Back to Top

Monday, December 01, 2008

What is a perimeter weakening malware?

I've seen this idea floating around the Internet for some time and I thought I document it for future reference:

A perimeter weakening malware is a program (script, macro, etc) which "lowers the defenses" of a computer (stops AV software, disables the firewall, creates an Administrator account with a certain password, etc) after which it deletes itself. The idea is that this creates an opportunity for the attacker to later come in and take over the system with standard tools (RDP, PSExec, etc).

To be clear: as far as I know this is just a concept, it hasn't been used in any malware I've seen. Many of them do try to do something similar, but it is mostly an attempt to disable security software so that they can remain on the system longer. The difference is that PWM doesn't needs to be written to the disk necessarily (the moment when on-access scanners verify the files). It can be part of an exploit, which runs from memory, does its thing and disappears.

The danger: black/white-listing solutions most probably won't pick up on this. After all, the concept of "executable code" is so blurry that most solutions only cover ~95% of it (which doesn't sound bad, but still leaves a lot of possibilities open). Scanning every memory page on every executed instruction is one possibility, however currently nobody does that (AFAIK) because of the performance impact...

The solutions is - you've guessed it - multiple layers of defense (I'm talking about companies here). Have your security suite, but also monitor the traffic, make sure that users don't run as Administrator (sidenote: I was recently on a computer which used AVG 7.5 and was very pleased to find that they didn't allow changing the settings from a limited account). Have policies which describe the accepted configuration of the machines and monitor it (Tenable Security seems to have some version of this built into Nessus - disclaimer: I have no relationship with them whatsoever, I never even used Nessus :-)).


  1. i can see why it's just a concept... it's like opening a door and not stepping through... malware purveyors have to explicitly pass up the opportunity to own the box after stopping the security services, and passing up opportunities doesn't sound like something they're likely to do...

  2. My line of thinking was that there can be still some use to this (from a blackhat viewpoint), especially if the actions are not very intrusive (stopping the security software will probably be observed - creating a new administrative account - less likely).

    Guarding against these changes has also the advantage that you have a better chance of observing when somebody (disgruntled admin?) tries to "backdoor" your systems from the inside.

  3. What we do with Nessus is two things:

    - Anyone with the free Home Feed or the commercial Professional Feed can audit their systems running common anti-virus solutions to see if they are installed, running and up to date.

    - Commercial customers can also leverage the Professional Feed to run "audit" polices that make sure a system is running the exact authorized version of the corporate standard.

    If malware has done something to a system to modify DNS tables, turn of AV services and so on, many of the checks that Nessus can perform will alert on this. We've blogged about this several times and give pretty detailed examples of these sorts of things.