Company owner Christopher Mallick broke the news to ePassporte customers in an e-mail sent Thursday, saying Visa International had suspended the company’s ePassporte Visa program, which is processed through St. Kitts Nevis Anguilla National Bank.

Dear ePassporte Account Holders,

Please be advised that, at 12:00 PM PDT today, September 2, 2010, we were notified that effective immediately, Visa International has suspended our banking partner’s (St. Kitts Nevis Anguilla National Bank) ePassporte Visa program. The ePassporte e-Wallet program continues to be up and running, except funds cannot be transferred between your Visa Account and your e-Wallet. At this time ePassporte can no longer issue Visa Cards, and the ability for our Account Holders to make point of sale purchases and withdraw funds from ATMs has also been suspended.

At this time we do not know why this drastic action was taken by Visa. To us, it is unconscionable that such action would be taken without the opportunity for ePassporte to fully understand Visa’s reasons and to be able to take all steps necessary to keep our program running the way it has so successfully done for over 7 years. But that is what Visa has done.

As soon as we have more information we will be in contact with you.

In the meantime please be assured that your funds are safe.

We are very sorry for the short notice and apologize for any inconvenience this may cause. The ePassporte team is working diligently to rectify this situation.

We kindly ask you to bear with us while we work through this issue.

Please feel free to contact us via the message center or at our call center, should you have any questions, comments or concerns.

Thank You,

Christopher Mallick

ePassporte’s Visa Virtual Account allowed customers to pay online at any Website that accepted Visa cards. The program also issued customers physical cards that could be used to withdraw cash at ATMs around the globe.

I reached out to both Mallick and Visa for further details and will update this blog if I hear from either.

This news caught my attention because I have recently encountered ePassporte accounts tied to several shady affiliate programs, such as those used to reward people who promote rogue anti-virus products and online pharmacy sites.

A number of adult Webmaster forums are buzzing with the news, but few seem to know more than what’s in the statement from ePassporte. However, the administrator of the online forum italkcash.com suggests that the move by Visa is in response to new anti-money laundering requirements mandated by the Credit Card Act of 2009, which affects prepaid cards and other payment card instruments that can be reloaded with funds at places other than financial institutions.

While ePassporte’s Mallick can’t be happy about these developments, the situation may provide a nice bump for his new movie: Mallick helped produce the Paramount film Middle Men, a movie released Aug. 6, 2010 that is based on his personal experiences in the porn Web site billing industry. The synopsis from the film’s Wikipedia entry seems oddly prescient:

In 1995, straight-and-narrow businessman Jack Harris (Luke Wilson) who builds the first online billing company dealing exclusively with adult entertainment, finds himself in the middle of a whirlwind filled with starlets, con men, Russian mobsters, federal agents, and international terrorists. Caught between a porn star and the FBI, Harris learns that even becoming one of the wealthiest entrepreneurs of his generation may not be enough to keep him out of trouble. It is based on the experiences of producer Christopher Mallick.

Click the image below for a Youtube.com trailer of the movie.

The attackers stole the money from The University of Virginia’s College at Wise, a 4-year public liberal arts college located in the town of Wise in southwestern Virginia.

Kathy Still, director of news and media relations at UVA Wise, declined to offer specifics on the theft, saying only that the school was investigating a hacking incident.

“All I can say now is we have a possible computer hacking situation under investigation,” Still said. “I can also tell you that as far as we can tell, no student data has been compromised.”

According to several sources familiar with the case, thieves stole the funds after compromising a computer belonging to the university’s comptroller. The attackers used a computer virus to steal the online banking credentials for the University’s accounts at BB&T Bank, and initiated a single fraudulent wire transfer in the amount of $996,000 to the Agricultural Bank of China. BB&T declined to comment for this story.

Sources said the FBI is investigating and has possession of the hard drive from the controller’s PC. A spokeswoman at FBI headquarters in Washington, D.C. said that as a matter of policy the FBI does not confirm or deny the existence of investigations.

The attack on UVA Wise is the latest in a string of online bank heists targeting businesses, schools, towns and nonprofits. Last week, cyber thieves stole more than $600,000 from the Catholic Diocese of Des Moines, Iowa.

Update, Sept. 4, 4:27 p.m. ET: Jordan Fifer, a reporter for the Highland Cavalier, the official student newspaper for UVA-Wise, writes that school officials now say they have recovered the stolen money.

Recommended reading:

Target: Small Businesses

Charting the Carnage from Ebanking Fraud

eBanking Guidance for Banks and Businesses

Avoid Windows Malware: Bank on a Live CD

In a statement released last week, the diocese said the fraud occurred between Aug. 13 and Aug. 16, apparently after criminals had stolen the diocese’s online banking credentials. The Diocese it was alerted to the fraud on Aug. 17 by its financial institution, Bankers Trust of Des Moines.

The diocese also said the FBI and U.S. Treasury Department were notified, and that the FBI had taken possession of several diocesan computers. To date, roughly $180,000 has been recovered.

The diocese added that law enforcement had advised them that the theft seems to have been the work of a highly sophisticated operation based overseas, which moved the stolen money out of the United States by recruiting people who unknowingly act as intermediaries.

“While the Diocese of Des Moines is protected by insurance and anticipates the restoration of the funds, we have been advised that such criminal activity is rampant,” Des Moines Bishop Richard Pates said. “Obviously, any entity that experiences such a crime should be significantly concerned.”

Once again, the theft involves so-called money mules willingly or unwittingly recruited by a specific money mule cash-out gang whose work I have written about several times already. Among the mules involved in this incident was a man in Newnan, Ga. who received almost $30,000 of the church’s cash. Daniel Huggins, the 29-year-old owner of Masonry Construction Group LLC, got mixed up with a company calling itself the Impeccable Group, claiming to be an international finance company operating out of New York.

Huggins said the Impeccable Group recruited him via e-mail, claiming it had found his resume on job search site Monster.com. The Impeccable Group told him he would be doing payment processing for the company, and on Aug. 16, Huggins’ erstwhile employers sent him two payments, one for almost $20,000 and another for slightly less than $10,000.

Huggins said he contacted the Impeccable Group shortly after the transfers because the amounts seemed quite high and the transfers appeared to be coming from the Catholic Church. The scammers apparently were ready for this question and were quick on their feet with a reply that was as plausible as it was diabolical: Huggins was told the money was going to be distributed as legal settlements to people who had been affected by the clergy sexual abuse scandals that have rocked the church in recent years.

“The told me it was going to be payouts to some of the settlements in the sex crimes cases against the Church,” Huggins said.

Huggins’ bank discovered the fraud and froze his account while there was still almost $10,000 left in it from the fraudulent transfers. Huggins said he was told to expect a call from lawyers for the Des Moines diocese, but he’s conflicted about whether he will return the money he made from his part in the scam: Minus the Western Union and Moneygram wire fees, Huggins earned commissions totaling nearly $800 for helping the thieves transfer the stolen money out of the country.

“I already sent the money to pay off my credit card balance,” Huggins said. “I guess I’m still up in the air on that one.”

The screen shots below were taken of Huggins’ “task manager,” an online communications panel that Impeccable Group used to communicate with money mules they had recruited.

According to security firm M86 Security Labs, junk e-mail being relayed by Pushdo (a.k.a. Cutwail) tapered off from a torrent to a dribble over the past few days. M86 credits researchers at LastLine Inc., a security firm made up of professors and graduate students from University of California, Santa Barbara, the Vienna University of Technology (Austria), Eurecom (France), and Ruhr-University Bochum (Germany).

LastLine’s Thorsten Holz said his group identified 30 Internet servers used to control the Pushdo/Cutwail infrastructure, located at eight different hosting providers around the globe. Holz said Lastline contacted all hosting providers and worked with them to take down the machines, which lead to the takedown of nearly 20 of those control servers.

“Unfortunately, not all providers were responsive and thus several command & control servers are still online at this  point,” Holz wrote on the company’s blog. “Nevertheless, this effort had an impact on Pushdo/Cutwail, which you can also see in new Anubis reports generated today  by re-running the analysis: Many connection attempts fail and infected machines can not receive commands anymore.”

It will be interesting to see whether this action has a lasting effect on the Pushdo/Cutwail botnet, which has rebounded from similar infrastructure attacks in the past. In January 2010, researchers at Neustar and several ISPs targeted the control servers for the Lethic botnet, another botnet that at the time was estimated to be responsible for relaying roughly one in ten spam e-mails. But just a month after that takedown, spam volumes from Lethic began recovering.

In May 2009, the Federal Trade Commission ordered the unplugging of a hosting provider in Northern California called 3FN, which was at the time hosting a large number of Cutwail control servers. The 3FN takedown — a type of botnet assault that I like to call a “shun” — relies on ostracizing or immobilizing ISPs and hosting providers that repeatedly turn a blind eye to serious abuse on their networks.

This latest action by Lastline falls into the other major takedown category, a group of tactics best described as “stuns,” wherein researchers target a botnet’s control infrastructure in a coordinated takedown. I discuss both of these tactics in the latest McAfee Security Journal, available at this link.

The invitation, sent via e-mail on Aug 13 by White House Senior Adviser for Intellectual Property Enforcement Andrew J. Klein, urges select recipients to attend a meeting on Sept. 29 with senior White House and cabinet officials, including Victoria Espinel, the Obama administration’s intellectual property enforcement coordinator.

“The purpose of this meeting is to discuss illegal activity taking place over the internet generally, and more specifically, voluntary protocols to address the illegal sale of counterfeit non-controlled prescription medications on-line,” the invitation states.

Klein did not return calls seeking more information. A spokeswoman for the White House Office of Management and Budget confirmed the event, but declined to offer further details. The meeting appears to be a continuation of the administration’s Joint Strategic Plan on Intellectual Property Enforcement, an initiative unveiled in June that promised to “address unlawful activity on the internet, such as illegal downloading and illegal internet pharmacies.”

According to the World Health Organization, approximately 8 percent of the bulk drugs imported into the United States are counterfeit, unapproved, or substandard, and 10 percent of global pharmaceutical commerce — or $21 billion — involves counterfeit drugs. LegitScript.com, a verification service for online pharmacies, is currently tracking more than 45,000 rogue Internet pharmacies.

A report (PDF) released in June by anti-spam and domain policy compliance group Knujon (“nojunk” spelled backwards) found that some 162 domain name registrars may be in breach of their contracts with the Internet Corporation for Assigned Names and Numbers (ICANN), the entity which oversees the registrar system. Many of the registrar violations named in that report were linked to rogue online pharmacies that are being advertised through spam and/or pharmacy affiliate programs like Glavmed and RX-Promotion — both affiliate networks that have been tied to botnet and cybercrime activity.

According to the conference Web site, MalCon is “the worlds [sic] first platform bringing together Malware and Information Security Researchers from across the globe to share key research insights into building the next generation malwares. Spread across the world, malcoders now have a common platform to demonstrate expertise, get a new insight and be a part of the global MALCODER community. This conference features keynotes, technical presentations, workshops as well as the EMERGING CHALLENGES of creating undetectable stealthy malware.”

The call for papers shows that this security conference is encouraging malware writers of all shapes, ages and sizes to bring and share their creations. “We are looking for new techniques, tool releases,unique research and about anything that’s breath-taking, related to Malwares. If your presentation, when given with all its valid techno-Jargon can give our moderators a head-ache, you are right up there. The papers and research work could be under any of the broad categories mentioned below. You can submit working malwares as well.”

Among the “malwares” encouraged are novel phishing kits, botnets and mobile phone-based malware, malware creation tools, cross-platform malware infection techniques, and new malware self-defense mechanisms, such as anti-virus exploitation techniques.

At first, I didn’t know what to make of this conference, which was initially brought to my attention by a clueful source in the botnet underground. My hoaxmeter went positively bonkers after I pinged both of the e-mail addresses listed on the site and each e-mail bounced.

But then I caught up with Rajshekhar Murthy, the coordinator for the conference. Murthy said MalCon will be hosted on Dec. 3 in Mumbai, and then again on Dec. 5 at the Clubhack 2010 conference in Pune, India, which has apparently attracted oft-quoted security expert Bruce Schneier as a leading speaker.

Murthy confirmed that the idea behind the conference was indeed to attract malware writers.

“You are right, the major goal of the conference is to encourage and foster the creation of malcode. But it is done for all the good reasons,” Murthy wrote in an e-mail to KrebsOnSecurity.com. “There are only a handful companies that dominate and sell Anti-malware / Anti-virus programs, compared to a huge number of malcoders who release a million new malwares every year. The approach to the problem is always ‘Reactive’ and is done if the malcode is detected in time.”

Murthy continued: “While a conference can be done by inviting the best / well known security experts who can share statistics, slides and ‘analysis’ of malwares, it is not of any benefit to the community today except that of awareness. The need of MalCon conference is bridge that ignored gap between security companies and malcoders. They have to get on a common platform and talk to each other. Just like the concept of  ‘ethical hacking’ has helped organizations to see that hackers are not all that bad, it is time to accept that ‘ethical malcoding’ is required to research, identify and mitigate newer malwares in a ‘proactive’ way.”

For his part, Schneier said he does not agree with the idea that better malware is needed to fine-tune computer security tools.

“The bad guys produce more than enough malware to stimulate research,” Schneier wrote in an e-mail.

At any rate, it’s time to get working on your malwares already, people! Final papers are due Nov. 10. Oh, and if anyone decides to go and can snag me a T-shirt from the con, I’m an extra large.

Independent testing firm NSS Labs looked at the performance of 10 commercial anti-virus products to see how well they detected 123 client-side exploits, those typically used to attack vulnerabilities in Web browsers including Internet Explorer and Firefox, as well as common desktop applications, such as Adobe Flash, Reader, and Apple QuickTime.

Roughly half of the exploits tested were exact copies of the first exploit code to be made public against the vulnerability. NSS also tested detection for an equal number of exploit variants, those which exploit the same vulnerability but use slightly different entry points in the targeted system’s memory. None of the exploits used evasion techniques commonly employed by real-life exploits to disguise themselves or hide from intrusion detection systems.

Among all ten products, NSS found that the average detection rate against original exploits was 76 percent, and that only three out of ten products stopped all of the original exploits. The average detection against exploits variants was even lower at 58 percent, NSS found.

NSS President Rick Moy said most vendors appear to have chosen to focus on detecting the malicious software variants delivered by these exploits than on blocking the exploits themselves. Moy notes that while the anti-virus vendors state they are now processing more than 50,000 malware samples every day, it appears the majority of vendors still fail to block the most widely-used methods of delivering those malware samples.

“When you’re talking about exploits that have been published on a government funded web site for months on end, there’s really no good excuse as to why you’re not covering that,” Moy said. “Since there are far fewer exploits than malware, it is imperative that attacks be defeated in the  earliest possible stage.”

The NSS tests revealed that certain exploits were consistently missed by the anti-virus products, particularly those that attacked the IE peers and MS VBscript help Internet Explorer vulnerabilities that Microsoft first disclosed in March 2010.

Moy shared a copy of the report on the condition that I refrain from disclosing how each individual product performed, as his company plans to sell the report. But as with the last NSS report I wrote about — which looked at how long it takes anti-virus products to block malicious Web sites — this study focuses on testing individual aspects of anti-virus product performance, including some areas that are glossed over in industry tests.

Even without information about which products earned the highest marks in exploit blocking, one takeaway from the report is the importance of patching as soon as possible after a vendor releases a fix, Moy said.

“There is not a lot of focus on stopping exploits, is what we’re finding, even though certainly at least against the older exploits these security products should act as a virtual patch,” Moy said, adding that organizations should consider developing custom exploit signatures for high-value systems, either at the host or network layer. “The ‘patch immediately’ approach probably works for smaller organizations, but larger companies tend to wait quite a while to make sure patches don’t conflict with homegrown apps.”

Still, NSS doesn’t make a lot of information available about its methods, and this omission has driven much of the criticism of previous NSS Labs reports.

“It would be nice if at least some information about the way the figures were arrived at were available for scrutiny, so that an interested party would have more than just a rather spectacular but otherwise context-free chart to gauge the relative value of the report,” wrote Kurt Wismer, an anti-virus industry watcher and blogger. “As it stands, the information they make available on their site is worse than useless – figures without adequate context are precisely where the idiom of ‘lies, damn lies, and statistics’ comes from. Posting the context-free chart the way they have only serves to sensationalize the report.”

Wismer said the study highlights an area where many products have room for improvement, and that having more anti-virus products blocking the exploitation stage would be a very advantageous improvement. But he said the report itself doesn’t provide a full picture of the performance of these products.

“It just doesn’t tell the customer whether or not they’d actually be protected in the real world,” Wismer wrote in an e-mail to KrebsOnSecurity.com. “The more links in the chain of events leading to compromise that can be used to a defenders advantage. a chain is only as strong as it’s weakest link and so only one stage of a multi-stage attack needs to be blocked in order for the final intended outcome to be thwarted. A test that doesn’t include all the stages therefore necessarily omits information that could be important in determining which products provide the best assistance at protection.”

Interestingly, a series of reports released earlier this month by anti-virus testing lab AV-Test comes to similar conclusions as the NSS report about the exploit-blocking abilities of the major anti-virus products. According to AV-Test, the industry average in protecting against exploits (both known and unknown) was 75 percent.

Undated photo of Leo Kuvayev, courtesy Spamhaus.org.

A man known as one of the world’s top purveyors of junk e-mail has been imprisoned in Russia for allegedly molesting underage girls from a Moscow orphanage, KrebsOnSecurity.com has learned.

According to multiple sources, Leonid “Leo” Aleksandorovich Kuvayev, 38, is being held in a Russian prison awaiting trial on multiple child molestation charges.

Sources in the United States and Russia said that Kuvayev, who holds dual Russian-American citizenship, was alleged to have molested more than 50 young girls he had lured away from one or more local orphanages. He was brought in for questioning after one of the girls reported the incident to Russian police, who reportedly found videotaped evidence of the incidents.

Brandon A. Montgomery, a spokesman for the Immigration and Customs Enforcement (ICE) division at the U.S. Department of Homeland Security, confirmed that Kuvayev was indicted on Aug. 3, 2009, and arrested on Sept. 15 in Moscow for child molestation charges.

“Our attaché in Moscow is working with the criminal investigative team in Russia, and the investigation is ongoing,” Montgomery said.

The Russian criminal case against Kuvayev, Case. No. 378243, charges him with violations of Russian Criminal Code 134, which prohibits “crimes against sexual inviolability and sexual freedom of the person.” According to sources in Russia familiar with the case but who asked not to be named, Kuvayev is being held in a Moscow jail awaiting trial, which is currently scheduled to start 10 months from the date of his incarceration on Dec. 22, 2009.

Kuvayev in Thailand, 2001

Kuvayev is widely considered one of the world’s most notorious spammers. Anti-spam group Spamhaus.org currently features Kuvayev as #2 on its Top 10 worst spammers list.

In 2005, the attorney general of Massachusetts successfully sued Kuvayev for violations of the CAN-SPAM Act, a law that prohibits the sending of e-mail that includes false or misleading information about the origins of the message, among other restrictions. Armed with a massive trove of spam evidence gathered largely by lawyers and security experts at Microsoft Corp., the state showed that Kuvayev’s operation, an affiliate program known as BadCow, was responsible for blasting tens of millions of junk e-mails peddling everything from pirated software to counterfeit pharmaceuticals and porn.

Massachusetts was able to sue Kuvayev because he once held a driver’s license in the state and had rented a mailbox there for his business (two of Kuvayev’s younger sisters live in the Boston area, but did not respond to requests for comment).

In an apparent bid to sidestep those charges, Kuvayev fled the United States for Russia. A Massachusetts judge later convicted Kuvayev of CAN-SPAM violations, and ordered him to pay $37 million in civil penalties. FBI officials say BadCow was raking in more than $30 million each year at the time.

Spamhaus credits Kuvayev as being first mass-spammer to send junk e-mail messages as image files in order to evade text-based spam filters. In addition, Spamhaus says Kuvayev kept close relationships with individuals who maintained large botnets, or groupings of hacked PCs that are typically used to relay junk e-mail, and that he may be the person known online as “Pharmamaster,” the individual who claimed responsibility for massive online attacks in 2006 that drove anti-spam provider BlueSecurity out of business.

According to Spamhaus, if Kuvayev is not Pharmamaster, then that moniker belongs to his former business partner, a 37-year-old Russian named Vlad Khokholkov. Sources say Khokholkov is now operating the affiliate program Kuvayev used to run — called “Mailien” — which appears still to be running at full steam and soliciting new spammers, despite Kuvayev’s incarceration. Mailien offers affiliates 40-50 percent of each sale, and some of its “Pharmacy Express” brand partner spam sites currently incorporate familiar trademarks in their domain names, including ebaymeds.com, facebookmeds.com, yahoomeds.com and twittermeds.com, to name just a few. A person answering the ICQ number associated with Mailien’s support desk claimed not to know anyone by the name Khokholkov, but when asked about Kuvayev said that the information could not be provided because it was confidential.

The theme of this edition of the journal is finding ways to take security on the offense, and it includes articles from noted security researchers Joe Stewart and Felix “FX” Lindner.

Here’s the lead-in from my contribution:

The security technologies most of us rely on every day — from anti-virus software to firewalls and intrusion detection devices — are reactive. That is, they are effective usually only after a new threat has been identified and classified. The trouble is that, meanwhile, an indeterminate number of individuals and corporations become victims of these unidentified stalkers.

Until quite recently, this “bag ‘em and tag ‘em” approach to dealing with malicious activity online had become so ingrained in the security community that most of the thought leaders on security were content merely to catalog the Internet’s worst offenders and abide the most hostile networks. Exponential increases in the volume and sophistication of new threats unleashed during the past few years — coupled with a pervasive attitude that fighting criminal activity online is the principal job of law enforcement — have helped to reinforce this bunker mentality.

Then, in the fall of 2007, something remarkable happened that seemed to shake the security industry out of its torpor: a series of investigative stories in the mainstream and technology press about concentrations of cybercrime activity at a Web hosting conglomerate in St. Petersburg known as the Russian Business Network (RBN) caused the ISPs serving the infamous provider to pull the plug. The RBN, which had been a vortex of malicious activity for years, was forced to close up shop and, subsequently, scattered its operations.

This was the first of many examples that would demonstrate the strategic (and, arguably, cathartic) value of identifying and isolating significant, consistent sources of hostile — if not criminal — activity online. I will focus on two popular methods of taking the fight to the enemy and will offer a few thoughts on the long-term viability of these approaches.

Copies of the journal are available from this link.

As I wrote last month:

Attackers usually craft software exploits so that they write data or programs to very specific, static sections in the operating system’s memory. To counter this, Microsoft introduced with Windows Vista (and Windows 7) a feature called address space layout randomization or ASLR, which constantly moves these memory points to different positions. Another defensive feature called data execution prevention (DEP) — first introduced with Windows XP Service Pack 2 back in 2004 — attempts to make it so that even if an attacker succeeds in guessing the location of the memory point they’re seeking, the code placed there will not execute or run.

These protections are available to any applications built to run on top of the operating system, and they’re designed to make it difficult for attackers to develop reliable exploits for vulnerabilities in Windows applications. As we saw last month, few top apps invoke the protections, but many readers may be surprised to learn that few anti-virus products have adopted these technologies.

I installed the trial versions of a dozen top anti-virus and security suites on a virtual machine running Windows Vista, and then checked each product’s executable files using Microsoft’s excellent Process Explorer tool, which provides a mass of information about processes running on your Windows system, including whether or not those processes invoke DEP and/or ASLR.

Among the anti-virus products that used neither ASLR nor DEP were AVAST Home Edition, AVG Internet Security 9.0, BitDefender Internet Security 2010, ESET Smart Security, F-Secure Internet Security, Norton Internet Security 2010, Panda Internet Security 2010 and Trend Micro Internet Security 2010.

Microsoft Security Essentials was the only product that used both ASLR and DEP consistently on Windows Vista (although interestingly it does not invoke DEP on Windows XP). Other anti-virus suites I tested used either ASLR or DEP (or both), but only in some applications that make up the suite. For example, McAfee Internet Security’s “mcagent.exe” program runs both ASLR and DEP, while four other executable processes spawned by the program ran DEP but not ASLR (since these tests were run, McAfee has changed the trial version of MIS available on its site, and the company sent me a screen shot that shows DEP and ASLR on all running processes in that version).

Similarly, I found that the anti-virus suite from Avira ran its main avguard.exe program in ASLR mode but did not use DEP. The rest of the program files that ship with this product run neither ASLR nor DEP. Kaspersky Internet Security had DEP enabled on just one process (the browser plug-in), and did not invoke ASLR with any program components.

To be sure, DEP and ASLR are not panaceas: Security researchers have come up with a number of clever ways to bypass these protection mechanisms. Still, it’s interesting to note the lack of these features in anti-virus products for two reasons: First, even researchers who have developed exploits to work around these protections say the two technologies raise the bar significantly for malicious coders. Second, anti-virus products are not immune to introducing their own exploitable software flaws.

I sought comment from all of the anti-virus vendors whose products I examined (except for Microsoft) and received a few responses. Most either downplayed the usefulness of the two technologies in combating today’s threats, or said that they planned to implement the protections in upcoming releases.

Mikko Hypponen from F-Secure said that “adding support for DEP and ASLR in our products is on our roadmap, but has not been implemented yet. This is because we’ve focused our development efforts lately to focus on performance. Once we have this feature ready, it will be available to all of our customers through our update channel.”

Pedro Bustamante, a senior research adviser at Panda Security, said Panda decided not to use either ASLR or DEP in favor of their own technology “to provide protection not only for the single AV processes but also for other types of operations. For example our products include a Shield component which already takes care of the protection as offered by ASLR and DEP, in addition to other types of self-protections such as preventing a process from injecting a thread into a separate process, preventing certain applications from executing dangerous operations on the system (such as Adobe Acrobat dropping an executable in the system and running it), protection of the AV files in the installation directories, etc.”

Bustamante continued: “These Microsoft technologies might be a good solution for certain types of more basic applications, but from our point of view are insufficient for an anti-malware product trying to get a more defense-in-depth approach to securing the whole OS and third party applications.”

Bitdefender said it plans to incorporate DEP and ASLR in its 2011 suite of products.

Symantec’s director of product management, Dan Nadir, said Norton Internet Security 2010 does in fact include support for DEP (although my experiments with Process Explorer showed it was not enabled) and that the company is “evaluating possible support of ASLR in future versions of our products.”

The research team from ESET responded: “Based upon the types of attacks we see against security software, and the likely attack scenarios, ASLR and DEP do not provide any significant defense. [While] enabling ASLR and DEP is quite trivial, the complexity come in assuring the proper test matrix has been implemented. Without proper testing ASLR can be weaponized…We will consider adding the features in the future, but not without extremely rigorous testing.”