Posts byDavid Harley

David Harley has worked in security since 1986, notably as security analyst for a major medical research charity, then as manager of the NHS Threat Assessment Centre. Since 2006 he has worked as an independent consultant. He also holds the position of Senior Research Fellow at ESET. His books include Viruses Revealed and the AVIEN Anti-Malware Defense Guide for the Enterprise. He is a frequent speaker at major security conferences, and a prolific writer of blogs and other articles. If he had any free time, he would probably spend most of it playing the guitar.

Comment(ary) Spam…

I’m not sure why I feel the urge to keep writing about comment spam: primarily, I suppose it’s because I get so much amusement from it (just as well considering how much of it I read when I moderate comments on the ESET blog), rather than because the world is full of bloggers waiting for me to tell them how to recognize it, even if it isn’t apparently posted by someone called nike soccer shoes or where to buy a laptop or even my personal favourite of the moment, rolling in the deep adele. (Well, there went my favourite heuristic.)

Still, I liked the cheek of this one:

“Throughout the great scheme of things you’ll get a B- for effort. Where you actually confused me personally was first on your particulars. As people say, the devil is in the details… And it couldn’t be more correct here. Having said that, let me inform you what did deliver the results. Your authoring is pretty powerful which is most likely the reason why I am taking the effort in order to comment. I do not make it a regular habit of doing that. 2nd, even though I can easily see a leaps in reason you make, I am not sure of just how you appear to connect the points which inturn produce the final result. For the moment I shall yield to your point but trust in the foreseeable future you actually link the facts better.”

So much so that I did a quick Google to see how common this particular approach is, and sure enough I found a whole bunch of very similar posts – by similar, I mean the same core text with minor changes such as “the great pattern of things”. Apparently, I’m not the only blogger who tends to assume that if a comment is enthusiastic, it’s probably spam.

Thank you for your constructive criticism, Mr feather extensions online: I like your style. But my absolute favourite at the moment is Fritz, who commented dispiritedly that he is “always a big fan of linking to bloggers that I love but don’t get a lot of link love from”: too bad URLs in comments are stripped automatically, or I might have allowed that one through just to put a smile on your face.

David Harley

Commoditizing Pay-Per-Install

We all know, I guess, about the professionalization of Internet crime and the diversification of the underground economy, but measuring it isn’t so easy.

ESET’s Aleksandr Matrosov and Eugene Rodionov have alluded to it in several papers and presentations with particular reference to TDSS, and we consolidated some of that material into an article (actually the first of a series of three articles on TDSS) that talks about the Dogma Millions and GangstaBucks affiliate models used in that context.

However, a paper on Measuring Pay-per-Install: The Commoditization of Malware Distribution by Juan Caballero, Chris Grier, Christian Kreibich, and Vern Paxson, is based on a measurement study implemented by infiltrating four PPI service providers: LoaderAdv (of which GangstaBucks is one of the brands), GoldInstall, Virut, and Zlob. The authors assert that 12 out of the top 20 malware families tracked by Fire Eye between April and June 2010, twelve were using PPI services to buy infections.

Lots of other interesting data there, too. Hat tip to Aleks for bringing it to my attention.

ESET Senior Research Fellow

Japan Disaster Commentary and Resources

It probably hasn’t escaped your notice that there’s a lot of malware/SEO/scamming whenever a major disaster occurs. A few days ago I started to put together a list of commentary (some of it my own) and resources relating to the Japanese earthquake and tsunami, in anticipation of that sort of activity.

Originally, I was using several of my usual blog venues, but decided eventually to focus on one site. As ESET had no monopoly on useful information, I wanted to use a vendor-agnostic site. Actually, I could have used this one, but for better or worse, I decided to use the AVIEN blog, since I’ve pretty much taken over the care and feeding of that organization. The blog in question is Japan Disaster: Commentary & Resources.

It’s certainly not all-inclusive, but it’s the largest resource of its type that I’m aware of. Eventually, it will be organized more so as to focus again on the stuff that’s directly related to security, but right now, given the impact of the crisis, I’m posting pretty much anything that strikes me as useful, even if its relevance to security is a bit tenuous.

I’m afraid I’m going to post this pointer one or two other places: apologies if you trip over it more often than you really want to!

ESET Senior Research Fellow

Back on the AMTSO wheel

The next AMTSO members’ meeting is at San Mateo, California, on the 10th-11th February, just before RSA.

I’m not sure how many supporters of the Anti-Malware Testing Standards Organization there are reading this blog, as opposed to those who regard AMTSO as a club with which to beat the anti-virus industry. However, I’m pretty sure that even those who find the generation of testing guidelines documents (which constitutes most of the work at AMTSO meetings) excruciatingly boring will find some interesting material coming out of the organization in the next few weeks.

There’s more information on this year’s AMTSO meetings on the AMTSO meetings page at, including a preliminary agenda.

Small Blue-Green World

Stuxnet Guesswork

Aviram said in a recent blog about Stuxnet and SCADA here:

After that, we get to theorize on who’s behind it and who is the target. What’s your guess?

And sure enough, half the security world has done just that, and the rest will be talking about it at Virus Bulletin next week. Good fun, maybe, if you don’t think too hard about some of the political implications, but I’m not sure it’s been productive or useful. Which is why I blogged today here.

I’d love to cover the same ground again here, but frankly I’m just too dispirited…

ESET Senior Research Fellow

Conspiracy Theory

After a while (about 20 years in my case) around the anti-malware industry (the last couple of years actually in it…), you get used to the idea that everyone expects the worst of them… errrr, us:

  • hype and extreme marketing
  • FUD
  • incompetence
  • putting our bottom line above the public well-being
  • bad hygiene

Maybe the last one is a bit paranoid.

Still, we have a bad rep. And the popular myth that AV companies run AMTSO (the Anti-Malware Testing Standards Organization) purely for their own aggrandizement and marketing advantage has some of its origins in that universal mistrust of AV.

If you buy into all that, then you’ll also assume that when five AV researchers, all from different companies, collaborate on a blog that responds to the recent attacks on AMTSO, that’s proof of a conspiracy.

Actually, the AV industry is founded in co-operation: otherwise, your AV product would only ever catch the malware that company had seen in its own honeynets, been sent in by its customers, and so on. But apparently that’s a sign of bad intentions, too.

Whatever. If you’re interested in the blog, here are five places you should be able to find it.

(And for a somewhat related commentary,

Not speaking for AMTSO or the AV industry, and definitely not speaking for the testing industry or the media.

AMTSO Inside and Outside

God bless Twitter.

A day or two ago, I was edified by the sight of two journalists asking each other whether AMTSO (the Anti-Malware Testing Standards Organization) had actually achieved anything yet. Though one of them did suggest that the other might ask me. (Didn’t happen.)

Well, it’s always a privilege to see cutting edge investigative journalism in action. I know the word researcher is in my job title, but I normally charge for doing other people’s research. But since you’re obviously both very busy, and as a member of the AMTSO Board of Directors (NB, that’s a volunteer role) I guess I do have some insight here, so let me help you out, guys.

Since the first formal meeting of AMTSO in May 2008, where a whole bunch of testers, vendors, publishers and individuals sat down to discuss how the general standard of testing could be raised, the organization has approved and published a number of guidelines/best practices documents.

To be more specific:

The “Fundamental Principles of Testing” document is a decent attempt at doing what it says on the tin, and provide a baseline definition for what good testing is at an abstract level.

The Guidelines document provide… errrr, guidelines… in a number of areas:

  • Dynamic Testing
  • Sample Validation
  • In the Cloud Testing
  • Network Based Product Testing
  • Whole Product Testing
  • Performance Testing

Another document looks at the pros and cons of creating malware for testing purposes.

The analysis of reviews document provides a basis for the review analysis process which has so far resulted in two review analyses – well, that was a fairly painful gestation process, and in fact, there was a volatile but necessary period in the first year in particular while various procedures, legal requirements and so on were addressed. There are several other papers in process being worked on

A fairly comprehensive links/files repository for testing-related resources was established here and new resources added, from AMTSO members and others.

Unspectacular, and no doubt journalistically uninteresting. But representing a lot of volunteer work by people who already have full time jobs.

You don’t have to agree with every sentence of every document: the point is that these documents didn’t exist before, and they go some way towards meeting the needs of those people who want to know more about testing, whether as a tester, tester’s audience, producer of products under test, or any other interested party. Perhaps most importantly, the idea has started to spread that perhaps testers should be accountable to their customers (those who read their reviews) for the accuracy and fitness for purpose of their tests, just as security vendors are accountable to their own customers.

[Perhaps I’d better clarify that: I’m not saying that tests have to be or can be perfect, any more than products . (You might want 100% security or 100% accuracy, but that isn’t possible.)

You don’t have to like what AMTSO does. But it would be nice if you’d actually make an effort to find out what we do and maybe even consider joining (AMTSO does not only admit vendors and testers) before you moan into extinction an organization that is trying to do something about a serious problem that no-one else is addressing.

Not speaking for AMTSO

IEEE eCrime Researchers Summit 2010

The fifth IEEE eCrime Researchers Summit 2010 ( will be held in conjunction with the 2010 APWG General Meeting between October 18-20, 2010 at Southern Methodist University in Dallas, TX.

Topics of interest include:

* Phishing, rogue-AV, pharming, click-fraud, crimeware, extortion and emerging attacks.
* Technical, legal, political, social and psychological aspects of fraud and fraud prevention.
* Malware, botnets, ecriminal/phishing gangs and collaboration, or money laundering.
* Techniques to assess the risks and yields of attacks and the success rates of countermeasures.
* Delivery techniques, including spam, voice mail and rank manipulation; and countermeasures.
* Spoofing of different types, and applications to fraud.
* Techniques to avoid detection, tracking and takedown; and ways to block such techniques.
* Honeypot design, data mining, and forensic aspects of fraud prevention.
* Design and evaluation of user interfaces in the context of fraud and network security.
* Best practices related to digital forensics tools and techniques, investigative procedures, and evidence acquisition, handling and preservation.

Important dates: (11:59pm US EDT)
Full paper and RIP (Research in Progress) paper submissions due: June 30, 2010
Paper notification: Aug 1, 2010
Poster submissions due: August 29, 2010
Poster notifications: September 5, 2010
Conference: October 18-20, 2010
Camera ready due: October 27, 2010

For more information on the submission process, visit