Wednesday, September 27, 2017
It's time for a new emphasis on testing styles, kids.
So, anyway, I've been looking at a particular piece of malware for the last four or five days, and I've noticed something interesting.
They change it _every_ day. It's not server-side polymorphism, but they deliberately change it every day.
It still does about the same thing, which is to take you to some place to try to get you to install a fake Flash player, or tells you that your computer has a virus, and you must call this 800 number immediately, etc. Nothing fancy.
The first time I search its MD5 on VirusTotal, I get ten or twelve detections. I tend to do that late in the day, and I suspect that if I checked when it was first released, I'd get even fewer detections. The next day, if I search the same MD5, I get twenty to twenty-five detections, and the next day, I get forty or forty-five detections. This makes sense, as this is a natural consequence of samples being shared among vendors, but, guess what? That sample doesn't exist any more, but every day, there is a new one, with low detections, doing the same thing.
Oh, and with just a little looking around, I found a different sample doing the same thing. This probably means there are lots more.
Put another way, when you have something of the order of a million new and unique samples each day, there are probably lots of samples being missed by signature scanners, some because of deliberate tricky stuff, and others, just because of the sheer numbers.
Given a few days, or a couple of weeks, most will be added, but in the mean time, the world is exposed, and if the malware is a worm, or Nation-state stuff, you don't want to be missing these things.
The good news is that all antimalware products have multiple ways of detecting bad things, aside from signature scanners, but someone has to test them, to see how effective, or otherwise, they are.
What I propose to do is to find new, or poorly detected malware, and test them by executing them against products, and see if they are caught... or not.
To start with, I just have half a dozen of the main products, and not many brand new samples, but I expect both will grow.
Watch this space.
Tuesday, September 19, 2017
What can we learn from Equifax?
So, anyway, this year the world has taken a couple of pretty big hits, between Equifax and RansomWorms like WannaCry. It's time to see what we can learn from them.
Let's think about Equifax first. Although it left a bigger mark, it's a simpler solution. Patch, damnit! Patch! It's got nothing to do with some poor soul's music degree, or lack of degree. The patch was released months ago, and it was simply a grievous mistake to not patch, but people are human, and, unlike my dear readers, very few of us never make a mistake.
It's also worth remembering that, just as humans are only human, all software has a weak underbelly if you look hard enough.
One of my favorite security truisms is that security and functionality tend to exist in an inverse relationship. What this means is that the more functional you make something, the less secure it tends to be, and the world demands that we build for functionality.
What this means is that someone will always be discovering a problem with something we care about, and if there's a patch available, patch it. Job done. Well, _that_ job's done, but there are other issues...
You might be spear phished.
You might get a malware infection. There are plenty of those to go around.
You might have un-patchable IoT devices on your network. This is all still emerging.
We will talk about these things at other times, but remember this ... there is no panacea.
Remember that the best security is like layers of swiss cheese. Any one layer has lots of holes, but if you layer another slice on top, they cover up each other's holes. Put enough layers on top of each other, and you are much stronger. Never invulnerable, but _much_ stronger.
This, unfortunately, is a part of the fabric of the Internet, and is simply a cost of doing business.
It hurts, but it is what it is.
Take care out there, folks. Www stands for World War Web.