Are signatures the new mp3? How to fight the misuse of intellectual property

Magnus Kalkuhl, Senior Virus Analyst, Global Research and Analysis Team, Germany. Kaspersky Lab International Press Tour “Cyberthreat Landscape 2009: Outcomes, Trends and Forecasts”, Moscow, January 28-31, 2010

Page 1: Are signatures the new mp3? How to fight the misuse of intellectual property

Are signatures the new mp3?

How to fight the misuse of intellectual property

Magnus Kalkuhl, Senior Virus Analyst

Global Research and Analysis Team, Germany

Page 2: Are signatures the new mp3? How to fight the misuse of intellectual property

Setting up an AV company in 2000

• Find valuable sources for new malware and become part of the AV social network

• Invest lots of money in fast and effective analysis and scan technologies

• Invest lots of money in initial research or hire trained analysts

• Establish worldwide distribution channels

Page 3: Are signatures the new mp3? How to fight the misuse of intellectual property

Setting up an AV company in 2010

• Find a cheap server

• Find a cheap programmer

• Buy some AV scanners

• Ask your PR agency to announce your new product

Page 4: Are signatures the new mp3? How to fight the misuse of intellectual property

Is it really that easy? Let's have a closer look

Page 5: Are signatures the new mp3? How to fight the misuse of intellectual property

The power of AV comparison sites

• Virustotal, Jotti, etc.

• Entirely based on on-demand scanning

• Service helps many magazines and customers to decide whether a file is malicious or not

Page 6: Are signatures the new mp3? How to fight the misuse of intellectual property

The power of AV comparison tests

• AV-Test.org: Performs paid comparison tests for major magazines all over the world

• AV-Comparatives: Regularly issues test results with proactive and on-demand comparisons being the most important ones

• Most tests are based on on-demand scanning

Page 7: Are signatures the new mp3? How to fight the misuse of intellectual property

There are many ways to protect the user

• Content filters (anti-spam, anti-phishing, URL advisor etc.)

• Static detection (signature based)

• Emulation of the program before it is executed

• Behaviour-based detection while a program is running

• Sandbox isolating software from the rest of the system

• HIPS incl. application firewall preventing malicious actions and access

• Kaspersky Security Network (real-time in-the-cloud detection)

Page 8: Are signatures the new mp3? How to fight the misuse of intellectual property

On-demand detection is not the most important aspect for the user's security, but for his purchase decision

Page 9: Are signatures the new mp3? How to fight the misuse of intellectual property

How to improve on-demand detection

• More aggressive heuristics → more false positives

• Investing more money into analysts, honeypots and analysis systems → very expensive

• Adding detection based on competitors' classifications → ...ethical?

Page 10: Are signatures the new mp3? How to fight the misuse of intellectual property

Reusing expertise of other companies

• Level 1: OEM Partnership

• Level 2: Asking a competitor for samples

• Level 3: In-depth analysis of samples that were detected by a multiscanner

• Level 4: Simply adding detection based on multiscanner results, or even worse: extracting competitors' signatures directly from the signature update files

Page 11: Are signatures the new mp3? How to fight the misuse of intellectual property

Real life example?

Source: http://malwarebytes.besttechie.net/2009/11/02/iobit-steals-malwarebytes-intellectual-property/

Page 12: Are signatures the new mp3? How to fight the misuse of intellectual property

Real life example?

Source: http://blog.iobit.com/archives/tag/malwarebytes

Page 13: Are signatures the new mp3? How to fight the misuse of intellectual property

Real life example?

Source: http://malwareresearchgroup.com/forum/viewtopic.php?f=7&t=159&p=509

Shortly after IObit was accused of plagiarism, their database shrank by 47.5%. According to this posting, this also affected their detection rate.

Page 14: Are signatures the new mp3? How to fight the misuse of intellectual property

Similarities to the music industry

• Users don't care where it comes from as long as it works and costs little money

• Every additional person using such a service means less money for real research

• As a consequence the companies which create/sell a product will have less money → lower quality for all

Page 15: Are signatures the new mp3? How to fight the misuse of intellectual property

In-the-cloud AV will make things worse

• Setting up the infrastructure is cheap

• Using multiscanner detection ensures very high scan results

• Everything happens behind closed doors

Page 16: Are signatures the new mp3? How to fight the misuse of intellectual property

What can be done about it?

• From a technical perspective: Not much, and superior heuristics won't help as long as people love on-demand scan comparisons with millions of samples

• By using “marker” signatures, it might be easier to detect theft of intellectual property

• Laws need to be updated in order to protect AV companies' IP better
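
A sketch of the “marker” signature idea from the list above, as an added example that is not part of the original presentation: each signature release ships detections for harmless files that exist nowhere else, and an audit checks whether another product flags exactly those files. The hash-based signature format, the detection names, the per-release labels and the unsigned control files are all assumptions made for illustration.

```python
import hashlib
import hmac

def benign_file(secret: bytes, label: str, size: int = 256) -> bytes:
    """Deterministic, harmless filler bytes unique to (secret, label)."""
    out, counter = b"", 0
    while len(out) < size:
        out += hmac.new(secret, f"{label}:{counter}".encode(), hashlib.sha256).digest()
        counter += 1
    return b"MARKER-TEST-FILE\n" + out[:size]  # plain data, nothing executable

def build_release(secret: bytes, release: str, n: int = 5):
    """Return (marker signatures shipped in this release, unsigned control hashes)."""
    markers = {}
    for i in range(n):
        data = benign_file(secret, f"{release}/marker/{i}")
        # Hypothetical detection name; the hash is the whole "signature" here.
        markers[hashlib.sha256(data).hexdigest()] = f"Marker.{release}.{i}"
    controls = [hashlib.sha256(benign_file(secret, f"{release}/control/{i}")).hexdigest()
                for i in range(n)]
    return markers, controls

def audit(flagged: set, releases: dict) -> dict:
    """flagged: SHA-256 hashes another product detects; releases: name -> (markers, controls)."""
    report = {}
    for name, (markers, controls) in releases.items():
        marker_hits = sum(h in flagged for h in markers)
        control_hits = sum(h in flagged for h in controls)
        # Controls flagged too: the other engine flags unknown data in general (heuristics).
        # Only markers flagged: its verdicts follow our signature database.
        if marker_hits and not control_hits:
            verdict = "copied"
        elif marker_hits:
            verdict = "inconclusive"
        else:
            verdict = "clean"
        report[name] = (marker_hits, control_hits, verdict)
    return report

def demo():
    secret = b"constructed-demo-secret"  # constructed value, kept private in practice
    releases = {r: build_release(secret, r) for r in ("2010-01", "2010-02")}
    # Constructed scenario: another product detects every 2010-01 marker and nothing else.
    flagged = set(releases["2010-01"][0])
    return audit(flagged, releases)
```

Because the markers differ per release, a hit also indicates which update the copied detections came from.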

Page 17: Are signatures the new mp3? How to fight the misuse of intellectual property

Do you remember this picture?

• Experiment started by Computerbild magazine in 2009

Page 18: Are signatures the new mp3? How to fight the misuse of intellectual property

Let's talk about it!

Senior Virus Analyst, Global Research and Analysis Team, Germany

Magnus Kalkuhl
