ESET Threat Blog

Archive for the 'General' Category

And talking of Cyber Monday…


Thursday, November 19th, 2009

Even in Europe, we have a rough idea of what Thanksgiving is about, though we don't celebrate it at the same time or in the same way. However, Black Friday and Cyber Monday are rather less well known outside the US.

Since Randy has already blogged on Cyber Monday and its security implications at http://www.eset.com/threat-center/blog/2009/11/19/is-cyber-monday-the-end-of-shopping-as-we-know-it, I took the opportunity to air a slightly more Eurocentric view at http://blog.isc2.org/isc2_blog/2009/11/they-call-it-cyber-monday-but-tuesdays-just-as-bad.html.

While you're away from this blog site, you might also be amused, in a cynical sort of way, by the fact that Qinetiq and New Scientist have solved the virus problem once and for all: http://avien.net/blog/?p=92. I believe they'll be starting on solving the Millennium Bug issue any year now.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Also blogging at:
http://blog.isc2.org/
http://avien.net/blog
http://blogs.securiteam.com
http://dharley.wordpress.com/

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/
 

Great Hoax From Little Acorns…


Wednesday, November 18th, 2009

I learned a new word today. "Glurge", according to snopes.com (an essential resource when checking the validity of dubious chain letters), is the sending of

inspirational (and supposedly true) tales … that often … undermine their messages by fabricating and distorting historical fact in the guise of offering a "true story".

I came across this definition while checking on the provenance of a number of chain letters that have crossed my path in the past week or two and that I've already described elsewhere. (I'll be returning to them in more detail shortly here, though, probably as a paper rather than as a blog.)

The particular example of glurge listed by snopes.com at http://www.snopes.com/glurge/daughter.asp is one of several chain letters I've seen that require me to forward chain letters in order to prove that I care about the fate of English troops in Afghanistan. (Since I do, in fact, have a close relative serving in the military, I find that somewhat offensive, and I think he would too.)

And thereby hangs a tale. Randy Abrams and I wrote a paper for this year's Virus Bulletin conference called "Whatever happened to the unlikely lads? A hoaxing metamorphosis" that traces the evolution of hoaxes from virus scare stories to emotional blackmail as the social engineering mechanism for persuading people to disseminate hoaxes and semi-hoaxes. If you think that chain letters stopped being an issue when people finally realized that there is no "Good Times" virus and that the SULFNBK hysteria was just that, it might just change your mind. You can find it on the ESET white papers page at http://www.eset.com/download/whitepapers/Harley-Abrams-VB2009.pdf.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


The Honour’s All Mine


Wednesday, November 18th, 2009

(Much) earlier this year, Randy posted a blog on some email he received about his inclusion in the 2009/2010 Princeton Premier Honors Edition Registry (http://www.eset.com/threat-center/blog/2009/01/09/what-an-honor).

I was reminded of it (yes, Randy, someone does read your blogs ;-) ) when I got a couple of emails telling me I'd been nominated for an entry in the Marquis Who's Who In America. In fact, I assumed the first one was spam at best and ignored it, but when I got a reminder, I checked back to Randy's blog to see if it was the same publisher, which it apparently isn't. In fact, although there are indeed lots of "Who's Who" vanity scams, Who's Who In America seems to have some legitimacy, according to Wikipedia (http://en.wikipedia.org/wiki/Marquis_Who's_Who), though since some of the information in that article seems to be quoting the Marquis web site, the usual caveats about Wikipedia accuracy apply, only more so.

Anyway, since I'm not a "living" American, don't live in America, and some days I'm not even sure I'm a "living" Englishman, I don't think I'll be filling in the form (and I'm afraid I don't have Sting's email address). I'd love to know, though, who nominated me (or is that just a standard distractor from the fact that they're just raiding spammers' address lists, like everyone else?)

If it was one of the dozen or so people who buy my books (or maybe one of the slightly larger volume of people who download them illegally!), thanks anyway. :)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Biting the Hand that Feeds You?


Tuesday, November 17th, 2009

Verizon has just done something rather brave. The company has issued a report, the "ICSA Labs Product Assurance Report" (http://www.icsalabs.com/sites/default/files/WP14117.20Yrs-ICSA%20Labs.pdf), that talks about the difficulties that most products have in meeting the requirements of ICSA Labs certification.

Why is it brave? Because those companies provide ICSA Labs with a healthy income, and might therefore be a little upset to have it suggested that some of them need to be nursed through the certification process? Well, I don't think security companies see it that way, though you might think that was the whole point, on a superficial reading of some of the news items inspired by this report.

John Leyden says in The Register that "Most security products not up to scratch. But most of all, you've let yourself down" (http://www.theregister.co.uk/2009/11/17/security_kit_testing_fail/)

Dan Raywood says in SC Magazine that "Over three quarters of security products fail an initial test and do not adequately perform." (http://www.scmagazineuk.com/over-three-quarters-of-security-products-fail-an-initial-test-and-do-not-adequately-perform/article/157883/)

Thomas Claburn says in InformationWeek that "Most Security Products Fail Initial Certification Tests. A study based on the testing of thousands of security products over 20 years finds that most require several rounds of testing before achieving certification." And I think that's closer to the real process. (http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=221800223&cid=alert_art_sec_d_m)

To look at the issue in terms of short term failure would be to miss the point, though. There has been a certain amount of criticism of ICSA Labs, among others, in the past, because it gives companies with products under test latitude when it comes to re-testing and re-certification. (And that's where the bravery comes in…) That latitude runs contrary to the way that some testers work, stress-testing the product under test by "tricking" it into demonstrating its weaknesses rather than coaxing it into demonstrating its capability. [1] But that's precisely why it's a Good Thing.

ICSA Labs certification isn't just about saying whether a product is "good" or "bad": I'd argue that any detection-oriented test that is entirely focused on that is probably not fully aware of the implementational difficulties and margin for error in even the best detection testing in the current threatscape. The value of the ICSA Labs certification process lies not just in the fact that it's tough (and it is: apparently, only 4% of tested products pass during the first testing cycle) but in the fact that it's a collaborative process that allows and encourages the vendor to work on the product until it passes, and then requires us to maintain those standards over time.

Read the report: it's about a lot more than product failure, and I can think of other testing and certification labs that could learn from it.

[1] "Antimalware Evaluation and Testing" (Harley and Lee) in "AVIEN Malware Defense Guide" (Ed. Harley, Syngress, 2007)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


No Mule’s Fool


Tuesday, November 17th, 2009

After a few years in the security business, it's easy to get a bit too used to the background noise, and forget that not everyone is familiar with concepts like phishing (see Randy's recent blog at http://www.eset.com/threat-center/blog/2009/11/16/once-upon-a-cybercrime%e2%80%a6), or botnets ("whatever they are", as my brother said to me quite recently), or money mules. I've written about muledriving quite a few times in the past ten years, so it comes as a bit of a shock to realize that according to a survey by GetSafeOnline.org, nine out of ten people don't know what a money mule is. Well, less of a shock now that I've seen the CERC survey that Randy's blog cites.

According to the song by Johnny Burke and Jimmy Van Heusen, a mule is an animal with long funny ears, a brawny back, and a weak brain. In the twilight world of drugs, phishing and money-laundering, the term has more sinister connotations. 

A money mule may be a courier, like the mules we hear of in drug-trafficking, but in the phishing world, is likelier to be someone whose bank account is used to launder money. When a phisher steals money from an account in another country, it can be difficult for them to transfer it across international borders. It’s much easier for them to recruit “mules” in the same country (and even using the same bank) as the victim. The money is transferred to the mule’s account, and he in turn forwards the money overseas using a wire transfer service, having deducted his commission. Not only does this make the transfer easier, it can make it harder for police forces to trace the gangs. A mule may also receive goods ordered with a misappropriated credit card and sell them or forward them.

Muledrivers (the guys who recruit and direct money-mules) sometimes go to considerable trouble to make their recruitment emails and sites look genuine, and indeed sometimes go through genuine job-sites, so it's quite likely that some mules aren't aware that they're engaged in criminal activity. Unfortunately for them, when the police come knocking, it's more likely to be on a mule's door than the muledriver's.

None of this is particularly new – it's at least as old as phishing as we now understand it. But that doesn't mean it's not a major problem. According to Get Safe Online (The Blog), "At any given time, there are approximately 100 known mule recruitment sites targeting the UK, each of which may have lured in around 50 active mules. The risk is that by allowing their bank accounts to be used to receive and transfer illegal funds, mules are breaking the law – even if they don’t realise it."

I'm currently revisiting muledriving for a white paper. In the meantime, any recruiter who mails you apparently at random (the way that phishers do) is just using a spammer mailing list. Unpersonalized recruitment mails are bad karma. And anyone who's interested in recruiting you for your bank account is almost certainly a badhat. Impressive job titles like "finance manager" or "shipping manager" notwithstanding.

[1] "Stalkers on your desktop", in AVIEN Malware Defense Guide (ed. Harley, Syngress 2007): http://www.amazon.com/AVIEN-Malware-Defense-Guide-Enterprise/dp/1597491640

[2] "The Spam-ish Inquisition" (Harley & Lee, 2007): http://www.eset.com/download/whitepapers/Spamish_Inquisition.pdf

[3] "A Pretty Kettle of Phish" (Harley & Lee, 2007): http://www.eset.com/download/whitepapers/Pretty_Kettle_of_Phish.pdf

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


What a performance!


Monday, November 16th, 2009

We came across an interesting test report at http://www.passmark.com/ftp/antivirus_10-performance-testing-ed2.pdf. Symantec commissioned a comparative performance test from Passmark. That is, a test measuring performance in terms of speed and resource usage rather than looking at detection rates.

Not surprisingly, Symantec came out very well overall, and deserves congratulations for demonstrating how far it's gone in addressing its reputation for slow and bloated software. Given that ESET Smart Security also came out rather well, it may seem churlish to raise objections: however, we did wonder about one of the test results. In the "Memory Usage While Idle" table, ESET's RAM usage is quoted as 31.7 MB, which is well below average and less than 1/3 of the memory used by the most voracious RAM-eating product out of all the products tested. But Norton Internet Security 2010 apparently used only an impressive 10.85 MB, measured with Process Explorer and Perflog++.

However, when we tried an alternative approach measuring commit charge, which we consider a more accurate measurement of a product's impact on the system, we found that Norton Internet Security 2010 increased the total system commit charge by 93 MB, whereas ESET Smart Security increased the total system commit charge by just 48 MB. The difference between the two methods is that commit charge measures the total amount of memory used by the system and how it increases when an application is running. Viewing the individual process memory consumption in Process Explorer does not expose all memory used by the application.

Which kind of proves that in performance testing, there's more than one way to skin a cat. Which skinning method you choose might depend on how sharp your knife is. ;-)
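The commit-charge comparison described above, as an added example (this is not code from the original post, nor from Passmark, Symantec or ESET): a PowerShell script that samples the system-wide commit charge on a clean, idle image, then again once the product is installed and idle, and sets that delta beside the Private Bytes of the product's own processes. The `\Memory\Committed Bytes` performance counter is the real Windows counter for commit charge; the process names, the state-file path and the script name in the usage note are placeholders to replace for the product under test.

```powershell
# Added example: measure a security product's memory footprint two ways.
#   1. Private Bytes of the product's visible user-mode processes (the per-process view)
#   2. Increase in system-wide commit charge between a clean image and the same
#      image with the product installed and idle (the commit-charge view)
param(
    [Parameter(Mandatory)][ValidateSet('Baseline', 'Measure')][string]$Phase,
    [string]$StateFile = "$env:TEMP\commit-baseline.json",       # placeholder path
    [string[]]$ProcessNames = @('examplesvc', 'examplegui'),     # assumption: product's process names
    [int]$Samples = 6,
    [int]$IntervalSeconds = 10
)

function Get-CommitChargeBytes {
    # System-wide commit charge: every process's private committed memory plus
    # pagefile-backed kernel-mode allocations (e.g. paged pool) that no per-process
    # column shows. This is the figure Process Explorer calls "Commit Charge".
    (Get-Counter -Counter '\Memory\Committed Bytes').CounterSamples[0].CookedValue
}

function Get-AverageCommitBytes([int]$Count, [int]$Interval) {
    # Commit charge drifts even on an idle box, so average several spaced samples.
    $total = 0
    for ($i = 0; $i -lt $Count; $i++) {
        $total += Get-CommitChargeBytes
        if ($i -lt $Count - 1) { Start-Sleep -Seconds $Interval }
    }
    return $total / $Count
}

function Get-PrivateBytesForProcesses([string[]]$Names) {
    # The per-process view: Private Bytes summed over the named processes,
    # roughly what a Process Explorer column reports for them.
    $procs = Get-Process -Name $Names -ErrorAction SilentlyContinue
    if (-not $procs) { return 0 }
    return ($procs | Measure-Object -Property PrivateMemorySize64 -Sum).Sum
}

function ConvertTo-MB([double]$Bytes) { [math]::Round($Bytes / 1MB, 1) }

switch ($Phase) {
    'Baseline' {
        # Run on the clean image, before the product is installed, once the system is idle.
        $commit = Get-AverageCommitBytes -Count $Samples -Interval $IntervalSeconds
        @{ CommitBytes = $commit; Taken = (Get-Date).ToString('o') } |
            ConvertTo-Json | Set-Content -Path $StateFile
        "Baseline commit charge: $(ConvertTo-MB $commit) MB (saved to $StateFile)"
    }
    'Measure' {
        # Run after installation, with the product idle (no scan or update in progress).
        $baseline = (Get-Content -Path $StateFile -Raw | ConvertFrom-Json).CommitBytes
        $commit   = Get-AverageCommitBytes -Count $Samples -Interval $IntervalSeconds
        $perProc  = Get-PrivateBytesForProcesses -Names $ProcessNames
        $delta    = $commit - $baseline
        [pscustomobject]@{
            'Commit charge delta (MB)'              = ConvertTo-MB $delta
            'Product processes, Private Bytes (MB)' = ConvertTo-MB $perProc
            'Delta not visible per-process (MB)'    = ConvertTo-MB ($delta - $perProc)
        } | Format-List
    }
}
```

Usage (script name is a placeholder): run `.\Measure-CommitCharge.ps1 -Phase Baseline` on the clean image, install the product, reboot and let it settle, then run `.\Measure-CommitCharge.ps1 -Phase Measure -ProcessNames <product processes>`. The last line of the output is the part the per-process method cannot see: memory committed by the product's kernel drivers, by helper processes you did not name, and by any pool it causes the system to allocate. Keep the sampling count and interval identical across both phases, and take both measurements on the same image and patch level, since the baseline is only meaningful if nothing but the product changed between the two runs.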

Andrea Kokavcova
Senior Marketing Research Analyst
 

Botnets, Complacency and the UK Government


Monday, November 16th, 2009

Gadi Evron drew my attention in an article for Dark Reading to a piece in IT Pro by Asavin Wattanajantra. The piece quotes Dr. Steve Marsh, of the UK's Cabinet Office (the Office of Cyber Security, to be precise) as saying that botnet operators are interested in money-generating attacks on the private sector, not causing damage to "national networks".

You might recall that I made a not dissimilar point in this blog with regard to Conficker, when we were all wondering what April 1st would bring: basically, I maintained that the Conficker gang was unlikely to attack the Internet infrastructure, as some journalists and others were fearing.

However, I don't feel, for a number of reasons, that the UK government (or any government) should be complacent about the risk from botnet-directed attacks for purposes of espionage or cyberwarfare (whatever you may understand by that particular buzzword). I've explained my reasons for that in a blog for (ISC)2 (International Information Systems Security Certification Consortium) at http://blog.isc2.org/isc2_blog/2009/11/botnets-not-a-problem.html.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


AVIEN blog: Absolute Elsewhere


Saturday, November 14th, 2009

Strangely enough, I'm actually encouraged to contribute to other blog pages, perhaps in the hope that I'll stop cluttering this page with rubbish about iPhones.

Today I've finally remembered that I'm supposed to contribute regularly to the AVIEN blog page at http://avien.net/blog/. You might find these a little lighter in tone than I tend to be here, but still security related (AVIEN is the Anti-Virus Information Exchange Network):

Lawyers in Love: http://avien.net/blog/?p=35

Now we are 60-something: http://avien.net/blog/?p=40

(Grannyx is a version of Linux safe enough for your Granny to use: it's a bit hypothetical at the moment but Alan Solomon has been advocating it for years.)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Is There A Lawyer In The Lab?


Saturday, November 14th, 2009

Now that the end-of-year security conference season is winding down, we're able to start making available some of the presentations and papers that we've been building up in the past few months, but haven't been able to make publicly available ahead of the events for which they were written.

We've already made available a slide deck by Juraj Malcho, Head of our Virus Lab in Slovakia, based on his paper "Is there a lawyer in the lab?" for this year's Virus Bulletin conference. Now, by kind permission of Virus Bulletin, who hold the copyright, we've put up the paper itself, as published in the conference proceedings.

In this industry, we see many applications being developed that have hidden or fraudulent intentions, or which are at best of doubtful usefulness. Many of these applications are not the typical malware used in cybercrime nowadays (like bots or spyware trojans), but rather what we call potentially unsafe or unwanted applications. However, this dubious software is often associated with groups responsible for malware dissemination, and is often distributed using unfair practices such as spam campaigns or push-installations performed by malware. When such programs are detected by security software, it's not unusual for their authors to engage us in legal battles that consume significant human and financial resources.

This paper explores the topics mentioned above and considers the boundary between legitimate and illegitimate applications. The problems are explained with reference to several case studies documenting our experiences with such software.

More papers soon!

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


When is a worm not a worm?


Friday, November 13th, 2009

Will No-One Rid Me Of This Turbulent Hacker Tool? (http://en.wikipedia.org/wiki/Thomas_Becket)

I was kind of hoping to have moved on from the iPhone data stealing hacker tool by now. While I do think it's a significant development (see http://www.eset.com/threat-center/blog/2009/11/12/iphone-hack-tool-a-postscript), there comes a point where the sheer volume of discussion of the subject gives it more importance than it really deserves.

However, I can't help but notice that there have been frequent references, based on both the Intego post and on my blogs, to a virus or a worm. Well, of course, I'm fully aware that many people talk about viruses when they mean all sorts of other malware, and if I'm not exactly resigned to it, I don't usually spend much time complaining about it.

In this case, however, it actually matters. The source code I have in front of me has no replicative code, so it's not a virus and it's not a worm. It isn't even a Trojan: if you run this code, you're not in any doubt as to what it does. It announces itself quite clearly as a program for stealing data, and keeps you informed as to what data it's trying to steal and whether it succeeds.

It is, in fact, a (very) basic tool that could be used by a badhat, in much the same way that he might use a sniffer or password cracker: it would require modification just to scan a different network.

I don't know if Intego are looking at exactly the same code. The article by Peter James suggests functionality that isn't present in the script I have, but he may just be indicating functions that the script could have in addition to those already present. Intego have confirmed to me, though, that what they have is a hacker tool with no self-replicating code.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
