May 09, 2008

Infected Firefox Add-in Demonstrates Need for Internal Code Protection

We've seen this threat before in the software piracy world, where illegal versions of antivirus products have been distributed via P2P networks with embedded malware. This latest story demonstrates the ease with which malware can cloak itself and be distributed within a legitimate application.

Mozilla unwittingly shipped the "W32/Xorer.A" worm embedded in a Firefox language pack. Although the story discusses the need for frequent virus scanning, malware writers could ensure that each time the file embeds itself, its signature is jittered to avoid detection. Imagine a scarier scenario where an enterprise or financial application becomes infected (by a compromised machine, insider threat, or offshore development) and the malware buried within the application is then distributed across thousands of desktops. Programming techniques exist that obscure the malware within application binaries and prevent it from being detected by virus scanners.

One option is to use software protection technology. By embedding runtime monitoring capabilities within an application file, the application can ensure its own integrity and prevent it from running in a tampered state no matter where it is distributed.
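As an added illustration (not code from this blog or from any vendor's product), the simplest form of such an integrity check verifies every file in a package against a manifest of SHA-256 digests before loading it. The file names and sample package contents are constructed for the example, and the manifest is assumed to come from a known-clean build over an authenticated channel.

```python
import hashlib
import io
import zipfile

def build_manifest(package_bytes):
    """Publisher side: record the SHA-256 of every file in the package."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest() for n in z.namelist()}

def verify_package(package_bytes, manifest):
    """Client side: return a sorted list of problems; empty means intact."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        names = set(z.namelist())
        for name in names - set(manifest):
            problems.append(f"unexpected file: {name}")
        for name, expected in manifest.items():
            if name not in names:
                problems.append(f"missing file: {name}")
            elif hashlib.sha256(z.read(name)).hexdigest() != expected:
                problems.append(f"modified file: {name}")
    return sorted(problems)

def load_if_intact(package_bytes, manifest):
    """Refuse to load a package that does not match its manifest."""
    problems = verify_package(package_bytes, manifest)
    if problems:
        raise RuntimeError("package rejected: " + "; ".join(problems))
    return True

def _make_package(files):
    """Build an in-memory zip archive (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: a clean package and a copy altered after release.
CLEAN = _make_package({"install.rdf": b"<RDF/>",
                       "chrome/locale.dtd": b'<!ENTITY ok "OK">'})
MANIFEST = build_manifest(CLEAN)
TAMPERED = _make_package({"install.rdf": b"<RDF/>",
                          "chrome/locale.dtd": b'<!ENTITY ok "OK"><!-- changed -->',
                          "chrome/extra.js": b"// added after release"})
```

A check like this only catches changes made after the manifest was produced; if the build itself was already infected when the manifest was generated, the hashes will match.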

May 08, 2008

Crackers – A Lesson in Channel Marketing?

The Department of Justice announced the sentencing of a cracker to 30 months in prison – read the full press release here. This case was part of "Operation Copycat" which has resulted in over 40 convictions. It appears that in this case Mr. Fish was caught circumventing the licensing and encryption technology being used to protect software and DVDs and was quite busy within the groups, with over 13,000 software and other assets being pirated.

As many of you know, warez groups are made up of individuals that fulfill specific roles, and this announcement did a good job of describing some of the roles, which I’ve expanded on below.

  • Cracker/encoder - reverse engineers and circumvents copy protection, code protection, and licensing schemes
  • Packager - builds and tests crack software for release
  • Equipment Supplier - provides hardware and computers for the group
  • Supplier - acquires software from within the vendor or their supply chain to be provided to the group for cracking and distribution
  • Broker - finds groups to participate and recruits crackers
  • Courier - distributes crack releases

It doesn’t take a lot of imagination to see how this model mirrors how many software vendors market and sell their software. As I’ve said before, piracy groups have become their own ISVs - they've got developers, testers and distribution.

This raises a couple of interesting questions: how can software vendors minimize the impact of piracy and is there anything they can learn from the pirates’ “business model?”

April 21, 2008

The Stars Were Out at RSA 2008

Since this is my first post to the V.i. Labs Software Protection blog, an introduction probably makes sense: I'm the marketing manager at V.i. Labs and work with your usual blogger, Vic.

It’s been over a week since it ended, but I’ve finally recovered from RSA 2008 in San Francisco (April 7-10). While there’s already been some interesting commentary on the RSA conference, I’m surprised that there hasn’t been more discussion on all the celebrities that were in attendance. Apparently, the aisles were a virtual red carpet – just from the V.i. Labs booth we saw Omarosa and Bono (click the link for video or see it below). I’m still not exactly sure why they were there – when you attend the RSA conference you expect to see Art Coviello, not news crews from “Entertainment Tonight.”

What I am sure about is the interest we saw in software protection. To be sure, most of the attendees were focused on traditional information security topics – authentication, access control, perimeter security, etc. It was interesting to see the number of attendees and exhibitors who had already been thinking about protecting their applications from tampering or code theft (especially for those folks developing for Microsoft .NET). Even better, there were other exhibitors addressing various aspects of software protection – a positive sign of market interest and need.

- Michael

March 28, 2008

Compass Bank Data Breach

An insider breach was reported at Compass Bank, see "Insider theft case at Compass Bank affected more than 1M customers". According to the Compass Bank Web site, they have 420 full-service banking centers. Securing branch banking centers is an immense challenge for protecting customer data and financial applications. Branch banks may not have the security expertise and sophistication of larger institutions yet host sensitive applications.

-Vic

March 22, 2008

USPTO's Program for Protecting IP Theft in China

The United States Patent and Trademark Office (USPTO) announced a new program for businesses to help protect against counterfeiting and piracy. The focus of the seminar appears to be drafting enforceable IP agreements. Although needed, when it comes to software products and digital assets, agreements need to be coupled with software protection approaches to be effective. Some interesting data was included in the release:

"China was the number one source of counterfeit products seized by U.S. Customs and Border Protection (CBP) in 2007, accounting for 80 percent of all seizures."

"piracy and counterfeiting - which cost the American economy approximately $250 billion annually"

February 26, 2008

Combating piracy by lowering software prices?

SIIA’s Anti-piracy division 2007 year in review report lists the top pirated software titles. They include some of the most popular and used software in both the consumer and business space. If I exclude Adobe Creative Suite and AutoCAD, the software prices average out to $88 per user (using Google pricing searches; see below). I believe many of these titles can remove themselves from this list by adopting a SaaS model. Given their price point and popularity, I believe these vendors could see a significant drop in piracy by lowering the dependence of revenue on software installs and generating more of their revenue from online subscriptions and services. Vendors of higher value software (like EDA, CAE, and other specialized engineering software) have less of an opportunity to do this since their software must often operate offline and most of their functionality is in place with their client software. These vendors have and will continue to fight piracy with legal and software protection strategies.

2007 Software Titles Most Frequently Pirated By Companies 
Symantec Norton Anti-Virus  $20
Adobe Acrobat    $88
Symantec PC Anywhere  $199
Adobe PhotoShop   $289
Autodesk AutoCAD   $1,700
Adobe DreamWeaver  $298
Roxio Easy CD/DVD Creator $24
Roxio Toast Titanium   $49
Ipswitch WS_FTP   $89
Nero Ultra Edition   $89
McAfee Virus Scan   $65
McAfee Internet Security Suite $65
Intuit TurboTax   $40
Intuit Quicken Home & Business $60
Symantec Norton Ghost   $65
Adobe Creative Suite   $2,000

Average price Without Autodesk AutoCAD and Adobe Creative Suite = $88

February 11, 2008

China's anti-piracy efforts

After reading this recent article on the success of China's anti-piracy efforts, I realized how difficult it will be for specialized or high value software vendors to see the same gains. The article describes how "China had launched a crackdown and ordered authorities to buy computers with pre-installed legitimate software". In addition, it was also reported that 3,600 enterprises had come under the government’s "scanning". However, the applications they targeted are primarily the ones that come loaded on OEM machines (i.e. Adobe, Symantec, etc.). Buying legit pre-installed software will do nothing to prevent the pirating of specialized EDA, CAE, and other high value applications used to design and produce products in China.

-Vic

February 01, 2008

Hardening Active X Controls Used By Facebook and MySpace

As evidenced by the vulnerability discovered in Active X controls used by Facebook and MySpace (see Gregg Keizer's Computerworld article), Active X based applications are, in general, great candidates for application hardening and protection approaches. In my own experience with gaming providers who use the same technology to enable on-line gaming, the application code is cached and executed on the desktop, which makes it a prime target for reverse engineering and malicious tampering. Hardening the code and enabling real time tampering checks with a backend server would offer a strong deterrent against tampering of these components as well as discovery of the exploit itself.

-Vic
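A sketch of the kind of server-backed tamper check the post above describes, added here as an illustration and not taken from any product: the backend issues a fresh nonce, the client answers with an HMAC of the component bytes it has cached, keyed by that nonce, and the backend compares the answer against its own copy of the released component. The class and function names and the sample component bytes are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

class TamperCheckServer:
    """Holds the released component bytes and issues single-use challenges."""

    def __init__(self, released_component):
        self._reference = released_component
        self._pending = set()

    def issue_challenge(self):
        # A fresh random nonce per check means an old answer cannot be reused.
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce, response):
        # Unknown or already-used nonces are rejected outright.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        expected = hmac.new(nonce, self._reference, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_response(nonce, cached_component):
    """Client side: bind the server's nonce to the bytes cached locally."""
    return hmac.new(nonce, cached_component, hashlib.sha256).digest()

# Constructed sample data: the released control and a locally modified copy.
RELEASED = b"control-v1: upload(file) -> validate(file) -> send(file)"
MODIFIED = RELEASED.replace(b"validate(file) -> ", b"")

def run_check(server, cached_component):
    """One full exchange; returns True only if the cached bytes match."""
    nonce = server.issue_challenge()
    return server.verify(nonce, client_response(nonce, cached_component))
```

This is a deterrent in the sense the post uses the word: it flags a cached component whose bytes differ from the release, and the server-side log of failed checks is where tampering would first become visible.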

January 31, 2008

Feb 21st Forrester / V.i. Labs Webinar: Best Practices for Protecting .NET Applications

Just wanted to discuss the reason why we chose this Web seminar subject. We considered many topics that were relevant to the software protection space like anti-piracy, gaming security and others. However, I have personally noted a significant trend in the markets we focus on (high value software vendors and enterprise application developers) – more and more organizations are adopting the Microsoft .NET framework for application development and at the same time realizing the challenge of securing the code from decompiling.

For example, we had a recent prospect that had performed an open source audit of their application code and was very surprised by the level of source code information visible within their .NET binaries. My belief is that this issue has been well known at the developer level, but is only now gaining visibility within the corporate counsel and business unit levels because of the threat to their IP resident within the software applications.

We also approached Chenxi Wang from Forrester because of her expertise and interest in this area. In fact she did her doctoral thesis in software (see her bio here). So if you have a chance, please join us for the Webinar – I believe you will find it informative and not the typical product pitch.

-Vic

January 14, 2008

Another Scare With Software Development Outsourcing

What do Solidworks, Alibre Inc, and InterOp Software have in common?

They were all victims of source code theft by disgruntled employees of these organizations' international outsourcing partners. The InterOp incident was reported by an Indian news service. See additional discussion on Steve Gold's SecurityWatch blog. It involved an employee of 3DPLM Software Solutions, an India-based outsource development company, sending InterOp’s source code to the employee’s husband before she resigned. 3DPLM put the value of the source code at $12M. No discussion on the motive, but I would guess she had a new job with one of InterOp's competitors.

-Vic