Déjà vu all over again

2007-01-01

Ryan Hicks

Earthlink, USA
Editor: Helen Martin

Abstract

'The malware research community [is] the authority with regard to assisting newcomers in the adoption of safe practices.' Ryan Hicks, Earthlink.


Since the turn of the century the malware landscape has been changing steadily. Previously, most attention and effort was focused on the problems created by malicious self-replicating code. Even though trojans had existed and caused problems for some time, viruses and worms were considered the only threats worthy of attention. However, the situation has since changed.

Initially, there was debate in the research community as to whether or not early trojans (e.g. simple keyloggers, autodialers, etc.) constituted enough of a threat to warrant detection and cleaning. But as vendors started adding trojans to their definition sets, another problem arose. Certain companies were producing software, allegedly within legal bounds and/or with user consent, but which could otherwise be considered malware. The combination of the AV industry’s reluctance to detect trojans and the legal wrangling left a gap that was later filled by the anti-spyware industry.

But the separation in focus didn’t last long. Anti-virus (AV) vendors created their own anti-spyware products through acquisition, in-house development, or both, and anti-spyware vendors began adding anti-virus capability through partnerships or in-house development. The two sides of the industry have come closer together and will likely soon become indistinguishable.

The rise of the anti-spyware industry was not limited simply to technological or product development. Difficult policy and law enforcement issues also needed to be resolved. While viruses and worms can be said always to be unwanted, spyware is not as easily classified.

At the forefront of addressing these issues is the Anti-Spyware Coalition (ASC). Among the myriad issues with which the ASC is concerned are several in which the AV industry and research community already has a vast amount of knowledge and experience: sample sharing and safe handling, participant vetting, and control of information dissemination.

The transition of the AV community from focusing on self-replicating malware to the inclusion of non-replicating malware is still under way, and already yet another threat has become a significant problem: phishing. The Anti-Phishing Working Group (APWG) brings together policy makers, law enforcement bodies, customers and vendors to address the issues related to phishing. Like the anti-spyware community, anti-phishing efforts are faced with issues that are well known to the AV industry: sample sharing and safe handling, participant vetting, and control of information dissemination.

It is apparent that this represents a massive duplication of effort. Organizations at the forefront of the latest software security issues are spending time and effort developing policies and procedures that the AV vendor and research community already has in place. Even though the AV industry is well represented in the ASC and the APWG, the technical and procedural efforts should be more visibly led by the AV research community.

For nearly two decades, the AV research community has developed proven procedures for every aspect of malware research. The newer threats of spyware and phishing will require new policies, best practices, and new laws as to the investigation and prosecution of offenders. However, the concerns regarding the sharing of samples with trusted community members, the safe handling of those samples, vetting and acceptance of new members in the research community, and the dissemination of sensitive information, remain the same.

New organizations such as the ASC and APWG are being created to address the greater issues of how to deal with new threats. While the malware research community may not be expert in the creation of policy or law enforcement, we are the authority with regard to assisting newcomers in the adoption of safe practices. As such, it is incumbent on the malware research community to take the lead and establish a means by which newcomers can benefit from our knowledge and experience.


