010500-1049-E801C0CFB7E911DC83E60030658F0F64@[192.168.1.5]>

Bill Frantz wrote:
 > My favorite virtual machine use is for the virus to install itself
 > as a virtual machine, and run the OS in the virtual machine.  This
 > technique should be really good for hiding from virus scanners.

re:
http://www.garlic.com/~lynn/aadsm28.htm#2 Death of antivirus software 
imminent
http://www.garlic.com/~lynn/aadsm28.htm#4 Death of antivirus software 
imminent

i commented on that in reference posts mentioning that there have been
uses of virtual machines to study virus/trojans ... but that
some of the new generation virus/trojans are now looking to see if they
are running in virtual machine (studied?).

some of the current trade-off is whether that virtual machine technology
can be used to partition off basically insecure operations (which are widely
recognized as being easy to compromise) and then completely discard
the environment and rebuild from scratch after every session (sort of
the automated equivalent of having to manually wipe an infected machine
and re-install from scratch).

the counter argument is that crooks can possibly also use similar
technology to hide ... once they have infected the machine. the current
issue is that a lot of the antivirus/scanning techniques are becoming 
obsolete
w/o the attackers even leveraging virtual machine technology.

The attackers can leverage the technology in an otherwise poorly
defended machine. Some years ago there was a product claiming
that it could operate even at a public access machine because
of their completeness of their antivirus countermeasures ... even
on an infected machine. I raised the issue that it would be trivial
to defeat all such countermeasures using virtual machine technology.
Somewhat of a skirmish resulted since they had never considered
(or heard of) virtual machine technology ... for all i know there
is still ongoing head-in-the-sand situation.

for little topic drift ... this blog entry:
https://financialcryptography.com/mt/archives/000991.html

and
http://www.garlic.com/~lynn/aadsm28.htm#3
http://www.garlic.com/~lynn/aadsm28.htm#5

there is some assertion that the crooks overwhelming the
defenders countermeasures because they are operating
significantly faster and more efficiently.

however, another interpretation is that the defenders
have chosen extremely poor position to defend ... and are
therefor at enormous disadvantage. it may be necessary
to change the paradigm (and/or find the high ground)
in order to successfully defend.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

home help back first fref pref prev next nref lref last post