ESET Threat Blog

Archive for the 'Virus Bulletin' Category

AMTSOlute Elsewhere


Sunday, January 10th, 2010

We're now getting into preparations for the next meeting of AMTSO (Anti-Malware Testing Standards Organization), on 25th-26th February in Santa Clara.

In the meantime, I wrote an article for Virus Bulletin called "AMTSOlutely Fabulous" about "the story so far". It's just appeared in the January edition of the magazine. Of course, it's only available to subscribers at the moment.

Now I have to go and look for some more puns on "absolute". I mean, AMTSO…

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macviruscom.wordpress.com/

A Trojan Anniversary


Friday, December 18th, 2009

I don't suppose anyone remembers my mentioning this before, or cares much anyway, but the 19th of December marks what I consider to be the 20th official anniversary of my entry into the anti-virus/security field.

Nowadays, viruses (and, in general, worms) have declined in importance and now constitute a fairly small proportion of the totality of current malicious software. By contrast, in 1989 Trojans were an occasional blip, a smaller percentage of the problem than viruses are now.

So you might see Dr. Popp's AIDS Trojan as something of a groundbreaker, given its high profile and the nature of the threat.

A company called PC Cyborg sent out approximately 10,000 copies of a 5.25" diskette. (Remember those? Indeed, do you remember diskettes of any size?) The diskette was supposed to contain "AIDS Information". These came as quite a professional-looking package with an accompanying letter that described it as a sample or review copy, and the disk contained an installation program for a basic AIDS information and assessment package. (I still have one in my office somewhere, but at this point, no 5 1/4" drive to load it into, so I hope I'm remembering all this detail correctly.) ;-)

One of the interesting features of the package, though, was the licence agreement, which stated:

"In case of breach of license, PC Cyborg Corporation reserves the right to use program mechanisms to ensure termination of the use of these programs. These program mechanisms will adversely affect other programs on microcomputers. You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement.*

*Warning: do not use these programs unless you are prepared to pay for them."

There was (literally) a sting in this tale. When people ran the installation program, a hidden file was installed onto the target PC which, after a specific number of reboots, encrypted the hard disk, and a message was displayed demanding that the user pay the licence fee in return for the decryption key. One of the people who fell into that trap was a medical researcher in a hospital where I'd been working until a few weeks before, and on 19th December I got a phone call from that department asking for advice on how to deal with it. Fortunately, while I hadn't seen the thing myself, I knew of someone who had already cracked the encryption and produced a fix, and was able to steer them in his direction.

Ransomware, misleading EULAs and attempts to wrap extortion in legal language are, like non-replicating Trojans, all too common nowadays, but this was something of a novelty back then. However, the use of a real Panamanian address made it quite easy to track the principals behind the scheme. Dr. Popp's trial in the UK was suspended because of his bizarre behaviour: it was decided that he was unfit to plead.

You can find more detail in Chapter 12 of "Viruses Revealed", among other sources (including articles in 1989 and 1990 editions of Virus Bulletin and Virus News International). And if you're interested in exactly why I'm so sure of the exact date, you can find out why in an article published in January 2007 in Virus Bulletin (which also entered the field in 1989) called "From Immunology to Heuristics". Ironically, that article actually predates my entry into full time research in the AV industry by a year: I joined ESET as a Research Author in 2008.

Acknowledgements are due to Jim Bates, Robert Slade and Dr. Alan Solomon, among others, for making available enough background information on the AIDS Trojan to make me look as if I knew what I was talking about, long before I actually did. ;-)

And there is a story here about the further adventures of Dr. Popp: http://blogs.villagevoice.com/runninscared/archives/2009/04/dr_popp_the_fir.php, which is interesting, even if it's not completely accurate in all respects. In particular, while there have been viruses on more than one platform called AIDS, the Cyborg malware was a Trojan, not a virus.

References
Virus Bulletin, January 1990: http://www.virusbtn.com/pdf/magazine/1990/199001.pdf
Harley, D.; Slade, R.; Gattiker, U. Viruses Revealed. McGraw-Hill, 2001.
"From Immunology to Heuristics". Virus Bulletin, January 2007: http://www.virusbtn.com/virusbulletin/archive/2007/01/vb200701-insight

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

December’s Virus Bulletin


Thursday, December 3rd, 2009

I notice that our own Jeff Debrosse, having joined the ranks of ESET presenters at Virus Bulletin conferences this year with our paper on "Behaviour Analysis for the Next Decade" (http://www.eset.com/threat-center/blog/2009/12/02/malice-through-the-looking-glass-conference-paper), has also swelled the ranks of ESET contributors to the magazine this month, with an opinion piece on "Cybersecurity awareness for the next generation".

Nice one, JD. :)

I'd mention our umpteenth 59th VB100 award, too, but that would be immodest. ;-)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Is There A Lawyer In The Lab?


Saturday, November 14th, 2009

Now that the end-of-year security conference season is winding down, we're able to start making available some of the presentations and papers that we've been building up in the past few months, but haven't been able to make publicly available ahead of the events for which they were written.

We've already made available a slide deck by Juraj Malcho, Head of our Virus Lab in Slovakia, based on his paper "Is there a lawyer in the lab?" for this year's Virus Bulletin conference. Now, by kind permission of Virus Bulletin, who hold the copyright, we've put up the paper itself, as published in the conference proceedings.

In this industry, we see many applications being developed that have hidden or fraudulent intentions, or which are at best of doubtful usefulness. Many of these applications are not the typical malware used in cybercrime nowadays (like bots or spyware trojans), but rather what we call potentially unsafe or unwanted applications. However, this dubious software is often associated with groups responsible for malware dissemination, and is often distributed using unfair practices such as spam campaigns or push-installations performed by malware. When such programs are detected by security software, it's not unusual for their authors to engage us in legal battles that consume significant human and financial resources.

This paper explores the topics mentioned above and considers the boundary between legitimate and illegitimate applications. The problems are explained with reference to several case studies documenting our experiences with such software.

More papers soon!

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

VB 2009: Another View


Saturday, October 3rd, 2009

[Image: vb2009-another-view2]

Greyware: Trust Me, I’m a Lawyer


Wednesday, September 30th, 2009

Since I’ve just spent several days at a major conference, you might have expected a flurry of blogs about it. And indeed, there’s a lot more I hope to say about VB 2009, but I’ve been beset by a number of other issues that have demanded my attention, in and out of the blogosphere. 

I did rather hope to comment on the excellent paper and presentation by my colleague Juraj Malcho on "Is there a lawyer in the lab?" on a topic that hits this industry pretty hard. You might think that there's malware and there's legitimate software. Unfortunately, that's become less and less true in recent years. Between the two there's a range of software from rogue antivirus to what ESET calls Possibly Unwanted Applications, and even stuff we regard as frankly malicious does, increasingly, generate unpleasant legal complications. So I looked forward to the presentation and wasn't disappointed.

However, the ground has been cut from under my feet, because one of our competitors produced a very comprehensive review of the paper.

The copyright assignment terms mean we can’t put up the paper itself yet onto the white papers page at http://www.eset.com/download/whitepapers.php. However, we hope to put up a PDF of the presentation in the near future. Of course, we’ll let you know here when we do.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Postcard from Geneva


Wednesday, September 23rd, 2009

Virus Bulletin 2009 is now in full swing, though meetings and other issues have kept me from seeing as much as I’d like. Still, excellent opening and keynote speeches, and a very interesting talk on cyber-insurance from Pascal Lointier. (A bit of a first for me: though I’ve been attending VB most years since 1996 and have presented papers most years, I’ve never chaired a session before. It’s a lot less nerve-racking than presenting.)

Our own Juraj Malcho presented his paper on "Is there a lawyer in the lab?" on some legal issues that arise nowadays with certain kinds of malware. Though I’d already seen the paper, the presentation was still pretty riveting.

Jeff Debrosse presented our joint paper on "Malice through the looking glass": cunningly, I'd concentrated on the reserve paper that no-one has asked for yet, so I was able to enjoy his presentation and just popped onto the stage for the questions at the end, so my nerves have had a good old holiday so far. As long as no-one else drops out so I have to present after all… :)

Unfortunately I had to miss the vendor presentations, as I had to deal with some email issues that I’m still working on, but I’m sure Randy has done his usual excellent job on ESET’s vendor presentation.

Having a wonderful time

Wish you were here

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Genial Geneva and a note for Francophones


Tuesday, September 22nd, 2009

Bonjour mes amis!

Well, I am in Switzerland, and very close to the French border, for the Virus Bulletin conference – perhaps the most eagerly anticipated event in the anti-malware researcher’s calendar. How sad is that?

I also thought you might like to further extend your French skills on an article here, about a presentation Pierre-Marc made at our offices in Bratislava: http://www.globalsecuritymag.fr/Voyage-au-coeur-du-Cyber-crime,20090918,12795.html.

I think that means "A voyage to the heart of cyber-crime", but my French is about forty years rusty. If you’re here (or will be when the conference proper starts tomorrow), come and say hello!

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Lies, Damned Lies, and SPYzooka


Wednesday, August 5th, 2009

Update. August 5th 1:30 PM PDT. I received an email from Mr. Carl Haugen, the president of BluePenguin Software, who develop SPYzooka. According to Mr. Haugen the offending post was made by a former employee and has now been removed. I have verified that the post was removed. This is an encouraging sign. I will also note that BluePenguin is an accredited member of the Better Business Bureau and has a good track record of resolving customer complaints.

A friend of mine from the respected Indian antivirus company Quick Heal Technologies recently brought two posts on the web to my attention.

http://www.articlesbase.com/security-articles/do-not-trust-quick-heal-antivirus-plus-2009-987981.html is an article written by someone who does not wish to disclose who they are. The article is pure fiction. Remember, articlesbase.com does not validate content, so I would assume everything there is wrong unless I independently verified the facts elsewhere.

The second link, and in my opinion the likely source of the fictitious article, is http://bluepenguinsoftware.com/spyzooka/blog/removal-instructions-for-quickhealantivirusplus2009/.

The author of the “blog”, Carl Haugen, claims:

“Like other rogues, it claims to be beneficial but in actuality it is malevolent. Instead of helping remove threats, it will download spyware, Trojan horse apps, adware, and other malware.”

I’m not a lawyer, but I have advised my friend that if Quick Heal chooses to sue BluePenguin Software for libel, I would be happy to testify on behalf of Quick Heal. It sure looks like a slam-dunk libel case to me.

It is possible that the folks at BluePenguin downloaded a pirated, cracked version of the program, but if they had downloaded the program from the developer’s web site they would have a legitimate antivirus product.

If you do your research on Quick Heal, you will find that they are tested by Virus Bulletin, have 27 VB 100 awards, 10 failures, and 28 no entries. Spyzooka does not participate in VB testing.

Quick Heal is certified by West Coast Labs' Checkmark certification for both antivirus and anti-spyware. Spyzooka is not certified.

Quick Heal is a corporate member of AVAR, the Association of Asia Antivirus Researchers, where I sit on the board of directors with my friend Sanjay Katkar of Quick Heal.

I don’t see any industry related, professional organizations that BluePenguin participates in. They aren’t even members of the Anti-Spyware Coalition (ASC), which you would expect from a legitimate anti-spyware focused company. Currently Quick Heal is not a member of the ASC either, but I have recommended they join.

I won’t comment on the quality of Spyzooka, as I have not tested it or seen any legitimate tests of it, but the blatant dishonesty of their President would not lead me to consider the product.

Yeah, Quick Heal is a competitor of ESET’s, but that is no reason to let a wrong stand un-righted. We’ll go toe to toe with Quick Heal based upon the merits of our product, but we wouldn’t stoop so low as to call a legitimate antivirus product a rogue.

Randy Abrams
Director of Technical Education

Slideshare update


Tuesday, August 4th, 2009

Further to yesterday's blog at http://www.eset.com/threat-center/blog/2009/08/03/slideshare-used-to-spread-malware, I hear from Sebastián Bortnik that the account holder that posted those malicious slides to Slideshare has been banned, and the slide decks are no longer available.

However, he (the black hat, not Sebastián!) had managed to post 2,473 slides with malicious links before he was stepped on: see the screenshot at http://blogs.eset-la.com/laboratorio/wp-content/uploads/2009/08/slideshare3.png.

Totally off the topic, but congratulations to the Research and Development team in Slovakia for achieving yet another VB100 award in Virus Bulletin's latest test, this month on the Vista Business Edition SP2 x32 platform. Not to mention a very respectable RAP (Reactive and Proactive) score of nearly 80%.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence