66 Comments
- s0m31john, on 11/29/2008, -2/+58
Many anti-virus programs are near to useless in blocking stupid people from downloading and running that greeting card maker executable they get in their email.
- Chairboy, on 11/29/2008, -1/+44
This is an advertisement for FireEye. If it was news, it would have mentioned the names of the AV programs that did well.
- JakeKreber, on 11/29/2008, -1/+30
Cool, a page-long ad for FireEye.
- fuckingusername, on 11/29/2008, -0/+16
free Smiley faces.exe
- Wesside, on 11/29/2008, -0/+15
Because it's just an ad. Buried for being inaccurate.
- Igor39, on 11/29/2008, -3/+17
Dugg because I initially read "Bonnets Can Trample Most Anti-Virus Programs", and that's just silly.
- hmunkey, on 11/29/2008, -1/+15
Why doesn't the article say what programs a botnet can't trample? Seems kind of dumb to say some are immune but not mention which ones.
- inactive, on 11/29/2008, -0/+12
We're talking about the botnet recruiting your computer through a virus, not attacking it.
- angusm, on 11/29/2008, -1/+11
If I were a Bad Person, I would write a virus of my own, and distribute it through email spam and the kind of websites that say "Click here to download a required software extension needed to view these XXX movies". When activated, it would selectively delete the parts of Windows that support TCP/IP networking, and then display a message that read "Dear User, your right to access the Internet has been revoked. Your data has not been harmed."
My guess is that it would pretty much solve the botnet problem in six weeks at the most.
- inactive, on 11/29/2008, -0/+10
And stopping them from turning off all the warnings that 'this might infect your computer'.
- smotpoker, on 11/29/2008, -0/+8
What about the chances of someone using your or your neighbours' measly computer(s) as part of a botnet to attack someone else's computer, which can hurt your (and everyone else nearby with the same ISP) computer's performance and/or connectivity with the internet? Not quite so low.
- antjenkins, on 11/29/2008, -0/+6
Gee, a company that makes network security appliances says that your network isn't secure and that you need a network security appliance to compensate...
- inactive, on 11/29/2008, -13/+18
they're still gay
- wmpp, on 11/29/2008, -0/+5
Here's the original blog post that the press release mentions:
http://blog.fireeye.com/research/2008/11/does-anti ...
He gives some example results on the page, but it's not evident which AV apps were more successful.
- azbmr, on 11/29/2008, -0/+5
That's what college is for. It could be a project for an OS class or something. I remember writing a virus for my final project in assembly. It played the user a single game of blackjack for the contents of the MBR and FATs. It would overwrite that section of the drive with 0s after copying the data into memory. If you won, it restored that chunk of the drive from memory and closed. If you lost, it rebooted the machine. Of course, it was made to work in a DOS-based environment, so it wouldn't do much good these days.
- trghpy, on 11/29/2008, -1/+5
Botnets are all custom written and updated on a daily basis. Exploit frameworks make it real simple to keep up to date and make mods for specific purposes. The constant change makes fingerprinting impossible, and intention detection sucks.
Want to be safe?
More updates, firewalls HW and SW, don't use IE, and start learning a new OS like Linux or Mac.
- MattBD, on 11/29/2008, -1/+5
Also, Apple are very slack in issuing security updates compared to most Linux distros (I'd imagine the same is true for the BSDs, and possibly other *nixes).
- smotpoker, on 11/29/2008, -0/+4
"you can probably count on your hands how many viruses require reinstallation (all detectable by nearly every virus scanner due to the mass of changes they make)"
I think that depends at least partially on what form of malware they are infected with and how long they are infected before action is taken to quarantine/remove it.
The only time I ever got infected, I followed the drones' connection back to an IRC server with only one channel and confronted the only two occupants. This server apparently existed solely to control the drones that connected (within a few minutes of threatening to call LEO it was shut down). This was around 8 or 9 years ago, and various drones were already capable of receiving anonymous instructions and modifying their behaviour on the fly. I don't really know exactly what they are capable of now, but I am certain many [can] still do at least this much.
These drones/worms may be detectable by AV, but what they do before they get detected can be changed rather trivially. For example, say Norton discovers a new virus, watches what it does, and generates a definition/removal procedure. It turns out "what it does" is download kits and connect to some sort of server for instructions. The content of those kits and the type of instructions given to the drones can be changed at any given point without Norton techs having any way to tell that their behaviour had changed or that their removal instructions could now be inadequate, short of constantly monitoring the activities of every variation of every worm/virus in the wild that can receive later instructions/kits.
In summation, while reformatting *may* not always be necessary, it is not always simply the lazy way out but the safest and most effective. Without wanting to do significant research (which desktop OSes are supposed to avoid) each time you are infected with a new malware [variation], reinstallation is the surest/safest method of removal on any system that has known local exploits or where the predominant user(s) has/have full access to the entire OS.
- heartsblood, on 11/29/2008, -0/+3
2001 called; they want their "news" back.
No seriously, this is pathetic. Botnets can have thousands if not hundreds of thousands of variants of the same AI due to their dynamic nature. Virus software is only as good as its virus definitions; unless those definitions can evolve on their own, virus software will always be one step behind.
- magamiako, on 11/29/2008, -0/+3
The sad thing is that this is a fundamental problem with network and internet security as a whole, and it's not something relegated to any specific operating system.
If you do not count things such as CoreForce and SELinux, you notice that the vast majority of malware detection and removal is all about blacklisting. This is a fundamental flaw. Your implementation, by default, is already intended to be a reactive mechanism to an already assumed threat.
So the tables really need to be turned; we need to work on the concept of "white listing". And white listing at all levels of the OSI communications layer is necessary.
The problem is that this is extremely difficult to manage even for technically minded people. It comes back to that balancing act of usability versus security. If a user can't, for example, access the web because their PC doesn't know the Firefox or Chrome executables, you have a dilemma. Do you prompt them to allow it? Then they just get into the habit of clicking yes to everything. Or do you prevent the software from running in the first place? No, that's not a good move.
I know I'm going to get dugg down for this, but this "problem" is precisely what trusted computing has been created to solve: the idea that at all levels of your system, from the time of boot, the PC trusts the layer below it. The BIOS boots and trusts the system components. The OS trusts the BIOS, and then software should trust the OS.
All of this is handled by digital certificates. If you sign the application to run, then the OS trusts the 3rd party signature. By this method, the burden is on the software developers to ensure their software runs on the PC. Furthermore, if malware does come out to infect a PC, you can now trace back the certificate to a person or company and revoke it immediately. This would immediately stop the spread of, say, a worm or trojan, and on top of that prevent it from running on computers it already infected.
I know that a lot of people may bring up philosophical arguments on things like "freedom" and stuff like that, but which would you rather have? Do you have any alternatives? Experts in the field have thought about this for a long time and this is what they've come up with.
- vat0r, on 11/29/2008, -1/+4
Really, if you know what you're downloading and who you're downloading from, you don't need an AV. I rarely get anything close to a virus, yet my mom and sister are constantly getting walloped (MySpace). I feel as if an AV is more for the uninformed, average computer user. That being said, I do run NOD32 just to watch my back in case I get into "uncharted" territory.
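The blacklist-versus-whitelist argument in magamiako's comment above, together with the "constant variants" point trghpy and heartsblood make, can be shown in a few lines of Python. This is an added illustration, not code from the thread or from FireEye: the three "executables" are constructed byte strings, the blacklist definition is a byte pattern of the kind a signature scanner uses, and the allowlist is a hash-to-publisher table standing in for the code-signing certificate chain a real trusted-computing stack would check. It shows why a trivially repacked variant slips past the definition while the allowlist still refuses it, and how revoking one publisher stops every binary attributed to it at once.

```python
import hashlib
import re
from typing import Dict, Optional, Set, Tuple

# ---- Constructed sample "executables" (byte strings standing in for files on disk) ----
# A hypothetical bot installer dressed up as the greeting-card maker the thread opens with.
GREETING_CARD_V1 = b"MZ\x90\x00 GreetingCardMaker; update-channel=irc"
# A "variant": the same program repacked with one trivial change to its update channel.
GREETING_CARD_V2 = GREETING_CARD_V1.replace(b"update-channel=irc", b"update-channel=http")
# A legitimate browser the user is expected to run (constructed, not a real file).
FIREFOX = b"MZ\x90\x00 firefox.exe; publisher=Mozilla"


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# ---- Blacklisting: a definition is a byte pattern extracted from a sample already seen ----
BLACKLIST_DEFINITIONS = {
    "GreetingCard.Bot.A": re.compile(rb"GreetingCardMaker;\s*update-channel=irc"),
}


def blacklist_verdict(blob: bytes) -> Optional[str]:
    """Return the name of the definition that matched, or None if nothing matched."""
    for name, pattern in BLACKLIST_DEFINITIONS.items():
        if pattern.search(blob):
            return name
    return None


# ---- Allowlisting: only binaries approved in advance may run ----
# Maps an approved binary's SHA-256 to the publisher it is attributed to. On a real
# system the attribution comes from a code-signing certificate chain; the hash table is
# an assumption made here so the example runs without any crypto library.
ALLOWLIST: Dict[str, str] = {sha256(FIREFOX): "Mozilla"}
REVOKED_PUBLISHERS: Set[str] = set()


def allowlist_verdict(blob: bytes) -> str:
    """Return 'allow', 'deny: not on allowlist', or 'deny: publisher revoked'."""
    publisher = ALLOWLIST.get(sha256(blob))
    if publisher is None:
        return "deny: not on allowlist"
    if publisher in REVOKED_PUBLISHERS:
        return "deny: publisher revoked"
    return "allow"


def revoke_publisher(publisher: str) -> None:
    """Revocation: every binary attributed to the publisher stops running at once,
    including copies already installed, without a new definition for each one."""
    REVOKED_PUBLISHERS.add(publisher)


def compare() -> Dict[str, Tuple[Optional[str], str]]:
    """Run both policies over the samples; returns {label: (blacklist hit, allowlist verdict)}."""
    samples = {"card_v1": GREETING_CARD_V1, "card_v2": GREETING_CARD_V2, "firefox": FIREFOX}
    return {label: (blacklist_verdict(b), allowlist_verdict(b)) for label, b in samples.items()}


if __name__ == "__main__":
    for label, (bl, al) in compare().items():
        print(f"{label:8s} blacklist={bl!s:20s} allowlist={al}")
    revoke_publisher("Mozilla")
    print("firefox after revocation:", allowlist_verdict(FIREFOX))
```

The blacklist catches `card_v1` and misses `card_v2`, which differs by a handful of bytes; the allowlist denies both because neither hash was ever approved, and it keeps allowing Firefox until the publisher is revoked. The usability cost magamiako describes is visible in the same table: an updated Firefox build has a new hash and is denied until someone re-approves it.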
- trghpy, on 11/29/2008, -0/+3
Software firewalls can be de-activated.
If you can get a hardware firewall you'll have an extra layer.
- infiniphunk, on 11/29/2008, -0/+3
Righhhhhhhhhhht. Except for the times when a program totally takes over your PC and doesn't even let ZoneAlarm do anything.
- neutronphaser, on 11/29/2008, -0/+3
Make one then.
- mrsteveman1, on 11/29/2008, -0/+2
This is why Apple pulls code from FreeBSD:
http://en.wikipedia.org/wiki/Jordan_Hubbard
- linagee, on 11/29/2008, -1/+3
HotGirlOnGirlPorn.exe
- shadus, on 11/29/2008, -1/+3
I quit using anti-virus when I felt McAfee/Norton were becoming bloatware that took more resources on a constant basis than I would lose by having to go chase a virus off my hardware... if my memory serves me, that was sometime in the early/mid 90s. I had a virus at the very end of the 90s (Chernobyl, if memory serves me) that I got from some game company or another; it was big news then. Took me about an hour or so to figure out how to fix my hard disk (viruses back in the day were destructive things, not trojans that added your computer into a botnet). I've not had any virus or spyware issues since, and I don't just browse the web in safe areas. I download cracks for games, trainers, etc. I just use some common sense and reasonable security settings. It's not hard for someone who is a little technically adept, but it's 100% impossible for complete morons. "Ooh look, an attachment, I've gotta open that..."
- apastafarian, on 11/29/2008, -1/+3
Comodo!
- Matt88, on 11/30/2008, -0/+2
Buried as spam.
- Clbull, on 11/29/2008, -2/+4
According to Wikipedia, the majority infected by botnets are usually PCs running Windows, but other operating systems can be infected too.
- inactive, on 11/29/2008, -6/+8
mac fags beat them to it
- LilRabbitFooFoo, on 11/30/2008, -0/+2
Why am I being dugg down? This is 100% true. Oh, maybe I am being dugg down by the people who make money off these scam products... ahem.
- radu79, on 11/29/2008, -0/+2
Antiviruses are a joke...
Recently I got infected with 3 nasty worms. I have no idea how; I was just browsing a website using Opera when I got a message from the Windows firewall that an application was trying to act as a server. Then my computer automatically restarted, and no antivirus would even start (the worm made sure to kill all the antiviruses and stuff).
Well, long story short, I had to fix the whole thing by hand, from my Linux partition. Lots of fun, took me a few hours.
- hmunkey, on 11/29/2008, -0/+2
Make the firewall strict. Use Firefox with Adblock Plus and NoScript on (optionally Flashblock).
You won't have to worry.
- spectxim, on 11/29/2008, -3/+5
I'd worry about this if I viewed the internet with Windows.
- inactive, on 11/29/2008, -0/+2
Quantum Field Theory? What does that have to do with Macs?
- shadus, on 11/29/2008, -1/+3
A massive percentage of the viruses on any platform are user error. That being said, user permissions on *nix-like operating systems tend to prevent viruses from spreading across and infecting the entire system, and isolate the virus itself to pretty much only the user's files, which makes it much easier to locate and eliminate. Protecting the basic system from infection based on the actions of the users is what Windows needs to do.
I think that's one of the most annoying things in Windows: you *need* to be administrator to do so many normal everyday tasks that you want to do as a user. Users' files aren't segregated from each other and the system like they are in *nix-like systems. Windows made some strides in this area, but honestly, they really should just take Apple's approach (start over with a Unix base)... but I don't foresee that happening, too much money in maintaining a monopoly... which incidentally is the reason I don't foresee the multi-billion dollar virus industry going out of business anytime soon.
- LilRabbitFooFoo, on 11/29/2008, -1/+3
Yes, the 95% of the world that uses Windows are the only ones that are worth the time to botnet.
- bot001220, on 11/30/2008, -0/+1
"I was just browsing a website using Opera..."
I got infected a while back, too. It turns out I got infected just by browsing a website whose ad servers had gotten hijacked. It took a while for everyone to figure out where it came from, but by then it was too late.
I also was using an old version of Opera, so I guess it was my fault as well.
- radu79, on 11/30/2008, -0/+1
I was using the latest version, 9.62.
But from reading on various forums, it seems that people using other browsers got infected as well, so maybe it wasn't the browser itself.
- radu79, on 11/30/2008, -0/+1
Actually, I *THINK* that the exploit might have come via an infected PDF.
Anyway, the Firefox NoScript thingy really bothers me, because many websites have limited functionality without JS, and it is annoying to manually allow sites.
As for making the firewall strict, it is useless if the malware disables the firewall. Google "brastk".
- jjvors, on 11/30/2008, -0/+1
Excellent comments on white listing applications and trusted security from the hardware on up.
I have white lists on my email at home and work -- much better than black lists.
As I read the article, I wondered why they didn't address the issue of not permitting "strange" programs to run. The other comments on this thread show it was primarily an ad.
- LilRabbitFooFoo, on 11/29/2008, -0/+1
Software firewalls are for noobs who don't have top drawer anti-virus (Kaspersky or NOD32) and don't have a hardware firewall/router in between their computer and their cable/DSL modem. Take these two steps and you will be protected. Software firewalls are a scam.
- Genma, on 11/30/2008, -0/+1
The point is that none of the blacklisting systems follow a unified collection of signatures, so it doesn't really matter which one, because each has a chance of missing some that another might catch.
Blacklisting has been a moneymaking sham from the beginning anyway, just like this article. If you wanted true security you would use a whitelist instead. The only reason we still use them is because of the way security has progressed: no efficient whitelisting software has been made because the entire industry is focused on the opposite method. Why make it easy for users and admins to build their own whitelists when you can charge them constantly for useless blacklists?
- kurough, on 11/29/2008, -0/+1
I do computer training and repairs, and I have found that everyone who is infected with nasty malware/spyware, and lately Antivirus XP 2009, is usually running Norton, McAfee or Trend Micro. Why isn't this software protecting them?
A lot of the users I run into actually paid for Antivirus XP 2009, including my grandmother, whom I visited over Thanksgiving.
All I have to do to completely clean their computer of threats is run Spybot S&D and Malwarebytes on their system. So, I'd recommend Malwarebytes over the other passive protection software. NOD32 is really good too. Avast and AVG aren't good for the average user because they tend to report false positives and can confuse computer illiterates.
- inactive, on 11/29/2008, -3/+4
Basically I object to Mac taking some credit for the Unix operating system being secure... Mac has nothing to do with that; all they did was round the corners off.
- ErikHK, on 11/29/2008, -0/+0
Common sense, hopefully.
- trghpy, on 11/29/2008, -2/+2
I want a bumper sticker...
My botnet searches for alien life.
- LilRabbitFooFoo, on 11/29/2008, -2/+2
No, the best AV software has heuristics which stop the variants in between updates... which happen multiple times per day for the good AV programs like Kaspersky and NOD32.
- briLo, on 12/01/2008, -0/+0
A scam... noobs... top drawer anti-virus. And where the hell have you been, Kevin Mitnick? Good to see your probation is finally over!