May 09, 2008

Infected Firefox Add-in Demonstrates Need for Internal Code Protection

We've seen this threat before in the software piracy world, where illegal versions of antivirus products have been distributed via P2P networks with embedded malware. This latest story demonstrates the ease with which malware can cloak itself and be distributed within a legitimate application.

Mozilla unwittingly shipped the "W32/Xorer.A" worm embedded in a Firefox language pack. Although the story discusses the need for frequent virus scanning, malware writers could ensure that each time the file embeds itself, its signature is jittered to avoid detection. Imagine a scarier scenario where an enterprise or financial application becomes infected (by a compromised machine, insider threat, or offshore development) and the malware buried within the application is then distributed across thousands of desktops. Programming techniques exist that obscure the malware within application binaries and prevent it from being detected by virus scanners.

One option is to use software protection technology. By embedding runtime monitoring capabilities within an application file, the application can ensure its own integrity and prevent it from running in a tampered state no matter where it is distributed.
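The self-integrity idea above, as an added example (not code from the original post or from any vendor's product): a release step records a SHA-256 digest for every shipped file, and a startup step reports anything changed, removed or added since. The file names, `MANIFEST_KEY` and the HMAC tag are assumptions; HMAC stands in for an asymmetric signature checked with an embedded public key, and a commercial protection layer would also harden the check itself against being patched out.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed demo key; HMAC is a stdlib stand-in for a real code signature.
MANIFEST_KEY = b"constructed-demo-key"

def _files(root):
    """Map each file's relative path to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def _tag(files):
    """Authenticate the digest list so the manifest cannot be edited silently."""
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()

def build_manifest(root):
    """Release step: digest every shipped file, then authenticate the list."""
    files = _files(root)
    return {"files": files, "tag": _tag(files)}

def verify_install(root, manifest):
    """Startup step: list changes made after the manifest was built.
    An empty list means the install matches what was released."""
    if not hmac.compare_digest(_tag(manifest["files"]), manifest["tag"]):
        return ["manifest: authentication tag mismatch"]
    expected, actual = manifest["files"], _files(root)
    problems = [f"{n}: missing" for n in expected if n not in actual]
    problems += [f"{n}: modified" for n in expected
                 if n in actual and actual[n] != expected[n]]
    problems += [f"{n}: not in manifest" for n in actual if n not in expected]
    return sorted(problems)

def demo():
    """Constructed install tree: verify clean, then after a simulated change."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "langpack").mkdir()
        (root / "app.bin").write_bytes(b"constructed application body")
        (root / "langpack" / "strings.txt").write_bytes(b"greeting=Hello")
        manifest = build_manifest(root)
        clean = verify_install(root, manifest)
        (root / "langpack" / "strings.txt").write_bytes(b"greeting=Hello\nextra")
        (root / "langpack" / "added.bin").write_bytes(b"constructed extra file")
        return clean, verify_install(root, manifest)

if __name__ == "__main__":
    print(demo())
```

A check like this only catches changes made after the manifest was produced; content that was already in the tree when the manifest was built is recorded as legitimate.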

April 21, 2008

The Stars Were Out at RSA 2008

Since this is my first post to the V.i. Labs Software Protection blog, an introduction probably makes sense: I'm the marketing manager at V.i. Labs and work with your usual blogger, Vic.

It’s been over a week since it ended, but I’ve finally recovered from RSA 2008 in San Francisco (April 7-10). While there’s already been some interesting commentary on the RSA conference, I’m surprised that there hasn’t been more discussion on all the celebrities that were in attendance. Apparently, the aisles were a virtual red carpet – just from the V.i. Labs booth we saw Omarosa and Bono (click the link for video or see it below). I’m still not exactly sure why they were there – when you attend the RSA conference you expect to see Art Coviello, not news crews from “Entertainment Tonight.”

What I am sure about is the interest we saw in software protection. To be sure, most of the attendees were focused on traditional information security topics – authentication, access control, perimeter security, etc. It was interesting to see the number of attendees and exhibitors who had already been thinking about protecting their applications from tampering or code theft (especially for those folks developing for Microsoft .NET). Even better, there were other exhibitors addressing various aspects of software protection – a positive sign of market interest and need.

- Michael

February 01, 2008

Hardening Active X Controls Used By Facebook and MySpace

As evidenced by the vulnerability discovered in Active X controls used by Facebook and MySpace (see Gregg Keizer's Computerworld article), Active X-based applications are, in general, great candidates for application hardening and protection approaches. In my own experience with gaming providers who use the same technology to enable on-line gaming, the application code is cached and executed on the desktop, which makes it a prime target for reverse engineering and malicious tampering. Hardening the code and enabling real-time tampering checks with a backend server would offer a strong deterrent against tampering with these components as well as discovery of the exploit itself.

-Vic

September 26, 2007

Differentiating Software protection from Copy protection

Laurentiu Cristofer’s blog discusses the differences between security and copy protection. I agree with his points and the eventual comparison between security and obfuscation. However, the discussion needs to differentiate between copy protection and software protection technology.

Copy protection solutions attempt to control the usage of applications and the number of machines software can be installed on. Although technology in this space may share certain software protection capabilities (e.g. encryption, obfuscation), in my opinion they are a closer cousin to software licensing and DRM systems.

Software protection technology is squarely focused on creating technology that makes it expensive and time-consuming to reverse engineer valuable software. I would have to agree with the classification that it falls more under obfuscation than security, but I believe software protection is a specialized technology and has wider applicability than copy protection. For example, software protection can be used effectively to prevent decompiling of .NET applications; without it, the intermediate-level code is subject to a variety of threats from individuals with only novice software skills using any publicly available tools. In the piracy realm, reverse engineering is used to bypass licensing and copy protection schemes at the machine code level, but again, using obfuscation, run-time re-encryption, and anti-debugging and anti-tampering techniques, you can deter this by layering protection on top of licensing in a way that is unique to each software title. This can prevent a “class break” as well as require increasingly higher skill levels to crack the protection.

Again, because software has to be available unprotected for the CPU, it's not absolute security, but I liken the value of this technology to protecting your house. Depending on where you live and the value you assign to the property, you are going to install a combination of locks, a tall fence, and maybe a security system. None of these are foolproof, but your property is less attractive to intruders.

Vic

September 18, 2007

Application Outsource Risk Survey Data

About 125 IT/software developers took our survey at TechEd in June 07 on the risks associated with outsourced application development. Over 60% of those surveyed were from enterprise organizations and 12% were with software vendors (see diagram below). When asked whether they believe that outsourcing software development has increased their company’s code theft, piracy, or malicious tampering risks, 30% answered yes and 38% were not sure. We attribute a large number of the unsure votes to the people being surveyed not having direct involvement with outsource partner selection and management.

[Diagram: outsourcing risk survey results]

September 10, 2007

USPTO and Intellectual Property (IP) theft in China

The USPTO announced a seminar series to educate businesses on the IP theft risk in China. The announcement further estimates that piracy and counterfeiting cost the American economy approximately $250 billion annually. Although this estimate includes hard goods as well as software, it does underscore the challenge of doing business in China.

-Vic

August 27, 2007

Microsoft WGA Issues and On-line Activation

The recent failure of Microsoft's Genuine Advantage (WGA) validation system (see Gregg Keizer's Computerworld story) illustrates the downsides of using on-line activation for licensing and software protection. Although activation holds promise for helping to deter software piracy, it introduces a dependency and point of failure that is not acceptable for all applications. However, it’s a difficult problem to resolve without greater software protection, because as soon as you allow an offline licensing scenario to exist, it will be exploited by the piracy crack groups.

Vic