Are signatures the new mp3? How to fight the misuse of intellectual property
Are signatures the new mp3?
How to fight the misuse of intellectual property
Magnus Kalkuhl, Senior Virus Analyst
Global Research and Analysis Team, Germany
Kaspersky Lab International Press Tour “Cyberthreat Landscape 2009: Outcomes, Trends and Forecasts”, Moscow, January 28-31, 2010
Setting up an AV company in 2000
• Find valuable sources for new malware and become part of the AV social network
• Invest lots of money in fast and effective analysis and scan technologies
• Invest lots of money in initial research or hire trained analysts
• Establish worldwide distribution channels
Setting up an AV company in 2010
• Find a cheap server
• Find a cheap programmer
• Buy some AV scanners
• Ask your PR agency to announce your new product
Is it really that easy? Let's have a closer look
The power of AV comparison sites
• Virustotal, Jotti, etc.
• Entirely based on on-demand scanning
• Service helps many magazines and customers to decide whether a file is malicious or not
The power of AV comparison tests
• AV-Test.org: Performs paid comparison tests for major magazines all over the world
• AV comparatives: Regularly issues test results with proactive and on-demand comparisons being the most important ones
• Most tests are based on on-demand scanning
There are many ways to protect the user
Content filters (anti-spam, anti-phishing, URL advisor etc.)
Static detection (signature based)
Emulation of the program before it is executed
Behaviour-based detection while a program is running
Sandbox isolating software from the rest of the system
HIPS incl. application firewall preventing malicious actions and access
Kaspersky Security Network (real-time in-the-cloud detection)
On-demand detection is not the most important aspect for the user's security, but for his purchase decision
How to improve on-demand detection
• More aggressive heuristics → more false positives
• Investing more money into analysts, honeypots and analysis systems → very expensive
• Adding detection based on competitors' classifications → ...ethical?
Reusing expertise of other companies
• Level 1: OEM Partnership
• Level 2: Asking a competitor for samples
• Level 3: In-depth analysis of samples that were detected by a multiscanner
• Level 4: Simply adding detection based on multiscanner results, or even worse: extracting competitors' signatures directly from the signature update files
Real life example?
Source: http://malwarebytes.besttechie.net/2009/11/02/iobit-steals-malwarebytes-intellectual-property/
Real life example?
Source: http://blog.iobit.com/archives/tag/malwarebytes
Real life example?
Source: http://malwareresearchgroup.com/forum/viewtopic.php?f=7&t=159&p=509
Shortly after IObit was accused of plagiarism, their database shrank by 47.5%. According to this posting, this also affected their detection rate.
Similarities to the music industry
• Users don't care where it comes from as long as it works and costs little
• Every additional person using such a service means less money for real research
• As a consequence the companies which create/sell a product will have less money → lower quality for all
In-the-cloud AV will make things worse
• Setting up the infrastructure is cheap
• Using multiscanner detection ensures very high scan results
• Everything happens behind closed doors
What can be done about it?
• From a technical perspective: Not much, and superior heuristics won't help as long as people love on-demand scan comparisons with millions of samples
• By using “marker” signatures, it might be easier to detect theft of intellectual property
• Laws need to be updated in order to protect AV companies' IP better
Do you remember this picture?
• Experiment started by Computerbild magazine in 2009
Let's talk about it!
Senior Virus Analyst, Global Research and Analysis Team, Germany
Magnus Kalkuhl