I love malware, I really do.

And let’s face it, malware gets a really bad rap! After all, it’s evil, it’s vicious, and no one wants it, right? Hmmm…that’s funny, cuz I download as much of it as I can! It fascinates me, almost to the point of getting me in trouble with one of my supervisors. Yup. As it was so delicately explained to me, “Mary Ellen, malware to you is like a needle to an addict. I can remove the drug but the needle is still stuck in your vein.” There’s a back-story to that which I won’t bore you with, but it was all in good fun, mind you. He was absolutely right on with his assessment, and here's why: I was way too focused on commodity malware, while behavioral hunt-work such as lateral movement and looking for good tools (#Goodware) being used for bad was taking too much of a backseat. But, I digress.

So why do I enjoy looking at malware so much anyway? Well, it’s smart enough to sneak through a ton of sensors (like a good pen-tester), and occasionally it’s very well written. OK, so where am I going with all of this?
I was recently discussing a custom piece of “malware” that a co-worker had written, and as he was describing it to me, my mind was racing to a million different places. What a cool piece of code! Most of the a/v engines were calling it malware, but it was really just a cleverly crafted program that wasn’t evil at all. Yes, it stopped a process to inject something, then started it back up again, but it didn't do anything malicious per se.

OK, OK, so the hardcore malware entomologists amongst the group could argue that it’s actually not malware to begin with, it’s #goodware…but the endpoint solutions are all whacking it due to its “malcode”, so doesn’t that make it malware? If malware were strictly defined by heuristics, maybe, but that would lead to too many false positives.
What’s my point?

Whatever you want it to be. If your take-away is simply to think about “good code” vs. “malcode”, then maybe that’s beneficial to you. If you’re now wondering about or reevaluating your current security controls and why those solutions are allowing grayware or adware into your enterprise, then maybe that’s helpful also. And BTW, what files does your organization currently allow or block? Do you allow zips? If so, do you block zips if they're encrypted? Or maybe you filter zips by the file types inside them, like .exe, .js or .scr inside of a zip (though of course a filter that only looks at the extension is bypassed by simply renaming the file)? Additionally, are there files that you block as attachments straight-up, such as .doc, .docm, .rtf or .xls?
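As an added example (not from the original post), here is a small Python check of the kind those questions point at: it classifies each zip entry by the first bytes of its content rather than by its name, so a renamed executable is still caught, and it treats encrypted entries as uninspectable. The signature list, the policy and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Content signatures checked on the first bytes of each entry, so a payload
# renamed from .exe to .txt is still recognised (hypothetical short list;
# a production filter would use a full file-type library).
MAGIC = {
    b"MZ": "pe-executable",               # Windows .exe/.dll/.scr
    b"\x7fELF": "elf-executable",
    b"\xd0\xcf\x11\xe0": "ole-compound",  # legacy .doc/.xls containers
}
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".doc", ".docm", ".rtf", ".xls")
BLOCKED_CONTENT = {"pe-executable", "elf-executable", "ole-compound"}


def inspect_zip(data: bytes) -> dict:
    """Classify each entry of a zip (given as bytes) by name and by content."""
    findings = {"encrypted": False, "entries": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            entry = {"name": info.filename,
                     "ext_flag": info.filename.lower().endswith(RISKY_EXTENSIONS),
                     "content": "other"}
            if info.flag_bits & 0x1:            # bit 0: entry is encrypted
                findings["encrypted"] = True
                entry["content"] = "encrypted"  # payload cannot be inspected
            elif not info.is_dir():
                with zf.open(info) as fh:
                    head = fh.read(8)           # only the header is needed
                for magic, kind in MAGIC.items():
                    if head.startswith(magic):
                        entry["content"] = kind
                        break
            findings["entries"].append(entry)
    return findings


def should_block(findings: dict, block_encrypted: bool = True) -> bool:
    """Policy: block encrypted zips and any entry flagged by name or content."""
    if block_encrypted and findings["encrypted"]:
        return True
    return any(e["ext_flag"] or e["content"] in BLOCKED_CONTENT
               for e in findings["entries"])


def build_sample_zip() -> bytes:
    """Constructed sample: a fake PE stub renamed to .txt beside real text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("notes.txt", b"plain text, nothing to see")
    return buf.getvalue()
```

An extension-only filter would pass this archive; the content check flags `invoice.txt` as a PE regardless of its name, and an encrypted archive is blocked outright because nothing inside it can be inspected.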
I wrote the above blurb earlier in the week but didn't have a chance to post it, and just today a friend sent me a link to a FAR BETTER post, so check that one out too!