Category Archives: Anti-Malware

AVAST takes $113 Million in capital

In what seems to be something of a trend for big investments or buyouts of AV companies, AVAST, the Czech based makers of the popular free AVAST Anti-virus, have sold a minority stake in their company to investment firm “Summit Partners”.

http://www.itnews.com.au/News/229866,avast-takes-113m-equity-injection.aspx

AVAST (formerly ALWIL software) has long been in the ‘free’ anti-virus game, as one of the pioneers of that model, and clearly it seems to be working for them. It should be interesting to see what they do with the cash and how their product line develops over the next few years as they compete with their big neighbour AVG, also Czech based and big in the free AV game.

Andrew Lee
AVIEN CEO / CTO K7 Computing

Also blogging at http://blog.k7computing.com

Virus Bulletin Seminar Announced

Virus Bulletin have announced the first in a new series of Seminars. Aimed towards the corporate IT Admins and security practitioners, the day long seminar will look at protecting organisations in the modern age of Internet enabled crime.

Speakers include

  • Bryan Littlefair, Vodafone Group
  • Bob Burls, Police Central e-Crime Unit
  • Graham Cluley, Sophos
  • Alex Shipp
  • David Evans, Information Commissioner’s Office
  • Andrew Lee, K7 Computing
  • Martin Overton, IBM
  • Richard Martin, UK Payments Administration

http://www.virusbtn.com/seminar/index.xml

There’s an early bird price available, and seats are likely to fill up fast, so get in early!

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

The edge of reason(ableness): AV Testing and the new creation scientists

First, let me start out by saying that I am in a bad mood. I probably shouldn’t write when I’m in this mood, because I’m in danger of just ranting, but I’m going to anyway. I’m in a bad mood because I am pretty fed up that some people are so deliberately trying to destroy something I’ve personally (along with many others) worked very hard to build in the last couple of years.

I’m in a bad mood because writing this is distracting me from the many other things that I need to do, and get paid to do.

I’m in a bad mood because I’m fed up with hearing that I, and others like me, have no right to comment on things that fall directly within my realm of expertise (and goodness knows, that’s a narrow enough realm) – and that if I do, it’s simply self-interested nonsense.

Secondly, let me also point out that although I’m now going to reveal that, yes, I’m talking about Anti-Malware Testing, and may mention AMTSO, I’m not speaking on behalf of AMTSO, nor my employer, nor anyone else, but me, myself and I (oh, that there were so many of us).

So, “What’s the rumpus?*” Well, in what has become an almost unbelievable farce, the last few weeks have seen mounting attacks on the AMTSO group and what it does.

For some background – those who are interested can read these articles.

http://kevtownsend.wordpress.com/2010/06/27/anti-malware-testing-standards-organization-a-dissenting-view/

http://krebsonsecurity.com/2010/06/anti-virus-is-a-poor-substitute-for-common-sense/

There are some very good points in the second (Krebs) article, although cantankerous is not something that I would say characterizes AMTSO all that well – as Lysa Myers has pointed out ‘AMTSO is made of people‘, and I think the generally negative tone employed is a shame. The first (Townsend) article is way more problematic; there’s just so much wrong with Mr Townsend’s thinking that I don’t really know where to start. Fortunately, Kurt Wismer has already done a great job of responding here, and David Harley an equally competent job here.

So why my response? Well, probably because I certainly am cantankerous.

I’m also, almost uniquely in this industry (David Harley is another), formerly one of those “users” that Mr Townsend is so adamant should be controlling the process of AMTSO’s output – indeed, the whole of AVIEN was set up in the year 2000 as an organisation of interested, non-vendor employed, users – albeit users who knew something about anti-malware issues. We were users responsible for protecting large enterprises, who wanted to be able to share breaking anti-virus information without the interference of Vendors or the noise of such cesspools as alt.comp.virus. We wanted good, reliable information.

I, like David Harley, later joined the industry as a Vendor, but I still understand what it is to be a user, and that was also a huge consideration in the setup of AMTSO – as so many have said before, and I want to reiterate here, bad testing of anti-virus products hurts everyone, the user most especially.

However, this debate is much more than just one on which we can ‘agree to differ’ – like whether Germany or Spain has the better football team might be – it’s much more fundamental than that.

Indeed, the only real analogy that comes close is that of the battle currently raging between the so called faith based ‘science’ of creationists (let’s not prevaricate, Intelligent Design is just a euphemism for Creationism), and the research based science of evolutionary biologists and so on.

On the one hand, you have anti-malware researchers, professional testers and so on; people who study malware every day, who constantly deal with the realities of malware exploiting users, and who understand better than anyone the challenges that we face in tackling malware – if you like, the “Richard Dawkinses of anti-malware” (though I certainly would not claim to match his eloquence nor intelligence) –  and on the other hand, we have those outside the industry who say that we’re all wrong, that we’re just a “self-perpetuating cesspool populated by charlatans” (yet none the less, a cesspool at which the media feeds most voraciously), that nobody needs AV, and that everything the AV community does or says is bunk.

What I find so extraordinary (in both cases) is that those who are most in a position to provide trusted commentary on the subject are so ignored, in favour of those who have shrill, but ill-informed voices. Why is it that information from a tester, who may have just woken up one morning and decided to ‘test’ antivirus products, is taken on faith as being correct and true, and yet, when a group of professional people give up their time voluntarily, and work together to try to produce some documentation that sets out the ways in which anti-malware products can be tested effectively (and, no, that has nothing in particular to do with the WildList) and reliably, it is so violently decried as self-interested nonsense? It’s a terrible shame that science is so deliberately ignored in the face of popular opinion. Unfortunately, millions of people CAN be wrong, and often are.

AMTSO is not about dictating truth, but rather pointing out ways in which truth can be reliably found (and importantly, where it cannot).

I refuse to lie down and take it when someone tries to tell me that I’ve no right to point out the truth – and I’m not talking about truth based on some millennia old scripture, but real, hard, repeatable, scientifically verifiable, researched fact. If that makes me as unpopular as Richard Dawkins is to a creationist, then so be it.

If you’re interested in understanding why anti-virus testing is so important (and why so many professional testers participate in AMTSO) then, please, do have a read of the AMTSO scriptures er… documents, here.

Andrew Lee – AVIEN CEO, Cantankerous AV researcher.

* If you’ve not seen the excellent movie “Miller’s Crossing” you won’t know where that quote comes from.

(Thanks to Graham Cluley for pointing out that the first link didn’t go to the correct page.)

Breaking up is never easy…LoveBug, the day after.

The LoveBug/Loveletter/Iloveyou worm (much more geekishly called VBS/Loveletter.a@mm by, well, AV geeks) has become one of those legendary events in malware history: 10 years on, we’re still writing about it. Not only that, but many of us will remember exactly where we were and what we were doing when we first heard about it – in fact many more might remember it than were actually there :).

Still, I remember exactly where I was – I was in Reading, at Microsoft headquarters attending a security seminar and my Blackberry (one of the very early ones, with a greyscale LCD screen), started to go off regularly. I grabbed the next train back to Dorset, got into work, and spent the next ten hours ensuring that nothing bad was going to happen on our network. Many other people have written about their memories of the day – 10 years ago yesterday – including Graham Cluley and Mikko Hypponen, and indeed our own David Harley, and I’ve nothing to add to that. You see – we were using Lotus Notes (~shudder~) and not one single system got infected – although we did get a tremendous amount of email, which very quickly got blocked once we knew the attachment name. No, I remember the Loveletter for what happened 10 years ago TODAY, the 5th of May. And, it is a tale I felt worth sharing, about how even good information about one situation is not necessarily applicable across the board.

Although they were not directly under my responsibility, my team had involvement with the IT systems of all the schools across Dorset, and while none of the systems we were responsible for were affected by Loveletter, this was not true of other systems within the schools, which were under supervision of the school’s own IT personnel. On the morning of the 5th of May, I sent out a message to everyone on our network to the effect that “Our network was not affected by the VBS/Loveletter worm, and no damage resulted from any mails that were opened within our network, but we request that you remain vigilant and avoid opening attachments that are not work related. We also suggest that you install an Anti-virus product at home, and ensure that any mails with the subject “ILOVEYOU” are deleted without being opened.” This was the very last time I ever sent out such a message, not because it was incorrect, but because the information ended up being spread outside of our organisation – particularly in schools, where I’m sure people felt they were being helpful by forwarding my email – at which point I got several very angry phone calls and emails abusing me for my lack of intelligence. The reason? The information was only true of our organisation, and those whose networks DID end up getting affected (Loveletter also deleted .jpg/jpeg images) were angry that I so downplayed the risks of the worm while they were watching it eat through all the images on their servers and workstations. In fact, many of the schools were running Microsoft Exchange and Outlook, and once their systems were infected, many pupils lost work.

This highlights the fact that information is often specific; it isn’t necessarily relevant to all situations. Think of it like fire extinguishers; they have specific uses on specific types of fires – don’t go spraying a water extinguisher onto an electrical or fat fire, you will get burned.

User education is often very difficult, and one of the reasons it is so is that there are so many variables, so many different ways that things can go wrong. In a way the Loveletter worm was one of the first Phishing attacks – it combined clever social engineering with malicious code to steal passwords. David Harley and I have written fairly extensively on Phishing, including examining whether the sort of ‘anti-phishing’ quizzes we’ve seen on some security sites are actually of any use. As far as I’m concerned, the jury is still out – there’s far too little common sense, too much irrelevant information, and it takes (literally) a lifetime to become a security expert; you can’t expect people to learn in five minutes.

As David mentioned yesterday, AVIEN was formed out of the need for non-vendors working in the AV industry to get fast and accurate information about spreading threats – I was glad to find that the instances where such information got so wildly misconstrued as in my Loveletter incident were few and far between. AVIEN also has its 10th birthday this year – more of that later in the year.

As an aside, I later applied for a job at one of the schools that had been affected; imagine how my heart sank when my interviewer turned out to be one of the people who had written me an angry email… no, I didn’t get the job! Anyway, it’s all water under the bridge, and since it is the 5th of May, my greetings to all my Mexican/Southern Californian friends, who will no doubt be regretting today’s activities tomorrow morning.

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

Airport security and Defense in Depth

I know this Blog is devoted primarily to computer security, specifically emphasizing Malware issues. I’d like you to indulge me for a small side trip to another area of security that impacts most of us, and hopefully this will fire some stray neurons and perhaps give ideas and insight to how we do business.

This all started during one of my latest business trips. We’re told flying is a privilege, not a right, or necessity. I, like so many business travelers, get annoyed being treated as a criminal because I have the audacity to travel by air for business needs. So, let me get things right, I pay for the privilege of being treated as a potential terrorist because in the course of conducting commerce, my employer sees a business need for me to fly to my destination? I also have the honor of paying $25 to check a bag so I can have the luxury of clean clothes when I arrive at my destination? Now I have the honor of sitting next to someone whose weight is such that the seat back tray can not come completely down, while he’s overlapping my already too tight seat, forcing me into the aisle/ wall? Now, my noise-canceling ear buds are worth every penny I paid, but where can I get odor blocking nose buds to block the garlic and other odors emanating from my seatmate? Add in maintenance or weather flight delays, running to gates, layovers longer than three hours, and suddenly I’m not feeling so privileged, and am understanding why fewer people are flying.

It was about this point in my flight when I started playing the old game of “what if”. In this case, what if I owned a domestic airline? How would I address security while making the customer feel more comfortable? I think rather naturally, my first thought went to my seat-mate, and I thought, if you need a seatbelt extender, you need to buy a second seat. Sorry if this offends anyone, and I know they’re shrinking seat size to fit more people on already increasingly full flights, and people of average sizes are cramped but I’m thinking he had to be as uncomfortable as I was, and a second seat (while increased expense to him) would have alleviated that issue rather handily. Next and probably the most revealing thing came when I tried opening my baggie of “Mini Pretzels”. That baggie of airline supplied snacks did not want to open, and I was reduced to using my teeth to get a tear started. Now normally I’d reach into my pocket and pull out my Leatherman Brand multi-tool, and use the knife blade to cut open the bag, but due to security, it was in my checked baggage. Here we go I can hear the cries now, “what kind of uncivilized fool carries a knife in this day and age?”, “Typical Yank, needs his knife and gun”, etc. Well, according to my education, it’s uncivilized and unsanitary to use your mouth to open packages. If memory serves right, Miss Manners said something about the practice lacking proper etiquette. I was taught early it was simple tools like the knife that elevated us above animals, and made our behaviors less animalistic.

Proceeding on the line of thought, I thought about why these rules were in place. The answer came down to preventing skyjacking and making the flying public feel more secure in their flight. Well now, here I am in my element, SECURITY. So let’s take a look at the security and vulnerabilities of modern aircraft. As many have written previously, the flight deck is the weakest point of any aircraft. Like others before me I thought of the isolation of the bridge and flight crew, separate entry points, toilet facilities, rest facilities, etc.

Then a light bulb went off. The weak point isn’t the flight deck, but like in most security issues the personnel. The flight crew itself is the weak point. They are the ones who are directly attacked to gain control of the aircraft. So if we remove them (and flight controls) the aircraft is secure against any kind of take-over attack, right? So who flies the planes? Simple, the same people.

The fact is, most modern aircraft already fly from near take-off to landing by computer; add to this the advances on remotely manned aircraft (such as the ‘unmanned’ drones in the warzones), and the U.S. Air Force openly talking about unmanned fighters in the not so distant future, why not in commercial aircraft? I realize some people are not going to be comfortable without a face they can put “in control”, so it may be necessary for the short term to have a flight trained deck officer with a manual override capability on each flight. However, as people become more accustomed to the technology, this need will go away. The manual override will need to be designed so that the on-board crew can not activate it themselves, unless some critical event occurs and the aircraft loses communications with the ground, or a ground controller agrees, making a two-key type system.

Now, with no flight deck, box cutters, guns, or even bomb threats have no value. There’s no one to take control from. That being the case, there is no need for everyone to be treated as a criminal and go through metal detectors, have our bags scanned and searched, or even go through the full body scanners. The only legitimate threat is explosives, and the destruction of the aircraft.

Looking from a skyjacker/ terrorist point of view, they already know that after 9/11, passengers will not allow an aircraft to be taken over and used as a weapon again. That’s why we’re already seeing attacks like the shoe and underwear bombers. This threat can be addressed by a more cost effective low tech manner, namely well trained K-9s. Think of it, no more security lines, one (or more) dog team behind the baggage check to sniff checked baggage, and several roaming the facility and at congestion points and boarding gates.

So a quick recap: fewer security officers would be needed, fewer flight crews, and pilots could work from central facilities (like the military drone operators do), enabling them to work 8 hour shifts with less pilot fatigue and fewer errors like overshooting airports due to pilot inattention. Pilots may even be able to monitor multiple simultaneous flights; if not, at least moving from one flight to the next is under 5 minutes, giving increased turn around time. Some will question the wisdom of not checking for knives and firearms. I ask you to use logic and not emotions. Most murderers want to get away; they’re not going on a killing binge on an aircraft where they are already a prisoner with no escape route. As for mass murder/ suicide, other passengers will not be defenseless, and will be able to stop an evil doer before it gets out of hand.

What about explosive decompression? The well educated know this is simply Hollywood hype and not a threat to a modern aircraft from a firearm.

I do believe this to be technically feasible. However I don’t think this will ever happen. Simply because it’s a real security solution, not security theater. Governments will lose control of some power over the traveling public. People will lose jobs, Unions will lose members (and the resulting income and power), and this does not play to people’s fears and emotions, nor provide a visual “security blanket”. Finally, like any security solution, it’s not perfect, but for once a real security solution, that would produce solid results at reduced costs and increased liberties.

Now I know this is already long, but to tie it to the computer security world, how many of our efforts are security theater, rather than actually addressing the root security issue? How many times do we have to put in a layer to provide a feeling of security without being beneficial and inadvertently impacting our customers? Just something to think about next time we’re asked to “do something”, and if anyone from the airline wants to implement my ideas, I’d welcome it.

Ken Bechtel
Team Anti-Virus
Virus Researcher and Security pontificator

Linux malware found in screensaver


http://linux.slashdot.org/article.pl?sid=09/12/09/2215253

I hate to say I told you so…actually, that’s not true. In this case, it was sadly obvious that it would happen, but the general attitude of the whole OS/Free Software crowd is still to claim the earth is flat when it comes to Malware.
Interested readers might like to Google my EICAR paper from 2002 called “The Emperor’s New Clothes: Linux and the myth of a virus free operating system”.

There I discussed that the very thing that makes the OSS model work is also its greatest weakness: there’s little control, little QA, and 99% of the time the proletariat downloading a package won’t check it (nor would most be competent to), so it’s very easy to insert malware. It’s very likely there is a lot more malware out there lurking in small fringe packages such as the one mentioned in the OMGUbuntu article.
The fact is that with the rise of the netbook, Linux becomes a more desirable platform to attack, and at the moment, it’s way too easy. After all, who needs anti-malware software on Linux?

Possible probabilities

Rich at Securosis (@securityninja on Twitter) made an interesting post yesterday about the fact that, in referring to Mac security, the possibility of a threat doesn’t equate to there being a probability of it. While we can argue the toss about who in the security industry does or doesn’t have a clue about basic probability theory*, the point made is none the less worth examining.

There’s definitely something in the fact that, as yet, the Mac OS has not been a great target for malware. This, as most people with any sense will acknowledge, is not due to the fact that Macs are automagically non-virusable, but rather due to the lower market penetration they currently hold, making them a somewhat lower priority for exploitation. Although there are signs that this is changing, particularly with the porting of the Zlob Trojan to Mac, to this point I agree with Rich, the risk is relatively low AS FAR AS GETTING INFECTED with something is concerned.

Where I have a problem with his post is that, in pointing out one logical fallacy, he makes another; that of confusing correlation and causation. The fact that you use a Mac may protect (to whatever limited extent) against certain types of threats, but that does not mean that you are not equally exposed to other threats – in fact, precisely because of your false sense of security, you may be even more so. Phishing, for instance is completely platform agnostic – having a Mac won’t protect you – because the thing being infected is the USER not the SYSTEM – there’s nothing to stop you getting caught out and putting your banking credentials onto a fraudulent website (unless of course you have some security suite that might warn you of the fact…oh, that’s right, you don’t need that on a Mac). To be fair, the fact that security against malware isn’t really all about getting an Anti-Virus program on your system is also something that should be emphasised more often and that’s something that probably is the fault of the industry.

Similarly, many have been predicting the rise of malware for mobile phones, with all sorts of dire prophecies of doom, however, as Mikko Hypponen (@mikkohypponen on Twitter) points out; at the moment the prevalence of mobile malware is falling because most phone OS vendors are tightly controlling the applications that go on their platforms. He goes on to point out something that should be blindingly obvious (even to the most devoted of Mac fanbois), but sadly isn’t – once you get past having the user involved in the infection cycle and start finding a way to exploit the OS itself (or an application running on it) – by discovering and exploiting vulnerabilities – the game changes.

I’ll leave you with a lovely image that demonstrates my general feeling about life, the universe and everything – http://twitpic.com/snklj/full – if there’s one thing I’ve learnt in my years in the Anti-malware industry, it’s that ‘There will be Malware’. And that’s more than just a possibility.

*For a great (and very funny/bitter) introduction to statistics and probability I recommend John A Paulos’ excellent book “Innumeracy: Mathematical Illiteracy and its Consequences”

Andrew Lee CISSP
AVIEN CEO

Security Smörgåsbord

Wow! December already – well, it’s been a fast and furious year, kicking off with the media fest that was the Conficker worm, through various other disasters and debacles all of which have only confirmed to many of us in the industry that our utopian malware free world is not likely to arrive any time soon (sorry David, you’ll have to delay that retirement for a while).

Things haven’t slowed down much, and over the last days a few things have caught my ever roving eye.

Firstly, there was a rather amusing spat caused by software company Prevx first accusing Microsoft security patches of causing a ‘black screen of death’ (which of course was fixed by their own patch), and later retracting the statement when it became clear that it wasn’t the security patches, but more likely the actions of malware on the systems that caused the problem. (Link: http://news.bbc.co.uk/2/hi/technology/8388253.stm). One has to wonder how the Prevx patch was supposed to really fix the problem if they had no real idea of the cause – at least, they hadn’t checked whether it really was the fault of MS.

Secondly, there was the rather splendid news that the URL shortening service bit.ly – among the most popular shorteners for users of sites like Twitter – has signed up with three major security vendors (Sophos, Verisign and Websense) to try to block spam and malicious links on their site. This can only be a “Good Thing” (TM). (Link: http://www.wired.com/epicenter/2009/11/bitly-partners-with-security-firms-to-block-spams-scams-from-twitter/). Some of the other services offer previewing of the links, but this is extra annoyance for users and also pushes the decision on whether to visit the site to the user (not a Good Thing).

Thirdly, there is some heartening news from Facebook in that they’re going to offer more granular control over content privacy. There have been quite a few articles and papers on this subject, (including one by yours truly) so it’s good to see that the issues have been considered. I don’t know that it will solve all of the problems, but it may well highlight the privacy issue to more FB users who perhaps weren’t aware that, say, joining a Network exposes their content to all the members of that network unless they specifically block that (Link: http://blog.facebook.com/blog.php?post=190423927130). Social networks are great things for keeping up with people, particularly if you’re a continent hopping researcher with friends all over the world, but the rapid explosion in their use has led to frequent lapses in security and the discovery that – as is often the case – security and privacy issues have been secondary to service development and uptake.

Lastly, and I hope you’ll forgive me for the quick tune on my own trumpet, I’m happy to announce that K7 Security Solutions are now available in German, and can be found at http://k7.de (Disclosure of interest: I am also the CTO of K7 Computing Ltd).

Andrew Lee CISSP
AVIEN CEO

iPhone worm hits Jailbroken phones

By now the media machine has moved into action and all sorts of nonsense has been spouted about the creation of a worm that spreads on jailbroken iPhones, written by a guy called ‘ikee’. The facts are these:

  1. It ONLY affects jailbroken phones – if your iPhone is not jailbroken then you are not vulnerable
  2. It ONLY affects jailbroken phones that have OpenSSH installed (This involves you having consciously installed OpenSSH)
  3. If you have changed the default passwords for the ‘root‘ and ‘mobile‘ accounts subsequent to installation, you will not be vulnerable to this worm.

It’s tempting to say ‘I told you so’ on this one, as I actually did state this fact 2 days before the worm was released. On a panel at the AVAR2009 Conference discussing vendor future strategy, someone brought up the idea that the iPhone will be a desirable platform for exploitation. This is true, but as I pointed out, the biggest risk is not so much to users who are using the default OS provided by Apple, because they are in a strictly controlled environment, with Apple as the benevolent dictator, as it is to those users who have jailbroken phones, at which point – you’re on your own. The whole thing does highlight the potential though; there’s no reason why any platform is automagically protected from malware, so it’s no real surprise to anyone that this sort of thing has happened. David Harley (among others) has written more on this subject here, and as always, it’s worth reading.

Andrew Lee CISSP
AVIEN CEO

The Kyoto Protocol

Over the next few days, many of the Anti-malware industry’s researchers will be gathered in Kyoto, Japan, for the 12th Annual AVAR conference (http://www.aavar.org/avar2009/). Apart from being a beautiful place, in a wonderful country, I hope it will be an occasion for interesting discussion and the opening of new ideas. There are topics as wide as system virtualisation and cloud computing, packers and obfuscation, social networking and information security policy. Quite a few AVIEN members, including me and David Harley, will be speaking at the conference. We’ll blog the best bits here 😉

Andrew Lee CISSP
AVIEN CEO