Monday, July 24, 2006

cutting through the mobile malware mess

techdirt, renowned for its technical acumen (in other words its signal to noise ratio is just slightly better than the garbage heap of the internet known as slashdot), has a post today that basically roasts f-secure for spreading mobile malware FUD... small problem - i couldn't find the FUD even after following all their links to supposed examples...

let's take a closer look, shall we?

from silicon.com:
Sal Viveros, wireless security evangelist at McAfee, said F-Secure's figures are largely in line with industry figures in terms of the total number of mobile viruses but added such viruses have largely been "proof of concept" to date and pose little threat to users.
ok, so we've got independent verification of f-secure's figures on the total number of mobile malware instances - score 1 for f-secure...

from a different article on silicon.com:
"The number of proof of concept viruses is increasing but that's not to say there has been an increase in the risk of infestation or that there is any need for panic or worry."
the person making this statement (david wood of symbian, the company holding the largest stake in the mobile phone market - aka the microsoft of the mobile phone market) clearly doesn't understand the nature of risk... the more instances of malware out there the greater the chance of a particular user encountering one of them, and therefore the greater the risk...

from the same article:
He added that these viruses will only spread with user permission and conceded that in very rare instances a user could contrive to infect their phone.
which shows that he clearly doesn't understand what's really going on in a mobile infection scenario... the no option doesn't work - you choose no and the prompt just comes back... press no again and the same thing happens... cabir and similar worms will just keep trying and effectively DoS the phone until the user chooses yes... user interaction is a non-issue if the user isn't given a real choice...

(see the video evidence here, it starts about 26 minutes in)

[edit - there's a better view of the video evidence here, starting at about 1 hour and 26 minutes]

from an article at vnunet.com:
"Phone viruses so far have been spreading over Bluetooth, so they only affect phones that are within a few metres. A MMS virus can potentially go global in minutes, just like an email worm," warned F-Secure's antivirus laboratory.
now it is a little troubling that it says minutes - because mikko hypponen, in the video referenced above, says 24 hours (both for mobile phone viruses and for email viruses) and he explains why... it's correct that it has the same potential speed as email worms but minutes seems like an error, either on the f-secure rep's side or (more likely, since they're known for botching these sorts of things) the reporter's side...

at any rate, saying a type of virus has the potential to do X is quite a bit different than saying a particular virus will do X or is likely to do X (which is the implication techdirt makes here)...

and from the zdnet.co.uk article that triggered the current thread at techdirt:
"F-Secure is saying there's a huge risk of malcode spreading, but they've built this up," said Simon Perry, European vice president of security for CA. "If you look at their behaviour, they've consistently pushed this message. But it's a theoretical, not a real threat," he added.
i don't know where mr. perry is getting this - mikko hypponen (again in the video referenced above) made it seem pretty clear to me that mobile viruses are not anywhere near as problematic as their pc counterparts... susceptible phones are comparatively quite rare, and most of the malware can only spread to other phones that are physically nearby... that doesn't sound like a huge risk to me... he does mention some big total numbers (in the tens of thousands) but considering the law of large numbers as it applies to this situation that doesn't really raise eyebrows...

furthermore, in the same zdnet article an f-secure representative is quoted:
"I have difficulty understanding how this can be bad for [the antivirus] business. This is not a mass problem for all consumers, but our solution is available to those who need it, and there are people who need it today," Impivaara added.
it seems hard to imagine how f-secure could be making mobile malware out to be a huge risk when they're quoted in the media as saying the opposite...

still, techdirt has persisted in laying the FUD spreader charge against f-secure for some time now, not unlike many other community sources (slashdot and digg are the 2 glaring examples) have done to many other vendors... it bears a striking similarity to the reaction you get whenever you suggest there are genuine security risks in mac osx or linux... i thought at first it might just be one site or 2 sites, but the pattern that is emerging seems more widespread - it seems to have something to do with the wisdom of mobs where the wisdom of crowds fails due to the signal to noise ratio being too low... the reality is that he who yells loudest has the most individual impact on the whole and without sufficient real wisdom to counteract that impact the whole becomes an ignorant mob...

Sunday, July 23, 2006

the REAL reason anti-virus programs don't work

by now a lot of people have seen one or both of the pair of zdnet articles on anti-virus apps not being worth a damn... i've already argued that the logic of their argument is bogus but then along comes a different article with an entirely different observation...

readers of this blog probably know by now that i tend to be a little on the critical side - i tend not to say anything when i agree with someone, usually only when i disagree, so brace yourselves for a departure from the norm because martin overton has done an excellent job of capturing the REAL reason why anti-virus programs aren't working and i just thought it was so good i had to try and draw more attention to it...

he's done a much better job than i probably would have done because i wouldn't have tip-toed around the thorny issue of blaming the victims and just come out and said that the anti-virus programs are failing because they're being used by morons who move their lips when they click and click on everything except the update button...

why? why are people so dense? ok, i get that the average person isn't going to be a technical marvel, but the simple behaviour we've been trying to teach them for a decade or 2 now is to use anti-virus software AND keep it up to date... is that second part really so much harder than the first?

come on folks, buying a new computer in order to solve a malware problem is not the answer - there comes a time when you have to look with a critical eye at the sequence of events that led to the malware contamination and ask yourself "what could i have done differently that would have helped to avoid this problem?"... if you don't get a better handle on this then your new computer will soon be infested by malware as well and then what will you do? unfortunately musical chairs does not represent an effective anti-malware strategy...

if you're going to use anti-virus (and you should) you're going to also have to keep it up to date... why? because there are about 60-70 new pieces of malware created each day... malware scanners mostly only detect what they know so each day that your scanner goes without being updated represents an additional 60-70 pieces of malware it doesn't know about and therefore won't be able to help you avoid... if it's been months (or years) since you last updated, do the math and figure out how many potential threats your security software isn't helping to protect you from... pretty scary, huh?

if that just woke you up out of your stupor and you've started to ask yourself "but what if i am completely up to date and i still encounter malware my anti-virus app doesn't know about?" then congratulations, you've just ascended to a new level of malware awareness... to you i say that your anti-virus is just one layer of defense and nobody ever said you were limited to only using one...

Wednesday, July 19, 2006

80% of new malware does what to antivirus?

here's the backstory - apparently graham ingram, general manager of the australian computer emergency response team (AusCERT) has revealed that 80% of new malware defeats antivirus software...

now, i haven't seen enough of the full text of his talk to know for sure what he was on about (the media are notorious for twisting perfectly valid statements into horrendously misleading sound-bites) but saying that the anti-virus products aren't working does not inspire confidence...

in fact, framing it the way he does, talking about new malware and an 80% miss rate is rather misleading too...

let's put things into proper perspective, shall we? when malware is new it is unknown to the anti-malware vendors - that's the nature of things... when it's been around for a while it will no longer be new and no longer be unknown... further, the mainstream anti-virus products are essentially known malware scanners...

now ask yourself, are you at all surprised that known malware scanners don't do a very good job of detecting unknown malware? of course not... now ask yourself, is it really a problem or all that big a deal? no again, known malware scanners aren't supposed to be good at dealing with unknown malware, they aren't meant to deal with that part of the malware problem... unknown malware doesn't stay unknown for long so it will be caught by the anti-virus products eventually, but during that initial window of opportunity you need to employ other techniques and technologies to protect yourself... anti-virus products aren't a panacea, they aren't a cure-all, don't depend on them exclusively but rather practice defense-in-depth - use a multi-layered approach to protection...

the only people who should be seeing a problem here are those naive enough to think that anti-virus products should be all they really need... and doesn't that make you wonder what graham ingram, general manager of AusCERT, was thinking giving quotes that made it sound like the sky was falling?

Friday, July 14, 2006

symantec, viruses, and the mac

i've written about viruses and the mac before but of course people don't read what i write or don't listen to what i say or maybe just don't think i'm right and so continue to make silly gaffes... sometimes those people are even in a position where you'd expect them to know what they're talking about...

take for example the recent pronouncement from symantec that there are no file infecting viruses for the mac osx platform... todd woodward is a symantec employee so of course people are going to assume what he says about viruses and the mac must be true... he makes a pretty convincing argument too, except for one tiny problem - in trying to convince us that osx/leap.a wasn't a file infecting virus he points to a symantec virus analyst's write-up that actually says osx/leap.a does infect files...

ooops...

but lets not be too hard on poor todd, after all he's not a virus analyst himself, rather he's a product support analyst for symantec... still, that embarrassing gaffe could have been avoided if he'd simply read the page he was linking to...

so just to clear up the confusion (and to repeat something i've said a bunch of times already) osx/leap.a is an overwriting file infector (that would have been a companion infector if not for a bug in the code) and an instant messaging worm at the same time... that's right, it is a worm/virus hybrid and therefore there IS a virus for the mac osx platform... i get the feeling that perhaps todd is not aware that something can be both a virus and a worm at the same time but it can and there are plenty of examples in the windows world so that part of his post about the differences between worms and viruses is poorly conceived...

what is an overwriting virus?

an overwriting virus is a virus that infects its host program by replacing the host with itself...

overwriting infectors are probably the most unsophisticated of all viruses as they require no complex programming skills whatsoever, they are needlessly destructive and incapable of hiding their presence because the host program is lost...

Wednesday, July 12, 2006

what is a virus writer?

a virus writer is a person who writes/programs viruses, nothing more, nothing less...

while many virus writers do more than just write viruses, those other things are not technically part of being a virus writer - being a virus writer does not imply sharing viruses, spreading viruses, publishing viruses, or letting viruses escape... the act of writing a virus does not require or imply the communication of the virus with the rest of the world, and if the virus isn't communicated to the rest of the world it cannot be a problem - thus we shouldn't try to solve the supposed problem with totalitarian laws about what we can or cannot write on our own computers as it addresses the wrong problem...

people often forget/ignore/gloss over the distinction between virus writing and the related activities but i think martin overton said it best when he said "I don't give a flying fig that you write viruses (as long as you keep them to yourself)"...

what is a virus spreader?

a virus spreader is a person who tries to cause other people's computers to become infected by viruses either directly by executing infected programs on those computers or indirectly by sending infected programs to users of those computers with an appropriate social engineering attack to trick those users into executing the infected programs themselves...

intentionally spreading viruses is perhaps the most malicious of all pro-virus behaviours as it is an explicit attempt to inflict viral infection on others... some try to justify it with excuses like 'scientific curiosity' (ie. wanting to know if it will really spread in the wild) even though history has shown that viral success in the wild has more to do with luck than it does any technical quality of the virus (ie. technically impressive viruses can be complete failures while unsophisticated and often buggy viruses become widespread)...

there are other less benign justifications as well, such as revenge for some perceived wrong-doing, spreading social or political messages that may be contained within the viruses, financial gain, or even plain old ordinary malice...

Saturday, July 08, 2006

the flip side of sophos' mac advice

as many have reported already, sophos is suggesting that home computer users purchase mac computers in the future in order to avoid the huge amount of windows malware out there...

while that's all well and fine, there's a bit of context that is conspicuously absent from the various news accounts - sophos doesn't really deal with the home user market... they're focused on the enterprise market and don't really have a product geared for the home user market... they aren't giving this advice to corporations or anyone they actually do business with...

now, don't get me wrong, i'm not a sophos basher, i think there's plenty of good things to be said about them, but their advice seems a little like patting the home users on the head and saying "there, there"... 'buy a mac' is just about the most hands-off answer you could give to the home computer users looking for a helping hand with their malware problems... at the very least switching to linux or freebsd would be cheaper and more expedient than waiting until one has enough money to go out and buy a whole new computer...

also, if everyone switched to macs, that would include the malware writers... after all, the new generation of malware writers are profit oriented, and if everyone is using a mac then the mac platform is where the malware-related profits will be found...

at best, jumping ship would just be a temporary solution to a persistent problem... it would probably help in the interim, but only for a while and then what happens when it stops working?

i can't help but see their advice, not as the professional endorsement of the mac platform that some consider it, but rather as a glib response to a problem they don't really want any part of...

Friday, July 07, 2006

"mine's bigger"

yeah, i know it's a pretty provocative statement, but that's pretty much what authentium are saying in this blog post...

mcafee lets everyone know their product is about to reach the 200,000 threats detected milestone and authentium pipes up and says 'well we're about to reach 300,000'... classic - no really, i'm surprised there are anti-virus companies still playing this particular numbers game... i thought it went out of style years ago...

now let me ask you something, do you really think there are 100,000 pieces of malware being missed by mcafee's product? you can't trust the raw numbers reported by vendors, unfortunately, and not just because some of them have apparent inferiority complexes...

this is old news for some of us but for those who don't know yet, here's how it works... say you have 2 malware samples that are related to each other (they belong to the same malware family) - scanner-A detects both pieces of malware using 2 separate signatures and scanner-B detects both pieces of malware using only 1 signature... now both detect the same number of real world threats, but the way they count is by counting the number of distinct malware definitions in the scanner's database so scanner-A will say it detects 2 pieces of malware where scanner-B will only say it detects 1 piece of malware because they're similar enough that they look the same to scanner-B...

now whether a scanner needs 1 or 2 signatures in the scenario above doesn't really have any bearing on which scanner is better, there are benefits and drawbacks on both sides and it's not always scanner-A that requires more signatures... that said, you should be able to easily see how one scanner's numbers can be very different from those of another... now a 50% difference is considerable and i find that very suspicious, especially when f-secure pegged the number at 185,000 earlier this year which is much more in line with mcafee's 200,000 figure...

regardless, the numbers that vendors report just do not mean what they otherwise seem to mean... comparing the number of signatures between different products is a pointless exercise and it ultimately misleads the reader into thinking that one product is better than another when it may not be true... and if you're detecting the scent of snake oil in that practice, well me too...
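to make the two points above concrete (that a known-malware scanner only catches what its definitions describe, as argued in the july 19 post, and that one scanner's definition count says nothing about how much it actually detects compared to another), here is a toy scanner written for this post, not code from any vendor... the "samples" are constructed byte strings standing in for files, scanner-A uses one exact-hash definition per sample, scanner-B uses one generic pattern for the whole family, and a fourth sample is "unknown" to both until a definition for it is added:

```python
import hashlib

# Constructed stand-ins for files on disk (assumption: toy byte strings, not real samples).
# fam_a and fam_b are two variants of one family sharing a common core string,
# other is an unrelated known sample, unknown is a brand-new sample nobody has analysed.
SAMPLES = {
    "fam_a.exe": b"MZ\x90\x00 FAMILYCORE:replicate:v1 payload=a",
    "fam_b.exe": b"MZ\x90\x00 FAMILYCORE:replicate:v1 payload=b",
    "other.exe": b"MZ\x90\x00 OTHERFAMILY:dropper",
    "unknown.exe": b"MZ\x90\x00 NEWFAMILY:never-analysed",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class KnownMalwareScanner:
    """A scanner that detects exactly what its definitions describe and nothing else.

    Two kinds of definition are supported:
      ("hash", hexdigest)   exact match on the whole file (one definition per sample)
      ("pattern", bytes)    generic match on a byte sequence shared by a whole family
    """

    def __init__(self, name: str):
        self.name = name
        self.definitions = []

    def add_hash(self, data: bytes) -> None:
        self.definitions.append(("hash", sha256(data)))

    def add_pattern(self, pattern: bytes) -> None:
        self.definitions.append(("pattern", pattern))

    def definition_count(self) -> int:
        # This is the number vendors quote as "threats detected".
        return len(self.definitions)

    def detects(self, data: bytes) -> bool:
        digest = sha256(data)
        for kind, value in self.definitions:
            if kind == "hash" and value == digest:
                return True
            if kind == "pattern" and value in data:
                return True
        return False

    def scan(self, samples: dict) -> set:
        """Return the names of the samples this scanner would flag."""
        return {name for name, data in samples.items() if self.detects(data)}


def build_scanners():
    # scanner-A: one exact definition per known sample (3 definitions).
    a = KnownMalwareScanner("scanner-A")
    a.add_hash(SAMPLES["fam_a.exe"])
    a.add_hash(SAMPLES["fam_b.exe"])
    a.add_hash(SAMPLES["other.exe"])
    # scanner-B: one generic definition covers the whole family (2 definitions).
    b = KnownMalwareScanner("scanner-B")
    b.add_pattern(b"FAMILYCORE:replicate")
    b.add_hash(SAMPLES["other.exe"])
    return a, b


def close_the_window(scanner: KnownMalwareScanner, data: bytes) -> bool:
    """Simulate the vendor analysing a new sample and shipping a definition for it."""
    scanner.add_hash(data)
    return scanner.detects(data)


if __name__ == "__main__":
    scanner_a, scanner_b = build_scanners()
    for s in (scanner_a, scanner_b):
        print(f"{s.name}: {s.definition_count()} definitions, flags {sorted(s.scan(SAMPLES))}")
    print("unknown.exe before update:", scanner_a.detects(SAMPLES["unknown.exe"]))
    close_the_window(scanner_a, SAMPLES["unknown.exe"])
    print("unknown.exe after update:", scanner_a.detects(SAMPLES["unknown.exe"]))
```

both scanners flag exactly the same three samples even though scanner-A "detects" 3 threats and scanner-B "detects" 2, and neither flags unknown.exe until someone analyses it and ships a definition - that gap is the window where you need the other layers...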

what is a logic bomb?

a logic bomb is a piece of malware that waits for some logical condition to be met on the affected computer before carrying out its malicious behaviour...

the condition a logic bomb waits for could be anything measurable/detectable within the computer - a specific key or combination of keys being pressed, the existence of a file, the free space on the drive being equal to some predetermined value...

the most well known condition used in logic bombs, however, is the system time being equal to (or greater than, sometimes) a specific date/time... logic bombs that trigger on system time are a subcategory known as time bombs and are the most well known because time-based triggers are quite reliable (more so than waiting for a key combination that may never be typed) and relatively easy to implement so they have historically gotten used the most by malware writers when implementing logic bomb functionality (or payloads as they're often called when attached to some other class of malware)...

Thursday, July 06, 2006

about me

ugg - what a boring topic... well if you're like me and the question of who writes this stuff is uninteresting to you then you can stop reading this right now because that's basically what this entry is going to be about...

my name is at the end of each post, you're free to google it or click on it and send me email... i'm a computer scientist - i got my bsc in computer science from university of toronto in 2000... computer science was a natural path to take as i was already quite familiar with computers before i started - i'd been a coder since the age of 10 and had taught myself a variety of programming languages by the time i entered university (c was probably the most helpful)... i'd also developed an almost instant interest in computer security back when i was still puttering around on my vic20 when i was 10-11 (though obviously not out of any actual necessity as all my data was just games and coding experiments)...

in late 1989, the 2nd hand compaq luggable i had been using for about a year developed a very strange problem where characters would appear on the screen without ever having been typed... around the same time i had heard through the media about these things called computer viruses and i got to wondering if maybe my computer had one and set out to learn more about the subject because the problem was quite annoying and i wanted it solved...

of course in retrospect that all seems silly - it was clearly a problem with the keyboard, which i did deduce after a while and did manage to repair but not before having developed an interest in computer viruses...

so there i was, 14, with a couple of years of programming under my belt, and i'd just developed an interest in computer viruses - i think we all know where that leads....... hah! don't trust stereotypes, that's not where it led - not because my moral compass was any more developed than other teenagers', it definitely wasn't... when i did finally find forums for talking about viruses (which i find are generally much more useful than books) in the early 90's ('91 or '92 i think - if anyone can remember when edwin cleton stepped down as moderator of the VIRUS echo in fidonet, let me know) i found the analytical approach used by the anti-virus community to be more appealing than the less rigorous approach used by the vx at the time...

so there you have it - i've been learning about computer viruses (and by extension, malware and related security problems) since 1989, trying to discern the underlying principles, trying to put it into a nice, neat, easily understood package, and for much of that time sharing what i've learned with others... i'm not an expert, at least i don't consider myself one - i've interacted with those i consider experts (like frisk or dr. solly) in various forums and they're far more knowledgeable than i... i'm also not a member of the anti-virus industry, basically because there aren't any av shops in my area and i don't want to move, but i also gather prior knowledge of/interest in viruses can actually be a barrier to getting hired (av companies don't want to risk hiring someone who might have a virus writing past they aren't disclosing) so it's not something i've really investigated too much... i'm just a long time member of the anti-virus community...

if you really must know more, well, i can only suggest visiting my other blog to see a different side of me...

what is the VX?

the vx is a community of people involved in the creation and distribution of viruses and viral materials... the term 'vx' is an acronym that stands for Virus eXchange - it was originally the name of a virus trading BBS (bulletin board system) back in the 90's...

members of the vx community (also known as the virus underground) are known as vx'ers... many in this group of people create, share, publish and in some cases even spread computer viruses...

while some people outside the community like to claim that its members are anti-social, the fact that they formed a social group suggests otherwise... just because one social group does things that the rest of us don't like doesn't make them anti-social, it makes them a counter-culture... furthermore, studying the group reveals that they are motivated by the desire for many of the same social rewards that motivate everyone else - respect, social status, notoriety, influence, friendship, collaboration, etc. all within their social group... that's not to say that those are the only reasons people create/distribute/release viruses, but those that participate in the vx community do so because they are motivated at least in part by the same things that make any set of people form a social group...