■ Summary
■ Solutions Fast Track
Introduction
In the first section of this chapter, Robert Vibert, founder of the Anti-Virus Information Exchange Network (AVIEN) and the Anti-Virus Information and Early Warning System (AVIEWS), relates the historical origins and development of these two closely linked organizations. His story is important. While these are significant and interesting organizations in their own right, their story also reflects an important phase in the history of viruses and virus management. In the few years since AVIEN was founded, we’ve seen the focus shift across the board from virus management to malicious software (malware) management. Furthermore, where a Gods and Ants view once predominated in the antivirus industry, there is a more harmonious relationship between the antivirus industry and other security professionals.
In fact, it sometimes seems that everyone outside the antivirus industry is a virus/antivirus expert, in his or her own estimation (False Authority Syndrome). On the other hand, it also seems that people within the security industry think they have sole custody of all security knowledge, and that the rest of the world knows just enough to put their hands in their corporate pockets and pay for the solutions that are offered them. The truth is out there somewhere between “AV knows nothing” and “AV knows everything.” In the second section, David Harley looks at the uneasy relationship between the anti-malware industry and its customers, in the hope of finding it.
Various members of Team Anti-Virus, a loose grouping of independent antivirus researchers, have been considering the issues around professional expertise and qualifications inside and outside the security industry for some years. In the last section, James Wolfe compares the roles of the independent researcher, the vendor-employed specialist, and the corporate security specialist, and David Harley and Ken Bechtel look in more detail at certification issues.
History of AVIEN and AVIEWS
This isn’t a book about AVIEN (see Figure 1.1) and AVIEWS, though it starts and finishes with them. If there is something really important about these groups, though, it’s their membership, combining the talents of a high percentage of the most able administrators, researchers, support professionals, and security experts in the world. And telling you something about them will tell you something about the world we all live in.
Background: So Who Is Robert Vibert?
For the years 1993 to 1999, I was heavily involved in the antivirus world. My companies in Portugal and Canada sold millions of dollars worth of antivirus software to large corporations, government agencies, departments, and financial institutions. During those years, it was said that I walked, talked, lived, breathed, slept, and dreamt about antivirus software and solving the malware problems faced by my customers.
In the middle of 1999, I jumped ship from the sales world, due in part to McAfee’s taking over Dr. Solomon’s, the company that made the antivirus software that my companies had been selling as our flagship product. The other part of this decision was the fact that prior to selling software, I had worked for a number of years as an independent consultant and I longed to return to that role.
From 1999 to 2001, I once again acted as an independent security consultant, advising the Canadian government on antimalware defenses and providing security audit services. It was also during this time that AVIEN took shape. I’ll tell that story in a moment, but first, some context.
AV Vendor/Researcher Lists and Groups
For many years, security specialists around the world working to defend their organizations against attacks from viruses, worms, and other forms of malware, had essentially two choices if they wanted to learn more about this topic: work in relative isolation or be invited to join a vendor-oriented group.
The vendor-oriented groups (CARO, REVS, VForum, AVPD, and so forth) were designed from the beginning to respond to the need to share information on malware, but membership was usually restricted to those who worked for a software vendor or occasionally to corporate employees and university researchers who were invited to join to share their insights.
TIP: The antivirus industry is as generous with its acronyms as the rest of the computer industry.
CARO is the Computer Antivirus Research Organization, a shadowy group of (mostly Old Guard) anti-virus (AV) researchers.
REVS was a (now defunct) attempt to streamline sample sharing between AV companies.
VForum is a virus/malware researcher mailing list.
AVPD is the Antivirus Product Developer Consortium.
For the vast majority of security specialists working in large organizations on malware defense, there was little hope of entering that circle. There were some in the antivirus industry who defended the exclusivity of the groups as necessary due to trust issues. In the early days of fighting viruses, the level of caution around storage and distribution of viruses was quite high. I still remember all the precautions we took to make sure that viruses did not fall into the wrong hands, and how annoyed many were that people were actually selling viruses on CDs.
To become a member of these vendor-centric groups was quite an achievement, and the growth of their membership numbers was slow.
Meanwhile, a growing number of security specialists in larger organizations had a need to understand the threat their organizations faced. They could read the few books on the subject that were published, try to sift some information out of the noise on Usenet groups like www.alt.comp.virus, take training from vendors, and do their own research. Meanwhile, the complexity of mounting defenses grew constantly, as more and more operating systems and networks were subject to malware attacks.
While I worked selling antivirus software, I would have access to the researchers who dealt directly with the viruses and who discussed in hushed tones the gaping security holes in operating systems, hoping that the authors of malware would not stumble across them. While it certainly felt good to be on the edge of the inner circle and to rub shoulders with the most talented antimalware researchers, there was no shortage of people wanting better access to the information that would make their jobs easier.
VB 2000: A Star is Born
Every year, Virus Bulletin, a UK publication focused on malware and spam issues, organizes a conference in the fall. In 2000, the venue was Orlando, Florida, and I was scheduled to speak about “Anti-Virus Deployment - Doing it Right.”
I decided to take my family to Florida, as the VB conference was being held near the amusement parks, and we piled into the car and drove from our home near Ottawa, in Ontario, to Orlando. On the way, I stopped in to see Ken Bechtel, a fellow traveler on the antivirus road. I mentioned the conversations I had been having with some of the security folks at Nortel Networks, mainly John Morris and Peter Sherwood, and with some of my fellow ISSA members. These conversations centered on the need to exchange information on the virus threat and how to best leverage investments in anti-virus defenses.
Ken had also had some ideas along the same lines and we agreed to float the topic at the VB conference.
Cocktails For Two — and More
During the opening cocktail hour, Ken and I started discussing the need for better sources of up-to-date information and resources for dealing with malware threats, as well as the need to stop re-inventing the wheel and to learn from the efforts of other anti-virus specialists.
Soon, a small group of anti-virus specialists from companies such as Nortel, Boeing, and Prudential were gathered and plotting the start of a forum where they could talk openly about their issues concerning AV companies and products and share ideas.
During my presentation on anti-virus solution deployment in enterprise environments, I offered to coordinate the formation of a group of like-minded people to discuss these topics. Inside AVIEN, we fondly refer to this as our “conception.” During the remainder of the conference, people pressed their business cards into my hands and I diligently filed them in my pockets.
After the Hangover
A few weeks later, after arriving back home, I contacted these people to confirm that they were really interested in collaborating like this. The response was overwhelmingly in favor of going forward with the plan, and as a result, the world witnessed the formation of a closed, private network. Early on, members agreed that there would be some restrictions on who could belong to AVIEN, so as to ensure that topics discussed were those most important to the majority of members.
One Day at a Time
Since the beginning, members of AVIEN have always been people who look after medium- to large-sized organizations, with at least 1,500 PCs under their care. They have always been employed only by organizations that do not sell anti-virus software, and they have always agreed to abide by a strict code of conduct with regard to confidentiality and mutual respect.
The main activities of AVIEN occurred on several e-mailing lists where discussions focused on deployment of AV software, new viruses that were spotted, and lots of “get-to-know-each-other” conversations. Initially hosted on my e-mail server, it soon became necessary to move the lists to more robust and reliable e-mail systems, especially as warnings about new malware attacks became more common.
The Early Warning System (EWS), created by AVIEN so as to share information between members about new attacks, proved to work very effectively. Not only did it help a number of people save their organizations from major malware attacks, but it was also monitored closely by certain security organizations, which promptly recycled the information in various forms.
Oh No, The Users Are Ganging Up On Us!!!
Almost from the start, the anti-virus vendor community was suspicious of the aims and intent of AVIEN. Many thought that users were looking for any excuse to bad-mouth the vendors and that AVIEN members spent their time talking about them. Even when this was firmly denied, some AV gurus found it hard to accept, or perhaps it was their egos that found it hard to conceive an information exchange network that was doing very nicely without them, thank you.
In any case, AVIEN initially received a somewhat grudging welcome from the vendor community, and some of them even tried to infiltrate AVIEN to find out what was going on. There was a constant stream of requests for special access to AVIEN from vendors and from those who did not meet the 1,500 PC requirement. In the end, a solution was found by opening the door to a major subset of the mailing lists to anyone willing to pay the annual support fee, which covers the administrative costs of the lists.
AVIEN was thus the catalyst for the formation of AVIEWS, which encompasses not only people in large organizations, but vendors and smaller organizations as well.
Today, the two groups exist in harmony, and all AVIEN members are automatically members of AVIEWS, though not vice versa, and there are rules against misusing information received through the lists for direct marketing purposes.
The Objectives of AVIEN and AVIEWS
Members of AVIEN and AVIEWS (as was shown in Figure 1.2) share common goals, which are to:
■ Share information about the anti-virus and malware reality in each organization
■ Share information about the techniques used to combat viruses and other malware
■ Share information about anti-virus products
■ Share information about viruses causing problems
■ Participate in an Early Warning System (EWS)
AVIEN Membership Benefits
AVIEN members receive a number of benefits:
■ They discuss with their peers the anti-virus software/hardware issues that concern them
■ They receive support in their efforts to implement changes in how defenses are organized
■ They receive a subscription to all the AVIEWS services, in addition to AVIEN-specific mailing lists
■ They enjoy the warmth of a community of practice, which has developed
Alerts and Advisories
Not only do the organizations send out alerts, but members also inform each other about suspicious incidents before they explode into real alert-type situations. For example, the VBS/Homepage malware was being discussed by AVIEN and AVIEWS members the day before it first made its mark on the world. Nowadays, topics for discussion range far wider,
Peer Discussions
Those joining AVIEN and AVIEWS get access to a number of discussion mailing lists, where they can discuss viruses and what’s going on in the AV world, including what products are catching or missing which pieces of malware.
Some of the topics members have discussed:
■ Characteristics of malicious code as it is discovered, particularly those programs that propagate quickly by exploiting common vulnerabilities.
■ Problems/insights on enterprise deployment of the different AV packages with emphasis on pitfalls and timesaving techniques.
■ Tweaking the different AV heuristic detection engines to reduce false-positives without impairing/decreasing AV capabilities.
■ Lessons learned - Are you seeing a problem with vendor X and what did you do about it?
■ Virus countermeasures other than AV scanning software. AVIEN members may not have invented generic filtering, but certainly made a major contribution to refining it.
■ Monitoring virus activity within a corporation.
■ Techniques for fighting major virus outbreaks.
■ Common problems such as the lack of an effective virus naming convention.
■ Software distribution methods and issues.
■ Verification methods - How do you check to make sure your user base is up to date?
■ MS Exchange - What works best on a clustered environment?
■ Opinions on the trend towards AV companies providing on-site services.
AVIEN Projects
AVIEN and AVIEWS members have participated in a number of projects apart from this book project (others are planned). The certification project for anti-virus professionals currently resting with Team Anti-Virus is described at the end of this chapter.
In 2006, the first AVIEN Virtual Conference, “Battling Malware: A View from the Trenches,” was attended by 156 people across 14 countries and attracted many positive comments. Speakers and presentations included:
■ The Fog of War: Informational Challenges to Malware Defense and Incident Response (Gaby Dowling).
■ Spy-Where? (Mary Landesman)
■ Criminalization of Code (Ken Dunham)
■ Mobile Threats (Mikko Hypponen)
■ Weapons of Bot Destruction: Conventional and Non-conventional Tactics to Defend a Network Against an Evolving Threat (John Morris and Eric Kedrosky)
The 2007 conference on “The New Face of Malware – Stories from the Battlefield” was also very successful, and included the following speakers and presentations:
■ Rootkits: No Longer Just a *nix Problem (Martin Overton)
■ The Common Malware Enumeration (CME) Initiative (Desiree Beck)
■ Collaborative Response to Targeted Attacks (Matt Ziemnaik)
■ Hackers’ Favorite Hiding Places - Initial Places to Look for Rootkits, Trojans and Other Malware (Paul Schmehl)
Other public initiatives have included a public “call to action” on the spyware threat and a petition about the dangers of teaching the writing of viruses as a tool for learning about anti-virus defenses.
Less public projects have included a virus encyclopedia project, surveys, a repository of useful tools, informational resources, and so on.
Anti-virus Vendor Image
“Nobody likes me, everybody hates me, going out into the garden to eat worms.” Not to mention viruses, and Trojans, and quite a few other types of malware. And, in the Blue Corner (as they used to say in the wrestling broadcasts), there’s anti-virus software. Nearly everyone uses it, nearly everyone resents having to use it, and few people understand it as well as they want you to think they do.
This section considers the tensions between vendors and customers, AV vendors and other security vendors and agencies, the anti-virus community in its broadest sense and the rest of the world. We then try to sort out the truth behind some of the myths and half-truths, and look at the real competencies of a little-understood and little-appreciated community venture.
AVIEN & AVIEWS: Independents and Vendors in Anti-Malware Research
I’ve no wish to overstress points already made by Robert Vibert, or made in the next section by James Wolfe, but the closely related organizations, AVIEN and AVIEWS, represent an unusual type of partnership between two not entirely disparate groups:
■ Enterprises that use security software (especially for the management of malicious code)
■ Vendors who supply those products and services.
NOTE: Why are they not entirely disparate? For one thing, because there are a number of groups and individuals that don’t exactly fit into either of these main groups, as James Wolfe tells us later in this chapter. Not all reputable anti-virus researchers are aligned to security vendors (or to major enterprises). In fact, it’s increasingly common for researchers outside the anti-virus industry to “cross the floor” to the opposite side of the House of AV/Customer Representatives, and sometimes back again. Sometimes, whole organizations may stop being just customers and become security vendors in their own right. Microsoft is perhaps the most obvious example: while out-and-out security products are a small part of its product range, the company is, nevertheless, a major player in the security industry. For this and other reasons, it gets harder to separate the anti-virus industry from the rest of us.
There is actually a potential tension between all consumers and suppliers. The consumer fears that the supplier may charge or overcharge for a product that may be unnecessary, inadequate, or both. (There is an exception of sorts: luxury items for which the main selling point is that they are “reassuringly expensive.” Even here, though, there is the potential fear that the item may be less exclusive than the buyer expects.) The vendor, meanwhile, will have a number of fears relating to loss of revenue: fraudulent purchases, piracy, copyright/intellectual property rights (IPR) issues, post-sales support issues, and so on. It would be naive to suggest here that these issues don’t ever affect the relationships between the organizations represented in AVIEN who buy security software, and the security vendors who are represented (among other groups) in AVIEWS. Indeed, the fact that security vendors are not eligible for representation in AVIEN gives the lie to such a suggestion. Sometimes, people want to talk about AV issues without worrying about offending or being overheard by vendors. To some members, though, one of the most valuable benefits of