Posted By: MicroMatTech3 Outmaneuvered at Their Own Game - 12/31/12 11:35 PM
Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt
Posted By: artie505 Re: Outmaneuvered at Their Own Game - 01/01/13 12:27 AM
The issue has been acknowledged around here for years; why has it taken the industry until now to yank its head out of its hole in the sand?
Posted By: tacit Re: Outmaneuvered at Their Own Game - 01/07/13 03:48 AM
The industry has made billions doing things the way they're currently done. In any industry from computer software to fishing lures, it is very hard to persuade a company "Give up the business model that is making you billions of dollars right now and switch to an unproven, untested business model that might be better."

The conventional way to do antivirus protection--identify malicious software, analyze how it works, create a signature for it, then distribute the signature--is fundamentally broken, especially in a world where malware is written for profit (enormous profit) and organized crime hires teams of dedicated, highly skilled programmers to churn out new variants on the malware literally daily.
Posted By: joemikeb Re: Outmaneuvered at Their Own Game - 01/07/13 02:57 PM
Originally Posted By: Tacit
The industry has made billions doing things the way they're currently done. In any industry from computer software to fishing lures, it is very hard to persuade a company "Give up the business model that is making you billions of dollars right now and switch to an unproven, untested business model that might be better."

Not to mention the fact the industry has millions (billions?) of dollars and countless labor hours invested in their existing software. Their very rational business model (and prices we have been paying) are based on their being able to use that existing product for several years with only minor tweaks and updates to the signature files. The current threat would suggest that no matter what technique the AV industry develops, its practical lifespan is probably measured in months rather than years. In turn, that means the cost to both the commercial and individual consumer for malware protection may increase dramatically, perhaps by as much as an order of magnitude.
Posted By: tacit Re: Outmaneuvered at Their Own Game - 01/07/13 09:31 PM
I don't think that the consumer is ever going to be protected with the current way of doing things. Endpoint protection--relying on antivirus vendors to make effective programs and relying on consumers to put AV software on their machines--just plain doesn't work. That model is broken.

I do think it is possible to stage effective defense against malware, but doing so will likely not happen soon because it moves the cost from the consumer onto other bodies who don't want to give up profits.

One effective strategy is to call on broadband providers to become more proactive. They can do this in a number of ways: monitoring for malware command and control traffic and disrupting it, monitoring endpoints (consumers) for signs of malware infection and notifying those users, monitoring for rogue servers on their network (a lot of malware will install Web or file servers on infected computers) and cutting them off.

Some broadband providers, like Comcast, already monitor for (some) signs of virus infection. One of my roommates recently had her computer compromised and Comcast sent us an email.

But they generally don't look for signs of malware and botnet command and control traffic flowing over their pipes. If they did, they could disrupt that traffic and paralyze botnets, but it would cost money. Broadband providers already complain about how much it costs for them to do business; Comcast, for example, is struggling along with a measly 900% profit margin in consumer broadband, and doesn't want to spend more money helping to break up botnets. From their perspective, disrupting botnets is all cost, no benefit.

ISPs can also play a role, by doing more to take down malware droppers, secure their networks, and shut down malware C&C servers. But again, the same economics apply. An ISP that shuts down servers loses money. Worse, they have to pay money (in the form of salaries for security and abuse teams) for the privilege of losing money. From the point of view of management, a security or an abuse employee is someone they pay to make the ISP lose money. I have contacted many, many ISPs--including large, profitable, supposedly "reputable" ISPs like GoDaddy, Rackspace, and Softlayer--to notify them of malware droppers, malware forums, and hacked Web sites, only to have them turn a blind eye. They have no economic incentive to stop malware and plenty of economic incentive not to. Bluntly: They profit by having this crap on their networks.

Another key part of the puzzle is merchant banks. Some malware, like fake antivirus scareware and ransomware, works by taking over a computer and then either warning about fake "viruses" or by encrypting files on the user's computer, and then demanding payment to remove the fake "viruses" or to give the user back his files. These malware programs are usually written by Eastern European organized crime, and they demand payment by credit card. Most US banks won't do business with them, but it's usually not too hard to find folks who will. Panda Security estimates that one organized crime gang in Russia averages about $34,000,000 per month in profits from fake AV scams. When their US-based credit card processor finally cut them off, they picked up an overseas credit card processor quickly. What bank wouldn't turn a blind eye in exchange for ten percent of $34 million a month?

Another bit of the puzzle is international law enforcement. Often, we know exactly who the miscreants are; they brag openly on their Web sites about the malware they've written. Russian law does not forbid writing malware, as long as it isn't released in Russia. Why would they? It brings tons of money into the struggling Russian economy. No extradition treaties exist between Russia and the United States. Leo Kuvayev, aka "Badcow," has been wanted on US warrants for malware distribution and computer hacking for YEARS, and has lived freely in Russia, running a huge spam gang and bragging about the malware he'd written, raking in money from bank-password-stealing Trojans and botnets. It wasn't until he got involved with processing payments for child porn operators that the Russians finally arrested him.

So as it stands right now, the criminals operate openly and with complete impunity from Eastern Europe. The banks that the criminals use to process transactions and hide money willingly do business with them, because the amounts of money in malware are staggeringly large. ISPs and broadband providers tolerate a certain amount of malicious activity on their networks, turning a blind eye to malware traffic, malware distributors, and malware command and control servers, because they don't want to bear the brunt of the cost of fighting them. Only if a problem becomes big enough not to ignore do they get involved, and sometimes then only reluctantly. (psychz.net, an American ISP founded by Russian expats, openly hosts spammers and malware droppers, and its peers won't cut it off because it's a lucrative revenue stream.) And through it all, the only thing everyone will say is "Users should run antivirus programs."
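Two of the provider-side checks tacit lists above (spotting periodic command-and-control beaconing, and spotting a subscriber machine that has quietly started serving inbound connections) as an added toy example run over constructed flow records; this is not code from the thread, and the address ranges, thresholds and record layout are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (time_s, src_ip, dst_ip, dst_port).
# 10.0.0.0/24 plays the subscriber side; everything else is "the internet".
SUBSCRIBER_NET = "10.0.0."
FLOWS = [
    # 10.0.0.5 checks in with 203.0.113.7:8080 about every 60 s (beacon pattern)
    (300, "10.0.0.5", "203.0.113.7", 8080), (360, "10.0.0.5", "203.0.113.7", 8080),
    (421, "10.0.0.5", "203.0.113.7", 8080), (480, "10.0.0.5", "203.0.113.7", 8080),
    (539, "10.0.0.5", "203.0.113.7", 8080),
    # 10.0.0.9 browses normally: different hosts, irregular timing
    (310, "10.0.0.9", "198.51.100.20", 443), (333, "10.0.0.9", "198.51.100.21", 443),
    (400, "10.0.0.9", "198.51.100.20", 443), (700, "10.0.0.9", "198.51.100.22", 80),
    # outside hosts connect *in* to 10.0.0.5 on port 80: it is now serving something
    (600, "198.51.100.1", "10.0.0.5", 80), (601, "198.51.100.2", "10.0.0.5", 80),
    (602, "198.51.100.3", "10.0.0.5", 80), (610, "198.51.100.4", "10.0.0.5", 80),
    # a single inbound hit on 10.0.0.9 is not enough to call it a server
    (650, "198.51.100.9", "10.0.0.9", 80),
]

def is_subscriber(ip):
    return ip.startswith(SUBSCRIBER_NET)

def beaconing_hosts(flows, min_conns=4, max_jitter=0.1):
    """Subscriber hosts whose outbound connections to one dst:port recur at a
    nearly fixed interval (std dev / mean of the gaps <= max_jitter).
    Returns {(src, dst, port): mean_gap_seconds}."""
    times = defaultdict(list)
    for t, src, dst, port in flows:
        if is_subscriber(src) and not is_subscriber(dst):
            times[(src, dst, port)].append(t)
    hits = {}
    for key, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits[key] = round(mean(gaps))
    return hits

def rogue_servers(flows, server_ports=(80, 443, 21, 25), min_peers=3):
    """Subscriber hosts accepting inbound connections on server ports from at
    least min_peers distinct outside addresses. Returns {(host, port): peers}."""
    peers = defaultdict(set)
    for _, src, dst, port in flows:
        if is_subscriber(dst) and not is_subscriber(src) and port in server_ports:
            peers[(dst, port)].add(src)
    return {k: len(v) for k, v in peers.items() if len(v) >= min_peers}
```

On real flow data the jitter threshold and peer count would be tuned per network, and a hit is a reason to notify the subscriber, not proof of infection.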
Posted By: jchuzi Re: Outmaneuvered at Their Own Game - 01/11/13 09:23 PM
Although this thread is not about Java, the following article is definitely related to security: Zero-day flaw prompts Apple to block Java 7 from OS X.
Posted By: jchuzi Re: Outmaneuvered at Their Own Game - 01/13/13 09:46 AM
Oracle's fix for zero-day Java flaw to be available 'shortly'. And the check is in the mail?...
Posted By: artie505 Re: Outmaneuvered at Their Own Game - 01/13/13 10:07 AM
I posted it yesterday...from Nigeria.
© FineTunedMac