funsec mailing list archives

How The Anti-Virus Industry Is Turning A White Hat Black, or (at least) Gray


From: "Fergie" <fergdawg () netzero net>
Date: Fri, 7 Apr 2006 18:43:29 GMT

Via eMail Battles.

[snip]

On the 28th day of December 2005, Tibbar encrypted the public version of Hacker Defender, the world-famous Windows 
rootkit. At the same time, the anonymous author unleashed codeCrypter on the web.

Then Tibbar waited.

On the first of March 2006, Tibbar ("Rabbit" spelled backwards) submitted the codeCrypter'd Hacker Defender to 
VirusTotal, an online virus testing service used by white and black hats alike.

The results were dispiriting. Despite two months' warning, just four of 24 anti-virus engines recognized Tibbar's 
creation: BitDefender, Ikarus, NOD32 and VBA32. Three a/v engines, CAT-QuickHeal, Fortinet and Panda, spotted something 
they considered suspicious.

Tibbar waited three weeks, then tried again at a different malware scanner: Jotti. The results were slightly more 
encouraging. This time, AntiVir, BitDefender, Dr. Web, Fortinet, Kaspersky Anti-Virus, NOD32 and VBA32 caught him. AVG 
AntiVirus caught a generic backdoor. That's eight of 15 vendors. Better.

On the fifth of April, Jack Koziol took up the gauntlet at Ethical Hacking and Computer Forensics. He packaged and 
resubmitted the codeCrypter'd Hacker Defender rootkit to VirusTotal. Sadly, his list of worthies expanded by only one. 
Kaspersky found the rootkit.

[snip]

More:
http://www.emailbattles.com/archive/battles/adware_aadddbhadc_ia/

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
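The detection numbers above are the symptom; the mechanism is that a crypter rewrites the bytes a signature keys on without changing what the payload does. The toy below is an added example, not code from the eMail Battles article, from Tibbar's codeCrypter, or from anything Jack Koziol posted: a constructed fake sample with one fixed byte-signature, a repeating-key XOR "crypter", and a crude entropy heuristic standing in for the kind of generic "suspicious" verdict some engines returned. The sample, the signature database, the fixed key and the 4.5-bit threshold are all assumptions made up for this example; no real engine's logic or thresholds are claimed.

```python
"""Toy illustration (added here; not code from the eMail Battles article,
Tibbar's codeCrypter, or Jack Koziol) of why a crypter defeats byte-signature
scanning: the same payload, XOR-encoded, no longer contains the bytes a
signature matches on, while a crude entropy heuristic can still flag it.
Sample, signature, key and threshold are all constructed for this example."""
import hashlib
import math
from collections import Counter

# Constructed stand-in for a known sample (NOT Hacker Defender): a fake
# "MZ" header, zero padding and one recognisable string.
PLAIN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"hxdef-like rootkit stub: hide process, hide file, hide port\n"
    + b"\x00" * 64
)

# Constructed signature database: detection name -> fixed byte sequence.
SIGNATURES = {
    "Toy.Rootkit.Stub": b"hide process, hide file, hide port",
}

# Constructed, fixed 32-byte key so the example is reproducible; a real
# crypter picks a fresh random key per build, which is exactly why a
# hash or byte signature taken from one build misses the next one.
KEY = bytes(range(0x80, 0xA0))
MARKER = b"TOYCRYPT"


def signature_scan(data: bytes) -> list[str]:
    """Naive static scanner: report each signature whose bytes occur verbatim."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric, so the same call decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(data: bytes, key: bytes = KEY) -> bytes:
    """Toy crypted file: marker + key + encoded payload. A real crypter ships
    a decoder stub and hides the key; here it is in clear for readability."""
    return MARKER + key + xor_crypt(data, key)


def unpack(packed: bytes, key_len: int = len(KEY)) -> bytes:
    """Reverse of pack(): what a real crypter's decoder stub does at load time."""
    if not packed.startswith(MARKER):
        raise ValueError("not a TOYCRYPT blob")
    key = packed[len(MARKER):len(MARKER) + key_len]
    return xor_crypt(packed[len(MARKER) + key_len:], key)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8 for random-looking data, low for padded text."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 4.5) -> bool:
    """Toy 'suspicious' heuristic: high entropy. The threshold is an assumption
    tuned for this tiny sample, not a value taken from any vendor's engine."""
    return shannon_entropy(data) > threshold


def compare(plain: bytes) -> dict:
    """Run the toy scanner and heuristic over a sample and its crypted form."""
    packed = pack(plain)
    return {
        "plain_sha256": hashlib.sha256(plain).hexdigest(),
        "packed_sha256": hashlib.sha256(packed).hexdigest(),
        "plain_hits": signature_scan(plain),        # signature fires
        "packed_hits": signature_scan(packed),      # nothing to match on
        "plain_entropy": round(shannon_entropy(plain), 2),
        "packed_entropy": round(shannon_entropy(packed), 2),
        "plain_suspicious": looks_packed(plain),
        "packed_suspicious": looks_packed(packed),  # heuristic still fires
        "roundtrip_ok": unpack(packed) == plain,    # behaviour is unchanged
    }


if __name__ == "__main__":
    for key, value in compare(PLAIN_SAMPLE).items():
        print(f"{key:>17}: {value}")
```

The point the toy makes is the one the submission results above imply: a scanner that only knows the plain sample's hash or a byte pattern from it has nothing to match once the bytes are re-encoded, so the vendors that caught the crypted file either had a signature for the crypter's stub, unpacked it (emulation or a static unpacker), or fired a generic heuristic; which of those each engine did is not something the article states.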

