Where are the malware scanners?
November 29, 2007 3:34 PM

Every month or two there seems to be an ominous report from a research organization about the prevalence in internet-connected computers of spambot software and trojans that (apparently) aren't picked up by PC-based virus scanning programs. So how do the researchers identify them? Are there online scanners for end users that can identify spambots, trojans, keyloggers and other malware not picked up by the usual antivirus programs? Bonus: I'm running without a real-time antivirus scanner, depending on regular online scanning from several sites. No problems so far. Is this an acceptable practice?
posted by bbranden1 to Computers & Internet (18 answers total)
Finding them is a science. They typically set up honeypot machines that aren't patched or are obviously vulnerable. Then they wait for them to get attacked and study what happens. Usually this involves finding the code that gets installed, or detecting its network-activity signature.
posted by jeffamaphone at 3:55 PM on November 29, 2007

But to answer your question, no, there isn't. You have to wait until your favorite virus scanner / spyware detector / malicious software removal tool / whatever gets updated with the new signatures.

Or become an expert yourself. Start by downloading Process Explorer from Microsoft.
posted by jeffamaphone at 3:56 PM on November 29, 2007

I'm running without a real-time antivirus scanner, depending on regular online scanning from several sites.

I believe so; I've run this way for years. The only times it was a problem have been:

1. Windows 2000 machine without an admin password (i.e., admin password was blank) hooked up directly to the internet (no firewall). Result: immediate Slammer worm (or was it Blaster? maybe both).

2. XP machine with an admin account that I forgot to log out of before my computer-unsavvy friend nerded out on MySpace etc. with IE6 all night. (I was super amazed at how much he managed to fuck it up in 2-3 hours. I had to reinstall completely.)

If you know how to use the internet, you're pretty much all right.
posted by fishfucker at 3:57 PM on November 29, 2007

an ominous report from a research organization

An ominous report from someone who is trying to sell something, no doubt.

Most antivirus and antispyware programs are reasonably good at their jobs. The greater problem is people who just don't care or don't know how to keep their computer clear of infestations, and their ISPs, who allow infected machines to stay on their networks, spewing spam and participating in botnets.

Yours is an acceptable practice as long as you know what you're doing online. You sound like you do. I never run antivirus on Windows, and I've never caught anything in a decade of computing.
posted by evariste at 4:01 PM on November 29, 2007

Every month or two there seems to be an ominous report from a research organization about the prevalence in internet-connected computers of spambot software and trojans that (apparently) aren't picked up by PC-based virus scanning programs. So how do the researchers identify them?

Many trojans open ports on the host machine. One common way to detect them is by pinging common trojan ports on random IP addresses and seeing if any come back with a response consistent with the trojan. This is called port scanning.

I doubt that many research groups would use that method though, because it's generally considered unethical. Nonetheless, it's pretty easy to set up software that will check every port on a given IP (at least one of your online scanners probably already does that). Port scan traffic from various hackers and viruses also makes up part of the internet background noise.
posted by burnmp3s at 4:20 PM on November 29, 2007
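As an added illustration of the port-scan-plus-banner approach burnmp3s describes (this is example code written for this page, not anything posted in the thread): the "ping" is really a TCP connect() to each port, followed by reading whatever the service volunteers and matching it against known greetings. To keep it offline and legal, the block starts its own fake backdoor on a loopback port; the banner string and the signature table are invented for the example and do not correspond to any real trojan. Run this only against hosts you own or are authorised to test.

```python
import socket
import threading

# Constructed for this example: a stand-in "backdoor" greeting so the scan has
# something to recognise offline. Hypothetical; not any known trojan's banner.
FAKE_BANNER = b"BACKDOOR-EXAMPLE v1 ready\r\n"

# Banner substring -> label. Constructed signature table for the example.
SIGNATURES = {
    b"BACKDOOR-EXAMPLE": "example backdoor (constructed signature)",
}


def start_fake_listener(banner=FAKE_BANNER):
    """Bind a TCP listener on a free loopback port that greets each client with
    `banner`, mimicking a trojan that announces itself on connect.
    Returns (server_socket, port); close the socket to stop the thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # server socket closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_unused_port():
    """Pick a loopback port that is (almost certainly) closed right now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe_port(host, port, timeout=0.5):
    """TCP connect() probe, not an ICMP ping: complete the handshake, then read
    whatever the service volunteers. Returns (is_open, banner_bytes)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:              # refused, timed out, unreachable
            return False, b""
        try:
            banner = s.recv(256)
        except OSError:              # open but silent within the timeout
            banner = b""
        return True, banner


def scan(host, ports, timeout=0.5):
    """Probe each port; report open ones and any banner signature match."""
    findings = []
    for port in ports:
        is_open, banner = probe_port(host, port, timeout)
        if not is_open:
            continue
        label = next((name for pat, name in SIGNATURES.items() if pat in banner), None)
        findings.append({"port": port, "banner": banner, "match": label})
    return findings


if __name__ == "__main__":
    srv, port = start_fake_listener()
    for finding in scan("127.0.0.1", [port, find_unused_port()]):
        print(finding)
    srv.close()
```

An open port with no recognised banner is reported with `match` set to `None`; that is the usual case, since most services (and most malware) do not announce themselves, which is why researchers lean on honeypots and command-and-control observation rather than sweeping the internet.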

A lot of the numbers are generated from researchers examining the command-and-control structure for the botnets. By counting how many zombies are connected to the command-and-control machines at any given time, you can estimate the total size of a botnet. Thus, they generate their estimates without ever scanning or otherwise touching any end-user PCs.
posted by event at 4:23 PM on November 29, 2007

You should be fine as long as you are vigilant about scanning manually, about the sites you visit, what you download, etc. If you want to be extra careful about some files in particular, you can scan them with various engines here:

Honeypots are definitely a huge part of collecting new viruses/malware. Heuristic scanning is important too*. There are also some researchers that accept samples and collect them from users. I see a lot of super-targeted spear phishing where I work, for example, and I submit them to an independent researcher who is interested in the very specific stuff we receive. He then shares some of that around, and from what I understand the antivirus community is pretty collaborative.

*"Heuristic scanning uses what is known about existing malware and what it has learned from past experience to identify new threats even before the antivirus vendor creates an update to detect it."
posted by gemmy at 4:38 PM on November 29, 2007
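To make gemmy's footnote on heuristic scanning concrete, here is an added example (written for this page, not taken from the thread or from any antivirus product) of the simplest form of the idea: instead of matching a hash or byte pattern of a known sample, score what a file looks like it will do. The indicator strings, weights, thresholds and the three sample blobs are all constructed for the example; real engines add emulation and far larger rule sets.

```python
import math

# Indicator strings and weights. Constructed for this example: the point is to
# score behaviour the bytes suggest (injection, download, persistence, anti-debug)
# rather than to recognise one known sample.
INDICATORS = {
    b"CreateRemoteThread": 3,   # classic injection into another process
    b"WriteProcessMemory": 3,
    b"URLDownloadToFile": 3,    # downloader behaviour
    b"CurrentVersion\\Run": 2,  # autorun persistence key
    b"GetAsyncKeyState": 2,     # polling keystrokes, keylogger-ish
    b"IsDebuggerPresent": 1,    # anti-analysis
}
ENTROPY_THRESHOLD = 7.2         # bits/byte; packed or encrypted payloads sit near 8
SUSPICIOUS_AT = 3
MALICIOUS_AT = 6


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def heuristic_score(data):
    """Return (score, reasons) for a blob of file bytes."""
    score, reasons = 0, []
    for needle, weight in INDICATORS.items():
        if needle in data:
            score += weight
            reasons.append(needle.decode("ascii"))
    ent = shannon_entropy(data)
    if ent > ENTROPY_THRESHOLD:
        score += 3
        reasons.append(f"entropy {ent:.2f} bits/byte (packed or encrypted?)")
    return score, reasons


def verdict(data):
    """Map the score to a label; thresholds are illustrative."""
    score, reasons = heuristic_score(data)
    if score >= MALICIOUS_AT:
        label = "likely malicious"
    elif score >= SUSPICIOUS_AT:
        label = "suspicious"
    else:
        label = "clean"
    return label, score, reasons


# Constructed samples: a plain note, a dropper-like blob that names injection
# APIs and an autorun key, and a uniformly distributed (packed-looking) blob.
SAMPLE_CLEAN = b"Weekly newsletter: notes on this week's meetings and travel."
SAMPLE_DROPPER = (b"MZ\x90\x00" + b"\x00" * 64
                  + b"kernel32.dll\x00WriteProcessMemory\x00CreateRemoteThread\x00"
                  + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00")
SAMPLE_PACKED = bytes(range(256)) * 8

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("dropper", SAMPLE_DROPPER),
                       ("packed", SAMPLE_PACKED)):
        print(name, verdict(blob))
```

The packed sample scores only on entropy, so it lands at "suspicious" rather than "likely malicious"; that is deliberate. Legitimate installers and debuggers also import `WriteProcessMemory` and ship compressed payloads, so a heuristic engine's real work is tuning weights to keep false positives tolerable, which is why vendors still push signatures for anything confirmed.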

Gemmy: Is spear-phishing different from regular phishing?
posted by jeffamaphone at 4:45 PM on November 29, 2007

Spear-phishing is targeted to an individual or institution, rather than being sent to millions of people who have nothing in common with each other. It's a more sophisticated scam because by targeting people with appeals tailored to their place of work or other role in life, it's a lot more likely to succeed in hitting paydirt. However, it's also more effort for the bad guys.
posted by evariste at 5:50 PM on November 29, 2007

From the "Know thine enemy" perspective, you can't get a better introduction to malware than this: The Economics of Malware. [pdf] found here at mefi.

The best protection against malware? Don't participate in the windows monoculture. It literally doesn't pay to create malware for the non-dominant operating systems. There is no way for anyone to stay ahead of 0-day exploits.
posted by Freen at 6:00 PM on November 29, 2007

The best way to protect yourself against Malware is not to change your life to use some random OS. The vast majority of Windows systems that get infected are ones that are not patched.

The best way to protect yourself is to a) install patches via Windows Update, and b) use common sense when browsing the web.

Actually, the best way is to always browse the web in a virtual machine that you blow away when you're done browsing.
posted by jeffamaphone at 7:10 PM on November 29, 2007

Is this an acceptable practice?

Keep up to date on patches, and stay behind a (hardware, for lack of hassle) firewall, and you'll be right. Even on Windows.
posted by pompomtom at 7:20 PM on November 29, 2007

So how do the researchers identify them?

The Honeynet Project.
posted by scalefree at 8:00 PM on November 29, 2007

Is spear-phishing different from regular phishing?

evariste already ably answered this, but I thought I'd elaborate because it's a huge issue for me. It's also a really insidious social engineering technique that not enough people are aware of. Like evariste said, it's a targeted attack towards a company/organization/government entity, and is a lot harder to spot than "normal" phishing.

Let me give you an example. I work on China/Taiwan issues in Washington, D.C. Each week, my (small but prominent) non-profit distributes a newsletter via email to a small audience that consists of government officials, think tank analysts, defense company executives, etc. One day this spring I got an email that mimicked exactly the email we had sent out the week before, which happened to contain an unusually interesting newsletter. It looked just like it, with the exception being that the correctly-named attachment was a Trojan-infected Word document rather than our normal PDF file. This email was distributed to a huge group of people with an interest in China/Taiwan, a lot of whom are familiar both with the organization and with the newsletter itself, even if they are not on the normal distribution list. I don't even want to think about how many people fell for that.

One more example. A non-profit in D.C. held a seminar on safety issues with Chinese imports (i.e. lead paint on toys, etc.) that I was invited to but did not attend. The next day, I received an email from that think tank with a Word attachment billed as an event summary and analysis written by the program director. Ah, so tempting to read! But it just so happens that I correspond with the program assistant often, and the tone of the email was all wrong. Once I started to look into it, the email header was way off, and the attachment, I wasn't surprised to find, contained a Trojan.

We have seen such an increase in these kinds of spear phishing attacks this year that nobody in my office opens any attachments without checking email headers and/or doing malware scans first. We are extremely diligent, but that's easy to do with a small staff. Let's just say that I wasn't surprised to read about the recent issues at the Department of Commerce and at DoD...

Sorry, more than you ever wanted to know. It's an important issue, though, and more people should know about it.
posted by gemmy at 8:57 PM on November 29, 2007

gemmy: jesus. Sounds like you should do something on the server side to blanket kill attachments.
posted by blenderfish at 9:51 PM on November 29, 2007

gemmy, that is mind-blowing and scary.
posted by evariste at 11:06 PM on November 29, 2007

Mind-blowing and scary is exactly right, evariste. I wish we could blanket kill Word attachments like blenderfish suggested, but given the amount of collaboration we do with others off-site on things like letters, that's not really an option. We have been blowing the whistle on this in the community throughout this year, though, so hopefully it will taper off when it ceases to be so successful - particularly since it's a lot of work for the people who orchestrate it.
posted by gemmy at 6:40 AM on November 30, 2007

No need to apologize gemmy. I was actually quite interested.

One way you guys could prevent these types of attacks is to let it be known that you no longer send attachments. Instead you should put the documents on a web-server, give everyone who wants/needs access a free login, use EV SSL at login, and let them read the documents on-line.

Even if you skip the login, not sending attachments would still be an improvement.

This, combined with whatever their favorite anti-phishing filter might be, should help, I would think.
posted by jeffamaphone at 9:33 AM on November 30, 2007
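Added example, not from anyone in the thread: the header checks gemmy's office does by hand, and the server-side attachment filter blenderfish and jeffamaphone suggest, as one piece of Python using only the standard library. The message is constructed to mirror the spoofed-newsletter case above (a From: that matches the real sender, delivery from an unrelated host, and a Word file where the real mailing is a PDF); the domains, IPs, queue ID and the "risky extension" list are invented for the example.

```python
import os
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Extensions worth holding for review (2007-era Office formats plus executables).
# Constructed list for this example; tune it to what your users actually exchange.
RISKY_EXT = {".doc", ".xls", ".ppt", ".exe", ".scr", ".pif", ".bat"}


def sender_domain(header_value):
    """Domain part of an address header ('' if absent or unparseable)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def last_hop_host(msg):
    """Host named in the topmost Received: line, i.e. the server that handed the
    message to our MX. Only this hop is ours; earlier ones are attacker-writable."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = re.match(r"\s*from\s+([\w.-]+)", str(received[0]))
    return m.group(1).lower() if m else ""


def within(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def risky_attachments(msg):
    names = (part.get_filename() for part in msg.iter_attachments())
    return [n for n in names if n and os.path.splitext(n)[1].lower() in RISKY_EXT]


def check_message(raw):
    """Header-consistency and attachment triage; returns findings and a verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = sender_domain(msg["From"])
    findings = []
    rp_dom = sender_domain(msg["Return-Path"])
    if rp_dom and not within(rp_dom, from_dom):
        findings.append(f"Return-Path domain {rp_dom} does not match From domain {from_dom}")
    hop = last_hop_host(msg)
    if hop and not within(hop, from_dom):
        findings.append(f"delivered by {hop}, outside {from_dom}")
    risky = risky_attachments(msg)
    findings += [f"risky attachment: {n}" for n in risky]
    header_problems = len(findings) - len(risky)
    if risky and header_problems:
        decision = "quarantine"   # spoofed-looking sender AND a macro-capable or executable file
    elif risky or header_problems:
        decision = "warn"         # either signal alone is common in legitimate mail
    else:
        decision = "deliver"
    return {"from_domain": from_dom, "findings": findings, "verdict": decision}


# Constructed sample modelled on the spoofed-newsletter pattern described above.
SPOOFED = b"""Return-Path: <bounce@mail.example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id 1Ivhgy-0001ab-Cd;
\tThu, 29 Nov 2007 10:00:00 -0500
From: "Weekly Newsletter" <newsletter@example.org>
To: reader@example.org
Subject: Weekly newsletter
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

This week's newsletter is attached.
--b1
Content-Type: application/msword; name="newsletter.doc"
Content-Disposition: attachment; filename="newsletter.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed legitimate counterpart: same organisation end to end, PDF attached.
GENUINE = (SPOOFED.replace(b"mail.example.net", b"mail.example.org")
                  .replace(b"[192.0.2.10]", b"[192.0.2.20]")
                  .replace(b"application/msword", b"application/pdf")
                  .replace(b"newsletter.doc", b"newsletter.pdf"))

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, check_message(raw))
```

Two caveats a practitioner would add. A Return-Path or last-hop domain that differs from From: is normal for mailing-list software and outsourced bulk senders, so on its own it is a triage signal, not proof of spoofing; that is why the code only quarantines when a risky attachment rides along with it. And the filename check is a policy gate, not malware detection: a .doc can be clean and a .pdf can carry an exploit, so held attachments still need a scan (or the web-hosted alternative jeffamaphone describes) before anyone opens them.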
