Virus Bulletin 2009
Another two-paper year.
(1) David Harley and Randy Abrams: Whatever Happened to the Unlikely Lads? A Hoaxing Metamorphosis; Virus Bulletin Conference Proceedings, 2009. Copyright is held by Virus Bulletin Ltd, but the paper is made available on this site for personal use free of charge by permission of Virus Bulletin.
Once upon a time the most problematic chain emails were virus hoaxes, as exemplified by the Good Times hoax: however, perhaps the last really innovative malware-related hoaxes were the SULFNBK and JDBGMGR hoaxes of the early noughties. Since then, most anti-malware companies have virtually lost interest in memetic malware as its links with real, programmatic malware have declined. But does this mean the problem has gone away? Unfortunately, it hasn’t. Somewhere in the no-man’s land between malware and spam, the chain letter continues to create a range of problems for system administrators and IT support departments, from choked mail servers to choked support lines. However, it has also created both emotional and practical problems for the recipients as hoaxers have learned to apply increased pressure by hanging hoaxes and semi-hoaxes onto real-life tragedies and disasters such as the 2004 tsunami and missing children including Madeleine McCann.
This paper traces the changes in the Meme Machine from the 1990s to 2009, from the Jeffrey Mogul metavirus to the tsunami-related hoaxes that intermittently crippled public sector communication channels in the UK in the present decade, and considers some of the most recent examples, looking at underlying mechanisms as well as topical content. What has changed? What measures should we be taking to steer our users and customers away from the submerged 9/10 of this under-publicized iceberg? And if the security industry doesn’t own the problem, who does?
(2) David Harley and Jeff Debrosse: Malice Through the Looking Glass: Behaviour Analysis for the Next Decade; Virus Bulletin Conference Proceedings, 2009. Copyright is held by Virus Bulletin Ltd, but the paper is made available on this site for personal use free of charge by permission of Virus Bulletin.
Most VB attendees have a major interest in malicious code. Often they focus on the highly technical issues around the intricacies of malware technology and counter-technology, the programmatic detail of attack and counter-attack. Sometimes they focus instead on the higher level application of defensive technology to corporate or infrastructural environments, even the entire Internet. More rarely, they look at the human side of malware management, mostly from the point of view of involving the potential victim (individual or organization under attack) in the defensive process (education and training, policy enforcement and so on).
However, malware is only part of a complex process of malicious exploitation. Behaviour analysis is a crucial topic in 21st century anti-malware, but rather than focusing purely on programmatic behaviour, should we not be looking at the psychosocial behaviours that underpin the exploitation mechanism? (By this we mean not only the behaviour of the criminal, but that of the victim.) This paper considers steps towards a holistic approach to behaviour analysis that would enable us to treat the disease rather than the symptom, drawing on both social and computer science.
David Harley CITP FBCS CISSP
Small Blue-Green World/ChainMailCheck
ESET Senior Research Fellow