Why I hate Security Press Releases

Dark Reading has a tendency of making announcements without knowing the industry. For instance, earlier this month they announced that Cylance was implementing an innovative idea: “a new way of thinking about security services delivery. Presponse is predictive pre-detection response that will not only detect a compromise inside an organization, but also determine its attack vector and source, and predict the most likely path of attack for the future.”

So innovative that in 2008 George Mason had not only thought of it but had built software to do just that, called CAULDRON (short for Combinatorial Analysis Utilizing Logical Dependencies Residing on Networks). “CAULDRON shows all possible attack paths into a network. These are then organized into an attack graph that conveys the impact of combined vulnerabilities on overall security.”

I can forgive a writer not knowing the facts. They trust that the person they interview has a deep knowledge of their subject. I do not expect a non-techie to know the industry well enough to know what research is and has been going on, even if that research resulted in operational software.

But then Dark Reading and the rest of the press make a big splash about viruses that can defeat automated analysis by looking for mouse movements and clicks.  It seems everyone wants to talk about the “Upclicker Trojan”.

Looking for human interaction has been the bread and butter for sandbox evasion.  It took just a couple of seconds to find a posting on Threat Geek talking about evading sandboxes by using mouse movement.

The term “non-trivial human interaction” is one that Fidelis Security has been using for the last year. I am sure they are looking at this wondering, “Why are they interviewing Symantec and not us? Don’t they know we know this shit?” They are not the only ones. ValidEdge calls the detection of these branches Hidden Payloads: “Hidden payload information provides invaluable insight into the ultimate intention of the malicious code before it is executed.”
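As an added illustration of the evasion described above (this is not code from the original post, nor from any vendor named in it), the following Python flags a sandbox API-call trace in which a sample repeatedly polls user-interaction APIs and only afterwards reaches file-drop or process-creation calls, which is the kind of branch a “hidden payload” analysis would surface. The trace lines, the API name lists and the `min_polls` threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sandbox API-call trace, one call per line: "<seq> <api>(<args>)".
# The sample polls the cursor until it moves (the "non-trivial human interaction"
# gate) and only then drops and launches its payload.
EVASIVE_TRACE = r"""
1 GetCursorPos() -> (0,0)
2 Sleep(500)
3 GetCursorPos() -> (0,0)
4 Sleep(500)
5 GetCursorPos() -> (0,0)
6 Sleep(500)
7 GetCursorPos() -> (0,0)
8 Sleep(500)
9 GetCursorPos() -> (412,233)
10 CreateFileW(C:\Users\Public\svc.exe)
11 WriteFile(...)
12 CreateProcessW(C:\Users\Public\svc.exe)
"""

# Constructed benign trace: a single cursor read, then ordinary file work.
BENIGN_TRACE = r"""
1 GetCursorPos() -> (100,100)
2 CreateFileW(C:\Users\Public\notes.txt)
3 WriteFile(...)
"""

# Win32 APIs commonly read to check for a live user, and APIs that mark payload activity.
INTERACTION_APIS = {"GetCursorPos", "GetAsyncKeyState", "GetKeyState", "GetLastInputInfo"}
PAYLOAD_APIS = {"CreateFileW", "WriteFile", "CreateProcessW", "WinExec", "VirtualAlloc"}
LINE = re.compile(r"^\d+\s+(\w+)\(")

def parse_trace(text):
    """Return the ordered list of API names in a trace, ignoring malformed lines."""
    return [m.group(1) for m in (LINE.match(l) for l in text.splitlines()) if m]

def human_interaction_gate(calls, min_polls=3):
    """Return a finding if at least min_polls interaction checks precede the first
    payload-like call (the trace's hidden branch), otherwise None."""
    first_payload = next((i for i, c in enumerate(calls) if c in PAYLOAD_APIS), None)
    if first_payload is None:
        return None
    polls = Counter(c for c in calls[:first_payload] if c in INTERACTION_APIS)
    if sum(polls.values()) < min_polls:
        return None
    return {"polls_before_payload": sum(polls.values()),
            "payload_index": first_payload, "polled_apis": dict(polls)}
```

A sandbox that simulates cursor movement and keystrokes before and during execution is the usual way to make such a sample take its hidden branch, so the payload-stage calls actually appear in the trace.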

I am not even a hardcore malware person and I know these tricks.  Two years ago I ran into a series of malicious JAR files that were games, which infected the system after the player reached a certain score.  That is non-trivial human interaction.  I spent the last three years talking about this type of evasion, to which I give SensePost the credit for talking about it first.  I think it was Blackhat 2003 that they talked about getting rid of web bots by requiring the interaction to occur via a mouse click on their home page.  But damn, that was so long ago. I can’t remember the details well enough to reiterate them properly.
