Monthly Archives: October 2009


I missed this when it was originally published, but it’s an interesting interview (if you can get around Joanna’s rather childish bias against the AV industry) about rootkit technology and the escalating fight to secure operating systems. I totally agree on many points, including the idea of separating function as far as possible (having a separate VM only ever used for banking is a good idea). It’s a long article, and covers some basics too, but it’s worth persevering through the 9 pages.

Andrew Lee CISSP

Twarfing: the not so sweet tweet…

There has been a lot of interest recently in the methods used by malicious actors to compromise Social Networking sites. Indeed, Lysa Myers from WestCoast Labs and I wrote a paper together discussing various issues with SN sites, particularly focussed on Facebook. However, one very interesting issue has become a hot topic in recent weeks: the posting of malicious URLs via Twitter. The issue here is that URL shortening services are often used (as tweets are restricted to 140 characters to be compatible with SMS on mobile phones), so the true destination of a URL is easily obscured. Two eminent anti-malware researchers, Costin Raiu and Morton Swimmer, have been particularly involved in examining this threat, and their presentation at Virus Bulletin 2009 in Geneva last month was definitely worth seeing. For those who weren’t able to be there, or who missed it, the slides presented by Morton Swimmer of Trend Micro and Costin Raiu of Kaspersky to the conference are available online here.

Andrew Lee CISSP
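The point above is that a shortened link hides its real destination, and that a shortener can point at another shortener or a redirector before the real page. As an added example (not code from the AVIEN blog, nor from the Raiu/Swimmer presentation), here is a small Python resolver that follows a shortened URL's redirect chain hop by hop with HEAD requests, refusing to let the HTTP library follow redirects on its own, so every intermediate hop and the final destination are visible before anyone clicks. It stops on a redirect loop, a non-HTTP scheme, or a hop limit rather than trusting the chain to terminate. The shortener hostnames and the redirect chain are constructed for the example and are not real services.

```python
"""Expand a shortened URL by walking its redirect chain explicitly.

Added example for the 'Twarfing' post; not code from the AVIEN blog or from
the Virus Bulletin 2009 presentation. The hosts in SAMPLE_HOPS are invented.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# A fetcher takes a URL and returns (HTTP status, Location header or None).
HeadFetcher = Callable[[str], Tuple[int, Optional[str]]]

MAX_HOPS = 10
REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse every redirect so each hop is returned to the caller as-is."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx response


def http_head(url: str) -> Tuple[int, Optional[str]]:
    """Real network fetcher: one HEAD request, no automatic redirect."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        url, method="HEAD", headers={"User-Agent": "url-expander/0.1"}
    )
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        # 3xx responses land here because _NoRedirect declined to follow them.
        return e.code, e.headers.get("Location")


def expand_url(url: str, fetch: HeadFetcher = http_head,
               max_hops: int = MAX_HOPS) -> Dict[str, object]:
    """Follow redirects one hop at a time and report the chain and why it ended."""
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        if urlsplit(current).scheme not in ("http", "https"):
            # e.g. a javascript: or data: target; never fetch it
            return {"chain": chain, "final": current, "stopped": "non-http scheme"}
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            return {"chain": chain, "final": current, "stopped": f"status {status}"}
        nxt = urljoin(current, location)  # Location is allowed to be relative
        if nxt in seen:
            return {"chain": chain + [nxt], "final": nxt, "stopped": "redirect loop"}
        seen.add(nxt)
        chain.append(nxt)
        current = nxt
    return {"chain": chain, "final": current, "stopped": "hop limit"}


# Constructed sample chain (hypothetical hosts): shortener -> second shortener
# -> relative redirect on the same host -> final landing page.
SAMPLE_HOPS = {
    "http://short.example/abc": (301, "http://other-short.example/xyz"),
    "http://other-short.example/xyz": (302, "/go?to=final"),
    "http://other-short.example/go?to=final": (307, "https://landing.example/login"),
    "https://landing.example/login": (200, None),
}


def fake_head(url: str) -> Tuple[int, Optional[str]]:
    """Offline stand-in for http_head that answers from SAMPLE_HOPS."""
    return SAMPLE_HOPS.get(url, (404, None))


def demo() -> Dict[str, object]:
    """Resolve the constructed short link without touching the network."""
    return expand_url("http://short.example/abc", fetch=fake_head)


if __name__ == "__main__":
    result = demo()
    for i, hop in enumerate(result["chain"]):
        print(f"hop {i}: {hop}")
    print("final:", result["final"], "| stopped:", result["stopped"])
```

To resolve a real link, call `expand_url("http://...")` with the default fetcher; it only ever sends HEAD requests and never fetches a body, so the target page's content is not executed or rendered while you inspect where the link really goes.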

AMTSO – The herding of the cats continues

I’ve spent the last couple of days in Prague (never a real hardship) at the AMTSO (Anti-Malware Testing Standards Organization) conference. The subject of testing is one that I, and many others in the industry, have been interested in for a long time. Indeed, my main contribution to the AVIEN Malware Defense Guide was a chapter discussing testing. The whole reason for AMTSO forming was to try to create some clarity around the increasingly complex issues of testing. It may seem to some – particularly those who may never have attended an event involving large numbers of people with (slightly or wildly) differing opinions – that the wheels of AMTSO grind very slowly. However, this is not the case. These are complex issues, and the important thing is to ensure that if a document is published, it meets the aims and principles of the organisation. To that end, all documents must be fully discussed and formally voted upon by the membership. The meetings are a productive time where final adjustments can be made to the documents that have been put together over the past months, and these documents voted upon.

There are already signs that AMTSO is having a positive effect. Many testers have joined in the effort – as clearly, bad testing also has a negative effect on their reputations – and many mentions of the group have been seen in the press and in security circles. I hope that the increased awareness will encourage people to get involved, and that the progress will continue. The conference was interesting for all, with some good discussion on controversial topics. Keep an eye out for a press release over the next couple of weeks, and the appearance of some news on the AMTSO site.

Anti-malware testing is something that really does affect anyone who has a computer, so it’s great to know that there is a group dedicated to promoting ethical practice and laying out guidelines for good testing that can showcase the abilities of modern products.

As a member of AMTSO (but not an official representative of it), I’m happy to say that I fully support the efforts, and while it may seem slow, and progress often involves a level of complexity akin to herding cats, it’s a worthwhile effort, and it is to be hoped that it will continue to go from strength to strength.

Andrew Lee CISSP

Phishing attacks strike popular webmail sites

Nothing really new, apart perhaps from the scale of the attacks. This one talks about Gmail, but there have also been recent attacks against Yahoo, AOL and Hotmail.

If nothing else, this reminds us that we still have a very long way to go in educating users about phishing. We also have a big problem with SSL – as David pointed out a couple of days ago, SSL is a privacy preserver, not a security measure – and it certainly won’t protect against phishing.

Blog reviews

On the subject of testing (or at least of reviews), Tom Kelchner in the Sunbelt blog pointed out upcoming FTC rules that make (some) bloggers who review products more accountable by requiring them to declare any pay or perks they receive for the review. That’s products in general, of course, but there are obvious implications for this industry: the Untangled tests, for instance, were largely publicised through their blog (and secondary sources such as other bloggers and other media, of course).

Sunbelt: New FTC rules: bloggers must reveal pay and perks they get for reviews

MSNBC story:
Testing, testing

OK, we’ve used that as a title before. However, it seems quite apposite as this is my first published blog here, and it’s related to anti-malware testing. (See what I did there? :-D)

This is actually a retread of my heavily re-edited blog at securiteam. But since it concerns (obliquely, for legal reasons) an issue that some of us discussed at VB 2009, I’m quite happy to repurpose some of it here.

Principle 3 of the AMTSO (Anti-Malware Testing Standards Organization) guidelines document (—download—amtso-fundamental-principles-of-testing.html) states that “Testing should be reasonably open and transparent.”

The document goes on to explain what information on the test and the test methodology it’s reasonable to ask for.

So my first question is, is it open and transparent for an anti-malware tester who claims that his tests are compliant with AMTSO guidelines to decline to answer a vendor’s questions or give any information about the reported performance of their product unless they buy a copy of the report or pay a consultancy fee to the tester?

Secondly, there is, of course, nothing to stop an anti-malware tester soliciting payment from the vendors whose products have been tested both in advance of the test and in response to requests for further information. But is he then entitled to claim to be independent and working without vendor funding? In what respect is this substantially different to the way in which certification testing organizations work, for example?

AMTSO will be considering those questions at its next meeting (in Prague, next week). But there are a lot of people inside and outside AVIEN who are seriously concerned with testing standards, either as an aid to evaluating products for use in their own organizations, or because they have a vocational interest in making or supporting products that are impacted by fair/unfair or good/bad testing, and I’d be more than a little interested in hearing your views.

Chief Operations Officer, AVIEN

Squaring the circle

There are a few interesting ideas in this article, but the author is about ten years out of date in his knowledge of how modern malware works. It’s true that in a regional network scenario you may indeed see some pattern emerging from the relationship between locality and installation behaviour, but on a global scale this is pretty much unworkable.

However, what he’s essentially describing is a way of using the meta-information that surrounds infection events, which is interesting, particularly as more and more power is given to systems operating in the ‘cloud’.

Welcome to the AVIEN blog

This is the new collaborative AVIEN blog kept by AVIEN members. Here you’ll find links and comments on malware and security issues that we’ve found interesting. If you’re an AVIEN member and want to get involved, let us know via the lists.