Bugtraq mailing list archives

Malicious code detection and full disclosure


From: nate () ROOT ORG (Nate Lawson)
Date: Sat, 27 Mar 1999 21:58:17 -0800


I have been getting a lot of flames and veiled threats from individuals
and "virus researchers" for posting the code yesterday.  There seems to be
a lot of misinformation going around so I wanted to clarify the situation.
These people are all producing the same arguments:

1.  "Posting the source allows someone to know how to write a Macro virus"

Yes, and any one of the 100,000 or more people who got the virus the other
day can buy VB and do File->Open and see the source.  Repeat after me:
"Word macros are INTERPRETED".  All symbol information is present.  No
decompilation necessary.

2.  "By reformatting the source, you have created a new variant"

What?  Your virus scanner could be thwarted by adding whitespace?  Someone
has a problem but it isn't me.  Perhaps you'd best learn from the sandbox
mechanisms of Java or virus scanners like F-PROT.  A virus is not a virus
because it has the string "By 3le3t3 DudEZ" followed by three tabs.  It is
a virus because it does things like update Normal.dot.  Repeat after me:
"Pattern matching alone does not a virus scanner make".  Just as in the
recent thread about security scanners doing version-checking instead of
exploiting a hole, the best answer is to use a combination of techniques
to identify flaws or malicious code and then notify the user of any
uncertainties in the detection mechanism.

A perfect parallel to this is the Internet worm.  We were reminded of that
time as we paused the Exchange SMTP service to keep the program from
spreading.  Also, it was important to quickly analyze the program, making
sure it did nothing malicious like mailing a person's files to another
location.  After doing this, I believed the code itself would help others
do the same if they needed to.  An important note is that the Symantec and
McAfee web pages describing the virus both left out important information
(for instance, avertlabs.com neglected to mention the active document and
Normal.dot file infection).  If I had made any mistakes in my analysis,
another could have determined this for himself.

A good reference is the paper "With Microscope and Tweezers, An Analysis
of the Internet Worm" by Mark Eichin and Jon Rochlis.  It can be found at:

    http://www.mit.edu:8001/people/eichin/www/virus/main.html

In short, this is the same full disclosure vs. security through obscurity
debate.  Make your own decision about what is appropriate; my mind has been
made up in regard to this for at least a decade.  Viruses tend to be
uninventive and boring.  This one was extremely unsophisticated, exploited
no new holes, and required user carelessness to spread.  I only got
involved because I had to help fend off the nuisance Friday.  I hope
everyone found the postings useful and will demand better virus protection
than string matching from their virus scanner vendor as well as request
that Microsoft add more virus prevention than "enable macros? yes/no" and
disallow macros from doing things like sending mail or writing to files
without notice to the user.

-Nate
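
The post's point that pattern matching alone does not make a virus scanner, shown as an added example that is not part of the original message: a naive string signature beside a behaviour check over normalized macro source. The macro fragments, the signature layout and the grouping of object-model names into behaviours are constructed for illustration, not taken from any scanner or virus.

```python
import re

# Behaviour indicators drawn from the post: touching Normal.dot, copying macro
# code via the VBA project, sending mail, writing or deleting files. These are
# real Word/Outlook object-model names; the grouping is this example's own.
BEHAVIOURS = {
    "modifies Normal.dot": [r"\bnormaltemplate\b"],
    "copies macro code": [r"\bvbproject\b", r"\bcodemodule\b", r"\binsertlines\b"],
    "sends mail": [r"outlook\.application", r"\.send\b"],
    "writes or deletes files": [r"\bfor (output|append)\b", r"\bkill\b"],
}
# A string-only signature of the kind the post ridicules: a tag plus three tabs.
SIGNATURE = "By 3le3t3 DudEZ\t\t\t"

def normalize(src):
    """Drop VBA comments, collapse whitespace, lower-case: object-model references
    survive reformatting, decorative strings and spacing do not. (Naive: a quote
    inside a string literal is taken as a comment start; fine for a heuristic.)"""
    out = []
    for line in src.splitlines():
        line = re.sub(r"'.*$", "", line)
        out.append(" ".join(line.split()).lower())
    return " ".join(l for l in out if l)

def signature_match(src):
    """Pattern matching alone: exact substring on the raw source."""
    return SIGNATURE in src

def behaviours(src):
    """Names of behaviours whose indicators appear in the normalized source."""
    text = normalize(src)
    return sorted(name for name, pats in BEHAVIOURS.items()
                  if any(re.search(p, text) for p in pats))

def classify(src):
    """Combine both techniques and report how certain the call is."""
    hits = behaviours(src)
    if signature_match(src):
        return {"verdict": "known-signature", "behaviours": hits}
    if hits:
        return {"verdict": "heuristic", "behaviours": hits}  # flag and say why
    return {"verdict": "clean", "behaviours": hits}

# Constructed macro fragments, not real virus code: the same behaviour with the
# tag string altered and the spacing changed, plus a benign formatting macro.
ORIGINAL = ("Sub AutoOpen()\n    ' By 3le3t3 DudEZ\t\t\t\n"
            "    Set t = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule\n"
            "    Set o = CreateObject(\"Outlook.Application\")\n    o.CreateItem(0).Send\nEnd Sub\n")
REFORMATTED = ORIGINAL.replace("DudEZ\t\t\t", "DudEZ  v2").replace('Object("', 'Object( "')
BENIGN = "Sub FormatHeading()\n    Selection.Font.Bold = True\nEnd Sub\n"
```

The reformatted copy defeats the string signature but yields the same behaviour list, so the combined check still flags it while telling the user the call is heuristic rather than a known match.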


