Former anti-virus researcher turns tables on industry

A security researcher shunned by the anti-virus community for violating its unwritten rules has attempted to turn the tables, erecting a Web service that virus writers could use to make their creations more stealthy and undetectable for longer periods of time.

At issue is a new site called avtracker.info, which aims to keep tabs on the different automated analysis services used by the security industry, such as Virustotal, ThreatExpert, and Norman Sandbox.

Researchers who unearth new malicious code samples often submit them to these services to learn more about how the malware behaves and to see whether the samples are currently detected by anti-virus products. The results of each scan are shared broadly within the security industry, allowing anti-virus makers that don't detect the malware to incorporate detection for it in future updates that are pushed out to customer PCs.

Enter AV Tracker. Armed with up-to-date information about these automated scanning services, malware writers could instruct their creations to quit loading or destroy themselves if they detect they are being downloaded by one of these services.

Austrian hacker Peter Kleissner told Security Fix he created AV Tracker. Kleissner is a young man who many in the community came to know only in August when he spoke at the annual Black Hat security conference in Las Vegas. In his talk, the 18-year-old detailed and released a tool called a "bootkit," which makes it possible for malicious software to compromise a Microsoft Windows PC at a fundamental level (before the operating system even boots up, hence the name).

At the time, Kleissner was employed by Ikarus Software, an Austrian anti-virus firm where he had worked for the previous 14 months. Kleissner said a number of people had complained that his publishing of the bootkit instructions was not in keeping with the company's goal of helping Internet users stay safe online, and that as a result Ikarus asked him to resign. Ikarus did not respond to requests for comment.

Two weeks later, Kleissner found himself exiled from "Incidents & Insights," one of several invite-only security mailing lists maintained by members of the research community. Ken Dunham, the administrator of that list and director of global response for security firm iSight Partners, declined to comment for this story. But according to information shared with Security Fix, Dunham evicted Kleissner from the list after the latter disclosed he had hacked an Internet kiosk in a Zurich airport on his way home from Black Hat.

Last week, Vitaly Kamluk, director of research at Russian anti-virus giant Kaspersky Lab, took aim at Kleissner for the service. In a simmering blog post titled "A Black Hat Loses Control," Kamluk noted that Kleissner sent Kaspersky and other anti-virus makers and malware scanning partners a sample program designed to harvest the Internet addresses of their scanning machines.

Kamluk said the sample Kleissner submitted also included a taunting message that suggested that Kleissner was working with one of the world's most notorious malware writing gangs. Kamluk also lambasted Kleissner for suggesting that malware writers could use the address information in AV Tracker to attack the malware scanning services.

In an interview with Security Fix, Kleissner acknowledged he was upset at being ostracized by the anti-virus community. But he said he is not working with malware gangs and that his Easter egg message to the anti-virus industry was little more than a joke.

"I'm always doing computer research stuff, and people can use my knowledge or not, but I won't stop publishing things," Kleissner said.

In some sense, what AV Tracker is attempting to do typifies the type of back and forth battle that has been ongoing between the anti-virus industry and malware writers for many years. Entire families of malware will prevent users of infected PCs from visiting security Web sites and forums that offer to help people clean their machines. In addition, many families of malicious software simply won't run if they detect they're being executed inside of analysis tools commonly used by anti-virus researchers.

Some security experts in the anti-virus community are dismissing AV Tracker as a publicity stunt, while others wonder what all the fuss is about.

"I've always assumed virus writers were doing this all along," said Dmitri Alperovitch, vice president of threat research at McAfee. "That's why I'm not shocked by this."

But Richard J. Zwienenberg, chief research officer at Norman ASA, a Norwegian security firm that operates the malware analyzing service Norman Sandbox, suggested that services like AV Tracker - to the extent that they accurately track up-to-the-minute Internet addresses used by online malware analysis sites - could pose a problem for some security technologies.

"In general of course AV Tracker is not the best thing that can happen. [Whether] it is a big concern depends on the way the malware authors start to use it, and how the products targeted are set up," Zwienenberg said. "If your in-the-cloud solution is based on a single [Internet address] or a small range of [addresses], then you may have a problem if your security is depending on this. Given the open nature of the Internet, events as av-tracker.info are inevitable."

Julio Canto, project manager at virustotal.com, a malware scanning service based in Spain that runs all submitted malware samples through more than three dozen anti-virus scanners, said he's not too concerned about Kleissner's new project. At least not yet: According to Canto, several of the Internet addresses listed on AV Tracker are merely the outward-facing addresses assigned to malware scanning services, or are incorrect entirely.

"It is quite a simplistic point of view assuming that anti-virus vendors or other entities will use static Internet addresses for checking incoming samples," Canto said.

Still, he said, a more comprehensive and timely list of addresses at AV Tracker could become a thorn in the side of the security industry if broadly adopted by malicious software makers.

"If malware writers would start with this kind of stuff, there would be an arms race -- with one side doing blacklisting and the other side moving to fast-replaced Internet ranges and so on, or simply checking from multiple Internet addresses at one time," Canto said. "Unfortunately, I think that is just a drop of water in an ocean of smart people turning to the dark side."

For his part, Kleissner denied he has somehow turned to "the dark side."

"I have done lots and lots of research and helped other anti-virus vendors, and I'm always open for anything," he said. "I won't make a difference between black hats and AV companies. To me it's not good or bad, it's just technology."

By Brian Krebs  |  October 27, 2009; 7:45 PM ET
Categories:  From the Bunker  | Tags: avtracker.info, peter kleissner  

Comments

"iSight Partners" well done :-)

Anyone who fires a researcher for advancing the state of security needs to re-evaluate their goals as a company.

It goes to show that companies like this care more about keeping their customers ignorant than actually taking the time to fix the real problems that are already out in the wild.

Posted by: osiuerer | October 27, 2009 9:51 PM

What a messy business. This can't remain part of our everyday lives. A question: where does one submit a Linux ELF or Mach-O binary for inspection? ;)

Posted by: Rixstep | October 28, 2009 3:11 AM

Please note that contrary to this publication, "Anubis" is not maintained by iSIGHT Partners but by Secure Business Austria and developed by the International Secure Systems Lab. More information on their site: http://anubis.iseclab.org/?action=about.

Posted by: Joep_ | October 28, 2009 7:48 AM

"To me it's not good or bad, it's just technology."

Nothing really new or, even more, "innovating",
in this type of Weltanschauung:
others have claimed and acted in the very same way in the past,
and the results are more or less known and taught to people,
from the very early... school years:
the development and use of mass destruction weapons,
against unsuspecting innocent people...

Under the same logic,
why not just gradually hack and take over the whole net,
e.g. hospitals, government organizations, army facilities etc.,
and then publish a detailed paper
about how insecure TCP/IP is in its fundamentals, heh...
The world economy might collapse as a side effect,
but then - when everything starts back from zero point,
it will be "safer", isn't it so?
Doh, enough with these nihilistic and pseudo-"innovative" ideas
regarding "technologic advances" and security - let's grow up...

"I won't make a difference between black hats and AV companies."

...really? You should tell that to victimized end-users
who lost their money and private data
to malware that sneaked into their machines...
If no difference supposedly exists for you,
then you shouldn't be working in AV companies - simple as that.

Kinda like saying... I'm neither with the US Army
nor with Iraqi guerrillas.
Nor with a neutral and peace-friendly side though:
I develop guns (not bad or good, just "technology"),
and sell them to anyone that pays me well enough...

Posted by: zomg | October 28, 2009 10:48 AM

Perhaps he should use his talents to come up with a way to PREVENT the spread of malware instead of just helping them...

Just a thought...

Other than that, I don't fault him for taking a purely neutral stance on the subject..

Posted by: ProveMeWrong | October 28, 2009 11:51 AM

Everyone should have a copy of Malwarebytes downloaded, and run it periodically to get updates. Once you get one of the scareware infestations it can be almost impossible to go to any sites that may be of help.

Posted by: tojo45 | October 28, 2009 12:30 PM

Hi, Brian. Ref comment above regarding Malwarebytes. It's not free and I'd like to hear your take on that application. Thanks and keep the good stuff coming.

Posted by: VeronaItaly | October 28, 2009 3:50 PM

I'm not Brian, but Malwarebytes is free at
http://www.malwarebytes.org/mbam.php

Posted by: JkR- | October 28, 2009 4:51 PM

And, I should add that it is, IMHO, the current best of breed, along with Super AntiSpyware. Best used for cleanup scans, not as a constant defense.

Your mileage may vary.

Posted by: JkR- | October 28, 2009 4:58 PM

Brian lists his thoughts about it here:

http://voices.washingtonpost.com/securityfix/2009/09/what_to_do_when_rogue_anti-vir.html

Quote: "...download and install one (or both) of the following tools: Malwarebytes' Antimalware, and Superantispyware. I've found that these programs are almost always able to root out invaders left behind by scareware attacks."

Posted by: JkR- | October 28, 2009 5:02 PM

"To me it's not good or bad, it's just technology."

I'm sure the makers of the original nuclear weapon said the same thing.

The guy's just 18 years old, so I understand where he's coming from. Maybe if he were ever to see the real-life effects of how his "research" may destroy the life of some poor techno-illiterate unfortunate enough to get "bootkitted", he may reconsider. Although, on second thought, he may not. Sociopaths do exist in the real world.

Posted by: red_gti2000 | October 28, 2009 5:39 PM

@osiuerer:

So, this alleged human being is fired by his firm. This means he's entitled to wreak havoc (or attempt to wreak havoc) on people all over the world, because his feelings have been hurt? His actions AND your defense are narcissistic in the extreme. Even if someone feels entitled to revenge, retribution, or redress, it needs to be proportional.
Herrchen Kleissner is a rotter.

Posted by: featheredge99 | October 28, 2009 8:17 PM

This trend is not limited to the AV industry. Many companies these days will censor employees' freedom of speech or their outside activities if they think said speech or activities will negatively impact their corporate image. The First Amendment does not protect any US citizen from being censored by a private organization or company. Such censorship and other forms of intimidation such as termination of employment are insidious and border on authoritarianism. People want organizations to be responsible entities, not irresponsible entities with an appearance of responsibility. Part of the problem here is money. When a lot of money is at stake, people will harm others to preserve their jobs and income. It doesn't matter that their customers are harmed indirectly in the process, but their customers may never find out because the problem is hushed up or the employee is silenced by threat or intimidation, even if the matter is trivial.

Speaking specifically about AV companies though, AV companies make a lot of money and their adversaries are ephemeral and transnational, making them almost impossible to stop. Consequently, both sides play a cat and mouse game where each benefits, but the customers/victims lose. It is not to the economic benefit of either the AV vendors or the malware vendors to make a product that absolutely protects or destroys a customer's or a victim's business. Total effective protection or destruction hurts the cumulative lifetime profits of both parties. Unfortunately, everyone else is caught in the middle of this duel and is forced to pay for it.

Speaking specifically about this incident though, every guard dog owner gets bit by their guard dog from time to time, so why the surprise and overreaction by the "owner"? When an IT Security industry insider speaks up or shows that things have not really changed significantly as far as IT Security is concerned, people either ignore it, downplay the significance of it, or hush it up through threat or intimidation rather than fix the underlying problem. Look at Dan Geer (http://en.wikipedia.org/wiki/Dan_Geer) as an example. He spoke truth to power. He did nothing other than state what everyone knew and got fired for it. So, is anyone surprised that this incident due to another professional's research happened or that such bad behavior by a company or industry is condoned? Until the underlying economic incentives are changed, such bad behavior by companies will continue and such practices will be encouraged, and we all will suffer as a result.

Posted by: jbmoore61 | October 30, 2009 12:54 PM