Anti-Phishing Working Group: CeCOS IV

The Anti-Phishing Working Group has asked its members to publicize the forthcoming Counter eCrime Operations Summit in Brazil, which I’m pleased to do. Apologies to those who will have come across this elsewhere, including some of my other blogs.

This year the APWG is hosting its fourth annual Counter eCrime Operations Summit (CeCOS IV) on May 11, 12 & 13 in São Paulo, Brazil. The discounted Early Bird registration rate will end on April 9th. Do not miss this opportunity to join our host and APWG Members from around the globe at this one-of-a-kind event. Counter-eCrime professionals will meet for sessions and discussion panels that look into case studies of organizations under attack and deliver narratives of successful trans-national forensic cooperation.

This is APWG’s first visit to South America and will help build our network of trusted friends worldwide. The discounted registration rate of $250 USD covers all three days of content, lunch, breaks and the Wednesday night reception. (NOTE: APWG Members will receive an additional discount during registration.) This “Early Bird” rate will end on April 9th; after that, registration is $325 USD through the beginning of the event on 11 May.

A partial agenda is posted at the link below. Translation services for English, Spanish and Portuguese will be available for all sessions.

Register Here:

Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence



Mac Virus update

I know, there ain’t no such thing!

Well, we could have a lively debate on that topic, but not right now.

On this occasion, I’m just letting anyone who wonders what happened to the Mac Virus web site (which I inherited from Susan Lesch some years ago) know what’s happening with it. We have nothing to do with the cobwebby sites at and, or with, whatever that is.

The URL actually redirects to my own Mac page at the Small Blue-Green World site, which now re-redirects to a WordPress page. If you want to go straight to the Mac Virus blog, you can go direct here. It’s still malware-oriented, of course, and is likely to become more rather than less active in that area.

In fact, most of my Small Blue-Green World content now resides on blog pages. ESET content is still blogged at, of course, and AVIEN content is blogged at

Confused? Me too…

We now return you to your normal programming. Scheduling, that is, not coding. Unless that’s what you’re doing at the moment. Oh, never mind.

The next time I blog here, it will be about a proper security issue again. I hope.



Is this the laziest 419 of all time?

Subject: the sum of 1,000,000.00 Pounds
From: British Tobacco Promo

[Most of the address fields spoofed a US educational institution, though the reply-to was an address in China.]

Message Body:

You have won 1,000,000.00 Reply us with your details

[This message is actually several weeks old, but I just spotted it while cleaning up one of my mailboxes. Could any potential victim honestly be that naive?]

Director of Malware Intelligence, ESET



A Fairy Tale

Withdrawn on legal advice. Sigh…

So I’m going to ask some hypothetical questions instead.

Principle 3 of the AMTSO (Anti-Malware Testing Standards Organization) guidelines document (—download—amtso-fundamental-principles-of-testing.html) states that “Testing should be reasonably open and transparent.”

The document goes on to explain what information on the test and the test methodology it’s reasonable to ask for.

So is it open and transparent for an anti-malware tester who claims that his tests are compliant with AMTSO guidelines to decline to answer a vendor’s questions or give any information about the reported performance of their product unless they buy a copy of the report or pay a consultancy fee to the tester?

There is, of course, nothing to stop an anti-malware tester soliciting payment from the vendors whose products have been tested both in advance of the test and in response to requests for further information. But is he then entitled to claim to be independent and working without vendor funding? In what respect is this substantially different to the way in which certification testing organizations work, for example?

It seems to me that AMTSO is going to have to consider those questions at its next meeting (in Prague, next week). Purely hypothetically, of course. What do you think?

Small Blue-Green World


A Myth Laid to Reset: I’m Sorry, to Rest

As it’s been a while, here’s a little light-ish relief from my semi-recreational blog….


Code Red, the BBC, and the Computer Misuse Act

Early in this decade, well before I became assimilated by the anti-malware industry, I sat in my office in Birmingham (the one in the UK) and argued vehemently with another independent researcher (now deceased, sadly, but I won’t name him anyway).

He’d had an idea about the Code Red worm problem that was currently very high on the public radar: why not use the same infection mechanism to send a worm out looking for machines that hadn’t been patched to address the IIS vulnerability that Code Red exploited, and force vulnerable machines to patch?

As I remember, I argued that:

    It would alienate him from other members of the research community: many of us have signed Codes of Conduct that would expressly forbid that approach

    It would make assumptions about the target machines and their owners that he wasn’t entitled to make

    It would involve unauthorized access and modification to other systems, which is specifically addressed in criminal legislation in many, many countries. (Including the United Kingdom, where we both lived, but I’ll come back to that.) So actively illegal (in some places) as well as ethically flaky.

    It would add legitimacy to those malware authors who add minimal disinfection of other malware to their creations, probably in the forlorn hope of persuading a jury that their intentions were good, if they ever find themselves in the dock

    If you make a coding error in a non-replicative utility that causes damage to a system, there’s usually some means of fixing it, and at worst the damage is localised. If you make a coding error in a utility that self-replicates, then a lot of people are going to have to live with it, and you won’t be able to do much about it. Unless you want to get into a cycle of send out worm, send out worm to fix bugs in first worm, send out worm to fix bugs in second worm, send out… well, you get the idea. Too many potential bugs travelling by bug.

Well, he seemed convinced by my arguments: though “good” worms that took the same approach were discussed elsewhere and some examples of such code eventually made it into the outside world in some form, I have no reason to suppose that he had any connection with any of them.

Fast forward to 2009. The BBC’s Click program, to be screened on March 14th, “managed to acquire its own low-value botnet…after visiting chatrooms on the internet.” In order to demonstrate its own clevern… – sorry, in order to demonstrate “botnets’ collective power when in the hands of criminals” it set up “its” botnet to send pseudo-spam messages to a couple of email accounts they’d set up specifically for this purpose. Then the presenters used it to carry out a DDoS (Distributed Denial of Service) attack on a server belonging to a security company, with that company’s permission.

Then Click changed the Windows desktop wallpaper on the infected machines to let their owners or users know that their machines had been part of a botnet and advise them on steps to take to secure their machines, and “destroyed its botnet”. (I presume that means they removed or somehow deactivated the bot/agent malware on each infected machine.)

So what does this have to do with my deceased friend? Primarily, the Computer Misuse Act. As Graham Cluley has argued at some length and very convincingly on his blog today, the BBC’s actions may have put it at risk of contravening the UK’s primary legal defense against direct attacks on computer systems. The BBC tell us that they didn’t break the law because they had no criminal intent.

As Ken Bechtel once remarked, AV researchers would make poor lawyers because they’re incapable of passing the bar. Well, I’m not in a bar at the moment, but I’m not a lawyer either, so don’t take this as being in the least authoritative. But I have to wonder whether Click passed this in front of the Beeb’s legal department before they undertook this exercise.

As I understand it, criminal intent has been defined in English law as “the decision to bring about a prohibited consequence”. The 1990 Act, as originally enacted, defines the computer misuse offences as:

1. Unauthorised access to computer material.
2. Unauthorised access with intent to commit or facilitate commission of further offences.
3. Unauthorised modification of computer material.

(By the time of the Click broadcast, the Police and Justice Act 2006 had reworded section 3 as unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer, and had added a section 3A offence of making, supplying or obtaining articles for use in computer misuse. The recklessness wording is worth keeping in mind when reading the BBC’s “no criminal intent” argument below.)

The Act also defines an individual’s guilt according to whether he uses a computer to “secure access” to a program or data held in any computer, whether he’s authorised to secure that access, and whether he knows that his access is unauthorised. I don’t think there’s any doubt that the BBC were not “authorised” to access or modify programs or data on these machines by their owners.

In some jurisdictions, there’s a potential defence where no measures were taken to protect the victim’s machine, but an amendment to introduce that possibility into the 1990 act was rejected.

Criminal liability is, apparently, normally measured according to whether (a) a criminal act was committed and (b) the person who committed the act intended to commit it. So intent (mens rea, often freely translated as “guilty mind”) is important. But in this case, I suspect that if the incident went to court, the question might not be “did the defendant intend to break the law?” in the general sense of setting out to become a “real” botherder, but “did the defendant intend to do the act (the actus reus) that the specific legislation prohibits, knowing it was unauthorised?” However benevolent its intentions, did the BBC know it was in breach of the Computer Misuse Act? Did they actually buy a botnet? (If so, they might want to bear in mind the case of virus author Christopher Pile, one of the few people actually convicted under the CMA, who was convicted of knowingly inciting others to cause unauthorised modification, as well as doing so himself.)

As far as I can tell from the BBC’s article, the program presenters were perfectly aware that they had no authorisation to access any of those 22,000 machines. As far as I can tell from the wording of the Act (but remember that I have no legal training whatsoever!), it doesn’t take into account the fact that it might be broken for benevolent purposes: either your access is authorised, or it isn’t.

On the plus side, little or no “real” harm was done. The BBC sent itself multiple email messages to two accounts specifically created to receive them. Perhaps Prevx’s reputation has suffered slightly from the revelation that the server against which they allowed the BBC to launch a DDoS attack became inaccessible so quickly: according to Click, it took just 60 machines to bring it to its knees. But perhaps it was configured to collapse easily, for a more effective demonstration.

The unprotected machines were presumably (at least temporarily) relieved of the malware which gave the BBC access in the first place, and hopefully some of their owners learned something from the experience. (I have to wonder whether and how the BBC were actually able to check that their action didn’t have any ill effects on all 22,000 of those systems…)

I don’t know if the BBC or the Click presenters are guilty of anything in legal terms: I do think they’ve failed to think things through properly…

Small Blue-Green World
Director of Malware Intelligence, ESET


Happy Birthday Morris!

Randy Abrams recently pointed out to me that today is the 20th anniversary of the Morris Worm. For all you kids out there who have no recollection of this event, I’ve just posted a blog that recaps the worm and includes some relevant references, but right now I want to expand on a thought I had while I was writing it.

The Morris worm was very much of its time. It was a proof of concept (actually of several concepts) item of malware that showed a certain interest in and knowledge of some vulnerabilities that were current at that time (mostly a fingerd buffer overflow, the sendmail DEBUG command left enabled in many installations, and trust relationships and weak passwords abused via rsh/rexec), and was clearly meant to be self-launching. Most current malware, while it may well use drive-by downloads and other exploits, seems to use some form of social engineering. So maybe the earlier CHRISTMA EXEC worm was the real pioneer, with its mass mailing payload and its chainletter appeal to the gullibility of the victim. Well, we can draw dotted lines between old and new malware from now to Christmas, which is the sort of thing that interests saddos like me but doesn’t necessarily gain us much in terms of securing the internet.

Looking through some historical resources, it strikes me that there are some moments in malware history that not only define the time, but in some way draw a line under it (though Morris was followed by a copycat VMS worm the following year). After that, though, we waited quite a while for a real mass mailer epidemic and for the big network worms of this decade. Melissa managed to mark both the beginning of heavy duty mass mailers and the end (or at least the decline) of macro malware. Yet there are no full stops here. In 2008, we’re still seeing new(-ish) stuff cheek-by-jowl with the sort of malware we’ve mostly forgotten about: old-time boot sector viruses and new-age MBR rootkits; macro viruses and office suite exploits; overflows and drive-bys; and an endless loop of social engineering tricks (phishes, 419s, fake admin messages, fake codecs, fake updates…). The only really substantial change is the disappearance of the hobbyist hacker/malware author, promoted into full-blown cyber-criminality.

It seems that what we really need to patch is human nature: the evil gene, the greed gene, the careless gene, the “what’s a patch?” gene, the “I can click on anything because I have anti-virus software” gene…



Malware du Jour

ESET, the anti-malware company for which I work, has just published its half-yearly report on global malware trends, based on data generated by automatic threat-tracking systems. Few people who read this blog will be interested in the marketing aspects of that document, but I thought you might find some of the conclusions interesting.

  • We’ve noticed (actually over far longer than six months) a huge number of detections of malware that uses the Windows AutoRun facility to self-install from removable media (USB flash drives, CDs and so on). It may seem slightly surprising that other vendors haven’t flagged this trend particularly, but it doesn’t mean they don’t detect the same things: it’s just that we have a heuristic that highlights that trend. In the same way, another vendor has a detection that highlights a high proportion of iFrame exploits. We’re very aware of the ever-increasing volume of web-hosted threats, but we don’t have an exact equivalent to that heuristic, so that particular trend isn’t so obvious from our (prevalence-based) figures.
  • Potentially Unwanted Applications (PUAs) and other adware and spyware detections occupy several places in our top ten. That’s not a complete novelty, but the impact of the Virtumonde Trojan in particular is dramatic. Virtumonde is a real pain: its authors work hard at hiding it from specific anti-malware products, and it can be grim trying to remove it from a system when it’s in memory. Leaving it there isn’t much of an option, either: it has a habit of pounding an infected system with so much advertising that it becomes unusable.
  • There’s been a dramatic decline in the use of email to distribute new malicious attachments: of course, it remains a prime vector for the dissemination of malicious URLs. What interested me was the sheer volume of antique mass mailers like Netsky.Q, but my guess is that these are mostly generated by unprotected home machines running obsolescent Windows versions.
  • Password stealing attacks on online gamers and haunters of metaverses like Second Life have been around for a while, too, but they’ve overtaken AutoRun exploits in the “top ten” over the past few months. And that’s not even taking into account other attacks like griefing and replicative “grey goo” style attacks.
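The AutoRun point in the first bullet is worth making concrete. What follows is an added example, not code from ESET’s report or from the author: a small Python triage of an autorun.inf as it would be found at the root of an infected stick, plus a check of the bits in the NoDriveTypeAutoRun registry value (under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer in HKLM or HKCU) that decide whether Windows acts on the file at all. The two sample autorun.inf files, the payload path and the RECYCLER folder heuristic are constructed for this example. One caveat: later Windows updates stopped Explorer from honouring autorun.inf on USB media, but optical media, and unpatched machines of the kind the bullet describes, still process it.

```python
"""Added example: triage autorun.inf files from removable media, and check the
NoDriveTypeAutoRun registry value that governs whether Windows honours them.
Illustrative code only; the autorun.inf samples below are constructed, not captured."""
import re

# [autorun] keys that cause a program to run (or become the default
# double-click action) when the medium is inserted.
EXEC_KEYS = {"open", "shellexecute"}

# NoDriveTypeAutoRun is a bit mask: a SET bit disables AutoRun for that drive type.
DRIVE_REMOVABLE, DRIVE_FIXED, DRIVE_REMOTE, DRIVE_CDROM = 0x04, 0x08, 0x10, 0x20
XP_DEFAULT = 0x91   # disables unknown types and network drives only
HARDENED = 0xFF     # disables every drive type: autorun.inf is never processed


def parse_autorun(text):
    """Tolerant INI parse: case-insensitive section/key names, duplicate keys kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+?)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def command_target(value):
    """Program named by a command line: the first quoted string or the first token."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(None, 1)[0] if value else ""


def analyse_autorun(text):
    """Return the reasons this autorun.inf looks like a self-installer (empty if none)."""
    findings = []
    for key, value in parse_autorun(text).get("autorun", []):
        target = command_target(value).lower()
        if key in EXEC_KEYS:
            findings.append(f"runs a program on insertion: {key}={value}")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(f"hijacks an Explorer verb: {key}={value}")
        elif key == "action" and re.search(r"open folder|view files", value, re.I):
            # Copies Explorer's own AutoPlay wording so the user picks the malicious entry.
            findings.append(f"spoofs the Explorer AutoPlay prompt: action={value}")
        # Constructed heuristic: payloads were commonly parked in a folder that
        # looks like it belongs to Windows so a casual look at the stick misses it.
        if target and re.search(r"(^|\\)(recycler|system volume information)\\", target):
            findings.append(f"payload hidden in a system-looking folder: {target}")
    return findings


def autorun_honoured(no_drive_type_autorun, drive_type_bit):
    """True if Windows would still process autorun.inf for that drive type."""
    return not (no_drive_type_autorun & drive_type_bit)


# --- constructed samples ---------------------------------------------------
BENIGN = """[autorun]
icon=setup.ico
label=Vendor Driver Disc
"""

MALICIOUS = """[AutoRun]
open=RECYCLER\\S-1-5-21-1111111111-2222222222-3333333333-1001\\setup32.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\Command=RECYCLER\\S-1-5-21-1111111111-2222222222-3333333333-1001\\setup32.exe
shell\\explore\\Command=RECYCLER\\S-1-5-21-1111111111-2222222222-3333333333-1001\\setup32.exe
UseAutoPlay=1
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, analyse_autorun(sample) or ["nothing suspicious"])
    print("XP default honours USB sticks:", autorun_honoured(XP_DEFAULT, DRIVE_REMOVABLE))
    print("0xFF honours USB sticks:", autorun_honoured(HARDENED, DRIVE_REMOVABLE))
```

The malicious sample trips every check: the open= line, two hijacked shell verbs (so both “Open” and “Explore” in the context menu launch the payload), the spoofed AutoPlay caption, and the RECYCLER path. The registry check shows why the heuristic fires so often: the XP default of 0x91 leaves bits 0x04 (removable) and 0x20 (CD-ROM) clear, so a freshly inserted stick or disc is processed, whereas 0xFF disables all drive types and is the value to push by policy.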

David Harley
ESET Malware Intelligence Team


That Mac Trojan…

Unless you’ve been potholing for the past week or so, you’ll have heard of the Mac Trojan originally reported by Intego, makers of VirusBarrier, and later taken up by a number of other sources and resources. Most vendors are referring to it as OSX.RSPlug.A or OSX/Puper, and some have referred to its links to the W32/Puper or W32/Zlob families of Windows malware.

Here are some sound links you might find useful. (includes a snort signature).

The significance of this particular threat is not that it’s malware that affects Mac users: there’s lots of that, though most of it predates OS X and won’t work properly in an OS X environment. (NB: there are also macro viruses that might spread through Mac systems even though they don’t have a payload that works in that environment.) Nor is it the first OS X-specific threat: attempted OS X rootkits, Trojans, even the occasional “real” virus, are not common, but have been seen. It’s not a script kiddie “hey, look at me, I wrote a Mac Trojan” effort. It’s not a sophisticated “Proof of Concept” threat that gives the author bragging rights, but isn’t likely to be seen in the real world. Nor is it spreading, AutoStart worm-like, through the entire Mac world. But it is different. It indicates that criminal elements are thinking about the possibilities of infecting or exploiting Macs as well as Windows machines. It’s a basic but viable program from a “professional” source. It uses a similar programmatic and social engineering approach to malware used to exploit Windows machines for frankly criminal purposes. If the bad guys take home the feeling that it has ROI potential, it’s unlikely to be the only example we’ll ever see.

There are positives here, though. In general, most of the Mac community has reported this soberly and responsibly, rather than going for the kneejerk “Macs don’t have a malware problem” reaction, and that bodes well. If the more security-knowledgeable Mac people are taking the issue seriously, less sophisticated users are less likely to be misled. However, there are still people insisting that this isn’t a major problem, because it’s “only a Trojan, not a virus” and it requires the victim to give it permission to install (and because the anti-malware companies are stressing the low risk factor with this particular malware, rather than its potential as an indicator of future trends). Those who are over-anxious to dismiss it as unimportant are missing some points.
(1) In the world of Windows, where most malware lives at present, volumes of malware that doesn’t (self-)replicate have exceeded volumes of replicative malware (worms and viruses, primarily) for a while.
(2) Not so long ago, viruses and worms that spread far and fast were the measure of success in malware distribution. Nowadays, with the professionalization of malware writing, the success of malware is better measured by its ability to steal data from any given system than it is by the number of systems infected by a single variant or subvariant.
(3) There’s a persistent myth in the Mac community that Windows malware is primarily “self-launching”: that is, it doesn’t need the victim to execute or install it, because it uses software vulnerabilities, drive-by downloads, buffer overflows and such to force itself onto a system without any action or attention from the computer user. Malware that does do this sort of thing exists, and has for many years (going back to some of the early network worms of the 1980s). But most malware -does- require user interaction.

Roger Grimes (a very sound researcher and writer) recently estimated that “86 percent of all announced vulnerabilities were client-side attacks requiring end-user interaction”. He doesn’t claim that his figure is definitive, and he didn’t cover all platforms or all vulnerabilities, but I suspect he’s in the right ballpark.

If we’re right, it suggests that malware which works by “social engineering” — tricking the victim into running malicious software, in this case — is more “successful” than malware that relies on exploiting software vulnerabilities. There are still those who claim that Mac users are smarter than Windows users, and won’t be fooled by social engineering. I’ve seen no evidence of that: in fact, I’d guess that, at the moment, Mac users with no particular security knowledge are particularly vulnerable in that they believe that their systems are so secure out of the box that they don’t need to know or to do anything about security.

Whatever happens next, and whether or not this is the tipping point where Mac users start to suffer like Windows users, I’m convinced that this is not the time for partisan bickering from either side of the Mac/Windows divide. This is a time to watch and learn, and seek out fact rather than prejudice.


Microsoft Live OneCare – May Need More Care

A number of news resources have already shown interest in Virus Bulletin’s [1] recent comparative test of antivirus scanners for Vista: for instance, the Register. [2] Not surprisingly, the inclusion of Microsoft’s own Live OneCare antivirus package received particular attention, and maybe its failure to achieve the VB100 award attracted more criticism than was strictly fair, simply because of the Microsoft brand name.

This morning, however, my attention was drawn to another item [3] about Microsoft’s plans to expand its security response and research operations into Europe and Asia. No-one – except maybe the company’s competitors – is likely to regard it as a Bad Thing for Microsoft to increase its investment in security, and the acquisition of AV luminaries like Jimmy Kuo and Katrin Tocheva won’t do their credibility any harm. It would be ungracious to stress that OneCare is not, in fact, Microsoft’s first excursion into antivirus scanning – a minimally rebranded version of Central Point Antivirus was supplied with the last versions of MS-DOS – since it seems to have been CNET that overlooked that fact, not Microsoft. MS was, however, probably hoping that no-one else remembers that particular fiasco – sorry, guys. :)

While the VB review tables show that OneCare missed 37 samples from the In the Wild (ItW) test set, Vinny Gullotto was quoted by CNET as saying that “We missed one virus in their collection. ” In fact, Gullotto seems to be correct: close examination of the original review shows that the product lost out on the VB100 award because it missed “numerous samples” of a W32/Looked variant from the WildList set. Still, the numeric disparity does illustrate once more the complexities of interpreting – let alone conducting – antivirus testing. And with its Forefront business range of security solutions starting to loom, it’s reasonable to assume that MS will indeed be thinking more carefully about meeting the testing criteria for industry standard detection testing…





WARP factor

A couple of weeks ago, I co-chaired a workshop on the role of WARPs (Warnings, Advice and Reporting Points) in health and education. Since my job in the UK’s National Health Service has just disappeared, to be replaced in due course by one or more NHS WARPs, there’s a certain irony there. However, I do find the WARP culture rather interesting.

WARPs are an extension of the CERT/CSIRT concept. They’re intended to have some of the functionality of a full-blown CERT, though not generally the full technical response function. The theory is that a WARP will provide:

• An alert service in which the alerts are filtered to suit the specific needs and interests of the community the WARP serves.
• A limited helpdesk service.
• Somewhere to report incidents.

As you might expect with an initiative that arose from the UK Government CERT, there is a fairly stringent formal registration process for approved WARPs. However, other teams performing similar functions might benefit from exposure to a community of trust beyond the borders of their own organization. Certainly we could all benefit from shared experience and incident reporting, and the raising of security awareness and involvement at end-user level. And, since they can be run on a part-time or volunteer basis, WARPs can provide enhanced community security very economically.


OSX/Inqtana False Positive

It’s old news that Sophos briefly took their corporate eye off the ball and released an IDE (virus identity file) that incorrectly detected Inqtana.B in some application files on OS X Macs. While the incident seriously inconvenienced some users and sites by necessitating reinstallation of some misdiagnosed programs, the vendor did replace the offending file very quickly, apologised, and put in place measures to avoid a recurrence.

Worryingly, however, some have seen this incident as an argument for jettisoning commercial anti-virus in favour of an open source solution. Is there a place for volunteer AV in the workplace, though? As a supplement, sure, as long as the organization and the end-user realise the limitations of the genre. I don’t doubt the motives of the public-spirited purveyors of AV freeware. The AV commercial vendors are not whiter than white, and of course they have a commercial agenda, but they have to meet standards of functionality and support in order to stay in the market place. Perhaps now, when malware authors seem to have rediscovered the Mac platform, is not the best time to put all your worm-free Apples in one basket, or entrust the corporate crown jewels to software that doesn’t detect all known malware on that platform, offers no guarantees of freedom from future FPs, and doesn’t offer professional levels of service and technical support?