Microsoft's Scott Charney on fighting botnets, rogue antimalware

Date: Feb 25, 2011

In the final segment of SearchSecurity.com's exclusive RSA Conference 2011 video interview with Scott Charney, Microsoft's Corporate Vice President of Trustworthy Computing, he discusses a variety of concerns on the enterprise threat landscape, including fighting botnets and rogue antimalware.

Read the full transcript from this video below:

Eric Parizo: Hi, I'm Eric Parizo. Great to have you with us. Joining us today is Scott Charney, Corporate Vice President for Trustworthy Computing at Microsoft. Scott, thanks so much for joining us today.

Scott Charney: Thanks for having me.

Eric Parizo: A vexing security problem that has only gotten worse in the last couple of years is rogue antimalware. These programs avoid detection, disable legitimate antimalware, and often with astounding success trick both enterprise and consumer users into thinking they're legitimate programs. What is Microsoft doing to fight against rogue antimalware?

Scott Charney: This is one of the reasons I come back to this notion of a trusted stack. One of the challenges, of course, is where does antivirus load, and how easy is it to manipulate it. You might have even seen on February 11th, NIST issued some draft guidance around the security of BIOS, for example. So, we have to be cognizant that criminals are adaptive. They'll go up the stack, as they've done with social engineering, and potentially down the stack as well. What we really have to do is make sure that from the hardware up, the boot process is trusted, that the security elements, whether it's turning on the firewall or running the antivirus, are in the right place in that trusted stack, so it's really hard to tamper with it.

We're going to have to do the same thing with these health certificates. So, if consumers could produce health certificates to any website that requested one, the bad guys will say, "OK, how do I fake a health certificate on an infected machine?" We have to be prepared for that, and the answer again comes back to: how is that health certificate generated? How is it signed and created through a root of trust? It makes it very hard for the bad guys to do that.

Eric Parizo: Just briefly, Scott Charney, talk about the recent NIST BIOS documentation and what that means for enterprises.

Scott Charney: I think for a long time, people were focused on operating system security, and then as Windows got more secure, attacks started moving up the stack. We had it with Office, and Adobe had issues. We went up to the application layer, of course. Then, as those got better, while the attacks still continue, of course, you see this rise in social engineering, where the bad guys go, "OK. If it's harder to find a vulnerability, can I just trick the user into clicking on an attachment?"

We've kind of been focused on the operating system up, but the question is: what about the operating system down? There's firmware, there's a lot of software actually running on chips, and so you have to think about the security of the entire stack. I think the NIST document starts to point people in that direction.

Eric Parizo: There's an increasing debate in the industry about whether traditional antimalware is worth the time, trouble, and investment it takes. Do you believe enterprises should decrease their emphasis on traditional antimalware and instead focus on other technologies, like intrusion detection, log analysis and code review?

Scott Charney: No, I think they have to exist together. The reason I say that is there's been a lot of study of intrusion detection over the years. There's always this difference between intrusion detection, which is signature-based, and anomaly detection, which looks for anomalies. Of course, the more you move to anomaly detection, the more likely you'll find something new, but there's also a higher risk of false positives, because the anomaly could just be some new business application or a user doing something completely appropriate but in a new way. Those things won't make antivirus or malware go away. I think you still have to think about risk management in a holistic sense.

Eric Parizo: Scott, a year ago when you and I talked, we talked about Operation b49, the Microsoft-led takedown of the Waledac botnet. It was a significant blow at the time, but 12 months later, botnet activity is still as virulent as ever. Why should enterprises be concerned about that, and what specifically is Microsoft doing to combat botnets today?

Scott Charney: When we did the b49 Waledac botnet takedown, we said, "This is another tool in the arsenal," but it doesn't solve the problem. The Waledac botnet was amenable to that kind of response in part because a lot of it was centralized within countries where you could get legal assistance. We did get some international assistance as well, but part of this public health model that we just discussed is very much about addressing the botnet problem.

As you know, the botnets are successful because the bot-herders take over consumer machines and then use those consumer machines by giving them instructions. So, we need to look at this from multiple angles. One is we do try to cut off the head of the botnet where we can, and that's what Waledac was, in part, about, but we also have to make the consumer machine less prone to takeover. That's where the public health model comes in.

Eric Parizo: Now, despite industry efforts to take down all or part of at least seven different botnets in 2010, botnet activity is still a major problem. Is an industry-wide offensive against botnets still a priority, or should the emphasis shift to defenses?

Scott Charney: I think it's worth the effort. We're capable of doing more than one thing at a time. There's no silver bullet to these problems. What you really have to do is match the response to the problem. In the Waledac case, because of the way that botnet was configured, a legal response was actually fairly effective in disabling it. In other botnets that might be more global in reach, where law enforcement cannot quickly work across borders to help disable the botnet, you're going to need other approaches, like a more comprehensive defensive approach.

Eric Parizo: Scott Charney, Corporate Vice President for Trustworthy Computing at Microsoft. Thanks so much for joining us today.

Scott Charney: Thank you.
