Posted by: David Harley | January 30, 2010

Lazy 419s – Another Contender

[I think I feel a scam collection coming on: compare a previous blog at http://blogs.securiteam.com/index.php/archives/1331]

Thank you very much, Official Notice (also known, apparently, as julie-becker@sbcglobal.net) for letting me know that my email ID has won 1,000,000.00 GBP in the Tobacco Award Promo.

As I noticed that you had actually blind copied me, presumably along with hundreds of other lucky winners (I didn’t realize there was still so much money in nicotine), I thought I’d respond to your request to send details publicly. That way, if any of those other winners are confused about how to respond, this should make it clear.

“Name…Address…Sex” 

As for your first query, yes, I do have a name, but thank you for asking. I also have an address: several in fact, including the one you mailed me on. Or did you mean my actual terrestrial address? Sure, I have one of those. Would you like me to send it to you, along with my key and my bank details? It’ll save us both time that way: we can skip the bit where you tell me that I need to pay you some money so that you can release my million pounds, and you can just get on with stealing my identity and the contents of my house and bank account at your convenience.

Sex? Well, from time to time, but not as much as I used to. Why, is that part of the deal? Nothing personal, but I make it a rule never to sleep with scammers.

Thank you for calling. BZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ…..

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://avien.net/blog
http://www.eset.com/threat-center/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://macviruscom.wordpress.com

Posted by: David Harley | September 19, 2009

Lost in Cyberspace

xkcd

Posted by: David Harley | September 19, 2009

Malware Naming, Shape Shifters & Sympathetic Magic

Back to ESET White Papers

This is the paper on malware naming I presented at CFET 2009 in Canterbury: http://www.eset.com/download/whitepapers/cfet2009naming.pdf

Abstract

Once upon a time, one infection by specific malware looked much like another infection, to an antivirus scanner if not to the naked eye. Even back then, virus naming wasn’t very consistent between vendors, but at least virus encyclopaedias and third-party resources like vgrep made it generally straightforward to map one vendor’s name for a virus to another vendor’s name for the same malware.

In 2009, though, the threat landscape looks very different. Viruses and other replicative malware, while far from extinct, pose a comparatively manageable problem compared to other threats with the single common characteristic of malicious intent. Proof-of-Concept code with sophisticated self-replicating mechanisms is of less interest to today’s malware authors than shape-shifting Trojans that change their appearance frequently to evade detection and are intended to make money for criminals rather than getting adolescent admiration and bragging rights.

Sheer sample glut makes it impossible to categorize and standardize on naming for each and every unique sample out of tens of thousands processed each day.

Detection techniques such as generic signatures, heuristics and sandboxing have also changed the ways in which malware is detected and therefore how it is classified, confounding the old assumptions of a simple one-to-one relationship between a detection label and a malicious program. This presentation will explain how one-to-many, many-to-one, or many-to-many models are at least as likely as the old one-detection-per-variant model, why “Do you detect Win32/UnpleasantVirus.EG?” is such a difficult question to answer, and explain why exact indication is not a pre-requisite for detection and remediation of malware, and actually militates against the most effective use of analysis and development time and resources. But what is the information that the end-user or end-site really needs to know about an incoming threat?

Posted by: David Harley | September 19, 2009

A Myth Laid to Rest

acme3

Posted by: David Harley | September 19, 2009

Vikings

viking3

Posted by: David Harley | September 19, 2009

Hats

hats1a

I’m a badass hacker, so of course I wear a black hat

I’m a good guy who is dedicated to fighting black hats, so I get to wear a white hat

I’m a good guy who sometimes plays with the bad guys, so I have to wear a grey hat

I’m an antivirus guy and I’m always getting dumped on by these other guys, so I wear a hard hat

Posted by: David Harley | June 18, 2009

Making Sense of Anti-Malware Comparative Testing

[To return to ESET white papers page click here: http://www.eset.com/threat-center/blog.]

This is an Elsevier article preprint of an article on the main issues around comparative testing of antivirus/antimalware products, made available here by permission of Elsevier.

The fully formatted, proofed and reviewed version is available at http://dx.doi.org/10.1016/j.istr.2009.03.002.

Abstract:

If there’s a single problem illustrating the gulf between the anti-malware industry and the rest of the online world, it revolves around the difficulties and misunderstandings that plague product testing and evaluation. This article considers these issues and the initiatives taken by the anti-malware and testing sectors to resolve some of them.

Posted by: David Harley | May 15, 2009

Execution Context in Anti-Malware Testing

[Go back to ESET White Papers page.]
[Go back to ESET blog.]

This is one of my 2009 papers, presented by Randy Abrams and myself on behalf of ESET at the EICAR 2009 Conference in Berlin.

Abstract

Anti-malware testing methodology remains a contentious area because many testers are insufficiently aware of the complexities of malware and anti-malware technology. This results in the frequent publication of comparative test results that are misleading and often totally invalid because they don’t accurately reflect the detection capability of the products under test. Because many tests are based purely on static testing, where products are tested by using them to scan presumed infected objects passively, those products that use more proactive techniques such as active heuristics, emulation and sandboxing are frequently disadvantaged in such tests, even assuming that sample sets are correctly validated.

Recent examples of misleading published statistical data include the ranking of anti-malware products according to reports returned by multi-scanner sample submission sites, even though the better examples of such sites are clear that this is not an appropriate use of their services, and the use of similar reports to generate other statistical data such as the assumed prevalence of specific malware. These problems, especially when combined with other testing problem areas such as accurate sample validation and classification, introduce major statistical anomalies.

In this paper, it is proposed to review the most common mainstream anti-malware detection techniques (search strings and simple signatures, generic signatures, passive heuristics, active heuristics and behaviour analysis) in the context of anti-malware testing for purposes of single product testing, comparative detection testing, and generation of prevalence and global detection data. Specifically, issues around static and dynamic testing will be examined. Issues with additional impact, such as sample classification and false positives, will be considered – not only false identification of innocent applications as malware, but also contentious classification issues such as (1) the trapping of samples, especially corrupted or truncated honeypot and honeynet samples intended maliciously but unable to pose a direct threat to target systems (2) use of such criteria as packing and obfuscation status as a primary heuristic for the identification of malware.

EICAR execution context paper

Posted by: David Harley | April 14, 2009

Phish Phodder: Is User Education Helping or Hindering?

[Go back to ESET White Papers page.]
[Go back to ESET blog.]

David Harley & Andrew Lee, “Phish Phodder: Is User Education Helping or Hindering?” (davidharleyandrewleevb2007), September 2007, Virus Bulletin. Copyright is held by Virus Bulletin Ltd, but the document is made available on this site for personal use free of charge by permission of Virus Bulletin.

ABSTRACT
Mostly, security professionals can spot a phish a mile off. If they do err, it’s usually on the side of caution, for instance when real organizations fail to observe best practice and generate phish-like marketing messages. Many sites are now addressing the problem with phishing quizzes, intended to teach the everyday user to distinguish phish from phowl (sorry). Academic papers on why people fall for phishing mails and sites are something of a growth industry. Yet phishing attacks continue to increase, and while accurate and up-to-date figures for financial loss are hard to come by, indications are that losses from phishing and other forms of identity theft continue to climb.

This paper:
1. Evaluates current research on how end users are susceptible to phishing attacks and ID theft.
2. Evaluates a range of web-based educational and informational resources in general and summarizes the pros and cons of the quiz approach in particular.
3. Reviews the shared responsibility of phished institutions and phishing mail targets for reducing the impact of phishing scams. What constitutes best practice for finance-related mail-outs and e-commerce transactions? How far can we rely on detection technology?

Posted by: David Harley | April 11, 2009

A Musical Interlude

After only 20 years (well, nearly) of being connected to the Internet, I’ve finally got around to making some music available that I recorded in the 80s (I did sell some copies at the time, so this isn’t completely unheard stuff). Although this is studio recorded stuff, I don’t have access to the master tapes, so these tracks are taken from cassettes. Still, they sound better than I expected through decent headphones.

Three tracks are from an unreleased album made with Bob Theil, Don MacLeod, Bob Cairns, and Pat Orchard. There are also a handful of tracks from “Sheer Bravado” (more to come) and, eventually, there’ll be more  from “Scriptwrecked”. There will also be some more recent stuff eventually: I’ve got some BOSS recording kit that I’m dying to do more work with.

The relevant page on the main Small Blue-Green World site is here.
