Recently I returned from the Association of anti-Virus Asia Researchers conference (known as AVAR 2008) in New Delhi, India. Microsoft was a Gold Sponsor of the conference, at which there were a number of interesting presentations. This was also a great opportunity to meet other researchers in the anti-malware industry. Subratam from MMPC Redmond also attended.

As I’d not visited India before, I took some annual leave before the conference so I could visit more of the surrounding area. (And here’s where I make a tenuous, yet still clichéd, analogy, as an excuse to talk about my holiday and show some pictures.)

One place I visited was the Red Fort of Agra, a red sandstone fortified palace complex that was largely rebuilt by the Emperor Akbar, and took on its current configuration during the reign of his grandson, Shah Jahan.

Red Fort of Agra entrance


Shah Jahan is perhaps most well known for this building, across the river from the fort.

Taj Mahal


Enemies attempting to attack the fort were confronted with several layers of defense. Surrounding the fort was a moat filled with crocodiles. Those successfully crossing the moat to the strip of land between it and the wall were then forced to contend with the tigers inhabiting the area.

Red Fort of Agra moat


Should an attacker manage to negotiate the moat, the crocodiles and tigers and then scale the wall, they would then enter a narrow, sloping pathway. Defenders of the fort could repel the attacks by rolling large boulders along the pathway.

Red Fort of Agra slope


(And if you have trouble dealing with rather stretched analogies, look away now.)

Similarly, a number of different layers of defense contribute to ensuring your computer system remains safe from attackers, including keeping all of your software updated, running up-to-date antivirus software, and enabling a firewall. Several presentations at AVAR (such as those by Mikko Hypponen and Vincent Weafer, and parts of the presentation by Eugene Kaspersky) focused on the international online organized crime communities that are responsible for many of the attacks these defenses are designed to prevent. These groups are motivated by “three things: money, more money, and even more money,” and will often trade information and services with one another in order to achieve their nefarious aims. These services might include credit card information, customized trojans, spam runs, malware distribution, and use of botnets.

Furthermore, the nature of online crime means that perpetrators are difficult to track down and arrest. The high technical complexity of the evidence makes convictions harder to obtain, and on the rare occasions where convictions have occurred, sentences have generally been short, with some offenders not receiving any jail time.

There was also some discussion of malware development as a social problem, being attractive to those who do not have legitimate opportunities to use their skills. With employment markets tightening around the world, perhaps we will see an increase in the number of people who turn to online crime. With all of these factors, it is little wonder that computer crime has been said to be “the fastest growing segment of the IT industry.” Several presenters called for a type of “Internetpol” for prosecuting online crimes that occur across international borders.

Other themes that arose during the conference included:

  • The proliferation of malicious scripts, compromised websites, and manipulated search results for propagating malware, and some of the tricks these use to avoid detection.
  • The use of statistical methods for both classifying malware into families, and identifying a location within a malware file that is suitable for generating a signature.
  • Suitable practices for testing of anti-malware products.
  • The workings of various components of the Win32/Rustock family, a multi-component rootkit-based family of trojans, often installed with other malware such as spam tools and rogue security programs.
  • Some malware will attempt to frustrate analysis and detection by testing whether it is running on a virtual machine, then refusing to run if so. One presentation by Andrew Lee suggested making normal systems respond to some of these tests in the same manner as a virtual machine would, in order to prevent this malware from running. Some whitelisting of files would be needed, as some legitimate software uses similar tests in an attempt to prevent the software from being cracked.

In the end, all the defenses of the Red Fort were not enough to prevent Shah Jahan from being overthrown and imprisoned by his son Aurangzeb, who took control of the fort after cutting off its water supply. This shows that even the best defenses can be severely compromised if you don’t choose wisely whom to trust, and this is equally true of malware and online scams.

A couple of presentations from Randy Abrams and David Harley spoke of the importance of user education in reducing the impact of these threats. While technology can sometimes greatly diminish particular types of threats, it can’t cure social problems, and can’t always prevent users from being socially engineered into voluntarily running malicious files, lowering security settings, or providing sensitive information. Because of this, users need to be provided with appropriate education to help them identify and avoid these types of attacks. The presenters believe that education has not kept up with the pace of technological change, and has rarely been well designed for its target audience. Education needs to be accessible, understandable, relevant and entertaining to users who do not want or need to become Internet security experts, as well as containing plenty of examples and context. One of the presentations demonstrated how to educate users about botnets (a term which 71% of users have not heard of), using remotely programmable robotic vacuum cleaners as an analogy.

A number of the presentations touched on the topic of the convergence of the online world and terrorism. This includes both the use of the Internet in real-world terrorism (for communication, organization or funding purposes) and the use of online attacks to attempt to damage or hijack real-world infrastructure, or simply to spread fear, for example by using email to spread rumors of terrorist attacks in popular tourist locations. Terrorism was a pertinent topic for all of the attendees, in light of the recent Mumbai attacks. Among those who attended, it was generally felt that staying away from the conference would be helping to achieve the terrorists’ aims, and that there was a far greater danger of being injured in a traffic accident than by any terrorist activities. But it can still be a difficult decision to attend when loved ones are worried about you. A number of attendees and speakers did withdraw from the conference, and the organizers did an excellent job in making sure it was of such a high standard despite these setbacks.

David

MMPC Melbourne