By Juraj Malcho, Head of ESET VirusLab
It has been quite a long time since the first personal computers hit the market, during which time many serious vulnerabilities and design faults have been discovered, and many things have changed. Mankind has slowly got used to the fact that every new technology can be misused, or rather, we can be fairly sure that someone will try to misuse it, whether merely to prove the concept of misuse, or to initiate a serious threat against people and/or the infrastructure. The design of new devices and technology must therefore take into account the securing of the data, dataflow, and any communication in general.
However, the systems that are being developed today are more and more complex, so even though huge effort is invested in security, faults are quite often introduced during either the design or the implementation stage. The growing number of technologies and devices broadens the attack surface available to the attackers who try to make profits by exploiting existing security flaws. And that’s exactly the domain of computer infiltrations. Nowadays a vast amount of malicious or unwanted code is financially motivated. We could even say that there are only trace amounts of infiltration which exist only to demonstrate the presumed ability of the author (whether maliciously motivated or not). Proof-of-Concept (PoC) virus writing is not as popular as it used to be. In fact, if a security researcher nowadays hears the term PoC the first image that comes to a mind is a chronic, even pathological search for security vulnerabilities and exploits programming. And yet often the underlying motivation is far from altruistic service or efforts to improve software reliability and security. On the contrary, new security vulnerabilities are now very much in demand on the black market, and present great opportunities for illegal income. That is the reason why PoC code and vulnerabilities tend to gravitate more easily towards malware authors than to the respective software developers. And that’s how we get to the typical malware of today, which takes advantage of some type of vulnerability – whether a technical or a human one. The decision about whether malice is intended and threat classification is very straightforward and unambiguous in this case. For an AV company the main problem here is implementing detection. The protection schemes in modern malware tend to be complicated, new variants are coming out in huge volumes and the professional groups on the other side work deliberately on evading detection. The income of these criminal groups is mostly derived from trading stolen credentials or any data stolen from compromised computers, or by renting botnet services, such as adware push-installations, advertisement and spam delivery or DDoS attacks.
THE GREY ZONE – ADWARE, SPYWARE, POTENTIALLY UNWANTED APPLICATIONS
Let’s leave the clearly defined malicious code aside and focus more on greyware – the software from the grey zone. The complications with these applications are not usually inherent in code complexity, code protection/obfuscation, or in implementing detection. The problem lies in the decision as to whether the software is or is not malicious, or if it’s actually useful somehow. Of course, one will automatically assume that the decision criteria have to be subjective and possibly ambiguous to some extent – every user could have a different opinion or different desires. So the boundary between good and evil, usefulness and uselessness is unclear. Even different AV companies might have different views on various issues and the philosophy might differ somewhat, leading to disagreements even among the experts. Naturally, these companies cooperate closely (and not only in order to evade similarly conflicting situations).
Over the years several projects and organizations have been established in order to introduce generally respected rules and best practices that have been developed and discussed within the community.
One of the goals is to create a stable reference point which can be used in discussions of controversial issues. Let’s mention a few of the initiatives that are most related to the topic of this article: the Anti-Virus Product Developers Consortium (AVPD), the Anti-Spyware Coalition (ASC) and the Anti- Malware Testing Standards Organization (AMTSO). AVPD was formed to provide an open forum in which developers could work toward common goals such as product testing, product certification, surveys, studies and market research. ASC is a group dedicated to building a consensus about definitions and best practices in the debate surrounding spyware and other potentially unwanted technologies. And finally, AMTSO was founded in May 2008 as an international non-profit association that focuses on addressing the global need for improvement in objectivity, quality and relevance of anti-malware testing ethodologies. More information about these organizations and initiatives can be found on their web pages.
SPECIFICS OF THE GREY ZONE SOFTWARE
Let’s have a closer look at the previously mentioned problematic software where the decision-making process about its malicious intent or legitimacy is complicated and tricky. What kind of software is it? Well, put very simply – it’s the software that is, in fact, completely useless and doesn’t provide any real value. Or, in other words, if the software is actually paid for, then the only party that gets any genuine benefit from it is the author/company that develops it. That’s a very simple and elegant definition, right? But in the real world, endless discussions could be held regarding the usefulness or legitimacy of these kinds of software.
What is worse, sometimes it even leads to lawsuits. It happens more and more often that after a lengthy analysis an AV company decides to detect some application and a few months later the developers complain about unjustified detection and request that the false positive (FP) be fixed. The rounds of decisions and considerations that follow are usually very uneasy due to the collision of interests. There are many factors that need to be taken into account – not only the software itself, but also the user base, and it is necessary to verify the company’s credibility and to analyse the distribution channels that are used. The distribution channels themselves can easily turn a legitimate application into an unwanted one.
Basically we have two reasons to flag an application as potentially unsafe or unwanted: the application is being misused by some malware, or the distribution model constitutes direct incitements to illegal profit. In the first case you could think of countless system tools that are often misused by malware to enhance its features. Some examples are the system tools from SysInternals/Microsoft, various password crackers/ password recovery tools, using remote administrator tools to implement backdoors, and so on. In the second case (the use of dubious distribution channels) we’re talking about a payper- install business model where the distributor earns a small cut of the profit for every successful installation of the software. This effectively means that the software is often spread by malware and automatically installed on a victim’s PC, or offered in spam campaigns.
A very important piece of information is the incentive for detection itself. Often it comes in the form of a request from the customers who notice strange and unexpected behavior on the part of their PCs. Rogue companies and their products (rogue anti-virus, rogue anti-spyware) have their fraud fine-tuned to every little detail – the product and their website has a professional look, and often they are inspired by real anti-virus software. The websites are full of fake FAQ lists, along with lots of forged positive reactions and testimonies from non-existent users, etc.
Even if we base our decisions on relatively clear rules and recommendations such as those made by the ASC, the decision is difficult and time consuming to make. An in-depth analysis can take hours and days before a good reason for detection is found. That’s where the AV companies expend a lot of resources nowadays. It is beyond the scope of this article to talk in detail about the ASC rules and best practices: the relevant documents are available on the ASC website.
Eset Spol.s R.O is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th – 29th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk
Courtesy: Eskenzi PR
Seed Newsvine