Hong Jia Microsoft
Dennis Batchelder Microsoft
download slides (PDF)
On 7 March, something in our automated systems went horribly wrong, and we issued three incorrect detections:
Hundreds of thousands of our customers were affected. Within eight hours, we corrected the FPs, released fixes, and launched a post-mortem to understand why our automated system failed.
Simple answer: our automated systems had been attacked. One day before, our systems were poisoned with hundreds of crafted clean files containing fragments of our (and other AV vendor) detection patterns. Our automated systems were tricked into detecting clean files, and our customers suffered.
We kept digging, and we found evidence of several other attacks against our and other AV vendors' automation. We'd like to share with the AV industry both what we've learned, as well as our recommendations on working together to limit the damage from these attacks.
VB2013 takes place 2-4 October 2013 in Berlin, Germany.
The full programme for VB2013, including abstracts for each paper, can be viewed here.