Surveillance exposes malware that comes back from the dead

Bill Brenner, Senior News Writer

An IT shop may use all the latest tools to snuff out viruses, spyware and rootkits, but the latest results of an ongoing endpoint surveillance project suggest the digital underground is easily outsmarting those tools.

Mitchell Ashley, CTO and VP of customer experience for Superior, Colo.-based software firm StillSecure, said his company's Endpoint Security Index shows that security-hardened computers can still be infected with certain types of malware.

"We've found that many kinds of attacks can bypass traditional security measures," he said. "Malware can live on the endpoint and hide from AV. Or, in some instances, the AV program might not clean up all the malware, and remnants of malicious files that can do more damage are left behind."

The index, now in its fourth month, monitors four different endpoints using machines running Windows XP Service Pack 2 (SP2). Ashley said well-defined security policies are applied to each endpoint. Then, using an automated process, the machines visit tens of thousands of URLs a month, opening themselves up to any sinister code lurking on these sites.

Ashley said the ultimate goal is to measure the strength of different security policies and tools so endpoint devices can be more successfully locked down.

The latest findings indicate that:

  • Malware is capable of hiding from AV, antispyware and anti-rootkit technology. "For example," StillSecure said in its analysis, "a known virus was present on [one of the four test endpoints] but the antivirus tool failed to clean the machine. If this occurred in a real-world setting, the end user would have no indication that the machine was infected, leading to further destruction of the device."
  • Malware can be detected by security tools but cannot be deleted. Certain sophisticated threats hide in protected folders so they cannot be removed.
  • Most malware components are visible to AV and antispyware tools, but those components are expendable: any components that survive AV cleanup are often capable of restoring the deleted files.
  • Pop-up windows dupe end users into clicking on malicious sites.

An example of a malicious message found on one of StillSecure's Web-scanning PCs.

"Social engineering continues to be successful," Ashley said. "End users are presented with pop-up sites that dupe them into downloading malware. They visit sites running ActiveX plug-ins and JavaScript. It's easy for them to be infected and not know it after the fact."

The lesson, Ashley said, is that IT administrators shouldn't be content to simply update AV software and deploy the latest security patches.

"You also need to look at the security of your applications," he said, "and you have to keep an eye on security settings in the browser and in the operating system."

Ashley compared StillSecure's program to a honeypot, where machines hooked to the Internet are expressly set up to invite attacks.

In this case, however, the goal is to attract attacks based on certain types of user behavior, which StillSecure does by having the machines surf through various Web sites as typical Web site visitors would.

This article originally appeared on SearchSecurity.com.