Showing posts with label Sophos. Show all posts

Saturday, September 4, 2010

Infinite Malware & Infinite Protection?

Infinite detection of malware? In Sophos' blog entry "To infinity and beyond" it's pointed out that there's an infinite number of malware threats (and that there'll be more tomorrow). It's also implied that customers are protected against these infinite threats by infinite detection capabilities - which is obviously taking the theme into some far-flung infinite parallel universe with infinitely better anti-virus solutions than we have in our particular reality.

Nevertheless, their perspective of infinite malware is quite correct. Given that malware can be dynamically generated (check out the paper on x-morphic attack engines), exhibit polymorphic capabilities and is generally created faster than it can be counted, captured and cataloged, then for all intents and purposes it is infinite.

Which means I have to chuckle when I hear or read any media coverage about the number of malware samples a particular vendor has captured and written detection signatures for. It's like saying "look, I tripped over 2,543,234 pieces of malware around the world last year and developed protection for each of them". Then, with my mathematician's hat on... infinite threats minus 2,543,234 discovered threats still leaves an infinite number of threats. Or, expressing detection coverage as a percentage of the scale of the threat: zero percent.

Obviously that's not precisely true. Anti-virus technologies are generally OK at detecting the stuff they've seen before, and with generic catch-all signatures they can often capture or label related families of malware as being malicious - or at the very least "suspicious". The problem tends to grow into frustration when practically every binary file downloaded from the Internet gets marked as "suspicious" - and hence the label becomes meaningless.

Despite all this, Sophos is spot on - there's an infinite number of malware out there, and there'll be more tomorrow. Welcome to the day after yesterday.

Friday, March 19, 2010

Comment Spam and SEO Campaign Apology

By way of an update to yesterday's blog covering my concerns over a comment spam and SEO campaign by Sophos (of which this blog was one such target), I received an apologetic email from Sophos early this morning and we exchanged a couple of follow-up responses.

Here's some of this morning's email apology:

I am mortified, as is everyone in our marketing team, that this has happened.

The messages were not posted on that guy's blog by an employee of Sophos, but by a worker at an external company hired by our marketing department.

We have called the company concerned in for a meeting today, and will be reading the riot act to them. Furthermore, we will be ensuring that this kind of activity stops immediately, as it runs counter to everything we believe in as a computer security company.

There's enough junk on the internet already - we don't need firms representing computer security companies adding to the problem with such inane and unprofessional posts.

We strive to be much much better than this, and on this occasion things went badly wrong. I'm genuinely sorry.

Just so you know, we are going to put better processes in place so that third party agencies understand what Sophos does and doesn't find acceptable in promoting our brand.

Thanks for the quick response Sophos. Apology accepted.

Thursday, March 18, 2010

Sophos - Stop Spamming Me and End Your SEO Campaign

Spam takes on many different forms. Sure, we're all familiar with the crap that makes it into our inbox, but what about the other stuff - like the stuff that appears as comments in our blog entries?

Blog comment spam is on the rise, particularly when it's used less as a direct advertising tool and more for Search Engine Optimization (SEO) attacks/manipulation. In most cases I've observed, the SEO-orientated blog spam has been initiated by the bad guys - looking to escalate their infectious drive-by Web sites to the top of search engine results.

Lately though, I've noticed that a well-known security vendor - Sophos - has been employing this tactic. For example, check out the following blog comment submissions (pending moderation):


For the last few weeks there have been similarly themed comment submissions, typically initiated by the same accounts and targeting the same blog entries (based upon keywords).

This tactic is common, and there are a number of tools designed to automate this kind of spam and SEO attack.

What's interesting (and annoying at the same time) is that this repeated spam appears to be initiated by Sophos. As you'll see in the three comments above, the word "malware" is hyperlinked and in all cases points back to http://www.sophos.com/products/malware-protection/
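On the moderation side, the pattern described above (the same keyword hyperlinked to the same site, repeated across accounts and posts) is easy to surface from the pending-comment queue. The following is an added example, not code from the original post: it clusters pending comments by (link domain, anchor keyword) and flags clusters that recur, generalising to any domain rather than the one named here. The comment data is constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of pending blog comments (hypothetical data, not from the
# original post). Each entry: (account, post_id, comment_html).
PENDING_COMMENTS = [
    ("user_a", "post-12", 'Great write-up on <a href="http://www.sophos.com/products/malware-protection/">malware</a> trends!'),
    ("user_a", "post-37", 'Interesting, <a href="http://www.sophos.com/products/malware-protection/">malware</a> keeps evolving.'),
    ("user_b", "post-12", 'Nice post, <a href="http://www.sophos.com/products/malware-protection/">Malware</a> is scary.'),
    ("user_c", "post-40", 'Thanks, I fixed the typo in the second paragraph.'),
    ("user_d", "post-12", 'See <a href="https://example.org/notes">my notes</a> for a related bug.'),
]

# Minimal anchor-tag matcher; enough for moderation-queue HTML, not a full parser.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)

def extract_links(html):
    """Return (domain, anchor_keyword) pairs for every <a> tag in a comment."""
    return [(urlparse(href).netloc.lower(), text.strip().lower())
            for href, text in ANCHOR_RE.findall(html)]

def find_seo_clusters(comments, min_hits=2):
    """Group comments by (domain, keyword) and keep the clusters that recur.

    Each cluster records how many comments, accounts and posts it spans, so a
    moderator can see keyword-targeted, cross-post campaigns at a glance."""
    clusters = defaultdict(lambda: {"count": 0, "accounts": set(), "posts": set()})
    for account, post_id, html in comments:
        for key in extract_links(html):
            clusters[key]["count"] += 1
            clusters[key]["accounts"].add(account)
            clusters[key]["posts"].add(post_id)
    return {k: v for k, v in clusters.items() if v["count"] >= min_hits}

def flagged_comments(comments, min_hits=2):
    """Indices of comments carrying a link that belongs to a recurring cluster."""
    hot = find_seo_clusters(comments, min_hits)
    return [i for i, (_, _, html) in enumerate(comments)
            if any(key in hot for key in extract_links(html))]

if __name__ == "__main__":
    for (domain, keyword), info in find_seo_clusters(PENDING_COMMENTS).items():
        print(f"{keyword!r} -> {domain}: {info['count']} comments, "
              f"{len(info['accounts'])} accounts, {len(info['posts'])} posts")
```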

I find this a pretty unsavory tactic, especially if it's initiated by a security company looking to be trusted by its customers.

Sophos - if you're listening - stop your comment spam campaign and end your SEO attacks. It's unprofessional.