[liberationtech] Local spike in human rights malware attacks from China

Nathan Freitas nathan at freitas.net
Sun Nov 14 16:53:55 PST 2010

On 11/13/2010 02:16 PM, katmagic wrote:
> virustotal.com supports SSL: https://virustotal.com/ . That said, I'm

Good point. *Must* get into the habit of always sharing the https://
link on sites that support it.

> not sure relying on a virus scanner, much less an external virus
> scanner, is a good idea. The idea of virus scanning has deep and
> fundamental flaws, namely that detecting malicious behavior with any

I fundamentally agree, but there are a few reasons why I recommend
VirusTotal (or any similar service) in this type of situation. First,
the service utilizes multiple virus scanners (more than 20 I believe),
so it provides broader coverage than just running a single scanner on
your own desktop system. In addition, because you can use the system
completely via email, without having to download the contents of
attachments to your local system, it gives some ability to assess a file on
the go.

Also, from my experience training and supporting human rights orgs, many
of the types of attacks they see are not sophisticated, polymorphic
attacks, but are more akin to grenades lobbed over a wall. For every
GhostNet, zero-day targeted intrusion, there are hundreds of other daily
broad attempts to just broadly infect with some lame, known flaw in an
unpatched version of Windows or Adobe Reader.

> In short, it mostly gives a false sense of security.

Agreed on this. Training a user to be more completely aware of various
styles of threats, be a better critical thinker about the possibility of
social engineering type attacks over email, and properly set up on email
services that offer strong security, identity protection, and more, will
go much farther than just installing a malware scanner and telling them
they are now "safe".

Still I think there is room for network/cloud-based tools like
VirusTotal to play a role in defending against these types of attacks.

