Archive for the ‘Malware’ Category

So, today McAfee went on record with a very strange message. Specifically, they tell us that:

1) Malware is increasingly using Facebook as a vehicle for propagation; and
2) Malware is increasingly targeting virtual commnities (e.g., World of Warcraft, SecondLife) for password stealing

Interesting, but frankly I’m at a loss. This article interested me enough to actually go to the Avert site to try to download the research that this is coming from (which I couldn’t find, by the way), but it leaves me wondering what malware authors are smoking. Take WoW for example. The AV folks tell us the motivator is profit. If you hack a WoW account, you get the following:

1 Credit Card number
1 Address
1 Phone Number
1 Username
1 Limited-lifetime account to use for in-game spamming purposes
1000-2000 in virtual currency (say, for the sake of argument, that’s worth about 25 dollars to an in-game currency reseller like peonsforhire)

Compare that to the potential for exploitation if your malware targeted bank account information or passwords for online trading accounts. In that case you get:

1 Account number
1 Address
1 Phone Number
Upwards of 1000 dollars in real currency (that can be collected by the malware author for their own nefarious purposes)

If the motivation is profit, I’m just not getting why they would go down this road rather than the bank account road. Am I missing something here? If Avert’s numbers are right (and I don’t see why they wouldn’t be), what’s the deal?

So, I read the other day on the Register that those guys are pretty fed up with all the mobile phone malware hype. They’re irked that analysts like Gartner keep predicting it, and it keeps not coming to pass.

So, in the spirit of Cyber Security Awareness Month allow me to point out an alternative theory. Which is, that we’re currently under seige – that our phones have already started to rise up against us like the machines in Maximum Overdrive. For realz…

It could be that mobile malware is out there already… hiding so that it can continue its killing spree unabated. Since these phones control the communications, isn’t it plausible that they’ just silence those who would bring the reality to light? The reality… that mobile phones are already conducting a systematic malware-based extermination campaign.

Analysts predicted that the phone malware threat would come; Gartner said it would come in 2007. And by their reckoning, we’re right in the thick of it. McAfee predicted “The Year of Phone Malware” in 2006 – maybe it was. Maybe the phones are just too clever for us and they’re keeping it under the radar. They’re there – eavesdropping on our conversations and tracking us with their GPS.

My phone is smart. Like when I use the typeahead feature and it suggests words that never in my wildest dreams would I have thought to use (who knew I really meant “Hohn” when I started out to type “going”?)

It’s smart – and it’s angry. Like when it mysteriously puts me on mute when I’m on a conference call or when it hangs up on my boss in the middle of a discussion.

Smart and mean… like a miniature Dick Cheney that comes with me everywhere I go.

So put that in your pipe and smoke it, sarcastic people over at the Register. You can mock the phone malware pundits all you want. But in the meantime, I’m going to be plotting how to escape from the slave pens that our phones will set up once they have assumed command in the wake of their takeover.

Image Source: Slate.com

I found this to be particularly interesting when I read it this morning. In case you didn’t see the story, the rundown is the following:

Her story:

- A school has content filtering software installed, but they don’t maintain the license, so it stops working
- A schoolmarm visits a hair-styling website which has advertising content
- Schoolmarm’s machine receives a piece of spyware that downloads arbitrary ads
- Advertisements for pornographic websites are displayed on the screen
- Children see pornographics ads

Their story:

- She’s an evil schoolmarm; a particularly nasty breed that gets their sick jollies by showing kids pictures of naked people

Clearly showing little kids pictures of couples copulating is totally unacceptable. Now, I have to admit that I’m biased in that I happen to believe her story; of course, there could always be facts that aren’t in the press that establish her guilt beyond question. In other words, there could be more to it and it could be that she is a sicko. Either way, though, I’m astonished that this conviction took place. Specifically, even if the woman is a sicko, I don’t understand how a jury could hear both the above stories (phrased differently, of course) and come to the conclusion that she is culpable for this. Part of establishing that she is culpable is expert testimony on the part of the prosecution that her active involvement was required to bring up the images. Now, most of us with a familiarity with spyware could debate the veracity of this, but again we don’t have the facts in this case. Maybe her involvement was required. Without information about what expert testimony (if any) was on the defense side or what the details of the forensic evidence (if any) there was, it’s all up in the air from our point of view. But what if… What if her story is the real one? What if the defense was underprepared and couldn’t refute the expert testimony of the prosecution? What if she really didn’t do it on purpose?

So this is all titillating and stuff, but there’s really a reason that I’m bringing it up. Specifically, I’ve made the point in the past that the legal community and the information security community are being drawn more and more closely together. The FRCP, Zubulake, breach disclosure laws, and so on are all making it so that information security professionals have to understand something about the law and lawyers have to understand something about information security. And if they don’t? Then you get cases like this… or maybe this teacher’s just a sicko. Could go either way.

I came across a great post by Kurt Wismer this morning over at his Anti-Virus Rants blog: it’s a timely and interesting response to all the brouhaha surrounding academic malware. Now, he and I don’t entirely agree on this topic (I won’t go through it all again since we did over a thousand words on it last week), but Kurt argues the other side of this issue extremely well; I highly recommend it as a must-read counterbalance for folks wishing to understand the issue. Anyway, definitely worth checking out.

Other resources I’d recommend for folks wishing to understand the issue in depth are Tony Sampson’s take on M/C Journal as well as John Aycock’s publications that are relevant (though tangential) to the topic – for example, his views on creating a “safe” AV testing facility…

When I was a kid, I was afraid of sharks. I’ll admit it: I saw Jaws in 3D (I think it was the third one) back in the eighties and for years going to the beach would make me think about people being swallowed whole – I’d go to the shore and start fixating on the sadistic creatures lurking just below the surface and how they could attack at any time. Whew, scary.

To a kid (at least to this kid), shark attack was both common and likely. From my perspective it wasn’t a far-fetched train of thought – in fact, it makes perfect sense in light of what I knew: sharks were publicly observed attacking people, people tended to fear them, and they certainly look vicious enough. In other words, there was a confluence of evidence: anecdotal evidence (i.e. JAWS, the occasional attack on a beach-goer) supported shark attack, rational examination of the shark’s body (i.e. they’re built for a-killin’) supported shark attack, and “social proof” supported it (everybody else was afraid, shouldn’t I be too?) Given all that evidence, it’s a perfectly rational conclusion that shark attacks are common.

Of course, they’re not really common. We know that because somebody counted up the number of shark attacks per year and published the results. As it turns out, shark attacks are pretty uncommon. Gee, who knew? Sharks look mean, right? There are stories of people getting attacked, right? Everybody’s scared, right? But none of these things make something likely – they’re just happenstance.

So how does that relate to security? This morning, I came across an interesting take on the future of malware in the Martin McKeay Computerworld weblog. If you haven’t seen it, take a minute to check it out. I took away the following:

- Phone-borne malware is on the rise and will continue to increase over time
- IM-borne malware is on the rise because of the increased popularity of MMORPG’s
- Zero-day exploits are on the rise because of increased professionalism of attackers and motivation by profit

Now, I only have time to pick on one of these things, so I’ll choose the first one. Everytime somebody tells me about phone-borne malware, I always say “What phone malware?” to which they invariably reply by relating tons of anecdotes about how prevalent phone-borne malware is in Asia and Europe. The describe how popular phones are for micro-payments over there (and correspondingly how attractive they are for thieves.) They tell me about “SMish”-ing, Trojans, bluetooth worms – all things that have been observed in the wild. In short, they give me tons of anecdotal evidence – stories about sad users weeping over their broken phones and of legions of disaffected Asian youth carrying around phones rife with malware.

But, I’ve learned my lesson about anecdotal evidence; because anecdotes can be the same as folklore and because anecdotes are not always representative of the norm – I tend to disregard them. To prove this, consider your typical urban legend. It’s always a story about “a guy my friend knew” or “a friend of a friend” right? Urban legends are true-seeming anecdotes that appear possible (even probable) on the surface, but are pure confabulation underneath. So anecdotes, without scrutiny, may not even be true. But even if true, there’s the broader question of how useful the anecdote is for making a generalization; how representative of the norm is it? Like shark attacks, too many things could be going on to rely on it without further investigation. It certainly seems reasonable that there would be phone borne malware. And I have heard about it happening. But just because it seems a certain way doesn’t necessarily mean that it is.

Fortunately for us, there are numbers that we can look to to help determine how true (or untrue) the phone-borne malware thing is (or isn’t.) If we take a look, for example, at the estimates from SANS released earlier this month. According to them, we’re looking at an estimated 100,000 infections in 2007. 100,000? This from the folks saying it is (or will be) a problem… Now, this isn’t 100000 infections today, mind you – this is an estimated forecast for 2007 (after it ramps up from where it is today.)

So, to analyze that, let’s put that number in perspective. Depending on whose estimates we use, anywhere from 50 to 70 percent of all PC’s are infected with some kind of malware, right? Now, I happen to think those published numbers are astronomically high; so to be ultra-conservative, let’s cut it by a factor of ten and assume 5% of total machines are infected. As of 1996, one estimate put the number of PC’s in the world at 234200000 (trust me, the number is much higher a decade later.) And 5% of that number is 11,710,000. So based on the number of PC’s in 1996 (ridiculously conservative) and one 10th of the published percentage of infected machines (way too conservative), the number of phone-borne infections is .8 percent of the total infections. Of course, the percentage will really be much, much, much lower than that – factor in 10 years of PC growth, and use the “real” percentages for malware infections and you’re talking about thousandths of a percent.

But maybe comparing it to PC’s isn’t useful. Maybe it’s its own thing that needs to be analyzed separately from PC malware. Let’s look at what that 100,000 number is in light of the total cell phone population. In 2005, for example, there were 120 million new cellular phones sold (or thereabouts), right? Let’s assume (ridiculously) that’s the total number of vulnerable cell phones in the world (which it isn’t clearly, but let’s give the pro-cellphone-malware people a break and use this crazy low number.) 100000 is .08 percent of the total. By that rekoning, one phone in 1,250 will become infected. Include the number to include phones sold in 2004 (150 million) and 2006 (estimated to be 780 million according to Gartner), and you’re talking about .009 percent. One phone in just over 10000.

To put that in perspective, it’s roughly the same chance of someone being hit by a Delta II launch vehicle as it re-enters the atmosphere and falls to earth or that someone has of experiencing significant vision loss as a result of LASIK surgery. In other words, it happens – but it’s not damned likely.

Consumer Reports has apparently decided to test the capability of antivirus software to detect and respond to new and arising threats. In order to do this, they have contracted with an outside firm to create new malware which will then be scanned by the AV software. This sounded like a good idea to me, but then I read the reaction from the AV community:

[Sophos:] When I read about what ConsumerReports has done I want to bash my head against a brick wall. With over 185,000 viruses in existence was it really necessary for this magazine to create 5,000 more? It’s a bit like Fire Monthly Magazine testing fire stations by lighting umpteen fires around the country and seeing who is the fastest at putting them out. It’s irresponsible behaviour, and will be frowned upon by the anti-virus industry. Leave anti-virus testing to the independent testing bodies with expertise in the field. 

[Kaspersky:] After all there are many many thousands of viruses in existence already and we’re adding around 200 new signatures to our database every day, why the need for someone to create new ones? 

And so on. Everybody’s all in a tizzy about it. The AV folks claim that creating malware is wrong – no matter what the circumstances. The argument is that there is so much malware already that adding new malware to the list – no matter what the reason – is unethical. Now, maybe I’m an irresponsible lout, but
I think that’s USDA prime "bull".  Why?  Because #1 I don’t
accept that AV companies are the last stop when it comes to malware ethics and
#2 I think Consumer Reports is performing a useful service to the
community.  In other words, I think it’s useful for customers to be able to quantify the efficacy of claims made by AV software vendors
with respect to detection of new malware – and believe me the claims in this
area are pretty big:

• Norton AntiVirus (NAV) has the ability to detect unknown viruses of
  various types using heuristic algorithms known as Bloodhound. [Symantec]
• With advanced heuristics and generic detection it finds even new,
  unknown viruses, even hidden in compressed files. [McAfee]
• Sophos AV does incorporate heuristic scanning for unknown viruses in
  the wild. [Sophos]

 And so on.  They all make the claim.  How can we know which
work and which don’t.  In order to test the reality of these claims,
consumer reports decided to create some new malware for these products to find. Why is that so wrong?
Let’s break down the objections one by one:  

• Objection #1: It’s wrong because the malware could get into the wrong
  hands and tear a swath of destruction across the land.  So, it
  seems to me like we don’t know from what CR has said if the malware they
  created had functional propagation capability or payload; we also don’t know
  if it was created inside a safe and controlled environment.  Is it OK
  if there is no destruction, or possibility of destruction?
• Objection #2: Because it means that AV companies need to write new
  signatures.  Um…  No offense, but "cry me a
  river".  Look, AV companies are not a public service.  As
  part of their risk/reward analysis, these companies have decided that it’s
  more cost-effective at this time to write new signatures when new malware
  comes out vs. advancing the heuristic capability to the point where they
  don’t have to.  They went into it with their eyes open, and I’m not
  about to agree that legitimate, useful research should stop because it hits
  Symantec’s bottom line.  Not in this lifetime anyway.
• Objection #3: It’s wrong "no matter what the circumstances"
  and "for any purpose".  This is what I call the "lalala"
  argument – remember when you were a kid and you’d put your hands over your
  ears and go "lalala"? Yeah, that’s this.  Basically, in this
  view, it doesn’t matter why you’re writing it, what the payload/propagation
  is, or what the effect will be – it’s just wrong.  Since this argument
  isn’t predicated on anything concrete or specific (i.e. "it’s wrong
  because I say it is"), it’s somewhat hard to refute.  However, I
  think it’s useful to point out that since in this scenario it’s equally
  unethical no matter how inert the malware is, that this means the minute
  that you call something a virus it becomes problematic (for example if I
  started calling Microsoft Word "Win32.OfficeProductivity.A" it
  would then be unethical for me to have it.) 

Well, I guess I went on about this one…  It’s just one of those things
that gets me fired up.

Today, HackInTheBox published a Yankee Group webcast How to Detect and Remove Malicious Software Without Signatures or Scanning”. Anyway, it happened to catch my eye, so I (despite my better judgement) registered with the webcast sponsor (Sana) and watched the broadcast in its entirety. And it turns out that Yankee was right on target about the future of malware scanning – although there’s more to the story than they go into.

Yankee’s point seems to be that malware scanning can’t continue to rely on signature-based techniques because of the fact that zero-day vulnerabilities are on the increase and that signatures can’t keep up. According to their analysis, zero-day threats will continue to get more and more prevalent until signature-based scanning isn’t feasible as a countermeasure. That’s certainly possible, although they don’t really give much in the way of hard numbers or empirical evidence to back this up. All in all, it’s likely by not certain. They then go on to describe that the rate of threats is increasing and that, looking forward, one can project a time where the signature volume will be voluminous to the point of being unmanageable. They speculate that the future will bring about a time when signatures just can’t be done… because of delays in publication of signatures, vendors just can’t keep up.

So they’re right – partially. But it’s not speculation; the death of signature-based scanning is predicted precisely by well-understood laws of computer science; we can tell EXACTLY when it will happen and why. I’ve made this point before, so if you’ve heard it, sorry for the repetition. However, I think it’s an important point, so allow me to state it again. So let’s all put on our uber-dork hats and take a trip down memory lane to our “Algorithms” class… It’ll take a while to get there, so bear with me.

So, computer scientists analyze performance of a given search algorithm by representing the performance mathematically as a function of total operations required to complete the search. For example, if you were going to search the phone book linearly for a particular person’s last name, you would start at the beginning of the phone book and look at each name until you found the one you want (maybe there’s a mis-print and they put the entry you’re looking for somewhere that’s non-alphabetic.) This is an example of a “worst case n” search – the total time it takes to do the search would take – in the worst case – the number of items in the list multiplied by the constant amount of time that it takes you to complete an individual examination. To say that in an extra-fancy way, you might say that the search time is O(n) [big-Oh n] – “big O” technically means “asymptotic upper bound”, but that’s just a fancy way of saying “worst case”.

If you were going to search the phone book to find all the entries of a particular item (all the people with the last name “Smith”, for example), it changes the performance equation since now you have to examine all the entries in teh book to find all the occurances. In that case, the performance is an “asymptotically tight bound” with the number of entires – that’s a fancy way of saying “exactly”: you have to search exactly the number of entries – no more, no less. Formally, that’d be Θ(n). Doesn’t it seem like checking for a virus signature against every file on your hard drive is like looking for a given name in the phone book? Algorithmically, it’s the same thing: a Θ(n) search.

Now, say you were looking in the phone book for all the people that had either the last name “Smith” or the last name “Jones”. This time your search is more complicated because you have to check each name twice – you have to check it once to see if it’s “Jones” and you have to check it once to see if it’s “Smith” – in effect, you’re doing the same search twice. In this search, it’s not Θ(n) but insead it’s Θ(2n). If you have more names, you have to do the search once per item per name. Using q as an arbitrary letter to represent the number of entries, it’d be something like Θ(qn). Algorithmically, that’s the same as current malware-scanning products. Really, it is – double-check me if you don’t believe it.

So, the reason that signatures are dead (and right soon) is that both the q and the n values for malware are increasing exponentially over time – everybody’s research seems to agree on this; the number of malware signatures is increasing exponentially and so is the number of files on a given disk. Since the seach time is a product of the two, performance will appear to be acceptable for a given period of time (the flat part of the exponent curve) and then will go from “zero” to “nigh on impossible” in a heartbeat – one day your AV scanner seems “a bit slow” and a week later it takes the age of the universe to complete a scan – at least until the search parameters are changed. That’s the way exponential curves work. Now, the reality is a bit more complicated since there are things you can do to try to “cheat” the curve (not search every file or not look for every signature) – in fact, some vendors have already started “cheating” to combat the exponentially increasing scan times. But cheating won’t work long-term: since the numbers are exponential, it only shaves a bit off the curve.

So can you beat the curve? Not with signatures you can’t. As long as search times stay constant (or increase arithmetically according to Moore’s law), the fact that the two relevant search variables are exponential means the handwriting is on the wall. Or you could listen to Yankee and use Sana.

I’ve been reading this book, recommended by a colleague, called Crimes Against Logic – it’s a very readable catalog of logical flaws and nonsenical conclusions; I highly recommend the book, by the way. Anyway, I was reminded of this when I came across the recent malware numbers published by McAfee after seeing it in the press. Now, as many of you know, I am de facto critical of industry-wide research put out by AV firms – more often than not because the results are reflective of the methods they use to gather the data rather than anything having to do with the industry at large. And guess what? These are no exception.

In case you haven’t read it, the research basically says that in the last two years, the same number of “threats” have been discovered in the last two years than in the previous two decades (you’ll see why threats is quoted in a minute). Check out their findings:

It is alarming that we reach this milestone so soon after September 2004 when the count reached 100,000. Eighteen years to reach 100,000. Less than two years to double. Looking ahead, our researchers expect yet another doubling in a similar timeframe. So, 100,000 new threats in the past two years, 200,000 new threats to come in the next two years!

So what’s wrong with this? The first problem is in how they define the word “threat”; now, they don’t spell out precisely what is or is not a threat in their article. They do, however, refer to motivation by financial gain so clearly they DO mean spyware; perhaps they also mean certain types of spam. Look, Gator is spyware that may or may not collect some aggregated data about me to send back to the mothership while the casino virus deletes my hard disk; are they the same? I would argue not. But guess what? There was spyware before McAfee added the capability to scan for it. So, once again, the growth numbers are reflective of changes to the McAfee software rather than actual growth of malware. Not useful.

The second problem lies in the conclusions drawn from the results:

Another area of concern is the growth of malware targeting mobile telephony… it will grow… When the phone becomes the standard means to transfer money, malware targeting telephony will truly explode, much as bots and other means to steal money over the Internet have consumed our energies these past two years.

“When the phone is the standard means to transfer money?” Did I miss the new RAZR feature that lets you open a checking account? Look, you can’t just “slip that in there” – if you are going to predicate results on a major paradigm shift, you need to give some evidence for that shift. It’s like me saying, “once I’ve replaced my eyes with webcams, I’ll be able to broadcast my life to the web” without also prognosticating some sort of advance in cybernetics.

Anyway, just my humble two cents.

Interestingly, McAfee has decided to warn us all about the probability of malware appearing for OS X in the near future. McAfee has apparently put out a whitepaper called “The New Apple of Malware’s Eye.” The Register implies that the McAfee’s whitepaper is pretty much a hollow justification for their new VirusScan product for Mac on Intel, but there’s actually some good data about the growth of Mac vulnerabilities in the paper. Anyway, it’s 6 pages, so it’s minimal time invested, and it’s a very interesting read.

Remember when we went through the McAfee “Rootkit Report” and pointed out that their “statistics” were merely reflective of their product rather than actually reflective of what’s going on in the real world? Well, today I stumbled across the headline Virus emails drop to record low informing us that virus-laden emails are at the “record low” figure of 1.5%:

…total number of virus-laden emails fell by 56 per cent compared to March’s figures, with infected mail now making up just 0.79 per cent of inbound emails…

Bull. Why is it bull? Because this number (and others like them) don’t reflect the reality, they only reflect a particular vendor’s product – essentially the same point that I raised with McAfee’s the rootkit numbers. These numbers reflect the unique nuances of the instrument used to take the measurements – they do not necessarily tell us much about what’s going on outside of that. How do we know? Because the .79 percent figure is from the Blackspider statistics; but they’re not the only people publishing this stuff.

According to some of their “peers”, the April virus numbers were: Messagelabs – 1.5%, MX Logic – 3.8% (7 day window, not all of April), Sophos – 0.7%, EmailSystems – 0.42%, and so on. Look, these may sound like small percentages at first, but when we’re talking about 60 billion emails a day, the difference between .8 percent and 3.8% is 180 million emails per day. Over the month, that’s a range of error for these numbers +/- 5.5 billion. See what I mean? In my opinion, we would need to see all these different vendor numbers plotted out against each other over time in order to really make guesses about what’s really going on under the hood.