ESET Threat Blog

Archive for the 'Industry trends' Category

Can’t Surf the Web?

Friday, September 18th, 2009

Australia’s Internet Industry Association (IIA) is working on best practices for isolating computers with bots on them (http://iia.net.au/index.php/initiatives/isps-guide.html). At the same time, the Internet Engineering Task Force (IETF) is drafting a document on the same subject (http://tools.ietf.org/html/draft-oreirdan-mody-bot-remediation-03).

If these recommendations are adopted, then people who have bots on their computers would have to get them cleaned up before their ISP would allow them to surf the web. The idea has been around for quite a while; however, issues such as cost and privacy have been the main barriers to such plans.

I do think it is likely that eventually your ISP will adopt an approach to identify customers who have bots on their computers and then limit their web access to a site that can help them clean their computer. I think it will be a few years before any major ISPs actually have full implementation of quarantining infected users, but the day may come that you won’t be able to surf the web if your computer is infected.

Randy Abrams
Director of Technical Education

Threat Trends In January

Thursday, February 5th, 2009

Here at ESET we have just released our Global Threat Trends report for January 2009.

Not surprisingly, at the top of the list is a family of programs that exploit Microsoft’s longest unpatched vulnerability. That’s right: Autorun.inf is an evil “feature” that should have been patched out of existence a long time ago. Since it is so effective for malware, there are lots of threats that exploit it.

In the number two position we find a family of threats that steal passwords for online games. This is also pretty logical. There is a lot of money in the sale of “virtual” items and characters for real money.

In third place is the new kid on the block… the Conficker worm. Conficker is truly a tragedy as it is indicative of really poor security practices. Failure to patch your OS will leave you vulnerable to this worm. Autorun is another attack vector. If you disable autorun you take away another avenue of attack for Conficker and the most widespread threats we see. I’ll have a blog up in a day or two that will show you how to really kill autorun. It’s the patch that MS should have disclosed a long time ago. Administrative shares are another avenue of attack and weak passwords are still another security fault that Conficker exploits.
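As an added illustration (not code from the post or from ESET), here is a small triage helper that lists the entries in an autorun.inf that name a program to launch: the `open` and `shellexecute` keys and any `shell\<verb>\command` key. The sample file is constructed.

```python
# Added example (not from the post): triage helper that lists the keys in an
# autorun.inf that name a program to launch. Sample content is constructed.
import re

# Keys whose value is a program Windows runs (or offers to run) on insertion.
LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")

def parse_autorun(text: str) -> dict[str, str]:
    """Return key/value pairs from the [autorun] section, keys lowercased."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_entries(text: str) -> list[tuple[str, str]]:
    """Entries that would cause code execution if autorun is enabled."""
    return [(k, v) for k, v in parse_autorun(text).items()
            if k in LAUNCH_KEYS or VERB_COMMAND.match(k)]

SAMPLE = """\
[autorun]
; constructed sample, not a real file
icon=setup.exe,0
label=Vendor Disk
open=setup.exe
shellexecute=setup.exe /quiet
shell\\install=&Install
shell\\install\\command=setup.exe /s
"""

if __name__ == "__main__":
    for key, value in launch_entries(SAMPLE):
        print(f"launches code: {key}={value}")
```

The `icon` and `label` keys are left out of the report because they only affect how the volume is displayed; disabling autorun, as the post recommends, removes the automatic execution of the flagged entries altogether.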

If you decrease the number of security holes you have, then your goalie, security software, takes fewer shots on goal. That is a basic defensive strategy. Prevention is always better than cure, and Conficker highlights that much more work is required in the prevention department.

You can read the whole report at http://www.eset.com/threat-center/threat_trends/Global_Threat_Trends_January_2009.pdf

Randy Abrams
Director of Technical Education

Trends in Security Software

Wednesday, January 28th, 2009

I got asked, "What is the big trend in security software at the moment?"

It seems to me there are several significant threads to the answer, in terms of anti-malware.

  • Dynamic and/or behaviour analysis. Dynamic analysis as implemented in mainstream antimalware is basically an automated version of the dynamic analysis used in computer forensics. In general, it’s implemented by running suspect code in a safe environment to see how it behaves, so it’s sometimes referred to as behaviour analysis. However, strictly speaking, you don’t have to execute code to predict its behaviour, so dynamic analysis and behaviour analysis aren’t quite synonymous. I’ve just drafted a couple of papers related to this topic, so it’s much on my mind: it’s central to a number of initiatives that are about to come out of the Anti-Malware Testing Standards Organization (AMTSO).

  • Whitelisting could be said to be a newish spin on an old idea: a sort of cross between reputation services and integrity checking. From time to time, the term Integrity Management has been used to describe something very similar. In very simple terms, it’s the idea that you focus on letting through the things you know you want and block anything you can’t vouch for, whereas blacklisting means you block what you know is bad (or at least suspicious). In the wider security field, the whitelisting approach is sometimes known as "deny all" (you start by blocking everything and then allow exceptions) and its counterpart as "allow all" (you allow everything initially and then build a list of exceptions that won’t be allowed). It’s good practice, but it’s not always convenient, as Randy Abrams has discussed here before.

  • "In-the-cloud" isn’t exactly a definable security trend, though people talk about it as if it is: I see it as the application of distributed processing to more specific technologies. We use a form of it for processing threat data. At least one company is using it primarily to speed up its signature processing, which is a reasonable strategy for a product still focused on that approach.
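To make the "deny all" versus "allow all" distinction from the whitelisting item concrete, here is an added example (not code from the post or from any ESET product) that runs the same file-execution decision under both policies. It keys the lists on SHA-256 so the allowlist doubles as an integrity check; all sample "binaries" and list contents are constructed.

```python
# Added example (not from the post): the same file-execution decision under a
# deny-all (whitelist) and an allow-all (blacklist) policy, keyed on SHA-256 so
# that the allowlist doubles as an integrity check. All data is constructed.
import hashlib
from enum import Enum

class Mode(Enum):
    DENY_ALL = "deny_all"    # whitelisting: block unless vouched for
    ALLOW_ALL = "allow_all"  # blacklisting: allow unless known bad

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def decide(mode: Mode, data: bytes, allowlist: set, blocklist: set) -> str:
    """Return 'allow' or 'block' for a file's contents under the given mode."""
    digest = sha256_hex(data)
    if digest in blocklist:          # known bad always loses
        return "block"
    if digest in allowlist:          # vouched for and unmodified
        return "allow"
    return "block" if mode is Mode.DENY_ALL else "allow"

# Constructed stand-ins for real binaries.
APPROVED = b"MZ\x90\x00approved-build-1.0"
TAMPERED = APPROVED[:-1] + b"9"      # one byte changed after approval
KNOWN_BAD = b"MZ\x90\x00known-bad-sample"
UNKNOWN = b"MZ\x90\x00never-seen-before"

ALLOWLIST = {sha256_hex(APPROVED)}
BLOCKLIST = {sha256_hex(KNOWN_BAD)}

def compare_modes() -> dict:
    """Decision for each sample under both policies."""
    samples = {"approved": APPROVED, "tampered": TAMPERED,
               "known_bad": KNOWN_BAD, "unknown": UNKNOWN}
    return {mode.value: {name: decide(mode, data, ALLOWLIST, BLOCKLIST)
                         for name, data in samples.items()}
            for mode in Mode}

if __name__ == "__main__":
    for mode, results in compare_modes().items():
        print(mode, results)
```

The tampered build is the instructive case: under "allow all" it runs because nothing has blacklisted it yet, while under "deny all" its changed hash is simply no longer vouched for, which is the integrity-checking side of whitelisting and also the source of its inconvenience when legitimate software is updated.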

Actually, the real story (if there is one) is that mainstream vendors are consolidating a diversity of approaches into single products, which is pretty much what they’ve been doing for decades.

What gives the story interest is that different permutations and implementations work (and may be hyped!) differently.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence