Throwing in the Towel: The Sorry State of Client Security

Thursday, July 07, 2011

Kevin McAleavey


Note: This is the first in a multipart series on the history of the antivirus and security industry by a long-time insider. We will explore how antivirus and antimalware technology works, and why a 1980s solution is no longer applicable to the current threat landscape. The series will conclude with solutions and recommendations on where we might all go next.

Now that the Lulzboat has run aground during its three-hour tour, and the rats have gone overboard in search of the relative safety of a pineapple under the sea, the computer media carries on with the personal soap operas of "Anonymous" and "AntiSec" and the kids' infighting, while the attention of security people returns once again to the larger, more serious issues on the client side of the world.

When we last left our heroes, Microsoft had announced the takedown of a major botnet known as "Rustock." Well... not a complete takedown of course, but it's dwindled a bit as eWeek reports. Rustock had a good run before it was wrestled to the ground (almost) given that it first appeared in 2006.

A mere five year half life for malware is considered perfectly acceptable these days in the computer security realm.

Even bigger headlines continue over a rootkit and botnet known as the "TDSS family" or "TDL," depending on which antivirus vendor created the signature definition for it. It has been with us for a much shorter time: since April 2008.

The latest incarnation, gathering press as "TDL4," has publicly caused the security industry to transition into full panic mode and literally throw in the towel, as the solution to this and other malware continues to elude the industry according to widespread reports, all while our attention was distracted by the kiddie wars on the Lulzboat.

Computerworld reported "Massive botnet 'indestructible,' say researchers" on this latest variant, and Infoworld ramped it up yet another notch with the headline "How to live with malware infections," making it quite clear that all is lost, give up, and, to paraphrase Dr. Strangelove, "How I Learned to Stop Worrying and Love the Infection."

Meanwhile, Kaspersky Lab went apoplectic over the interpretation of its own TDL4 analysis and "corrected" the bad press, resulting in Infoworld releasing a story reminiscent of Kevin Bacon as Chip Diller in 1978's Animal House, standing in the middle of the mayhem screaming at the top of his lungs, "Remain calm! All is well!" as he's crushed by the fleeing mob.

And just this past week, yet another catastrophe was reported in the computer media over a rootkit called Popureb which, according to Microsoft, requires not only a complete trashing of the system but extreme geekery in having to redo your boot sector first, or any repair will fail.

And of course, once the public relations departments got wind of the story, another correction of the original report is the solution. See? Not much of a problem at all. Nothing to see here.

The Lulz attacks depended entirely on botnets to perform their DDoS, provide their anonymity, and gather their lists of targets to hit their victims. Backdoors, rootkits and bots: all CLIENT-side malware. Without it, they couldn't have succeeded in the first place! "Spear-phishing" attacks also depend on malware slipping past the guards on client desktops, extending the damage far beyond simple social engineering.

Sadly, the antivirus industry has been losing the battle on Windows for a very long time. I know; I was in that business and was there since the very beginning of antivirus. And I tried very hard to get their attention and direct them to solutions that would have worked. They weren't interested. To see this public admission that 1980s technology has utterly failed is nothing short of breathtaking.

And for those on the Linux side of the world nodding their heads and snickering over Redmond's misfortune, I can only offer one word: Android. You can stop snickering now. It's the number two petri dish these days.

In this series, I will set forth the history of antivirus and the industry, because it's important to know how we got from there to here; then a litany of mistakes along the way on the part of the operating system vendors, the end users and administrators, and most significantly how marketing and mindsets shaped our current situation, in hopes that perhaps some changes might help mitigate the problem; and finally some actual solutions that can make a difference if an entirely different regime is applied in the future.

We didn't get here as the result of some evil plan; it was the result of the same factors that turned those erstwhile nautical script kiddies into a powerful force: complacency, intractability, incompetence and the cover of public relations.

Stay tuned for the next part of this series where I will explain the history of malware and how it's been dealt with for nearly 30 years by the security industry.

About the Author: Kevin McAleavey is the architect of the KNOS secure operating system and has been in antimalware research and security product development since 1996.

Don Eijndhoven Excellent article again, Mr. McAleavey. I look forward to the next installment.
Phil Agcaoili I have been espousing a new paradigm for companies for the past few years—collapsing the perimeter, establishing secure enclaves, and treating all connecting endpoints as hostile. Gartner calls this Zero Trust and is very similar to my approach.

These philosophies defend corporate data more holistically and thoroughly.

The challenge remains at the endpoint for the end user. We give up on the notion that the endpoint will be secure and secure the access gateway that they use to do important work. The endpoint becomes a dumb terminal.

So what happens with personal information, access, etc. for the end user? All we have left is traditional, albeit failed, security mechanisms to protect the endpoint.

I’ve been a user of the cdrom/DVD-based, non-writable boot operating system Knoppix because it’s an operating system based on Debian designed to be run directly from a CD / DVD (Live CD) because I know that I can ALWAYS start on a CLEAN operating system regardless of my travels on the Internet—where I go, what I open, what I install on the writeable portion of disk (outside of the DVD/CD drive) because the operating system is loaded from the non-writable DVD/CD medium and decompressed into a RAM drive. The decompression is transparent and on-the-fly.

With the increase in 0-day attacks that are focused to specific targets, this seems to be one of the best ways to safely access the Internet.

Is this cumbersome? Not really, actually. I use an armored browser (IronKey) and keep bookmarks there, and use another storage device for removable files that need read/write.
The endpoint needs to be secured, and I do not see security salvation in sight for the endpoint regardless of numerous vendor pitches. It's gotten worse with smart phones and tablets running the new OSes (Apple iOS and Android), and I am very interested to see the pending disaster with embedded devices like Blu-ray players and televisions that have Wi-Fi/networking, can run Netflix/Hulu, have WebKit browsers, and are powerful platforms themselves with zero security built in.
Can someone say botnet zombie? Imagine that? Your new Sony or Samsung now is a zombie in a multi-billion dollar botnet fraud ring?
Kevin McAleavey I think you'd like our approach at the KNOS Project then. One of the problems with most Linux CDs is that by necessity, they are limited in their usability, and so to get the maximum benefit from them, you have to go ahead and install Linux to writable media anyway. Once you have a system installed, the end user will then want to add goodies to it including easily exploitable things like Adobe's stuff and perhaps other untrustworthy items. Once this line is crossed, you're back to a similar situation as with Windows. And as much as Apple is having problems, Linux is the number two petri dish.

In our KNOS operating system and environment, we provide a complete and useful client system on our public commercial release, but there are additional advantages. KNOS is based on BSD, which is much more secure, and we do custom builds for particular end client needs. In addition, our proprietary design is secure enough to be installed onto a bootable USB stick or even to hard drives while maintaining the same level of security that one would expect from a read-only puck. I saw all of this coming many years ago and saw that antivirus/antimalware was already overwhelmed at that time. That's the reason why we created KNOS, and it was designed not only for business users on the road; it was even designed for grandma, without any of the complexities of futzing with Linux.
Pete Herzog I don't really blame the end users. They run with what they've got and, considering the amount of conflicting information, they just go into herd mentality and follow what others are doing. Many times, people would look for an unbiased authority (like in med they have WHO and CDC - both of which have degrees of compromise but less so than those selling meds) but when the governments and the powerhouse higher education institutions use the commercial industries for advice and guidance, what you end up with is a "keep em needing us and coming back" model of greed over improvement (similarities to big tobacco come to mind). It has gotten so big that no one little org can break it. Actually it's gotten so big that people have come to really believe that what they are saying is true and right and the sun really does revolve around the Earth (or some such deja vu pops up). Really, I blame all the security professionals who repeat what others say but don't think for themselves and are afraid to speak up that the model is broken, and they see it is broken because it keeps friggin breaking in front of their faces every g-damn day! But no, they just keep their mouths shut and collect that paycheck from those sales percentages. But why pick on AV when it's so many other things too? It's so many industries around the world all doing this and all affecting us. We see it in medicine publishing only successes, child rearing based on a 150 year old model of making subservient workers, an education system based on an industrial model focused on being on time, regurgitating what the teacher says, and shutting up, and so on. No, neither the users nor the security industry are the problem. It's everywhere. Oh, wait, I just made myself the paranoid, crazy guy again, didn't I? Never mind then.
Kevin McAleavey @Pete: Heh. That's OK ... sometimes they really ARE trying to get ya. :)

I'm not actually blaming the end user as much as I'm blaming the technology companies for not considering their situation intelligently. Compare it to the auto industry. When you buy a car, they don't hand you a bunch of tools and a Chilton's manual and say good luck, expecting you to tune to 4 degrees before top dead center. The end user is expected to just drive, put some gas in it and if anything goes wrong, the automotive infrastructure takes care of it without the driver needing to know anything beyond not confusing the gas pedal and the brake pedal.

Some of us in the computer realm believe that the end user shouldn't have to go through all sorts of hoops either. They just want to "go on the computer" and not have to RTFM and be on the lookout for anything other than the boss catching them on an NSFW site. And like their car, they expect their computer to just work. The automobile industry has even considered the mechanical tinkerer to be a problem and have designed cars of late to make it very difficult and expensive for the end user to screw up the car since the blame is going to end up in the manufacturer's hands either way.

I think folks will find the remainder of this story rather interesting. :)
Pete Herzog Kevin, I'm a fan of your "security model is flawed" topic and am an eager reader, but your analogy is flawed. For one, there are always great risks to driving a car that have nothing to do with your car or the driver. Same as the computer. There is no "just go" with the car because environment, terrain, visibility, traffic, etc. all are factors which limit where one can go. The car is a single purpose gadget, so to speak. We have those gadgets too. They usually stay free of malware and problems; my transistor radio hasn't ever had a virus or been hacked. But change the environment and the user no longer can control the vehicle the same, mostly because the vehicle wasn't built for that terrain. The home PC wasn't built for networking to millions of unknown and anon PCs. It wasn't built to handle corrupted or malicious applications. So along came companies to pimp that ride and make it work on the new terrain. AV was one fix, kind of like adding a tougher air-intake filter to keep out the dust from unpaved roads. Then to sell it, they told people that's all they need to go there. But we know that's not true. But then came security pros, selling security add-ons, who told them that they also needed knobby tires and a roll bar to be safe as long as they only stay on well known roads. Then as these well known roads began to get polluted, the security pros kept on saying the same "wisdom" while fully aware that it didn't even help if they stayed on well known roads. Instead now they say it protects from opportunists and talk of low-hanging fruit, which still kinda sorta works with the old advice.

I don't think people want computers to be single gadget devices or else they would buy them instead. They want something they can use for whatever they want, especially if someone else is doing it. That's why I blame the security pros for not updating the model and the advice they give the users. After all, would you want your doctor giving you old advice when the evidence is clear it's harmful? (And unfortunately many still do).
Kevin McAleavey Yeah, gotta admit that it was a dumb analogy, but hey ... weekend. Brain is purposefully stuck in neutral. :)

You're actually spinning along successfully with my dumb analogy though because that's pretty much the way it went in practice. I sincerely think you're going to like where I'm going to take this in the next six or seven articles because I actually agree with you.

I wish that how we got from hither to yon wasn't so complicated, would have been nice to have been able to put it all together in one story. Alas, I don't think there's enough hard disk in here to do so. After all, even google+ ran out of hard disk and I don't want to honk off my editor here. Heh.
Kevin McAleavey (grin)

We'll see how that works out on Wednesday then. The next chapter in this saga is already in the bit bucket. :)
Don Turnblade What about the financial model of AntiVirus? If I pay for a subscription with updates every year, then it is more profitable to make short term AntiVirus fixes.

If I wanted to white list the activity of every released production code, the manufacturer would produce a signature of correct operations as part of its release. (We know they know what that is, because the architecture documents and QA tests before release tested it.)

But, what if they do not know this? Why should anyone buy such software that has no architecture nor test validation to process information? Why would such a software maker be allowed to have limited liability for damages in court? They should not! They did not practice due care, did they?

When the release notes tell us what updates to the white list of activity are needed, then we just update the NIPS and HIPS signatures in the deployment packages. If it is not our software that is running on our systems, or it's an undocumented service running, guess how fast the white list HIPS will kill that process? Nanoseconds.

But, what is the profit motive to get out of the AV Signature Subscription business and into the White List Signature Business? This is the piece that needs the real work.

Java cannot launch a child process to act as a server if it was never on the white list in the first place. Why do I have to write HIPS white lists for it?

I think we have legal cover actually preventing a solution to the problem.
Kevin McAleavey What happens though when there isn't a process at all and it's one of your trusted processes that turns rogue? I hear ya but as you'll see in the next chapter, there are ways around process monitoring.

And as to legal cover, just about every piece of software out there uses the old Microsoft boilerplate that absolves the vendor of everything. Now you didn't try to hook up Windows to a respirator or a nuclear power plant, did you? :)
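The exchange above (Don's vendor-published allowlist enforced by a HIPS, and Kevin's caveat that a trusted process can turn rogue) as an added example that is not part of the original post or any commenter's code. It assumes a vendor manifest of SHA-256 hashes for released images and a process table listing each process's main image and loaded modules; all binaries, names and hashes are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass, field

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for the images a vendor ships; a real manifest
# would carry the hashes of the actual release binaries.
RELEASED_IMAGES = {
    "svc_main.exe": b"constructed: release 4.2 of the service",
    "libcrypto.dll": b"constructed: vendor-shipped crypto library",
    "updater.exe": b"constructed: release 4.2 updater",
}
# The allowlist Don describes: one hash per released image, published with
# the release notes and refreshed only when the notes say so.
MANIFEST = {name: sha256(data) for name, data in RELEASED_IMAGES.items()}

@dataclass
class Process:
    pid: int
    image: str
    image_bytes: bytes
    modules: dict = field(default_factory=dict)  # module name -> loaded bytes

def check_process(proc, manifest):
    """Return (verdict, reasons) for one process.
    'block'   - main image is not in the manifest (Don's undocumented service)
    'suspect' - image is trusted but a loaded module is not: the "trusted
                process turned rogue" case that an image-only check misses
    'allow'   - image and every loaded module match the manifest
    """
    if manifest.get(proc.image) != sha256(proc.image_bytes):
        return "block", [f"image {proc.image} not in manifest"]
    reasons = [f"module {name} not in manifest"
               for name, data in proc.modules.items()
               if manifest.get(name) != sha256(data)]
    return ("suspect" if reasons else "allow"), reasons

def triage(processes, manifest):
    return {p.pid: check_process(p, manifest)[0] for p in processes}

# Constructed process table: a clean service, an unknown service, and the
# clean service with an unreleased module loaded into it.
SAMPLE_PROCESSES = [
    Process(101, "svc_main.exe", RELEASED_IMAGES["svc_main.exe"],
            {"libcrypto.dll": RELEASED_IMAGES["libcrypto.dll"]}),
    Process(202, "rnd_service.exe", b"constructed: binary nobody released"),
    Process(303, "svc_main.exe", RELEASED_IMAGES["svc_main.exe"],
            {"libcrypto.dll": RELEASED_IMAGES["libcrypto.dll"],
             "inject.dll": b"constructed: code that was never released"}),
]

if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE_PROCESSES, MANIFEST).items():
        print(pid, verdict)
```

Process 303 is the case Kevin raises: its image hash is on the allowlist, so a HIPS that only checks the launched binary lets it run, and only extending the check to what gets loaded into the process surfaces it.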
Phil Agcaoili You guys aren't being very imaginative...

Most Bluray and HDTVs today are sold with an embedded OS with a built-in browser. "Client" security all goes haywire when the embedded OS or the browser gets compromised and the device becomes a zombie in a botnet.

There is NO client security at all on any of these new platforms, including smart phones and tablets running Apple iOS and Android.

We're in for interesting times for sure.
Kevin McAleavey Yes indeed!

Props go out to Linux embedded, they've pulled ahead into the number two spot behind Billy for wrigglies. I intend to get into all of that come Friday - but first a stop tomorrow for a good sniff at how antivirus actually (ahem) "works" first and then we go into how operating systems fail. Rest assured that Apple and Linux will also be well represented in the "they did WHAT?!?!" corner. :)

Stay tuned, one heck of a ride coming up to the grand conclusion of "you mean we can actually STOP this?" The answer is YES with some conditions ...