Tuesday, October 24, 2006

the myth of AV's failure

i'm sure you've heard it said before that conventional anti-virus techniques are broken or obsolete, that av is failing... i've touched on the topic before here and here but i think it's time to tackle this myth head on...

people say and believe that conventional av is outdated because of all the reports of its failure... there are lots of examples where program X failed to stop malware Y from infesting computer Z, so one could forgive some of the greener minds for concluding that those reports are representative of reality, that anti-virus products don't do a good job...

what anyone with any degree of training in statistics will notice, however, is the obvious selection bias in those reports - you hear about av products failing but you don't hear much in the way of success stories, not because there are no successes but because there's no reason to report them... the failure reports give an entirely lopsided view of the efficacy of conventional anti-virus techniques, leading to the negative perceptual bias the security community now suffers from...

conventional anti-virus (known virus, or known malware scanning) does fail, there's no denying that... specifically it fails to detect new/unknown malware, and that is an accepted and acceptable limitation... acceptable because no single technique can ever be effective against everything (thus necessitating other, complementary techniques) and new/unknown malware, though good for capturing media attention, is not quite as big a deal as it's made out to be... known malware vastly outnumbers new/unknown malware and new/unknown malware (especially that which affects many people, thereby posing a significant threat) generally does not stay new/unknown for long...

now, if known malware scanning really was as broken a model as some people like to think it is, why does a piece of malware's population growth start decreasing once it becomes known malware? it doesn't magically stop trying to spread (or in the case of non-replicating malware, the malware spreader doesn't automatically stop trying to spread it)... the population growth starts decreasing because it begins to fail to spread (or be spread)... the fading out of a particular piece of malware can take years, a decade or more in some cases (usually for reasons unrelated to a scanner's efficacy), all the while it's trying and usually failing to spread... potentially failing orders of magnitude more times than it ever succeeded - and those failures represent successes for known malware scanning...

if people thought seriously for a moment about the life-cycle of malware, about the relative deployment of various anti-malware technologies, and the implications they have for the notion that scanners are failing, falling behind, or just not working they'd realize that in fact scanners must be working far more than they're failing otherwise the population of a given piece of malware wouldn't go down... this is still very much an av world, most people use nothing more than scanners (if they even use that much), there aren't enough deployments of alternative technologies to stem the tide of the malware's spread...

scanning isn't broken or outdated or failing - malware would be a much bigger problem if it were... the notion that it is failing is just an erroneous perception based on an interpretation of incomplete facts...
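to make the life-cycle argument above concrete, here is an illustrative model added to this page as an editorial example (it is not the blog author's code and not anything from an av vendor)... every number in it - population size, spread attempts per step, scanner deployment share, the step at which the sample becomes "known" - is an assumed parameter chosen to make the dynamics visible, not a measurement of real malware... it counts spread attempts that a scanner stopped versus attempts that succeeded once the sample is known, and shows the population only turning around when enough hosts run something that recognizes the sample...

```python
"""illustrative life-cycle model for a single malware family.

added as an editorial example; this is not code from the blog or from any
av vendor, and every parameter below is an assumption chosen to make the
dynamics visible, not a measurement of real malware.

each time step every infected host makes `attempts` spread attempts against
random hosts; an attempt can only succeed against an uninfected host, and
once the sample is "known" (step >= known_at) the fraction of hosts running
a scanner blocks it and cleans a share of the infected hosts per step.
"""
from dataclasses import dataclass, field


@dataclass
class Outcome:
    infected: list = field(default_factory=list)  # infected hosts after each step
    succeeded_after_known: float = 0.0            # attempts that infected a host
    blocked_after_known: float = 0.0              # attempts a scanner stopped


def simulate(hosts=100_000, initial=10, attempts=1.5, scanner_share=0.9,
             clean_rate=0.3, known_at=10, steps=60):
    """run the model and return the per-step population plus attempt counts."""
    susceptible = float(hosts - initial)
    infected = float(initial)
    out = Outcome()
    for step in range(steps):
        known = step >= known_at
        block = scanner_share if known else 0.0   # unknown malware: nothing is blocked
        # attempts that reach a host that could still be infected
        eligible = infected * attempts * (susceptible / hosts)
        new = min(eligible * (1.0 - block), susceptible)
        blocked = eligible * block
        # only hosts with a scanner get cleaned, and only once the sample is known
        cleaned = infected * clean_rate * scanner_share if known else 0.0
        infected += new - cleaned
        susceptible += cleaned - new
        if known:
            out.succeeded_after_known += new
            out.blocked_after_known += blocked
        out.infected.append(infected)
    return out


def declines_once_known(out, known_at):
    """true if the infected population shrinks at every step from known_at on."""
    series = out.infected
    return all(series[t] < series[t - 1] for t in range(known_at, len(series)))


if __name__ == "__main__":
    out = simulate()
    peak = max(out.infected)
    print(f"peak infected: {peak:.0f}, final: {out.infected[-1]:.0f}")
    print(f"after becoming known: {out.blocked_after_known:.0f} attempts blocked, "
          f"{out.succeeded_after_known:.0f} succeeded")
```

running it with scanner_share=0.0 is the other half of the argument: with nobody recognizing the sample there is no cleaning and no blocking, so the population never declines at all, which is what a world without scanners would look like...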

sunbeltblog on patchguard

this is going to be another one of those totally out of character posts where i actually say nice things so get your protective gear on because the world might just end while you read it...

i was playing around with the idea of doing my own post on patchguard, inspired by some of the crazy notions i've seen bandied about on various security blogs (mostly those without any anti-malware specialization), but now i don't have to because alex eckelberry has absolutely nailed it...

he touched on all the right things, from the inevitability of failure of any given preventative measure, to the importance of flexibility when trying to deal with new threats... he even incorporated concepts of anti-malware strategy and tactics the likes of which i rarely see discussed but often aspire to myself...

bravo, alex...

Wednesday, October 18, 2006

ipod viruses

lots of people have been posting about the fact that apple let a virus slip into its video ipod product line... a lot of them were rightly ticked off at apple's disingenuous attempt at passing the buck to microsoft for not making their OS "more hardy", and i could certainly parrot that sentiment if i wanted to be a parrot (it certainly wouldn't be the first time i held apple's feet to the fire over malware issues)...

but there's a small kernel of info that was shaken loose that doesn't really seem to have gotten the attention it deserves... see, as much as i enjoy finger pointing, i think this incident (and the similar cock-up by mcdonalds in japan) is an excellent object lesson for the average user about an old malware issue that has been all but forgotten in this day and age - that being that removable media represents a potential infection vector...

oh sure, nobody's making bootsector viruses anymore, and floppy disks are becoming extinct so the traditional threat we used to think of with regards to removable storage media is a non-issue, but removable storage media has evolved and the malware risk has evolved with it and in some ways gotten worse (autorun anyone)... the more things change, the more they stay the same...

if it can store data (like songs or video or whatever) then you should think of it as being as dangerous as a floppy disk used to be... whether it's an actual floppy disk or cd or dvd or flash/pen/thumb/usb drive or mp3 player or media player, so long as it's new to your system it needs to be scanned for malware before anything on it can be used or executed (and that means you should probably disable autorun - as inconvenient as that sounds)... otherwise you have to deal with things like worms infecting your pc as soon as you connect your shiny new ipod to it...
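to show what autorun actually hands to the operating system, here is an added editorial example (not code from the blog, apple or microsoft) that parses an autorun.inf the lenient way windows does and reports what it would launch... the file layout (an [autorun] section with open=, shellexecute= and shell\verb\command= keys) is the documented windows format; the sample file and the program names in it are constructed for the demonstration...

```python
"""inspect what a removable volume's autorun.inf would launch.

added editorial example, not code from the blog or from apple/microsoft;
the file layout is the documented windows autorun.inf format, the sample
file below is constructed for the demonstration and its file names are
made up.
"""
import os
import tempfile

# keys whose value is a command line windows runs on insert / autoplay
_LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """parse autorun.inf into {section: [(key, value), ...]}.

    hand-rolled rather than configparser because windows is lenient: section
    and key names are case-insensitive, duplicate keys are allowed, and
    malicious files often pad the file with junk lines that must be ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
        # anything else is junk and is ignored, as windows would
    return sections


def launch_targets(text):
    """commands that would run on insert or via a hijacked explorer verb."""
    targets = []
    for key, value in parse_autorun(text).get("autorun", []):
        if key in _LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value)
    return targets


def scan_volume(root):
    """launch targets of an autorun.inf at the volume root, or [] if there is none."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            path = os.path.join(root, name)
            with open(path, encoding="latin-1", errors="replace") as fh:
                return launch_targets(fh.read())
    return []


# constructed sample: a media player whose "open" action and the explorer
# "explore" verb have both been pointed at a program carried on the device
SAMPLE_AUTORUN = """[AutoRun]
icon=player.exe,0
label=my media player
open=player.exe
shell\\explore\\command=player.exe /silent
;padding line that a lenient parser must skip
shellexecute=updates\\setup.exe
"""


def demo_scan():
    """write the constructed sample to a temporary 'volume' and scan it."""
    with tempfile.TemporaryDirectory() as vol:
        with open(os.path.join(vol, "AUTORUN.INF"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        return scan_volume(vol)


if __name__ == "__main__":
    print("would launch:", demo_scan())
```

the point of listing the explorer verb commands as well as open= is that "disable autorun" has to cover both: even with autoplay off, a double-click on the drive in explorer follows the shell\...\command entries, which is why the usual fix on windows of that era was to set the NoDriveTypeAutoRun policy value (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer) to 0xff and still scan the media before using it...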

what is a boot sector virus

a boot sector virus (or boot sector infector, or BSI) is a virus that infects a special kind of program called a bootstrap loader - the small piece of code in the first sector of a disk that the BIOS loads and runs at startup...

pure boot sector viruses spread by way of shared floppy disks - when one person gave another person a disk with a BSI on it and the second person booted their computer from that disk (sometimes accidentally, by leaving it in the drive at startup) the BSI would execute and infect the hard disk (if one was available - early computers didn't always have hard disks) and/or any floppy disks that were subsequently inserted into the computer during that session...

some viruses were able to infect not only boot sectors but also conventional programs like *.EXE files - these were called multi-partite viruses...

on PCs, contrary to a popular misconception at the time, BSIs were never able to infect the machine simply by inserting an infected disk - a virus always has to be executed in some way before it can do anything, and boot sectors (infected or otherwise) only get executed during bootup... other mitigating factors for BSI spread were the introduction of BIOS options to prevent booting from floppy disks (generally by way of changing the boot priority to attempt booting from the hard drive first or exclusively) and to monitor changes to the master boot record and give the user the opportunity to prevent those changes... one of the final nails in the coffin of BSIs was windows 95 (and later), which prevented BSIs from being able to spread after the operating system had loaded (giving the viruses too small a window of opportunity to spread)...
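the BIOS "monitor changes to the master boot record" option mentioned above is simple enough to show... here is an added editorial example (not code from the blog) that parses a 512-byte master boot record and keeps a baseline of the code region so a changed loader is noticed... the sector layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature) is the standard pc mbr format; the sample sector is constructed by hand and is not a real loader...

```python
"""parse a 512-byte master boot record and detect changes to its code.

added editorial example, not code from the blog; the sector layout is the
standard pc mbr format and the sample sector below is constructed by hand.
this mimics the bios "mbr change warning": hash the code region, keep the
hash as a baseline and compare at the next boot.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
CODE_SIZE = 446                 # bootstrap loader occupies bytes 0..445
PARTITION_TABLE = 446           # four 16-byte entries follow the code
SIGNATURE = b"\x55\xaa"         # last two bytes of a valid boot sector


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(sector):
    """decode the four partition slots; type 0 marks an unused slot."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype != 0:
            entries.append(Partition(status == 0x80, ptype, lba, count))
    return entries


def is_valid_boot_sector(sector):
    return len(sector) == SECTOR_SIZE and sector[-2:] == SIGNATURE


def code_fingerprint(sector):
    """hash only the bootstrap code: the partition table changes legitimately
    (repartitioning) while the loader code should not change between boots."""
    return hashlib.sha256(sector[:CODE_SIZE]).hexdigest()


def mbr_changed(sector, baseline):
    """what a bios mbr monitor does: compare the code region against a baseline."""
    return code_fingerprint(sector) != baseline


def build_sample_mbr():
    """constructed mbr: a stub loader plus one bootable ntfs-type partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:4] = b"\x33\xc0\x8e\xd0"      # xor ax,ax / mov ss,ax - typical loader start
    sector[4:32] = b"\x90" * 28            # filler standing in for the rest of the code
    sector[PARTITION_TABLE:PARTITION_TABLE + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_097_152)
    sector[-2:] = SIGNATURE
    return bytes(sector)


def tamper(sector):
    """simulate a replaced loader: a bsi overwrites the code, not the partition table."""
    modified = bytearray(sector)
    modified[0:3] = b"\xeb\x3c\x90"        # different entry jump, table untouched
    return bytes(modified)


if __name__ == "__main__":
    mbr = build_sample_mbr()
    baseline = code_fingerprint(mbr)
    print(parse_partitions(mbr))
    print("changed:", mbr_changed(tamper(mbr), baseline))
```

the caveat the BIOS option itself had applies here too: a baseline check only tells you the code changed, not whether the change was a virus or a legitimate reinstall of the loader, which is why those BIOS warnings were usually presented as a prompt rather than a hard block...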


Tuesday, October 17, 2006

the virus problem is solved... NOT!

years ago (in 1988 if i'm not mistaken) peter norton (of norton utilities fame) famously stated that computer viruses were an urban myth, like alligators in the sewers of new york... even though he didn't really have much to do with its development, it's still quite ironic that an anti-virus product bearing his name (norton anti-virus) and at one point his likeness has become one of the dominant forces in the anti-virus industry...

now, john thompson (ceo of symantec, maker of norton anti-virus) is being quoted as saying that the virus problem is solved... if you're wondering - that would be the sound of my irony meter being blown to smithereens from an overload because after 18 years norton-related irony has come full circle...

i don't know what world john thompson is living in or what his special definition of solved is but it seems to me that if people are still having problems with viruses then the virus problem isn't solved...

the virus problem is fairly clearly not solved, so how are we to interpret claims that it is? well, one conclusion that we can draw is that if symantec thinks the problem is solved then they can't have any vision for future innovation in the anti-virus domain - after all, you wouldn't call something solved if you were still in the process of coming up with better solutions, would you?...

if they were just changing their focus to more socially engineered attacks like phishing and fraud instead of traditional malware as has been suggested (in spite of the fact that malware remains a great enabling technology for those other kinds of attacks), then why try so hard to divert attention away from the virus problem? why say something they know isn't true (and i'm pretty sure they know the virus problem isn't solved - they aren't dummies) unless there's something they're trying to hide (like a lack of vision, or perhaps a belief that they aren't going to be able to be nearly as successful in the av industry in the future as they are now)...

whatever's going on, saying the virus problem is solved is a statement that should engender mistrust, not just because it's blatantly false but because it's likely some kind of deception (like a magician or street hustler employing the art of misdirection so that you don't notice the trick)... something just doesn't feel right about it...

Monday, October 16, 2006

second life's 'grey goo'

i don't play second life myself (i don't know how people find the time) but i caught wind of an interesting story last week by way of boingboing.net about self-replicating objects inside the second life game...

pat yourself on the back if you think this is going to wind up with me labelling them viruses - but not too hard (you might break your spine) since this is a virus related blog...

yup, it appears that users can make their own objects in second life and code behaviours into those objects with a scripting language... that makes them, essentially, programs... and those second life objects that self-replicate? well they're self-replicating programs, which fits the academic definition of virus like a glove... apparently there are a number of different grey goo incarnations (since counter measures were developed and deployed) but i haven't found any descriptions yet that could be interpreted as a program infecting another program, so i would probably classify the grey goo as a kind of worm (more specifically i suspect it might qualify as a rabbit)...

one of the things about this that is interesting to me is that this is a departure from the other stories one often hears about regarding internet gaming malware... generally the malware one hears about is a password stealer or some other kind of spyware meant to enable the attacker to steal something of value... they're held up as examples of how malware today has become financially motivated (so-called crimeware)... as near as i can figure, however, there's no direct financial benefits to grey goo attacks - if anything they seem more like the vandalism stage of malware we used to have and perhaps it's good to remember that technically that hasn't really gone away yet (obviously)...

some folks may disagree with the vandalism characterization - after all, in the real world grey goo would qualify as a weapon of mass destruction... second life isn't the real world, however... the grey goo in second life doesn't consume other in-game resources like real world grey goo would (which makes it both more benign and in some senses harder to control) - the only resources second life grey goo consumes are the computing resources of the game servers, effectively executing a DoS attack on the game... nobody dies and nobody's in-game character dies; at most it really just brings the servers down and interferes with in-game commerce (which has apparently branched out into real-world commerce but interfering with that wouldn't really qualify as mass destruction)...

another interesting aspect is the counter measures that have been developed to combat the grey goo, particularly because they were developed in-house at linden labs (creators of second life) rather than by the anti-virus community, and because they seem to have come up with familiar solutions in spite of not being part of the anti-virus industry and probably not even thinking of it as a viral problem... one blog commenter shudders at the thought of writing an anti-virus to address the problem and yet that's exactly what linden labs did with their grey goo fence... of course it's not what the average person would consider an anti-virus, it's not a signature based known virus scanner (perhaps because the anti-virus industry has done such a poor job of image control that the idea of creating a conventional scanner for this problem was anathema to the developers), it's a behaviour based system that triggers on excessive instantiation (rezzing) within a family of objects (too many children in too short a time is bad)...

one key thing to point out is that behaviour based systems (like all preventative measures) are not perfect and the grey goo fence is no exception... apparently second life requires objects to be able to instantiate other objects so some level of self-replication is always going to be able to get in under the grey goo fence's threshold... additionally it might be possible to fool family membership evaluation (perhaps by socially engineered player intervention)... at any rate, the grey goo fence has failed and a new counter measure being suggested is limiting some of the scripting functionality required for self-replication so that only trusted individuals can make use of it - which is essentially a kind of whitelist... whitelists won't be a silver bullet either, of course, because there is a limit to the accuracy and scope to which one can objectively define trust...
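to show both the mechanism and the two holes just described, here is an added editorial example of a behaviour based fence... this is not linden labs' code (their implementation isn't reproduced here), and the threshold, the time window and the way family membership is tracked by parent links are all assumptions made for the example... it rate-limits rezzing per family of objects, and the helper functions at the bottom demonstrate a burst being cut off, a slow replication chain staying under the threshold, and children that claim unrelated parents slipping past the family check...

```python
"""a behaviour-based "grey goo fence": rate-limit object creation per family.

added editorial example, not linden labs' code; the threshold, window and
parent-link lineage tracking are assumptions made for the demonstration.
"""
from collections import defaultdict, deque


class GreyGooFence:
    def __init__(self, max_rez, window):
        self.max_rez = max_rez                  # allowed rez events per family per window
        self.window = window                    # seconds
        self.parent = {}                        # child id -> parent id
        self.events = defaultdict(deque)        # family root -> recent rez timestamps

    def family_of(self, obj):
        """walk the parent chain to the root; an unknown parent is its own root."""
        seen = set()
        while obj in self.parent and obj not in seen:
            seen.add(obj)                       # guards against a forged cycle
            obj = self.parent[obj]
        return obj

    def rez(self, parent, child, now):
        """return True if `parent` may create `child` at time `now`, else block it."""
        root = self.family_of(parent)
        recent = self.events[root]
        while recent and now - recent[0] > self.window:   # drop events outside the window
            recent.popleft()
        if len(recent) >= self.max_rez:
            return False                        # too many children too fast: blocked
        recent.append(now)
        self.parent[child] = parent             # child joins the family
        return True


def burst(fence, parent, count, interval, start=0.0):
    """one parent rezzing `count` children `interval` seconds apart; returns allowed count."""
    return sum(fence.rez(parent, f"{parent}-child{i}", start + i * interval)
               for i in range(count))


def chain_replication(fence, count, interval):
    """each allowed child rezzes the next one: true self-replication, one lineage."""
    parent, allowed = "seed", 0
    for i in range(count):
        child = f"gen{i}"
        if fence.rez(parent, child, i * interval):
            allowed += 1
            parent = child
    return allowed


def spoofed_lineage(fence, count):
    """children claim unrelated, never-seen parents: every rez starts a new family."""
    return sum(fence.rez(f"stranger{i}", f"goo{i}", 0.0) for i in range(count))


if __name__ == "__main__":
    print("burst:", burst(GreyGooFence(10, 5.0), "root", 20, 0.1))
    print("slow chain:", chain_replication(GreyGooFence(10, 5.0), 30, 1.0))
    print("spoofed:", spoofed_lineage(GreyGooFence(10, 5.0), 20))
```

the slow chain and the spoofed lineage are the two failure modes from the post in runnable form: a replicator that paces itself to stay under max_rez per window is never blocked, and anything that breaks the parent link (a player re-rezzing a copy from inventory, or any way of making the fence see a fresh root) gets a fresh budget per family...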

it'll be interesting to me to see where this kind of in-game malware proceeds - whether truly infectious self-replication emerges, whether other types of malware-related techniques are employed... it almost makes me want to play the game and see it first hand... almost...

Tuesday, October 10, 2006

complete / total / full protection is snake oil

it's been a while since i last held a vendor's feet to the fire over advertising meant to instill a false sense of security - otherwise known as snake oil... well, i'm about to make up for that...

now, i want to make it clear that i generally don't go looking for anti-virus ad copy or marketing material, i grew out of that complete and utter bullshit a long time ago and as a result rarely ever see actual anti-virus advertisements (actually, i do my best to avoid advertisements in general because really it's all bullshit, but anyways)... i knew that misleading claims occasionally slipped into a vendor's marketing material from time to time but clay (of claymania fame) brought to my attention the disturbing fact that snake-oil in the anti-virus industry is actually much more common than i had been aware or wanted to believe... on further investigation it seems to be fairly ubiquitous...

but before i really lay into them, let's start with the title of this post... we've known for a long time that 100% protection was snake oil, it was an impossible claim that obvious snake oil peddlers pushed on an unsuspecting public years ago until the community woke up and said we weren't going to accept that anymore... so then ask yourself: does complete, total, or full protection mean something significantly different from 100% protection? not as far as i can tell - they're the same thing, just with different words in order to avoid the old snake oil alarm bells... it's not like we're talking about almost full, nearly complete, or just about total protection; these folks aren't saying that if you use their product you'll be 99 and 44/100ths percent protected, no, it's complete/total/full/100 percent protection all the way...

so when mcafee creates a product whose very name is mcafee total protection they're lying to the public and their brochure that states "It offers comprehensive security that’s always on and always up to date—and the confidence that you are completely protected." is promoting a false sense of security - you are never completely or totally protected...

when sophos claims that "Sophos Anti-Virus Small Business Edition detects and disinfects viruses, spyware, Trojans and worms at every potential point of infection, ensuring networks and remote users are fully protected." they're telling you 'porkies' - you're never fully protected either...

when computer associates tells you they are "Providing Complete PC Protection from Internet Threats" they are full of hot air (or maybe something else) - once again, you can't have complete protection...

when eset informs you "That means you’re purchasing more than antispyware software, you’re purchasing total-protection software. And peace of mind." they're totally full of it - because they certainly aren't giving you total protection...

when grisoft pronounces that they provide "Complete security protection against all of the most serious Internet threats, including viruses, worms, trojans, spyware, adware, hackers and spam." it is complete bunk - once again, there can be no complete protection...

when f-secure states that "F-Secure® Internet Security 2007TM provides a complete and easy-to-use protection against all Internet threats, whether they are known or previously unidentified." they're going completely overboard - complete protection against known and unidentified/unknown threats is nothing short of fantasy...

when panda software asserts that "The new Panda Internet Security 2007 offers the most complete protection so you can use the Internet with absolute peace of mind." they're actually setting you up with a double-whammy - complete protection is impossible so absolute peace of mind is entirely unwarranted... that brings up another type of misleading claim - the worry free protection... panda software really likes 'worry free' ("Browse the Internet, download any file you want, play online for hours... without any worries")...

they aren't the only ones, as trend micro clearly shows with "Trend Micro Antivirus can effectively remove viruses, email worms and Trojans that can destroy your data and files. You can use the Internet worry-free, knowing you’re protected from viruses in email messages, Internet downloads, instant messages, and removable disks."...

and norman gets into the act too with "This product combines the award winning Norman Virus Control and Norman Personal Firewall in one package to offer customers complete peace of mind while using the Internet." - no security program catches everything therefore no security program should be giving you complete peace of mind...

worry free protection that gives you peace of mind is just another form of the install and forget snake oil that we've seen before and that bitdefender is proudly displaying here when they say "Ease of use and automatic updating make BitDefender Client Standard an "install and forget" antivirus product." - isn't it great how they even knew to highlight the offending phrase with quotation marks?

this isn't even all of them... i'm sure if i looked harder/longer i'd find even more vendors doing these (and similar) things... it's bad enough that the words protect and protection all by themselves suggest completeness - you normally have to qualify their use in order to suggest anything less than complete protection - but to so blatantly do the opposite, making false claims and giving the public a false sense of security, and on such a large scale . . . . . words fail me... it makes me ashamed to admit to knowing anyone in the industry, and very glad i'm not one of them...

[edit - thanks for pointing out that the last paragraph was borked, clay... hopefully it no longer looks like the product of someone who was up way too late...]

Saturday, October 07, 2006

corrections for cytrap labs blog

here we go again... ok, this particular blog didn't accept my comment at all so instead of getting the text out of historical feed items for a comment aggregator feed i got them out of a backup i saved in google notebook (i backup my comments before submitting because i occasionally encounter problems during comment submission and need to resubmit)...

the article in question is Do not believe everything you read but you should reflect on it - anti-virus software tests which was about (you guessed it) the consumer reports controversy... my comment was as follows:
"This is more scientific than the test method used by Independent Security Evaluators (ISE) used by Consumer Reports to conduct these tests on its behalf?"

yes, retrospective testing is more scientific than testing with lab-made viruses... retrospective testing uses viruses from the real world while ISE's test used viruses meant to approximate those from the real world (ie. it simulated the processes by which viruses are created in the real world based on a variety of assumptions which may or may not be valid)...

"A 40% detection rate in a retrospective test is seen as being pretty good for most anti-virus software because it means that it detects all the new malware appearing during 3 months by heuristics and generic detections."

??? 40% detection rate means it detected 40% of the viruses, not all of them... it's considered pretty good because most do much worse than 40%...

"Using currently-known viruses to measure the performance of older AV engines is based on the assumption that the viruses we know about today will be the same kind as those that we will see in the near future. Hence, what was unknown three months ago should be representative of new viruses in general?"

the only assumption here is your own that retrospective test results are supposed to be generalizable... the reason retrospective tests (and other tests for that matter) are performed over and over again is precisely because they are not individually generalizable and a general sense of how well a product does can only be gained from looking at trends across multiple tests...

"Just for the record, zoo viruses are commonly defined as “existing only in lab environments” and thus not ITW (in the wild) until leaked. If they only exist in lab environments, what might their origin be?"

just for the record this is an oversimplification of what zoo viruses are... they do not exist only in labs, they are simply believed to not be actively spreading in the wild... they can still exist all over the place, in vendor labs, in private collections, or in the hot little hands of those who simply haven't gotten around to trying to spread them yet...

"Further, where is the line to be drawn at “vendor created”? Vendors get viruses in various ways but sometimes provide compensation to people providing them (e.g., also called vulnerability research). Examples of this can be found in the Perrun JPEG virus proof of concept and the Commwarrior.a SymbianOS virus."

if those are supposed to be examples of viruses whose creators were compensated by the vendors then i think you need to provide some proof... although a certain famous name in the av industry is believed to have paid for viruses, that was a long time ago and those efforts helped him become a pariah in the av industry and community...

"The AVIEN open letter:
>Public letter concerning the Writing of Viruses & How it Does Not Teach about Virus Prevention (May 30, 2003)
is not necessarily very helpful. I even wonder why some of these well known av industry representatives let their name stand on this letter."

consider reading the signatures more closely - they are not just av industry representatives, there are lots of people on the list that are outside of the av industry...

" > “…it is not necessary and it is not useful to write computer viruses to learn how to protect against them.”
One could interpret this statement as saying something similar to: trust us we know best and do not need to explain ourselves to people like you."

or you could interpret it as simply the result of a great deal of online discussion that occurred elsewhere (in multiple venues)... petitions generally don't include all the conversations and arguments that lead up to their creation...


and that pretty much covers all the corrections i have saved up... for now...

corrections for the virus alert blog

i'm always on the lookout for good new sources of malware and/or security information, especially blogs (growing a security blogroll as big as mine doesn't just happen, y'know)...

now sometimes i find a good one and sometimes i find one that could use a little work... the virus alert blog is one that i thought could use a little work so i offered some corrections to a couple of articles that i felt held the most misinformation... i don't think the comments i left were overly critical, more just corrective... certainly not something anyone should take offense to - but apparently offensive enough for them to be taken down without explanation or correction to the articles in question...

well, isn't that just dandy then... y'know, i respect the right of a blog owner to decide whether or not s/he wants to accept feedback from others... look at me, i've disabled comments here in part to avoid comment spam but also to avoid being engaged in complex debates in a medium that frankly just wasn't designed for it (which is why i point people to alt.comp.virus and alt.comp.anti-virus)... i still accept feedback, mind you, and even make corrections from time to time based on that feedback, just not in the form of blog comments... but if you're going to allow comments then allow comments, don't disappear them...

whatever... thanks to my use of comment aggregation (via co.mments.com) and a feed reader that keeps track of historical feed items i have the full text of my comments to share with you...

the first article was Computer Virus Myth #5 which basically said getting infected by viewing a web page was a myth and not possible... my response was as follows:
By kurt wismer. October 5th, 2006 at 7:59 am

while it would ideally be true that you cannot become infected just by browsing to a web page, the reality isn't so simple…

there are multiple examples of malware getting executed on a host machine simply because a user browsed to a malicious website - adware and spyware do this all the time so there's no reason why a virus can't do the same… if the virus can get executed (and the spyware example you yourself acknowledge proves that software can get executed under this scenario) then the virus can infect the machine…

in fact, one type of instant messaging worm spreads itself by sending messages to your IM contacts containing nothing more than a link to a malicious website which, when visited by your contacts launches the viral on their machines…

so long as there is java, javascript, activex, flash, shockwave, and any number of other active content web technologies out there (not to mention vulnerabilities that allow arbitrary code execution), any kind of malware can get executed by browsing to a malicious page - and for viruses that means they get the opportunity to infect…
("launches the viral on their machines"? looks like i missed a word - should have been "launches the viral code on their machines")

the second article was The 3 Main Types Of Computer Viruses which lists trojans, worms, and email viruses as the 3 main types of (ahem) viruses... my response was as follows:
By kurt wismer. October 5th, 2006 at 8:35 am

this really begs some corrections…

first and foremost - a trojan isn't any kind of virus… although viruses can often be considered a kind of trojan, the reverse does not hold true… the fundamental requirement for a virus is that it self-replicates and there's nothing in the definition of trojan horse programs dealing with self-replication…

worms can be considered viruses but generally only in the academic sense (whereby the mathematical definition of virus used in formulating proofs includes all self-replicating programs)…

email viruses are more accurately referred to as email worms… the tradition with viruses is that they are classified by what and/or how they infect (what: boot sector viruses, file infectors, macro viruses, etc - how: overwriting infectors, appending infectors, companion infectors, cavity infectors, etc)… "email" is neither a 'how', nor a 'what' (since email is not any kind of program it cannot be infected, it can only serve as a container), it is a transport medium (which is how worms are generally classified; email worms, IM worms, IRC worms, P2P worms, etc)…

Tuesday, October 03, 2006

google search malware warning

a while ago (2 months?) google added a malware warning feature to their search engine that utilizes the stopbadware.org project and looks a little like this


i only saw it first hand for the first time today (despite being an avid google user) and i already have concerns...

the first is that you don't see the warning until you click on the result from their results page... why not save the user some hassle and just mark up the results page like siteadvisor does? i mean, really, it shouldn't be that hard (it might make siteadvisor redundant, however)...

the second is worse, however... of the options it gives the user for continuing from the warning page, the easiest one for the user to choose is to go on to the bad site... this is backwards - if google really wants to help people they should make the safest option the easiest one to choose - that means it needs a backlink, a box to enter a new query, and something that makes it more difficult to click on the mal-link, like a checkbox that says "i understand that the site contains badware and want to visit it anyways" that must be checked before the mal-link can be clicked on...

come on, folks... this is basic secure UI design, surely all those big brains in the googleplex understand such a basic principle as making the right choice the easiest choice...