Anti-malware's backward brother  
Posted by Gunter Ollmann on October 15, 2007 at 10:41 AM EDT.

A couple of weeks ago I was asked by a journalist to go into a little more depth about the increase in malware being observed.  As you’ve probably noted, the mid-year X-Force threat report pointed out that nearly as much malware was captured and analyzed within the first six months of 2007 as for the whole of 2006: 210,000 distinct samples of malware.  Now, when I say distinct, what I mean is that each sample had its own “unique” arrangement of bytes, and therefore its own MD5 checksum, rather than merely a unique filename.

However, the tactics used in now-common serial-variant attacks (different code compression techniques, different packers, file chaffing) all change the bytes of the file and therefore its MD5 checksum, so this sample figure isn’t the same as a count of distinct families of malware.
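To make the distinction between “MD5-distinct” and “family-distinct” concrete, here is a small added example (not code from the original post or from X-Force). It builds a synthetic stand-in for one malware family, derives chaffed and toy-packed variants from it, and compares two ways of counting: by MD5, as the report does, and by a crude byte 4-gram similarity clustering that stands in for fuzzy hashing. The family payload, the toy XOR packer and the 0.6 similarity threshold are all constructed for the illustration.

```python
import hashlib
import random

# Constructed stand-in for one malware "family": an MZ-like header, a repeated
# byte table and a C&C string. Synthetic data for this example, not a real sample.
FAMILY_CORE = (
    b"MZ" + b"\x90" * 14
    + b"This program cannot be run in DOS mode.\r\n"
    + bytes(range(256)) * 8
    + b"GET /gate.php?id=%s HTTP/1.1\r\n"
    + b"\x00" * 64
)


def md5_hex(data: bytes) -> str:
    """The identity the post counts by: one MD5 per distinct byte string."""
    return hashlib.md5(data).hexdigest()


def chaff(sample: bytes, n_bytes: int, seed: int) -> bytes:
    """File chaffing: append junk bytes. The code is untouched, the MD5 is new."""
    rng = random.Random(seed)  # seeded so the example is deterministic
    return sample + bytes(rng.getrandbits(8) for _ in range(n_bytes))


def repack(sample: bytes, key: int) -> bytes:
    """Toy 'packer' (an assumption for the example): a tiny stub followed by the
    body XORed with a one-byte key. Real packers are far more elaborate, but the
    effect on byte-level similarity is the same."""
    stub = b"MZ" + b"\x00" * 14 + b"TOYSTUB" + bytes([key])
    return stub + bytes(b ^ key for b in sample)


def byte_ngrams(data: bytes, n: int = 4) -> set:
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: bytes, b: bytes) -> float:
    """Byte 4-gram Jaccard similarity: a crude stand-in for fuzzy hashing."""
    sa, sb = byte_ngrams(a), byte_ngrams(b)
    return len(sa & sb) / len(sa | sb)


def count_distinct_md5(samples) -> int:
    return len({md5_hex(s) for s in samples})


def cluster_by_similarity(samples, threshold: float = 0.6):
    """Greedy single-linkage clustering: a sample joins the first cluster that
    contains a member at least `threshold` similar to it, else starts a new
    cluster. Returns a list of clusters, each a list of sample indices."""
    clusters = []
    for i, s in enumerate(samples):
        for cluster in clusters:
            if any(jaccard(s, samples[j]) >= threshold for j in cluster):
                cluster.append(i)
                break
        else:
            clusters.append([i])
    return clusters


# Five "captured samples": the core, two chaffed copies, two repacked copies.
SAMPLES = [
    FAMILY_CORE,
    chaff(FAMILY_CORE, 64, seed=1),
    chaff(FAMILY_CORE, 128, seed=2),
    repack(FAMILY_CORE, 0x5A),
    repack(FAMILY_CORE, 0x33),
]

if __name__ == "__main__":
    print("distinct by MD5:", count_distinct_md5(SAMPLES))  # 5
    for members in cluster_by_similarity(SAMPLES):
        print("cluster:", members)
    # The chaffed copies cluster with the core; the repacked copies do not, so
    # even similarity measures over-count until samples are unpacked.
```

The five byte strings are five MD5-distinct “samples” but one family. Similarity hashing collapses the chaffed variants, which is why sharing communities exchange samples rather than just hash lists, but the two repacked variants still land in separate clusters: only unpacking, or matching on behaviour, brings the count down to the one family actually in play.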

A sharing, caring community

An obvious question relates to how IBM ISS happened to get its hands on so many new malware threats.  While we certainly have quite a few systems that automatically capture samples, be they anti-spam services, honeynets, darknets or whatever, the majority of samples gathered and analyzed by the X-Force come through malware sharing communities (which is why so many anti-virus vendors appear to report roughly the same numbers).

In the anti-malware world, these malware sharing communities are invaluable.  In fact they’re so valuable that they’re free, with the ‘cost’ of admission being trust and reputation: not so much that of the company or vendor, but rather the personal trust and reputation of the researchers themselves.  Because of this ever-vigilant community, once a new form of malware has been discovered by any of its members, any other member can obtain a copy so their company can test or develop appropriate protection.

If only the same were true of the vulnerability community.

An anti-vulnerability community?

Granted, the anti-malware business has been around for about a decade longer than the “anti-vulnerability” business (I’d include IDS/IPS and vulnerability scanning together in this), but it’s still disheartening how little trust or sharing there is in this younger community, particularly between security vendors.

You’d think that, given the number of vulnerabilities being publicly disclosed, combined with the numbers actually discovered through normal business operations (see my earlier blog entry on counting vulnerabilities), vulnerability discovery was just another commodity.

From my perspective it is a commodity; however, the lack of information sharing seriously hampers the efficient development of protection for all vendors, whether or not they happen to be vendors in the security business.

At first glance you’d have thought that the first-ever decrease in the vulnerability trend would be great news (X-Force reported a three percent drop in disclosures for the first half of this year compared to 2006), but in reality it would appear that this drop can probably be attributed to the growing market for selling vulnerability information rather than to a drop in actual discovery rates.  Perhaps the numbers have also become so great that businesses have become anesthetized to them: just another damning statistic on a “scary stats” slide in some security consultant’s presentation.

The fact that vendors don’t readily share this type of information amongst those that can add protection for their mutual customers perhaps reflects the relative immaturity of the anti-vulnerability business when compared to the anti-malware business.  It certainly doesn’t help when fringe security vendors insist on embarking on vulnerability purchase schemes and auction programs, creating an artificial commercial market for vulnerability information.

Tight lips, sink ships?

Consider for a moment all those vendors around the world that provide network protection against vulnerability exploitation.  I don’t know how many of them there are (where’s an analyst when you need one?), but I’d guess that there are several hundred “notable” ones.  When a new vulnerability gets disclosed, the research teams and protection engineers at each of those vendors must understand it.  Depending on their capability to do so, and the priority assigned to researching it, hopefully they’ll release some kind of protection update.

In effect, each security vendor is basically reinventing the wheel for every vulnerability they cover. 

Well, that doesn’t make a lot of sense to me.

OK, you may think “who cares, the security business is supposed to be competitive”.  But consider that practically any business you care to name relies upon protection technologies from multiple vendors, so in reality the end customer is the one paying for this repetitive wheel invention.

In my opinion the vulnerability protection world really needs to quickly borrow a few leaves from the anti-malware community’s book of efficient business practices, and to start sharing information between trusted sources (whether at a personal or a vendor level).  All these gifted vulnerability researchers and reverse engineers should be working on protection technologies that stop entire classes of threat, rather than having to re-dissect yet another disclosed vulnerability that is probably being simultaneously studied by a couple of hundred other researchers around the world.

Fingers crossed that the anti-vulnerability community can close the anti-malware community’s decade-old head start in sharing within a much shorter period.

    Copyright 2001-2007 © Gunter Ollmann