BLADE: Can it stop drive-by malware?

Right now, there is an abundance of websites successfully serving malware to unsuspecting visitors. Is there a cure? Some researchers think so.

-------------------------------------------------------------------------------------

BLADE (BLock All Drive-by download Exploits), the brainchild of researchers from the College of Computing at the Georgia Institute of Technology and SRI International, is positioned to help stem the tide of drive-by malware. That is a big deal: according to Dasient.com, the company is tracking over 200,000 different web-based malware threats.

What is drive-by malware?

I've written about this type of malware before. But the team's research paper, BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections (pdf), pointed out something I was not aware of:

"The goal of the drive-by exploit is to take effective, temporary control of the client web browser for the purpose of forcing it to fetch, store, and then execute a binary application (e.g., .exe, .dll, .msi, .sys) without revealing to the human user that these actions have taken place."

The part about the drive-by exploit being only a temporary conduit, used to get the real malware loaded onto the computer, was new to me. Let's look at how the researchers believe the process works.

The process

It all starts when a hapless victim lands on a compromised legitimate web site, or on a look-alike of one, that is serving drive-by malware. Next, the exploit process begins; it consists of the following three phases:

  • Shellcode injection phase: A vulnerable component of the web browser (or one of its plug-ins) is exploited to inject attacker-supplied shellcode into the browser process.
  • Shellcode execution phase: The injected shellcode runs with the browser's privileges and directs the now-compromised browser to fetch the real malware binary from the attacker's web server.
  • Covert binary install phase: The fetched binary is written to disk and executed on the victim's computer without the user's knowledge, and does all the damage we hear about.

The researchers also observed that drive-by malware bypasses the permission dialog a browser normally shows before it downloads and executes an unsupported file type such as .exe, .dll, or .sys; the binary arrives without the user ever consenting to it. With this information in hand, the research team developed BLADE.

BLADE's design criteria

BLADE is a browser-independent operating system kernel extension designed to prevent unauthorized content execution. I interpret that to mean BLADE intercepts all downloaded content that the user has not explicitly okayed and prevents it from executing.

To accomplish that, the research team implemented the following in BLADE:

  • Real-time user authorization capture and interpretation: This is the key to BLADE working properly; user-to-browser interaction is monitored to capture the moment a user authorizes a download.
  • Robust correlation between authorization and download content: BLADE must be able to tell user-initiated web-browser downloads from unauthorized ones, by tying each captured authorization to the file it actually covers.
  • Stringent enforcement of execution prevention: Unauthorized content must not be allowed to execute.
  • Browser-agnostic enforcement: BLADE must not rely on assumptions about how a particular web browser works. This is critical, because new web-browser technology is introduced all the time.
  • Exploit and evasion independence: BLADE must also be independent of whatever exploit attackers use to subvert the web browser.
  • Efficient and usable system performance: Web-browser performance must not suffer and no noticeable delays are acceptable. In fact, BLADE should not have a perceptible impact on any computer operation.

How BLADE operates

To spot unsolicited download attempts, BLADE places the following processes in kernel space:

  • User-interaction tracking: BLADE uses a screen parser, a hardware-event tracer, and a supervisor to track the user's physical interactions with the web browser, specifically the clicks by which a download is authorized.
  • Consent correlation: BLADE uses this to match a captured authorization with the download it covers, distinguishing user-consented downloads from transparent ones that arrive without any permission being asked.
  • Disk I/O redirection: When BLADE finds an unauthorized download, it redirects the written file to a secure zone, where it is also prevented from being loaded into memory as an executable.

The following slide (courtesy of the research team) represents BLADE's system architecture.

The key ingredient that makes BLADE work is its ability to discern whether the download is authorized or not. How that's done is based on another fact that I did not know about web browsers.

What the research team found is that web browsers use a well-defined, consistent process to implement download confirmations. That means an application like BLADE, looking specifically for download authorizations, only needs a few examples from each web browser in order to recognize most download authorization dialogs.

The following slide (courtesy of the research team) explains how BLADE checks for authorization:

For an in-depth analysis of each component, please refer to the research team's paper.
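To make the three phases and the consent-correlation and I/O-redirection steps above concrete, here is a toy Python model written for this article. It is not BLADE's code; the dialog-title patterns, the 30-second authorization lifetime, the process IDs and the file paths are all assumptions made for the illustration.

```python
"""Toy model of BLADE's consent correlation and disk I/O redirection.

Constructed illustration of the policy described on this page, not code from
the BLADE project: a click inside a recognized download-confirmation dialog
becomes an authorization for the named file; any file a monitored browser
process then writes is committed only if a fresh, matching authorization
exists, and is otherwise parked in a non-executable secure zone.
"""
import re
from dataclasses import dataclass, field

# Assumed dialog-title patterns (illustrative, not taken from the BLADE paper).
# The page's point is that each browser words its download dialog consistently,
# so a screen parser needs only a few templates per browser.
DIALOG_PATTERNS = {
    "ie": re.compile(r"^File Download - Security Warning$"),
    "firefox": re.compile(r"^Opening (?P<file>.+)$"),
    "chrome": re.compile(r"^Save As$"),
}
AUTH_TTL = 30.0  # seconds an authorization stays usable (assumed value)


def filename_from_dialog_text(text):
    """Pull a binary's file name out of the dialog body, e.g. 'save setup.exe?'."""
    m = re.search(r"([\w.-]+\.(?:exe|dll|msi|sys))", text, re.I)
    return m.group(1) if m else None


@dataclass
class Authorization:
    pid: int
    filename: str
    ts: float


@dataclass
class Blade:
    monitored_pids: set                               # browser processes BLADE watches
    now: float = 0.0                                  # fake clock, advanced by the caller
    auths: list = field(default_factory=list)
    committed: dict = field(default_factory=dict)     # path -> bytes, may execute
    secure_zone: dict = field(default_factory=dict)   # path -> bytes, never executes

    def on_click(self, pid, window_title, dialog_text=""):
        """Hardware-event tracer + screen parser: a click on a window whose title
        matches a download dialog yields an Authorization for the named file."""
        for pat in DIALOG_PATTERNS.values():
            m = pat.match(window_title)
            if m:
                name = m.groupdict().get("file") or filename_from_dialog_text(dialog_text)
                if name:
                    self.auths.append(Authorization(pid, name, self.now))
                return name
        return None

    def on_disk_write(self, pid, path, data):
        """Consent correlator + I/O redirector, invoked on every file write."""
        if pid not in self.monitored_pids:            # not a browser: out of scope
            self.committed[path] = data
            return "allowed"
        name = path.rsplit("/", 1)[-1]
        for a in self.auths:
            if a.pid == pid and a.filename == name and self.now - a.ts <= AUTH_TTL:
                self.auths.remove(a)                  # one authorization, one file
                self.committed[path] = data
                return "authorized"
        self.secure_zone[path] = data                 # no consent: quarantine
        return "redirected"

    def on_execute(self, path):
        """Execution-prevention hook: nothing in the secure zone may run."""
        if path in self.secure_zone:
            return "blocked"
        return "executed" if path in self.committed else "not-found"


def run_scenarios():
    """Walk the cases the page discusses; returns {scenario: outcome}."""
    blade = Blade(monitored_pids={1001})              # 1001 = the browser (assumed pid)
    out = {}
    # 1. User clicks Save in IE's dialog, then the browser writes that file.
    blade.on_click(1001, "File Download - Security Warning", "Do you want to save setup.exe?")
    out["consented"] = blade.on_disk_write(1001, "C:/Users/me/Downloads/setup.exe", b"MZ..")
    out["consented_exec"] = blade.on_execute("C:/Users/me/Downloads/setup.exe")
    # 2. Covert binary install phase: a binary arrives with no dialog shown.
    out["driveby"] = blade.on_disk_write(1001, "C:/Users/me/AppData/Local/Temp/svc.exe", b"MZ..")
    out["driveby_exec"] = blade.on_execute("C:/Users/me/AppData/Local/Temp/svc.exe")
    # 3. Consent for one name does not cover a different binary.
    blade.on_click(1001, "Opening flashplayer.exe")
    out["mismatch"] = blade.on_disk_write(1001, "C:/Temp/other.exe", b"MZ..")
    # 4. The leftover authorization expires; a late write is still quarantined.
    blade.now += AUTH_TTL + 1
    out["stale"] = blade.on_disk_write(1001, "C:/Temp/flashplayer.exe", b"MZ..")
    # 5. A non-browser service (say, Windows Update, assumed pid 4) is not watched.
    out["updater"] = blade.on_disk_write(4, "C:/Windows/SoftwareDistribution/kb.exe", b"MZ..")
    # 6. A silent updater running inside the browser process looks exactly like
    #    case 2 to BLADE: the false-positive concern raised later on this page.
    out["in_browser_update"] = blade.on_disk_write(1001, "C:/Temp/plugin-update.exe", b"MZ..")
    return out


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k:>18}: {v}")
```

Cases 5 and 6 foreshadow the "Not a cure-all" section: a background downloader that is not the browser is simply out of scope, while one running inside the browser process is indistinguishable from a drive-by. Note also what the model never sees: a payload that executes from memory without ever writing a file produces no on_disk_write call, so there is nothing for the redirector to act on.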

How effective is BLADE?

BLADE was tested using real-world circumstances as the following quote explains:

"Our testbed automatically harvests malware URLs from multiple whitehat sources on a daily basis and evaluates BLADE against potential drive-by URLs that were reported within the past 48 hours. To validate BLADE's browser and exploit independence, each URL is tested against multiple software configurations covering different browser versions and common plug-ins. System call and network traces are used to test for missed attacks (false negatives)."

The research team has a web page containing the results of their evaluation. Interestingly, their data seems to confirm what other security experts have been saying about Adobe products:

According to the research paper, almost 19,000 trials have taken place, with zero false positives and zero false negatives, meaning BLADE prevented the in-the-wild drive-by malware from installing in every case.

Not a cure-all

BLADE is designed to block drive-by malware that writes its payload to the hard drive. Right now that works, because the majority of drive-by malware takes that approach. But security experts are aware of threats that reside only in memory and never touch the disk, and BLADE will not see them.

Then there is malware that installs by leveraging social engineering. Here BLADE is of no help, because the user willingly agrees to the download.

Finally, developers have expressed concern that BLADE may break legitimate applications like Windows Update that download software in the background.

Final thoughts

The research team's work points out once again how important it is to keep the operating system and all applications (especially Adobe products) up to date. Without an unpatched vulnerability to exploit, drive-by malware cannot gain a foothold.

I did point out that BLADE will not solve every problem, but it has promise to be a good tool in our security arsenal. If you are interested, check back at the BLADE-Defender.org web site, as BLADE V1.0 (a free research prototype) will be available soon.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

121 comments
tony

Why is it that articles on TechRepublic containing images are linked to images that are of no better quality? For instance, in this article, all 3 diagrams when clicked open in their own page and with the same characteristics as when they are embedded in the article. Why make it clickable if it will not be a blown-up image??? In this article, the first image could benefit if it opened a higher-resolution image so that the wording is more legible. OK, enough griping for the day... I feel better now having vented!

AnsuGisalas

Of course, doesn't mean no vulnerabilities, just no old vulnerabilities. One thing I wonder about; how does Blade differentiate a link that says "click here to download malware and hose your system" and a link that says "click here to take the IQ test"? They lead to the same place, but clicking on the first entails consent, clicking on the latter does not. Or how about "A new version of Flash Player is available, click here to update?" Of course, that's social engineering, and neither is drive-by. So, yeah, answered my own questions. But a point, if I have one, is that this BLADE is very narrow-purpose. Not that there's anything wrong with that, spoons are for spooning, forks for forking and all that. The list of components for the layered protection just keeps growing doesn't it? What are they now; AV, Firewall, HIPS, Behaviour Blocker, Hosts, DNS, Sandbox, VM and now Browser Driveby Interceptor... how many did I forget to mention?

Michael Kassner

Thanks for pointing that out Tony. What you see is how WordPress works. We do have the ability to upload to a site that uses larger images. I normally do that if there is no other source. But all the images I posted are available in the paper or on BLADE's web site.

pgit

Thanks for the link, I took a quick look and already forwarded to a client that's been balking at taking security measures... that'll show 'em. Thanks for taking the time to dig this stuff up, digest it and best of all share it along with your views, which I always find highly valuable. You and TR do us a great service. On the other hand I called Avis yesterday for a quote, (son and his family coming in for T-day) "service" like in farm country. Geez. They bounced me to two people who turned out to be nothing but salesmen. High pressure at that. I had to tell all of the people several times I was not actually renting anything just yet. PS- I called to see if what I found on priceline dot com was accurate or not. It was dead on, to the penny in fact. Chalk one up for priceline.

Michael Kassner

The packets that you want to focus on. It sounds like ZA is still phoning home more than I'd like.

AnsuGisalas

And terrifying too. Old vulnerabilities... ancient in some cases. With victims like that, I wonder why they bother looking for zero days... But I guess they're looking for a higher grade of "clientele". Also, they probably get sick of competing with the other botnets for control of the strings of all those multiple-times-zombified computers that must be out there.

Ocie3

:-( Logger detection is included in the Online Armor firewall, though. HIPS = Host Intrusion Prevention (each computer is a "host") NIPS = Network Intrusion Prevention (usually independent of a router but may be part of a firewall executing on a different "network gateway" or "network appliance")

JCitizen

So far I've evaluated many utilities that have moved into the kernel space. You mention HIPS - Comodo Defense+ does this at the sub-kernel level - I surmise this, because it got into a fight with Snoopfree Privacy Shield as soon as Comodo deployed the new version of it. Only by turning off Defense+ was I able to continue using Snoopfree. At the time, I wasn't aware how obsolete the old key and video spy blocker was, so I figured it was more important to maintain. However, now I've used Prevx, which works entirely in the kernel space, and supposedly works as a modern spy blocker and browser "bubble". This prevents session riding during SSL events with one's bank or favorite financial institution. You mention AV, but in this area Avast has an object blocker that only blocks page controls that are deemed dangerous, but it is seamless, so I had to compare it to Mozilla's NoScript to get a handle on how it behaves. I have no idea how it does it without slowing the browser experience down! So far NoScript is only as good as blocking script objects dependent on page layers. If you give too many objects permission you will still be pwned; but Avast only looks at the object itself to see if it is acceptable. I get hit more often with NoScript than I ever do with Avast enabled. I haven't seen a drive-by ever since. I do not claim they have it down pat - I just haven't been lucky enough to find an object that can get around Avast. I'm sure they exist. However - I also keep my applications updated fastidiously, so many of the attacks are unsuccessful for the reason that no vulnerabilities are being exploited by the older malcode. I have simpler utilities that do some good even if the object seems to activate something nefarious - like SpywareBlaster's ActiveX blocking registry entries - and the hosts file it uses, and the bad server IP blocking that MBAM uses in its real-time protection, are other factors worth mentioning in this discussion.
The free version of AdAware mysteriously seems to prevent most spyware from installing by blocking communications from them and disruptive cookie traffic. This causes them to lie in the temp files until I delete them with CCleaner. I've been discussing Lavasoft with many IT types way smarter than I and we really don't know how AdAware's AdWatch works; but it beats the venerable free Spybot Search & Destroy hands down! It also gobbles up over 100 MB of RAM; but I can't get my browser performance to work acceptably without it, so I'm keepin' it! I can't come up with handy acronyms or one-liners to describe these defenses in depth, but this is all I know how to relate. I can't think of any others that are effective, that presently come to mind, under this subject. Rapport is another session-blocking utility that protects the SSL browser connection, but I haven't tested it. I do have clients testing it now.

seanferd

Of course, doesn't mean no vulnerabilities, just no old vulnerabilities. No, it means you have applied all patches offered. This does not include ignored vulnerabilities (those going on for over ten years included).

j-mart

Some clever programmers wrote UNIX with proper Admin - User separation; the click-happy user does not have the authority to install anything, the browser program does not have authority to install anything, better OS design and the problem this complex addition is being used to solve goes away. The best way, the most efficient way to make malware a much lesser problem is an OS designed with multi-connectivity, multi-user, a prime component. Until Microsoft builds a proper multi-connected multi-user OS or their OS is not connected to anything else, the malware battle is like a dog chasing its own tail; we won't catch up, let alone get ahead of malware.

Michael Kassner

BLADE is for the times when the user is not asked. I am trying to learn how that works, as drive-by malware is capable of doing that.

Michael Kassner

I consider myself fortunate that you and the other regulars keep coming back and providing good insight. Have you tried Thrifty? I travel quite a bit and they almost always are the cheapest. The cars seem to be okay as well.

pgit

I just posted how to do this, above in my post "wireshark." I guess I inserted my post where you had intended.

AnsuGisalas

It could just be the Forcefield thingy interfering at times, I guess it does site-checking as well as virtualize... so that could generate some legit chatter.

JCitizen

Emisoft seems to make that an easy firewall. But it never fails; after installing and configuring, something doesn't work; actually quite a few things don't work. On some XP PCs it simply BSODs. If they had been infected, I could see that, but I found no evidence after thorough cleanup. Also, they don't have a 64-bit version yet. I usually attempt to put it on first after a clean install; so I'm sure it isn't a conflict with another AV/AM solution.

Michael Kassner

You offered good input on everything but BLADE? Any thoughts?

AnsuGisalas

That's very useful. The way software is working these days it's impossible to know if something does what it says it does without extensive testing. For example; I know zonealarm turns off Win7 Firewall, but I have little way of knowing if it's succeeded in passing itself as deeply into the system as it needs to. Doesn't seem to be having a problem though.

santeewelding

That his pieces do not admit of fast and easy reply. They are chewable. What you just did, [b]JCitizen[/b], reinforces my point. You had to have taken more than a few minutes to compose your reply. For which I am grateful, and by which I have learned even more.

Michael Kassner

I see that as less of a problem than the fact that millions of computers that could be updated aren't.

mike_patburgess

It appears that we are of the same IT vintage. There needs to be a complete divorce between Operating systems and Applications. Circa 1970-1980 and proprietary Operating systems. Any application that tried to do something stupid like step outside the memory boundary as offered by the OS or tried to compromise the OS in any way was shown the EXIT door. UNIX to this day is for the most part very secure (unless some human does something stupid). As it stands now with any MS product, the system has to execute so much code to protect itself from destruction, that it has very little time doing really meaningful work. Has anyone done a study to find out just how much "useful work" a computer system really does, and how much "system protection" work is done?

Michael Kassner

Microsoft's UAC is similar, but adjustable (a mistake). I have queried the research team as to how BLADE and UAC work together. Hope to get a response.

AnsuGisalas

like Zonealarm's reactive stealthing of the Ident port... I mean, of course, port stealthing is a different thing entirely, but the reactive stealth relies on checking, whether or not the user has a relationship with the source IP of the Ident attempt. Dunno if anybody else is doing the same though. My info is from Gibson research, and that particular bit of text hasn't been changed in four years (!), but I just recently checked it out again, using grc's method and provided links, and it still confirms that's how zonealarm does it.

pgit

You bet we are, like none other before. Our younger of 2 sons now has 2 happy little girls, the older one we have met, be it all too briefly. The new one arrived in September. They currently live in Salt Lake City but move around to Alaska and Hawaii. We live on the east coast. =( They tell me granddaughter #2 has huge hands, was rather light compared to #1 but actually a little bit taller. She's already showing some athletic prowess, perhaps a basketball scholarship in the making. =) There's also something interesting going on in our lineage. My second and third toes (big toe being first) are fused by skin up to the "knuckle" as it were. Both of the girls have the same, and the new granddaughter apparently takes the prize, being more pronounced on both feet than are mine. So we know for sure they're our son's offspring... not that there was any doubt of course. It's just funny, and we don't know if they'll appreciate it or blame old granddad for having this oddity. I plan on telling them it's a step forward in the evolutionary chain. They just might buy it. =D Anyway, thanks for the suggestions. What we might do instead is have someone pick them up and drop them off at the airport, and have them rent a car here for the time they are here. We have all the major rental companies here. Not as convenient, but the boy has a slew of friends who'd volunteer to head out to podunk airport and pick them up. This all reminds me why I hate to travel.

Michael Kassner

Thrifty works with you when it's over a week and under two. Too bad, they aren't around there. I bet you are looking forward to T-day.

pgit

The stay is 10 days, they said we have one option, presumably because this is podunk and being no competition we take it or leave it. They said they'd have to charge us for two full weeks... the weekly rate came to approx 320 bucks. They wouldn't quote us a daily rate.

Michael Kassner

How long and compact, mid-size or full-size car? Just curious as that seems like a lot or it's a long stay. I can get a compact at Thrifty for about $30-35 per day. Weekly rates are less.

pgit

Where they are flying in to has Avis and Budget, which both have the same 1-800 number... go figure. Priceline showed the two side by side and they were, as you might expect, identical. ~$587 for the length of their stay.

AnsuGisalas

access memoroids... I'm rarely thrown by glitches... it's the planned events that give me trouble :P

Michael Kassner

I posted that comment in the wrong place, glad you got it though. See what happens when I try to do three things at the same time.

JCitizen

You hit that one on the nail head! One of my most difficult cases was an infected driver CD from Brother. I got lazy and used it instead of the new one online. My gateway caught the probing going on from the bit of malcode that was included. This was a very simple bug that just probed the interior of the LAN looking for holes, and then tried to report outbound. That is when it was caught. I hired consultants to find the bug, but it was so well hidden inside the driver they couldn't pin point it, so I simply uninstalled it and gave warning to Brother support. The thing that made me mad was it was providing a service that I had disabled in the operating system - Vista x64 - sorry, I don't have my notes. You just can't trust the folks in the Pacific Rim industry, that flash the hardware, or burn the utility CDs anymore. They have a lot of inside crooks working all over the world.

Michael Kassner

Printers and network devices are becoming popular targets of opportunity.

pgit

The problem is once you're in, most of the machines on a LAN are blissfully blathering away to one another, SSDP, IPP services, browser elections, updating routing tables... a lot of this stuff is broadcast, so a cracker need only passively listen, at this point of the attack. Win Vista and 7 to a lesser extent ship with a ton of potentially vulnerable services enabled by default, many of which hardly anyone needs, stuff geared more toward a "home entertainment center" than business-oriented. I say "potentially vulnerable" not because there are bugs to be exploited, it's that you may have depended solely on the perimeter to keep these services safe. The services themselves are very trusting, and without the likes of Active Directory a rogue IP on a LAN would be welcomed just as anyone else.

AnsuGisalas

And what you want is something that looks like a wheel, but isn't... What sort of traffic is needed to detect a machine on a net? I guess it's not so easy to detect an attempt to detect, or there'd be weapons against it already. I wonder, networks are made now to facilitate connections, but would it be possible to make a network that doesn't..? Specifically, that every machine added to it has to have from the outset the right settings, not assigned to it by a network server or router, but instead checked for by these, causing an alarm if a mismatch is detected? Then you'd have to have access to the machine to give it the settings manually...

JCitizen

I can't wait to get the money to download and test it! It looks like another good addition to the depth of defense!

JCitizen

but now I'm inside the perimeter, as that is the thing I'm trying to test. The Chinese were trying to crack my firewall/gateway until I made a mistake and deployed Skype without checking my firewall. I'm sure they got into my system. Ever since then, I've been working on solutions that are supposed to work on compromised machines. And really, with today's malware, you actually have to assume such anyway. My use of the honeypot may not be accurate, but I purposely visit sites that would be a poor choice if you didn't want your browser cracked. Shopping sites are the worst; that is the target of the new sophisticated cracker; almost as bad are cracker sites, of course. I'm surprised these sites aren't even more dangerous than they are - probably in deference to fellow "customers". I feel like one's own defenses are the thing that needs to be tested, and the interaction between the solution one uses and the attacking malware should be observed and broken down, to see the extent of the damage. I've spent a lot of money in the past to hire consultants to look at my machines and see if, or how, they may be infected. So far my methods have looked sound. However, I'm not a coder, so I don't really have a good in-depth knowledge on just exactly what is going on in the snippets of malcode I capture. I just send them into whichever solution traps it, and let them analyze it and hopefully send me a report through the email. I think the Chinese were interested in me because of my industrial ties, and the ID of my gateway. They probably need a challenge too, and would like to crack a CheckPoint router. Their attacks are harder to ID now, because in 2008, they moved from military industrial sites to universities, to hide their intentions. These don't show up in my reports; so I have to use a Syslog to occasionally see who the latest perimeter pest is.

Michael Kassner

I typically use honey pots for automated exploits and malware. I think using one as a decoy/alarm on the internal network is a good idea. Thanks for explaining. I bet J is doing just that.

pgit

I've used 2 distinct deployments over the years, outside and (just) inside the perimeter. Most often you would expose the honeypot to web traffic, eg a web, exchange or other server. (then there's 2 purposes to consider: education/research or decoy?) A 'pot inside the perimeter would be a monitor, basically, detecting (it is hoped) if/when someone has broken into your local net. One would think in the latter case the black hats would swiftly detect the honeypot and start cracking at it. But one of the authors I read on the subject demonstrated that savvy crackers would suspect it's a decoy, being so blazingly obvious and easy to get into. They'd do all they could to identify any/all systems, and tend to go after the harder to get at types first. This author said to counter that it may require actually compromising at least some usable data, that is to throw a bone at the cracker to keep his attention on the 'pot. Then it's a matter of whether the cracker considers whether the prize is a red herring or actual, sellable fact. Talk about "it's complicated," =P technology and human nature pitted against technology and human nature. More angles in there than in an M. C. Escher collection.

Michael Kassner

What do you think about the concept? Also I read your comment about the honey pot. Where do you have that located? I thought you would have that outside the perimeter.

JCitizen

but I can't get it, so I haven't tried it. I can't wait to though! I was just trying to respond rather weakly to Ansu's request for review of all drive by blocker types.

JCitizen

it just needs updating or you'll get cracked just like with anything else. Most folks don't go with paid service on this, of course, or they would get some hand holding on it. I use service because I'm too lazy to remember it is time to update, or check to update the firmware, and I'd be vulnerable for months - with the way my mind has been working lately!

AnsuGisalas

Here are the basic ingredients: A) People are buying old ships from Europe, claiming they'll use them as ferries or whatever. Then they hand them through a dozen desk-drawer companies, and run them ashore in India. There, Indians who need the money are sent in with blowtorches and sledgehammers to take them apart, asbestos and all. This produces low-cost recyclable steel. B) Sometimes there's radioactive material on board. It is not labeled, and the scrapping workers salvage it with the rest of the stuff. For example, maybe someone runs a waste disposal business, dealing also in radioactives, expensive to get rid of. Except sometimes this stuff finds its way aboard one of these soon-to-be-scrap ships. The mafia used to just load it onto ships and then sink them. But maybe they figured out a less wasteful way. Anyway, what worries me is that this stuff is found by chance. So we have no idea how much of it is flowing around our daily lives. It's scary. Like botnets.

Michael Kassner

That people would do things like that. How do they make the stuff or are the workers in trouble as well?

AnsuGisalas

No-one can stay on top of everything all the time, so yeah, I can relate. But radioactivity is just so... insidious, and so final at the same time.

Michael Kassner

That ignorance is bliss. Santee and I get into this all the time. He feels the need to inform me that I need to prepare. I agree, but when is enough, enough?

Michael Kassner

For the most part. I haven't followed it closely lately. But, it is not the code that BrainSlayer developed. So, I get nervous once open-source code gets bought. Kudos to him, bad for us.

AnsuGisalas

I *know* I don't have to tell you about this J, but still... someone may not be aware of the potential gravity of the situation... Elevator buttons... now we know why they glow in the dark!

pgit

I'd be interested in the specifics, was it a matter of using other than latest or what? Was it a targeted attack as in someone knew what they were after? I should hope so, the thought of a 12 year old somewhere launching a free download script that takes out DD-WRT is discomforting. (I must have 40 of them out there.. so far so good) BTW I have to say the support the developers themselves give is 'RTFM with a stimulus grant behind it meets the soup nazi.' I had a serious question I had not seen addressed, and in my first post I posited the actual solution. But a thread of 6-7 back and forth with the devs was like a public lashing for not having known something.. like their policy is "don't ask." Why couldn't they have just said "you're right, it's blah blah blah" from the outset? I just didn't get the attitude, and supposedly they are like this so as to not "waste time?" sorry, had to get that off my mind.

Michael Kassner

CheckPoint is a premier company when it comes to perimeter protection. The fact that they bought ZA, elevated ZA to a completely different level. I guess, I deal with business side more than consumer, so that taints my perspective. Yet, I will say that if it works for a business it will work for a consumer, albeit the setup will be more complicated.

JCitizen

also owns SofaWare, which in turn makes ZoneAlarm software. Correct? Maybe it is the other way around. You can get service routers from Linksys and put DD-WRT on them, but it has been cracked. I'd say for the money the Z100G is pretty cheap. Not many folks in my area, for about 300 miles in every direction, need or have gigabyte Ethernet, and also can't use the N speed either because the ISP is the choke point, or their NAS just isn't that fast. I say that, but now I'm going over to 1 Gbps, so I hope my CheckPoint is upgradable. The Safe@Office series was more high-end than the ZoneAlarm Z series.

AnsuGisalas

I seem to have more success using the opposite selections. "not selected" cuts out the selected traffic, and "selected" cuts out all the rest. Could be idiosyncratic I guess :p

Michael Kassner

I was trying to find the filter I used for my tests of ZoneAlarm, but the electrons must have fizzled out.

pgit

seanferd is definitely on to something with the black lists needing to be consulted. But I would imagine these are few and far between, and would be mostly INBOUND traffic, after an update query from your client, perhaps consisting of a single packet. First of all, the suggestion to capture for a while then stop the capture to be able to look through the packets is good advice. But one of the best features of Wireshark is the ability to filter out traffic you do not want to look at. With a little time and patience you can end up with a capture that contains only ZA related traffic. Start a capture and start looking at output. For every type of traffic you do not want to see, right click on one of the lines as it's whizzing by and select "apply as filter---> selected." On the next unwanted traffic right click it again and select "apply as filter--->AND selected." This keeps the previous filter in place and adds the new one to the list. Do this repeatedly for all unwanted traffic and eventually all you'll be seeing is the ZA stuff. Then let it capture on for as long as you think necessary, no harm in running it for an hour. BTW it would be one step and far easier to select the first ZA packet you see then "apply as filter--->NOT selected." Meaning all OTHER traffic would be filtered out. You don't want to do this because there are no doubt different types of packets (and as you have seen multiple destinations) and doing it this way would block any other form of ZA traffic, ergo you'd never see it. The filters take things quite literally. After you have some ZA recorded, you can highlight any packet and the window below will have the details of its content. Of particular interest would be the protocols in use, which servers are communicating with you with them and how often (how much volume). The main window packet line does show the protocol, TCP, POP, DNS etc.
But, for instance, "TCP" doesn't really tell you about the nature or contents of the package, just how it was sent. You need to look into the individual packet details to try to glean more info. But more interesting would be any odd-ball protocols, and of course any traffic originating FROM you, and how much volume does that entail. I loves me some Wireshark. Use it almost every day somewhere. =)
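The filter-building procedure pgit describes, worked through on constructed data as an added example (this is not code from the thread or from any of the products mentioned). It builds the Wireshark display-filter strings the two approaches produce and shows why a single positive filter keyed on one ZoneAlarm packet hides the product's other traffic, here its DNS lookups. The packet summaries are made up; the hostnames and 72.247.242.10 echo values posted elsewhere in this thread, the ad-server and LAN addresses are documentation/private ranges chosen for the example.

```python
"""Narrowing a capture to one product's traffic: iterative exclusion
versus one positive filter keyed on the first interesting packet.

Added example. The packet list below is constructed, not taken from a
real capture of ZoneAlarm; 203.0.113.7 (TEST-NET-3) stands in for an
ad server and 10.0.0.5 for a file server on the LAN.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    info: str


# Constructed summary lines, in the shape of Wireshark's packet list.
CAPTURE = [
    Packet("192.168.1.10", "8.8.8.8", "DNS", "query A kav8.zonealarm.com"),
    Packet("8.8.8.8", "192.168.1.10", "DNS",
           "response CNAME kav8.zonealarm.com.edgesuite.net A 72.247.242.10"),
    Packet("192.168.1.10", "72.247.242.10", "TCP", "49152 > 80 [SYN]"),
    Packet("192.168.1.10", "72.247.242.10", "HTTP", "GET /update HTTP/1.1"),
    Packet("192.168.1.10", "203.0.113.7", "HTTP", "GET /ad.js HTTP/1.1"),
    Packet("192.168.1.10", "10.0.0.5", "SMB", "Tree Connect"),
    Packet("192.168.1.10", "8.8.8.8", "DNS", "query A upd.zonealarm.com"),
]

KAV8_ADDR = "72.247.242.10"


def matches(pkt, field, value):
    """Evaluate one Wireshark-style term (ip.addr/ip.src/ip.dst or a bare
    protocol name) against a summary line."""
    if field == "ip.addr":
        return value in (pkt.src, pkt.dst)
    if field == "ip.src":
        return pkt.src == value
    if field == "ip.dst":
        return pkt.dst == value
    return pkt.proto.lower() == field.lower()   # e.g. "smb", "dns"


def term(field, value):
    """Render one term in Wireshark display-filter syntax."""
    return f"{field} == {value}" if value is not None else field


def exclude_step_by_step(packets, unwanted):
    """pgit's approach: AND together a NOT term for each unwanted packet
    seen scrolling past. Returns (display filter, packets kept)."""
    display_filter = " && ".join(f"!({term(f, v)})" for f, v in unwanted)
    kept = [p for p in packets
            if not any(matches(p, f, v) for f, v in unwanted)]
    return display_filter, kept


def keep_only_first_match(packets, field, value):
    """The one-step shortcut: a single positive term taken from the
    first ZA packet noticed. Returns (display filter, packets kept)."""
    display_filter = term(field, value)
    kept = [p for p in packets if matches(p, field, value)]
    return display_filter, kept


def is_zonealarm(pkt):
    """Ground truth for this constructed capture: anything that names a
    zonealarm.com host or talks to the kav8 A record."""
    return "zonealarm.com" in pkt.info or KAV8_ADDR in (pkt.src, pkt.dst)


if __name__ == "__main__":
    # Exclude the ad server by address and the file share by protocol.
    f1, kept1 = exclude_step_by_step(
        CAPTURE, [("ip.addr", "203.0.113.7"), ("smb", None)])
    print(f"Filter: {f1}\n  kept {len(kept1)} of {len(CAPTURE)} packets")

    # Key a positive filter on the first update connection seen.
    f2, kept2 = keep_only_first_match(CAPTURE, "ip.addr", KAV8_ADDR)
    print(f"Filter: {f2}\n  kept {len(kept2)} of {len(CAPTURE)} packets")
    lost = [p for p in CAPTURE if is_zonealarm(p) and p not in kept2]
    for p in lost:
        print(f"  missed ZA traffic: {p.proto} {p.src} -> {p.dst} {p.info}")
```

The exclusion filter keeps every ZoneAlarm-related packet, including the DNS lookups that precede the update connections; the single positive filter keeps only the two packets to 72.247.242.10 and silently drops the rest, which is exactly the "filters take things quite literally" caveat in the post.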

santeewelding

I have to get off my ass and Google all this stuff. I can't rely on you to whisper into my ear, can I? Like people, still, asking that I look up a telephone number for them. "No."

JCitizen

here in the desert! :( Many of the best AV have now dropped their prices to somewhere below 50 dollars in most instances. I've even seen NIS 2010 for about that priceline. However, when you look at the fact that this device is taking the load off your PC's CPU and is using firmware that can't be compromised by the viruses, it is a pretty good deal even if it were more expensive - I suppose. (S)

santeewelding

I spend more a week on booze and lotto. Tell me about this, please.

JCitizen

full of outbound holes and the anti-virus should be called a pro-virus! I do really like their hardware solutions though. For an SMB, the Z100G is a pretty good deal. I got one for my sister's business, and she has been virus clean so long I really wonder if she really needs a software anti-virus for the PC. I think they call the service V-Stream. The little firewall/router has good throughput for doing such heavy duty filtering. I really got to say she got a good deal on the yearly charge; I think it was 69 dollars for maintenance updates and the filtering service. I can't get that good a deal for my Check Point gateway. The services for that one are just too prohibitive for me. But I just pay for yearly maintenance firmware updates; and the outbound protection has saved my bacon many a time, if used with Comodo. Of course, when you play with fire, you're going to get bit once in a while. Such is the risk in running a honeypot.

seanferd

Well, if you capture and save the file, you can filter it and look at it without anything whizzing by.

kav8.zonealarm.com (Required for updates, possibly licensing. Why does it use the same initials as Kaspersky AntiVirus 8?)
CNAME kav8.zonealarm.com.edgesuite.net
72.247.242.10 Reverse: a72-247-242-10.deploy.akamaitechnologies.com
72.247.242.67 Reverse: a72-247-242-67.deploy.akamaitechnologies.com

upd.zonealarm.com (Updates)
CNAME upd.zonelabs.com.edgesuite.net
72.247.242.24 Reverse: a72-247-242-24.deploy.akamaitechnologies.com
72.247.242.67 Reverse: a72-247-242-67.deploy.akamaitechnologies.com

Edit: Does ZA check a scary domains list, like the McAfee thing Google uses, etc., or look up other types of online databases to do its job?

AnsuGisalas

Blame yourself. If it's erratic, then it's probably me ;)

AnsuGisalas

The best ways to look at these things are as ways to make life more of a challenge. Why it needs to be, that's beyond me, but at least it makes it sound like our difficulties are not for naught ;) But yeah, I'm not cryptic all the time, it depends on the company I keep. A certain someone even got me a reprimand just now ;) I of course could refer to my handicap, saying "I just mirrored it". But I really do have to just turn a blind eye on the bad apples, and focus on the good eggs. Life's simply too short.

AnsuGisalas

Not entirely sure how to read all this... I do see traces of browser activity, all the flyby handshakes from adservers and the like. Also some amount of DNS queries and responses to kav8.zonealarm.com, and was there an upd.zonealarm.com in there too or did my eyes fail me... lots of lines whizzing by there!

AnsuGisalas

In Denmark they don't say "when in Rome...", they say "howl with the wolves that surround you". And I do that, and I can't much help it. I don't become more well-spoken of course, but I try to use the same registers and means of communication. It's my way of ensuring also that I understand what I hear.

Michael Kassner

Two cryptic friends. That's good, you both make me work for understanding.

AnsuGisalas

I haven't checked. What would be the tool for checking on that? Do my memoroids fail me when they echo something about fileshark? I do know their AV update took forever, but that was on my old system; I don't notice the CPU drain nowadays.

AnsuGisalas

I've downsized the greeks, we use plastic nits now ;)

Michael Kassner

"Greeks inside"? Does that have something to do with gifts?

Michael Kassner

Still phone home all the time. I used it earlier, but did not like all the information it was supplying to the mother ship. That was before CheckPoint bought it, though. Edit: Another thought

AnsuGisalas

on your picking of nits, beware, greeks inside!

santeewelding

"Zonealarm" needs capitalization, the way you did with "Win7 Firewall". Don't nobody get away with nothing here when we lean in and get serious.

JCitizen

And to answer Ansu, we have uranium in our drinking water out here, so I can't get too excited about such contamination. The natural environment is radioactive; many folks get poisoned by radon in their homes. I just can't get excited about it; but I take common sense precautions: water filtering (RO), and radon testing and inspection. We are also bombarded with cosmic rays which go clear through us and the Earth every day. I refuse to wear my lead foil hat (yet).

Michael Kassner

I was with you all the way until that. You need a single-malt scotch with a cigar, the older the better.

JCitizen

Slurp smack! :x I used to enjoy one a day at least, with a Pepsi! But had to give them up in 1996 for economical reasons; even though they be cheaper than cigarettes!

Michael Kassner

To be good. In 2007, I had a triple bypass and that wakes one up. I even wrote about it for TR. 40 pounds lighter and can't remember when I had a hamburger and fries. But, the alternative is not something I want.

pgit

My plan is to give up tobacco cold turkey starting Saturday morning. I'd hate to tell ya what my blood pressure was this AM when I checked.. :| In the Idiot department: I never touched any tobacco, not even one puff off someone's butt waiting to head in to homeroom, until I was 36 years old. Friend got me started on cigars... man I love me some fine cigars. >sigh~~~

Michael Kassner

That we like seem to be bad for us. Is that ironic or life?

JCitizen

Good thing I got rid of that habit for health reasons, but it was enjoyable nonetheless. :p

JCitizen

I love chewing on Michael's stories! They are just like a good pouch of Red Man chewing tobacco! Just a pinch between the teeth'l do! :-& HA! =D

Michael Kassner

Have you read about MS's idea of putting the responsibility on ISPs? If the computer is not up-to-date, it will not get access. Who decides what is up-to-date? Then again, nothing else has worked so far. Tough problem.

seanferd

If MS finally patches some of these things, but 80% of Windows users don't apply the patch, it won't do much good, will it?

Michael Kassner

Will be free when it is released. Check the web site in a bit.

JCitizen

I was just responding to the general request of anyone noticing how security solutions hit performance. I'm already sold on BLADE; but my 3rd Qtr. earnings are pretty abysmal; so I will have to wait till next year to buy any more test stock.

Michael Kassner

Did not use RAM to describe performance hit. J, take a look at the paper (4.2) and let me know what you think.

Michael Kassner

I would love to read what you think after reading it. It looks good to me, but I am not an expert.

pgit

Looks like I'll have some time tomorrow to read (really read) this. Had an appointment apparently with Harry Houdini. Absolutely nobody knows where this fella went. So tomorrow is MINE to get some reading done. For the moment at least. Today I'm fighting with Windows updates on a Win2k machine the client refuses to give up. No matter what machine I use to download for manual install I get time outs and 'problem with the server' messages. Guess MS really-really doesn't want anyone using NT anymore...

JCitizen

use about 300 MB of RAM. I am talking about a lot of solutions here, not just one or two. Lavasoft is using a little over 100 MB all by itself, but it speeds my browsing so significantly, that I refuse to get rid of it. Besides, RAM is cheap now, and I have 6 GB of it. My CPU idles at around 10% if my DVR is running. I am still running almost all of my utilities on an old 700 MHz Pentium, with 768 MB of RAM maxed out. Needless to say, I'm not using some of the typical realtime protection on that PC; most of the time it is shut down.

pgit

Has anyone done a study to find out just how much "useful work" a computer system really does, and how much "system protection" work is done? I'd like to know that too. But Gordon Moore stated a few years ago that fighting malware was now consuming all or more of the improvements resulting from "Moore's law." Computers are still getting bigger (more transistors) and faster, but the needs of security applications are consuming that increased performance. I looked around for the article, or any mention of that comment but didn't come across it. There's not a few hits whenever "Moore's law" is among the terms :\ If I come across it I'll bookmark it this time. But I too would like to know what % of clock time goes to defense vs what the user actually expects of the machine. Any data on that?

Michael Kassner

Granted it is a Windows issue, but not for that reason. There are exploits that do not need admin rights. So your contention is valid in some cases, but not all.

j-mart

Your click happy users can be easily controlled as they would not have root access password. Being a proper separation of admin / user unlike the MS pretend model.

Michael Kassner

A flag or slap would be a method. I am concerned now that the bad guys don't need permission or are side-stepping it somehow. That is what I got out of what BLADE is trying to prevent.

wyattharris

At the end of the day I never see the crazy problems and malware attacks that my users do. My systems usually just age out. They on the other hand figure out a new way to infect their computer every day it seems. BLADE sounds promising but a service that slaps the users hand before they click on a bomb would be more effective.

Michael Kassner

I will look into it. All said and done, my Win7 is working just fine. Maybe I am lucky.

Michael Kassner

The research is relatively new. I have a bunch of questions that I have asked them. I hope to have replies, but they are some busy people.

pgit

technically loading a web page is "downloading something." Scripts included, no? So does BLADE see Java or Flash that the user has technically "authorized for download" as something to send off to the safe zone? I would have to think not, lest it violate the last of the stated requirements (no performance hit). So again there's other prophylaxis required, e.g. NoScript, proving yet again that short of Unix/BSD there's no 'one stop shop' for all your security needs...

Michael Kassner

There are all sorts of bad things out there that do not need admin rights to create havoc.

Michael Kassner

I think I got what you meant. I plan on checking it out. Thanks for the tip.

AnsuGisalas

I hope I didn't edit that while you were posting... Luckily, there's no major discrepancy.

Michael Kassner

I have asked as to how the researchers are able to determine that an authorization request and reply is sneaking by. I suspect that is some technology they want to keep under wraps for now.