Monthly Archives: November 2009

The Zombie Perspective

Nice article by Dennis Fisher on “The Root of the Botnet Epidemic” at

http://threatpost.com/en_us/blogs/root-botnet-epidemic-113009.

It starts with a historical overview of the situation around the turn of the century: the first DDoS attacks, Mafiaboy, trinoo, Stacheldraht and all that, with copious quotes from Joe Stewart and Jose Nazario.

Should be an interesting series.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

A few links

We hear a lot about identity fraud, but here’s a page that looks at it from the point of view of the small (UK) business. 

http://www.businesslink.gov.uk/bdotg/action/detail?site=210&r.s=sl&r.lc=en&type=ONEOFFPAGE&itemId=5001406645

Also interesting from a UK point of view, despite the awkward title, is Cath Everett’s Infosecurity article on “Securing the defence – information security and the defence”:

http://www.infosecurity-magazine.com/view/5559/securing-the-defence-information-security-and-the-defence/

And here’s a very useful link tweeted by Mikko Hypponen:

http://longurl.org/ lets you see the expanded version of a shortened URL before you go there. TinyURL will let you do this for its own tinyURLs, but this site can expand a long list of other shortened URLs – see http://longurl.org/services.
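You can also preview a shortened link's destination yourself, without handing the URL to a third-party service. The example below is added here (my code, not longurl.org's) and assumes only the Python standard library: it walks a redirect chain with HEAD requests, never fetches the landing page, and stops on loops, non-HTTP schemes or too many hops. The network is replaced by a constructed lookup table so it runs offline.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def http_head(url, timeout=5):
    """One HEAD request with no redirect following; returns (status, Location)."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("HEAD", path)
    resp = conn.getresponse()
    conn.close()
    return resp.status, resp.getheader("Location")

def expand(url, head=http_head, max_hops=10):
    """Resolve a shortened URL hop by hop; returns final URL, chain and stop reason."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(url)
        if status not in REDIRECTS or not location:
            return {"final": url, "chain": chain, "reason": "landed"}
        nxt = urljoin(url, location)          # Location may be relative
        if urlsplit(nxt).scheme not in ("http", "https"):
            return {"final": nxt, "chain": chain + [nxt], "reason": "non-http scheme"}
        if nxt in chain:                      # A -> B -> A and similar loops
            return {"final": nxt, "chain": chain + [nxt], "reason": "redirect loop"}
        chain.append(nxt)
        url = nxt
    return {"final": url, "chain": chain, "reason": "too many hops"}

# Constructed stand-in for the network (hypothetical hosts), so the example runs offline.
FAKE = {
    "http://tinyurl.example/abc": (301, "http://bit.example/xyz"),
    "http://bit.example/xyz": (302, "/landing?id=7"),
    "http://bit.example/landing?id=7": (200, None),
    "http://loop.example/a": (301, "http://loop.example/b"),
    "http://loop.example/b": (301, "http://loop.example/a"),
}

def fake_head(url):
    return FAKE.get(url, (404, None))

if __name__ == "__main__":
    for start in ("http://tinyurl.example/abc", "http://loop.example/a"):
        r = expand(start, head=fake_head)
        print(start, "->", r["final"], f"({r['reason']}, {len(r['chain']) - 1} hops)")
```

Swap `fake_head` for the default `http_head` to resolve a real link; only the final URL is shown, nothing on the landing page is fetched.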


Human Factors in Information Security

Not sure I can get funding to go to the inaugural conference (22-24 February in London) and it may, in any case, be too close to another meeting that isn’t set in stone yet. Nonetheless, it looks like being a more than usually interesting conference. Or is that just because my academic background is awkwardly poised between social sciences and computer science?

http://www.humanfactorsinsecurity.com/index.asp


Paedophilia and the Trojan (or SODDI) Defence

I just had a look at the tricky issue of the “Some Other Dude Did It” defence against conviction for downloading/possessing child pornography. Not an issue on which I want to expend two lengthy blog articles in one day, so I’ll just give you the pointer to the ESET blog.

http://www.eset.com/threat-center/blog/2009/11/26/paedophilia-and-the-trojan-defence

Congratulations, Graham

Congrats to Graham Cluley of Sophos, who walked away from the Computer Weekly blog awards with not just one, but three awards:

IT Security blog of the year – http://www.sophos.com/blogs/gc/

Twitter user of the year – @gcluley

Overall Best blog – yes, same blog.

As a part-time blogger (on several sites!) myself, I have a fair idea of how much work it takes to produce a consistently high-quality blog, and I can only say that these awards were richly deserved.

However, this will not stop me making rude remarks here and on the ESET blog about his karaoke performances.


A Few Interesting Links

Nice commentary by Lysa Myers in SC Magazine. “Facebook’s new wrinkles must be understood”: 

Since this post is likely to find its way onto several twitter accounts and at least one Facebook page in the next few minutes, point taken. 🙂

Also, a paper drawn to my attention by Jose Nazario, with whom I’ve had animated discussions in the past about whether there’s any value in user education.

http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf

Incidentally, I happen to think the answer is yes, there is some value, and Randy Abrams and I put our point of view into an AVAR paper last year:

http://www.eset.com/download/whitepapers/People_Patching.pdf 

And a paper on botnets I hadn’t noticed before. “ITU Botnet Mitigation Toolkit”:

AVIEN tiptoes into Web 2.0

First the blog, then the twitter account, now the Facebook group. I don’t have a clear agenda for the group: to some extent it’s an exercise designed to force me to make more use of Facebook. It’s certainly an opportunity for AVIEN members to leap in at an early stage if they have ideas on how we could make good use of the group. However, it’s open to non-members, too, as I’d like to see more engagement with the public and media, which we’ve pretty much lost lately. Of course, if there’s a feeling that we’d benefit from a group for internal use, we could do that too.

I’ve also put up an AVIEN FB page, but there’s nothing to see there right now.


The Name Game – Duh…

[Update: well, Sophos have, it seems, gone official on the name iPh/Duh, which I find quite unreasonably irritating. However, Paul’s latest blog (link below) includes some very useful info.]

http://www.sophos.com/blogs/duck/g/2009/11/24/clean-up-iphone-worm/

Paul Ducklin, what have you done?

Well, it’s not exactly Paul’s fault, as much as the industry’s: he referred at http://www.sophos.com/blogs/duck/g/2009/11/23/iphone-worm-password/ to the iBot thingie (yes, that again…) as Duh, since there’s no standardized name for it, and “because that is the name which the virus itself gives to the component which strongly differentiates it from the earlier Ikee worm”.

And so, already we have various media sources referring to the Duh worm or Ikee.B. Well, if naming really mattered, I suppose we’d have all the various iPhone malware bits and pieces properly categorized and named by now. Historically, every vendor would have used a different name, of course, but there would have been some minimal cross-referencing and a semi-standard CARO-ish alternative. And probably the latest example (I really don’t like to describe it as a variant) would not have been called Duh because we tend to avoid using the form of name the malware author might have wanted.

Well, I haven’t changed my mind about naming, in general. In most cases, it’s largely irrelevant and often misleading, certainly in the Windows context. When you have many tens of thousands of unique binary samples coming in on a daily basis, accurately cross-referencing and naming them doesn’t seem much of a priority. (See one of these papers for a more complete picture of why I say that.)

http://www.eset.com/download/whitepapers/cfet2009naming.pdf 
http://www.eset.com/download/whitepapers/Harley-Bureau-VB2008.pdf

So most companies don’t seem to have bothered to name these at all, even though iPhone malware was obviously going to excite some media interest. Well, exact naming for fairly low-impact threats wasn’t an issue I could raise much interest in either. But the fact is, that journalists and their audiences need a name to hang a malware story on, and they don’t care about the complexities of CARO-like naming (why should they?). So Duh will do, I suppose, especially since Paul as good as endorsed it. (“Perhaps, in fact, Duh is a good name for this virus.”)

What worries me is that at some point, someone is going to point to this as another example of how the AV industry can’t get its act together on naming, even on a platform with few enough threats to count on one hand. Well, we could have sorted this one out easily enough (and still could, in principle), but it will always be Duh now, so we probably won’t bother.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Definitely not speaking for the AV industry…


iBotnet updates

Some updated information posted at http://www.eset.com/threat-center/blog/2009/11/22/ibot-mark-2-go-straight-to-jail-do-not-pass-go and http://www.eset.com/threat-center/blog/2009/11/23/ibot-revisited-briefly.

Thanks to Mikko, Graham, Duck, and Henk for keeping the information flow going.

Is there still anyone out there with an iPhone or iPod Touch who hasn’t taken remedial action? I suppose so…


Qinetiq and the Art of the Patently Obvious

I just revisited New Scientist’s report on the Qinetiq patent for modifying files to stop them executing.

As John Leyden cited my previous blog on the topic here referring to my job at ESET, I thought it best to continue the discussion there. Having spent some time looking at the patent application, I don’t think the idea is as dumb as the New Scientist article suggested, but there are still significant problems.

http://www.eset.com/threat-center/blog/2009/11/22/qinetiq-energy
