If you listen to IT Security experts, they will regularly tell you to make your passwords difficult to guess. They will also tell you ensure it is not short, and has a mixture of alphabetic, numeric & special characters in it – and certainly don't use a word that is found in the dictionary.

Why do we do that? Because it is important that your password cannot be easily be guessed, especially using brute force. What does that mean? It means the bad guys can automate a system to make repeated attempts to log in with your username, trying one combination of characters to form your password after another until they stumble across your password & get into your account. This may take hundreds of thousands (or millions) of attempts before the right password is submitted. But depending on the attacking system and and their target, they could make hundreds (or more) attempts at the password per second.

So the theory is – the longer the password, the more obscure the word (or combination of words) used, the use of both lower & upper case, along with special characters, the more difficult it is for a bad guy to generate the right combination to match your password. And this is all good good advice. It certainly makes it much more difficult for the bad guys.

But I can't help wonder why we allow brute force attacks to work at all. Instead of a system instantly returning with a negative response if the password is incorrect, why not build a delay into the response of say, a tenth of a second? Then, when another log in attempt is name on that same username, the response comes back after a tenth of a second delay. The next failed log in attempt on the username would result in a two tenths delay, then three tenths, etcetera. After one hundred attempts, there would be a ten second delay between responses. By the one thousandth attempt, the delay would be one hundred seconds. This would render a brute force attack useless. But a legitimate user who happened to enter the wrong password would not notice a tenth of a second delay. Even a two thenths or three tenths of a second delay.

So why aren't delays like this built into log in screens? I don't know why.

OK, OK. I'm sure some people will come back to me & say that it's not technically possible to do something like that on some systems. And I'm sure that's probably true. But I'm also sure there are plenty of systems out there that could be modified to do something like this. It seems logical to me.

Now, even if this was done wherever possible, you still need to use strong passwords. Words that are found in a dictionary are not a good idea, and using family or pet names is certainly not good practice. So you would still need to use strong passwords, but the bad guys would have less chance of cracking your password through repeated, rapid brute force attacks.

 
Craig Johnston
Senior Cybercrime Research Analyst

Back in 2009, at RSA, Secunia proposed an approach to addressing this problem by building a "common application that handles all third-party application updates and patching" to address consumer application patch difficulties. While I'm not convinced it's feasible to handle all updates – some of the small companies will slip through the net, and I suspect that some of the big ones will only extend limited cooperation, for proprietary reasons – this does indeed sound like an approach that will reduce the impact on the consumer of driveby downloads and other Bad Things, and, as Brian Krebs has pointed out, reduce the amount of time some of us put in as unpaid support to family and friends afflicted by such problems, and I look forward to seeing the software.

However, it's not just home users who have patching problems. And there's more crossover than you might think. At a session at RSA this year on "How to expedite patching in the enterprise?" with Rich Mogull (Securosis), Doug Dexter (Cisco), Robert Duran (TIME), Wolfgang Kandek (Qualys), Regis Rogers (GE Corp), a number of interesting questions were posed. Apart from the fact that so few attendees seem to feel they have real control over the patching problem, it was noticeable that Oracle, Adobe and Java seem to be seen as particular troublespots. It's unlikely that many home users are using Oracle to catalogue their CD collections, but Adobe is another issue entirely. Yes, the company has made a lot of progress, but it still doesn't show the same awareness that Microsoft (usually) does nowadays.

And Adobe Reader still infuriates me. First it silently re-enabled Javascript. And since I re-disabled it, it continues to prompt me to re-enable it every time I open a PDF, irrespective of whether it really includes javascripts (which it hardly ever does). It may seem trivial, but this still sounds like a company that hasn't thought a security issue through properly.

David Harley CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
http://twitter.com/esetresearch; http://twitter.com/ESETblog
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/

Question 1- When it is critical to give a malware specific name?

[David Harley answers…]
For detection/remediation purposes, it isn't really necessary for anti-malware vendors: while classification is important, exact naming for hundreds of thousands of unique samples a day or week is not only unnecessary, it's unfeasible. In fact, in most cases harmonization between vendor detection names is only possible on a sample-by-sample basis: otherwise, it tends to mislead more than it helps, because two vendors can legitimately claim to detect a given malicious program yet may or may not detect a specific sample (for instance, where a malicious site keeps serving repacked or re-obfuscated versions of the same base code). ESET has made available a couple of papers on the subject that you might find interesting and/or useful (we hope): http://www.eset.com/download/whitepapers/cfet2009naming.pdf, http://www.eset.com/download/whitepapers/Harley-Bureau-VB2008.pdf.

[Randy Abrams answers]
It generally is most critical that people are using a specific name if they are discussing a specific sample and attributes of it.  In most cases a specific name is not required if the threat is blocked to begin with.

Question 2- Is it necessary to unify the "malware names" between all vendors?

[David Harley answers]
It's generally unnecessary and mostly impossible. There is an argument for limited harmonization on names in specific cases of high-profile malware, and I have some ideas on how that might be implemented better than it was by CME, for example, but the feasibility would still require significant cooperation and commitment across the security community.

[Randy Abrams answers]
As desirable as it would be for some people, it really is not necessary, and as David pointed out, it is virtually impossible. Different researchers may obtain samples independently at about the same time. Once they name it there is a cost associated with renaming the threat in the signatures and though it may seem trivial, if you multiply the time required by 200 samples per day, which is an extremely small fraction of what AV companies are seeing, it becomes a full time job at each AV company just to synch up sample names. It isn’t worth the expense. The name does not affect detection, prevention, or removal so it is one of the least important attributes of malware.

 
Question 3- Sometimes I see vendor names a malware as a trojan, at the same time the other vendor names it as a worm! So, can the two vendors be right in identification that malware? And if yes, how that malware is a trojan and a worm simultaneously?

[David Harley answers]
The defining characteristic of a worm is replication. But it can still have Trojan characteristics (i.e. it pretends to be something it's not, put simply).
[Randy Abrams answers]
Sometimes vendors get it wrong. As David pointed out, a worm can have trojan characteristics, but not all worms are trojans, and most Trojans are not worms. There is an AV company that named a JavaScript worm a VBS worm.

Question 4- Is the equation (More identified malwares names = More cleaning capability of the AV scanner) is accurate?

[David Harley answers]
Absolutely not. Generic disinfection is actually more feasible in the present era of malware glut than specific disinfection for every sub-variant or unique sample. However, pre-execution identification and blocking is still better than post-execution cleaning.

[Randy Abrams answers]
More identified malware names does not mean more identified malware. Simply identifying malware does not mean successful cleaning either. More importantly, cleaning means that one accepts a lower level of security. If security is important, then in most cases the infected machine will be rebuilt from scratch. Detection of a threat does not mean that all threats were detected. When I worked at Microsoft, this fundamental truth was well understood. If an employee’s PC got infected it was completely rebuilt.

Question 4 continued… Are the AV scanners that rely heavily on heuristics 'like ESET' less capable of 'successful cleaning' than those ones rely heavily on signatures detections?

[David Harley answers]
That depends on your definition of "successful cleaning". I've seen some tests where scanners have been marked down on disinfection for leaving traces that couldn't actually result in any malicious effect. A meaningful definition really requires no post-disinfection problems. There might be instances where a generic disinfection might not be as successful in that sense as a malware/sub-variant-specific disinfection, but by the same token, a very specific disinfection might cause problems with a different sub-variant or sample where a signature scanner doesn't "notice" the difference. The question kind of misses the point, though. The main point of advanced heuristics and other forms of behaviour analysis is to identify malware that doesn't have a "signature" yet before it can infect. As we get more information on a specific threat, our detection/disinfection may evolve into something more specific to match. Heuristics isn't a technique we use to _replace_ signature detection: it's something we do that lessens our _reliance_ on signatures.

[Randy Abrams answers]
As David pointed out, there are different definitions of “cleaning”.  I am not aware of any cleaning tests that have been performed with very large and diverse sets of malware. I don’t think there is any scientific data to prove or disprove a theory that scanners that are more signature reliant clean more effectively. Remember, detection capability, be it signature or heuristic is not the same thing as cleaning capability.

Question 5- What is the different between 'Trojan dropper' and 'Trojan downloader'?

[David Harley answers]
Put simply, a dropper generally installs and launches another program (not necessarily malicious, but yes, often a Trojan). A Trojan downloader, by definition, downloads something for malicious purposes, but doesn't necessarily install and/or launch it. So there's some overlap, and the same program might be described either way. In fact, there aren't many absolute definitions in anti-malware circles that are accepted by _all_ researchers, and marketing departments sometimes use such terms differently to the ways in which researchers in the same company use them. Security research is a difficult, complex field, and it's inevitable that there are disagreements over classification and definitions.

[Randy Abrams answers]
A dropper will contain another program inside of it. The word “Trojan” refers to the nature of the dropper, and generally to the nature of the program that is dropped. The very first known Access macro virus was a dysfunctional dropper. It tried to create an executable file as well, but due to a stupid syntax error it failed! Downloaders, rather than containing other programs, pull them down from the internet or a network location.
 

Randy Abrams and David Harley

"What do you get when you kiss a girl?
You get enough germs to catch pneumonia
After you do, she'll never phone ya
I'll never fall in love again"

OK, it's confession time. I am single and I've been a member of a couple of Internet dating sites in the past. And you know what I've found? There seems to be a hell of a lot of single scammers on the Internet, too!

By far the most interest I get in my profile comes from "women" – I use the term loosely because I can't be sure they actually are women – who are supposedly temporarily living in Ghana for various reasons. They seem to operate using the same instructional manual on how to spin a tale to their victim in order to win the victim's trust and eventually steal their money.

The ones that show an interest in me all claim to be about 30 years of age, Caucasian and very attractive. They even have photos to prove it! They all claim to live in cities such as New York, Manchester, Sydney, Auckland, etc. And they all say that they are temporarily in Ghana for various reasons – university study being the most common, but also to support their poor single parent, or even working for a charity. They are prepared to spend weeks, even months, chatting to their victim and offering them their undying love. They all claim that they will be leaving Ghana soon and want to be by their victim's side. They try to convince their victim to send money to them so that they can buy a plane ticket to be with their "love". Or they may ask their "love" to send them some money to pay a debt. Another popular ruse is to make an urgent call in a panic, claiming that their parent has suddenly become seriously ill and needs a life saving operation. Of course, they cannot afford the cost of the operation themselves and need their victim to send money urgently to save their dear old Mother or Father's life. Almost always, they will ask the victim to send the money via a Western Union transfer, which they can receive at their end without being traced later on.

Interestingly, until about a year or so ago, they all claimed to live in Nigeria, with the exact same stories. Then, all of a sudden they moved to Ghana! I don't know why this happened.

The name of the game, as far as the scammer is concerned, is to gain the victim's trust and then scam them out of as much money as possible. And these guys are aiming to scam thousands of dollars out of each victim. Interestingly, it seems that women are targeted more than men, with a split of about 60/40 percent. Maybe because women might be seen to be more romantic and susceptible to falling for someone who supposedly loves them with all their heart.

Recently I have seen another method the bad guys use to take advantage of people looking for love (or lust) online. They prey on the night owls, who are up late with nothing better to do than search for someone online. They engage in conversation for a while, and show that they are very keen to take things further, but then ask their victim to go to a website and vote for them on the site. Now, I haven't gone to any of these sites, but I have a very strong suspicion that the reason they want someone to go to the website is so that the website can infect the victim's computer with malware, simply by visiting it.

And this is a very big business. Many thousands of people have been scammed, and continue to be scammed in this manner. If you would like to learn more about it, or get some idea of the amount of scamming going on, have a look at www.romancescam.com. There you will get some idea of how these bad guys operate and what damage they have done in the past (and continue to do).

Once again, it comes back to the old saying regarding the Internet: "If it seems too good to be true, then it probably is". And this includes romance. I'm not saying you can't find love on the Internet, but be very wary and DON'T send any money to anyone whose identity you cannot verify with certainty. Or clink on any links that someone wants you to, unless you are sure it is legitimate.

"What do you get when you fall in love?
Nothing but pain, lies and sorrow
So for at least, until tomorrow
I'll never fall in love again"

Craig Johnston
Senior Cybercrime Research Analyst

In the latter part of the session, members of the audience asked some very relevant questions, and I'd like to address a few of them here, though I'm in "IMHO (In My Humble Opinion)" mode here, not speaking for AMTSO as a whole or even for the rest of the Board of Directors.

Stop me if you've heard this before (or at any rate something rather like it), but VirusTotal is not, isn't intended to be, and cannot be a measure of detection performance. It does give you a feel for the likelihood that a single submitted file is malicious (and that's a Really Useful thing), but it doesn't tell you definitively, and it doesn't tell you for sure that a given product does or doesn't detect that file, and it doesn't take accurate account of false positives. This imposes strict limitations on its usefulness statistically, so a statement like "only X products detected" or "only X% of malware is detected…" is hard to justify on the basis of Virus Total reports.

Trying to compare one test to another, even tests by a single testing organization, is of limited use. Even if you have the visibility into details of methodology (and methodology is not all you need to know to evaluate a test fully), there's so much variance in methodological approach, sample sets, validation and so on, that realistic metametrics of that sort are not practical, and I don't see that as a likely target for AMTSO in the foreseeable future. By the way, I'm not saying at all that variation in methodology is a bad thing. AMTSO isn't about standardizing test procedures: it's about raising test standards, which is a very different thing. IMHO…

AMTSO does not develop tests: rather, it develops criteria for evaluating tests, generates documentation intended to facilitate the development of better tests, and on occasion assesses a review's compliance to AMTSO's principles.

Proactive/frozen testing has served us pretty well for quite a while as a measure of proactive detection, but its usefulness is declining as the threatscape changes, being somewhat tied to static testing. (Mind you, I'd still rather see a good static test than a bad dynamic test…)

Inevitably, the question of certification came up. Clearly, AMTSO is not in a position to certify products/companies, even if we saw that as our job, which we don't: we don't have the resources. Similarly, certifying individuals or organizations would also require resources and partnerships that aren't in place right now, though allowing testers a degree of self-assessment will take us in that direction.

However, AMTSO can't offer a way to certify that Mrs Miggins Patented Test Labs will always offer good tests, because inevitably, some tests from a busy lab will be better than others. So it's a pity if the review analysis procedure is regarded as a punishment for "bad testers": in fact, some testers are now starting to see it as a possible way of pre-validating a test that hasn't taken place yet, and (still speaking personally) I see that as hugely positive.

Towards the end of the session, I found myself putting together some thoughts on what I thought about the testing/evaluation process when I was a tester and also as part of the corporate procurement process.

 And yes, those are two very (generally) different roles: I told you I'd had a chequered past!). Interestingly, Larry Bridwell summed up at the end of the session with some thoughts along similar lines.

But those are thoughts, I guess, that can probably wait for a future blog.

David Harley CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
http://twitter.com/esetresearch; http://twitter.com/ESETblog
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/

ESET recently commissioned a survey of 551 residents of Austin, Texas.  24% of the people interviewed reported that they or someone they knew had been a victim of cybercrime. 38% of those who had been a victim or knew someone who had been a victim of cyber crime estimated that the loss was in excess of $1,000. When ESET commissioned a similar poll for the US a few months ago we found that only 5.3% of the people reported estimated losses at over $1,000. In our national survey, 57% of users reported using online banking. In Austin 71% of users reported using online banking or bill paying. Nationally we saw reported use of antivirus at 89.4% and in Austin the percentage reported was 91%. Given the margins of error in surveys this would tend to indicate that Austin is on par with the national average for antivirus use, but losses to cybercrime were reportedly significantly higher than the national average.

We did find that in Austin 40.1% of users reported using their PCs for both email and electronic tax filing. A common phishing attack involves bogus claims about tax returns and it is primetime for IRS related phishing scams right now. 

In Austin 24% of users reported that they believe the internet has become less safe over the past 12 months and 22% report that they believe the internet will become less safe over the next 12 months. At the same time 11.6% of the Austin users reported that they use their computers for all of the following: email, online shopping, online banking or bill paying, buying and selling on auction sites, and filing tax returns. Of these users only 1 in four believe the internet will become safer over the next 12 months. That’s a lot of risk to be taking on a system you believe will become less safe in the next year.

So Austin, we’re looking forward to meeting you and we hope to see you at some of our free cyber security education classes! We will be at Fry’s Electronics 12707 N. Mopac Expressway, Austin, TX on Saturday March 6th at noon and again at 5 PM.

Randy Abrams
Director of Technical Education

The largest botnet in the world is comprised of computers running Microsoft Update and Microsoft controls this botnet. Yes, this really is a botnet. Don’t confuse the term botnet with the requirement that it send spam, steal information, or attack other computers. A bot is an automated program and a botnet is a group of computer with an automated program that is controlled by the same entity. Microsoft controls what Microsoft Update does.  If Microsoft wants to install a piece of software that is completely useless to all customers with legal software, they simply call an anti-piracy program a critical update and all of the Microsoft Update bots obediently download and run the program. If Microsoft wanted to it could make all computers running Microsoft Update send spam, attack other computers, upload documents, and so forth.

Here is where it really gets interesting to me. A day ago at RSA, Microsoft’s Scott Charney, the Corporate Vice President for Trustworthy Computing, suggested a net tax to help clean up the net. In his talk, Charney is quoted as saying “When a computer user allows malware to run on his computer, "you're not just accepting it for yourself, you're contaminating everyone around you,”.

Oftentimes it isn’t the user who allowed malware to run, it is Windows autorun that prevented the user from having a chance to say no to malware. The most prevalent threats we see, including conficker, make use of autorun because it is known to be such an effective infection vector. With Windows 7 Microsoft changed autorun so that it no longer works with most USB devices. Even though the change does not go far enough, it is not insignificant. The problem is that most people don’t know that there are patches available for Windows Vista and Windows XP. These operating systems have a much larger market share than does Windows 7.

Come on Mr. Charney, Windows Genuine Advantage and Windows Activation Technologies do nothing to protect the average user, but disabling autorun would help neuter many of the prevalent threats and shut down an automated infection vector. It is long past time for Microsoft to put that botnet they control to effective use in eliminating the vulnerable-by-design autorun functionality present in Windows 95, Windows Me, Windows NT, Windows 2000, Windows XP and Windows Vista.

As long as Microsoft is the deliberate enabler of malware that a user does not choose to run, I really don’t think Microsoft can credibly accuse users of “allowing malware to run on their computer.”

I appreciate the remarkable and laudable security progress Microsoft has made, but before you, Mr. Charney, ask users to swallow a tax or fee for bot clean up, bite the bullet and clean up the autorun infection vector.

Update… I checked with our virus lab, and it appears that close to 30% of the malware out there is using autorun as one potential infection vector. There recently discovered Zimuse worm only spreads via autorun. My friend and colleague blogged about Zimuse at http://www.eset.com/threat-center/blog/2010/01/22/bemused-by-zimuse-dis-is-not-one-half and http://www.eset.com/threat-center/blog/2010/01/22/we-are-not-zimused-a-few-updates.

Randy Abrams
Director of Technical Education

I've been uncharacteristically quiet for the past couple of weeks, due to the AMTSO workshop last week in Santa Clara. There was, as usual, some lively discussion: though no papers were approved at the meeting, some are close enough to finished to be voted on shortly. (See also the AMTSO blog for more updates, in particular on yesterday's AMTSO panel session.)

At the moment I'm at RSA, as Randy mentioned in a previous blog. I'm not working the ESET stand, but Randy and Jeff are around there much of the time, if you'd like to say hello, and if anyone wants to talk to me specifically, someone at the stand can put you in touch with me.

David Harley CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
http://twitter.com/esetresearch; http://twitter.com/ESETblog
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/

The interview started off with an introduction which revealed a background that, by comparison, would seem only possible if you lived two lifetimes. I knew of some of Schmidt's background, but the list of accomplishments was inspiring. By the way, this is a decent starting-point if you're interested in reading about Schmidt: http://en.wikipedia.org/wiki/Howard_Schmidt. 

Schmidt opened with a pointed remark to remind everyone that the cybersecurity challenge is not simply one the the U.S. must solve, it is a global one. He went on to remind us that there are significant gaps and vulnerabilities outside the U.S.

Below are several of the objectives and priorities that were outlined (Schmidt stated that it tracks with the Cybersecurity Policy Review):

• Resilience – "securing the federal government and enterprise"
• Securing the private sector – Schmidt specifically point out that "the government is not going to secure the private sector"
• Incident response – which starts with simply providing points of contact for organizations and individuals to know where to go when an incident occurs.

I'll quickly highlight a few other points that were touched or were parts of the Q&A session:

• Mentioned was the release of part of the Comprehensive National Cybersecurity Initiative (CNCI) – available at whitehouse.gov: (http://www.whitehouse.gov/sites/default/files/Cybersecurity.pdf)
• The government is increasingly looking at way to leverage "the cloud". There, of course, has to be coordination on how it uses cloud-based solutions as well as the myriad security challenges and risks involved.
• There was a question regarding the Hilary Equipment case, which Brian Krebs reported on in January (http://bit.ly/bBcBn4). Unfortunately Howard wasn't aware of this case, but the question was most-likely asked because the outcome of the case could have a severe impact on the future outcome of incidents such as this one.
• When asked about FISMA, Schmidt replied, "FISMA is not doing what it was designed to do". Schmidt went on to say that "changes are long overdue."
• Organizations are not legally "enticed" to develop secure software

I'm optimistic that Schmidt will be able to carry out most (if not all) of his plans. We need good, and experienced leadership at the helm of such a critical role –  especially at this critical juncture in the maturation of the Internet and the rate of growth of cybercrime and cyberattacks. 

Jeff Debrosse

Sr. Research Director

In general, the statistics we are seeing in through our online scanner logs are consistent with our observation from last September.  We are seeing an average of 3 different malware families per infected computers.  This means that on average, when a computer is infected, we find three different malware families installed ont it.  An interesting point is that this average seems to be slowly but steadily going down each month.  This might indicate that malware operators are consolidating their operations.  There might starting to perform more actions with one program instead of installing different malware after an intrusion.

The average of different malware families per infected hosts in the United States is close to the global average.  On the other hand, this number reaches 4.5 in China where it has one of the highest value.  This indicates that malware operations are not conducted the same way around the world.  We usually see less bank information stealers in Asia but more online game password stealers.  Online game password stealers are usually installed by other malware families and don’t propagate by themselves, explaining why we see an higher average in China than in the United States.
 
On a daily basis, ESET is collecting more than 200 000 new and unique binary malicious files, this number is higher than the statistics published last year.  This means that by the time you are finished reading this blog post, at least 70 unique pieces of malware will be produced!

Pierre-Marc Bureau
Sr. Malware Researcher