Are signatures the new mp3? How to fight the misuse of intellectual property

Presentation Transcript

  1. Are signatures the new mp3? How to fight the misuse of intellectual property • Magnus Kalkuhl, Senior Virus Analyst, Global Research and Analysis Team, Germany • Kaspersky Lab International Press Tour “Cyberthreat Landscape 2009: Outcomes, Trends and Forecasts”, Moscow, January 28-31, 2010

  2. Setting up an AV company in 2000 • Find valuable sources for new malware and become part of the AV social network • Invest lots of money in fast and effective analysis and scan technologies • Invest lots of money in initial research or hire trained analysts • Establish worldwide distribution channels

  3. Setting up an AV company in 2010 • Find a cheap server • Find a cheap programmer • Buy some AV scanners • Ask your PR agency to announce your new product

  4. Is it really that easy? Let's have a closer look

  5. The power of AV comparison sites • Virustotal, Jotti, etc. • Entirely based on on-demand scanning • Service helps many magazines and customers to decide whether a file is malicious or not


  6. The power of AV comparison tests • AV-Test.org: Performs paid comparison tests for major magazines all over the world • AV-Comparatives: Regularly issues test results, with proactive and on-demand comparisons being the most important ones • Most tests are based on on-demand scanning

  7. There are many ways to protect the user • Content filters (anti-spam, anti-phishing, URL advisor etc.) • Kaspersky Security Network (real-time in-the-cloud detection) • Static detection (signature based) • Sandbox isolating software from the rest of the system • Emulation of the program before it is executed • Behaviour-based detection while a program is running • HIPS incl. application firewall preventing malicious actions and access

  8. On-demand detection is not the most important aspect for the user's security, but for his purchase decision

  9. How to improve on-demand detection • More aggressive heuristics → more false positives • Investing more money into analysts, honeypots and analysis systems → very expensive • Adding detection based on competitors' classifications → ...ethical?

  10. Reusing expertise of other companies • Level 1: OEM Partnership • Level 2: Asking a competitor for samples • Level 3: In-depth analysis of samples that were detected by a multiscanner • Level 4: Simply adding detection based on multiscanner results - or even worse: extracting competitors' signatures directly from the signature update files

  11. Real life example? Source: http://malwarebytes.besttechie.net/2009/11/02/iobit-steals-malwarebytes-intellectual-property/

  12. Real life example? Source: http://blog.iobit.com/archives/tag/malwarebytes

  13. Real life example? Shortly after IObit was accused of plagiarism, their database shrank by 47.5%. According to this posting, this also affected their detection rate. Source: http://malwareresearchgroup.com/forum/viewtopic.php?f=7&t=159&p=509

  14. Similarities to the music industry • Users don't care where it comes from as long as it works and costs little • Every additional person using such a service means less money for real research • As a consequence, the companies which create/sell a product will have less money → lower quality for all

  15. In-the-cloud AV will make things worse • Setting up the infrastructure is cheap • Using multiscanner detection ensures very high scan results • Everything happens behind closed doors

  16. What can be done about it? • From a technical perspective: Not much, and superior heuristics won't help as long as people love on-demand scan comparisons with millions of samples • By using “marker” signatures, it might be easier to detect theft of intellectual property • Laws need to be updated in order to protect AV companies' IP better

  17. Do you remember this picture? • Experiment started by Computerbild magazine in 2009

  18. Let's talk about it! • Magnus Kalkuhl, Senior Virus Analyst, Global Research and Analysis Team, Germany • Kaspersky Lab International Press Tour “Cyberthreat Landscape 2009: Outcomes, Trends and Forecasts”, Moscow, January 28-31, 2010