Victims of friendly fire presented at Virus Bulletin 2010

by Corrado Ronchi (Eisst)

Summary: In the ongoing war against malware, one increasingly important line of defence for substantially lowering the
hacking ROI is application hardening. Its techniques comprise code obfuscation, dynamic and polymorphic memory
encryption, and process protection against dynamic patching and DLL injection. In this presentation we review the
constant battle to limit violent rejections of our hardened e-banking applications by AV products. Practical
examples taken from Swiss e-banking scenarios show how the increasingly aggressive protection techniques used by
AV applications cannot always prevent the spread of malware, yet hinder the use of strong protection techniques
for application hardening. Results from several case studies strongly suggest the need for a new collaborative paradigm
for protecting the client application context. This calls for the development of a structured and coordinated friend-or-foe
application identification (FFAPI) procedure, whereby AV products and applications can mutually interrogate each other
to discriminate legitimate tasks from potentially hostile processes. We propose to set up a cross-industry FFAPI task force
seeking contributions from both AV vendors and the wider e-business community, with the goal of establishing an
effective protocol for avoiding the resource-draining conflicts between AV products and hardened applications.