How to catch what is not there. Part one. Terms and Definitions

The reason for writing this article was the article “Tales of the Antivirus Forest”. Honestly, at first I just wanted to comment on its contents, but after reading the comments I decided it was better to start with the basics and save the debunking of beliefs for dessert.

To begin with, let us try to decide what exactly to call the thing we are supposed to defend against. Why this matters so much, we will show with examples below.

From a variety of sources, I selected several definitions:

• Malicious program - software designed to gain unauthorized access to the computing resources of the computer itself or to information stored on the computer, for the purpose of unauthorized use of computer resources or harm (damage) to the information owner and/or computer owner and/or the owner of a computer network by copying, distorting, deleting or replacing information (Wikipedia).
• Malicious computer program - a computer program or other computer information knowingly intended for the unauthorized destruction, blocking, modification or copying of computer information or for neutralizing computer information protection tools (Article 273 of the Criminal Code).
• Malicious code - a computer program designed to be introduced into the automated systems, software, computer equipment and telecommunications equipment of a credit institution and its customers who use remote banking services, leading to the destruction, creation, copying, blocking, modification and/or transfer of information (including information protected in accordance with clause 2.1 of Regulation No. 382-P), as well as to the creation of conditions for such destruction, creation, copying, blocking, modification and/or transfer (Letter of the Bank of Russia No. 49-T of March 24, 2014 “On Recommendations on Organizing the Use of Anti-Malware Tools in Banking Activities”).
• Software specifically designed to harm an individual computer, server or computer network, regardless of whether it is a virus, spyware, etc. (Microsoft definition).
• A program designed to provide unauthorized access to information and/or to affect the information or resources of an information system (GOST R 50922-2006).
• Software that purposefully leads to a violation of the legitimate rights of the subscriber and/or user, including the collection, processing or transmission of information from the subscriber terminal without the consent of the subscriber and/or user, or to a deterioration of the functioning of the subscriber terminal or communication network (Government Decree No. 575).
• Malware, also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim (NIST SP 800-83).

These are far from all the definitions, but the sample is probably representative. It shows that there is no consensus, even among theorists, about what an antivirus protects against. Moreover, there is not even agreement on the word “malicious”: a number of translated documents use the term “protection against malicious codes” (for example, but not only, GOST R ISO/IEC TR 13335-4-2007 Information technology. Security techniques, and ISO/IEC 27002 Information technology. Code of practice for information security management).

Is there any one among the above that is correct?

All of the above definitions (except NIST's, which we return to below) suffer either from an explicit enumeration of specific functions (which rules out countermeasures against anything not on the list) or from ambiguity of concepts, which does not allow antivirus protection requirements to be formulated on their basis. Here, for example, is an interesting analysis of the definition from the Criminal Code:

• “Knowingly”: for which subject must the consequences of using the program be known in advance: the creator of the program; the user of the program, that is, the person launching it; the owner of the computer or device on which the program runs; the owner of the copied, modified or destroyed information; or the rights holder of the respective work?
• “Information”: the definition of information is given in the law “On Information ...”: “information - data (messages, data) regardless of the form of its presentation”. Should this definition be applied here, or a broader or narrower one? Is any information meant, or only information “external” to the program in question? Are temporary technological copies of the processed information covered, or only information accessible to humans?
• “Unauthorized”: who exactly must authorize these actions on the information for them not to be considered unauthorized: the user of the program; the owner of the computer, device or storage medium; the owner of the processed information; or the holder of exclusive rights to the intellectual property represented by the processed information?

Mere hair-splitting? Not at all. For example, remote-control programs can be covertly installed both by system administrators and by attackers (at one time, blocking inbound traffic, according to Sberbank representatives, significantly reduced the number of incidents involving remote banking). How is an antivirus supposed to determine who installed the program? In theory there is the behavioral analyzer, which should react to attempts to install any program and issue prompts that the user must confirm. But:

• Administrators' work on networked computers usually happens unnoticed by users, and notifications should not be shown to the user (a frequent customer requirement is to hide the antivirus icon in the tray).
• For the most part, users are not information security experts and have no idea what runs on their computer or why. What do you think users click in pop-up prompts? And is a new piece of malware, until the antivirus recognizes it, capable of drawing a window that looks like the behavioral analyzer's prompt?

We will return to the shortcomings of the behavioral analyzer later; for now, back to terminology.

It is equally dangerous when a definition lists all the actions a malicious program performs. On the basis of such definitions, it turns out that you need to protect only against those actions. But attackers constantly come up with new methods of extracting money, of penetration, and so on. To fix the present is to remain in the past. Moreover, the well-known “four-book” set of guidance documents also relied on descriptions of specific types of malware and their actions when calculating risks. But in the end, are you personally sure that you track the emergence of every new threat and can implement protective measures against them in real time (not to mention the need to secure budget and time for procurement)?

An example of what excessive detail, divorced from a methodology for assessing threats, leads to is right before our eyes: personal data protection. We will not dwell on the impossibility of such protection or the gaps in the law. But the huge list of protective measures (each of which is individually quite justified) makes building that protection impossible for financial reasons.

Everyone would be satisfied with the NIST definition, but alongside the concept of malware NIST simultaneously introduces the concept of spyware. This lends legitimacy to product categories such as anti-spyware, anti-rootkit and the like:

Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code (NIST Special Publication 800-53 rev. 4)

Formally, spyware is described as one type of malware, but why then not describe all the other types as well? As a result of this emphasis, even reputable magazines quite seriously recommend installing an anti-rootkit and an anti-spyware in addition to the antivirus.

Out of official duties, personal interest or for other reasons, the user or administrator of a computer is constantly installing or updating software. Updates of already installed programs may be installed automatically. But all of these are programs for whose installation permission was given and whose presence on the computer the user or administrator at least suspects, even if they are not used. In addition, a number of programs are launched without notifying the user (more precisely, without notification unless the corresponding settings have been made). Such programs include scripts running in the browser, macros in office suite applications, and many others.

Naturally, any of the above actions can lead to the introduction of a malicious program, including through substitution of the program's download source or a man-in-the-middle attack, but that is not what we are discussing for now.

Legally (or almost legally) installed programs have documentation, or at least a license, listing their functions, and it is these functions that the user or administrator expects of them.

Programs you did not authorize can also end up on your computer or devices: through user or administrator actions (unfortunately, this happens too), through vulnerabilities, or even preinstalled. As a result, the system (or, in the case of a virus infection, the program) begins to perform actions quite different from those expected of it.

Thus, from the point of view of the user or administrator, unwanted programs are those installed without permission or performing actions not specified in the corresponding documentation or license (we leave aside Easter eggs and bonus functionality, though from a security point of view any unknown functionality is bad). It is easy to see that all the definitions above are special cases of the one given in this paragraph. Accordingly, since all unwanted programs are harmful in one way or another (by working with information, consuming resources, or otherwise), the exact term for them is “malware”.

Closest to a correct definition of the term “malware” (alongside the NIST definition) comes Bank of Russia Regulation No. 382-P of June 9, 2012 (as amended by Bank of Russia Directives No. 3007-U of June 5, 2013 and No. 3361-U of August 14, 2014) “On requirements for ensuring the protection of information when making money transfers and on the procedure for the Bank of Russia to monitor compliance with the requirements for ensuring information protection when making money transfers”:

- program code leading to a disruption of the normal operation of computer equipment (hereinafter, malicious code).

The 382-P definition is in principle even more correct than ours, but it is not feasible to implement, since it presupposes analysis of program code, that is, detection of malicious code within it:

2.7.4 Where technically feasible, the money transfer operator, bank payment agent (subagent) and payment infrastructure service operator ensure that:
• preliminary checks for the presence of malicious code are performed on software being installed or changed on computer equipment, including ATMs and payment terminals;
• checks for the absence of malicious code on computer equipment, including ATMs and payment terminals, are performed after software is installed or changed.

It is impossible for the end organization to carry out such a check (in effect, certification against technical specifications and for the absence of undeclared capabilities, NDV) because of the huge volume of code, its closed nature and the lack of the required number of specialists. And indeed (as will be shown), the measures proposed by 382-P are aimed at protection against programs in general, not against code. In practice, even if paragraph 2.7.4 is implemented, it will be implemented purely formally, as an antivirus scan, which is completely indifferent to malicious programs not yet known to the protection tool (we will return to whether that is needed as well).
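To make the contrast concrete, here is an added illustration, not code from the original article, of what a post-change check in the spirit of 2.7.4 looks like when it is built around the “installed without permission” criterion rather than around signatures: the authorized state of an install directory is recorded once as a hash manifest, an approved change is described by the hashes it is allowed to produce, and after the change anything added or modified that the approval does not cover is flagged, whether or not any antivirus knows it. All paths, file contents and the “change order” are constructed sample data.

```python
"""Baseline-and-diff integrity check over a software install directory.

Added illustration (not from the original article). The authorized state
is recorded once; later checks compare the current state against it and
against the hashes an approved change is allowed to produce. Anything
else that appeared or changed is reported, signature or no signature.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict[str, str]:
    """Map each regular file (relative, '/'-separated path) under root to its SHA-256."""
    manifest: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks are not hashed here; a real tool records the target
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


@dataclass
class Diff:
    added: dict[str, str] = field(default_factory=dict)            # path -> new hash
    modified: dict[str, tuple[str, str]] = field(default_factory=dict)  # path -> (old, new)
    removed: dict[str, str] = field(default_factory=dict)          # path -> old hash

    def unexpected(self, approved: dict[str, str]) -> list[str]:
        """Paths that appeared or changed but whose new hash the approved change does not cover."""
        bad = [p for p, new in self.added.items() if approved.get(p) != new]
        bad += [p for p, (_old, new) in self.modified.items() if approved.get(p) != new]
        return sorted(bad)


def diff_manifests(before: dict[str, str], after: dict[str, str]) -> Diff:
    """Classify every path as added, modified, removed or (implicitly) unchanged."""
    d = Diff()
    for path, new in after.items():
        old = before.get(path)
        if old is None:
            d.added[path] = new
        elif old != new:
            d.modified[path] = (old, new)
    for path, old in before.items():
        if path not in after:
            d.removed[path] = old
    return d


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> list[str]:
    """Constructed scenario: one approved update plus one file nobody authorized."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/app.exe", b"app v1")
        _write(root, "conf/app.ini", b"[main]\n")
        baseline = build_manifest(root)  # the authorized state, recorded before the change

        # Hypothetical change order: bin/app.exe becomes v2, and nothing else.
        approved = {"bin/app.exe": hashlib.sha256(b"app v2").hexdigest()}
        _write(root, "bin/app.exe", b"app v2")
        # Something else landed alongside it, outside the change order.
        _write(root, "bin/helper.dll", b"not in the change order")

        current = build_manifest(root)
        return diff_manifests(baseline, current).unexpected(approved)


if __name__ == "__main__":
    print("unexpected after change:", demo())
```

The point of the design is that the question asked is “was this change authorized?”, which is answerable by the organization itself, rather than “is this code malicious?”, which requires knowledge the organization does not have. A real deployment would also record ownership and permissions, store the baseline off-host so it cannot be edited by whatever lands in the directory, and treat removed files as findings too.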

It is possible that the emphasis on malicious code stems from attention to one particular type of malware, viruses, which inject their code into other programs. But from that standpoint the 382-P definition is incorrect, since at the moment most malicious programs are trojans.

Most interesting of all, back in the late nineties of the last century the guidance document (RD) “Antivirus protection tools. Security indicators and requirements for protection against viruses” gave the definitions best suited to serve as a basis for building antivirus protection systems (naturally, allowing for the fact that at the time viruses were the main type of malware):

• Active virus - a virus whose program code, or part of it, is located in RAM or virtual memory and is periodically executed.
• Known virus - a virus about which the antivirus tool (AVS) holds information.
• Unknown virus - a virus about which the antivirus tool (AVS) holds no information.
• Viral impact (VV) - a change in the state of the automated system (AS) caused both by the penetration of elements of the virus's program code into the system and by the result of its execution (virus activation).
• Viral infection (VZ) - a change in the state of the AS or its individual elements caused by the spread of the virus.
• Virus-like impact (destructive program impact, RPV) - a change in the state of the AS caused by the execution of the code of a specially created software entity, or a combination of such entities, that does not have the property of replication.

As a seed for the next article, I suggest that Habr readers (drawing on their own experience or on standards, letters, orders, etc.) answer three simple childlike questions in the comments:
• How many malicious programs are created by attackers on average per day?
• What percentage of malware may an antivirus miss and still be considered a suitable means of protection, and why does an antivirus miss it at all?
• What is an antivirus for? What tasks does it perform in a protection system? The answer “it must catch viruses” does not count.

Hint - the first question is not strongly related to the rest.

I promise there will be a lot of unexpected things further.

P.S. Any additions to the article with links to sources are welcome. Opinions refuting the article's positions are even more welcome, but also with an indication of the source of the knowledge (personal experience, research, comparison, orders, etc.; there are plans to write about that too).
