Wednesday, January 21, 2009

does conficker have a silver lining?

don weber posted an intriguing thought about the massive conficker worm actually making the internet more secure...

he's got some sound logic - it does shine the spotlight on the problem and give people who know what to do an opportunity to convince decision makers to do the right thing, and that could certainly make people more secure...

trouble is i made the mistake of saying something similar in the previous decade... technically it was more along the lines of 'it would be good if X were bigger/more damaging because then people would sit up and take notice'... as you can imagine, along came something that was bigger/more damaging and people did sit up and take notice... where's the trouble with that, you say? i got what i wanted, right?

wrong... a lot of people were negatively affected for what turned out to be a temporary lesson... i'm sorry to say but one of the observations i've made over the past 19 years of following the malware problem is that people largely do not retain the lessons of the past and thus wind up repeating history over and over again...

this case is likely not going to be any different - while don suggests that the efforts put forth as a result of this mass infestation are going to make future mass infestations harder, he neglects to mention that there have been plenty of mass infestations in the past whose cumulative effects should have made mass infestation darn near impossible by now if the effect had any kind of staying power...

but the effect doesn't have staying power, it's short lived... there certainly is a window of opportunity for people to push through smart policy/technology changes, but the window is not large - take advantage of it now while it's still open...

test branding fail

another fail, but of a different variety... thanks to pedro bustamante for bringing total protection testing to my attention...

total protection is a snake oil term that sends the wrong message to people and makes them believe they can be totally protected (which obviously they can't)... this is something people in the anti-malware industry should know already...

of course, you could say the same thing about mcafee - who i'm surprised don't own the trademark on this particular instance of snake oil, since they've got a product named total protection...

anti-virus usage fail

how do you top a virustotal usage fail? you attempt to commit virustotal usage fail but use samples that aren't even malware in the first place...

that's what john strand did in a video embedded in daniel miessler's post "Metasploit 3.2 Makes AV Look Silly | DiD is the Only Answer"...

the premise may sound ok - you can create executables using metasploit that won't be detected by the (perhaps severely) cut-down versions of anti-virus products that are used by virustotal... supposedly this points to a problem with anti-virus technology in general, but ask yourself this - is it really a problem that you can create executables that virustotal can't detect? and if so, why?

is the output from metasploit malware? if it is then hdmoore is a bad man and should be stopped (and it's not like we can't find him)... i don't see a lot of people calling him a bad man, though, or suggesting he needs to be stopped - that says to me that metasploit and its output are not malware, or at least occupy that gray area between malware and benign software... as such, if these things aren't malware then why are we expecting anti-malware programs to detect them? the av world knows that if it ain't bad then you shouldn't be catching it, and if metasploit output is bad then why aren't we doing more about it?...

if it's not malware then stop expecting anti-malware apps to do anything about it... if it is malware then go after the root cause (isn't that what bejtlich is always saying is the more effective strategy for dealing with the malware problem?)...

ultimately, the video and the post it's in make a good point - that you shouldn't be relying on av as your sole form of protection - but the argument would be better served by using a legitimate av failure as an example instead... better still would be to take an approach that doesn't seek to tear down a largely successful anti-malware control in the first place - you can promote defense in depth without erroneously trying to make av look like it's useless... tearing av down does not actually promote defense in depth, it promotes the search for the next great anti-malware hope that we can replace av with - and that's not going to help anybody because all preventative measures (even whatever people replace av with) fail...

Wednesday, January 14, 2009

my thoughts on benevolent botnets

pete lindstrom recently penned a post on the idea of benevolent botnets... it's not the first time i've seen this topic come up - martin mckeay posted about a related idea of battling botnets with botnets (presumably one side of that fight would be benevolent botnets)...

my thoughts run something like this - implicit in the idea of the botnet is that the computers that make up the botnet are being remotely controlled without authorization from their owners and therefore no botnet can be considered benevolent...

if the collection of connected computers is being controlled without authorization then you're stealing cycles at the very least, as well as a certain amount of bandwidth in order to communicate with the command and control server...

if the computers are being controlled WITH authorization from their owners then you have a distributed computing project, not unlike seti@home or distributed.net - and you can't really call either of those botnets...

so much like the very act of self-replication makes supposedly good viruses bad, the very act of unauthorized remote control makes supposedly benevolent botnets malicious...

virustotal usage FAIL

from rich mogull's post There Are No Trusted Sites: Paris Hilton Edition:
The best part? Only 12 of 37 tested AV vendors catch the trojan. All of you who give me crap for hammering on AV can go away now.


yes, boys and girls - in spite of my prior warning on the matter, in spite of didier stevens' thoughtful post on the matter, and in spite of hispasec's own post on the matter, people still don't get that virustotal is for testing suspected malware not anti-malware...

it doesn't matter if your sample size is 1 or 1000, using bad virustotal results to bolster the argument that av sucks (when it's well known that virustotal's results don't/won't match av user experience) is a big fat FAIL...

rich isn't the only one failing here, though, he's just the most recent example... 'incident handlers' at the internet storm center do this on a regular basis, as do quite a few others...

the devil's in the details, folks, start paying attention... since the detection capabilities displayed in the context of virustotal do not represent the real detection capabilities of the products used by virustotal, what point can there really be to posting the detection rates (as dancho danchev likes to call them)? that's right, basically none - not only do they bear no relationship to what is conventionally thought of as a detection rate, but they are also NOT accurate...

now repeat after me: virustotal is for testing suspected malware, not anti-malware...

Wednesday, January 07, 2009

suggested reading

geez, i need an alarm clock to remind me to do this or something...