Man, Myth, Malware and Multi-Scanning is the 4th of my CFET papers, co-written with Julio Canto of VirusTotal. Almost uniquely (for me), the paper was written some time after the presentation at the conference.
[My other presentation at that conference – The Virtual Tsunami: Global Disasters and Security Disasters – never got to being a paper. (Submission of an actual paper at CFET is optional.) I may make the slide deck available, but some of the material should not be made publicly available, so it will require some editing. However, the abstract is below.]
Man, Myth, Malware and Multi-Scanning is about the use and misuse of public multi-scanner web pages that check suspicious files for possible malicious content, and why they’re no substitute for comparative testing. The document is hosted at ESET, but there’s also a local copy here: CFET2011_multiscanning_paper
Presented at the 5th Cybercrime Forensics Education & Training (CFET 2011) Conference in September 2011.
Here’s the abstract.
Malware multi-scanning: everybody’s doing it. AV companies use batteries of competitor products for comparative analysis and other laboratory procedures. Blackhats are increasingly likely to use internal or third-party “black” laboratory resources for the testing of malware tweaked to increase resistance to anti-malware analysis and forensics, as the blackhat economy strengthens and parallels conventional business models. Public multi-scanner sites intended for the evaluation of the risk from individual files are also used and misused for many purposes, such as:
- Indirect distribution and gathering of samples
- The estimation and guesstimation of malware prevalence and of public exposure to risk from “undetected” malware
- The “ranking” of products by detection performance, and the subsequent generation of marketing collateral
- Pseudo-validation and classification of samples by testers.
Public sites have evolved and matured to meet the different needs of anti-malware vendors, a wide range of home and end users, other security researchers, and the media. However the range of myths and misconceptions around what is and isn’t appropriate use has outpaced those developments. This paper and presentation will look at the history and range of multi-scanner usage in all these contexts, but will focus primarily on the inappropriate substitution of multi-scanning for (a) performance ranking and pseudo-testing, and (b) sound sample validation and classification.
This paper will consider five key points:
- Firstly, what’s out there? We consider the multiplicity of public multi-scanner sites, in-house AV resources, specialist AV community resources and blackhat resources that are currently known to be in use as an anti-forensic measure.
- Secondly, we consider the sane and sensible uses for multi-scanning, including pre-validation sample processing, in-house comparative analysis, and risk assessment of individual files at public sites.
- Thirdly, we consider the misuse of public and private multi-scanner facilities for pseudo-testing: is it a good idea to use multi-scanners for product ranking by detection performance?
- Fourthly, we look at pseudo-validation, addressing the issue of automation versus avoidance in sample validation and classification.
- Finally, we address the implications for the anti-malware and product testing industries.
This was the abstract for the other presentation, for which no paper was written.
The Virtual Tsunami: Global Disasters and Security Disasters
There’s something about a disaster (global or personal, real or fabricated) that brings out both the best and the worst in people. While much of the world is eager to lend its support to afflicted regions, another eager subset of (in)humanity is taking to its keyboards, looking forward to profiting from the misery of others in a variety of ways: from fraud to malware, from spam to Black Hat Search Engine Optimization (BHSEO), from product misrepresentation to out and out hoaxes.
This presentation considers the evolution and classification of some of the species of maggot that emerge in times of tragedy to feed off the misery of those affected, and to profit (financially or otherwise) from the curiosity and sympathy of others. It looks at the ways in which we currently try to counter this exploitation, both within the anti-malware industry and outside it. And finally, we consider whether the cooperative models explored in other security contexts can be applied successfully to disaster management, or whether there’s a way of doing it better.
The presentation is divided roughly into the following segments:
1. Phish and Foul Play: Charity/aid scams and spams, 419s, Londoning and ID theft, the evolution and divergence of misinformation and hoaxes;
2. Technical attacks, social engineering, and anti-social engineering: BHSEO, fake AV and other malware, and the misuse of social media and the escalating interconnectivity of social data;
3. What’s been did and what’s been hid: successes and mistakes in post-disaster security management: is there a more effective, more holistic approach to cybercrime and cybernuisance management during and following disasters?
Small Blue-Green World
ESET Senior Research Fellow