First published: 26th November 2012
The city of Hangzhou, China, was the venue of the 15th annual conference of the Anti-Virus Asia Researchers Association (AVAR) on the 13th and 14th of November. Hangzhou is the capital of Zhejiang province, has a population of about 7 million and is famed for the beautiful West Lake area.
Mobile malware, and, in particular, Android malware, was covered by several speakers. Andreas Marx and Maik Morgenstern described the approach of AV-TEST to testing and certifying Android security products. They first described the problems with existing tests, and took a user-centric view of how they would evaluate the products. This leads to consideration of peripheral criteria, such as the effect of the security application on battery life, and remote lock or wipe features, that are not tested on other, static platforms. They plan to test twenty to thirty of the most common Android security applications every two months, and to continually improve their testing.
Zhang Jian reported on the situation in China, as seen from the National Computer Virus Emergency Response Centre and Computer Anti-Virus Products Testing Centre. Most of the respondents to an online survey of 196 million users were using anti-virus software (85%) and a firewall (78%), but still 68% witnessed security issues, often related to vulnerabilities or lack of proper password or access control. Malware transmission was mainly by online, mobile or email channels. In a survey of over 7000 Government websites, 29% were found to have security holes.
Dennis Batchelder explained how a healthy anti-virus ecosystem was important to Microsoft. The Microsoft Malware Protection Center (MMPC) uses four metrics to evaluate their performance: False Negative Impact; Time To Protect; Actives Per Month (systems where an infection had to be removed); and Fast Sourced (the percentage of samples Microsoft collected itself, as opposed to received from their anti-virus partners). The MMPC strategy to protect their brand is to ensure all systems using Microsoft's products are protected (though not necessarily by a Microsoft product); to disrupt the malware ecosystem by reducing the reach and time to live of malware, making it difficult for criminals to get a return on their investment; and to encourage, paradoxically, diversity, unity and value in the anti-virus ecosystem. Diversity means no monoculture of anti-virus products, thus increasing the difficulty of creating effective malware. Unity means cooperation within the anti-virus industry. Value means users being happy to pay for the protection they get from anti-virus products.
Igor Muttik and Mark Kennedy introduced the IEEE Software Taggant System. This industry-cooperation system addresses the problem of the high volume of obfuscated malware by allowing software packer vendors to mark their product's output with license-specific markers. Then, if a license is found to be used for packing malware, it can be blacklisted and anti-virus products can block accordingly. False positives on packed software are eliminated, and packer vendors can continue to sell their products to legitimate users. Only malware authors lose out, when they find their expensive (or pirated) packing software quickly gets blacklisted.
Aleksandr Matrosov and Eugene Rodionov won the Best Speaker award for their technical analysis of the Festi botnet. Festi is one of the most powerful botnets for sending spam and performing DDoS attacks, and it has striking features that distinguish it from other malware with similar functionality.
Sometimes it seems that there is a lot of low-end activity, compromising end-user machines for botnets or tricking users into installing fake anti-virus products, and some very high-profile, military-grade attacks like Stuxnet, Duqu, Flamer and Gauss. Righard Zwienenberg reminded us of the middle range, with a case study of Medre.A and industrial espionage. ACAD/Medre.A is a worm written in AutoLISP, a programming language used in AutoCAD, the popular Computer-Aided Design software. ESET's malware collection system detected an outbreak of the malware in Peru, and investigation showed that it was stealing designs from infected systems and emailing them to accounts in China. In a demonstration of effective cooperation, ESET contacted Tencent, the ISP for the destination addresses, the Chinese National Computer Virus Emergency Response Center (CVERC) and AutoCAD. The accounts were swiftly blocked and a free stand-alone cleaner was made available.
Checking that a Windows executable is signed gives assurance that we know which company created the program, and that it has not been modified after it was signed. Unfortunately, Igor Glücksmann reported on flaws in the Windows Authenticode Portable Executable Signature Format that allow modified executables to execute an arbitrary payload without invalidating the signature. Microsoft has issued a partial fix (MS12-024), but the underlying design fault remains, and it is an important reminder that there is more to security design than adding a signature.
Other presentations covered rootkits, the implications of IPv6 and IDNs, Windows 8 and social network exploits.
The panel discussions reflected the hot topics: mobile malware, false positive reduction, advanced persistent threats and user issues.
The Gala Dinner featured Chinese entertainment: drumming, dancing and singing. After the conference, a bus tour took some of the participants to the highlights of the West Lake area.