ESET Threat Blog

Archive for the 'AMTSO' Category

October Global Threat Report


Monday, November 2nd, 2009

As usual, ESET has released its monthly Global Threat Trends Report, which will be available in due course at http://www.eset.com/threat-center/index.php.

There are no surprises in the top five malicious programs, which have the same rankings as in the September report. Clearly, not enough people are taking our accumulated advice on reducing the risk from Conficker, INF/Autorun and so on. :(

Something I didn't anticipate, though, is the dramatic upsurge in Win32/Flystudio detections. This class of threat has been around for a while. It did feature strongly in our July report, when it came in from nowhere to number 5, and then hovered around the lower reaches for a while. Well, this month it shot back from 46 to 6. Here's the description from the latest report.

6. Win32/FlyStudio
Previous Ranking: 46

The Win32/FlyStudio threat is designed to modify information inside the victim's Internet browser. This threat will modify search queries, with the intention of delivering advertisements to the user. Win32/FlyStudio seems to be targeting users located in China.

What does this mean for the End User?

FlyStudio is a popular scripting language, much used as a development tool in China. However, the malicious code is being reported in other regions too, including North America. This may mean that it has been deployed by other malware.

Win32/TrojanDownloader.Swizzor, however, has dropped out of the top ten.

Other items discussed include:

  • The AMTSO workshop in Prague, which inspired lively debate about when, if ever, it's acceptable to create samples for testing, and the thorny issue of AMTSO compliance – what is it, and who can legitimately claim it?
  • An interesting exercise conducted by Christopher and Samir at the First International Workshop on Aggressive Alternative Computing and Security, in which they installed a number of scanners (including NOD32) then logged in as administrator and tried to disable them. We're pleased to note that our product was one of those fairly resistant to such tampering, but we're not convinced that this is a very useful way to test the efficacy of a product. I'll return to that shortly in a separate blog.
  • The Halloween Search Engine Optimization (SEO) poisoning issue already blogged here.

Perhaps the most interesting, though, is the first sight of some statistics garnered from a cybercrime survey conducted by Competitive Edge Research and Communication Inc. on behalf of the Securing Our eCity initiative, which ESET sponsors. We'll be talking more here about some of the data points from that report in the near future, but an issue that the October report focused on was the finding that 63% of adults seem to think cyber criminals are mostly individual computer hackers, whereas only 21% regard organized crime as primarily responsible for cybercrime.

As the report suggests, in the last quarter of 2009 that’s a pretty frightening statistic. It may not matter to the individual computer user who is responsible for specific threats, as long as he takes the right countermeasures. But if people don't understand the nature of the threat properly (and the security industry is apparently failing to convey that information), it seems likely that they don’t understand what constitutes an appropriate countermeasure, either.

Someone asked me today to hazard a guess at the ratio of individuals to organized crime in the current threatscape. I don't really have information that specific, and automatically mistrust it when other companies offer it, unless I know it comes from someone who spends a lot of time interacting with people I wouldn't want to meet in a dark alley.

It depends on your definition of organized crime, I guess. There are plenty of horror stories about various flavours of mafia, but there are certainly also one-man-band criminals out there, not to mention the amateurs still throwing out Proof of Concept malware and probing systems for the hell of it, or the kudos of discovering a poorly protected site.

However, most attacks are profit-driven, and most profit-driven attacks appear to be made by gangs. On the other hand, a lot of what crosses my radar is freelancers offering specific services to anyone who’ll pay for banking Trojans, or 0-day exploits, or credit cards, or whatever. So the market is certainly “organized”, but some of the players aren’t necessarily aligned with one group in particular. Having said that, though, if their services are “good” enough, I’d assume that they’ll catch the attention of the major gangs.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

So What Is AMTSO Compliance?


Friday, October 16th, 2009

The AMTSO (Anti-Malware Testing Standards Organization) meeting in Prague, which took place at the beginning of this week, proved to be rather more exciting than you might expect from a group with the word "Standards" in its name.

One of the issues that caused particularly lively debate centred around the question of what constitutes AMTSO compliance, whatever you might understand by that term. When a tester claims to be AMTSO compliant – and many have started to do that – or uses phrasing that implies compliance, such as "following AMTSO principles", what does that mean?

Well, up to now, such phrasing has meant less than you might think it does, because AMTSO hasn’t formally defined what "AMTSO compliance" actually is. This has led to a certain amount of confusion, not only as regards testers’ claims to be compliant, but because AMTSO’s stance has been misinterpreted as meaning that dynamic testing is automatically compliant, while static testing is automatically non-compliant. (I don’t think this is at all the case, but I’ll come back to the static versus dynamic versus hybrid testing topic another time.)

What concerns me right now is that bitter experience suggests that if a tester makes a point of claiming that his methodology is conformant with the AMTSO guidelines, quite a few people will accept that claim uncritically. It seems to me that there’s a need for AMTSO to take ownership of the term "AMTSO compliant" before someone else (or, even worse, everyone else) does. In fact, some recent events have forced the organization to start thinking about specific steps in that direction. While nothing is finalized, it’s likely that in order to minimize the possibility of abuse and a definitional free-for-all, these steps will be based on the idea of self-assessment that the organization was already considering.

This doesn’t, of course, mean that anyone is going to be able to say "Yes, of course we’re compliant." Rather, I’d envisage that testers wishing to use the term or something similar will have to complete a self-assessment form, which will have been received and acknowledged by AMTSO, and which will make them accountable to AMTSO for the use (or misuse) of claims of compliance.

In the meantime, I’d strongly recommend that if you come across claims of "compliance", you take them as a declaration of intent to comply: it doesn’t mean that they are proven to comply or have the blessing of AMTSO.

I’d guess (or hope) that eventually you’ll be able to check on the AMTSO web site as to whether a given tester has completed the self-assessment process (when it actually exists). Even then, since AMTSO is not a certification body (not yet, anyway – who knows what will happen further down the line?), it probably won’t mean that any specific test from that tester or organization is compliant. Unless, of course, an analysis from the Review Analysis Board has determined that it is.

Even if the tester is a member of AMTSO, that doesn’t mean at all that they have the automatic endorsement of the organization for their testing. Indeed, they’re at least as liable as anyone else to have their adherence to the AMTSO principles scrutinized by the Review Analysis Board.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


AVIEN and Testing


Tuesday, October 6th, 2009

Some readers will be aware of my long-standing connection with the Anti-Virus Information Exchange Network (AVIEN) at http://www.avien.net (I hold the title of Chief Operations Officer there). AVIEN has now instigated a members’ blog at http://www.avien.net/blog, and I’ve put up a couple of blogs today on testing to help kick it off (Andrew Lee, my former colleague at ESET, is also doing some blogging there).

Testing, Testing (yes, Andrew and I did use that as the title of an ESET conference paper!) asks whether an anti-malware testing organization can claim that its testing is "open and transparent" (i.e. in accordance with principle three of the AMTSO fundamental principles of testing document) if that information is only made available for a fee to the company that makes a tested product, and whether making such a charge before the test really qualifies as "vendor independent". (These are issues that are likely to come up for heated discussion at the AMTSO Workshop in Prague next month.)

Blog Reviews points to some resources addressing the FTC’s (Federal Trade Commission) attempt to make bloggers who review products (not just AV products, of course) more accountable by making them declare financial interest/bias. This is, of course, an example of AMTSO’s principle two in action: it deals with bias, financial incentives and so on.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Making Malware


Wednesday, September 30th, 2009

McAfee Avert Labs has been advertising a "Malware Experience" session for the "Focus 09" security conference, which offers attendees the chance "to work with a Trojan horse, commandeer a botnet, install a rootkit and experience first hand how easy it is to modify websites to serve up malware."

Actually, this text has been modified: it originally said to "create" a Trojan horse. It would appear that this was a matter of poor choice of expression rather than a sign of the company’s veering into real malware creation, which has always been a "no-no" among established AV companies. I’m guessing that after Michael St. Neitzel’s thoughtful blog generated some animated discussion (yes, I did join in…), someone with a clue at McAfee administered some corrective action. Yes, there really are people with a clue there. :)

An apparently official comment clarifies their position, reassuringly.

The interesting thing, though, is that the comments to Michael’s blog have illustrated once more the gulf between the views of the mainstream vendors and others both in and out of the security community as to whether it’s useful, ethical, misleading, inappropriate etc. to create malware, either for testing or for educational purposes.

Of course, the McAfee session isn’t directly associated with the use of malware creation for testing purposes, which is a discussion that the Anti-Malware Testing Standards Organization (AMTSO) will have high on the agenda at our Prague meeting in October. But it is a perfect illustration of how sadly the anti-malware industry has failed to make clear its objections (which are well-founded, in my humble opinion, but the important thing is to actually voice them) to the rest of the world.

The AMTSO paper up for discussion in Prague is the industry’s opportunity to fix that shortcoming once and for all: I sincerely hope we make the best of it.

(Thanks to Andreas Clementi, Michael St. Neitzel and Alex Eckelberry for drawing my attention to this issue.)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


AMTSO Anticipations


Tuesday, September 15th, 2009

One of the more interesting things to happen to me in the past few months – well, that I’m going to talk about in public – is that I was elected to the Board of Directors of AMTSO (The Anti-Malware Testing Standards Organization). Interesting and scary: the first couple of months have seen me at three face-to-face meetings (fortunately for me, two of them were one after the other at the same venue in the UK), and my conference calls and email volumes have definitely escalated.

But that’s OK. If you’ve been following my blogs over the past 18 months or so, or seen any of my presentations on testing, you’ll have noticed that I’m pretty enthusiastic about AMTSO and its aims: I believe that it’s the best chance we have right now of closing the enormous gap between the unrealistic assumptions, expectations and methodologies adopted by so many testers, and the realities of the threatscape and the security technologies that this industry currently works with. I’m well aware that many people are cynical about the purity of intent of anti-malware companies, but there are some of us who believe that fairer testing would benefit the better security vendors as well as their customers.

Right now I’m trying to catch up with the papers that have been circulated following the last members’ meeting in Budapest a few months ago, in preparation for the next meeting, which takes place in Prague next month (hard on the heels of next week’s Virus Bulletin conference in Geneva).

I expect a lot of exciting stuff to find its way onto the agenda: there are quite a few more papers on their way through the compiling/editing/approval process, some on such controversial topics as malware creation.

I also expect some lively discussion around the topics discussed at the strategy meeting at the end of August, where the Board of Directors and the Advisory Board met. The Advisory Board is a group of respected individuals who are well acquainted with the malware field, but not aligned with the industry: as there are quite a few security vendors participating as members, the AB’s impartial advice is invaluable in helping to correct any tendency to focus on the interests of the security and testing industries at the expense of the wider community.

There’s been a lot of interest in the Review Analysis Board in recent months, and one of the topics likely to be discussed in depth is the possibility of streamlining that process and supplementing it with other measures of compliance with AMTSO testing principles. That may lead to some heated debate, but I think it’s a necessary discussion: AMTSO compliance, whatever you (or I) may understand by that term, is something that a lot of people are anxious to see.

If you’re affiliated with a company that’s already a member, maybe I’ll see you in Prague. If you’re not, but you’re going to be in Geneva for VB 2009, you may find Righard Zwienenberg’s AMTSO presentation on Thursday 24th of interest. Either way, I hope to see some of you at one event or the other, or both. I’m more than happy to talk about ESET, AMTSO, AVIEN or anything else. :-D Though not necessarily officially…

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


AMTSO – the Next Generation


Wednesday, September 2nd, 2009

I’ve just returned from Canterbury in the UK. One of the reasons I was there was to present a paper on malware naming at CFET 2009 (3rd International Conference on Cybercrime Forensics Education & Training). It was an excellent conference, and I’ll have more to say about that later (and the paper will be available shortly on our white papers page).

Earlier on, though, I was at a couple of AMTSO meetings. As I’ve mentioned here quite a few times before, ESET is highly committed to the aims of AMTSO (the Anti-Malware Testing Standards Organization): not only are we highly active members, but I recently joined the Board of Directors, and one of the meetings I attended in Canterbury was between the BoD and the AMTSO Advisory Board.

I have plenty to say about that, too, when I’ve finished a paper that has to be submitted by Friday, but Neil Rubenking, author, journalist and reviewer, and a valued member of the AB, has already covered some of that ground pretty well, so for the moment I’ll refer you to some blogs he’s published on the subject:

http://blogs.pcmag.com/securitywatch/2009/08/meet_the_amtso_board.php
http://blogs.pcmag.com/securitywatch/2009/08/what_is_the_amtso.php
http://blogs.pcmag.com/securitywatch/2009/09/going_forward_with_amtso.php
http://blogs.pcmag.com/securitywatch/2009/09/who_cares_about_amtso.php

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


(User) Education, Education, Education


Sunday, August 23rd, 2009

Regular readers will be aware that, unlike many people in the security industry, people in this research team tend to be enthusiastic supporters of security education for end users, both inside and outside business: not as The Answer To Everything, not in terms of turning everyone who uses the Internet into a security expert, but as an essential part of any business, social or political strategy for making cyberspace a safer experience for everyone.

In fact, Randy and I wrote a paper for last year’s AVAR (Association of anti Virus Asia Researchers) conference ("People Patching: Is User Education Of Any Use At All?") that covers some of those issues in some depth, and ESET strongly supports and is very active in a number of initiatives such as Securing Our eCity, which is very much focused on "educational programs, tools and technologies", and AMTSO (Anti-Malware Testing Standards Organization), which is far more narrowly focused in its topic matter, but also regards education and the sharing of information as fundamental to its mission.

So it was very interesting to see an article on SC Magazine’s UK web site based on an interview with our own Juraj Malcho, head of the Virus Lab in Bratislava, in which he presented his views on user education, highlighting a crucial issue: the fact that user education is an ongoing process, not a one-off.

The sad fact is that education is conceptually simple but in practice quite difficult, at least in the long term. Many educational mechanisms are based on alerts and warnings about specific threats, and we’ve seen many times that such alerts can seriously mitigate the impact of a threat in the short term: for example, when we were able to provide some early warning about the Waledac July 4th spam run. And as long as the bad guys are lazy about using infection mechanisms delivered with stereotypical messages, some people will remember the last time and be more cautious the next time a similar social engineering hook is used. (Sadly, some people will fall time and time again for the same con, and they represent a particular educational challenge…)

However, not all Black Hats are so obligingly lazy: some show startling creativity, not only in technical terms, but in generating new social engineering traps for the unwary. (My colleague Cristian Borghello, at ESET Latin America, has an interesting paper that addresses some aspects of the social engineering problem here.) Unfortunately, many potential victims are less adaptable, and find it difficult to extrapolate from one threat to another.

So while education remains an important, even essential supplement to other, more technical solutions, it can’t usually replace them. It’s just part of a wider defensive strategy. Though if we could find an effective way of teaching scepticism, that would make the bad guys’ job a lot harder. E.M. Forster said something like "the confidence trick is the work of man, but the want-of-confidence trick is the work of the devil." The fact is, though, that a little paranoia can save a lot of heartache, and some very bad men rely on the gullibility of others.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


ThreatSense.Net® Report for July


Monday, August 3rd, 2009

Our July ThreatSense.Net® report has been released today, and will eventually be available from the Threat Center page here. Most of the top ten entries are old friends: well, familiar names might be a better way of putting it. One of the disadvantages of having a scanner that makes heavy use of advanced heuristics is that many of the most common detections don’t really map to single malware families the way that they do for companies that are more signature-oriented.

There are advantages, though, as we’ve discussed before, apart from the obvious (and important) advantage of proactive detection: it gives us more time to concentrate on processing detections rather than fussing with crossmatching samples to malware families, and it gives us a better picture of major threat trends, which we consider to be more useful. Unfortunately, some sectors of the media are still hung up on the minutiae of malware naming, which I don’t consider so important at a time when some sources are talking about collections of (much) more than 20 million individual samples. Hopefully they’ll catch up with the rest of us eventually…

Pierre-Marc and I presented a paper on the naming problem at Virus Bulletin last year, and I’ve developed the theme further in another conference paper that will be available on the white papers page in September.

As it happens, there aren’t a lot of surprises: the first few positions remain unchanged from June. However, Win32/TrojanDownloader.Bredolab.AA, despite a strong local showing in some countries, has dropped out of the worldwide top ten, while W32/FlyStudio is in at Number 5. FlyStudio is kind of interesting: it’s not exactly a malware family, but a development platform (a scripting language, to be more precise) much used in China. Unsurprisingly, the FlyStudio malware we’re seeing also seems to be targeting computer users in China, but is also being reported elsewhere, including North America. This may mean that it’s being deployed by another malware family.

Elsewhere in the top ten section, we’ve updated some of the descriptions. Over the lifetime of a threat family, there are often substantial changes in the way the malware works, or in our understanding of it as more variants appear and more information becomes available. And, as usual, we’ve included some notes on other issues that have been addressed recently by the labs and/or the Research team, including:

  • Adobe and Microsoft patching issues
  • Twitter and Facebook problems
  • A little about AMTSO
  • Some white papers that are about to appear
  • Waledac and the Dewey Effect
  • ESET in Europe’s initiative on safe wi-fi.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


CARO and AMTSO


Tuesday, May 26th, 2009

In previous blogs, I mentioned that some of the presentations from the CARO workshop a couple of weeks ago were likely to be made available publicly.

Unfortunately for non-attendees, most of the presentations are only available to people who were there: however, some can be downloaded by the public from here.

In case I didn’t mention it before, the papers approved at the AMTSO (Anti-Malware Testing Standards Organization) workshop that followed it are now available here.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Comparative Testing and Swimming the Channel


Friday, May 22nd, 2009

Greetings, friends, fans and foes. I know it’s been a while, but I’ve been travelling, with intermittent connectivity: first the Infosecurity expo in London, then the CARO and AMTSO workshops in Budapest, then the EICAR conference in Berlin. This week I’ve been at the Channel Expo in Birmingham (the one in the UK, that is) – I get to all the glamorous places, especially the ones that begin with a "B".

Channel sales isn’t something I know a lot about: while anti-malware people are generally acknowledged to be greedy, unscrupulous low-life bottom-feeders profiting from the misfortunes of others, I’ve spent most of my career in AV research as a customer, and am still acquiring the taste for human blood that is apparently a prerequisite for working in this industry. That doesn’t mean, though, that I don’t appreciate the hard work of the people in sales and marketing whose labours bring in the cash that allows me to live in the lap of luxury here in the home counties (that’s the South of England, for our USian readers).

Seriously, guys, I learned a lot about the business side of this industry from ESET UK’s presentations on the services they offer to resellers, and I’d have considered signing up myself if I wasn’t such a hopeless sales person. (This might also be a good point at which to thank our partners in Budapest for an interesting and useful discussion during my recent visit.)

That wasn’t what I was there for, though. I was there to deliver a presentation in the Technology Theatre on comparative testing. (Bet you didn’t expect that!) Which was interesting in itself: afterwards, I found myself exchanging views with a couple of people who were already resellers, and someone who’s in the process of setting up a testing lab in the UK at the moment. Which takes me neatly on to the subject of AMTSO (the Anti-Malware Testing Standards Organization). Yes, again…

As I’ve mentioned before, one of the most interesting (well, to me…) aspects of AMTSO’s current work has been the setting up of a Review Analysis Board. In brief, the principle is that the Board can consider requests to have a test/review evaluated by a group of suitably qualified individuals within AMTSO: basically, we’ll analyse tests to see whether they conform with the good practice guidelines already published on the web site. It’s taken a while to select suitable participants and establish the basic mechanisms for requesting and carrying out a review – this is definitely a job that needs to be done right, and that does take time. However, those mechanisms were agreed by the membership at the Budapest meeting, and it’s likely that the first reviews will be made public sooner rather than later.

It’s probably inevitable that some testers will see this as a threat: however, I’d rather see it as a positive step towards improving testing practice globally, and it looks like testers are starting to think proactively about getting their methodologies reviewed independently. Speaking purely personally, I’d much rather be involved with helping testers that way than with "going after" bad testers with a big stick shouting "You didn’t do it right!". But I guess we’ll have to see how it all plays out.

Meanwhile, the documents approved at Budapest are now up on the AMTSO web page for public viewing, including the Review Analysis Process documentation.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence