Tag Archives: av manufacture

Beyond good and evil?

A few days ago Microsoft announced a large scale raid on the dynamic DNS service No-IP, as a result of which 22 of its domains were seized. The guys in Redmond said there were very good reasons for this: No-IP hosts all kinds of unpleasant malware; No-IP is a breeding ground of cybercriminals; No-IP is an epicenter for targeted attacks; and No-IP never agrees to working with anyone else on trying to root out all the badness.

Like in most conflicts, the sides have exchanged the contradictory volleys of announcements in the eternal tradition of ‘it’s his fault – no she started it’.

In particular, No-IP has said it’s a real goody-two-shoes and always willing to cooperate in eliminating sources of cyberattacks, while its clients are most displeased with the raid and consider it an illegal attack on legal business – since it’s possible to find malware practically anywhere, so interrupting services through a court is simply not on.

Is it legal to shut down a service because of #malware found?… When it can be found everywhere?…Tweet

In the meantime, the result of the raid has been rather far-reaching: more than four million sites were pulled, including both malicious and harmless ones – affecting 1.8 million users. Microsoft is trying to sieve the wheat from the chaff and get the clean sites back up and running; however, many users are still complaining about ongoing disruption.

To work out who’s to blame is a thankless and probably hopeless task. I’ll leave the journalistic investigations to… the journalists. Instead, here let me give you some food for thought: dry, raw facts and figures – so maybe/hopefully you’ll be able to come to your own conclusions about the legality and ethicality of MS’s actions, based on those facts and figures…

1)      Shutting down 22 No-IP domains affected the operations of around 25% of the targeted attacks that we keep track of here at KL. That’s thousands of spy and cybercriminal operations ongoing for the last three years. Approximately a quarter of those have at least one command and control center (C&C) with this host. For example, hacker groups like the Syrian Electronic Army and Gaza Team use only No-IP, while Turla uses it for 90% of its hosts.

2)      We can confirm that out of all large providers the No-IP dynamic DNS was the most unwilling to cooperate. For example, they ignored all our emails about a botnet sinkhole.

3)      Our analysis of current malware shows that No-IP is often used by the cyberswine for botnet control centers. A simple search via the Virustotal scanning engine confirms this fact with a cold hard figure: a total of 4.5 million unique malware samples sprout from No-IP.

4)      However, the latest numbers from our security cloud (KSN) show something not quite so cut and dry. Here’s a table showing detections of cyberattacks from dozens of the largest dynamic DNS services:

Service % of malicious hosts Number of detections (in a week)
000webhost.com 89.47% 18,163
changeip.com 39.47% 89,742
dnsdynamic.org 37.04% 756
sitelutions.com 36.84% 199
no-ip.com 27.50% 29,382
dtdns.com 17.65% 14
dyn.com 11.51% 2321
smartdots.com 0.00% 0
oray.com 0.00% 0
dnserver.com 0.00% 0

So – No-IP isn’t leading in the number of detections, even though they’re still really high compared to most.

Here’s some more info for comparison: the % of malware hosts in the .com zone makes up 0.03% of the total; in the .ru zone – 0.39%; but in No-IP the figure’s 27.5%!

And now for other figures that add a bit of a different perspective: in one week, malware domains on No-IP generated around 30,000 detections, while in the same week on one of the most malicious domains in the .com zone, the figure was 429,000 – almost 14 times higher. Also: the tenth most infected domain in the .ru zone generated 146,000 detections – that is, about the same as the first ten providers of dynamic DNS mentioned above put together!

To summarize…

On the one hand, blocking popular services that are used by thousands – if not millions – of typical users: it ain’t right. On the other hand, closing spawning grounds for malware is right – and noble.

The takedown of No-IP domains. Was it right or wrong? Ambiguity with a big ATweet

But then mathematics takes on the role of devil’s advocate, and proves:

Quantitatively, closing all the domains of No-IP is no more effective in combatting the distribution of malware than closing one single top malware domain in one of the popular zones, i.e., .com, .net, or even .ru. Simpler put, even if you were to shut down all providers of dynamic DNS – the Internet still wouldn’t become ‘cleaner’ enough to notice the difference.

So there you have it – ambiguity with a big A. 

It leaves anyone in their right and honest-with-themselves mind to admit things are far from black and white here, and as regards the right and wrong, or good and bad, or Nietzsche’s thing – who can tell?

Still, another thought comes to mind at some point while reflecting on all this…

It’s further evidence that as soon as the quantity of piracy or degree of criminality gets above a certain threshold, the ‘powers that be’ get involved all of a sudden and start closing services, ignoring any notions of Internet freedom or freedom to do business. It’s just the way things are, a rule of life of human society: If it stinks, sooner or later it’ll get cleaned up.

The list of blocked services is already rather long: Napster, KaZaA, eMule, Pirate Bay and so on. Now No-IP‘s been added to the list.

Who’s next?

// Bitcoin? It’s already begun.

 

Cybernews from the dark side – June 24, 2014

Patent trolls – continued.

Here, alas, passions are still running high, with the occasional fit of… passion. Indeed, the issues related to patent parasites haven’t gone away; it’s just that only the most interesting – ‘loudest’ – cases ever get heard about. But if you dig deeper, you eventually hit upon stuff that is interesting, just not paid attention to. Which is what we did – and found quite a bit on patent trolls worthy of the title of this blogpost. So, he we go…

The irony’s all too much.

For this item I didn’t have to dig all that deep actually – I just checked Ars Technica. There I found some rather familiar glorification of the patent aggregator RPX – made out to be a sweet and innocent protector of orphans, the poor, and princesses (from dragons). I just couldn’t believe what I was reading: “RPX works by selling memberships to companies that feel harangued by patent trolls, including Apple and many other tech companies. RPX basically buys up patents it believes will be used by trolls. By uniting the buying power of many companies, it can get the patents for a bargain price.”  Well, maybe I could believe it… I was just so rattled at being reminded of the hypocrisy.

WHAT? RPX is some kinda anti-troll? And trolls may fly…

Patent TrollSource

We first came across this so-called anti-troll in the year of its creation, and were one of the first to bite it back – successfully.

Read on: a simple arrangement…

Breathe the pressure!

Prevention is better than cure. And that goes for fighting patent trolls too.

With this old adage in mind we recently filed a lawsuit against Device Security LLC seeking invalidation and non-infringement of the patent covering the tech involved in protecting data on mobile devices. This marks a distinct change of tactics on our behalf: Though we’ve been warring with patent parasites for eight years already, this is the first time we’ve gone for a preventative attack.

Kaspersky Lab vs Device Security LLC

Read on: So why have we done this, and why?…

Enter your email address to subscribe to this blog
(Required)

“To live is to war with trolls”*

The euphoria after our recent single-handed victory over a patent troll has died down – a little. It was real nice to read lots of different accounts of the good news (like this, this, this, this and this) and multiple encouraging  comments from users. However, the real struggle has only just begun – ahead lies a lot of hard work and hassle, albeit interesting hassle. So now’s probably a good time to sum up everything.

comment1

comment2

comment4Source

Read on: The first and main thing – never let your guard down…

The patent trolls can be defeated – just never give up!

Hurray! Drum roll… cymbal crash + orchestral hit! We’ve beaten yet another US patent troll! The enemy is defeated, demoralized, and on the run! Churchill was right: “Never give up!” We’ve followed his advice in our fight against a particular troll. As a result the troll gave up and ran away with nothing and its tail between its legs.

“Shock, happiness, joy and adrenaline – all in one”

– That’s how N.K. (our Chief Intellectual Property Counsel) described this victory. For this time the troll was of a higher caliber and its ‘connections’ were way more heavyweight.

lodsys

Shock, happiness, joy and adrenaline all in one – I couldn’t agree more. Our 18-month court case with Lodsys (one of the ‘tentacles’ of the world’s largest and most notorious of patent trolls – Intellectual Ventures (“IV”)) was brought to a sudden halt by a full and unconditional capitulation by this abominable patent parasite. As per the norm, we won once again alone, with another 54 defendant companies deciding to settle with the extortionist, while others shamefully fled the battlefield altogether. In all the patent troll has shaken down more than 400 IT companies!

Now for the details…

More: Once upon a time there was an inventor, who invented feedback…

Revenge can be sweet, especially against patent trolls.

Payback can be slow – painfully slow – in coming, but thankfully, at last, it does seem to be showing signs of finally arriving and hitting some most unsavory types – patent trolls – squarely in the nether regions.

I’ve already waxed lyrical here about trolls and what needs to be done to up the fight in tackling this scourge.

Here, let me give you a quick review of what needs to be done:

  • Patent use to be limited – a ban on claims for a term preceding their acquisition;
  • Mandatory compensation of a defendant’s expenses if a lawsuit against it is either defeated in court or withdrawn;
  • A ban on patent aggregators bringing lawsuits;
  • An increase in the required detail and accuracy of patent descriptions, and mandatory technical expert examinations;
  • The main thing: not for ideas to be patented, but their concrete practical application.

Sometimes it seems like US legislators read my blog! Finally, something is getting done – and not just anywhere, but in the state of Vermont, where the first anti-troll law has come into effect!

There’s a lot of interesting stuff in this law, but what I like most in it is that now a defendant company can demand from a patent troll reimbursement of all its legal costs if it manages to prove that the troll acted not in good faith.

More: Special thanks for the law go to … a patent troll!

Magdeburg: AVant garde.

There’s a Russian saying that translates roughly something like ‘live a century, you’ll be amazed for a century’. Meaning, I reckon, that when you think you’ve seen it all, you in fact won’t have. For me, this applied to the trip I made to the city of Magdeburg recently, for it did just that – amazed.

On the whole the place is a little dull and provincial (in my opinion, that is; but then again – I do live in Moscow most of the year :). There’s the river (the Elbe, but here it’s still quite meager), the impressive banks thereof, the equally impressive walls of the castle (restored) and the gothic cathedral. There’s not a great deal besides that. Apart from one feature that makes up for all that dullness…

In the center of the city there’s a totally incongruent large residential/commercial building known as the Green Citadel of Magdeburg. Just check out the colors, shapes and patterns! You seen anything quite like it?

The artist responsible for this architectural aberration is Friedensreich Hundertwasser, a Gaudi for the late 20th century. This is just one of the many buildings he transformed into a masterpiece across central Europe – in his totally original and mind-blowing style.

This Austrian was a true maverick, so I’m a fan for sure. He believed that folks shouldn’t live in box-like houses that are all the same, and that inhabitants should be encouraged to paint or in some other way change the walls around them. And that meant interior walls too. He was also into converting disused factories into avant garde pieces of art.

Enough words. Now for some pix:

magdeburg-1

More: What were we doing here in the first place?

Patents against innovation – cont’d.

“Patents against innovation”. Sounds as paradoxical as “bees against honey”, “hamburger patties against buns”, “students against sex” or “rock ‘n’ roll against drugs”.

Patents against innovation? How can that be possible? Patents exist to protect inventors’ rights, to provide a return on R&D investment, and generally to stimulate technological progress. Well, maybe it’s like that for some things, but in today’s software world – no way.

Today’s patent law regarding software is…well, it’s a bit like one of those circus mirrors where reality is distorted. Patent law is now just so far removed from common sense that it’s patently absurd; the whole system right down to its roots needs to be overhauled. ASAP! Otherwise innovative patents meant to encourage and protect will simply fail to materialize. (Good job, patent system. Stellar work.)

So how did everything end up so messed up?

Well, despite the virtuous original intention of patents to protect inventors – today they’ve mainly turned into nothing more than an extortion tool, whose objective is just the opposite of protecting innovation. The contemporary patent business is a technological racket – a cross-breed between… a thieving magpie and a kleptomaniac monkey – with a malicious instinct to drag anything of value back to its lair.

Growth in the number of patent lawsuits with the participation of trolls

trollcase

 Source: PatentFreedom

Now for some detail. Let’s have a closer look at the patent business.

More: aggregators, trolls and pools …

One step forward, two steps back.

“Everything ought to happen slowly, and out of joint, so we don’t get above ourselves, so we remain miserable and confused”

Venedikt Yerofeev. Moscow Stations

I never thought I’d ever use this phrase when talking about the antivirus industry, but that’s what it’s come to. You know, not everything in this world progresses smoothly. Economic realities and the need for new customers often manage to lure even the best over to the dark side. This time, one of the best-known test labs in the AV industry – AV-TEST – has succumbed.

Comparative testing: A bit of background for the uninitiated

How do you go about picking the best of any particular product? And how do you know it’s the best? Well, you would probably start by looking at the results of comparative testing in a specialist magazine, or the online equivalent. I’m sure this is not news to you. The same goes for AV solutions – there are a number of test labs that evaluate and compare a huge variety of antivirus products and then publish the results.

Now, for some unknown reason (below I’ll try and guess why exactly) the renowned German test lab AV-TEST has quietly (there was no warning) modified its certification process. The changes mean that the certificates produced by the new rules are, to put it mildly, pretty useless for evaluating the merits of different AV products.

Yes, that’s right. I officially declare that AV-TEST certification of AV solutions for home users no longer allows product quality to be compared adequately. In other words, I strongly recommended not using their certificate listings as a guide when choosing a solution to protect your home PC. It would be natural to believe that two products that both have the same certification must be equal (or close to equal) in performance. With AV-TEST’s new certification standards, the onus is on the user to carefully investigate the actual results of each individual test…they may find that a product that blocked 99.9% of attacks has the same “certification” as a product that only blocked 55%.

avtest_cert_balance_blue

More: let’s take a closer look at what happened and why…

New viruses from Chelyabinsk so advanced they blow the mind.

Every day our valiant antivirus lab processes hundreds of thousands of files. Each single day! Admittedly, some of them turn out to be clean and honest files, or just broken code, innocent scripts, assorted scraps of data, etc., etc., etc., but mostly it’s maliciousness – a lot of which is analyzed and processed automatically (as I’ve already mentioned on these cyberpages).

But every now and again we come across some reeeaaal unusual items – something totally new and unexpected. Something that activates the little grey cells, makes the heart beat faster, and gets the adrenaline pumping. I mean things like Stuxnet, Flame, Gauss and Red October.

Anyway, it looks like we’ve found something else in this original-oddity category…

Yes, we’ve detected another malware-monster – a worm originating from the cyberstreets of the Russian Internet. What we were able to say straight off was that it surpasses in sophistication by a long way not only all known malicious programs today – including professional cyberspies and cyberweapons – but also any other known software – judging by the logic of the algorithms and the finesse of their coding.

Yes folks, this is big!

We’ve never come across such a level of complexity and perplexity of machine code with program logic like this. Analyzing the most complicated worms and Trojans normally takes several weeks – whereas this baby looked like it’d take years! Maybe several years!!! It’s just so darn elaborate and convoluted.

I don’t know a single software company that would have been able to develop such a beast. Nor any cybercriminals with their mostly primitive malware. Nor any of the secret services assumed to be behind the more artful malware that’s appeared in recent years. No. This new find simply cannot be the work of any of those three.

So… Are you sitting down? No? Change that.

I’d say it’s theoretically impossible to say that this code was written by a human being (glad to be seated now?).

This code is so infernally intricate that I fear this newly-discovered worm must have extraterrestrial origins.

Hohoho

But wait – there’s more…