Showing posts with label anti-virus. Show all posts

Monday, December 15, 2014

All malware defeats 90% of defenses

When the FBI speaks, you can tell they don't know anything about hacking. Take this quote from Joseph Demarest, the assistant director of the FBI's cyberdivision:

"The malware that was used would have slipped, probably would have gotten past 90% of the net defenses that are out there today in private industry, and I would challenge to even say government."

He's trying to show how sophisticated, organized, and unprecedented the hackers were.

This is nonsense. All malware defeats 90% of defenses. Hackers need do nothing terribly sophisticated in order to do what they did to Sony.

Take, for example, a pentest we did of a Fortune 500 financial firm. We had some USB drives made with the logo of the corporation we were pen-testing. We grabbed a flash game off the Internet, changed the graphics so that they were punching the logo of their main competitor, and put text in the Final Score screen suggesting "email this to your friends and see what they get". We then added some malware components to it. We then dropped the USB drives in the parking lot.

This gave us everything in the company as people passed the game around. The CEO and many high-level executives ran it on their machines. Sysadmins ran it. Once we got control of the central domain controller, we got access to everything: all files, all emails, ... everything.

The point I'm trying to make here is that we used relatively unsophisticated means to hack an extremely secure company. Crafting malware to get past their anti-virus defenses is trivially easy. Everything we did was easy.

The problem isn't that hackers are sophisticated but that companies are insecure. Companies believe that anti-virus stops viruses when it doesn't, for example. The FBI perpetuates this myth, claiming the Sony hackers were sophisticated, able to get around anti-virus, when the truth is that Sony relied too much on anti-virus, so even teenagers could get around it.

The FBI perpetuates these myths because they want power. If the problem is sophisticated hackers, then there is nothing you can do to stop them. You are then helpless to defend yourself, so you need the FBI to defend you. Conversely, if the problem is crappy defense, then you can defend yourself by fixing your defenses.



Update: Here is a previous post where I add a Metasploit exploit to a PDF containing a legal brief that gets past anti-virus.



Saturday, October 26, 2013

Third Circuit Court giggle

Yet again we have an example of how the judicial system treats hacking like witchcraft. Lawyers submitting briefs to the court are required to have (the hacking equivalent of) a Catholic priest sprinkle Holy Water on the document to exorcise any demons or curses.

Thursday, August 06, 2009

Astroturfing AV: When the wolves guard the hen house

Like any typical morning, I woke up, picked up my iPhone, fired up a Twitter app and prepared to be educated about current happenings in the world. I was initially bored when I stumbled across a blog post on the Kaspersky Lab-sponsored site "threatpost" entitled "Some Researchers Lack Basic Ethics". I assumed that I would read another generic article about AV researchers selling warez to the Russian Mafia or something truly nefarious along those same lines. Instead I was treated to a thinly disguised PR talking point by a Kaspersky researcher, Roel Schouwenberg. The central theme of Schouwenberg's post was the vilification of ethics-lacking researchers who demonstrate how easily an attacker can evade signature-based AV systems.

The evil ethics-lacking incident drawing the ire of Schouwenberg is a University of Michigan project, Polypack. The Polypack Project is a website that demonstrates how Crimeware-as-a-Service (a generic term for anyone who creates malware for a system) works, using a specific detected malware sample that the user uploads to the site. To quote Schouwenberg:
“The idea behind the site is that people can upload (detected) malware files and make them undetected by as many anti-virus products as possible.”

Being able to tell how easily a malware sample can be made undetectable by various AV products... could you think of anything worse for an AV salesperson?

I visualize how this conversation went down: a Kaspersky sales guy didn't make his anti-virus product sales numbers and blamed it on the Polypack Project. Without further questioning, the PR people immediately dispatched a researcher to debunk the accuracy and validity of this project. You can tell this isn't an earnest effort by Schouwenberg to educate the reader: at no point does Schouwenberg provide a link to the project so that readers can review it and decide for themselves. Schouwenberg and the PR people are banking on the laziness of their readers.

The Polypack Project can be found here with the research paper here. Contrary to the claims of PR people at an AV sales company, I think this project is a good piece of engineering and evaluation of a failing technology. Through this project, a user can determine which AV system fails to detect the largest number of malware samples (aka viruses). In turn, a large company can spend less money, time, and resources deploying a high-priced signature-based AV system if they know it has the most holes. Hrm, why is Kaspersky afraid of this sort of open testing? The crowning jewel of Schouwenberg's post is when he cites numbers for how many samples are received and analyzed in a day. He makes the numbers sound almost overwhelming and intends to convey the message that "we can't protect you from the bad guys if we have to spend time handling shortcomings in our engine pointed out by projects like this". Schouwenberg fails to point out that technology like the Polypack Project is useless to criminals, as criminals have their own tools for this type of testing.

Unfortunately for Kaspersky (and other AV sales companies), projects such as the Polypack Project highlight the fallacy that signature-based AV products can protect anything other than sales numbers. Could you imagine a slightly different scenario: "Cigarette company employee states that research into the tobacco/cancer link is unethical?"
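The reason projects like Polypack embarrass signature-based products is mechanical, not clever. The following is an added illustration written for this page (it is not code from the Polypack Project, Kaspersky, or this blog): a toy scanner with the two static signature types such engines ship, an exact-file hash and a byte pattern, run against a constructed sample before and after a trivial "packer" (here just zlib compression behind a marker prefix; a real packer also prepends an unpacking stub, which is omitted). The sample bytes, marker string and `PACKED:` prefix are all constructed for the demo. The point it shows from the defender's side is that a static signature is only as good as the bytes the scanner actually sees, which is why engines have to bolt unpacking and emulation layers on top of signatures, and why a packed-sample count is a fair benchmark of them.

```python
import hashlib
import zlib

# Constructed stand-in for a "detected" sample: fake header, a distinctive
# marker, and filler. Nothing here is real malware; only the marker matters.
SAMPLE = b"MZ\x90\x00" + b"DEMO-MARKER-2009" + b"filler " * 40

# The two static signature types a signature-based engine typically ships.
HASH_SIG = hashlib.sha256(SAMPLE).hexdigest()   # exact-file hash
PATTERN_SIG = b"DEMO-MARKER-2009"               # byte pattern


def matches_hash(data: bytes) -> bool:
    """Exact-hash signature: any single-byte change breaks it."""
    return hashlib.sha256(data).hexdigest() == HASH_SIG


def matches_pattern(data: bytes) -> bool:
    """Byte-pattern signature: survives edits elsewhere in the file, but
    only if the scanner sees the bytes in their original form."""
    return PATTERN_SIG in data


def pack(data: bytes) -> bytes:
    """Toy packer (constructed for the demo): compress the body behind a
    marker prefix. A real packer prepends an unpacking stub; it is omitted
    because only the effect on static matching is being shown."""
    return b"PACKED:" + zlib.compress(data)


def scan_static(data: bytes) -> dict:
    """What a raw-bytes signature scan sees."""
    return {"hash": matches_hash(data), "pattern": matches_pattern(data)}


def scan_with_unpacking(data: bytes) -> dict:
    """Layered scan: recognise the packer, unpack, then apply the same
    signatures to the recovered body. Real engines generalise this with
    generic unpackers and emulation, which is where the arms race lives."""
    body = data
    if data.startswith(b"PACKED:"):
        body = zlib.decompress(data[len(b"PACKED:"):])
    return scan_static(body)


if __name__ == "__main__":
    print("original      :", scan_static(SAMPLE))
    print("one byte added:", scan_static(SAMPLE + b"\x00"))
    print("packed, static:", scan_static(pack(SAMPLE)))
    print("packed, unpack:", scan_with_unpacking(pack(SAMPLE)))
```

Run as a script it prints four result lines: the original trips both signatures, appending a single byte defeats the hash but not the pattern, the packed copy defeats both under a raw scan, and the same packed copy is caught once the scanner unpacks before matching. The last step is the only one that requires the vendor to know the packer, which is exactly the knowledge a site that measures detection across packers is pressuring them to acquire.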

Monday, May 21, 2007

Life imitating art?

That is interesting. Not so long ago Rob and I spoke at Microsoft's BlueHat conference about a variety of topics under the heading of "Breaking and Breaking into Microsoft Security Tools". One of the sections covered how easy it is to reverse an anti-virus tool's rule set and modify it, and concluded with a live demo of a popular tool causing a Windows XP SP2 machine to crash.

I open my RSS reader this morning and b00m, Whitedust has an article about something similar happening in China. It may not have been malicious but it still shows something that Rob and I have been talking about for years: security problems exist because code has gotten so complex it's hard to get right. The solution for this is not layering more complex code on top of the already broken code and hoping the dam holds.

A leading industry analyst I know said "it's amusing that since Blaster, we've had bigger outages from bad AV signatures on most major products than the viruses themselves". Can anybody else see the sun setting on these products?

UPDATE: Infoworld is also running a story on it.
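The outages the analyst is talking about have a simple mechanism: a byte-pattern signature is cut from a malware sample, the chosen bytes happen to be compiler or runtime boilerplate that legitimate system files share, and the product then quarantines or breaks the operating system it is meant to protect. The following is an added example written for this page (not code from any AV vendor or from this blog) showing the vetting step that prevents that: every candidate pattern is checked against a corpus of known-good files before it ships. The corpus, the file names and the "malicious" sample are all constructed for the demo; they are not real binaries.

```python
# Constructed corpus of "known-good" files standing in for OS system files.
# Names are hypothetical and the contents are demo bytes, not real binaries.
GOODWARE = {
    "sysfile_a.dll": b"MZ\x90\x00" + b"common-runtime-init " * 8 + b"EXPORT TABLE",
    "sysfile_b.dll": b"MZ\x90\x00" + b"common-runtime-init " * 8 + b"OTHER STUFF",
    "tool.exe": b"MZ\x90\x00" + b"unrelated code here " * 8,
}

# Constructed "malicious" sample. Like real malware it shares its prologue
# (runtime boilerplate) with legitimate software; only the tail is its own.
MALICIOUS = b"MZ\x90\x00" + b"common-runtime-init " * 8 + b"DEMO-BAD-ROUTINE"


def candidate_signatures(sample: bytes, length: int = 16, step: int = 8):
    """Yield (offset, pattern) for fixed-length byte windows of the sample,
    in file order. The naive choice is simply the first window."""
    for off in range(0, len(sample) - length + 1, step):
        yield off, sample[off:off + length]


def vet_signature(sig: bytes, goodware: dict) -> list:
    """Names of known-good files the candidate would flag, i.e. the false
    positives it would ship with. An empty list means it is safe to use."""
    return [name for name, data in goodware.items() if sig in data]


def choose_signature(sample: bytes, goodware: dict, length: int = 16):
    """Pick the first candidate that matches the sample and none of the
    goodware corpus. Returns (offset, pattern), or None when every window
    is shared with legitimate files and the sample needs a different
    detection approach than a byte pattern."""
    for off, sig in candidate_signatures(sample, length):
        if not vet_signature(sig, goodware):
            return off, sig
    return None


if __name__ == "__main__":
    naive = MALICIOUS[:16]
    print("naive signature hits goodware:", vet_signature(naive, GOODWARE))
    print("vetted signature:", choose_signature(MALICIOUS, GOODWARE))
```

The naive signature (the first 16 bytes of the sample) matches two of the three "system files" and would have produced exactly the kind of outage described above; the vetted one is taken from the sample's own tail and hits nothing in the corpus. The size and freshness of the goodware corpus is the whole game here: a vendor that does not keep copies of the files its customers actually run cannot perform this check, no matter how fast its signature pipeline is.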