Testing Anti Virus Software Against Packed Malware

Very interesting idea as packed malware is something rather common these days, and as we've seen the recent use of commercial packers in the "skype trojan" malware authors are definitely aware of the concept. What the authors did was to pack the following malware using 21 different packers/software protectors - Backdoor.Win32.BO_Installer, Email-Worm.Win32.Bagle, Email-Worm.Win32.Menger, Email-Worm.Win32.Naked, Email-Worm.Win32.Swen, Worm.Win32.AimVen, Trojan-PSW.Win32.Avisa, Trojan-Clicker.Win32.Getfound, and scan them with various anti virus software to measure which ones excel at detecting packed malware. What some vendors are best at detecting others doesn't have a clue about, but the more data to back up your personal experience, the better for your decision-making.

Threats of Using Outsourced Software

Self-efficiency in (quality) software programming for security reasons -- yeah, sure :

"The possibility that programmers might hide Trojan horses, trapdoors and other malware inside the code they write is hardly a new concern. But the DSB will say in its report that three forces — the greater complexity of systems, their increased connectivity and the globalization of the software industry — have combined to make the malware threat increasingly acute for the DOD. "This is a very big deal," said Paul Strassmann, a professor at George Mason University in Fairfax, Va., and a former CIO at the Pentagon. "The fundamental issue is that one day, under conditions where we will badly need communications, we will have a denial of service and have billion-dollar weapons unable to function."

The billion-dollar weapons system will be unable to function in case of an ELINT attack, not a software backdoor taking the statistical approach.

There's an important point to keep in mind, during WWII, the U.S attacted Europe's brightest minds who later on set the foundations for the U.S becoming a super power. Still, you cannot expect to produce everything on your own, and even hope of being more efficient in producing a certain product in the way someone who specialized into doing this, can. Start from the basics, what type of OS does your Intelligence angency use in order not to have to build a new one and train everyone to use it efficiently? Say it with me.. Moreover, the sound module in your OS has as a matter of fact already been outsourced to somewhere else, if you try to control the process with security in mind, vendors will cut profit margin sales, as they will have to pay more for the module, will increase prices slowing down innovation. But of course it will give someone a very false feeling of security.

Fears due to outsourced software? Try budgeting with the secondary audits "back home" if truly paranoid and want to remain cost-effective. While it may be logically more suitable to assume "coded back home means greater security and less risk", you'll be totally wrong. All organizations across the world connect using standart protocols, and similar operating systems, making them all vulnerable to a single threats of what represent today's network specific attacks. And no one is re-inventing the OSI model either.

You can also consider another task force, one that will come up with layered disinformation channel tactics when they find out such a backdoor, as detecting one and simply removing it on such systems would be too impulsive to mention.

Who's Who on Information and Network Security in Europe

A very handy summary of Europe's infosec entities and contact details that come as a roadmap for possible partnerships or analyst's research :

"This Directory serves as the “Yellow pages” of Network and Information Security in Europe. As such, it is a powerful tool in everyday life of all European stakeholders and actors in Network and Information Security (NIS). By having access to all contact data and entry points for all European actors in one booklet, available on your desk, the “arm length’s rule” of access to information is becoming concrete. I am confident that this device of compiled Network and Information Security stakeholders, contacts, websites, areas of responsibility/activity of national and European Authorities, including organisations acting in Network Security and Information, serves our mission to enhance the NIS security levels in Europe well."

Compared to China's information security market on which I've blogged in a previous post, Europe's R&D efforts are still largely de-centralized on a country level, but hopefully, with the ongoing initiatives among member states innovation will prevail over bureaucracy.

The Zero Day Vulnerabilities Cash Bubble

The WMF was reportedly sold for $4000, a Vista zero day was available for sale at $50,000, and now private vulnerability brokers claim that they beat both the underground and the current incentive programs, while selling vulnerabilities in between $75,000 - $120,000.

"The co-founder of security group Secure Network Operations Software (SNOSoft), Desautels has claimed to have brokered a number of deals between researchers and private firms--as well as the odd government agency--for information on critical flaws in software. Last week, he bluntly told members of SecurityFocus's BugTraq mailing list and the Full-Disclosure mailing list that he could sell significant flaw research, in many cases, for more than $75,000. "I've seen these exploits sell for as much as $120,000," Desautels told SecurityFocus in an online interview."

But the cash bubble is rather interesting. Zero day vulnerabilities are an over-hyped commodity and paying to get yourself protected from one, means you'll be still exposed to the next one while you could have been dealing with far more risky aspects of protecting your network, or customers. The (legitimate) business model breaks when every vendor starts offering a "bounty" for vulnerabilities while disintermediating the current infomediaries. It would be definitely more cost-effective for them, than improving someone's profit margins. Or they could really reboot their position in this situation by applying some fuzz logic on their own software at the first place.