Milos wrote:Yes, it would have to be malware, but the problem is that, thanks to the general nature of the exploit, knowing how the exploit works would make it very easy to write millions of versions of the malware that would all have different signatures, effectively making it impossible for anti-malware developers to catch up to it.
AV devs have advanced a bit since the '90s: there are emulators (heuristics) and behavioral engines, so no matter how you wrap the present, it still behaves the same
- of course nothing is perfect, and this only works IF it doesn't generate many false positives and if the behavior is interesting enough to be detected this way.
Signatures/heuristics work before the malware runs, but behavioral engines detect after it runs, so clean-up/stopping is a bit more difficult; but if it works, it can detect many flavors of the same thing.
There are more subtle things like vaccination (making a virus think it already infected the computer) and of course much more.
The best protection still is to avoid running untrusted SW.
Milos wrote:Yes, it would have to be malware, but the problem is that, thanks to the general nature of the exploit, knowing how the exploit works would make it very easy to write millions of versions of the malware that would all have different signatures, effectively making it impossible for anti-malware developers to catch up to it.
AV devs have advanced a bit since the '90s: there are emulators (heuristics) and behavioral engines, so no matter how you wrap the present, it still behaves the same
I'm not so sure about that. The Meltdown and Spectre vulnerabilities can be exploited without making any system calls, so there is not so much behaviour to detect.
syzygy wrote:I'm not so sure about that. The Meltdown and Spectre vulnerabilities can be exploited without making any system calls, so there is not so much behaviour to detect.
I was thinking along the lines that, as a potential attacker, reading sensitive data is not enough - you have to transport it out somehow (this is what might be exploited), that is, unless you have direct access to the hardware.
I'd personally worry more about the Intel Management Engine, which is a potentially huge backdoor.
Milos wrote:Yes, it would have to be malware, but the problem is that, thanks to the general nature of the exploit, knowing how the exploit works would make it very easy to write millions of versions of the malware that would all have different signatures, effectively making it impossible for anti-malware developers to catch up to it.
AV devs have advanced a bit since the '90s: there are emulators (heuristics) and behavioral engines, so no matter how you wrap the present, it still behaves the same
I'm not so sure about that. The Meltdown and Spectre vulnerabilities can be exploited without making any system calls, so there is not so much behaviour to detect.
syzygy wrote:I'm not so sure about that. The Meltdown and Spectre vulnerabilities can be exploited without making any system calls, so there is not so much behaviour to detect.
I was thinking along the lines that, as a potential attacker, reading sensitive data is not enough - you have to transport it out somehow (this is what might be exploited),
That is true and it is probably how the exploits will be detected. But for a lot of programs it is normal to communicate with some server.
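As an added illustration of the two detection approaches argued over above (byte signatures versus behavioral engines, and the false-positive concern that many legitimate programs talk to a server), here is a small Python model that is not from the thread or any AV product. It assumes the runtime actions are observable as an ordered trace (which, as syzygy notes, a Spectre/Meltdown read without system calls would not give you) and uses constructed samples and TEST-NET addresses.

```python
import hashlib
from typing import NamedTuple

class Sample(NamedTuple):
    name: str
    payload: bytes             # file bytes as shipped (wrapper + core)
    trace: tuple[str, ...]     # actions observed at run time, in order

# Paths the behavioral rule treats as sensitive (constructed for this example).
SENSITIVE = ("read:/home/user/.ssh/", "read:/etc/shadow")

# Constructed samples. The three variants share one core behaviour but each
# gets a different wrapper, so their bytes (and any hash signature) differ.
CORE = ("read:/home/user/.ssh/id_rsa", "connect:203.0.113.9:443", "send:2048")
SAMPLES = [
    Sample("variant-a", b"\x90\x90" + b"CORE", CORE),
    Sample("variant-b", b"\x41\x41\x41" + b"CORE", CORE),
    Sample("variant-c", b"\xcc" + b"CORE" + b"\x00" * 7, CORE),
    # Ordinary client: talks to a server but never touches sensitive data.
    Sample("updater", b"UPDATER", ("connect:198.51.100.7:443", "send:512", "recv:4096")),
    # Reads a secret but never transports it out (no send afterwards).
    Sample("backup", b"BACKUP", ("read:/home/user/.ssh/id_rsa", "write:/mnt/backup/id_rsa")),
]

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def signature_match(sample: Sample, known_hashes: set[str]) -> bool:
    """Byte-level signature: only hits bytes the AV has seen before."""
    return sha256(sample.payload) in known_hashes

def behaviour_match(trace: tuple[str, ...]) -> bool:
    """Behavioral rule: a sensitive read followed, in order, by a network send."""
    saw_sensitive = False
    for action in trace:
        if action.startswith(SENSITIVE):
            saw_sensitive = True
        elif saw_sensitive and action.startswith("send:"):
            return True
    return False

def classify(samples: list[Sample], known_hashes: set[str]) -> dict[str, tuple[bool, bool]]:
    """Return {name: (signature_hit, behaviour_hit)} for every sample."""
    return {s.name: (signature_match(s, known_hashes), behaviour_match(s.trace))
            for s in samples}

if __name__ == "__main__":
    known = {sha256(SAMPLES[0].payload)}   # the AV has only ever seen variant-a
    for name, (sig, beh) in classify(SAMPLES, known).items():
        print(f"{name:10} signature={sig!s:5} behaviour={beh}")
```

The signature check catches only the one variant whose hash is known, the behavioral rule catches all three variants, and neither flags the updater (normal server traffic) or the backup tool (sensitive read with no transport out).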