Wednesday, January 20, 2010

the myth of in-the-wild prevalence

upon reading this article at ghacks.net about scanning linux systems for viruses i became aware that there are some misunderstandings over the meaning of the term 'in the wild'.

the article in question is not the only place i've seen these misunderstandings and i don't want to knock it too hard because it does advise scanning your linux systems, but the statement that

Linux is immune to viruses right? Well…mostly. Even though a proof of concept virus has been discussed, and nothing has actually made it into the wild…you still have email on your system.
fairly clearly indicates both a lack of awareness of the threat linux faces as well as a lack of understanding of what constitutes 'in the wild'.

so let's get this out of the way early in the discussion. 'In the wild' means literally that the malware in question is active and victimizing someone or some group, somewhere in the real world. that seems like an obvious and natural definition but what isn't obvious is the implication that has for most people. you see, many people equate 'in the wild' with epidemic. they think that if something were really in the wild it would have affected a lot of people and they would have seen it personally or known someone who had seen it. they think that they can use their own experience as a measure of whether something is 'in the wild' or not. the reality is that something being 'in the wild' does not mean that it is common enough for you to have stumbled across it - there is a wide spectrum of prevalence possibilities for 'in the wild' malware.

to that end, there have of course been linux viruses in the wild. are there still some in the wild? well given that old viruses never really die, i'm going to have to say yes. remember, rare and 'in the wild' are not mutually exclusive concepts - something can be both at the same time. once something goes into the wild it's subsequently very difficult to conclusively show it has left the wild. in fact you could say it's equivalent to proving a negative (which, as we all know, is impossible).

(note: just to be clear, i'm not talking about the wildlist from wildlist.org. things that are on the wildlist are definitely 'in the wild' but not everything 'in the wild' gets to go on the wildlist. the wildlist is a much more narrowly defined set than what's 'in the wild')

Sunday, January 10, 2010

what's in a malware name

...that which we call conficker by any other name would taste as sour.

david harley, tom kelchner, and mary landesman have all posted their responses to an infosecurity article questioning the apparent lack of consistency in malware naming.

they all say more or less the same thing about the deluge of modern malware making harmonization of names impossible and to a certain extent they're right, but to a certain extent they're also wrong - not so much in the technical details of their answer but more in the way they're framing the problem that the infosecurity article was underlining.

now the truth is i had actually planned on writing about malware naming some time ago in response to another of david harley's articles in which he basically says malware names are irrelevant. i can see where he's coming from with that, and probably you can too. a malware detector doesn't care what the name of the malware is, only whether it's there or not - and the consumer of the malware detector generally won't care that much about the name either (certainly not whether it's the same name that all the other vendors use). in the consumer's worst case scenario all they really need is some sort of unique identifier, be it a number, a GUID, or some made up nonsense word (oh, wait, that's what they get now) in the event that they need to call up the vendor for support.

but there's a problem with this line of thinking and i'll demonstrate it with a little thought experiment. let's take all the bones in the human body and replace their current identifiers (such as scapula, ulna, radius, etc) with numbers, or GUIDs, or made up nonsense words. now try having an intelligible discussion about bones you've broken over your lifetime with someone. can you imagine how much more difficult that would be? obviously replacing their current names with the made up nonsense words would just pose difficulty in adjusting to new names but GUIDs would be far too unwieldy for people to use, and numbers would have numerical relationship baggage that would confuse the issues. let's take one more step in this thought experiment, however. let's say there are 50 different people, each with their own different set of replacement identifiers for the bones in the human body, and let's say that they collectively are trying to advise people on bone health. how well is that really going to work? not very well, obviously.

while it is true that malware today is far too numerous to harmonize the naming for each and every instance, we can't let the great become the enemy of the good. if the anti-malware world revolved exclusively around the production and consumption of malware detectors then names really would be unimportant and irrelevant, but the fact is in such a world people like david harley and tom kelchner and mary landesman wouldn't be blogging about such things because those blogs would also be irrelevant.

the thought experiment above demonstrates when names are important and why consistent names are important. names are important when you're dealing with people rather than just technology. they are important when you are trying to communicate information about threats, trends, etc. to people. people need names for things, and frankly they need to be fairly simple names - that's why storm, loveletter, and code red catch on while waledac, virut, and sality wallow in obscurity, and why people keep misspelling conficker. heck, it's why meteorologists name significant weather formations like hurricanes using human given names like harry or katrina. people also need for multiple authorities to agree on the names for things or else they can't integrate data from multiple sources and are left disoriented and confused.

again, we can't let the great (harmonizing the naming of all malware instances) become the enemy of the good (harmonizing the naming of the relative handful of malware instances the industry considers significant enough to write about in things like year-end threat reports). it may be impossible to coordinate names for each malware instance in existence and entirely pointless even if it were possible, but the same does not hold true for the small set of malware that vendors write about by name. just so we're clear, i'm not suggesting that such coordination need take place before releasing detection for the aforementioned malware. what i have in mind is something not unlike the now defunct common malware enumeration with the exception of using names instead of numbers - a post hoc harmonized second name (a common name or layman's name) for those few pieces of malware that the industry feels they need to communicate to the masses about.

of course, after all that is said and done, even if naming were consistent i fully realize that different vendors' reports would list different sets of malware and to that end people still need to understand that such reports reflect not the actual threat landscape but what the vendor has seen of the threat landscape. to that end there should still be overlap between the sets of malware used by different vendors in their reports, and if there isn't that suggests sampling bias pronounced enough to render those models of the threat landscape irrelevant.

Friday, December 18, 2009

20 years in av

i knew the time was coming, i even thought about marking the occasion here, but my attention was elsewhere at the time so there weren't any posts on the subject.

then eddy willems posted about his 20th anniversary in anti-malware and i thought maybe i should post about this after all - so it entered my to-do list and languished there for a while.

and then today david harley posted about his upcoming 20th anniversary in anti-malware so i figure it's time to pop that task off the to-do stack and actually write something.

you see, i also had my 20th year in the anti-malware field this year - though not in the professional sense that eddy and david did. i don't recall the exact date but i know it was in late november of 1989 that i started down the path i'm on today (i gave a basic run down of how it happened in my about me post 3 years ago).

it's interesting to me to discover that some of the other names i know in this field also got started the same year. it didn't really seem like '89 was all that significant a year or anything, but i guess that's about when awareness of the malware problem (or rather the virus problem at the time, since that was the principal form of malware being created) was reaching the critical mass necessary to entrench itself firmly in the general public's consciousness - first as an obscure curiosity, but as an increasingly real and oftentimes personal annoyance for people as they had their own run-ins with the problem. as such i'm sure there are quite a few more who got their start that year.

at any rate, happy anniversary eddy and david. i hope it's been as stimulating for you as it has been for me.

Saturday, December 12, 2009

why mac fanatics still believe they're virus free

(another post from the draft pile)

i stumbled across this article about why macs are still virus free and it occurred to me that there were a number of false premises that deserved highlighting to illustrate why mac users still think their beloved platform is so safe.

  • the first thing i noticed was an ill-conceived notion of what a virus is (eg. "When I say virus I'm referring to a program which self-propagates and self-installs either by exploiting a back door in the operating system or another legitimate application"). by this definition most PC viruses (and i'm not using virus as a catch-all umbrella term here) are not actually viruses.
  • next thing i noticed was the comparison of apples to fruit (eg. "So why don't Macs get viruses while Windows PC's seem to be facing a constant tsunami of malware, spyware, worms, trojans and botnets?"). compare mac viruses to pc viruses please, not mac viruses to pc viruses, worms, spyware, trojans, botnets, etc. either that or compare the gamut of mac malware to the gamut of pc malware.
  • next on the list of wrong-headed thinking i picked up from that post was thinking malware authors are still just attention seekers (eg. "There are a lot of theories regarding install base and attention-seeking virus writers") when it has been demonstrated over and over again for the past several years that they're financially motivated now - the current trend is to follow the money.
  • another bit of nonsense i noticed (which in fairness is bandied around by a lot of otherwise intelligent people) is thinking that going after the biggest group limits them to going after just one group (eg. "wanting to target the biggest market") when it has been demonstrated that professional malware gangs are targeting both platforms at the same time (see zlob gang).
  • yet another wrong thought in the article was thinking that unix makes the difference (eg. "The real answer is UNIX") when in fact the first academic treatment of the virus problem (back when the term 'computer virus' was originally coined) had viruses successfully replicating across a user population in a professionally administered unix environment without cooperation from the admin.
  • the most damning, however, is thinking in yesterday's terms. the very fact that they're still focusing on viruses rather than malware in general shows just how outdated the thinking really is. most of the malware currently attacking pc's these days is NOT viral (either by normal pc definitions, incorrect mac definitions, or formal definitions). furthermore viral malware isn't really the biggest malware problem these days. huge numbers of non-viral malware are the biggest problem facing pc's and the malware gangs have been targeting both pc's and macs for years now.

mac users have largely ignored the malware problem, which is probably why what little they know of the problem is generally either wrong or out of date. the malware problem isn't ignoring them, however. they have an opportunity to get ahead of the problem, but if they keep living in the past that opportunity will be squandered.

Sunday, December 06, 2009

sneakemail is no longer free

well, y'know what they say, all good things must come to an end and the free ride at sneakemail.com appears to be one of those things. as of sometime earlier this month sneakemail.com moved to a paid service and existing accounts were switched over to the one month trial setup.

if you're using sneakemail then this is probably something you want to know about (i found out quite by accident) because when the trial is over your emails won't get forwarded to your real email address anymore.

i've been using sneakemail for years now, and directing others their way. it's a great service and it's helped me keep spam in check so i don't want to say that their service isn't worth the $2 a month fee, but recurring charges are the bane of my existence so i'm not sure what i'm going to do. this is complicated by the fact that i have so many addresses with them (most of which get no traffic, but still). switching to another service would be a pain due to a several years long habit of using sneakemail as well as all the existing addresses i'd have to switch over. plus there's no guarantee that the next one will turn out any better in the long run. paying the fee would also be a pain, and an ongoing one at that.

but enough of my griping - you're now forewarned, go do something about your account if you're a sneakemail user. you have less than 30 days.

malware classification fail

here's one from the drafts pile, hopefully it's not too stale

i'm wondering what the anti-malware world is coming to when the leading vendor classifies something as a trojan even though it clearly discloses what damage it does.

by this logic, every copy of every operating system also ships with a trojan horse program, either in the form of the delete command or the format command.

one of the basic requirements of a trojan is that it tricks the user into executing it - the original trojan horse wouldn't have gotten very far if there was a warning sign on the outside that said it contained enemy soldiers that would sack the city when night fell. so too would suspected malware not get very far if it plainly disclosed what it does.

this game is at worst a potentially unwanted program - in other words, grayware. we can't just go around calling every bad program (or even just every bad non-viral program) a trojan any more than we can go around calling all malware viruses. not using the proper terminology is a great way to confuse everyone and confusion is something we don't want to sow, right?!?

Friday, November 27, 2009

av vendors are not like drug pushers

one of the erroneous ideas i sometimes come across is that av vendors are a little like drug pushers - that they want to keep you the user addicted or otherwise dependent on signature updates because charging you for regular signature updates is the only way they can make money.

this notion is complete, uninformed bullshit.

the first problem with this idea is the money aspect - if you haven't noticed, the major av vendors come out with a new version of their products (not just new signature updates) every year, not unlike how microsoft comes out with a new version of ms office every few years. you have to pay microsoft to upgrade your ms office installation so it shouldn't take a rocket scientist to realize that av vendors make money the same way. they also make money from those who just renew at the end of the year instead of buying the new version because the signature and engine updates cost money to develop.

now you might think that just plays into a more fundamental issue, that they're purposefully adhering to a technology that requires updates/upgrades so that you need to pay each year, but that's also nonsense. both the threat landscape and the operating environment itself are constantly changing; there's no protective technology that won't require updating to accommodate that fact. furthermore, there are always improvements that can be made to the way a security product (any security product) does its job - the only way to get those improvements out to people is in the form of updates/upgrades, and the only way to pay for the research and development behind those improvements is to charge somebody money, and it's only fair that the people they charge for the improvements are the people who benefit from those improvements.

still think they're intentionally dragging their feet with regards to non-signature-based technologies for some reason? fine, let's look at our old friend thunderbyte anti-virus. thunderbyte was an anti-virus suite back in the early 90's before av suites were even heard of. it had the signature based scanner, sure, but it also had the most transparent heuristic engine (by which i mean it told you what properties a file had that made it suspicious) i'd ever seen (then or since), it had rudimentary application whitelisting, it had behaviour blocking, it had integrity-based generic detection and cleaning. thunderbyte even marketed av hardware. the folks at thunderbyte were pioneers who in a very real sense built a better mouse trap and, believe it or not, the world did not beat a path to their door. the product was ultimately a failure in the market (their technology was bought by norman data defense which, with all due respect to the folks at norman, is a much more obscure company), not because it wasn't a superior product (it was), nor because it was too much of a niche product (it was readily available in computer stores where i live despite coming from a different continent and i imagine it was available in stores elsewhere as well), but because the market wasn't ready for it. just because you build it doesn't mean they will come - it might work like that in the movies but not in real life. it would be unreasonable to expect other vendors to waste their money developing technology that the market wasn't already clamouring for - the reason vendors have been slow to develop these alternative technologies is because the market for those technologies has been slow to develop. there weren't enough customers demanding the technology for its development to make good business sense.

Tuesday, November 24, 2009

why are ethics so undervalued?

why are ethics so undervalued? i honestly don't know the answer to that question but i'd like to explore the topic and explain what i mean.

first i'd like to dispel any fears that i'm about to go on at length about people not understanding the difference between right and wrong - i think most people do understand the difference. that said, i don't think most people appreciate the difference - which is to say i don't think it holds much meaning for people, i don't think it's important to them.

i'll give you an example. not too long ago anton chuvakin posted an article on FUD - specifically one that is, if not an outright endorsement of FUD, at the very least an argument that sometimes it's a good thing. i'm not going to pick too much on the notion of endorsing the use of manipulation in the workplace, what interests me in this discussion was something he wrote in response to a blog post criticizing his stance:

personally, I think that “trumping with ethics” is a low card in intellectual arguments! IMHO it is one step above name calling
i don't think there can be any question that this statement represents a remarkably low valuation of the topic of right and wrong.

by way of contrast, i would place ethical right/wrong one step below technical right/wrong - and those of you who know me know how highly i value technical accuracy (hint: i make enemies simply by correcting people).

so where does such a huge difference in values come from? and what does it mean for the security community that anton is not only not an outlier but in all likelihood far closer to the norm than i am? have we become an "ends justify the means" sort of society? is security as a goal something we need to promote at all costs?

i suppose i need to better understand why it means as much as it does to me, so i guess i've got some soul searching ahead of me, but nowhere in that search do i expect to find why it's so much easier for others to put aside. i don't get many comments on my posts (since normally i know the answer to the question i'm asking) but in this case i'm hoping to hear what others think so please feel free to comment.

some new snake oil from kaspersky

i found this out thanks to a thread at wilders - apparently kaspersky is taking a page out of the mcafee snake oil playbook. mcafee has total protection and now kaspersky has total security.

i've been over this time and time again - this kind of branding is snake oil. the obvious implication that the average person would draw is that they simply have to use kaspersky total security and then they can be totally secure. that's a false sense of security and the folks at kaspersky know it.

obviously someone cares more about market share and getting to make commercials with jackie chan than about intellectual honesty.

oh crap - looks like bitdefender did the same thing.

being a whitehat means taking sides

you wouldn't think this needs to be said, but apparently it does - being a whitehat means taking sides. more than that, it means taking the side aligned (more or less) with the general public's interests - doing things for their direct or indirect benefit.

and so it is that i always seem to find myself surprised by people who call themselves whitehats but who sacrifice the public's interests for their own agendas. those people are just lying - to others and perhaps even to themselves - about how good of a 'good guy' they really are. these are greyhats at best or, perhaps more likely, blackhats.

one such case that came up recently was that of peter kleissner (another post on the subject here), an ex-employee of the av vendor ikarus software who released proof of concept attack code and then, after being ousted from his position within the av industry, came up with a service to help malware authors evade the av industry.

i suspect mr. kleissner doesn't actually think of himself as a whitehat anymore, even though he would have generally been considered one at the time his descent started. the thing that stands out most to me, however, and the thing i think needs underlining is the following quote:

I won't make a difference between black hats and AV companies. To me it's not good or bad, it's just technology.
which seems to suggest he doesn't care to draw a distinction between good and bad. there's a word for that, boys and girls, and that word is amoral. while it is true that he is still quite young, he is 18 and he was part of the av industry for over a year. i'm curious how one at such an impressionable age could manage to be part of the av industry and still manage to avoid having his moral compass align with that industry and community.

i'm still here

i know it's been a while - i'm still alive, just preoccupied with other things. i'm going to try to clear out some of the backlog of things i intended to write about. expect some old subjects for the next little while.