funsec mailing list archives
Re: Re: Malware sharing? People are full of shit [was: Get your computer viruses here!]
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 29 Dec 2005 14:16:23 +1300
Blue Boar to Gadi:
Then let us agree most Bad Guys won't bother with it as they have better sources?
I think to be completely fair, there will someday be at least one Bad Guy for whom the site in question will be the most reliable source of the desired malware. ...
Yep -- the less-than-competent-but-able-to-learn-enough-to-be-more-concerningly-effective/dangerous/nasty/etc
Note that this option is _greatly exacerbated_ because this site plans not only making samples available (which, alone, don't terribly much help the tragically inept), but also making _detailed analysis_ openly available, and it's the added value of that analysis, presumably mostly done by MUCH better minds than the quasi-clueless bad guys of the sort mentioned above, that is really of value to the less clueful of the bad guys. The really clever bad guys don't need our help (and often could teach most of us a thing or two) but fortunately they are relatively rare. The near-clueless-but-still-worryingly-dangerous bad guys will _LOVE_ this site and the _intended_ benefits of improved analysis, etc, etc will more than equally accrue to such miscreants, compared to the malware analysts the site's creators hope to attract.
... I'm not saying he's a smart or successful bad guy, just that he has bad intentions and wants some particular piece of malware for nefarious purposes.
Or, more importantly, wants to find some cunning trick to beat some otherwise effective control commonly deployed in his intended victim base. The smart bad guys that worked out how to circumvent all the new anti-anti-antivirus mechanisms in the new JamScan scanner or all the anti-anti-JamWall software firewall will keep that info to themselves (it's a competitive advantage to them, after all, and we are now talking about a largely commercialized malware scene), but if some smart RE posts all the gory details in their analysis at this site, the "dumb" bad guys will also, _very quickly_ be compromising their victims using those tricks. Anyone who contributes analysis to this site will thus be _helping_ the largely-gormless-but-still-potentially-dangerous bad guys (who, today, are still somewhat in the majority I think).
Does that constitute failure? I don't think it does. If the userbase is 99% people researching anti-malware, and 1% bad guys, I call that success. If it were reversed, 1% researchers and 99% bad guys, then I would say it was a failure, and should be shut down.
I disagree. The actual "improvement" in anti-whatever deployed on end-user systems that this site provides will be somewhere between negligible and none. That will be at the cost of slight, but more than enough to be worrying "improvement" in the code of the bad guys. That certainly is NOT a desirable trade-off (well, unless you actually are one of the bad guys...).
Not a failure in the sense that he has no legal basis nor right to do so, (IMNSHO) but in the practical sense that it is effectively doing more harm than good.
But it _is_ likely to do more harm than good, as I just explained...
You can also factor in a percentage of stupid people if you like, those with the proper intentions, but lack the skill or care, and infect themselves and others. Many consider them as bad or worse than Bad Guys.
8-) Hey, I'm quite certain that if we take all the guns off everyone so the stupid people stop shooting themselves in the feet, the stupid people will then just find other ways of accidentally maiming themselves. As someone once said (or, if not, they should have), the trouble with making something idiot-proof is that evolution is continually refining our idiots...
To lump a lot of the (current and ex) AV guys into one small bucket, it
And why not -- we like it in here! 8-)
has been my experience that they consider the one bumbling bad guy or incompetent good guy to constitute a total failure. AV guys, feel free to defend yourselves against my mischaracterization, if appropriate. To pick on someone in particular, I've seen Nick take some very extreme positions on this kind of thing, for example.
My extreme position here, specifically _relative to self-replicating code_ (aka "viruses"), is that "we" (I'll perhaps inappropriately speak as if for the whole of traditional AV here) have always taken the position that to act responsibly we MUST first ensure we do no further harm. Boiled-down, a part of that means making self-replicating code available to anyone who is not equally responsible is _totally unacceptable_ behaviour. When it comes to non-replicating code you could, with some support from me and others, but probably not all of traditional AV, argue that such restrictions on sample sharing not only can, but perhaps even should, be eased somewhat. This (slightly) more liberal position still causes trouble for the site under discussion however, for as it is now it makes no distinction between non-replicating and self-replicating samples. But, if in an effort to assuage those of us (and here I do not just mean AV -- many other security professionals outside AV take a similar stand on this) with very strong views on the uncontrolled sharing of viral material, it did make that distinction, it runs into the paradox of removing its raison d'etre, as to determine whether submitted samples were viral or not, would require "someone very trustworthy" to (near-)fully analyse the samples and Val would end up with the same dilemma s/he has acknowledged ignoring in the current design...
In short, I think Val should continue, and we all see what happens.
I strongly hope s/he doesn't...
Regards,
Nick FitzGerald
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.