ESET Threat Blog

Archive for September, 2009

Greyware: Trust Me, I’m a Lawyer


Wednesday, September 30th, 2009

Since I’ve just spent several days at a major conference, you might have expected a flurry of blogs about it. And indeed, there’s a lot more I hope to say about VB 2009, but I’ve been beset by a number of other issues that have demanded my attention, in and out of the blogosphere. 

I did rather hope to comment on the excellent paper and presentation by my colleague Juraj Malcho, "Is there a lawyer in the lab?", on a topic that hits this industry pretty hard. You might think that there’s malware and there’s legitimate software. Unfortunately, that’s become less and less true in recent years. Between the two there’s a range of software from rogue antivirus to what ESET calls Possibly Unwanted Applications, and even stuff we regard as frankly malicious does, increasingly, generate unpleasant legal complications. So I looked forward to the presentation and wasn’t disappointed.

However, the ground has been cut from under my feet, because one of our competitors produced a very comprehensive review of the paper.

The copyright assignment terms mean we can’t put the paper itself up on the white papers page at http://www.eset.com/download/whitepapers.php yet. However, we hope to put up a PDF of the presentation in the near future. Of course, we’ll let you know here when we do.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Microsoft Security – Essential?


Wednesday, September 30th, 2009

People keep asking me about Microsoft’s newly released Security Essentials free anti-malware (formerly known as Morro). Randy and I both blogged about it at some length back in June – see http://www.eset.com/threat-center/blog/category/microsoft-security-essentials and http://www.eset.com/threat-center/blog/2009/08/03/more-free-lunches, for instance – but there’s still a lot of interest in the impact that the product is likely to have on ESET and other mainstream antimalware vendors, so I thought I’d re-summarize.

As Seth Rosenblatt pointed out in a CNET article at http://download.cnet.com/8301-2007_4-10362227-12.html, "Rather than taking aim at full-featured security suites made by Symantec or Eset, the features available in Security Essentials indicate that Microsoft is aiming to compete with basic-but-free security apps." There’s also a lively discussion in the comments to that article about what additional features an end user is likely to get in full-blown commercial software rather than for free.

Free protection is in some senses better than no protection, as long as people don’t expect more from it than it can actually offer. So, if more people who aren’t prepared to spend money on security software choose to install MSE, it will have some impact on the malware problem without impacting on those of us who don’t market a fully free version, and we’re very much in favour of that.

There is a long history of products (often well-intended) that towards the end of their lives have done more harm than good because people didn’t realize they weren’t up to the job. And there have certainly been products that were free but of no value whatsoever. However, MSE is not in either of those categories.

Of course, there are already lots of free products, and they don’t impact on our market particularly: in fact, MSE is more likely to affect companies who do offer an unlimited-life free product as a taster, rather than a fixed-period evaluation copy, because if fewer people install light-but-free versions, there’ll be fewer people upgrading to the commercial product.

ESET do, in fact, make available a free (no strings) web scanner that does detect the same range of threats as our for-fee products: obviously, it doesn’t have the same range of functionality. If people want to experience the difference between a full-featured product and a “lite” product, they can download an evaluation copy of our products.

Clearly, Microsoft’s product doesn’t offer full functionality either: if it did, it would eat into the profit potential of their corporate security services, which are far from free. They’ve simply written off the consumer sector as a profit centre, as other vendors also do in one way or another, for example by setting a base price so high that home users are unlikely to make that investment. Support of consumer products is a major cost centre for anti-malware companies, and while I don’t know exactly what level of support MS are offering, it’s unlikely to match a comprehensive support package like ESET’s.

MSE certainly offers reasonable detection, but our user-base tends to be looking for higher performance and low impact on the desktop, integration with other types of functionality rather than baseline AV and spyware detection, plus more sophisticated and more flexible detection. Corporate buyers will generally be looking for even more than that, but that’s really a topic for another blog.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

 

Making Malware


Wednesday, September 30th, 2009

McAfee Avert Labs has been advertising a "Malware Experience" session for the "Focus 09" security conference, which offers attendees the chance "to work with a Trojan horse, commandeer a botnet, install a rootkit and experience first hand how easy it is to modify websites to serve up malware."

Actually, this text has been modified: it originally said to "create" a Trojan horse. It would appear that this was a matter of poor choice of expression rather than a sign of the company’s veering into real malware creation, which has always been a "no-no" among established AV companies. I’m guessing that after Michael St. Neitzel’s thoughtful blog generated some animated discussion (yes, I did join in…), someone with a clue at McAfee administered some corrective action. Yes, there really are people with a clue there. :)

An apparently official comment clarifies their position, reassuringly.

The interesting thing, though, is that the comments to Michael’s blog have illustrated once more the gulf between the views of the mainstream vendors and others both in and out of the security community as to whether it’s useful, ethical, misleading, inappropriate etc. to create malware, either for testing or for educational purposes.

Of course, the McAfee session isn’t directly associated with the use of malware creation for testing purposes, which is a discussion that the Anti-Malware Testing Standards Organization (AMTSO) will have high on the agenda at our Prague meeting in October. But it is a perfect illustration of how sadly the anti-malware industry has failed to make clear its objections (which are well-founded, in my humble opinion, but the important thing is to actually voice them) to the rest of the world.

The AMTSO paper up for discussion in Prague is the industry’s opportunity to fix that shortcoming once and for all: I sincerely hope we make the best of it.

(Thanks to Andreas Clementi, Michael St. Neitzel and Alex Eckelberry for drawing my attention to this issue.)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Dissipating the Cloud


Thursday, September 24th, 2009

The next presentation here at Virus Bulletin is called “Tales from Cloud Nine” and is presented by Mihai Chiriac, the head of research from BitDefender.

While using the word “cloud”, Mihai went on to explain what the technology actually is, and how and why it is used. This was an exceptionally well balanced presentation that acknowledged that sometimes you need to be on the local system and in some cases you can offload the work to the internet (the cloud).

One of the big problems with using “the cloud” is that at times the product may actually upload a file from your computer to the internet. This has very serious privacy implications. Virus scanners make mistakes at times, so a file that is proprietary or contains sensitive information may be uploaded when the customer does not want that file to leave their network.

Mihai had a really good point on one of his slides. He was talking about how his system works and the bullet point said “Send the data to the cloud”. What this means is upload the data to a server on the internet. Why not just say “send the information to a server on the internet”?
 
In Mihai’s case he was simply using the jargon, and the technical audience understands he means sending data to a server on the internet. When marketing gets hold of the term “cloud”, it means something closer to “our beer will make you sexier”.

Mihai had some valid examples of how using the internet can be advantageous, but also pointed out that there are some significant technical difficulties and privacy issues. To some extent, all AV vendors use “the cloud” in their products. ESET’s ThreatSense.Net was using “the cloud” before it became the darling term of marketing.

As is the case in almost all areas of computing, there is a lot that can still be leveraged using the internet, but there are still a lot of obstacles to overcome.

Randy Abrams
Director of Technical Education

A Cloud is a Container of Fog that Obscures Vision


Wednesday, September 23rd, 2009

I’m sitting in a presentation at the Virus Bulletin conference in Geneva. The topic is “Why in the Cloud scanning is not a solution”, presented by Andreas Marx and Maik Morgenstern from AV-Test.org.

What they found in extensive testing is that “Cloud” scanners do not have a detection advantage over traditional solutions. In one example, a product had neither normal nor cloud detection for a sample, but did have detection in its traditional beta signatures. In some cases cloud-based products added detection much later than traditional solutions did.

AV-Test found that the size of the databases on the desktop did not decrease and memory use on the local PC was not improved by the use of “Cloud” based systems.

At times, due to connectivity problems, the “Cloud” based systems are simply unavailable, and the product is left with whatever it has locally.

“Cloud” is a marketing term. If you think that drinking the right brand of beer makes you sexier you’re going to love “Cloud” marketing. If you think for yourself you look at the technologies and ask “Does a ‘cloud’ based solution actually perform better?”

When you see “Cloud computing”, remember that this is hype-based marketing: rather than tell you the technical merits of the product, they want you to think that the right beer makes you sexier!

Adding Internet components (that’s what cloud really means) can enhance a product, but does not automatically do so.
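The two concerns raised in these two posts, that a cloud lookup may quietly ship a file off the network and that the cloud may simply not be reachable, come down to design choices a scanner makes. The following is an added example, not code from ESET, BitDefender or AV-Test, showing a toy scan pipeline that consults local signatures first, asks a reputation service about a file by sending only its SHA-256 digest, keeps giving a usable answer when that service is down, and only ever uploads a whole file when the operator has explicitly opted in. Every signature, sample, digest and the “service” itself are constructed stand-ins.

```python
"""Hash-only cloud lookup with a local fallback (added example, not vendor code)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Verdict:
    verdict: str   # "malicious", "clean" or "unknown"
    source: str    # which layer produced the verdict
    action: str    # "block" or "allow"


class ReputationService:
    """Stand-in for a vendor's server. It records what it receives so we can
    check that only digests, and no file contents, crossed the network."""

    def __init__(self, known: Dict[str, str], reachable: bool = True):
        self.known = known            # constructed digest -> verdict table
        self.reachable = reachable
        self.queries: List[str] = []  # digests received
        self.uploads: List[int] = []  # sizes of whole files received

    def lookup(self, digest: str) -> Optional[str]:
        if not self.reachable:
            raise ConnectionError("reputation service unreachable")
        self.queries.append(digest)
        return self.known.get(digest)

    def submit_sample(self, data: bytes) -> None:
        if not self.reachable:
            raise ConnectionError("reputation service unreachable")
        self.uploads.append(len(data))


class Scanner:
    def __init__(self, local_db: Dict[str, str], cloud: ReputationService,
                 fail_closed: bool = False, upload_unknown: bool = False):
        self.local_db = local_db
        self.cloud = cloud
        self.fail_closed = fail_closed        # policy when the cloud is down
        self.upload_unknown = upload_unknown  # the privacy-sensitive opt-in

    def scan(self, data: bytes) -> Verdict:
        digest = sha256_hex(data)
        # Layer 1: local signatures. No network, works offline, nothing leaves the host.
        if digest in self.local_db:
            v = self.local_db[digest]
            return Verdict(v, "local", "block" if v == "malicious" else "allow")
        # Layer 2: reputation lookup by digest only, never by content.
        try:
            v = self.cloud.lookup(digest)
        except ConnectionError:
            # Connectivity lost: degrade to local-only rather than hang or crash.
            return Verdict("unknown", "local-only (cloud unavailable)",
                           "block" if self.fail_closed else "allow")
        if v is not None:
            return Verdict(v, "cloud", "block" if v == "malicious" else "allow")
        # Layer 3 (optional): whole-file submission. Off unless the operator opted in,
        # because this is the step that can ship proprietary data off-site.
        if self.upload_unknown:
            self.cloud.submit_sample(data)
        return Verdict("unknown", "cloud", "block" if self.fail_closed else "allow")


# Constructed samples standing in for real files.
LOCALLY_KNOWN_BAD = b"constructed sample: in the local signature database"
CLOUD_KNOWN_BAD = b"constructed sample: only the reputation service knows it"
SENSITIVE_UNKNOWN = b"constructed sample: unseen file containing company secrets"


def run_demo(reachable: bool = True, upload_unknown: bool = False) -> Dict[str, object]:
    cloud = ReputationService({sha256_hex(CLOUD_KNOWN_BAD): "malicious"}, reachable)
    scanner = Scanner({sha256_hex(LOCALLY_KNOWN_BAD): "malicious"}, cloud,
                      fail_closed=False, upload_unknown=upload_unknown)
    results = {name: scanner.scan(blob) for name, blob in
               [("local_bad", LOCALLY_KNOWN_BAD), ("cloud_bad", CLOUD_KNOWN_BAD),
                ("unknown", SENSITIVE_UNKNOWN)]}
    return {"results": results, "queries": cloud.queries, "uploads": cloud.uploads}


if __name__ == "__main__":
    for name, r in run_demo()["results"].items():
        print(f"{name:10} {r.verdict:10} via {r.source}: {r.action}")
```

Run it with the service marked unreachable and the locally signed sample is still blocked while everything else falls back to a policy decision (`fail_closed`) instead of an error; run it with `upload_unknown=True` and the service’s `uploads` list shows exactly which file sizes left the machine, which is the behaviour a customer with sensitive data will want to see documented and switchable.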

 
Randy Abrams
Director of Technical Education

Postcard from Geneva


Wednesday, September 23rd, 2009

Virus Bulletin 2009 is now in full swing, though meetings and other issues have kept me from seeing as much as I’d like. Still, excellent opening and keynote speeches, and a very interesting talk on cyber-insurance from Pascal Lointier. (A bit of a first for me: though I’ve been attending VB most years since 1996 and have presented papers most years, I’ve never chaired a session before. It’s a lot less nerve-racking than presenting.)

Our own Juraj Malcho presented his paper on "Is there a lawyer in the lab?" on some legal issues that arise nowadays with certain kinds of malware. Though I’d already seen the paper, the presentation was still pretty riveting.

Jeff Debrosse presented our joint paper on "Malice through the looking glass": cunningly, I’d concentrated on the reserve paper that no-one has asked for yet, so I was able to enjoy his presentation and just popped onto the stage for the questions at the end. So my nerves have had a good old holiday so far. As long as no-one else drops out so I have to present after all… :)

Unfortunately I had to miss the vendor presentations, as I had to deal with some email issues that I’m still working on, but I’m sure Randy has done his usual excellent job on ESET’s vendor presentation.

Having a wonderful time

Wish you were here

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Genial Geneva and a note for Francophones


Tuesday, September 22nd, 2009

Bonjour mes amis!

Well, I am in Switzerland, and very close to the French border, for the Virus Bulletin conference – perhaps the most eagerly anticipated event in the anti-malware researcher’s calendar. How sad is that?

I also thought you might like to further extend your French skills on an article here, about a presentation Pierre-Marc made at our offices in Bratislava: http://www.globalsecuritymag.fr/Voyage-au-coeur-du-Cyber-crime,20090918,12795.html.

I think that means "A voyage to the heart of cyber-crime", but my French is about forty years rusty. If you’re here (or will be when the conference proper starts tomorrow), come and say hello!

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


 

That BT Scam Again


Saturday, September 19th, 2009

A few days ago, I mentioned an email chain letter that’s going round in the UK about a scam where "the bad guy poses as a telephone company operative and threatens to cut off service unless the panicked recipient of the call immediately pays an allegedly unpaid bill. Faced with a sceptical potential victim, the caller "proves" that he can cut off service immediately by telling them to try putting down the receiver and then trying to make another call."

The Register’s John Leyden has today picked up on the same story, having been alerted by a reader called Alex, who told El Reg that it happened to a friend of his. Well, that may well be, but the story sounds very like the chain letter that’s being circulated, even to the fact that the friend is apparently a subscriber to Virgin Media. Nevertheless, the Register article is well worth reading: BT seem to have confirmed that this type of scam is not only possible, but actually being carried out against subscribers to a number of telephone services*, and Leyden has quoted a statement at length from the company. He also noted a similar scam being carried out by criminals claiming to represent Ofcom, the UK telecom regulator (since when did they handle digital upgrades?), and also using the temporary disconnection trick I described in my earlier post.

*I don’t know if this means that people are getting these calls irrespective of which service they subscribe to, or that scammers are claiming to represent providers other than BT. I suspect the former, though, since other providers don’t usually provide infrastructure to each other.

Anyway…

  • While non-BT telephone services in the UK are often carried over BT cable, BT do not charge subscribers to those services directly for the use of their infrastructure.
  • BT staff do not use the "disconnection" trick, engineers do not normally handle financial transactions, and sales staff, helpdesk staff and so on don’t normally have direct access to engineering functionality.
  • If you find yourself at the other end of a dubious BT phone call, you can ask the engineer for his ID number. He can also give you an 0800 number to dial to check, but you might prefer to use the BT general enquiries number (0800 800 150) that BT themselves quote.
  • Ofcom have quoted a couple of contact numbers too. To contact Ofcom’s Advisory Team call 0300 123 3333; to contact Consumer Direct call 08454 04 05 06.
  • I’m only seeing reports of the scam (and the chain letter) in the UK. However, I wouldn’t be surprised to start seeing reports from other countries in due course. The disconnection trick isn’t restricted to the UK.

Finally, here’s a copy of the chain letter (thanks, Genna!), with my comments interleaved between the quoted paragraphs.

Subject: URGENT – New BT phone scam – BEWARE

— PLEASE PASS ON TO YOUR FRIENDS & FAMILY…

I detest chain letters in principle, but it does seem to be genuine, although not particularly common at the moment.  I suspect that the proliferation of the chain letter will actually encourage other scammers to try variations on the same scam (which is why I didn’t publish the full message before), but I guess that cat is out of the bag.

This new telephone ‘scam’ has arrived.

I received a call from a ‘representative’ of BT, informing me that he was dis-connecting me because of an unpaid bill. He demanded payment immediately of £31.00, or it would be £118.00 to re-connect at a later date.

The guy wasn’t even fazed when I told him I was with Virgin Media, allegedly VM have to pay BT a percentage for line rental!

I presume this is true, but BT are not going to ask subscribers to pay directly because of an alleged shortfall (and I suspect that the payment model is less account-specific anyway).

I asked the guy’s name – the very ‘English’ John Peacock with a very ‘African’ accent – & phone number – 0800 0800 152.

That’s very close to BT’s general enquiries freephone number, but I can confirm that it isn’t a recognized service number. (See end of quoted email.)

Obviously the fella realized I wasn’t believing his story, so offered to demonstrate that he was from BT. I asked how & he told me to hang up & try phoning someone – he would dis-connect my phone to prevent this.

AND HE DID !! My phone was dead – no engaged tone, nothing – until he phoned me again.

Very pleased with himself, he asked if that was enough proof that he was with BT. I asked how the payment was to be made & he said credit card, there & then.

I said that I didn’t know how he’d done it, but I had absolutely no intention of paying him , I didn’t believe his name or that he worked for BT.

As we’ve previously discussed, you don’t need to be a BT engineer to fake a temporary disconnection, though it won’t work as dependably as it did over analogue lines.

He hung up.

Did 1471 & phoned his fictitious 0800 number – not recognised.

1471 is a UK service number that gives you the number of your last caller, if Caller ID wasn’t blocked. Unfortunately, it’s not difficult to spoof a Caller ID, and in fact, it may be done legitimately (by organizations that use VoIP, for example).

I phoned the police to let them know, I wasn’t the first! It’s only just started apparently but it is escalating.

Their advice was to let as many people know by word of mouth of this scam. The fact that the phone does go off would probably convince some people it’s real, so please let as many friends & family aware of this.

I’d like to think that the police are not really advocating the use of chain letters for passing on alerts, but who knows? I would strongly recommend that if you feel it’s necessary to warn people about this scam (and I can see why you might) that you send them links to this blog and the Register article, rather than forward the chain letter.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Do You Wear a Seatbelt?


Friday, September 18th, 2009

Modern cars are designed with crumple zones. These crumple zones help to decrease the risk of death in a severe car accident. Modern cars also have airbags. The airbags reduce your risk of death or injury in the case of an accident. If you don’t use a seatbelt your airbag and crumple zone are unlikely to offer you much protection at all.

There was a day that antivirus software could protect you against almost all of the viruses in the world, but that day was significantly more than a decade ago. In today’s environment the bad guys will not release some of their malware until they have tested it and are certain that it will not be detected when it is released.

Various reports rate the effectiveness of antivirus software as low as about 25% detection. I don’t know how accurate the numbers are, but I can tell you this. If you approach security from the mindset of defense-in-depth and then say “antivirus” is a part of my defense and that part is reducing my risk by 25%, then you can see that even with far less than 100% detection, antivirus is still making a significant contribution to your security.

Education and wisdom are the most significant parts of defense in depth. If you know that Hotmail will never ask you for your password, then you are protected from phishing attacks that claim you will lose your Hotmail account if you don’t provide your password. If you know that pirated software is far more likely to have a virus or trojan in it, that knowledge won’t help if you are not wise enough to avoid downloading pirated software. The combination of knowledge and wisdom affords a lot of protection, though.

Personal firewalls help with security; browser add-ons like NoScript for Firefox can help with security too. Each layer of defense in depth makes you incrementally more secure. None of the technologies alone can do the whole job, or even most of the job, though.

So, when you see reports that antivirus software misses X% of the malware out there, remember, it is not possible for antivirus to detect 100%. The purpose of antivirus is to contribute to security and it does make a significant contribution to defense in depth.

The more educated you are, the less likely you will need your antivirus software. The less educated you are, the more you need the protection, but you still have far greater risk. Like a goalie, if your AV takes enough shots on goal then something will get by.

Randy Abrams
Director of Technical Education

Can’t Surf the Web?


Friday, September 18th, 2009

Australia’s Internet Industry Association (IIA) is working on best practices for isolating computers with bots on them (http://iia.net.au/index.php/initiatives/isps-guide.html)
At the same time, the Internet Engineering Task Force (IETF) is also drafting a document about the same thing (http://tools.ietf.org/html/draft-oreirdan-mody-bot-remediation-03)

If these recommendations are adopted then people who have bots on their computers would have to get their computers cleaned up before their ISP would allow them to surf the web. The idea has been around for quite a while, however issues such as cost and privacy have been the main barriers to the plans.

I do think it is likely that eventually your ISP will adopt an approach to identify customers who have bots on their computers and then limit their web access to a site that can help them clean their computer. I think it will be a few years before any major ISPs actually have full implementation of quarantining infected users, but the day may come that you won’t be able to surf the web if your computer is infected.
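The quarantine approach the IIA guide and the IETF draft describe is usually called a walled garden: a flagged subscriber’s web traffic is steered to a remediation page rather than being cut off outright. The following is an added example, not code from the IIA, the IETF draft or any ISP, modelling the decision an ISP’s edge would make for a quarantined customer. It keeps the two things a practitioner would insist on: the customer must still be able to reach DNS, the remediation portal and the AV/OS update servers (otherwise they cannot clean up at all), and a quarantine entry must expire so a stale detection does not lock someone out indefinitely. It also only acts on addresses in the ISP’s own customer ranges, since a sinkhole feed will contain plenty of other people’s infected hosts. Hostnames, address ranges and the sinkhole log lines are constructed stand-ins.

```python
"""Walled-garden policy for bot-infected subscribers (added example, not ISP code)."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

REMEDIATION_PORTAL = "cleanup.isp.example"            # assumed hostname
ALLOWED_HOSTS = {REMEDIATION_PORTAL,
                 "update.av-vendor.example",           # AV signature updates
                 "update.os-vendor.example"}           # OS patches
DNS_PORT = 53
# Constructed: the ISP's own subscriber address space. Only these get quarantined.
CUSTOMER_RANGES = [ipaddress.ip_network("192.0.2.0/24"),
                   ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class Quarantine:
    reason: str
    expires: datetime


class WalledGarden:
    def __init__(self, ttl: timedelta = timedelta(days=7)):
        self.ttl = ttl
        self.quarantined: Dict[ipaddress.IPv4Address, Quarantine] = {}

    def flag(self, ip: str, reason: str, now: datetime) -> bool:
        """Quarantine a subscriber; returns False if the IP is not one of ours."""
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in CUSTOMER_RANGES):
            return False
        self.quarantined[addr] = Quarantine(reason, now + self.ttl)
        return True

    def release(self, ip: str) -> None:
        """Called once the customer has cleaned up (e.g. from the portal)."""
        self.quarantined.pop(ipaddress.ip_address(ip), None)

    def decide(self, src_ip: str, dst_host: str, dst_port: int, now: datetime) -> str:
        """Per-flow decision: 'allow', 'redirect:<portal>' or 'drop'."""
        addr = ipaddress.ip_address(src_ip)
        q = self.quarantined.get(addr)
        if q is None:
            return "allow"
        if now >= q.expires:
            del self.quarantined[addr]          # stale detection: let it lapse
            return "allow"
        if dst_port == DNS_PORT or dst_host in ALLOWED_HOSTS:
            return "allow"                      # needed to reach the portal and clean up
        if dst_port == 80:
            return "redirect:" + REMEDIATION_PORTAL   # plain HTTP can be redirected
        # Everything else, including HTTPS (cannot be redirected without certificate
        # errors) and whatever the bot uses to talk to its controller, is dropped.
        return "drop"


def ingest_sinkhole_log(garden: WalledGarden, lines: Iterable[str], now: datetime) -> List[str]:
    """Parse constructed lines of the form 'TIMESTAMP src=IP dst=IP note=TEXT'
    and flag each source that is one of our subscribers. Returns the IPs flagged."""
    flagged = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if "src" in fields and garden.flag(fields["src"], fields.get("note", "sinkhole hit"), now):
            flagged.append(fields["src"])
    return flagged


SAMPLE_LOG = [  # constructed sinkhole hits
    "2009-09-18T10:02:11Z src=192.0.2.45 dst=203.0.113.9 note=c2-sinkhole",
    "2009-09-18T10:02:12Z src=203.0.113.77 dst=203.0.113.9 note=c2-sinkhole",  # not a customer
    "2009-09-18T10:05:40Z src=198.51.100.12 dst=203.0.113.9 note=spam-relay",
]


def run_demo() -> Dict[str, object]:
    now = datetime(2009, 9, 18, 12, 0, tzinfo=timezone.utc)
    g = WalledGarden()
    flagged = ingest_sinkhole_log(g, SAMPLE_LOG, now)
    decisions = {
        "web": g.decide("192.0.2.45", "www.example.com", 80, now),
        "https": g.decide("192.0.2.45", "www.example.com", 443, now),
        "dns": g.decide("192.0.2.45", "resolver.isp.example", 53, now),
        "av_update": g.decide("192.0.2.45", "update.av-vendor.example", 80, now),
        "clean_user": g.decide("192.0.2.46", "www.example.com", 80, now),
        "expired": g.decide("198.51.100.12", "www.example.com", 80, now + timedelta(days=8)),
    }
    return {"flagged": flagged, "decisions": decisions}


if __name__ == "__main__":
    out = run_demo()
    print("flagged:", out["flagged"])
    for name, d in out["decisions"].items():
        print(f"{name:10} -> {d}")
```

The allowlist is the part that decides whether quarantine helps or just generates support calls: if the update servers are not on it, the customer sees the remediation page but cannot actually fetch the tools to fix the machine. The drop rule for HTTPS and non-web ports is where the bot’s own command-and-control traffic is cut, which is the point of the exercise from the ISP’s side.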

Randy Abrams
Director of Technical Education