Why wouldn’t an exploit be caught by my anti-malware tools?

It's possible to fall victim to malware even with your anti-malware tools running and everything up to date. More often, though, the problem is simpler: not everyone keeps the software running on their system up to date.


Why would an exploit, even targeted at a software program (it’s listed under “programs” in my Win XP), not be caught or detected by my antivirus program (Avast) or Malwarebytes (running in the background)? If not detectable, how much “damage” can the exploit actually do if users follow prudent operating precautions? Would System Restore be usable if infected? I have also followed your advice and routinely image my Dell laptop.

We do need to clear up a little terminology, but your question is a very good one: how can malware get past anti-malware programs to infect the software installed on your machine?

And more importantly, what can you do to protect yourself?

Let’s define some terms with what I’m thinking is my silliest metaphor ever, and then talk about how to stay safe.

Vulnerabilities and Exploits

A “vulnerability” in software isn’t really a bad thing in and of itself. It’s kind of like a hole in a bathroom wall – as long as no one’s looking through the hole there’s no damage done.

Naturally you’d like to have the problem fixed and the hole repaired (i.e. you’d like your software to be updated so that the vulnerability is removed), but as long as the hole hasn’t been found by anyone, it’s not really putting you at imminent risk. It shouldn’t be there, of course, but as long as no one knows about it all is well.

An exploit is kind of like someone finding the hole and looking in at whatever’s happening in your bathroom. If the hole’s big enough, perhaps they can even reach in and steal personal things like your toothbrush or flush your toilet when you’re not looking.

A software exploit could do things like look at the information on your computer, steal personal things like your passwords, or use your computer to send spam when you’re not looking.

And yes, I just compared spam to whatever you might flush down your toilet.

Anti-malware tools

So if we extend this “I-can’t-believe-I’m-writing-this” metaphor further, we need to factor in anti-malware tools.

Anti-spyware tools are kind of like security cops who know nothing about the holes, but instead have a list of all the other places from which you could be spied upon. They monitor the doors and windows and make sure no one has installed a video camera in the medicine cabinet. As soon as they see suspicious activity in those locations they alert you and attempt to remove the threat.

Anti-virus tools are more like security cops with a big book of mugshots of all the people who are known to look in holes in bathroom walls. As soon as they see someone from that book, they kick them out – or at least let you know that they’re lurking about.

The problem, of course, is that these cops are only as good as the information they carry. If the anti-spyware cop is unaware of the fact that video cameras can also be placed in the light fixture, they won’t know to check that. If the anti-virus cop doesn’t have the photo of the peeping-Tom that was discovered elsewhere this morning, he won’t recognize him.

That’s why I so often insist that you not only have up-to-date anti-malware software (cops that know all the important tricks of the trade), but that you make sure that they’re keeping their databases of malware (the list of places to look and malcontents to look for) as up to date as possible.

The metaphor can be extended even further: not all cops are the same; some are better at seeing certain kinds of things than others, others get better data from their head office, and so on.

And some are just incompetent.

Ultimately, though, not having up-to-date tools with up-to-date information is one way that malware makes it into your system.
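Here is the “book of mugshots” idea in working code, as an added example that is not part of the original article. It is a toy signature scanner: edition 1 of its database knows only exact file hashes, so a sample with a single byte changed walks straight past it; edition 2 adds a byte-pattern rule for the family and catches the variant. The three “files” are constructed harmless byte strings, and the database is computed from them at load time so the example runs offline.

```python
"""Toy signature scanner: a mugshot book only recognizes faces it has seen.

Added example, not code from the original article. The samples below are
constructed byte strings; nothing here executes them.
"""
import hashlib
import re
from typing import Dict, Optional, Pattern

# Constructed sample files (plain bytes; nothing here executes).
KNOWN_SAMPLE = b"MZ\x90\x00 dropper v1: connect to c2.example, send spam"
# The same file with one byte changed: a repacked "new" variant.
VARIANT = KNOWN_SAMPLE.replace(b"v1", b"v2")
CLEAN_FILE = b"MZ\x90\x00 notepad clone: open, edit, save text"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Mugshot book, edition 1: only exact-hash signatures, computed here so
# the example runs offline. One changed byte changes the whole hash.
HASH_DB_V1: Dict[str, str] = {sha256(KNOWN_SAMPLE): "Dropper.A"}

# Edition 2, shipped after the vendor has seen the variant: a byte-pattern
# rule that matches the family rather than one exact file.
PATTERN_DB_V2: Dict[str, Pattern[bytes]] = {
    "Dropper.gen": re.compile(rb"dropper v\d+: connect to \S+, send spam"),
}


def scan(data: bytes,
         hash_db: Dict[str, str],
         pattern_db: Optional[Dict[str, Pattern[bytes]]] = None) -> Optional[str]:
    """Return the detection name, or None if nothing in the database matches."""
    hit = hash_db.get(sha256(data))
    if hit:
        return hit
    for name, rule in (pattern_db or {}).items():
        if rule.search(data):
            return name
    return None


def demo() -> Dict[str, Optional[str]]:
    """Run the three files through both editions of the database."""
    return {
        "known sample, edition 1": scan(KNOWN_SAMPLE, HASH_DB_V1),
        "variant, edition 1": scan(VARIANT, HASH_DB_V1),           # missed
        "variant, edition 2": scan(VARIANT, HASH_DB_V1, PATTERN_DB_V2),
        "clean file, edition 2": scan(CLEAN_FILE, HASH_DB_V1, PATTERN_DB_V2),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result or 'clean'}")
```

The point to take from it: the scanner is doing exactly what it was built to do in every case. The variant is “missed” only because the cop’s book has not been updated yet, which is the gap an out-of-date database leaves open and the gap a brand-new sample sits in until somebody adds it.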

Finding Holes

Unlike a bathroom wall, the vulnerabilities or “holes” in software are often not obvious or easy to discover. It’s not uncommon for a vulnerability to exist for years before someone stumbles across it and develops a way of exploiting it.

To continue the “computer software is like a bathroom” story even further, the holes in your wall are very, very difficult to find. Depending on the quality of the original builder there may be many easier-to-find holes, but those are often found and fixed relatively quickly.

And here’s the scary part: hackers are like someone who spends all day and night looking at your bathroom wall from the outside, hoping to find a hole that no one else has found before. It’s not a “new” hole – it was there all along – but it is a new discovery, and often termed a “new” vulnerability.

Or sometimes they’ll find a new way to use a previously known hole that hasn’t been patched yet.

Either way, as soon as they’re successful they create malware which exploits the fact that your bathroom wall (the software on your computer) has an unpatched hole.

Fixing Holes

“So just plug the holes!” I hear you yelling.

Exactly. The problem is, as I mentioned above, that the holes are extremely hard to find.

But once they’re found, the hole is patched – by updating the software on your machine to versions that no longer have the holes that have been found.

Usually. Some holes are fixed more quickly than others, and some may not be fixed at all.

One issue is that some holes are worse than others. A hole that allows someone to see your toothbrush might be less important than a hole that allows someone to actually steal it.

Some holes are harder to patch than others.

Another issue is that fixing a hole often damages the wall, sometimes to the extent that a new hole is created elsewhere. By that I mean fixing a bug in software can unintentionally introduce other bugs. Thus the benefit of fixing a known hole has to be weighed against the risk that doing so might create another hole that we don’t know about.

The bottom line here, though, is that having out-of-date software – software with known holes in it that have been fixed by updates you haven’t taken yet - is another way that malware can find its way onto your machine.

Avoiding Holes: Extreme Version

The recent experience with Java is a great example for several reasons.

To continue our now tortured comparison:

  • Many, many people had this model of “bathroom”. (Many people had Java installed.)
  • In recent years, many holes have been found and repaired in this bathroom’s walls. (Java has a history of having vulnerabilities.)
  • A new hole was discovered, and new people were found looking in, before the security cop’s mugbook could be updated. (A new “zero day” exploit of a vulnerability in Java was found in the wild.)
  • Until the hole was patched, everyone using this bathroom was vulnerable to having their toothbrush stolen, or worse. (Everyone with Java on their machine was at risk.)


The common advice was to remove the bathroom completely (uninstall Java), use a different bathroom to do what you need to do (use alternate tools that don’t use Java), or avoid using a bathroom altogether (don’t do whatever it was you were doing that needed Java).

The metaphor breaks down at this point because while most of us may not need Java, we all do need to eventually use the bathroom.

Avoiding Holes: More Common Version

The advice for avoiding software exploits is the same as it’s always been:

  • Keep your computer software up to date. (Keeps the holes that we know about patched.)
  • Keep your anti-malware tools up to date, and keep their databases up to date. (Keeps the security cops sharp and with current information of what to look for.)
  • In some cases, uninstall software that is known to have issues. (Keeps you from doing things that a peeping-Tom might see or use against you.)
  • And of course, don’t invite a crowd of peeping-Toms onto your computer by opening attachments that you’re not certain are safe, running questionable downloads or visiting questionable sites.

In other words, keep your bathroom clean, and don’t invite strangers in.

And, yes, even after doing all that, there’s still the possibility of a hole you don’t know about being found and exploited before all the defenses are updated.
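The first bullet above, “keep your software up to date,” is easy to say and surprisingly easy to get wrong when checked by hand, because version strings like 1.7.0_9 and 1.7.0_10 do not sort the way text does. The following is an added example, not code from the original article: it compares an inventory of installed products against the versions that closed a known hole and lists what still needs updating. The product names, version numbers and the “fixed in” baseline are all made up for the example and are not taken from any advisory.

```python
"""Patch-level check: which installed software is still below the version
that closed a known hole?

Added example, not code from the original article. The inventory and the
fix baseline are constructed; the names and versions are assumptions.
"""
import re
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.7.0_10' -> (1, 7, 0, 10); '11.0.01' -> (11, 0, 1).

    Splits on '.', '_' and '-' and keeps the numeric parts, so the
    comparison is numeric: build 9 is older than build 10 even though
    the string "9" sorts after "10"."""
    return tuple(int(part) for part in re.split(r"[._-]", version) if part.isdigit())


def is_patched(installed: str, fixed_in: str) -> bool:
    """True if the installed version is at least the version that closed the hole."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    # Pad with zeros so '2.3' and '2.3.0' compare equal.
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def unpatched(inventory: Dict[str, str], baseline: Dict[str, str]) -> List[str]:
    """Names of installed products still below their fix baseline.

    Products with no baseline entry are not reported: there is no known
    hole on record for them, which is not the same as there being none."""
    return sorted(
        name for name, version in inventory.items()
        if name in baseline and not is_patched(version, baseline[name])
    )


# Constructed inventory and baseline; names and versions are made up.
INVENTORY = {
    "Example Runtime": "1.7.0_9",
    "Example Reader": "11.0.01",
    "Example Editor": "2.3",
}
FIX_BASELINE = {
    "Example Runtime": "1.7.0_10",   # assumed version that closed the hole
    "Example Reader": "11.0.01",
    "Example Editor": "2.3.0",
}

if __name__ == "__main__":
    for name in unpatched(INVENTORY, FIX_BASELINE):
        print(f"UPDATE NEEDED: {name} {INVENTORY[name]} < {FIX_BASELINE[name]}")
```

Note what the check cannot tell you: a product that is absent from the baseline is silently passed, which mirrors the article’s point exactly. “No known hole” means nobody has written one down yet, not that the wall is solid.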

If Infected…

To answer your second question: how much can malware do? Pretty much anything. Naturally the specifics depend on the size of the hole that’s being exploited, and what’s available on your computer, but it’s safest to assume that once a vulnerability on your machine is exploited and an infection occurs all bets are off.

That’s one reason that I so strongly recommend regular backups. If your machine is infected today, restoring yesterday’s backup makes the infection go away. Period.¹

System Restore can sometimes help, but there are two problems with it:

  • In my experience it’s unreliable. There’s nothing worse than counting on System Restore to save you, only to have it respond with things like “No Restore Points Found” or the like.
  • You’re still not sure that the malware is gone. System Restore doesn’t restore everything, and those things that it does not restore remain infected if they were, in fact, infected to begin with.

Try System Restore if you like – be sure to run full, updated anti-malware scans thereafter – but it’s not something I feel at all confident relying on.

As for me … I’m moving my toothbrush. :-)

Footnotes and references

1: This is where the metaphor breaks down completely. I mean, who keeps a daily backup of their bathroom? :-)

Posted: January 24, 2013 In: Malware

There are 23 comments:

  1. Gilles

    Great article, if any people do not understand after this article they should flush their PC down the bowl. You would have made tons of money as a writer Leo.
    Thank you so much, Gilles.

  2. Yeppers

    Leo, you said “System Restore doesn’t restore everything”. Does it restore your old set of restore points, some of which may contain a malware? And if there is a malware in a restore point, is that malware essentially quarantined? In other words, can that malware do any harm just sitting there, even if I never use the restore point(s) in which the malware resides? Thanks…

  3. Keith E

    Great article, Leo. Thank you for explaining it in such an accessible way!

  4. Lee Guptill

    There is something about laughing while reading an article that makes learning and understanding much easier:)

  5. MikeInPennsylvania

    I use PhishTank.com to report phishing websites, but I would like to know where I can report malicious websites and know that something is being done with the info.

    Anyone know of any?

  6. Gabe

    Very funny! If I didn’t know any better, I’d say you did all you could to keep that metaphor alive as you were clearly having fun! I’m looking forward to your next article where we explore spam and its originators (aka, the sewer).

    Thanks for what you do.

  7. Dan

    Yep – pretty soon the bad guys will figure out how to put bots in our water supply. Most bathroom sinks have filters/screens (built into the aerators) that will keep them out, but bathtub faucets don’t usually have them, so they will sneak into your bathroom through that avenue. ;-) – thanks for that article. I am going to give it to my wife since it explains tech stuff in a way she would easily understand.

  8. Mark J

    @Charlie the spelling cop
    Thanks for the heads up. Thanks to you the hole was patched :)

  9. Arlin Bryant

    Leo I have tried for almost three yrs to understand what all that meant. Thank you for putting it in a way us older, new computer users can understand.

  10. Dave

    Hi Leo. Don’t feel quirky about this post. You have just ventured into one of the most effective and powerful teaching tools – use of everyday things in simple illustrations to explain more complicated things. The greatest teacher who ever walked the planet used them to great effect, they are still in our everyday speech over 2,000 years later! Keep it up, you’ll reach a whole lot more people and they’ll love you for it. Don’t worry about the “techos” and “geeks”, they’ll realise later to get on board or get run over.

  11. Dorene

    Hi Leo,

    Thank you so very much. You are a wealth of information and I totally agree with what “Dave” said.

    And please, do not take your job lightly, you are very much appreciated.

    Now where did I put that plunger?

    Thanks again,

    Dorene

  12. Lynda

    Oh my gosh, that was perfect. I know many non-geeks who would -with this article-finally “get it”. Huge help-and funny LOL. THANKS!

  13. bob price

    Great explanation! Many thanks. At my first computer class decades ago, the instructor compared RAM, cache hard drives, processors, etc as cars with various sized trunk capacities, engines, speeds, gas tank size etc. I still use those descriptions today for newbies.

  14. Matt Stern

    Leo:

    I’m an IT professional with even more time in than you, and I must say, that was the best description of malware and the various protections that I’ve ever heard! I’m going to point several users to this wonderful posting!

    Keep up the good work.

    PS – I just stole your toilet seat – and I bet you don’t have a thing to go on!

  15. Lucy

    Thanks Leo

    You really made this confusing topic easy to understand … and fun to read.

  16. Tony

    Leo are you saying to just keep Java updated, rather than the recent rush to remove or disable it??

  17. JOSE CARLOS SANTOS

    My Dear Leo, your comparison between malware and the holes in the toilet room was great. Unfortunately there are still a lot of people who don’t flush after using it. Hugs.

  18. rod w

    Thanks to you I back up regularly, and it could not be simpler or more convenient. I hate to admit it, but I use backup when I screw something up, unrelated to malware. That drum you keep pounding caused me to not only back up regularly, but to donate because it has saved me time and again. Thank you, thank you, ad infinitum.
