From Whonix

The integrity of the host is a critical part of the system's Trusted Computing Base. If the host system is compromised by malware, so is every Whonix virtual machine, every Tor process, and every communication thought to be anonymous.

The Importance of a Malware Free System

Malware has malicious intent and can potentially: [1]

  • View and take snapshots of the desktop.
  • Peruse files and folders.
  • Gain access to protected data once it is decrypted.
  • Exfiltrate, corrupt or destroy data (particularly financial and personal information).
  • Damage operating system functionality.
  • Encrypt the contents of one or more drives and demand payment for decryption (ransomware).
  • Display unwanted advertising.
  • Install unwanted software.
  • Install persistent rootkits or backdoors.
  • Track browsing and other behaviour.
  • Remotely turn on webcams and microphones.
  • Create "zombie" computers which form part of a botnet used for spam email, DDoS attacks or the hosting of illicit / illegal material.
  • Record everything a user types, sends and receives.

Targeted Malware vs Off-The-Shelf Malware

Targeted malware is the opposite of off-the-shelf malware.

Targeted malware is crafted against a known target: it attacks one specific system or only a limited number of systems. Keeping the number of infections low is deliberate, because the more systems malware is installed on, the more likely it is that qualified people notice it, analyze it and publish about it.

On the other hand, off-the-shelf malware attempts to spread in bulk against bigger groups or the general public, with the goal of taking over as many systems as possible.

The Utility of Antivirus Tools

Antivirus products and personal firewalls are not drop-in solutions for a secure host. Malware can often stay undetected and evade scans, while application-level personal firewalls are often circumvented. [2] Polymorphic code and rootkits essentially render antivirus products helpless. [3] [4]

Antivirus tools are actually worse than useless. In the case of sophisticated and targeted attacks, the antivirus software can itself serve as a pathway to exploiting the system's kernel, since it almost always runs with administrator-level privileges. [5] Antivirus software also harms privacy by sending system files back to the vendor's servers for analysis. [6] The software also actively conducts man-in-the-middle attacks on secure SSL/TLS connections in order to inspect them, enabling very sensitive information to be viewed. [7]

Preventing Malware Infections

The optimal scenario is to avoid infection by malware in the first place. Once malicious code has accessed a system, it is next to impossible to contain. Sensible steps include: hardening the operating system, carefully vetting programs and files that are retrieved from the Internet, and using hypervisors (virtualizers) to isolate software that processes untrusted data.
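One concrete form of "carefully vetting programs and files retrieved from the Internet" is to refuse to use a download until its digest matches what the publisher lists in a checksum manifest. The script below is an added example and is not code from the Whonix project. It assumes the publisher distributes a manifest in the two-column format produced by `sha256sum` (`<hex digest>  <filename>` per line) and that the manifest itself was obtained over a trusted channel (for instance, verified with the publisher's signing key); the sample file and manifest are constructed inline so it runs offline.

```python
"""Verify a retrieved file against a SHA256SUMS-style manifest before using it.

Added example (not from the Whonix page). Assumes the manifest's digests are
trustworthy; the sample archive and manifest below are constructed inline.
"""
import hashlib
import hmac
import os
import tempfile


def parse_sha256sums(text):
    """Parse sha256sum output into {filename: lowercase hex digest}.

    Blank lines and '#' comments are ignored. A malformed line raises
    ValueError instead of being skipped, so a tampered or truncated
    manifest cannot silently lose an entry.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<digest>  <file>'")
        digest, name = parts
        name = name.lstrip("*")  # sha256sum marks binary mode with a leading '*'
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: not a SHA-256 hex digest")
        expected[name] = digest
    return expected


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large downloads need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, manifest_text):
    """Return True only if `path` is listed in the manifest and its digest matches.

    A file absent from the manifest is treated as unverified (False): the
    safe default is to refuse, not to assume the publisher forgot it.
    """
    expected = parse_sha256sums(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        return False
    actual = sha256_file(path)
    # compare_digest keeps the comparison time independent of where a mismatch occurs.
    return hmac.compare_digest(actual, expected[name])


def demo():
    """Constructed scenario: a genuine download, the same file altered in transit,
    and a file the publisher never listed. Returns the three verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "tool-1.0.tar.gz")
        with open(path, "wb") as f:
            f.write(b"pretend this is the genuine archive\n")
        manifest = f"{sha256_file(path)} *tool-1.0.tar.gz\n"
        genuine_ok = verify_download(path, manifest)

        # Simulate a file modified between publication and download.
        with open(path, "ab") as f:
            f.write(b"#")
        tampered_ok = verify_download(path, manifest)

        # A file that is not in the manifest at all is refused as well.
        unlisted_ok = verify_download(path, "# empty manifest\n")
        return genuine_ok, tampered_ok, unlisted_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The check only moves trust from the download to the manifest: if both arrive over the same unauthenticated channel, an attacker who can alter one can alter the other, which is why the manifest should be signature-verified (or its digest compared against a value published elsewhere) before it is used here.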

Detecting Malware Infections

Detecting off-the-shelf (standardized) malware is a very hard problem and conceptually a lost cause. If uncustomized malware is widespread enough, then it has a chance of being detected by a technician. Tailored malware might also get detected by a technician, but the likelihood is low unless the technician is lucky or gifted.

Non-technical users do not have many good options. They can either:

  • Spend a few years rapidly increasing their knowledge of operating systems, network protocols, package analysis, programming, disassembly etc., and then try their luck.
  • Pay exorbitant sums to a technician to try and find system malware, even though there is no certainty of success. [8] [9]
  • Seek the voluntary assistance of a technician to find malware, if they are both a high-value target and have a reasonable rationale for why they are likely compromised. [10]
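What a technician typically starts with when asked "is this host modified?" is not a signature scan but a comparison against a known-good baseline of file digests, in the spirit of tools such as AIDE or Tripwire. The script below is an added example, not code from the Whonix project. It assumes the baseline was taken while the system was still trusted and is stored off the host (a compromised host can rewrite a locally stored baseline just as easily as the files), and it carries the limitation the section above describes: a kernel-level rootkit can hide changes from any user-space scanner, including this one, so a clean result shows only that nothing visible changed, not that the host is clean. The directory contents are constructed inline so it runs offline.

```python
"""Baseline-and-compare file integrity check.

Added example (not from the Whonix page). Assumes the baseline is taken
while the host is trusted and kept off-host; the files below are constructed.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Map every regular file under `root` (path relative to root) to its digest.

    Symlinks are not followed and are skipped: otherwise a planted link could
    point the scan at a different file or into a link loop.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def compare(baseline, current):
    """Return (added, removed, modified) as sorted lists of relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Constructed scenario: take a baseline, then replace a binary, drop a
    hidden file and delete a config file, and report what the comparison finds."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "bin/ls": b"genuine ls binary\n",
            "bin/ps": b"genuine ps binary\n",
            "etc/hosts": b"127.0.0.1 localhost\n",
        }
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        baseline = take_baseline(root)  # would be stored off-host in practice

        # What a trojaned binary, a dropped payload and a removed file look like.
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"ps that omits certain processes\n")
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"dropped payload\n")
        os.remove(os.path.join(root, "etc", "hosts"))

        return compare(baseline, take_baseline(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added)        # ['bin/.hidden']
    print("removed:", removed)    # ['etc/hosts']
    print("modified:", modified)  # ['bin/ps']
```

The comparison is only as good as the environment it runs in: to reduce the chance that a modified `ps` or kernel is also lying to the scanner, the check is best run from a separately booted, trusted medium against the host's disk rather than from the possibly compromised running system.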

Footnotes

  1. [archive]
  2. [archive]
  3. [archive]
  4. A botnet author brags in this thread of writing unbeatable malware and trolling antivirus vendors. [archive]
  5. [archive]
  6. [archive]
  7. [archive]
  8. The salary costs for a security researcher / malware analyst over an extended period rule this out for most individuals.
  9. [archive]
  10. Only a select group of people fall into this group, for instance, whistleblowers targeted and infected by tailored viruses. Experts might be located who are willing to conduct analysis pro bono, later publicizing their findings for the public benefit.