ESET Threat Blog

November 20th, 2008

We’ve added some features to ESET Smart Security. The beta for version 4.0 is now open to the public. Visit http://beta.eset.com to try out the new version.

As always with beta software, it is not recommended for use on production systems.

 

New features include:

  • support for Microsoft Windows Live Mail and Mozilla Thunderbird mail user agents
  • scanning of SSL-encrypted HTTPS and POP3S traffic
  • scanning of messages downloaded via the IMAP protocol
  • integrated SysRescue module for creating bootable discs and USB flash drives
  • integrated SysInspector module for analyzing running processes on a computer
  • device driver-based cleaning module to remove malware which runs at boot time
  • Watch Activity pane graphs File and Network Activity with second, minute or hour precision
  • text mode interface for compatibility with screen-readers and other assistive technologies

 

Randy Abrams

Director of Technical Education

November 19th, 2008

Microsoft announced that they will be dropping OneCare and providing a free consumer anti-virus product. Much like when Microsoft announced they would enter the anti-virus market, this has caused quite a bit of media buzz. Much like when Microsoft announced they would enter the anti-virus market, this is not a big deal.

To start with, OneCare has been almost free from the beginning. Although retail price is $49 for 3 PCs for a year, online prices have been much lower. The Microsoft product will offer another choice to consumers who choose free antivirus software. For companies such as ESET, competing against free products has been part of the business for many years. This really isn’t a big deal.

According to Microsoft, the reason for the change is to try to get more consumers who currently do not use anti-virus to start using anti-virus software. This is definitely in keeping with the reasoning behind Microsoft’s decision to enter the space when they did. I wrote about that in my Virus Bulletin presentation in 2006. Microsoft is interested in protecting the Windows brand, and that, rather than revenue from anti-virus software, has been the primary motivation for making a Microsoft AV solution available.

I would guess that the decision to go with the free product is also a cost-saving measure for Microsoft. The pricing for OneCare is such that a single support call can eliminate any profits from the purchase of the product. OneCare includes non-security related features that require support as well. By eliminating these features, support is limited to the security product itself, and Microsoft already provides free anti-virus assistance to all Windows consumers, regardless of whose product they use.

I find it quite funny that some competitors are saying that Microsoft has conceded defeat. This is really a silly thing to say. Microsoft is changing its strategy to attempt to increase the number of computers that use antivirus software. That isn’t what I would call “conceding defeat”.

Companies such as ESET will continue to offer products that are priced fairly and sold for their performance and value. The strategy has worked well for ESET for many years and another free offering is not likely to make any real difference.

So, I’ll go back to reading the news reports and laughing at the 2008 version of “Much Ado About Nothing”.

Randy Abrams
Director of Technical Education

November 18th, 2008

I’m still in Washington, but have just picked up some news that reminds me not only of home, but of my job of a few years ago, when I worked as a security manager for the UK’s National Health Service. It’s been announced that the Barts and The London NHS Trust, which includes several of the best-known hospitals in London (St. Bartholomew’s, the Royal London, and the London Chest Hospital), has been hit by a virus (apparently a version of the venerable Mytob email worm). It’s been commented that an urgent review of the Trust’s security policy is needed. That couldn’t do any harm - how come so many systems were apparently compromised? - but the problem may go a little deeper than that.

Unless the infrastructure has changed dramatically in the last 2 1/2 years, much NHS email (and there is a lot of it - well over a million people work for the National Health Service) goes through a mail service currently called NHSmail. NHSmail (which is at least the third incarnation of this particular service) was intended to replace the relay services that carried the bulk of NHS email at the beginning of this decade. The current service is defended by "cutting edge" anti-virus and anti-spam, and that protection was supposed to have been extended to the relay services several years ago. So, there is certainly a question to be asked about the state of the Trust’s own email defences. I have to wonder, though, how email-borne malware can apparently still get through to an NHS site as easily as it could earlier in the decade, when email services were far more fragmented and decentralized.

David Harley CISSP FBCS CITP
Director of Malware Intelligence

November 16th, 2008

I’m in Washington right now, at the CSI conference. It won’t surprise regular readers to know I’m here to talk about testing anti-malware products (again!). So it may not surprise you to know also that I’m particularly interested to see an article by Larry Seltzer that looks at the documents just approved by AMTSO (the Anti-Malware Testing Standards Organization) in some detail.

Larry has a fair amount of experience of the anti-malware industry and has conducted quite a few tests. He’s certainly a guy who thinks for himself, and isn’t necessarily the biggest fan of the anti-malware industry. So the fact that he’s so positive about the "Fundamental Principles of Testing" and "Best Practices for Dynamic Testing" documents seems to me to be very good news. Not only is his commentary thoughtful and insightful (read it, please!), it opens up areas for discussion in which the documents might be improved.

As he rightly suggests, these documents are not going to change the overall state of testing overnight: what commentary like Larry’s demonstrates, though, is that critical thinking doesn’t have to be destructive, and that the anti-malware industry, the testing industry, and the community in general have a lot to gain from unprejudiced discussion.

David Harley CISSP FBCS CITP
Director of Malware Intelligence

November 16th, 2008

Some people are talking about a technique called “white listing” as if it were the silver bullet that is going to save the world. It is… in the fantasy worlds. I think I can lay claim to a certain amount of expertise when it comes to white listing. White listing was fundamentally my job at Microsoft for over seven years. My job was to make sure that MS didn’t release or digitally sign any infected code. How did I do that? I used a heck of a lot of………. ok… you guessed it…. antivirus software. Recognizing the shortcomings of signature based detection, I relied upon products, such as NOD32, Norman Virus control, and others to provide heuristics to detect threats that signatures alone cannot protect against. Virtually every Microsoft product went through my labs, and I had to “white list” them before they could be digitally signed or released.

The marketing arm of current white listing companies touts anti-virus as dead and white listing as the solution. What they try to hide is that white listing companies would be out of business without antivirus. White listing companies are mega-power users of antivirus software; they can’t get enough of the stuff.

White listing does not *only* allow good programs to run, it allows any program you claim is good to run. If you put a bad program on a white list it will run and do bad things, regardless of whether or not anti-virus products can detect it heuristically or with signatures. If you white list a program with a remotely exploitable vulnerability, it will be allowed to run. This happens all of the time with white listing. The problem is that you can’t patch the vulnerability until the patch and the patched programs are also white listed.

White listing is applied to web sites also. The idea is that you are only allowed to go to good web sites. This falls apart completely when a good web site is hacked, as was the Miami Dolphins’ Super Bowl web site around January 2007. Hackers placed an exploit on the site that would download a Trojan horse program to compromise users’ computers. ESET had never seen this Trojan before, but NOD32 users who went to the web site found the malicious file was blocked because it was detected heuristically. There have been thousands of good web sites that have been compromised. MSN, Tomshardware.com, and Monster.com all come to mind as high traffic, high profile, “good” web sites that would certainly appear on such a white list. More recently Download.com hosted some fake anti-virus programs for download.

White listing is expensive to do well. Think of the TSA. These are the people at American airports who allegedly do security screening. In practice they are white listing passengers. As a result, there are long lines to get to your gate and it costs a lot of money. In practice the TSA (which means “Take Something Away”) has confiscated mostly harmless items, increased the cost of transportation, and added a bunch of time to travel with little discernible impact on security. Proponents of white listing could of course correctly claim that the TSA uses a pretty dumb approach to white listing and that software white listing uses much more intelligence. This is of course quite true; however, there is a significant time and cost overhead to white listing.

I’m actually not at all against white listing. White listing can be an exceptionally good level of defense in some organizations. I am preparing to consult with a company that I will strongly recommend white listing to. For this organization, despite the overhead, white listing is cost effective, but it does not reduce the need for antivirus software.
 
White listing can be a valuable addition to a defense-in-depth strategy, but it is not a complete defense. Can you imagine telling someone that since airbags add safety to cars you don’t need to wear your seat belt any more?

Well, the person who tells you that white listing means antivirus isn’t needed is the airbag that calls the seatbelt obsolete.

Randy Abrams
Director of Technical Education
ESET LLC
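The post above makes three mechanical points about application white listing: the list admits whatever someone vouches for, a patched build is a different program until it is re-approved, and an anti-malware layer is still needed underneath. The following added example (not ESET's code, nor any real product's) models that with a hash-based allow list over constructed byte strings standing in for executables, and a toy heuristic scanner as the second layer.

```python
import hashlib
from typing import Callable

# Constructed stand-ins for executables (byte strings, not real binaries).
EDITOR_V1 = b"editor 1.0: file parser has an unpatched buffer overflow"
EDITOR_V2 = b"editor 1.1: file parser overflow fixed"
SCREENSAVER = b"free screensaver (drops a trojan downloader)"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Allowlist:
    """Hash-based allow list: a program runs only if its SHA-256 is approved."""

    def __init__(self) -> None:
        self._approved: set[str] = set()

    def approve(self, data: bytes) -> None:
        # Approval says nothing about whether the code is safe; it only
        # records that someone vouched for this exact byte sequence.
        self._approved.add(sha256(data))

    def allows(self, data: bytes) -> bool:
        return sha256(data) in self._approved


def heuristic_scan(data: bytes) -> bool:
    """Toy stand-in for an anti-malware heuristic; True means 'looks malicious'."""
    return b"trojan" in data.lower()


def may_run(allowlist: Allowlist, data: bytes,
            scanner: Callable[[bytes], bool]) -> tuple[bool, str]:
    """Layered decision: both the allow list and the scanner must pass."""
    if not allowlist.allows(data):
        return False, "blocked: not on allow list"
    if scanner(data):
        return False, "blocked: flagged by scanner"
    return True, "allowed"


def walkthrough() -> dict[str, bool]:
    wl = Allowlist()
    wl.approve(EDITOR_V1)      # the vulnerable editor is vouched for...
    wl.approve(SCREENSAVER)    # ...and so, by mistake, is the screensaver
    results = {
        # A vulnerable program on the list runs: the list knows nothing about bugs.
        "vulnerable_v1_allowed": wl.allows(EDITOR_V1),
        # The patched build has a new hash, so the list blocks the fix itself.
        "patched_v2_blocked": not wl.allows(EDITOR_V2),
        # The mis-approved screensaver passes the allow list on its own...
        "trojan_passes_allowlist": wl.allows(SCREENSAVER),
        # ...but the layered check still stops it.
        "trojan_stopped_by_layers": not may_run(wl, SCREENSAVER, heuristic_scan)[0],
    }
    wl.approve(EDITOR_V2)      # only now can the patched editor run
    results["patched_v2_allowed_after_approval"] = may_run(wl, EDITOR_V2, heuristic_scan)[0]
    return results


if __name__ == "__main__":
    for name, outcome in walkthrough().items():
        print(f"{name}: {outcome}")
```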

November 12th, 2008

I write this blog from Jakarta, Indonesia where yesterday I had a meeting with employees of the Koran Tempo. The Koran Tempo is a major magazine and news publication here. In the English edition of Tempo magazine there are several stories about Obama and the election in the US. One story that caught my eye is titled “The End of Racist Politics?”

It occurred to me that this is also the first time America has had a president who has been exposed to PCs for most of his adult life. As Bush leaves office we have probably seen the last president who will not have spent at least half of their life exposed to the PC and other modern technologies.

It is clear that as new blood enters the US congress there will also be an increasing number of representatives and senators who have grown up with technology. The key question is “Will these people be able to make better decisions concerning technology?”

It is clear that to fight cybercrime government is going to have an increasing role. The dismal failure called the “Canned Spam Act” was enacted by a largely technology ignorant congress and was a catastrophic battle loss in the fight against spam.

It will be interesting to see if and how a younger generation entering leadership affects technology policy and legislation. While Obama’s election is important from a racial standpoint in America, I am hopeful, but skeptical as to any positive changes to technology legislation and policy.

Randy Abrams
Director of Technical Education

November 12th, 2008

…and it’s still hybrid. Or multi-layered, if you prefer. What anti-malware companies (and malware authors, if it comes to that) are constantly doing is revisiting concepts that have worked before so that they fit the current environment better: there’s nothing wrong with an evolutionary approach, but changing the terminology doesn’t make it revolutionary. So what Larry Seltzer is describing in a recent eWeek article isn’t exactly groundbreaking technology, it’s what all anti-malware companies originating in traditional AV are doing, to a greater or lesser extent. "File reputation" is pretty much what we used to call integrity checking, and is close to a limited application of whitelisting that’s been in common use since the 1990s. The main difference is that whereas earlier incarnations of anti-virus tended to bundle an integrity checker as a separate application along with a known-virus (signature) scanner, it’s now common to integrate whitelisting or a near equivalent into the main application. And in those days, no-one described their own server networks as a cloud. ;-)

What’s more interesting is Larry’s critique of various "classic methods" of malware scanning.

  • Clearly, we aren’t about to argue that it’s feasible to have a signature for "every new variant": that’s a model we moved away from many years ago.
  • I would argue, though, that "true heuristics" is an odd term to use for what we describe as "passive heuristics", where an object is scanned for malicious characteristics statically - that is, looking at the code without executing it. (We have a fairly comprehensive, vendor-agnostic review of heuristic analysis on our white papers page, by the way.) The term heuristics has a far wider range of applications than that, even within the anti-malware industry, which uses it in quite a specialized sense. Clearly, there is still a place for this analogue to static analysis, as the term is used in forensics, but it isn’t nearly as effective as it used to be, because the bad guys use a variety of obfuscatory techniques to hide malicious code from signature and basic heuristic detection. There’s nothing "untrue" about heuristic analysis when it analyses code when it’s actually running (an analogue to dynamic analysis): the point Larry seems to have missed is that when products like ours run that code, it’s in a protected environment, so (assuming a sound implementation of the product) the code being run shouldn’t present a risk to the system. (By the way, this is the second time in two days I’ve talked about static versus dynamic…)

What interests me most, however, is his yearning for "a simple solution like absolute whitelisting." It does seem that we’re always looking for the 100% solution that will render current anti-malware solutions unnecessary. The way that firewalls, IDS, IPS, reputation services, NAC and a dozen other panaceas du jour were once seen as The Answer. But the fact is that whitelisting itself is hybrid (by which I mean that you can’t whitelist an application without using other technologies to confirm that it’s what AMTSO like to call "innocent"). And it works best as one layer of a defensive strategy, at any rate in the version of the internet in which we currently find ourselves.

David Harley CISSP FBCS CITP
Director of Malware Intelligence

November 10th, 2008

AMTSO, the Anti-Malware Testing Standards Organization, have just issued a press release about the guidelines documents just published on their web site after ratification by everyone present at the AMTSO meeting in Oxford at the end of October.

You may have noticed that we’re quite optimistic about the beneficial future impact of AMTSO on testing practices worldwide, and in fact, I was quoted in the press release as saying:

 "I believe AMTSO’s "Fundamental Principles of Testing" and "Best Practices for Dynamic Testing" to represent an important milestone in the maturation of the anti-malware industry. Historically, the industry has tended to be purely and negatively reactive in terms of tests it didn’t like. Testers have sometimes felt, not unsurprisingly, that we were always ready to criticize, but reluctant to offer real help."

"These documents represent a real step forward: they offer genuine high-level guidance on what we mean by good testing practice. The next step will, I hope, be to widen the range of informational and educational resources the organization will offer not only to testers, but to the general public."

David Harley CISSP FBCS CITP
Director of Malware Intelligence

November 10th, 2008

While you guys in the US were enjoying the swings and roundabouts of the presidential election, the government here in the UK was playing its usual role as fairground Aunt Sally to the UK media, on this occasion attracting criticism because of the ongoing leakage of sensitive information from government or government-related resources. The UK government briefly closed down its Gateway site, where people register tax information, after the loss of a memory stick containing the user names and passwords of eleven people. Not a big issue compared to the volumes of data apparently lost in other incidents, but embarrassing nonetheless.

So I was fascinated to see that Ziff-Davis have made available a video in which Atos Origin discuss "lessons learned from handling security at the Beijing Olympics". Let’s hope they’re also learning lessons about security from events in Cannock, Staffordshire, where one of their employees apparently lost the aforementioned memory stick in the car park. ;-)

As it happens, I was invited to comment on the Prime Minister’s statement to a UK TV news service to the effect that the government can’t promise that all information will always be safe, because it isn’t possible to legislate for human error, and was quoted at length here. That article is a fair representation of what I actually said, except that I was talking about government in general, rather than this government. Nevertheless, I thought it might be worth briefly revisiting the issue here. Having spent most of my working life (at any rate, the IT/security phase of it) in the public sector, I have some strongly held views on the topic.

Up to a point, I doubt if many IT professionals would disagree with Gordon Brown. There is no way of eliminating the risk of data loss completely because systems, however good they are, are implemented, administered and used by human beings. There is a common aphorism that says something like "to err is human, but to really screw up you need a computer", which is amusing, but largely incorrect. Computer systems are very good at doing exactly what they’re asked to do. But you can’t expect an automated or semi-automated system or process to compensate for an inadequate specification or implementation, or inadequate training, education and enforcement of guidelines or policies. These are people problems, not technology issues, and you can’t, to coin a phrase, fix social problems with technical solutions. (Which has a distinct bearing, by the way, on a paper on education that Randy and I are presenting at AVAR in December.) So there are always risks. (I don’t take seriously the attempts by other political parties to gain political advantage from ongoing problems, because I don’t think they’d do any better. I know, cynical of me…)

However, that doesn’t mean that there isn’t a problem. Government doesn’t exactly see itself as being responsible for directly managing risk (when I worked for the NHS, it was described as being "risk averse"). That doesn’t mean they’re not aware of risk, though it sometimes appears that way. Much of the time, though, it’s more characteristic of government agencies to focus on the wrong risks than to ignore risk altogether!

When you’ve performed risk analysis and assessment, there are a number of approaches you can take to risk management, though in real life, the approach will be hybrid rather than a single approach. (SC referred to these as "tips", but they’re actually just standard methodology.)

  • You can accept risks where mitigation costs are disproportionate to the anticipated benefits. 
  • You can take measures to mitigate risks directly, for instance by installing or requiring the installation of specific measures. You might, for instance, specify levels of encryption, transport mechanisms and protocols, restricted use of portable devices, and so on.
  • You can prevent or avoid a risk by taking an approach that bypasses it. That’s not very practical with human error, though.
  • You can eliminate it altogether by re-engineering your approach to the problem. 
  • Or you can transfer it. This is, as I said to SC, the way government agencies often like to work, putting together a contract that specifies fairly high-level requirements, because government agencies (in the UK at any rate) tend to outsource as much as they can. The problem is that when you outsource the process, you don’t necessarily outsource either the risk or the responsibility. As an outsourcer you still need to understand both the technical implications and the risk management implications of the outsourcing arrangement.

(Henk Diemer and I wrote a fairly lengthy chapter on the subject of outsourcing for an AVIEN book mentioned here before, by the way.)

One point more that’s worth re-making: very specific guidelines and policies on the handling of certain categories of sensitive data, storage and transfer procedures exist, but in many cases, they require a high level of security clearance before they can be accessed… (I’ll probably be getting a visit from the security services just for admitting being aware of them :) ) If you, as a filing clerk or other drone, or as a more senior manager, aren’t aware of those procedures, or don’t have the necessary clearance, how much use are you going to be able to make of them? I wonder how many organizations across the world are so paranoid about their security processes that they hide them even from their employees, out of fear of giving away too much information to the bad guys?

David Harley CISSP FBCS CITP
Director of Malware Intelligence

November 7th, 2008

CNET, who hosts Download.com, has enjoyed a reputation for being a safe place to download software from. The program you download may be great or may be useless, but it had been “Tested Spyware Free.” At least that is what Download.com says about their downloads.

Today it has come to my attention that the site is hosting two notorious spyware/adware programs. One of the programs is called “Anti-spyware 2008” and the other is called “Anti-virus Defender 1.01”.

According to Download.com these programs have been tested free of spyware, viruses, and other malware. Unfortunately, many security products have a very different opinion. These fake security products will infect your computer, rather than protect your computer.

As always, do some research before deciding on a security product to evaluate. For anti-virus/anti-spyware look for testing at Virus Bulletin (http://www.virusbulletin.com), and/or certification at West Coast Labs (http://www.westcoastlabs.org/) and ICSA Labs (http://www.icsalabs.org/icsa/icsahome.php). For West Coast Labs you’ll want to look at the Checkmark Certification tab. Virus Bulletin does not test anti-spyware, however both the ICSA and West Coast (Checkmark) certify products for spyware detection and removal.

It is not clear at this time if CNET’s Download.com was hacked, or the malicious software found its way there by other means. Certainly a label “Spyware free” should be viewed with a high degree of skepticism. Anyone can say it.

Randy Abrams
Director of Technical Education