Malicious Android: why the Birds are Angry

It’s no secret that trojans that misuse premium SMS services are one of the most prevalent problems in the mobile malware arena. However, the flood of “Lagostrod” and “Miriada” so-called free knock-offs of real games are peppered with code that sends text messages to premium services. Mikko Hypponen retweeted an estimate, based on comments to reddit, that the attackers could have made around $12,000,000.

According to Sophos’ Vanja Svajcer:

After more than a day on the market, the applications were pulled off by the Android Market security team. Google’s reaction has been quick, but not quick enough – at least ten thousand users downloaded one of the malicious apps from the list.

Much more information on the event in Vanja’s blog and in Sean’s blog for F-Secure.

I hope to see an apology from Chris DiBona for suggesting that anyone working for an AV company should be ashamed of themselves if they have a product for Android,  Blackberry or iOS, but won’t be holding my breath.

(Yes, this is the sort of stuff I usually post to Mac Virus, but it’s not really Apple-related, I guess, so I think I’ll probably do more of it here.)

Small Blue-Green World/AVIEN/Mac Virus
ESET Senior Research Fellow

Before you get to the blogs further down…

Welcome! Check out the links on the menu above to find out about Small Blue Green World. This is the gateway to the various blogs and bits and bobs that constitute the SBGW presence on the web.

Essentially, this is a consultancy offering services to the security industry, launched by David Harley in 2006 and with one main customer (ESET), so this particular page isn’t maintained very regularly: it has (currently) no commercial/advertising function, but it includes some papers/resources that may not be available elsewhere. The blogs linked here, however, especially those to which I contribute on ESET’s behalf, are maintained regularly.

The services I provide to ESET are quite wide-ranging, but they include blogging on the ESET blog page. I stopped contributing to SC Magazine’s Cybercrime Corner some time ago, and that page seems to have been removed. I’ll be looking back over my articles for that venue to see which might usefully be republished. Sometime…

I did write fairly regularly for Infosecurity Magazine, primarily on Mac issues, but haven’t done so for a while. Other authoring and editing includes conference papers, white papers and so on.

The ESET Threat Center and We Live Security pages include links to a range of resources. More specifically, the ESET resources page and includes white papers written specifically for ESET, papers for external conferences and workshops submitted on ESET’s behalf, links to articles written for outside publications and sites, again on ESET’s behalf, ESET’s monthly threat reports, for which I often provide articles and editing, while some of my conference presentations are available as slide decks here.

Some articles and conference papers can’t be posted on a commercial site for copyright-related reasons, so I tend to post them on this site instead. When I remember. Specifically, most of that stuff is now posted to Geek Peninsula.

AVIEN (formerly the Anti-Virus Information Exchange Network), which was run as an independent organization by myself and Andrew Lee (and before that by Robert Vibert), is still hosted on its own web site and has its own blog page hosted there, but I’m no longer heavily associated with the organization except as an occasional blogger there. I do maintain (intermittently) a phone scam resources page there.

I run several other specialist security blogs completely independently of ESET, and these include a blog focused on hoaxes, spam, scams and similar nuisances (thanks to ESET N. America CEO and long-time friend and colleague Andrew Lee, you can also access this as, and another that focuses (mostly) on Apple malware: essentially, it’s the current incarnation of the old Mac Virus web site originally founded by Susan Lesch, and sometimes includes contributions from Old Mac Bloggit, the well-known pseudonym.

We no longer host the AMTSO blog, and  I don’t do any administration on the main AMTSO site any more. I do, however, maintain an independent AV-testing blog/resource called, imaginatively, Anti-Malware Testing, and this archives most of the articles I originally posted on the old AMTSO blog – of course, they do not represent AMTSO’s official views. I also blog occasionally at other sites, include Infosecurity Magazine,  (ISC)2 and Securiteam. I used to flag current articles, papers, blogs and media coverage at The Geek Peninsula (most of this is also tweeted via but I was having trouble remembering to update it. I’m now using it as a repository for (most of) my papers, some of my articles, pointers to my current and past blogs, and so on.

If you find any broken links on this site please let us know so we can fix them and please use the contact page to get in touch. Thank you.

David Harley
Small Blue-Green World
ESET Senior Research Fellow

Execution Context in Anti-Malware Testing

[Go back to ESET White Papers page.]
[Go back to ESET blog.]

This is one of my 2009 papers, presented by Randy Abrams and myself on behalf of ESETat the EICAR 2009 Conference in Berlin.


Anti-malware testing methodology remains a contentious area because many testers are insufficiently aware of the complexities of malware and anti-malware technology. This results in the frequent publication of comparative test results that are misleading and often totally invalid because they don’t accurately reflect the detection capability of the products under test. Because many tests are based purely on static testing, where products are tested by using them to scan presumed infected objects passively, those products that use more proactive techniques such as active heuristics, emulation and sandboxing are frequently disadvantaged in such tests, even assuming that sample sets are correctly validated.

Recent examples of misleading published statistical data include the ranking of anti-malware products according to reports returned by multi-scanner sample submission sites, even though the better examples of such sites are clear that this is not an appropriate use of their services, and the use of similar reports to generate other statistical data such as the assumed prevalence of specific malware. These problems, especially when combined with other testing problem areas such as accurate sample validation and classification, introduce major statistical anomalies.

In this paper, it is proposed to review the most common mainstream anti-malware detection techniques (search strings and simple signatures, generic signatures, passive heuristics, active heuristics and behaviour analysis) in the context of anti-malware testing for purposes of single product testing, comparative detection testing, and generation of prevalence and global detection data. Specifically, issues around static and dynamic testing will be examined. Issues with additional impact, such as sample classification and false positives, will be considered – not only false identification of innocent applications as malware, but also contentious classification issues such as (1) the trapping of samples, especially corrupted or truncated honeypot and honeynet samples intended maliciously but unable to pose a direct threat to target systems (2) use of such criteria as packing and obfuscation status as a primary heuristic for the identification of malware.

EICAR execution context paper

Mac Malware

You may be aware that I have a long-standing love/hate relationship with the Mac community (love Macs, hate the maulings I get whenever I comment on Mac security: somehow I keep forgetting that Macs are 100% secure and Mac users are 100% more intelligent that Windows users. Sigh…)

If you have an interest in Mac issues, you might find my Securiteam blog interesting. Or not.

AVIEN Guide published

Good day to you, my loyal readers.

How are you both?

It’s been a long time since I posted anything here, which doesn’t mean things have been happening (too many things have been happening!)

The “AVIEN Malware Defense Guide for the Enterprise” was published in the US by Syngress early in August, 2007. This is a major publishing project I put together with AVIEN (Anti-Virus Information Exchange Network) and AVIEWS (Anti-Virus Information and Early Warning System) members. It will be published in the UK in early September. Read more on the book’s own web site here. Some of the authors will be at Infosec New York (11th-12th September) signing copies at the ESET stand, and at the Virus Bulletin conference in Vienna later in September (where Andrew Lee and I are presenting a phishing paper, by the way).

I also got somewhat irritated by a poor, misleading comparative test of antivirus products presented by at the Linuxworld expo: so irritated that I put a white paper here and a blog entry at Technet on the subject of testing. This is probably not the last you’ll hear of this from me.

Talking of AVIEN, as of 15th August I became the interim Administrator there. Essentially, my job is to keep order while the membership decide whether they want to change the structure of the organization. More about that on the AVIEN site in due course.