<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>The Geek Peninsula</title>
	<atom:link href="http://geekpeninsula.wordpress.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://geekpeninsula.wordpress.com</link>
	<description>Just another Small Blue-Green World site</description>
	<lastBuildDate>Sat, 15 Jun 2013 10:48:29 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='geekpeninsula.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://s2.wp.com/i/buttonw-com.png</url>
		<title>The Geek Peninsula</title>
		<link>http://geekpeninsula.wordpress.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://geekpeninsula.wordpress.com/osd.xml" title="The Geek Peninsula" />
	<atom:link rel='hub' href='http://geekpeninsula.wordpress.com/?pushpress=hub'/>
		<item>
		<title>Past articles for Security Week</title>
		<link>http://geekpeninsula.wordpress.com/2013/06/15/past-articles-for-security-week/</link>
		<comments>http://geekpeninsula.wordpress.com/2013/06/15/past-articles-for-security-week/#comments</comments>
		<pubDate>Sat, 15 Jun 2013 10:48:26 +0000</pubDate>
		<dc:creator>David Harley</dc:creator>
				<category><![CDATA[articles]]></category>
		<category><![CDATA[David Harley]]></category>
		<category><![CDATA[ESET]]></category>
		<category><![CDATA[Security Week]]></category>

		<guid isPermaLink="false">http://geekpeninsula.wordpress.com/?p=345</guid>
		<description><![CDATA[While putting together a blog article for ESET (I&#8217;m still working on that one, so no link), I had occasion to look for an article I wrote a while back for Security Week. I don&#8217;t write for that site any &#8230; <a href="http://geekpeninsula.wordpress.com/2013/06/15/past-articles-for-security-week/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>While putting together a blog article for ESET (I&#8217;m still working on that one, so no link), I had occasion to look for an article I wrote a while back for <a href="http://www.securityweek.com/authors/david-harley" target="_blank">Security Week</a>. I don&#8217;t write for that site any more, but I found a list of the articles I wrote for them, some of which may still be of interest. So since this seems to be developing into my &#8216;archive&#8217; site, here&#8217;s the list of links, complete with summaries for each article.</p>
<ul>
<li><a href="http://www.securityweek.com/perfect-ten-truth-and-prognostication">Perfect Ten: Truth and Prognostication</a><br />
Tis the season to compile lists. Not just for the security industry of course: anyone whose job includes a PR dimension has learned by now that the reading public loves a top ten.</li>
<li>
<div><a href="http://www.securityweek.com/facebook-good-your-health">Is Facebook Good for your Health?</a></div>
<div>
<div>Facebook is able to see a customer’s User ID, IP address and operating system if the customer is logged into Facebook at the time they visit a site that uses certain features of Facebook Social Plug-Ins. Does this sharing pose a serious privacy risk?</div>
</div>
</li>
<li>
<div><a href="http://www.securityweek.com/once-more-round-amtso-wheel-pain">Once More &#8216;Round the AMTSO Wheel of Pain</a></div>
<div>
<div>Some thoughts on the latest developments from the AMTSO and the Anti-Malware Industry.</div>
</div>
</li>
<li>
<div><a href="http://www.securityweek.com/stuxnet-sux-or-stuxnet-success-story" target="_blank">Stuxnet Sux or Stuxnet Success Story?</a></div>
<div>
<div>Win32/Stuxnet might be described as a worm of a slightly different color, though it’s attracted interest from the media that’s comparable in intensity to Conficker, or Code Red, or Blaster.</div>
</div>
</li>
<li>
<div><a href="http://www.securityweek.com/shortcuts-insecurity-lnk-exploits">Shortcuts to Insecurity: .LNK Exploits</a></div>
<div>
<div>The vulnerability in Windows Shell’s parsing of .LNK (shortcut) files presents some interesting and novel features in terms of its media lifecycle as well as its evolution from zero-day to patched vulnerability. For most of us, the vulnerability first came to light in the context of Win32/Stuxnet, malware that in itself presents some notable quirks.</div>
</div>
</li>
<li>
<div><a href="http://www.securityweek.com/fake-av-fake-support">Fake AV, Fake Support</a></div>
<div>
<div>The anti-malware industry sometimes sees more complicated problems than you might imagine, and they can’t all be fixed by tweaking detection algorithms or giving the marketing team a productivity bonus.</div>
</div>
</li>
<li><a href="http://www.securityweek.com/anti-malware-testing-industry-insight">Anti-Malware Testing &#8211; Industry Insight</a><br />
Maybe only shareholders care about the financial health of an anti-malware company, but wouldn’t you rather have reliable information about the product you choose to protect your systems?</li>
</ul>
<p><strong>David Harley</strong><br />
<strong>ESET Senior Research Fellow</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://geekpeninsula.wordpress.com/2013/06/15/past-articles-for-security-week/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/b8199c10cb3e0346f93177950eae3108?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">dharley</media:title>
		</media:content>
	</item>
		<item>
		<title>Virus Bulletin Articles (1)</title>
		<link>http://geekpeninsula.wordpress.com/2013/05/01/virus-bulletin-articles-1/</link>
		<comments>http://geekpeninsula.wordpress.com/2013/05/01/virus-bulletin-articles-1/#comments</comments>
		<pubDate>Wed, 01 May 2013 21:24:50 +0000</pubDate>
		<dc:creator>David Harley</dc:creator>
				<category><![CDATA[articles]]></category>
		<category><![CDATA[David Harley]]></category>
		<category><![CDATA[Virus Bulletin]]></category>
		<category><![CDATA[free AV]]></category>
		<category><![CDATA[VirusTotal]]></category>

		<guid isPermaLink="false">http://geekpeninsula.wordpress.com/?p=340</guid>
		<description><![CDATA[First the Virus Bulletin papers, then the Virus Bulletin articles. Here&#8217;s the first (or, actually, the latest, though there&#8217;s another in the pipeline that I should be able to make available to non-readers of VB in about three months&#8217; time). &#8230; <a href="http://geekpeninsula.wordpress.com/2013/05/01/virus-bulletin-articles-1/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>First the Virus Bulletin papers, then the Virus Bulletin articles. Here&#8217;s the first (or, actually, the latest, though there&#8217;s another in the pipeline that I should be able to make available to non-readers of VB in about three months&#8217; time).</p>
<p>David Harley, &#8220;<a href="http://antimalwaretesting.files.wordpress.com/2013/05/dharley-feb2013.pdf" target="_blank">Anti-Virus: Last Rites, or Rites of Passage?</a>&#8221;, February 2013. Copyright is held by Virus Bulletin Ltd., but is made available on this site for personal use free of charge by permission of <a href="http://www.virusbtn.com/" target="_blank">Virus Bulletin</a>.</p>
<p>Once again, we hear that anti-virus is dead, or at least not worth paying for. And A Certain Competitor used pseudo-testing with VirusTotal to &#8216;prove&#8217; the same point, back at the beginning of the year. This article was an attempt at a more balanced view of the issue, going as far as to consider what a world without paid AV researchers might actually look like.</p>
<p>&#8220;Would the same companies currently dissing AV while piggybacking its research be able to match the expertise of the people currently working in anti-malware labs?&#8221;</p>
<p><strong>David Harley CITP FBCS CISSP</strong> <strong>Small Blue-Green World</strong> <strong>ESET Senior Research Fellow</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://geekpeninsula.wordpress.com/2013/05/01/virus-bulletin-articles-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/b8199c10cb3e0346f93177950eae3108?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">dharley</media:title>
		</media:content>
	</item>
		<item>
		<title>Virus Bulletin Conference Papers (13-14)</title>
		<link>http://geekpeninsula.wordpress.com/2013/04/04/virus-bulletin-conference-papers-13-14/</link>
		<comments>http://geekpeninsula.wordpress.com/2013/04/04/virus-bulletin-conference-papers-13-14/#comments</comments>
		<pubDate>Thu, 04 Apr 2013 22:07:00 +0000</pubDate>
		<dc:creator>David Harley</dc:creator>
				<category><![CDATA[ChainMailCheck]]></category>
		<category><![CDATA[conference papers]]></category>
		<category><![CDATA[David Harley]]></category>
		<category><![CDATA[ESET]]></category>
		<category><![CDATA[Mac Virus]]></category>
		<category><![CDATA[VB Conference Papers]]></category>
		<category><![CDATA[Virus Bulletin]]></category>
		<category><![CDATA[anti-malware testing]]></category>
		<category><![CDATA[Craig Johnston]]></category>
		<category><![CDATA[Lysa Myers]]></category>
		<category><![CDATA[Martijn Grooten]]></category>
		<category><![CDATA[Steve Burn]]></category>

		<guid isPermaLink="false">http://geekpeninsula.wordpress.com/?p=296</guid>
		<description><![CDATA[Virus Bulletin 2012 David Harley, Martijn Grooten, Steve Burn and Craig Johnston: My PC has 32,539 Errors: how Telephone Support Scams really Work; Virus Bulletin Conference Proceedings, 2012. Copyright is held by Virus Bulletin Ltd, but is made available on this site &#8230; <a href="http://geekpeninsula.wordpress.com/2013/04/04/virus-bulletin-conference-papers-13-14/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p><strong>Virus Bulletin 2012</strong></p>
<p>David Harley, Martijn Grooten, Steve Burn and Craig Johnston: <a href="http://geekpeninsula.files.wordpress.com/2013/04/harley-etal-vb2012.pdf" target="_blank">My PC has 32,539 Errors: how Telephone Support Scams really Work</a>; Virus Bulletin Conference Proceedings, 2012. Copyright is held by Virus Bulletin Ltd, but is made available on this site for personal use free of charge by permission of <a href="http://www.virusbtn.com/" target="_blank">Virus Bulletin</a>.</p>
<p><strong>ABSTRACT</strong><br />
<em>Fake security products, pushed by variations on black hat SEO and social media spam, constitute a highly adaptive, longstanding and well-documented area of cybercriminal activity. By comparison, lo-tech Windows support scams receive far less attention from the security industry, probably because they’re seen as primarily social engineering and not really susceptible to a technical ‘anti-scammer’ solution. Yet they’ve been a consistent source of fraudulent income for some time, and have quietly increased in sophistication. In this paper, we consider:</em><br />
<em> 1. The evolution of the FUD and Blunder approach to cold-calling support scams, from ‘Microsoft told us you have a virus’ to more technically sophisticated hooks such as deliberate misinterpretation of output from system utilities such as Event Viewer and ASSOC.</em><br />
<em> 2. The developing PR-oriented infrastructure behind the phone calls: the deceptive company websites, the flaky Facebook pages, the scraped informational content and fake testimonials.</em><br />
<em> 3. Meetings with remarkable scammers: scammer and scam victim demographics, and scammer techniques, tools and psychology, as gleaned from conversational exchanges and a step-through remote cleaning and optimization session.</em><br />
<em> 4. The points of contact between the support scam industry, other telephone scams, and mainstream malware and security fakery.</em><br />
<em> 5. A peek into the crystal ball: where the scammers might go next, some legal implications, and some thoughts on making their lives more difficult.</em></p>
<p>And a teaser for number 14:</p>
<p><strong>Virus Bulletin 2013</strong></p>
<p>With Lysa Myers: &#8220;Mac Hacking: the way to better testing?&#8221; (To be made available after the <a href="http://www.virusbtn.com/conference/vb2013/index" target="_blank">Virus Bulletin conference in October 2013</a>.)</p>
]]></content:encoded>
			<wfw:commentRss>http://geekpeninsula.wordpress.com/2013/04/04/virus-bulletin-conference-papers-13-14/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/b8199c10cb3e0346f93177950eae3108?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">dharley</media:title>
		</media:content>
	</item>
		<item>
		<title>Virus Bulletin Conference Papers (12)</title>
		<link>http://geekpeninsula.wordpress.com/2013/04/04/virus-bulletin-conference-papers-12/</link>
		<comments>http://geekpeninsula.wordpress.com/2013/04/04/virus-bulletin-conference-papers-12/#comments</comments>
		<pubDate>Thu, 04 Apr 2013 21:21:39 +0000</pubDate>
		<dc:creator>David Harley</dc:creator>
				<category><![CDATA[AMTSO]]></category>
		<category><![CDATA[conference papers]]></category>
		<category><![CDATA[David Harley]]></category>
		<category><![CDATA[ESET]]></category>
		<category><![CDATA[VB Conference Papers]]></category>
		<category><![CDATA[Virus Bulletin]]></category>
		<category><![CDATA[Larry Bridwell]]></category>
		<category><![CDATA[testing]]></category>

		<guid isPermaLink="false">http://geekpeninsula.wordpress.com/?p=294</guid>
		<description><![CDATA[Virus Bulletin Conference 2011 David Harley and Larry Bridwell: Daze of Whine and Neuroses (but Testing is FINE); Virus Bulletin Conference Proceedings, 2011. Copyright is held by Virus Bulletin Ltd, but is made available on this site for personal use free of &#8230; <a href="http://geekpeninsula.wordpress.com/2013/04/04/virus-bulletin-conference-papers-12/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p><strong>Virus Bulletin Conference 2011</strong></p>
<p>David Harley and Larry Bridwell: <a href="http://geekpeninsula.files.wordpress.com/2013/04/vb2011-harleybridwell.pdf" target="_blank">Daze of Whine and Neuroses (but Testing is FINE)</a><span style="line-height:1.5;">; Virus Bulletin Conference Proceedings, 2011. Copyright is held by Virus Bulletin Ltd, but is made available on this site for personal use free of charge by permission of </span><a style="line-height:1.5;" href="http://www.virusbtn.com/" target="_blank">Virus Bulletin</a><span style="line-height:1.5;">.</span></p>
<p><strong>ABSTRACT</strong><br />
<em>According to Aerosmith (not to mention The Italian Job), FINE is an acronym for (in its politer version) Freaked out, Insecure, Neurotic and Emotional. We could (and probably will) offer alternatives, but there’s no doubting that anti-malware testing inspires all those reactions. Sometimes it seems that AMTSO has become a dumping ground for the rest of the world’s misgivings about the AV industry, even though it originated in a coalition with some of the testers who are monitoring that industry’s performance with the most assiduous professionalism: indeed, that coalition has in itself inspired mistrust. And recently, it’s become plain that even within AMTSO, both testers and vendors sometimes find the alliance problematical.</em></p>
<p><em>AMTSO’s purpose is simple to state, but much harder to achieve. It represents a realization by professional testers and security vendors that the quality of anti-malware testing was so variable that it was at best confusing for people who need guidance on how to select the best product for their needs. Perhaps testing has improved more in the past few years than it would have without AMTSO’s presence, and discussions and generation of material in a single forum has accelerated a much needed move away from static testing towards dynamic testing. But it’s time to ask (and attempt to answer) a number of vital questions:</em></p>
<ul>
<li><em>Looking over the historical evolution of testing before and since AMTSO, is that move enough to set the testing world to rights?</em></li>
<li><em>Are the aims of testers and vendors close enough to allow continued cooperation within AMTSO?</em></li>
<li><em>Has AMTSO already outlived its usefulness?</em></li>
<li><em>If not, what should it do next?</em></li>
<li><em>What is the future of comparative detection testing?</em></li>
</ul>
<p>David Harley CITP FBCS CISSP<br />
<a href="http://smallbluegreenblog.wordpress.com/" target="_blank">Small Blue-Green World</a>/<a href="http://antimalwaretesting.wordpress.com/" target="_blank">Anti-Malware Testing</a><br />
<a href="http://www.welivesecurity.com/" target="_blank">ESET </a>Senior Research Fellow</p>
]]></content:encoded>
			<wfw:commentRss>http://geekpeninsula.wordpress.com/2013/04/04/virus-bulletin-conference-papers-12/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/b8199c10cb3e0346f93177950eae3108?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">dharley</media:title>
		</media:content>
	</item>
		<item>
		<title>Virus Bulletin Conference Papers (10-11)</title>
		<link>http://geekpeninsula.wordpress.com/2013/04/04/virus-bulletin-conference-papers-10-11/</link>
		<comments>http://geekpeninsula.wordpress.com/2013/04/04/virus-bulletin-conference-papers-10-11/#comments</comments>
		<pubDate>Thu, 04 Apr 2013 20:58:19 +0000</pubDate>
		<dc:creator>David Harley</dc:creator>
				<category><![CDATA[AMTSO]]></category>
		<category><![CDATA[conference papers]]></category>
		<category><![CDATA[David Harley]]></category>
		<category><![CDATA[ESET]]></category>
		<category><![CDATA[Small Blue-Green World]]></category>
		<category><![CDATA[VB Conference Papers]]></category>
		<category><![CDATA[Virus Bulletin]]></category>
		<category><![CDATA[detection testing]]></category>
		<category><![CDATA[performance testing]]></category>
		<category><![CDATA[testing]]></category>
		<category><![CDATA[WildList]]></category>

		<guid isPermaLink="false">http://geekpeninsula.wordpress.com/?p=292</guid>
		<description><![CDATA[Virus Bulletin 2010 Yet another year with two papers. (1) David Harley and Andrew Lee: Call of the WildList: Last Orders for WildCore-Based Testing?; Virus Bulletin Conference Proceedings, 2010. Copyright is held by Virus Bulletin Ltd, but is made available on this site &#8230; <a href="http://geekpeninsula.wordpress.com/2013/04/04/virus-bulletin-conference-papers-10-11/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p><strong>Virus Bulletin 2010</strong></p>
<p>Yet another year with two papers.</p>
<p>(1) David Harley and Andrew Lee: <a style="color:#ff4b33;" href="http://geekpeninsula.files.wordpress.com/2013/04/harley-lee-vb2010.pdf" target="_blank">Call of the WildList: Last Orders for WildCore-Based Testing?</a><span style="line-height:1.5;">; Virus Bulletin Conference Proceedings, 2010. Copyright is held by Virus Bulletin Ltd, but is made available on this site for personal use free of charge by permission of </span><a style="line-height:1.5;" href="http://www.virusbtn.com/" target="_blank">Virus Bulletin</a><span style="line-height:1.5;">.</span></p>
<p><strong>ABSTRACT</strong><br />
<em>The well-documented problems with WildList testing derive from difficulties in adjusting to the 21st Century threat landscape. The (obviously overstretched) WildList Organization’s [1] focus on self-replicating malware, which nowadays comprises just a small percentage of the whole range of malware types; the lengthy testing and validation process between the appearance and the inclusion of a specific malicious program on the list, and the availability of the underpinning test set to WildList participants are all cited as objections to the validity of WildList testing, and some vendors and testing organizations have heavily criticized it – some vendors even withdrawing from tests that rely heavily on it.</em></p>
<p><em>In line with AMTSO’s preference for dynamic over static testing, most mainstream testers have supplemented or replaced WildList testing with some form of dynamic methodology, which, done correctly, is assumed to be a better reflection of today’s user experience. So does WildList testing still have a place in testing and certification? Is it still a meaningful differentiator? If it isn’t, does that mean that sample validation is no longer considered a practical objective for testers, or is that a misreading of the AMTSO guidelines on dynamic testing?</em></p>
<p><em>This paper summarizes the static/dynamic debate, examining the contemporary relevance of the WildList and WildCore.</em></p>
<p>(2) With:</p>
<p>Peter Košinár, Juraj Malcho, Richard Marko, David Harley: <a style="color:#ff4b33;" href="http://geekpeninsula.files.wordpress.com/2013/04/kosinar-etal-vb2010.pdf" target="_blank">AV Testing Exposed</a><span style="line-height:1.5;">; Virus Bulletin Conference Proceedings, 2010. Copyright is held by Virus Bulletin Ltd, but is made available on this site for personal use free of charge by permission of </span><a style="line-height:1.5;" href="http://www.virusbtn.com/" target="_blank">Virus Bulletin</a><span style="line-height:1.5;">.</span></p>
<p><strong>ABSTRACT</strong><br />
<em>As the number of security suites available on the market increases, so does the need for accurate tests to assess their detection capabilities and footprint, but accuracy and appropriate test methodology becomes more difficult to achieve. Good tests help consumers to make better-informed choices and help vendors to improve their software. But who really benefits when vendors tune products to look good in tests instead of maximizing their efficiency on the desktop?</em></p>
<p><em>Conducting detection testing may seem as simple as grabbing a set of (presumed) malware and scanning it. But simplicity isn’t always easy. Aspirant detection testers typically have limited testing experience, technical skills and resources. Constantly recurring errors and mistaken assumptions weaken the validity of test results – especially when inappropriate conclusions are drawn, as when likely error margins in the order of whole per cents are ignored, causing exaggerated or even reversed ranking.</em></p>
<p><em>We examine (in much more detail than previous analyses) typical problems like inadequate, unrepresentative sizing of sample sets, limited diversity of samples and the inclusion of garbage and non-malicious files (false positives), set into the context of 2010’s malware scene.</em></p>
<p><em>Performance and resource consumption metrics (e.g. memory usage, CPU overhead) can also be dramatically skewed by incorrect methodology such as separating kernel and user data, and poor choice of ‘common’ file access.</em></p>
<p><em>We show how numerous methodological errors and inaccuracies can be amplified by misinterpretation of the results. We analyse historical data from different testing sources to determine their statistical relevance and significance, and demonstrate how easily results can drastically favour one tested product over the others.</em></p>
<p><strong>David Harley CITP FBCS CISSP</strong><br />
<strong> Small Blue-Green World, Anti-Malware Testing</strong><br />
<strong> ESET Senior Research Fellow</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://geekpeninsula.wordpress.com/2013/04/04/virus-bulletin-conference-papers-10-11/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/b8199c10cb3e0346f93177950eae3108?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">dharley</media:title>
		</media:content>
	</item>
		<item>
		<title>Virus Bulletin Conference Papers (8-9)</title>
		<link>http://geekpeninsula.wordpress.com/2013/04/04/virus-bulletin-conference-papers-8-9/</link>
		<comments>http://geekpeninsula.wordpress.com/2013/04/04/virus-bulletin-conference-papers-8-9/#comments</comments>
		<pubDate>Thu, 04 Apr 2013 16:41:15 +0000</pubDate>
		<dc:creator>David Harley</dc:creator>
				<category><![CDATA[ChainMailCheck]]></category>
		<category><![CDATA[David Harley]]></category>
		<category><![CDATA[ESET]]></category>
		<category><![CDATA[VB Conference Papers]]></category>
		<category><![CDATA[Virus Bulletin]]></category>
		<category><![CDATA[behaviour analysis]]></category>
		<category><![CDATA[hoax]]></category>
		<category><![CDATA[Jeff Debrosse]]></category>
		<category><![CDATA[memetics]]></category>
		<category><![CDATA[Randy Abrams]]></category>

		<guid isPermaLink="false">http://geekpeninsula.wordpress.com/?p=290</guid>
		<description><![CDATA[Virus Bulletin 2009 Another two-paper year. (1) David Harley and Randy Abrams:  Whatever Happened to the Unlikely Lads? A Hoaxing Metamorphosis; Virus Bulletin Conference Proceedings, 2009. Copyright is held by Virus Bulletin Ltd, but is made available on this site for personal use &#8230; <a href="http://geekpeninsula.wordpress.com/2013/04/04/virus-bulletin-conference-papers-8-9/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p><strong>Virus Bulletin 2009</strong></p>
<p>Another two-paper year.</p>
<p>(1) David Harley and Randy Abrams:  <a href="http://geekpeninsula.files.wordpress.com/2013/04/harley-abrams-vb2009.pdf" target="_blank">Whatever Happened to the Unlikely Lads? A Hoaxing Metamorphosis</a>; Virus Bulletin Conference Proceedings, 2009. Copyright is held by Virus Bulletin Ltd, but is made available on this site for personal use free of charge by permission of <a href="http://www.virusbtn.com/" target="_blank">Virus Bulletin</a>.</p>
<p><strong>ABSTRACT</strong><br />
<em>Once upon a time the most problematic chain emails were virus hoaxes, as exemplified by the Good Times hoax: however, perhaps the last really innovative malware-related hoaxes were the SULFNBK and JDBGMGR hoaxes of the early noughties. Since then, most anti-malware companies have virtually lost interest in memetic malware as its links with real, programmatic malware have declined. But does this mean the problem has gone away? Unfortunately, it hasn’t. Somewhere in the no-man’s land between malware and spam, the chain letter continues to create a range of problems for system administrators and IT support departments, from choked mail servers to choked support lines. However, it has also created both emotional and practical problems for the recipients as hoaxers have learned to apply increased pressure by hanging hoaxes and semi-hoaxes onto real-life tragedies and disasters such as the 2004 tsunami and missing children including Madeleine McCann.</em></p>
<p><em>This paper traces the changes in the Meme Machine [1] from the 1990s to 2009, from the Jeffrey Mogul metavirus [2] to the tsunami-related hoaxes that intermittently crippled public sector communication channels in the UK in the present decade, and considers some of the most recent examples, looking at underlying mechanisms as well as topical content. What has changed? What measures should we be taking to steer our users and customers away from the submerged 9/10 of this under-publicized iceberg? And if the security industry doesn’t own the problem, who does?</em></p>
<p>(2) <span style="line-height:1.5;">David Harley and Jeff Debrosse:  </span><a style="line-height:1.5;" href="http://geekpeninsula.files.wordpress.com/2013/04/harley-debrosse-vb2009.pdf" target="_blank">Malice Through the Looking Glass: Behaviour Analysis for the Next Decade</a><span style="line-height:1.5;">; Virus Bulletin Conference Proceedings, 2009. Copyright is held by Virus Bulletin Ltd, but is made available on this site for personal use free of charge by permission of </span><a style="line-height:1.5;" href="http://www.virusbtn.com/" target="_blank">Virus Bulletin</a><span style="line-height:1.5;">. </span></p>
<p><strong>ABSTRACT</strong><br />
<em><span style="line-height:1.5;">Most VB attendees have a major interest in malicious code. Often they focus on the highly technical issues around the intricacies of malware technology and counter-technology, the programmatic detail of attack and counter-attack. Sometimes they focus instead on the higher level application of defensive technology to corporate or infrastructural environments, even the entire Internet. More rarely, they look at the human side of malware management, mostly from the point of view of involving the potential victim (individual or organization under attack) in the defensive process (education and training, policy enforcement and so on).</span></em></p>
<p><em>However, malware is only part of a complex process of malicious exploitation. Behaviour analysis is a crucial topic in 21st century anti-malware, but rather than focusing purely on programmatic behaviour, should we not be looking at the psychosocial behaviours that underpin the exploitation mechanism? (By this we mean not only the behaviour of the criminal, but that of the victim.) This paper considers steps towards a holistic approach to behaviour analysis that would enable us to treat the disease rather than the symptom, drawing on both social and computer science.</em></p>
<p><strong>David Harley CITP FBCS CISSP</strong><br />
<strong>Small Blue-Green World/ChainMailCheck</strong><br />
<strong>ESET Senior Research Fellow</strong></p>
<br />  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/geekpeninsula.wordpress.com/290/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/geekpeninsula.wordpress.com/290/" /></a> <img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=geekpeninsula.wordpress.com&#038;blog=26189918&#038;post=290&#038;subd=geekpeninsula&#038;ref=&#038;feed=1" width="1" height="1" />]]></content:encoded>
			<wfw:commentRss>http://geekpeninsula.wordpress.com/2013/04/04/virus-bulletin-conference-papers-8-9/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/b8199c10cb3e0346f93177950eae3108?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">dharley</media:title>
		</media:content>
	</item>
		<item>
		<title>Virus Bulletin Conference Papers (6-7)</title>
		<link>http://geekpeninsula.wordpress.com/2013/04/04/virus-bulletin-conference-papers-6-7/</link>
		<comments>http://geekpeninsula.wordpress.com/2013/04/04/virus-bulletin-conference-papers-6-7/#comments</comments>
		<pubDate>Thu, 04 Apr 2013 12:09:19 +0000</pubDate>
		<dc:creator>David Harley</dc:creator>
				<category><![CDATA[AMTSO]]></category>
		<category><![CDATA[conference papers]]></category>
		<category><![CDATA[David Harley]]></category>
		<category><![CDATA[ESET]]></category>
		<category><![CDATA[VB Conference Papers]]></category>
		<category><![CDATA[Virus Bulletin]]></category>
		<category><![CDATA[anti-malware]]></category>
		<category><![CDATA[Pierre-Marc Bureau]]></category>
		<category><![CDATA[testing]]></category>

		<guid isPermaLink="false">http://geekpeninsula.wordpress.com/?p=288</guid>
		<description><![CDATA[Virus Bulletin Conference 2008 Two papers presented that year&#8230; (Both are also available as previously on the ESET site, also by permission of Virus Bulletin.) I believe I also did a sponsor presentation, which was easily the worst presentation of my life, &#8230; <a href="http://geekpeninsula.wordpress.com/2013/04/04/virus-bulletin-conference-papers-6-7/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p><strong>Virus Bulletin Conference 2008</strong></p>
<p>Two papers presented that year&#8230; (Both are also available as previously on the <a href="http://www.welivesecurity.com/papers/conference-papers/page/4/" target="_blank">ESET site</a>, also by permission of Virus Bulletin.) I believe I also did a sponsor presentation, which was easily the worst presentation of my life, and I resolved never to pick up someone else&#8217;s presentation again. Fortunately, these two were fine. I must dig out the slide decks.</p>
<p>(1) <span style="line-height:1.5;">David Harley and Pierre-Marc Bureau: </span><a style="line-height:1.5;color:#ff4b33;" href="http://geekpeninsula.files.wordpress.com/2013/04/harley-bureau-vb2008.pdf" target="_blank">A Dose By Any Other Name</a><span style="line-height:1.5;">; Virus Bulletin Conference Proceedings, 2008. Copyright is held by Virus Bulletin Ltd, but is made available on this site for personal use free of charge by permission of </span><a style="line-height:1.5;" href="http://www.virusbtn.com/" target="_blank">Virus Bulletin</a><span style="line-height:1.5;">. </span></p>
<p><strong>ABSTRACT</strong><br />
<em>Years ago, when alt.comp.virus was still useful, ‘Name that virus’ was a popular virtual party game, and virus names were, if not standardized, at least easy to cross-reference with tools like VGrep [1]. In 2008, the numbers have escalated exponentially, analysis and detection have become increasingly generic, and naming, even for some WildList malware, has become nearly useless because of the difficulty of mapping samples to names. The CME (Common Malware Enumeration) initiative [2], while attempting to achieve something many people wanted, seems to have foundered on the rocks of the reality. Yet we continue to provide ‘top ten’ threat lists that have virtually no commonality or consistency across different vendors and sites, so that our customers continue to ask whether we detect the media virus du jour, and the slashdotty community point to us and giggle at our incompetence in failing to provide information about what we detect. Are all our solutions going generic? Are there ways to resolve this issue so that our customers can understand what’s happening and regain some faith in the industry without being hung up on the question ‘Do you detect virus X?’ We think so, and will discuss some possible approaches in this paper.</em></p>
<p>(2) <span style="line-height:1.5;">David Harley and Andrew Lee: </span><a style="line-height:1.5;color:#ff4b33;" href="http://geekpeninsula.files.wordpress.com/2013/04/harley-lee-vb2008.pdf" target="_blank">Who Will Test The Testers?</a><span style="line-height:1.5;"> </span><span style="line-height:1.5;">; Virus Bulletin Conference Proceedings, 2008. Copyright is held by Virus Bulletin Ltd, but is made available on this site for personal use free of charge by permission of </span><a style="line-height:1.5;" href="http://www.virusbtn.com/" target="_blank">Virus Bulletin</a><span style="line-height:1.5;">. </span></p>
<p><strong>ABSTRACT</strong><br />
<em>The anti-malware industry has been plagued since its earliest days by one poorly designed comparative test after another. In 2007, some of the best anti-malware researchers, comparative testers and product certification specialists took the first steps towards raising product testing standards with the formation of a group specifically focused on establishing standards and methodologies, educating both consumers and testers in discrimination between good and bad practice, and providing objective analyses of current testing practices. This paper summarizes current initiatives by the Anti-Malware Testing Standards Organization and other groups, but also considers next steps, going beyond objectifying methodology, educational issues and blowing away the fog of misinformation and fallacy, to the next level. Underlying these vital issues is a question: is it possible to make testers and certifying authorities more accountable for the quality of their testing methods and the accuracy of the conclusions they draw based on that testing? This paper attempts to answer that question.</em></p>
<p><strong>David Harley CITP FBCS CISSP</strong><br />
<strong><span style="line-height:1.5;"><a href="http://antimalwaretesting.wordpress.com/" target="_blank">Anti-Malware Testing<br />
</a></span><a href="http://www.welivesecurity.com/" target="_blank">ESET </a>Senior Research Fellow</strong></p>
<br />  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/geekpeninsula.wordpress.com/288/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/geekpeninsula.wordpress.com/288/" /></a> <img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=geekpeninsula.wordpress.com&#038;blog=26189918&#038;post=288&#038;subd=geekpeninsula&#038;ref=&#038;feed=1" width="1" height="1" />]]></content:encoded>
			<wfw:commentRss>http://geekpeninsula.wordpress.com/2013/04/04/virus-bulletin-conference-papers-6-7/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/b8199c10cb3e0346f93177950eae3108?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">dharley</media:title>
		</media:content>
	</item>
		<item>
		<title>Virus Bulletin Conference Papers (5)</title>
		<link>http://geekpeninsula.wordpress.com/2013/04/03/virus-bulletin-conference-papers-5/</link>
		<comments>http://geekpeninsula.wordpress.com/2013/04/03/virus-bulletin-conference-papers-5/#comments</comments>
		<pubDate>Wed, 03 Apr 2013 21:47:36 +0000</pubDate>
		<dc:creator>David Harley</dc:creator>
				<category><![CDATA[ChainMailCheck]]></category>
		<category><![CDATA[conference papers]]></category>
		<category><![CDATA[David Harley]]></category>
		<category><![CDATA[ESET]]></category>
		<category><![CDATA[VB Conference Papers]]></category>
		<category><![CDATA[Virus Bulletin]]></category>
		<category><![CDATA[Andrew Lee]]></category>

		<guid isPermaLink="false">http://geekpeninsula.wordpress.com/?p=286</guid>
		<description><![CDATA[Virus Bulletin 2007 David Harley and Andrew Lee: Phish Phodder: is User Education Helping or Hindering?; Virus Bulletin Conference Proceedings, 2007. Copyright is held by Virus Bulletin Ltd, but is made available on this site for personal use free of charge by &#8230; <a href="http://geekpeninsula.wordpress.com/2013/04/03/virus-bulletin-conference-papers-5/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p><strong>Virus Bulletin 2007</strong></p>
<p>David Harley and Andrew Lee: <a style="color:#ff4b33;" href="http://geekpeninsula.files.wordpress.com/2013/04/davidharleyandrewleevb2007.pdf" target="_blank">Phish Phodder: is User Education Helping or Hindering?</a><span style="line-height:1.5;">; Virus Bulletin Conference Proceedings, 2007. Copyright is held by Virus Bulletin Ltd, but is made available on this site for personal use free of charge by permission of </span><a style="line-height:1.5;" href="http://www.virusbtn.com/" target="_blank">Virus Bulletin</a><span style="line-height:1.5;">. </span></p>
<p>(Also available as previously on the <a href="http://www.welivesecurity.com/papers/conference-papers/page/4/" target="_blank">ESET site</a>, also by permission of Virus Bulletin.)</p>
<p><strong>ABSTRACT</strong><br />
<em>Mostly, security professionals can spot a phish a mile off. If they do err, it’s usually on the side of caution, for instance when real organizations fail to observe best practice and generate phish-like marketing messages. Many sites are now addressing the problem with phishing quizzes, intended to teach the everyday user to distinguish phish from phowl (sorry). Academic papers on why people fall for phishing mails and sites are something of a growth industry. Yet phishing attacks continue to increase, and while accurate and up-to-date figures for financial loss are hard to come by, indications are that losses from phishing and other forms of identity theft continue to climb.</em></p>
<p><em>This paper:</em><br />
<em> 1. Evaluates current research on how end users are susceptible to phishing attacks and ID theft.</em><br />
<em> 2. Evaluates a range of web-based educational and informational resources in general and summarizes the pros and cons of the quiz approach in particular.</em><br />
<em> 3. Reviews the shared responsibility of phished institutions and phishing mail targets for reducing the impact of phishing scams. What constitutes best practice for finance-related mail-outs and e-commerce transactions? How far can we rely on detection technology?</em></p>
<p><strong>David Harley CITP FBCS CISSP</strong><br />
<strong><a href="http://smallbluegreenblog.wordpress.com/" target="_blank">Small Blue-Green World</a>/<a href="http://chainmailcheck.wordpress.com/" target="_blank">ChainMailCheck</a></strong><br />
<strong><a href="http://www.welivesecurity.com/" target="_blank">ESET </a>Senior Research Fellow</strong></p>
<br />  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/geekpeninsula.wordpress.com/286/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/geekpeninsula.wordpress.com/286/" /></a> <img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=geekpeninsula.wordpress.com&#038;blog=26189918&#038;post=286&#038;subd=geekpeninsula&#038;ref=&#038;feed=1" width="1" height="1" />]]></content:encoded>
			<wfw:commentRss>http://geekpeninsula.wordpress.com/2013/04/03/virus-bulletin-conference-papers-5/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/b8199c10cb3e0346f93177950eae3108?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">dharley</media:title>
		</media:content>
	</item>
		<item>
		<title>Virus Bulletin Conference Papers (4)</title>
		<link>http://geekpeninsula.wordpress.com/2013/04/03/virus-bulletin-conference-papers-4/</link>
		<comments>http://geekpeninsula.wordpress.com/2013/04/03/virus-bulletin-conference-papers-4/#comments</comments>
		<pubDate>Wed, 03 Apr 2013 12:02:53 +0000</pubDate>
		<dc:creator>David Harley</dc:creator>
				<category><![CDATA[conference papers]]></category>
		<category><![CDATA[David Harley]]></category>
		<category><![CDATA[VB Conference Papers]]></category>
		<category><![CDATA[Virus Bulletin]]></category>
		<category><![CDATA[Eddy Willems]]></category>
		<category><![CDATA[education]]></category>
		<category><![CDATA[ICT]]></category>
		<category><![CDATA[Judith Harley]]></category>
		<category><![CDATA[schools]]></category>

		<guid isPermaLink="false">http://geekpeninsula.wordpress.com/?p=283</guid>
		<description><![CDATA[Virus Bulletin 2005 (Also available as previously on the ESET site, also by permission of Virus Bulletin.) David Harley, Eddy Willems and Judith Harley: Teach Your Children Well: ICT Security and the Younger Generation; Virus Bulletin Conference Proceedings, 2005. Copyright is held &#8230; <a href="http://geekpeninsula.wordpress.com/2013/04/03/virus-bulletin-conference-papers-4/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p><strong>Virus Bulletin 2005</strong></p>
<p>(Also available as previously on the <a href="http://www.welivesecurity.com/papers/conference-papers/page/4/" target="_blank">ESET site</a>, also by permission of Virus Bulletin.)</p>
<p>David Harley, Eddy Willems and Judith Harley: <a href="http://geekpeninsula.files.wordpress.com/2013/04/teach-your-children-well1.pdf" target="_blank">Teach Your Children Well: ICT Security and the Younger Generation</a>; Virus Bulletin Conference Proceedings, 2005. Copyright is held by Virus Bulletin Ltd, but is made available on this site for personal use free of charge by permission of <a href="http://www.virusbtn.com/" target="_blank">Virus Bulletin</a>.</p>
<p><strong>ABSTRACT</strong><br />
<em>An article by Eddy Willems in the August 2004 edition of VB discussed his research into the security awareness of Belgian children. The authors have developed this theme by submitting a similar questionnaire to ICT pupils in the UK and using the results as a basis for an interactive presentation and discussion with several groups in the UK, and an assignment based follow-up with different groups was undertaken early in March 2005.</em></p>
<p><em>The paper is not intended as a completed formal study, but considers this presentation and the issues that came up in this preliminary research as a basis for further study and teaching tools. It also considers a range of resources in the area of child safety, learning, attitudes and behaviour as they affect and are affected by the use of information and communications technology, and the influence of the media, government, and the Internet itself. While the preliminary research has largely focused on malware and email abuse, we will also consider how these areas are connected with other technologies and areas of concern among parents and educators.</em></p>
<p><strong>David Harley CITP FBCS CISSP</strong><br />
<a href="http://smallbluegreenblog.eset.com/" target="_blank"><strong> Small Blue-Green World</strong></a><br />
<strong><a href="http://www.welivesecurity.com/" target="_blank"> ESET </a>Senior Research Fellow</strong></p>
<br />  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/geekpeninsula.wordpress.com/283/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/geekpeninsula.wordpress.com/283/" /></a> <img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=geekpeninsula.wordpress.com&#038;blog=26189918&#038;post=283&#038;subd=geekpeninsula&#038;ref=&#038;feed=1" width="1" height="1" />]]></content:encoded>
			<wfw:commentRss>http://geekpeninsula.wordpress.com/2013/04/03/virus-bulletin-conference-papers-4/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/b8199c10cb3e0346f93177950eae3108?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">dharley</media:title>
		</media:content>
	</item>
		<item>
		<title>Virus Bulletin Conference Papers (3)</title>
		<link>http://geekpeninsula.wordpress.com/2013/04/02/virus-bulletin-conference-papers-3/</link>
		<comments>http://geekpeninsula.wordpress.com/2013/04/02/virus-bulletin-conference-papers-3/#comments</comments>
		<pubDate>Tue, 02 Apr 2013 19:45:05 +0000</pubDate>
		<dc:creator>David Harley</dc:creator>
				<category><![CDATA[conference papers]]></category>
		<category><![CDATA[David Harley]]></category>
		<category><![CDATA[VB Conference Papers]]></category>
		<category><![CDATA[Virus Bulletin]]></category>
		<category><![CDATA[Managed services]]></category>

		<guid isPermaLink="false">http://geekpeninsula.wordpress.com/?p=281</guid>
		<description><![CDATA[Virus Bulletin 2003 (Thanks, Helen, for digging up a copy for me! I can&#8217;t believe I didn&#8217;t keep a proofed version.) David Harley; Fact, Fiction and Managed Anti-Malware Services: Vendors, Resellers and Customers Divided by a Common Language; Virus Bulletin Conference Proceedings, 2003. &#8230; <a href="http://geekpeninsula.wordpress.com/2013/04/02/virus-bulletin-conference-papers-3/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p><strong>Virus Bulletin 2003</strong> (Thanks, Helen, for digging up a copy for me! I can&#8217;t believe I didn&#8217;t keep a proofed version.)</p>
<p>David Harley; <a href="http://geekpeninsula.files.wordpress.com/2013/04/dharley-vb2003.pdf" target="_blank">Fact, Fiction and Managed Anti-Malware Services: Vendors, Resellers and Customers Divided by a Common Language</a>; Virus Bulletin Conference Proceedings, 2003. Copyright is held by Virus Bulletin Ltd, but is made available on this site for personal use free of charge by permission of <a href="http://www.virusbtn.com/" target="_blank">Virus Bulletin</a>.</p>
<p>This paper was on a topic very dear to my heart, at the time: part of my job was liaising with a company to whom part of our security was outsourced, against my advice. That would be the part of the job description section labelled &#8220;in-house scapegoat&#8221;.</p>
<p><strong>ABSTRACT</strong><br />
<em>Not all of the assumptions on which the malware management ethos is founded have changed since the 1980s. The anti-virus research community is aware of changes in malware technology, and in malware-management technology and methodology, as well as changing patterns of deployment and end-user attitudes to the problem.</em></p>
<p><em>However, security software is not always sold or administered by experts. The end-user community (system administrators included) varies widely in expertise and perceptual accuracy, of course. However, many organisations delegate their malware management deployment and maintenance to providers of managed services. However, experience suggests that a wide gap can exist between the expectations of the customer, and the range and quality of actual services provided, especially as project scale and the complexity of the protected environment increase.</em></p>
<p><em>Do researchers, customers, and product resellers offering one-fits-all management services share the same perception of what a “complete” management solution is? Is the provider necessarily the best judge of best practice?</em></p>
<p><em>In this paper, we examine the full range of malware management functionality, and highlight some of the areas where dissonance arises between the customer’s expectations and those of the supplier.</em></p>
<p><strong>David Harley CITP FBCS CISSP</strong><br />
<a href="http://smallbluegreenblog.wordpress.com" target="_blank"><strong>Small Blue-Green World</strong></a><br />
<strong><a href="http://www.welivesecurity.com" target="_blank">ESET </a>Senior Research Fellow</strong></p>
<br />  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/geekpeninsula.wordpress.com/281/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/geekpeninsula.wordpress.com/281/" /></a> <img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=geekpeninsula.wordpress.com&#038;blog=26189918&#038;post=281&#038;subd=geekpeninsula&#038;ref=&#038;feed=1" width="1" height="1" />]]></content:encoded>
			<wfw:commentRss>http://geekpeninsula.wordpress.com/2013/04/02/virus-bulletin-conference-papers-3/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/b8199c10cb3e0346f93177950eae3108?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">dharley</media:title>
		</media:content>
	</item>
	</channel>
</rss>
