Myths about Malware Infections and Protection

There are a number of misconceptions and myths in the industry about malware infections and protection technologies, and they weaken the countermeasures used to fight malware infections. A number of these issues are detailed as follows:

  • Anti-virus (AV) engines provide robust protection. AV engines are software programs installed on the operating system to prevent the execution of malware and to protect legitimately installed applications against infection. AV engines use techniques such as signature drafting, heuristics, and emulation. Some believe that AV engines protect the end-user system from all types of attacks and malware. For example, some users feel that if an AV solution is installed, they can surf anywhere on the Internet without getting infected. Unfortunately, such users get infected because of this false sense of security. AV engines fall short of providing robust security against zero-day attacks, in which attackers use exploits for undisclosed vulnerabilities. Sophisticated malware such as rootkits with administrative access can easily tamper with the functioning of AV engines, rendering them ineffective. In addition, AV engines are not considered a strong security solution against malware classes that use polymorphic or metamorphic code, which mutates on every execution.

  • Deployment of an Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) prevents malicious code from entering my network. The majority of IPS and IDS products are signature based, so detecting an infection or malicious traffic requires a matching signature. But attackers can easily bypass IPS and IDS using techniques like unicode encoding, canonicalization, null byte injection, overlapping TCP segments, fragmentation, slicing, and padding.
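The encoding and canonicalization evasions listed above all exploit the same weakness: a signature compared against the raw bytes on the wire rather than against what the receiving server will actually see. The following added example (not code from the original text) shows, on constructed HTTP request lines, why a detector needs a normalization stage in front of its signature match and why the normalization anomalies themselves (double encoding, null bytes) are worth alerting on. The signature is a hypothetical rule for a directory-traversal request; the request lines are made up for the demonstration.

```python
"""Signature matching before and after canonicalization (added example).

The request lines and the traversal signature are constructed for this demo;
they are not real captured traffic or a rule from any product.
"""
import re
from typing import List
from urllib.parse import unquote

# Hypothetical signature: a request-target that climbs out of the web root
# to reach a sensitive file. Anchored, as a naive content rule might be.
SIGNATURE = re.compile(r"^/(\.\./)+etc/passwd$")

# Constructed request lines. The first is benign; the rest are the same
# traversal request written with the evasions the text lists.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /../../etc/passwd HTTP/1.1",                  # plain, matches raw
    "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1",          # percent-encoded dots
    "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1",  # double percent-encoding
    "GET /..%2f..%2fetc/passwd HTTP/1.1",              # percent-encoded slashes
    "GET /../../etc/passwd%00.html HTTP/1.1",          # null byte before a fake suffix
]


def request_path(line: str) -> str:
    """Extract the request-target from an HTTP request line."""
    parts = line.split(" ")
    return parts[1] if len(parts) >= 2 else line


def normalize(path: str, max_rounds: int = 3) -> str:
    """Canonicalize the target the way a lenient server would:
    percent-decode repeatedly (bounded, so double encoding is undone),
    then cut at the first NUL, which C-based servers treat as end of string."""
    cur = path
    for _ in range(max_rounds):
        decoded = unquote(cur)
        if decoded == cur:
            break
        cur = decoded
    nul = cur.find("\x00")
    if nul != -1:
        cur = cur[:nul]
    return cur


def naive_alerts(lines: List[str]) -> List[str]:
    """Signature applied to the raw request-target: misses every encoded variant."""
    return [ln for ln in lines if SIGNATURE.search(request_path(ln))]


def normalized_alerts(lines: List[str]) -> List[str]:
    """Signature applied after canonicalization: catches all the variants."""
    return [ln for ln in lines if SIGNATURE.search(normalize(request_path(ln)))]


def evasion_indicators(path: str) -> List[str]:
    """Traits of the raw target worth alerting on by themselves, whether or
    not a content signature fires after normalization."""
    found = []
    if "%00" in path.lower():
        found.append("null-byte")
    once = unquote(path)
    if once != path and unquote(once) != once:
        found.append("double-encoding")
    if re.search(r"%2e|%2f", path, re.IGNORECASE):
        found.append("encoded-path-char")
    return found


if __name__ == "__main__":
    print("raw-match alerts:       ", len(naive_alerts(SAMPLE_REQUESTS)))
    print("normalized-match alerts:", len(normalized_alerts(SAMPLE_REQUESTS)))
    for ln in SAMPLE_REQUESTS:
        print(f"{request_path(ln):45} {evasion_indicators(request_path(ln))}")
```

The bounded decode loop matters: decoding once would still miss the double-encoded request, while decoding without a limit turns the normalizer itself into a denial-of-service target. Fragmentation and segment-overlap evasions are the same idea one layer down: the sensor must reassemble the stream the way the endpoint will before any signature is meaningful.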

  • Malware is distributed primarily through shady and rogue web sites such as torrents and warez. While rogue sites do distribute malware, many more-trustworthy sites also deliver malware. For example, in targeted attacks based on waterholing, legitimate and highly ranked web sites are infected with malicious code that downloads malware onto user machines through drive-by download attacks. It is hard to flag a site as secure, so users cannot be assured that they are interacting with a legitimate web site free of malware.

  • Email filtering mechanisms only allow secure and verified attachments to be delivered with emails. Email filtering is the process of filtering out emails containing malicious attachments and illegitimate links that would start infections in the organization's network. As described earlier, socially engineered emails are used extensively in targeted attacks. In the corporate world, employees believe that their personal inboxes receive only secure emails with attachments from verified identities. This is not true, because attackers can use several tactics, such as social engineering combined with zero-day attacks, to slip malware through enterprise email solutions and successfully deliver the malicious emails. The idea is to embed a zero-day exploit inside an attached file that passes through the filter and is delivered to the target. This technique has been seen in a number of recent targeted attacks.

  • Malware infections are specific to certain operating systems. For example, Mac OS is much more secure than Windows and is less prone to exploitation. This is false. Mac OS also gets infected with malware and has been targeted by attackers, the recent Flashback malware being one of many. In addition, malware families such as DNS changer are platform independent and infect almost all operating systems.

  • Mobile devices are completely secure. A number of users believe that mobile platforms are secure. Well, that’s not true. There has been significant growth in Android-based mobile platforms, and attackers are targeting these devices to steal information. Mobile devices hold a plethora of information that can help in carrying out targeted attacks. For example, contact information is stolen from infected mobile devices.

  • Virtualization technologies are untouched by malware. Virtualization is based on the concept of building security through isolation. Virtualization is implemented using hypervisors, which are virtual machine monitors that run Virtual Machines (VMs). Hypervisors can be bare-metal (installed directly on the hardware) or hosted (installed in the operating system running on the underlying hardware). In virtualized environments, guest VMs are not allowed to access the resources and hardware used by other guest VMs. Virtualization also helps in building secure networks, as access controls can restrict which networks are reachable. Infected virtualized systems can be reverted to previous snapshots (saved system state) in a short period of time, as opposed to physical servers. Patching is far easier on virtualized servers, and migrating virtualized servers across infrastructure is easy, which shows how virtualization provides portability. A number of users believe that hypervisors are immune to malware infections. Unfortunately, virtualized hypervisor malware does exist in the real world. Malware such as Blue Pill is a VM-based rootkit that exploits the hypervisor layer so that it can circumvent the virtualization model. Basically, when Blue Pill type malware is installed in the operating system, the malware creates a new hypervisor on the fly, and this hypervisor is used to control the infected system, which is now treated as a virtualized system. As a result, the malware is very hard to detect, as it resides in the hypervisor and has the capability to tamper with the kernel. These are sophisticated attacks that are difficult but not impossible to implement. A large set of users use VMs for critical operations such as banking, which they think provides a secure mode of Internet surfing. However, VMs (guest OS) in a network are vulnerable to the same set of attacks as the host OS.

    In addition, compromising VMs could result in gaining access to other hosts in the network. Several current families of malware are VM-centric, which means they incorporate techniques that can easily detect whether the malware is running inside a virtualized machine or not. Based on this information, malware can alter its execution flow. Full hardware-based virtualization (the host OS kernel is different from the guest OS kernel) prevents malware from gaining access to the underlying host, but the malware can still control the complete guest OS. Partial virtualization (sharing the same OS kernel as the host), in which privilege restrictions are heavily used to manage virtual file systems, can be easily circumvented by malware if the kernel is exploited.