2012-01-01
Abstract
‘The ability to exchange URLs in real time is a particular advantage ... since malicious URLs are usually a time-critical issue.’ Philipp Wolf
Copyright © 2012 Virus Bulletin
When I first applied for a job in the IT security industry back in 1999, I set my sights on the virus lab because it sounded like the most interesting area of the business. When I got my lucky break, one of the first tasks assigned to me was to replicate file infectors. One morning my boss came in and gave me a new, undetected virus sample. He told me that, although virus samples were usually sent to us by customers, this one had come from a competitor. I was confused. ‘From a competitor?’, I thought, ‘Why on earth would they send us viruses? Won’t they lose their competitive edge?’
I kept my questions to myself and analysed the virus, but eventually my curiosity got the better of me. I asked my boss what this ‘competitor sharing’ was all about. He explained: ‘You can’t always be the first one to find a new virus; that’s why we share them. Ultimately, all of us in this industry have the same goal: to protect people who don’t know as much about viruses as we do.’ I was fascinated by this idea, and looking back I think this collaborative spirit was one of the main reasons I was drawn to the anti-malware industry.
As time went by, I was put in charge of collection sharing. In other words, I decided which malware files Avira would share with other security vendors and who those third parties would be. During that time, there were countless presentations and discussions at various conferences and meetings about the sharing of malware and about the possibility of creating a centralized point for doing so. Unfortunately, the industry never came up with a workable solution. Not only were there political issues, but the sharing of malicious files via one centralized point also posed technical challenges. In particular, accommodating the ever-growing volume of malicious files would involve huge hardware costs.
But as time went on, the threat landscape changed. Traditional viruses all but disappeared, and more and more threats began to lurk on the web. This development introduced a new sharing vector: malicious URLs. Soon many companies were sharing malicious URLs in addition to malicious files.
It was after a conversation about our companies sharing URLs at a Virus Bulletin conference that Costin Raiu, Tony Lee, Jong Purisima, Nick Bilogorskiy and I decided to revisit the idea of a centralized point for sharing. Creative technicians that we are, we named the project MUTE (Malware URL Tracking and Exchange). MUTE allows a company to consolidate a 1:N relationship (the company shares with many others) into a 1:1 relationship (the company shares with MUTE and MUTE shares with it). While collecting the same data from the other companies, each member additionally benefits from statistics, search functionality, real-time sharing, unified data and so on. The ability to exchange URLs in real time is a particular advantage of the system compared to the way they are shared now, since malicious URLs are usually a time-critical issue.
Since URLs are very small pieces of data, the technical challenges involved in sharing them are minor compared with those of sharing files. We kicked off the MUTE back-end in October at the VB2011 conference in Barcelona. After our presentation, many vendors expressed an interest in joining MUTE – a promising sign for the project!
Right now the MUTE system is in beta. Various companies are testing it for bugs and other problems. We have been pleasantly surprised by the absence of political obstacles – at least from the feedback we have received so far. The members of MUTE are looking forward to seeing the system evolve, welcoming new members and spreading the great spirit of sharing within the anti-malware industry.