Are signatures the new mp3? How to fight the misuse of intellectual property. Magnus Kalkuhl, Senior Virus Analyst Global Research and Analysis Team, Germany. Kaspersky Lab International Press Tour “Cyberthreat Landscape 2009: Outcomes, Trends and Forecasts”, Moscow, January 28-31, 2010.
Setting up an AV company in 2000
• Find valuable sources for new malware and become part of the AV social network
• Invest lots of money in fast and effective analysis and scan technologies
• Invest lots of money in initial research or hire trained analysts
• Establish worldwide distribution channels
Setting up an AV company in 2010
• Find a cheap server
• Find a cheap programmer
• Buy some AV scanners
• Ask your PR agency to announce your new product
Is it really that easy? Let's have a closer look
The power of AV comparison sites
• VirusTotal, Jotti, etc.
• Entirely based on on-demand scanning
• The service helps many magazines and customers to decide whether a file is malicious or not
The power of AV comparison tests
• AV-Test.org: performs paid comparison tests for major magazines all over the world
• AV-Comparatives: regularly issues test results, with the proactive and on-demand comparisons being the most important ones
• Most tests are based on on-demand scanning
There are many ways to protect the user
• Content filters (anti-spam, anti-phishing, URL advisor etc.)
• Kaspersky Security Network (real-time in-the-cloud detection)
• Static detection (signature based)
• Sandbox isolating software from the rest of the system
• Emulation of the program before it is executed
• Behaviour-based detection while a program is running
• HIPS incl. application firewall preventing malicious actions and access
On-demand detection is not the most important aspect for the user's security, but it is the most important one for his purchase decision
How to improve on-demand detection
• More aggressive heuristics → more false positives
• Investing more money into analysts, honeypots and analysis systems → very expensive
• Adding detection based on competitors' classifications → ...ethical?
Reusing expertise of other companies
• Level 1: OEM partnership
• Level 2: Asking a competitor for samples
• Level 3: In-depth analysis of samples that were detected by a multiscanner
• Level 4: Simply adding detection based on multiscanner results, or even worse: extracting competitors' signatures directly from the signature update files
Real life example? Source: http://malwarebytes.besttechie.net/2009/11/02/iobit-steals-malwarebytes-intellectual-property/
Real life example? Source: http://blog.iobit.com/archives/tag/malwarebytes
Real life example? Shortly after IObit was accused of plagiarism, their database shrank by 47.5%. According to this posting, this also affected their detection rate. Source: http://malwareresearchgroup.com/forum/viewtopic.php?f=7&t=159&p=509
Similarities to the music industry
• Users don't care where it comes from as long as it works for small money
• Every additional person using such a service means less money for real research
• As a consequence the companies which create/sell a product will have less money → lower quality for all
In-the-cloud AV will make things worse
• Setting up the infrastructure is cheap
• Using multiscanner detection ensures very high scan results
• Everything happens behind closed doors
What can be done about it?
• From a technical perspective: not much, and superior heuristics won't help as long as people love on-demand-scan comparisons with millions of samples
• By using "marker" signatures, it might be easier to detect theft of intellectual property
• Laws need to be updated in order to protect AV companies' IP better
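The "marker" signature idea from the slide above, as an added example that is not part of the original deck or of any vendor's product: the vendor adds signatures for synthetic, harmless files derived from a private secret; if a competitor's on-demand scanner flags those files, which were never in circulation, that is evidence the signatures were copied rather than researched. The scanner, databases, secret and sample bytes are all constructed for the demonstration.

```python
import hashlib

def scan(data: bytes, db: dict[str, bytes]) -> list[str]:
    """Minimal on-demand scanner: a detection name fires when its byte pattern occurs in the file."""
    return sorted(name for name, pattern in db.items() if pattern in data)

def make_marker(secret: str, label: str) -> bytes:
    """Build a harmless synthetic marker file (plain text, nothing executable).
    Its body is derived from a vendor-private secret, so nobody can produce it independently."""
    body = hashlib.sha256((secret + ":" + label).encode()).hexdigest()
    return b"MARKER-FILE:" + label.encode() + b":" + body.encode()

VENDOR_SECRET = "vendor-A-canary-secret"   # constructed; in practice kept private by the vendor
MARKERS = {label: make_marker(VENDOR_SECRET, label) for label in ("canary-01", "canary-02")}

# Vendor A's database: a constructed real detection plus one signature per marker file
# (the signature pattern is the 64-byte hex body at the end of the marker file).
VENDOR_A_DB = {
    "Trojan.Constructed.Dropper": b"drop-run-delete",
    **{f"Marker.{label}": sample[-64:] for label, sample in MARKERS.items()},
}

# A competitor that did its own research detects the sample but knows nothing of the markers.
INDEPENDENT_DB = {"Trojan.Generic.Dropper": b"drop-run"}

# A database lifted from vendor A's update file carries the marker signatures too, renamed.
COPIED_DB = {"Trojan.Other.%d" % i: pat for i, pat in enumerate(VENDOR_A_DB.values())}

def marker_leak_evidence(markers: dict[str, bytes], competitor_scan) -> list[str]:
    """Feed each marker file to a competitor scanner, treated as a black box that takes
    bytes and returns detection names. Every marker that is flagged is evidence of copied
    signatures: the file is not malicious and was never distributed, so no independent
    analysis could have produced a detection for it."""
    return [label for label, sample in markers.items() if competitor_scan(sample)]

# Constructed sample standing in for a real piece of malware; not an actual executable.
SAMPLE = b"MZ\x90\x00 constructed sample: drop-run-delete"

if __name__ == "__main__":
    for name, db in (("independent", INDEPENDENT_DB), ("copied", COPIED_DB)):
        print(name, "detects sample:", scan(SAMPLE, db))
        print(name, "flags markers:", marker_leak_evidence(MARKERS, lambda d, db=db: scan(d, db)))
```

Several distinct markers, rotated over time, make the evidence stronger than a single hit, since one flagged file could still be explained by an over-broad generic signature.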
Do you remember this picture?
• Experiment started by Computerbild magazine in 2009
Let's talk about it! Magnus Kalkuhl, Senior Virus Analyst, Global Research and Analysis Team, Germany