Death of antivirus software imminent

Anne & Lynn Wheeler lynn at garlic.com
Wed Jan 2 12:09:50 EST 2008


Bill Frantz wrote:
 > My favorite virtual machine use is for the virus to install itself
 > as a virtual machine, and run the OS in the virtual machine.  This
 > technique should be really good for hiding from virus scanners.

re:
http://www.garlic.com/~lynn/aadsm28.htm#2 Death of antivirus software imminent
http://www.garlic.com/~lynn/aadsm28.htm#4 Death of antivirus software imminent

I commented on that in the referenced posts, mentioning that there have been
uses of virtual machines to study viruses/trojans ... but that
some of the new generation of viruses/trojans are now looking to see if they
are running in a virtual machine (being studied?).

Some of the current trade-off is whether that virtual machine technology
can be used to partition off basically insecure operations (which are widely
recognized as being easy to compromise) and then completely discard
the environment and rebuild from scratch after every session (sort of
the automated equivalent of having to manually wipe an infected machine
and re-install from scratch).

The counter argument is that crooks can possibly also use similar
technology to hide ... once they have infected the machine. The current
issue is that a lot of the antivirus/scanning techniques are becoming
obsolete without the attackers even leveraging virtual machine technology.

The attackers can leverage the technology in an otherwise poorly
defended machine. Some years ago there was a product claiming
that it could operate even at a public access machine because
of the completeness of its antivirus countermeasures ... even
on an infected machine. I raised the issue that it would be trivial
to defeat all such countermeasures using virtual machine technology.
Somewhat of a skirmish resulted, since they had never considered
(or heard of) virtual machine technology ... for all I know there
is still an ongoing head-in-the-sand situation.

For a little topic drift ... this blog entry:
https://financialcryptography.com/mt/archives/000991.html

and
http://www.garlic.com/~lynn/aadsm28.htm#3
http://www.garlic.com/~lynn/aadsm28.htm#5

there is some assertion that the crooks are overwhelming the
defenders' countermeasures because they are operating
significantly faster and more efficiently.

However, another interpretation is that the defenders
have chosen an extremely poor position to defend ... and are
therefore at an enormous disadvantage. It may be necessary
to change the paradigm (and/or find the high ground)
in order to successfully defend.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
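The post above mentions that newer malware checks whether it is running inside a virtual machine. As an added example (not code from the post, the thread, or any product it refers to), the following C program performs the most common such check on x86: it reads CPUID leaf 1 and tests the hypervisor-present bit (ECX bit 31, which real hardware leaves clear and hypervisors set), then reads the vendor signature from the hypervisor leaf 0x40000000. The constructed register values in the comments and the function names are this example's own; the caveat the post implies also holds here, since a hypervisor that wants to hide (a VM-based rootkit) can simply clear the bit and return nothing from the hypervisor leaf, so this check is only as trustworthy as the hypervisor answering it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID leaf 1: ECX bit 31 is reserved on hardware (reads 0) and is set
 * by hypervisors to advertise their presence to guest software. */
int hv_bit_set(uint32_t ecx_leaf1) {
    return (ecx_leaf1 >> 31) & 1u;
}

/* CPUID leaf 0x40000000 returns a 12-byte vendor signature spread over
 * EBX, ECX and EDX, lowest byte first (e.g. KVM returns "KVMKVMKVM\0\0\0",
 * i.e. EBX=0x4b4d564b ECX=0x564b4d56 EDX=0x0000004d). Decode it byte by
 * byte so the result does not depend on the host's endianness. */
void hv_vendor_string(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int b = 0; b < 4; b++)
            out[r * 4 + b] = (char)((regs[r] >> (8 * b)) & 0xffu);
    out[12] = '\0';
}

/* Query the live CPU. Returns 1 and fills `vendor` if the hypervisor bit is
 * set, 0 otherwise (also 0 on non-x86 builds, where CPUID does not exist).
 * A hypervisor that hides itself can make this return 0 on a virtual machine. */
int detect_hypervisor(char vendor[13]) {
    vendor[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    if (!hv_bit_set(ecx))
        return 0;
    /* __get_cpuid() rejects leaves above the max basic leaf, so use the
     * raw __cpuid macro for the hypervisor range. */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    hv_vendor_string(ebx, ecx, edx, vendor);
    return 1;
#else
    return 0;
#endif
}

int main(void) {
    char vendor[13];
    if (detect_hypervisor(vendor))
        printf("hypervisor bit set, vendor signature: \"%s\"\n", vendor);
    else
        printf("no hypervisor advertised (bare metal, or a hypervisor that hides)\n");
    return 0;
}
```

Build with `cc -O2 hvcheck.c -o hvcheck` on an x86 GCC or Clang toolchain. Running it under KVM, VMware, Hyper-V or Xen prints their respective signatures; the decoding helpers are separated from the live query so the decode logic can be exercised on constructed register values without a VM.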