Posted by: David Harley | February 8, 2016

The Malware Museum: another take on emulation

I’ve been feeling pretty old recently. Well, I am old: at any rate, past the age where anyone with half a life would be spending their waking hours walking the dog or practicing the ukulele.

Right now, though, I feel particularly old. That’s because I’ve been reminded several times in the past few days of those halcyon days when malware meant (mostly) viruses, discussions about whether worms were viruses, and whether the correct plural is virii. It isn’t, but I rather liked the explanation that it’s one virus, two virii, three viriii, four viriv and so on – hat tip to my friend and sometime co-author Robert Slade for drawing my attention to that one. Though if you’re creating a virus clock, it should be four viriiii but five virv. (I apologise to whoever pointed out to me that clocks use IIII for Roman clockfaces, not IV – I can’t remember who it was!)


I can’t actually remember anyone doing a virus clock, but anti-virus companies did, in the 1990s, offer various awareness-raising goodies such as calendars with the dates on which payloads were triggered, virus simulations, and so on. (Whether the intention was to raise awareness of malware or of anti-virus products is moot.) And while part of my present state of depression is because I’ve been getting rid of virus-related books, magazines and even hard-copy conference proceedings, it’s also because Mikko Hypponen has revisited that era with the announcement of the Malware Museum, ‘a collection of malware programs, usually viruses, that were distributed in the 1980s and 1990s on home computers.’ Though this isn’t an opportunity to top up your collection of malware so that you can test whether security products detect obsolete malware: destructive code has been removed, and the visual effects of malware such as Cascade, Casino and Ambulance (see screenshot below) are displayed in JavaScript using DOSBox emulation.


David Harley

Posted by: David Harley | January 29, 2016

Testing APT Defences

In case you missed it, one of the highlights of the 2015 Virus Bulletin conference was a paper by Simon Edwards, Richard Ford and Gabor Szappanos (all very familiar names in AMTSO and security product testing circles) on ‘Effectively Detecting APT Defences’.

A blog article at Virus Bulletin gives links to the paper in HTML and PDF format, as well as a video. Highly recommended.

David Harley

Posted by: David Harley | January 12, 2016

Exorcising the APT

It’s almost a relief for a jaded security researcher to hear about the Reverend Jo Ellen Michelle Talley, who apparently removes malware using a number of alternative techniques including ‘magic spells’ and ‘magic charms’, but hasn’t so far claimed that anti-virus is dead and that Wicca is the security service that has replaced it. Even better, she has never used – as far as I know – the term APT or claimed that there is no way in which the effectiveness of her product can be tested.

Apparently, she is able to draw out a virus using a black bowl with a magnet and water, following up with saging (whatever that is), purification and a protection spell. All of which sounds perfectly testable, if a little labour-intensive.

So if your PC appears to be a basket case, maybe you should make sure it’s a Wicca basket.

HT to Julio Canto, who drew my attention to the Motherboard article. (And to Simon Edwards for his work on testing APT-oriented products.)

David Harley

Posted by: David Harley | December 19, 2015

IOActive on the security of mobile banking apps

If you’re using banking apps on an iOS device, you might be interested in some research by Ariel Sanchez, following up on his earlier research into the security of mobile banking apps from some major banks. (You might find Paul Ducklin’s commentary for Sophos on the earlier research of interest, too.)

Sanchez’s analysis is restricted to a general consideration, without identifying individual apps or banks. Still, you might find it useful – if mildly disturbing – to see how well (or otherwise) banking apps currently stand up to his testing on:

  • Transport security
  • Compiler protection
  • UIWebViews
  • Insecure data storage
  • Logging
  • Binary analysis

Commentary by John Leyden for The Register here.

It would be interesting to see if the picture is any different on Android, if there’s any comparable research available. (I haven’t seen any, but that doesn’t mean there is none.)

Also posted on the Mac Virus blog.

David Harley


Posted by: David Harley | December 15, 2015

Counting Malware

An issue I’ve looked at before – e.g. in The Game of the Name (revisited) on this blog – looked at from a slightly different angle. Only slightly different, though: if you’re going to use numbers of new samples seen daily (or monthly, or whatever) as some sort of criterion for product evaluation, you might want to be pretty sure you know what those numbers really refer to.

Counting Malware & Running Out of Fingers on the IT Security UK blog.

David Harley
