Why relying on virus signatures simply doesn't work anymore?

January 19, 2006
As a fan of VirusTotal and Norman's Sandbox, both always handy when making analyses or drawing conclusions, and as someone who looks for metrics and data to base my judgments on besides experience, I feel VirusTotal's "Failures in Detection" statistics deserve more attention than they are actually getting.

With over 14,000 files submitted on a weekly basis, most of them supposedly 0day malicious software, it's a great resource to consider. Using these scanners as the basis of its service (did you spot yours?!), it is still able to show the plain truth: signature-based anti-virus protection is in deep trouble as a concept these days.

Moreover, vendors covering, or enjoying a near-monopoly in, specific geographical regions without having the necessary AV expertise is something that is actually happening. So what made an impression on me?

Failures in Detection (Last 7 days)

- 14,016 failures, that is, infected files not detected by at least one antivirus engine
- 372 samples detected by all vendors
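As an added example (not code from the original post), here is how the two "Failures in Detection" figures above can be computed from multi-engine scan results, together with a per-engine miss rate that tells you which vendor is actually lagging; the engine names and verdicts are constructed sample data.

```python
# Added example: VirusTotal-style "Failures in Detection" metrics computed
# from multi-engine scan verdicts. Engine names and verdicts are constructed.

from collections import Counter

# Constructed sample: file identifier -> {engine name: detected?}
SCAN_RESULTS = {
    "sample-a": {"EngineA": True,  "EngineB": True,  "EngineC": True},
    "sample-b": {"EngineA": True,  "EngineB": False, "EngineC": True},
    "sample-c": {"EngineA": False, "EngineB": False, "EngineC": False},
    "sample-d": {"EngineA": True,  "EngineB": True,  "EngineC": False},
}


def detection_failures(results):
    """Return (failures, detected_by_all, misses_per_engine).

    A file counts as a failure when at least one engine missed it. This
    includes files missed by every engine (sample-c above), which is the
    worst case for a purely signature-based approach: nobody has a
    signature yet.
    """
    failures = []
    detected_by_all = []
    misses = Counter()
    for sample, verdicts in results.items():
        missed_by = [engine for engine, hit in verdicts.items() if not hit]
        if missed_by:
            failures.append(sample)
            misses.update(missed_by)
        else:
            detected_by_all.append(sample)
    return failures, detected_by_all, misses


def engine_miss_rate(results, engine):
    """Fraction of scanned samples a given engine failed to flag (lower is better)."""
    scanned = [v for v in results.values() if engine in v]
    if not scanned:
        return 0.0
    return sum(1 for v in scanned if not v[engine]) / len(scanned)


if __name__ == "__main__":
    failures, all_hit, misses = detection_failures(SCAN_RESULTS)
    print(len(failures), "failures;", len(all_hit), "detected by all vendors")
    for engine, count in misses.most_common():
        rate = engine_miss_rate(SCAN_RESULTS, engine)
        print(f"{engine}: missed {count} sample(s), miss rate {rate:.0%}")
```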

What's important to note here is that response time towards a new piece of malware in the wild is crucial, as always. That's great when it's actually achieved. The independent folks at Av-test.org have featured a very nice Excel sheet on the "Reaction Times of the latest MS05-039-based Worm Attacks" (2005-08-22), so you can take a look for yourself.

And as I've once mentioned my opinion on the growing possibility of 0day malware on demand, proactive measures would hopefully get the attention of vendors. Some folks go as far as stating that AV scanners, and AV defense as a concept, will eventually end up as a product line extension of a security appliance. Though, I feel you will never be able to license a core competency of a vendor that's been there since before the concept of DDoS started getting public! And obviously, the number of signatures a vendor detects doesn't play the major role it used to years ago. Today's competitive factors have to do with, but are of course not limited to:

Heuristics
Policy-Based Security
IPS (Intrusion Prevention Systems)
Behaviour Blockers
Protection against Buffer Overruns

I also advise you to go through a well-written research paper on the topic of proactive antivirus protection, as it highlights the issues to keep in mind with respect to each of these. Is client-side sandboxing an alternative as well? Could and would a customer agree to act as a sandbox, compared to the current (if any!) contribution of forwarding a suspicious sample? Would v2.0 consist of a collective, automated web patrol in a PC's "spare time"? How sound are this and the other concepts in terms of usability and deployment on a large scale?

Signatures are always a necessary evil, as I like to say; at least ensure that your anti-virus software vendor is not a newly born company with a modest honeyfarm that is starting to perceive itself as a vendor. A vendor of what? Solutions or signatures?!

Don't get me wrong, my intention behind this post was to make you think, as a customer or decision-maker, about the approaches your current vendor uses, and how to make better decisions. At the bottom line, it's still a vendor's sensor network or client-side submissions, or even the exchange of data between them, that provides the fastest response to *known* malware!


FBI's 2005 Computer Crime Survey - what's to consider?

January 19, 2006
Yesterday, the FBI released its 2005 Computer Crime Survey, and while I bet many other comments will follow, I have decided to comment on it the way I commented on the U.S. 2004 "Annual Report to Congress on Foreign Economic Collection and Industrial Espionage" in previous posts. This one is compiled from 24,000 participating organizations from 430 cities within the U.S., so look for the averages where possible :)

What are the key summary points, and what should you keep in mind?

- Attacks are on the rise, as always

That's greatly anticipated given the ever-growing Internet penetration and the number of new users whose bandwidth is reaching the levels of a middle-sized ISP. Taking into consideration the corporate migration towards IP-based business infrastructure, and even the military's interest in it, the result is quite a lot of both visible and invisible targets. My point is that, to a certain extent, a new Internet user is exposed to a variety of events that are constant in terms of security breaches, or was it like that several years ago? Fewer 0days, a lack of client-side (browser) vulnerabilities the way we are seeing them today, and cookies, compared to spyware, were the "worst" that could happen to you. Things have changed, but malware is still at the top of every survey or piece of research you would come across.

- The threat from within

Insiders dominate the corporate threatscape as always, and the average financial losses due to "Laptop/Desktop/PDA Theft" act as an indicator for intellectual or sensitive property theft that is actively quantified to a certain extent, though it is still mentioned in a separate section. As far as insiders and the responses given here go, "the threat you're currently not aware of is the threat actually happening", to quote a McAfee ad I recently came across, especially with respect to insiders.

- To report or not to report?

According to the survey "Just 9% said they reported incidents to law enforcement, believing the infractions were not illegal or that there was little law enforcement could or would do. Of those reporting, however, 91% were satisfied with law enforcement's response. And 81% said they'd report future incidents to the FBI or other law enforcement agencies."

The key point here is the lack of understanding of what a threat is, or perhaps of what exactly should be reported, or why bother at all? And given that, out of the 9% reporting, 91% are satisfied, I can simply say: "If you don't take care of your destiny, someone else will".

Overall, you should consider whether the lack of quality statistics is the result of both the "stick to the big picture" research and survey approaches, and of companies not being interested in, or not understanding, what a security threat worth reporting actually is. I strongly feel the industry, and the Internet as a whole, is in need of a commonly accepted approach, and while such approaches exist, someone perhaps has to communicate them more effectively. Broad and unstructured definitions of security result in a great deal of insecurity, to a certain extent, or at least have the potential to, don't they?

- Who's attacking them?

Their homeland's infrastructure and the Chinese one, as the top attacks originated from there: "The U.S. (26.1%) and China (23.9%) were the source of over half of the intrusion attempts, though masking technologies make it difficult to get an accurate reading", and yes, Russia, "of course".

Though, you should keep in mind that whenever someone sparks a debate on a certain country's netblocks attacking another country's, it's always questionable.

- What measures are actually taken?

Besides actively investing in further solutions and re-evaluating their current measures, what made an impression on me as worth mentioning is:

- patching: whether the patch comes from a third party or the vendor itself is something else; yes, it's the reactive measure that could indeed eliminate "known" vulnerabilities, yet it's proactive approaches companies should aim at achieving

- keeping it quiet: as you can see, the 3rd measure taken is to actually not report what has happened. Wrong, both with respect to the actual state of security and to the potential consequences in case a breach of sensitive information occurred and customers did the job of reporting and linking it.

- tracing back? I think it's a bit unrealistic in today's botnet-dominated Internet; namely, an enterprise might find out that some of its external port scans are coming from internal infected PCs. When attacked you always want to know where the hell it is coming from and who's involved, and while that depends entirely on the attacker's techniques, I feel that close cooperation with ISPs in reporting infected nodes should get priority over tracing the attacks back. That greatly depends on the attack, its severity and its traceability, of course.

To sum up, the bottom line is that antivirus software and perimeter-based defenses dominate the perception of security as always; companies are actively investing in security and will continue to do so. It's a very recent survey for you to use, or brainstorm on!


China - the biggest black spot on the Internet’s map

January 17, 2006
Chinese Internet users have the potential to outpace the U.S. Internet population in number, yet the majority of them still remain behind the most sophisticated online censorship system in the world, the Great Chinese Firewall.

I am definitely not buying into the idea of someone trying to take control of all the information coming into and going out of a country for the sake of my well-being, as any individual has the right to decide what's good and bad for them.

If I, for instance, knew there was a virus on the streets of my city, I would take immediate precautions, or at least see how "my" government reacts to the crisis. Yet how responsible, moral or legal, according to international human rights standards, it is to prosecute users who have been spreading the news about the SARS virus from within the Great Firewall is perhaps another point.

Isn’t central planning the panacea of Communism, be it old-school or modern (an excuse for the old-school one), and isn’t the obvious fact that the government cannot, but wants to, play God a utopia by itself? It is disturbing how business ethics surpass moral ones for the sake of business continuity, so to say. Though efforts are made to break the ice, until a collective campaign is started I doubt anything will change. For the time being, what they don't like they either hijack (forward to another site) or completely restrict.

With over 100,000 cybercafes, and 30,000 state police enforcing policies on the Internet, the Chinese government is trying to establish a very effective atmosphere of self-censorship, namely by prosecuting those somehow violating it. The idea is, of course, to cut the costs of their censorship efforts.

U.S. companies don’t have a business choice but to comply if they are interested in taking advantage of the business opportunities in the country.

Activists have been expressing their attitude towards assistance like that, while I feel the majority of business leaders still don't have the incentive to take action, besides the human moral obligations, ones that are often neglected when doing business. Sad, but true :)

For me, it's not businesses complying with local laws that bothers me, but the playground for these vendors that’s fuelling innovation in the wrong direction. That very same innovation is later on used in Western countries, or pretty much anywhere around the world. For the time being, China is still winning against the Web, and the term cyberdissident is getting rather common. For instance, the recently started Cryptome.cn pointed out a great link to the actual known number of Chinese actions against journalists. That's disturbing.

One of the most resourceful and timely pieces of research currently available is ONI's Internet Filtering in China in 2004-2005: A Country Study. Interested in finding out whether a certain site is currently blocked in China? Check the Real-Time Testing of Internet Filtering in China, courtesy of Harvard Law School, whose Empirical Analysis of Internet Filtering in China still gives an overview of the situation and what's to consider.

Further research and opinions on the topic can be found at:

Internet Development and Information Control in the People’s Republic of China
Internet censorship in mainland China
The Internet in China: Civilian and Military Uses
Internet in China: Big Mama is Watching You
Internet Filtering in China
The limits of Internet filtering : A moral case for the maximization of information access over the Internet
Controlling Online Information: Censorship & Cultural Protection
Tools for Censorship Resistance
The Filtering Matrix
Tor: An anonymous Internet communication system


What are botnet herds up to?

January 17, 2006
Johannes B. Ullrich, with whom I had a chat once, did a great post providing us with real-life botnet herds' "know-how", or the lack of such. And while I agree that these are newbies, they are exploiting another growing trend. The vertical markets Johannes mentions are the result of abusing the affiliate networks themselves.

Though, how can an affiliate network distinguish traffic coming from botnets? Should it count it as malicious? Can they somehow link everything and see the entire picture? They sure can, but as long as revenues keep coming in, they simply won't.

The botmasters mentioned here are primarily acting as domainers, and the possibilities for abuse here are countless. In case you're interested in knowing more about the use and abuse of such networks, I recommend going through Ben Edelman's research on affiliate networks and how easily they get abused. My point is that if it takes a newbie to start realizing this, imagine the big players, as there obviously are some, at least judging by the sizes of their botnets :)

If they make a buck selling access to their resources, still have the opportunity to do it on their own, and cash in again while giving instructions on how to "reinfect" yourself, that's the ecosystem I mentioned in my recently released "Malware - Future Trends" research. I feel this particular botnet herd is up to experiments that obviously didn't go unnoticed.

What are your thoughts on the future of botnets, and how would they abuse their power in Web 2.0? A week before I released my original publication, someone started coming up with "solutions" on how to abuse Google's AdSense; there's a lot to come for sure!

In case you want to know more about botnets, consider going through the following:

Bots and Botnets: Risks, Issues and Prevention
The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets
Botnets as a Vehicle for Online Crime
Botnets - the threat to the Critical National Infrastructure
Botnet Detection and Response
Tracking Botnets
Robot Wars – How Botnets Work
Worms, Viruses and Botnets - security awareness video
