Tuesday, 25 March 2014

APT testing like it's 2004

Is it time to start testing anti-virus software using methods I last employed ten years ago?

While constructing a timeline for Dennis Technology Labs, the security testing venture I started in 2008, I realised that I've been involved in anti-malware testing for over a decade.

This is because, as a journalist, I used to test anti-malware software every year or so, probably from around 2000.

It seems that some of the rather 'edgy' testing techniques I used in the early days are coming into fashion now that 'Advanced Persistent Threats' (APTs) are perceived as being a significant threat.

Looking through my files I found one of the first anti-virus tests I ever published, in the now defunct Computer Buyer magazine.

The report (PDF), which appeared in 2004, contains this description of how I conducted the tests:
"Anti-virus programs should be able to detect the current, high-threat files being sent around the internet. Our test files included some of the most virulent and commonly found viruses, as well as well-known backdoor Trojans and harmful Visual Basic scripts that we generated using well-known virus-generation tools. None of these files should pose any problem to a decent scanner. We compressed copies of each into Zip files, too.

Finally, just to add a bit of a challenge, we also used a few tricks to disguise the backdoor files. These tricks rely on freely available executable packers and a wrapper program that can attach the backdoor to another, more innocent file – in our case, Windows’ Minesweeper game. Whoever runs the game can play it, but will also unwittingly hand over control of their PC to the attacker. All the tests were run in Windows XP Professional."
What the article doesn't mention there, but alludes to in the individual product reviews, is that I ran all files and monitored their behaviour to ensure that they were actually a threat to the system.

For example, I would try to connect to the BackOrifice Trojan used (but not named) in this test, and control the victim system remotely.

Here's an extract from the Norton Antivirus 2004 product review:
"Even when we increased the heuristic level to the Highest setting, our backdoor Trojans were able to enter and operate on the system unhindered."
Clearly such a small test provides the reviewer with time to play with configurations. This doesn't really scale when handling hundreds of malicious URLs and dozens of anti-malware programs.

I received a lot of angst from the anti-virus industry whenever one of these reviews was published. The people I spoke to at those companies really didn't like the idea of testers 'creating' threats, whether or not they used easily-available tools and well-known techniques.

Judging by some of the conversations I'm having with companies producing anti-APT solutions it might be time to start digging out the old BackOrifice, eLiTeWrap and UPX packer tools.

Thursday, 13 March 2014

Retro: Windows 98 end-of-life

I wrote the following column for Computer Shopper magazine when Microsoft ceased providing security updates for Windows 98.

It seems appropriate to republish it now, as Windows XP is on the verge of the same fate.

October 2006
Computer Shopper magazine #224
Rants & Raves

So long, Windows 98. Rest in peace. When you were born you made getting online easier, you made using large hard disks possible and you were easier to install.

You had a new desktop system that not only allowed users to display web content live from slow and expensive dial-up connections, but regularly caused the system to crash.

You helped destroy Netscape’s business with your integrated web browser, simultaneously heralding the beginning of years of security problems for Windows users, and your integrated Media Player was judged anti-competitive, too.

So long, Windows 98. Rot In Pieces.

After eight years, Microsoft has pulled the plug on Windows 98. No longer will the company provide updates, even if (or rather, when) further security holes are found. The same goes for Windows Me. That’s OK, though, because no-one uses Windows 98/Me any more. No-one except the estimated remaining 70 million users.
So who is using Windows 98 these days? My guess would be a mixture of people who are non-technical and those who can’t afford to buy a PC every few years. The original date for termination of Windows 98 support was 2003. It is thought that pleas from the developing world persuaded Microsoft to issue updates for a further three years. There will also be plenty of people who could afford a new computer but don’t see any reason to do so – if it still works, why worry?

If these people don’t use the internet, there is no real reason to upgrade. As long as they’re happy with their PC’s performance, don’t share files with anyone and don’t try anything clever with wireless networks then they should be reasonably safe to continue.

For now, you can still buy Windows 98-compatible firewalls and antivirus software, and the free Firefox web browser is also available from www.mozilla.org, so most internet risks can be reduced, even if you do want to browse the web and collect email safely using your old PC.

Radio 5 Live called me this month to find out if listeners should just buy a new Windows XP PC and have done with it. I wanted to say, “No, just keep your third-party security software up to date, install a different web browser and email client and it will be OK”. But buying a new PC is the easiest way forward. The fact that you can buy a reasonable Dell laptop for £399 makes the decision easier still.
There is an argument that you should wait for Windows Vista to arrive before buying a new PC because, before you know it, Windows XP will be at the end of its life, too. But that means spending hours locking down your Windows 98 machine (and are you really sure you’ve done it right?) for just six months of operation before Vista supposedly arrives. Is it worth your time?

If you are very technically minded, you could install a Linux distribution on your old PC and breathe new life into it. You might even find it runs faster. You might also find you can’t get it working at all, but that’s all part of the fun.

The missus has a laptop that runs Windows 98. It’s a small, slim, silver machine that runs fast and performs the basic internet-based tasks for which it was bought. I am ashamed to admit that it doesn't even have a firewall or anti-virus software installed on it, although it does operate behind a hardware firewall.

It has never shown any symptom of viruses or spyware*, mainly because it is only used for about half an hour a week to check a Gmail account, which is scanned for viruses by Google. We discussed the options, including hardware upgrades and the Linux route.

This discussion was short, and I was made clearly aware that the way forward involved the minimum amount of time with the computer in pieces on the living room floor and the minimum number of late nights featuring me swearing at installation screens in the spare room.

We decided to buy a cheap £399 replacement laptop that will run Windows XP Home for the next few years. If you are one of the 70 million Windows 98 users out there, that is my advice to you, too.

* I am aware of how naive this sounds these days.