Other speakers included Anthony Clark and Danny Quist of Offensive Computing, who gave a talk on "Malware Secrets," based on their research and collection of 275,000 malware samples. Their talk included an overview of the economics of malware, which I believe is essential for understanding how best to combat it. They looked at the underground economy fairly narrowly, focused on malware itself and the cycle of its production, use, reverse engineering by whitehats, development of antivirus patterns, and then demand for new undetectable malware, and observed that in that particular cycle it's probably the legitimate security companies such as antivirus and IDS vendors who make the most money. They didn't really look at the broader features of the underground economy, such as how botnets are used as infrastructure for criminal enterprises, or the division of criminal labor into different roles to disperse risk, though they certainly mentioned the use of compromised machines for spamming and phishing attacks. They skipped over some of the technical details of their work on automating the unpacking and decryption of malware, which was probably appropriate given the mixed levels of technical background in this audience. A particularly noteworthy feature of their research was their list of features of antivirus software that should be examined when making a purchase decision--performance, detection rates, miss rates, false positive rates, system intrusiveness, a product's own security, ease of mass deployment, speed, update frequency, use of signatures vs. other detection methods, ability to clean, capabilities with various categories of malware (rootkits, trojans, worms, backdoors, spyware), and ability to detect in real time vs. during a scan.
Alex Quintana of Sandia National Labs also spoke about current trends in malware, in the most frightening talk of the conference. He talked about how malware has gone from something that attacks exposed servers on the Internet to something that individual clients pull to their machines from the Internet, usually via drive-by downloads. He demonstrated real examples of malware attacks via web pages and via Shockwave Flash, PowerPoint, and Word documents, and explained how one of his colleagues has coined the word "snares" for emails or web pages that lure individuals into targeted drive-by malware downloads. There was a wealth of interesting detail in his presentation, about trojans that use covert tunnels and hiding techniques, injecting themselves into other running processes, using alternate data streams, and obfuscated information in HTTP headers and on web pages. One trojan he described rides on removable media such as USB thumbdrives and runs when inserted into a PC thanks to Windows Autorun; it drops one component that phones home to accept instructions from a command and control server, and another that causes the malware to be written out on any other removable device inserted into the machine. It's a return of the old-fashioned virus vector of moving from machine to machine via removable media rather than over the network.
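The removable-media vector just described depends on Windows reading an autorun.inf at the root of the inserted drive and acting on its [autorun] section. As an added example (not code from the talk or from this post), here is a small Python heuristic that parses that file and flags the entries that cause code to run, as distinct from cosmetic keys such as icon= and label=. Both autorun.inf samples in it are constructed, and the RECYCLER\update.exe dropper path is hypothetical.

```python
"""Heuristic scanner for autorun.inf files found on removable media.

Added example, not code from the talk or the original post. It assumes the
classic Windows Autorun behaviour referred to above: on insertion, Windows
reads the [autorun] section of autorun.inf at the drive root and may run
the program named by open= or shellexecute=, or by a shell\\<verb>\\command
entry when the user picks that verb from the drive's context menu.
Both sample files below are constructed; the folder and file names in them
are hypothetical.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Keys whose value is executed on insertion (cosmetic keys such as icon= and
# label= are deliberately not in this set).
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command= wires a program to a context-menu verb on the drive.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")


@dataclass
class AutorunFinding:
    key: str
    value: str
    reason: str


def parse_autorun(text: str) -> dict[str, str]:
    """Parse the [autorun] section of an autorun.inf into a dict.

    The file is INI-like: keys are case-insensitive (normalised to lower case
    here), ';' starts a comment, and sections other than [autorun] are ignored.
    """
    entries: dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries


def analyze_autorun(text: str) -> list[AutorunFinding]:
    """Return one finding per entry that would run code or mislead the user."""
    entries = parse_autorun(text)
    findings: list[AutorunFinding] = []
    for key, value in entries.items():
        if key in EXEC_KEYS:
            findings.append(AutorunFinding(key, value, "runs a program on insertion"))
        elif SHELL_COMMAND_RE.match(key):
            findings.append(AutorunFinding(key, value, "runs a program from the drive's context menu"))
    # Legitimate discs do use open=, so note the hiding tricks that separate
    # a driver CD from a dropper: a payload parked in a RECYCLER-style or
    # dot-prefixed folder, or an action= caption that copies Explorer's own
    # "Open folder to view files" so the AutoPlay prompt looks harmless.
    for finding in findings:
        low = finding.value.lower()
        if "recycler" in low or "\\." in low or low.startswith("."):
            finding.reason += "; payload sits in a hidden or recycle-bin style folder"
    action = entries.get("action", "")
    if "open folder" in action.lower() or "view files" in action.lower():
        findings.append(AutorunFinding("action", action, "prompt text mimics the default Explorer choice"))
    return findings


def is_suspicious(text: str) -> bool:
    return bool(analyze_autorun(text))


# Constructed sample: a vendor driver disc that only sets an icon and label.
BENIGN_SAMPLE = r"""[autorun]
icon=setup.exe,0
label=Vendor Driver Disc
"""

# Constructed sample modelled on the USB-borne trojan described above;
# RECYCLER\update.exe is a hypothetical dropper path, not a real indicator.
MALICIOUS_SAMPLE = r"""[autorun]
open=RECYCLER\update.exe ; runs when the drive is inserted
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\update.exe
shell\explore\command=RECYCLER\update.exe
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("malicious", MALICIOUS_SAMPLE)):
        print(f"{name}: suspicious={is_suspicious(sample)}")
        for f in analyze_autorun(sample):
            print(f"  {f.key}={f.value!r}: {f.reason}")
```

Run it against the autorun.inf at the root of any drive you are about to plug into a managed machine. The scanner is a triage aid, not a defense: the actual mitigation for this vector is to disable Autorun for removable drives through Group Policy (the NoDriveTypeAutoRun setting) so the file is never acted on in the first place.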
From law enforcement, there were presentations from Melissa McBee-Anderson of the Internet Crime Complaint Center (IC3, another public-private partnership, which acts as a clearinghouse for Internet crime complaints and makes referrals of complaints to appropriate federal, state, local, and international law enforcement agencies) and from various agents of the Cyber Squad of the Albuquerque FBI office. These presentations were somewhat disappointing in that they demonstrated how huge the problem is, yet how few prosecutions occur. For example, after the 2004 tsunami disasters, there were over 700 fake online charities set up to prey on people's generosity after a disaster, yet only a single prosecution came of it. In 2005, the number of fake online charities for hurricanes Katrina and Rita was over 7,000, yet only five prosecutions came of those, including one in Albuquerque. Yet even that "successful" prosecution led to no jail time, only community service and probation. Frank Abagnale's presentation also included some woeful statistics about prosecutions for white collar crime and check fraud that explicitly made the same point that was implicit in several of the law enforcement presentations. To IC3's credit, however, they showed an example of a link chart generated from their crime complaint data, a very tiny portion of which was brought to them by a law enforcement agency seeking more information, the rest of which came from multiple received complaints. That link chart showed many interconnected events by five organized fraud gangs. Ms. McBee-Anderson also reported on successful international prosecutions against individuals at Lagos, Nigeria's "walking Wal-Mart," where people were selling goods purchased with stolen credit card information and using forged cashier's checks. (I'm still amazed that anyone actually falls for the Nigerian online fraud schemes, but they do.)
The conference did a good job of making clear some specific threats and offering recommendations on necessary (yet unfortunately individually insufficient) defenses. It's quite clear that relying solely on law enforcement to provide you with a remedy after the fact is a bad idea. It's essential that private enterprises take preventative measures to protect themselves, and use a layered, defense-in-depth approach to do so.