Chapter 10 - PowerPoint Presentation

pasty-toler (@pasty-toler)
Uploaded On 2016-03-25




Presentation Transcript

Slide1

Chapter 10

People and Communities

Slide2

Malware Authors

“... [virus writers] have a chronic lack of girlfriends, are usually socially inadequate and are drawn compulsively to write self-replicating codes.” --- Jan Hruska, Sophos

Little is known about malware writers

Why?

Slide3

Malware Authors: Who?

Stereotype: 16 year old male living in his parents’ basement in Norway

Also college students, professionals,…

“gender differences in moral development may partially explain the lack of females”

Many virus writers “grow out of it”

Among malware writers

General distaste for destructive code

Slide4

Malware Authors: Who?

Technical skill of virus writers?

AV community thinks little of virus writers’ skills

Skill level has probably improved since the book was written

Why?

Slide5

Malware Authors: Why?

Many possible reasons

Fascination with technology --- create software to outwit AV people (game)

Fame --- among malware writers

Graffiti --- “form of expression”

Revenge --- disgruntled employee, etc.

Ideology --- hard to assess, but perhaps Code Red is an example

Slide6

Malware Authors: Why?

Commercial sabotage --- e.g., attack to reduce company’s stock price

Extortion --- e.g., cryptovirology

Warfare and espionage --- info warfare, cyberterrorism

Malware battles --- for example, Mydoom/Netsky/Bagle in 2004

60 variants in 3 months, “attacked” each other

Commercial gain --- writers paid for their work, e.g., botnets for spam

Slide7

Malware Authors: Why?

Author says the graffiti angle is interesting and “deserves further research”

What do you think?

Virus writing as a glorified prank?

Maybe true in the past

Probably not so much today

Now there is more of a profit motive

Slide8

AV Community

Like virus writers, not a lot is written about AV people either

Seems to me…

They’re just ordinary geeks

Like everybody else you know

Slide9

Perceptions

Conspiracy theory

AV people write/plant malware

No evidence to support this and…

…lots of evidence to contrary

Effort spent on “unknown” malware

Way more malware than “necessary”, etc.

AV people do need to keep up

Research, study VX sites, etc.

Slide10

Another Day in Paradise

AV workday is long

“80 hour work week is not uncommon”

Sounds like Silicon Valley to me…

AV company maintains

Databases of malware and goodware

Suspicious file arrives from honeypot, customer, or other source

File first compared to both databases

If not in either, analyze it

Slide11

Another Day in Paradise

If file is malware…

Update signatures, AV software, databases

Distribute updates
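The triage loop on these two slides (compare an incoming file against both the malware and the goodware databases, analyze only what is in neither, then queue new hashes and signatures for distribution), written out as an added Python example. This is not code from the slides or the textbook; the databases, the byte-pattern signatures and the file contents are constructed for illustration, and the check in add_signature that refuses a new signature firing on any known-good sample is the editor's addition, reflecting the “no false positives” demand discussed on the following slide.

```python
"""Hash-then-analyze triage loop for an AV back end (illustrative, constructed data)."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Signature:
    name: str
    pattern: bytes          # naive substring match; real engines use richer rules


@dataclass
class AVState:
    malware: dict = field(default_factory=dict)         # sha256 hex -> family name
    goodware: dict = field(default_factory=dict)        # sha256 hex -> sample bytes (kept for FP checks)
    signatures: list = field(default_factory=list)      # Signature objects applied to unknown files
    pending_update: list = field(default_factory=list)  # records to distribute on the next publish


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def lookup(state: AVState, data: bytes) -> str:
    """Step 1: compare the file against BOTH databases by exact hash."""
    h = sha256(data)
    in_bad, in_good = h in state.malware, h in state.goodware
    if in_bad and in_good:
        return "conflict"          # same hash in both lists: a data-quality bug to fix before acting
    if in_bad:
        return "known_malware"
    if in_good:
        return "known_good"
    return "unknown"


def analyze(state: AVState, data: bytes):
    """Step 2: only files in neither database are analyzed; here a static pattern scan."""
    for sig in state.signatures:
        if sig.pattern in data:
            return sig.name
    return None                    # nothing matched: hand to a human analyst


def add_signature(state: AVState, sig: Signature) -> bool:
    """Refuse a signature that would flag any known-good sample (a guaranteed false positive)."""
    if any(sig.pattern in good for good in state.goodware.values()):
        return False
    state.signatures.append(sig)
    state.pending_update.append(("signature", sig.name))
    return True


def process(state: AVState, data: bytes, source: str) -> str:
    """Full loop for one incoming file from a honeypot, customer, or other source."""
    verdict = lookup(state, data)
    if verdict != "unknown":
        return verdict
    family = analyze(state, data)
    if family is None:
        return "needs_manual_analysis"
    h = sha256(data)
    state.malware[h] = family                       # update the malware database
    state.pending_update.append(("hash", h, family, source))
    return f"new_malware:{family}"


def publish(state: AVState) -> list:
    """Step 3: ship the accumulated update and clear the queue."""
    update, state.pending_update = list(state.pending_update), []
    return update


def build_demo_state() -> AVState:
    """Constructed databases: one clean file, one known dropper, one worm signature."""
    s = AVState()
    clean = b"MZ clean util v1.0"
    s.goodware[sha256(clean)] = clean
    s.malware[sha256(b"MZ EVIL dropper")] = "Dropper.A"
    s.signatures.append(Signature("Worm.Demo", b"SPREAD_VIA_SMTP"))
    return s


if __name__ == "__main__":
    st = build_demo_state()
    for blob, src in [(b"MZ clean util v1.0", "customer"),
                      (b"MZ EVIL dropper", "honeypot"),
                      (b"MZ new sample SPREAD_VIA_SMTP payload", "honeypot"),
                      (b"MZ something else", "customer")]:
        print(src, "->", process(st, blob, src))
    print("bad signature accepted?", add_signature(st, Signature("BadSig", b"clean util")))
    print("update:", publish(st))
```

The goodware database is kept as content rather than hashes only so that a proposed signature can be scanned against it before release; a hash-only whitelist cannot answer “will this pattern hit something we know is clean?”, which is exactly the question behind the legal worries about false positives.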

AV employee workday is long

AV company workday is endless

Around-the-clock coverage

Offices in different time zones, continuous threat monitoring, etc., etc.

Slide12

Customer Demands

What do customers want?

100% detection with no false positives

What to detect? Malware and what?

Gray area detection --- “delicate issue”

Jokes and games

Cracking tools

Adware/Spyware

Remote administration tools (RATs)

Legal concerns wrt false positives

Slide13

Engineering

Malware can be classified as:

In the wild --- active in real world

In the zoo --- not active

WildList Organization

Much easier to only detect malware that is “in the wild”, i.e., active

Orders of magnitude less malware

So, is this a good idea for an AV company?

Slide14

Open Questions

Should AV software also:

Provide a firewall?

Provide content filtering?

Perform spam detection?

Apply software patches?

Other?

Slide15

Open Questions

AV people reverse engineer software

Is this legal?

Users may look at quarantined files

Could this violate privacy laws?

What about false positives?

AV software is almost universally used

So, if you don’t use it, could you be held legally negligent?