Category Archives: AVIEN

Anti-malware testing resource

Testing security software has been part of my life for almost as long as I’ve been involved with computing: not only in terms of evaluating the efficiency of products and technologies for the organizations I worked for, but as an independent tester (especially of Mac AV) way back in the 90s. I stopped testing when I began to foresee a time when I simply wouldn’t have the time or resources to do justice to what even then was a difficult job. There was a time around 2006 when I was discussing roles on both sides of the vendor/tester divide, but for better or worse, I went over to the dark side and focused on supplying consultancy services to the AV industry (primarily ESET). However, I didn’t escape the testing controversy, being involved almost from the beginning in the Anti-Malware Testing Standards Organization (AMTSO) and even serving for nearly three years on its Board of Directors.

While I’m still in sympathy with the ultimate aims of AMTSO, when the organization decided that the blog I set up on behalf of the Board no longer met its needs, I found myself needing a platform where I could continue to provide independent commentary on testing issues. Hence, the Anti-Malware Testing blog. While most of the material there right now consists of articles I originally posted to the AMTSO blog (as an independent commentator, not on behalf of AMTSO) that are no longer available elsewhere, it’s primarily intended for new articles. (I am, however, currently working on a resource page similar to the one on the extinct amtso.wordpress.com blogsite, with links to useful articles, papers and other testing-related resources.)

Right now there are three new articles there:

  • Explaining the Anti-Malware Testing Blog is what the title suggests it is.
  • Imperva-ious to Criticism looks at Imperva’s continued defence of its flawed quasi-test methodology, which inappropriately tried to use VirusTotal as a measure of the detection abilities of anti-virus/anti-malware products.
  • A Little Light Relief is a little lighter in tone. Literally. It points to an entertaining article by Robert Slade. After all, if I had to take testing seriously all the time, I’d get very depressed.

Compliments of the season to all our readers, and very best wishes for the New Year.

David Harley CITP FBCS CISSP
Small Blue-Green World/Mac Virus
ESET Senior Research Fellow

SQL Injection Attack Warning

Well, that’s not particularly unusual in itself, except that it’s been flagged by the Internet Storm Center as (a) happening right now and (b) escalating somewhat dramatically: in fact, it appears to resemble the lizamoon attack which was reported as affecting around a million sites earlier in the year.

According to Mark Hofman, if you’re in a position to block the lilupophilupop.com site referenced in the injection string for your client machines, that should prevent them being infected for the present. But if you are responsible for protecting your site against stuff like this, I’d strongly recommend that you read the whole diary entry, including the comments.

Hat tip to Conny Javerdal for bringing this to our attention on the AVIEN list.
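Blocking the domain protects client machines, but a site owner also needs to find which rows the injection actually touched. The following is an added example, not part of the original post or the ISC diary: it scans every text column of a table for injected offsite `<script src=...>` tags and flags those pointing at lilupophilupop.com. The sample table, its rows and the script path (a placeholder, since the diary’s injection string is not reproduced here) are all constructed.

```python
"""Find rows hit by a lizamoon-style mass SQL injection.

Such attacks append a <script src="http://HOST/..."> tag to text columns of
a site's database. This scanner walks every text column of a table, extracts
the host of each offsite script tag and reports whether it is a known host.
"""
import re
import sqlite3
from urllib.parse import urlparse

# Host named in the ISC diary; add further hosts as they become known.
BLOCKED_HOSTS = {"lilupophilupop.com"}

# Matches <script ... src=VALUE, with or without quotes, any case.
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)


def injected_hosts(text):
    """Return the hosts of every offsite <script src=...> found in a text value."""
    hosts = []
    for src in SCRIPT_SRC.findall(text or ""):
        if src.startswith("//"):
            src = "http:" + src  # protocol-relative reference
        if not src.lower().startswith(("http://", "https://")):
            continue  # relative paths are the site's own scripts; the injection points offsite
        host = urlparse(src).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def scan_table(conn, table):
    """Return (rowid, column, host, is_known_bad) for each injected script reference."""
    cols = [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]
    findings = []
    for rowid, *values in conn.execute(f'SELECT rowid, * FROM "{table}"'):
        for col, val in zip(cols, values):
            if not isinstance(val, str):
                continue  # only text columns can carry the injected tag
            for host in injected_hosts(val):
                findings.append((rowid, col, host, host in BLOCKED_HOSTS))
    return findings


def build_sample_db():
    """Constructed sample: a CMS table in which two rows were hit by an injection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages (title, body) VALUES (?, ?)", [
        ("Welcome", "<p>Plain page.</p>"),
        # PLACEHOLDER.js stands in for the real injected path, which this page does not give.
        ('Pricing</title><script src="http://lilupophilupop.com/PLACEHOLDER.js"></script>',
         "<p>Prices</p>"),
        ("Contact", "<p>Mail us</p><SCRIPT SRC=//cdn.example.net/x.js></SCRIPT>"),
    ])
    return conn


if __name__ == "__main__":
    for rowid, col, host, known in scan_table(build_sample_db(), "pages"):
        flag = "KNOWN BAD" if known else "unknown offsite host, review"
        print(f"row {rowid} column {col}: script from {host} ({flag})")
```

Point it at a real database by replacing build_sample_db() with your own connection; the unknown-host findings are worth reviewing too, since a follow-up wave may use a different domain.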

David Harley CITP FBCS CISSP
AVIEN Dogsbody
ESET Senior Research Fellow

Support scams: what can AVIEN do about it?

In the wake of a blog I posted today at ESET, on my perennial warhorse of support scams and cold-calling, I’ve been talking to Martijn Grooten of Virus Bulletin and Steve Burn, both of whom contributed to that article. While we and other people in the industry hack away from time to time at this unpleasant but undramatic variety of fraud, the telephonic equivalent of fake AV, it doesn’t seem to have much impact on the hydra-headed scammer networks of Kolkata and New Delhi. How, we wondered, can we make more headway?

It would be nice to think that people who read those occasional articles from security bloggers get some educational value out of them, but that’s a tiny number compared to the potentially exploitable Facebook users, for example, who might be tricked into endorsing a scammer’s FB page. In fact, it’s even worse than that, in that readers of security blogs are generally aware enough not to fall so easily for scams: many people comment on my ESET blogs on the topic, but most of them aren’t themselves victims.

While there’s occasionally a little more movement when the media like the Guardian, or the Register, or SC Magazine picks up the theme (as they all have), they’ll only do that now and again, and only when there’s a particularly dramatic or emotional story to hang it on.

Law enforcement doesn’t seem to be making much of an impact either. And that’s understandable: like the 419 gangs, the scammers are a volatile and scattered target, individual victims tend to lose fairly small sums even compared to some of the big 419 scores, and that lessens the interest from law enforcement in general, even assuming cooperation between the countries targeted by the scammers (US, UK, Australia, New Zealand, and to a lesser extent parts of Europe and limited regions in the Far East) and the regions of India that seem to be spawning this type of activity. Agencies might, I suspect, be more interested if the security people who work with them directly on other issues such as botnets and phishing were themselves more interested. But while there are quite a few security-oriented individuals who’d like to see more action, I’m not sure how much of a concentrated effort we can get out of the security industry, because the PR value doesn’t really translate directly into product sales.

Again like 419 scams, people are interested in reporting incidents close to home, but as the Met’s own fraudalert page suggests (http://www.met.police.uk/fraudalert/reporting_fraud.htm) there’s no clear single mechanism and precious little feedback. I’m wondering whether it might be worth trying to establish a central information resource and building on that in some or all these directions, with an initial focus on education. If so, perhaps AVIEN would be a suitable venue, since it has a lot of people with security expertise but is essentially vendor neutral, even though many AV companies still participate, or at least subscribe to our mailing lists.

I’d kind of like to put more of a focused effort into fighting this, but it isn’t something I can do all by myself. What do the AVIEN members out there think?

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow

Be Prepared

…and ordinarily, there’d be a witty allusion here to Tom Lehrer, who used the same title for one of his songs, but there’s a very serious edge to this post.

The part of the world I live in is mostly spared (touch wood) the sort of dramatic, extreme disaster that I sometimes discuss here in the context of disaster-related scams, blackhat SEO and so forth. Even flooding in the often-rainsoaked UK lacks drama compared to the impact it has in other parts of the world. But it’s depressing to think how much of my security writing in recent years has related to criminal exploitation of the 2004 and other tsunami, earthquakes and so on, and at the beginning of September I’m addressing the topic again at the CFET 2011 conference in the UK.

Many of my friends, acquaintances and readers are rather more used to the risk and reality of earthquakes, tsunami, forest fire, eruptions and so on, not least those who are situated close to the Pacific “Ring of Fire”, which has 75% of the world’s active and dormant volcanoes and experiences 80% of its largest earthquakes, and includes most of the West coasts of North and South America. However, a glance at the links on the Federal Emergency Management Agency’s page at http://www.fema.gov/ demonstrates that the US population as a whole is at enough risk from national disasters to justify the existence of the National Preparedness Month Coalition. AVIEN’s US subscribers may well want to think about supporting the initiative (it’s free, it isn’t restricted to USians, and it gives access to some resources you may find especially useful in the US).

The point I really want to get over here, though, is less this particular initiative (though AVIEN does support it as a member, so you may hear more of this from me) than the importance of training for disaster as a mindset that we can all benefit from, even if we don’t live too close for comfort to a major fault line, like my colleagues in San Diego. Disaster is a beast with many faces, and not all disasters are “natural”.

Tip of the hat to Robert Slade for turning my attention to the issue (not for the first time, of course).

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow

Not even the end of an era

Well, not entirely, my last post notwithstanding.

Andrew Lee and I have been busily housekeeping and fitting various bits of ideas and web pages together over the last week or so, and have managed to keep more of the old site together than I originally anticipated. So I hope it won’t sound like I’m blowing my own trumpet if I say that my last post wasn’t quite the Last Post after all. Or, indeed, the Flowers of the Forest.

I’m a little hard-pressed right now, but I’ll get back here with some more details. That doesn’t mean I won’t be making more use of the AVIEN Portal, but that won’t be with quite the same urgency.

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow

(Intellectual) Property is Theft?*

First of all, congratulations to Andrew Lee on his new role as CEO of ESET LLC. It’s as well that my work for AVIEN is unpaid, as otherwise he’d be my boss twice over. 😉 Reading the press release here, it includes substantial references to AVIEN and the AVIEN book, to which many AVIEN members contributed, as did Andrew and myself.

That was a very worthwhile project, but one of the less attractive aspects was the readiness of a great many people to generate and distribute pirated copies: apparently the time and effort it took us all to generate that book doesn’t deserve any recompense. In fact, I had a pirated PDF copy sitting on my desktop before my author’s (hard) copies arrived… That wasn’t the first of my books to be pirated, let alone the only one. But it seems that the pace has picked up in recent years.

So imagine my joy on reading in the Vancouver Sun that ION Audio are about to market a device that can scan a 200-page book in 15 minutes. (Thanks to Robert Slade, my co-author on Viruses Revealed, for bringing this gem to my attention.) Well, it’s basically just a more ergonomic type of scanner, and hopefully dedicated pirates will find that having to turn all those pages by hand will still have a negative effect on their sex lives.

I don’t think there’s much doubt, though, that for every individual who has a legitimate and possibly legal reason to scan one of their books into machine-readable form (i.e. for iPad, Kindle etc.), there will be many more who will see this as a way to profit from the labour of others without asking the question “why do I have the right to assume that authors should go through the pain of writing and publishing with no right to any sort of return?”

What is really infuriating, though, is that it doesn’t seem to have occurred to ION that it is marketing rather more than a legitimate tool for honest students and educationalists. Or maybe it doesn’t care, because it can’t be used to copy ION hardware.

* http://en.wikipedia.org/wiki/Property_is_theft

David Harley CITP FBCS CISSP
AVIEN COO

The edge of reason(ableness): AV Testing and the new creation scientists

First, let me start out by saying that I am in a bad mood. I probably shouldn’t write when I’m in this mood, because I’m in danger of just ranting, but I’m going to anyway. I’m in a bad mood because I am pretty fed up that some people are so deliberately trying to destroy something I’ve personally (along with many others) worked very hard to build in the last couple of years.

I’m in a bad mood because writing this is distracting me from the many other things that I need to do, and get paid to do.

I’m in a bad mood because I’m fed up with hearing that I, and others like me, have no right to comment on things that fall directly within my realm of expertise (and goodness knows, that’s a narrow enough realm) – and that if I do, it’s simply self-interested nonsense.

Secondly, let me also point out that although I’m now going to reveal that, yes, I’m talking about Anti-Malware Testing, and may mention AMTSO, I’m not speaking on behalf of AMTSO, nor my employer, nor anyone else, but me, myself and I (oh, that there were so many of us).

So, “What’s the rumpus?*” Well, in what has become an almost unbelievable farce, the last few weeks have seen mounting attacks on the AMTSO group and what it does.

For some background – those who are interested can read these articles.

http://kevtownsend.wordpress.com/2010/06/27/anti-malware-testing-standards-organization-a-dissenting-view/

http://krebsonsecurity.com/2010/06/anti-virus-is-a-poor-substitute-for-common-sense/

There are some very good points in the second (Krebs) article, although cantankerous is not something that I would say characterizes AMTSO all that well – as Lysa Myers has pointed out ‘AMTSO is made of people‘, and I think the generally negative tone employed is a shame. The first (Townsend) article is way more problematic; there’s just so much wrong with Mr Townsend’s thinking that I don’t really know where to start. Fortunately, Kurt Wismer has already done a great job of responding here, and David Harley an equally competent job here.

So why my response? Well, probably because I certainly am cantankerous.

I’m also, almost uniquely in this industry (David Harley is another), formerly one of those “users” that Mr Townsend is so adamant should be controlling the process of AMTSO’s output – indeed, the whole of AVIEN was set up in the year 2000 as an organisation of interested, non-vendor employed, users – albeit users who knew something about anti-malware issues. We were users responsible for protecting large enterprises, who wanted to be able to share breaking anti-virus information without the interference of Vendors or the noise of such cesspools as alt.comp.virus. We wanted good, reliable information.

I, like David Harley, later joined the industry as a Vendor, but I still understand what it is to be a user, and that was also a huge consideration in the setup of AMTSO – as so many have said before, and I want to reiterate here, bad testing of anti-virus products hurts everyone, the user most especially.

However, this debate is much more than just one on which we can ‘agree to differ’ – like whether Germany or Spain has the better football team might be – it’s much more fundamental than that.

Indeed, the only real analogy that comes close is that of the battle currently raging between the so called faith based ‘science’ of creationists (let’s not prevaricate, Intelligent Design is just a euphemism for Creationism), and the research based science of evolutionary biologists and so on.

On the one hand, you have anti-malware researchers, professional testers and so on; people who study malware every day, who constantly deal with the realities of malware exploiting users, and who understand better than anyone the challenges that we face in tackling malware – if you like, the “Richard Dawkinses of anti-malware” (though I certainly would not claim to match his eloquence nor intelligence) – and on the other hand, we have those outside the industry who say that we’re all wrong, that we’re just a “self-perpetuating cesspool populated by charlatans” (yet none the less, a cesspool at which the media feeds most voraciously), that nobody needs AV, and that everything the AV community does or says is bunk.

What I find so extraordinary (in both cases) is that those who are most in a position to provide trusted commentary on the subject are so ignored, in favour of those who have shrill, but ill-informed voices. Why is it that information from a tester, who may have just woken up one morning and decided to ‘test’ antivirus products, is taken on faith as being correct and true, and yet, when a group of professional people give up their time voluntarily, and work together to try to produce some documentation that sets out the ways in which anti-malware products can be tested effectively (and, no, that has nothing in particular to do with the WildList) and reliably, it is so violently decried as self-interested nonsense? It’s a terrible shame that science is so deliberately ignored in the face of popular opinion. Unfortunately, millions of people CAN be wrong, and often are.

AMTSO is not about dictating truth, but rather pointing out ways in which truth can be reliably found (and importantly, where it cannot).

I refuse to lie down and take it when someone tries to tell me that I’ve no right to point out the truth – and I’m not talking about truth based on some millennia old scripture, but real, hard, repeatable, scientifically verifiable, researched fact. If that makes me as unpopular as Richard Dawkins is to a creationist, then so be it.

If you’re interested in understanding why anti-virus testing is so important (and why so many professional testers participate in AMTSO) then, please, do have a read of the AMTSO scriptures er… documents, here.

Andrew Lee – AVIEN CEO, Cantankerous AV researcher.

* If you’ve not seen the excellent movie “Miller’s Crossing” you won’t know where that quote comes from.

(Thanks to Graham Cluley for pointing out that the first link didn’t go to the correct page.)

Breaking up is never easy…LoveBug, the day after.

The LoveBug/Loveletter/Iloveyou worm (much more geekishly called VBS/Loveletter.a@mm by, well, AV geeks) has become one of those legendary events in malware history – witness the fact that 10 years on we’re still writing about it. Not only that, but many of us will remember exactly where we were and what we were doing when we first heard about it – in fact many more might remember it than were actually there :).

Still, I remember exactly where I was – I was in Reading, at Microsoft headquarters attending a security seminar and my Blackberry (one of the very early ones, with a greyscale LCD screen), started to go off regularly. I grabbed the next train back to Dorset, got into work, and spent the next ten hours ensuring that nothing bad was going to happen on our network. Many other people have written about their memories of the day – 10 years ago yesterday – including Graham Cluley and Mikko Hypponen, and indeed our own David Harley, and I’ve nothing to add to that. You see – we were using Lotus Notes (~shudder~) and not one single system got infected – although we did get a tremendous amount of email, which very quickly got blocked once we knew the attachment name. No, I remember the Loveletter for what happened 10 years ago TODAY, the 5th of May. And, it is a tale I felt worth sharing, about how even good information about one situation is not necessarily applicable across the board.

Although they were not directly under my responsibility, my team had involvement with the IT systems of all the schools across Dorset, and while none of the systems we were responsible for were affected by Loveletter, this was not true of other systems within the schools, which were under supervision of the school’s own IT personnel. On the morning of the 5th of May, I sent out a message to everyone on our network to the effect that “Our network was not affected by the VBS/Loveletter worm, and no damage resulted from any mails that were opened within our network, but we request that you remain vigilant and avoid opening attachments that are not work related. We also suggest that you install an Anti-virus product at home, and ensure that any mails with the subject “ILOVEYOU” are deleted without being opened.” This was the very last time I ever sent out such a message, not because it was incorrect, but because the information ended up being spread outside of our organisation – particularly in schools, where I’m sure people felt they were being helpful by forwarding my email – at which point I got several very angry phone calls and emails abusing me for my lack of intelligence. The reason? The information was only true of our organisation, and those whose networks DID end up getting affected (Loveletter also deleted .jpg/jpeg images) were angry that I so downplayed the risks of the worm while they were watching it eat through all the images on their servers and workstations. In fact, many of the schools were running Microsoft Exchange and Outlook, and once their systems were infected, many pupils lost work.

This highlights the fact that information is often specific, and isn’t necessarily relevant to all situations. Think of it like fire extinguishers; they have specific uses on specific types of fires – don’t go spraying a water extinguisher onto an electrical or fat fire, you will get burned.

User education is often very difficult, and one of the reasons it is so is that there are so many variables, so many different ways that things can go wrong. In a way the Loveletter worm was one of the first Phishing attacks – it combined clever social engineering with malicious code to steal passwords. David Harley and I have written fairly extensively on Phishing, including examining whether the sort of ‘anti-phishing’ quizzes we’ve seen on some security sites are actually of any use. As far as I’m concerned, the jury is still out – there’s far too little common sense, too much irrelevant information, and it takes (literally) a lifetime to become a security expert; you can’t expect people to learn in five minutes.

As David mentioned yesterday, AVIEN was formed out of the need for non-vendors working in the AV industry to get fast and accurate information about spreading threats – I was glad to find that the instances where such information got so wildly misconstrued as in my Loveletter incident were few and far between. AVIEN also has its 10th birthday this year – more of that later in the year.

As an aside, I later applied for a job at one of the schools that had been affected; imagine how my heart sank when my interviewer turned out to be one of the people who had written me an angry email… no, I didn’t get the job! Anyway, it’s all water under the bridge, and since it is the 5th of May, my greetings to all my Mexican/Southern Californian friends, who will no doubt be regretting today’s activities tomorrow morning.

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

The Real Lovebug

I don’t think I’ve ever seen “Kramer versus Kramer”, but I did actually read the novel by Avery Corman, a long, long time ago. And I have a vague recollection of Ted Kramer saying something to his wife Joanna about the birth of their son, and of her responding that she doesn’t remember Ted having been there. Hold that thought…

Suddenly, there’s a whole rash of anti-malware vendors reminiscing about VBS/Loveletter, which is, in epidemiological terms anyway, ten years old today. There’s a massive amount of information about what it actually did, of course, complete with copious screenshots, so I won’t waste time reproducing that information – I doubt if you’ll be faced with a Lovebug infection at this stage in the game. There is even a certain amount of discussion about which company “discovered” it.

As someone who works for an anti-malware vendor, I have nothing to say about that: I was certainly very active in the anti-virus field by that time, but I didn’t work for a vendor. In fact, I was working in security systems administration for a medical research charity, so I didn’t get a vendor’s eye view of the drama, but very much the customer view.

I do know how I became introduced to the Love Bug, because I included a note about it in the case study Rob Slade and I included in a book we wrote in 2001 called “Viruses Revealed”. One of our end users reported receiving an attachment containing gibberish – Outlook wasn’t in common use on that site, and other clients couldn’t interpret the code. The Helpdesk analyst who picked up the call realized that “gibberish” might well denote program code, and passed it on to me. And, in fact, the most cursory inspection of the code indicated that it was clearly meant to be infective, so I passed a copy straight to the vendor from whom my company was licensing AV at the time.

No, I’m not claiming to be patient zero: by that time, I was starting to see mail from other corporate AV specialists – that is, people specializing in malware management but not working in the anti-virus industry – seeing the same malcode. What I wasn’t seeing at that time was information from the industry.

That was a little before the birth of AVIEN (the result of a meeting at the 2000 Virus Bulletin conference later that year), but I remember talking to several of the same people who later exchanged information on other malware outbreaks on AVIEN lists. These less formal exchanges of information and opinions during the first phase of the Loveletter epidemic were immensely valuable as we all evolved strategies suited to our particular environments for dealing with the threat (and the waves of copycat malware that quickly followed), while we waited for signatures from our vendors of choice. Unfortunately, I don’t have access to those emails anymore, but I used an AVIEN mailing list to ask some of those who were there at the time what they remembered.

Some remember risking life, limb and speeding tickets trying to get to the office in order to take hands-on remediative action. Ken Bechtel remembers getting 12 messages on his pager and three phone calls before he’d even left home, and subsequently, he says, “I remember 36 out of 48 hours of work blocking vbs at the PMDF, and creating a custom SMS script to create a special named DIRECTORY to prevent a file from being dropped.”

Mike Blanchard was due at a training session that morning, but was similarly pounded by pager messages and phone calls and had to turn around en route and get to the office. (He actually received a ticket for turning around in someone’s driveway, but successfully fought the case because of the nature of the emergency.)

Thankfully, I was already at work, so there was no risk of my being charged with running too fast on a London Underground station…

So to all those industry professionals I’m now immensely proud to call colleagues, I’d like to say thank you for all your help over the years, and not least for the excellent job you did ten years ago in producing updates for Lovebug and the wave of semi-clones that followed.

But as far as Lovebug is concerned, I don’t remember you being at the birth. 🙂

David Harley FBCS CITP CISSP
AVIEN Chief Operations Officer