[Full-disclosure] detecting targetted malware
kevin.fielder at gmail.com
Mon Jan 22 14:21:47 GMT 2007
What you are referring to is a 'white-list' of applications, e.g. you
have an application that runs at a low level and only allows a list of
approved or allowed applications to run. These do not necessarily
need to scan your system as they can work at run-time - each time an
application of any sort tries to run, the monitoring application checks
it against its list of approved applications and decides whether it
can start or not (this obviously needs to be more than just the
application name; some sort of checksum and / or other intelligence is
required to ensure a malicious application cannot masquerade as an
Various tools can offer this service with varying degrees of
complexity / intelligence; AppSense springs to mind as one that
specializes in this service, but many desktop protection tools that
offer AV / firewall / IDS etc. also offer white / black list application
On 1/22/07, lsi <stuart at cyberdelix.net> wrote:
> This is probably patented and implemented already but nonetheless it's
> a new idea for me, so I mention it...
> While mass-produced malware remains an issue for most users, a
> significant threat is also posed by malware customised for a specific
> victim (so called 'targeted malware'). This threat is potentially
> worse as an organisation cannot rely on traditional AV or anti-
> spyware scanners to detect the targeted malware; as the malicious
> code is customised it does not have an entry in AV/AS signature
> Despite this, detecting customised code should be easy. All that's
> needed is a scanner. It simply finds every piece of executable code
> on a system. It then compares each piece with its list of known-good
> executables. Any executable that is found but is not on the list is
> an intruder.
> This approach takes advantage of the fact that, unlike spam, we can
> make a list of all our known-good items.
> Stuart Udall
> stuart at at cyberdelix.dot net - http://www.cyberdelix.net/
> * Origin: lsi: revolution through evolution (192:168/0.2)
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
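A minimal known-good scanner of the kind Stuart describes, using the per-file checksum Kevin says the check needs rather than the file name (an added example, not code from either poster or from AppSense; the PE/ELF header test, the SHA-256 allowlist and the sample file tree are assumptions constructed for the demo):

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File headers that mark code whatever the name or extension says.
# Assumption: this toy scanner recognises only PE ("MZ") and ELF.
EXEC_MAGIC = (b"MZ", b"\x7fELF")

def sha256_of(path: Path) -> str:
    """Hash the full contents; a filename alone cannot identify a build."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def is_executable(path: Path) -> bool:
    """Classify by header so a renamed binary is still examined."""
    with path.open("rb") as f:
        return f.read(4).startswith(EXEC_MAGIC)

def executables_under(root: Path):
    # Walk the tree and yield only files that carry an executable header.
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_executable(p):
                yield p

def build_allowlist(approved_paths) -> set:
    # Known-good set: the hash of every executable you trust (constructed list).
    return {sha256_of(p) for p in approved_paths}

def scan(root: Path, allowlist: set) -> list:
    # Every executable under root whose hash is not on the list is an intruder.
    return sorted(p.relative_to(root).as_posix()
                  for p in executables_under(root) if sha256_of(p) not in allowlist)

def demo() -> list:
    """Constructed file tree showing which cases a hash-based list catches."""
    with tempfile.TemporaryDirectory() as tmp:
        host = Path(tmp)
        (host / "tmp").mkdir()
        # The approved build, as shipped: its hash seeds the known-good list.
        (host / "app.exe").write_bytes(b"MZ approved build 1.0")
        allowlist = build_allowlist([host / "app.exe"])
        # Approved name but different bytes: a name-only check would pass it.
        (host / "tmp" / "app.exe").write_bytes(b"MZ tampered build")
        # Code behind a harmless-looking extension: an extension check would skip it.
        (host / "notes.txt").write_bytes(b"\x7fELF dropped payload")
        # Plain data, not code: must not be reported.
        (host / "readme.txt").write_bytes(b"just text")
        return scan(host, allowlist)
```

The shipped copy of app.exe passes, the renamed ELF and the same-named but altered app.exe are both reported, and the text file is never hashed because it has no executable header.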