October 15, 2006
Companion worms making it harder to discover malware
A new series of worms (called Downloader.Agent.awf by some AV products) reads the infected computer's HKLM (or HKCU) \Software\Microsoft\Windows\CurrentVersion\Run keys to find programs that were previously installed and are set to start automatically.
The worm then copies the original executable to a new location and replaces the original with a copy of itself. When Windows processes the \Run keys at logon, it launches the worm instead, and the worm in turn launches the relocated original program, so the user sees nothing out of the ordinary.
(Malware that arranges to be executed in place of a legitimately called file, without modifying that file's own code, is known as a spawner, twin, or companion.)
This complicates both detection and removal, because the worm appears under the name and path of a "known and trusted", previously installed executable. The behavior is not new, but it is apparently becoming popular again. So when looking for malicious code, you cannot simply trust file names and locations. You must verify each file's hash against a known-good copy.
There are many free hash programs available for Windows and Linux. The book 'PGP and GPG' turned me onto one for Windows called DigestIT 2004. I like it because it does MD5 and SHA-1 hashes and integrates into Windows as a right-click context menu.
Posted by Roger Grimes on October 15, 2006 09:38 AM
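As an added example (not code from the original post, nor from any product it mentions), here is a PowerShell script that performs the check the post calls for against the autorun entries a companion worm targets. It walks the Run/RunOnce keys, resolves each value to the executable it actually launches, hashes that file and records its Authenticode signature status, and compares the result with a baseline captured earlier on a machine believed to be clean. On a hash mismatch it also looks in the same directory for a file carrying the baseline hash, which is where a companion typically leaves the relocated original. The baseline path and the script name Check-RunKeys.ps1 are assumptions. SHA-256 is used rather than the MD5 and SHA-1 the post mentions, since practical MD5 collisions have existed since 2004 and SHA-1 collisions since 2017.

```powershell
# Added example, not code from the original post. Audits Windows autorun (Run/RunOnce)
# entries against a hash baseline captured earlier on a machine believed to be clean.
# First run:  .\Check-RunKeys.ps1 -Update   (on the clean machine; script name is hypothetical)
# Later runs: .\Check-RunKeys.ps1           (reports NEW ENTRY / PATH CHANGED / HASH MISMATCH / ok)
param(
    # Assumption: baseline location. Keep a copy off the host so malware cannot rewrite it.
    [string]$BaselinePath = "$env:ProgramData\RunKeyBaseline.json",
    [switch]$Update
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# A Run value is a command line, e.g.  "C:\Program Files\Foo\foo.exe" /tray  or  %SystemRoot%\bar.exe -x
# Quoted paths are taken verbatim. For unquoted ones the prefix is grown token by token until it
# names an existing file, so a path containing spaces still resolves. Hashing only the first token
# would make the check pass on exactly the entries a companion has hijacked.
function Get-ExecutableFromCommand {
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $tokens = @($cmd -split ' ')
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]   # nothing on disk matched; report the first token so the gap is visible
}

function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $exe    = Get-ExecutableFromCommand ([string]$item.GetValue($name))
            $onDisk = Test-Path -LiteralPath $exe -PathType Leaf
            [pscustomobject]@{
                Key       = $key
                Name      = $name
                Path      = $exe
                SHA256    = if ($onDisk) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { $null }
                Signature = if ($onDisk) { [string](Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'FileMissing' }
            }
        }
    }
}

# A companion moves the real program aside, so a file with the baseline hash usually sits in the
# same directory under a new name. Finding it confirms the substitution and gives you the restore copy.
function Find-RelocatedOriginal {
    param([string]$Directory, [string]$ExpectedHash)
    if (-not $Directory) { return }
    Get-ChildItem -LiteralPath $Directory -File -ErrorAction SilentlyContinue |
        Where-Object { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash -eq $ExpectedHash } |
        Select-Object -ExpandProperty FullName
}

function Get-Verdict {
    param($Entry, $Known)
    if ($null -eq $Known)                { return 'NEW ENTRY' }
    if ($Entry.Path -ne $Known.Path)     { return 'PATH CHANGED' }
    if ($Entry.SHA256 -ne $Known.SHA256) { return 'HASH MISMATCH (possible companion)' }
    if ($Known.Signature -eq 'Valid' -and $Entry.Signature -ne 'Valid') { return 'SIGNATURE NO LONGER VALID' }
    return 'ok'
}

$entries = @(Get-RunEntries)

if ($Update) {
    ConvertTo-Json -InputObject $entries -Depth 3 | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Host "Baseline of $($entries.Count) autorun entries written to $BaselinePath"
    return
}

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    throw "No baseline at $BaselinePath. Run with -Update on a machine you trust first."
}
$baseline = @{}
foreach ($b in @(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)) {
    $baseline["$($b.Key)|$($b.Name)"] = $b
}

$entries | ForEach-Object {
    $known   = $baseline["$($_.Key)|$($_.Name)"]
    $verdict = Get-Verdict -Entry $_ -Known $known
    $moved   = ''
    if ($verdict -like 'HASH MISMATCH*') {
        $moved = @(Find-RelocatedOriginal -Directory (Split-Path -Parent $_.Path) -ExpectedHash $known.SHA256) -join '; '
    }
    [pscustomobject]@{ Verdict = $verdict; Name = $_.Name; Path = $_.Path; Signature = $_.Signature; OriginalFoundAt = $moved }
} | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. The baseline is only as good as the machine it was taken on, so take it right after a clean build and store it somewhere the host cannot write to. And a script running on an already-compromised host can itself be lied to; for a machine you seriously suspect, run the hash comparison from clean boot media against the mounted disk rather than from the live system.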
COMMENTS
The Tiny Firewall (now sold by Computer Associates; Tiny's old site is not redirecting to CA for some reason - hard feelings on somebody's part about the sale, I guess...) automatically maintains checksums.
It's just one of the reasons I preferred it to Zone...
I take that back; the tinysoftware site is now back up (maybe my post had something to do with it? Nah!!!)
Pros: Besides the checksums, Tiny also has granular controls over file and registry access.
Cons: It is more challenging to configure than Zone (for example, if your software is doing something tricky involving cross-application access...), and their upgrade policies have been unclear at times in the past (hopefully they/CA won't be anymore...)
But they have a centralized server configuration capability (_functionally_ similar to GPOs in Active Directory...), so a company's security gearhead can configure it for their novice users.
I believe these are more properly called companion viruses or companion infectors, rather than companion worms...
Posted by: kurt wismer at October 16, 2006 09:27 PM
Well, yes, traditionally they have been called companion viruses or infectors, but over the last decade defining what a worm or virus is has been solidified. Companion viruses have always been a dodgy one to classify because they straddle both types of families. But if there is nothing else that completely defines a virus versus a worm, it is that viruses MODIFY code and worms add new malicious, but separate code. After a decade of thinking hard about it, I (and others) can no longer call companion viruses...viruses.
Thanks for writing, Kurt.
Roger A. Grimes
Posted by: Roger A. Grimes at October 17, 2006 02:15 AM