security - is malware prevention missing a basic tool ?

[Steven Avery]

Hi Folks,

 A lot of times when there is a malware problem (on your puter or fixing somebody elses) you have an idea where it came from, a lot of times you don't.  If you don't, you have a recipe for a future disaster.

 Malwarebytes is probably the leader in finding out info these days, SuperAntiSpyware second.  Kewl.

  One thing they (any company) never seem to want to study is the DATES of the files of the problems. They are not shown to you, they are not in the log, they are nowhere to be found (afaik, there could be exceptions).  And once you delete the problems, all trace is gone except in backups.

  Now Windows does a pretty good job documenting the date and time of when a file appears (granted the malware could try to adjust that, similarly you could have a guardian to prevent the 'adjustment'.  The malware could also fudge the issue some if it is the type that replicates and deletes, however what I am sharing will apply in MOST cases.)

  So if you had two things :

1) The ORIGINAL PUTER DATE of the problem issues (I'm not sure if that extends to registry entries, whether they log .. or could be easily logged .. in that manner).  On files Windows keeps a couple of dates, sometimes the names are confusing, but the original "onboard" date is one of them.

2) A decent log .. not just the event viewer, but a real log-file of web-pages, downloads, java loads, .exe and .dll file creations, stuff like that.

You would be able to backtrack and get a good fix on the original source.  And log files are "no big deal" .. 100 or 1000 entries a day or so is simply nothing in terms of computer processing.  

And note: until there is more .. actually the windows file dates gives you a pretty decent defacto log today, simply by searching on the date and time.

Then #3

And most of this could checking be automated !  Then a little program could fish out what happened right before the file install.  So it is a lot easier than even looking at the famous "event viewer".  A lot of time you would then look at the data and have an "aha" moment, or at least find a likely culprit or benign cause.

Why do I mention this ?  I fished out the data for a false positive from Emsi very easily in that way (I could link to the threads).  First I checked the suspect file date itself, then I searched on Locate32 (I think that is what I used, maybe Total Commander did not have that date search handy, or maybe vica versa) by the file dates to see what was new at the time of the suspect.  And I found out that a potential "keylogger" was simply part of a respected task manager package that I had installed that gave me the .dll.  And a phone call to the developer put all the dots together, very simple.  (Emsi showed no interest at all in this method of discovery .. none .. zilch. ) Yet if I did not have the dates available, very unlikely that I would have found anything.  

(Well, later I discovered McAfee also had a second lead, far less exacting, one that helped confirm my research. The file was documented as coming from the task manager package -- on a page where they show what was involved in the installs, surprisingly nice from McAfee).    For the afficianados, the Convar "PC Inspectpor Task Manager" program used a Dart library component .. one that had been used in an earlier version a decade ago by a parental-control keylogger .. such is the sad state of modern malware analysis. In fact Emsi had previously been informed about this false positive of this .dll on an earlier thread, but their bureaucrcatic methodology was in the way.  

The malware industry does not like to revamp their thinking very easily .. heuristics and all ...  they are an entrenched and somewhat stagnant crew, at least in some ways.  

Your thoughts on this 'new paradigm' possibility for discovering the malware sources ?  It is actually all quite trivial on a technical level, mostly it simply needs a bit of coordinated action.  Basically, it seems like an important component, a very simple and strong weapon, is simply ignored in the malware prevention world. (When was the last time you heard a security vendor, or even a Wilder's techie, recommending to check the file date and match it against the files on your system ? )

The simplest aspect of this could be implemented very simply.  Here is the file(s) in question .. here are any installs at that time.  At the very least, you would start with things like .. this .dll or this .sys links to this .exe and these files, they were installed at the same time.  The more overarching log defense structure is the higher level recommendation.

Shalom,
Steven Avery

[barney]

Steven,
Your post reminds me very much of something I advocated during much of my last tenure in the corporate world.

While working at MCI, I constantly - after the first three years, I had gained some credibility - importuned the IT folk of whatever LAN I was on at the time to create a master date log on the server(s) that was built from activity on each of the boxes connected to that server.  Almost all of the individual IT folk agreed that it would be extremely useful when trying to diagnose problems that seemed otherwise untraceable.  However, the admins of the various LANs proclaimed it to be too labor-intensive a project.

They didn't want to get off their fat [mental] asses and actually peruse/analyze the log files.  Instead, they proclaimed that such logs would eat too much HD space <groan />.

I suspect you'll find similar resistance to your idea when dealing with various vendors, even the so-called security vendors.  And for roughly the same reasons.  It's not a difficult thing to do, but it can be very time-consuming to review.  And building a smart app to do the review might actually take some of their precious brain power - ?!? - and time.

However, in validation of your concept - not that you need it - I've used processes very similar to what you've described to solve some pretty perplexing problems in the past, particularly with my [not so] knowledgeable friends who call in the middle of the night because they can't get their favorite porn site/application/Web game to work.

Strikes me that this is closer to nirvana than to reality.

Alaikum

[Steven Avery]

Hi Folks,

Barney, I agree with you 100%.  Keep in mind that the limited functions, such as showing any installs before the file date and time, would be easy programming, even with the information already available in Windows.  Maybe its an autohotkey or autoit app ?

Then if you added additional logging, such as web-sites visited, you would have some additional programming.  (That is where you run into the issues of where to do the logging from, and the various browsers and firewalls that are used, stuff like that.)  

So there could be a modular implementation, however in the long run you may use up .07 cents of disk space, so the malware autocrats and beaureaucrats would prefer to sit in their "anti-virus laboratories" pontificating about what their heuristics and behaviorists declare.  They don't really want you thinking too clearly about your computer system.

Shalom,
Steven

[cmpm]

Hm, I don't know - spyware of a sort for yourself.
This would include browsing history and apps run.
If it just reported to you and not to whoever created the thing.
Otherwise I see not much difference then the problem.

Cause most problems need some outside assistance to figure out what it is.
Whether it's automatic or manual, there are updates.
These updates come from what people are finding, I think anyway.

Adaware gives the option to report to mama.
Not sure about many of the rest, what they do.
At this point all the extra info, that could be of use to us personally,
 is not sent to any one, as to where you got the trouble.
Just what is the found , adware, spyware, virus, trojan...etc...

Real Time protection, seems the only answer now.
What and where were you when you got that virus or adware popup notice.
I can pretty much track it like that.
Although there is no details as you request Steven.
How would we guard that info if it was handed to us?

[Steven Avery]

Hi Folks,

I am really talking only about "on-board" logging and analysis.  The logging of file date original access is already a built-in Windows feature, simply a part of the file attributes.  If you go further, such as website visiting logging, then you decide how much you want to retain.  The last 2 weeks ? Ok, then do not complain about it if you get a malware that shows a date from 3 weeks ago. You will simply have less of a chance to determine what was the website that was visited right before the install.

Since this is all on your system, I do not see any real security problems. You are making the decisions, and it is potentially helping your malware analysis.

Shalom,
Steven