funsec mailing list archives
Re: Consumer Reports Slammed for Creating 'Test' Viruses
From: Drsolly <drsollyp () drsolly com>
Date: Sun, 20 Aug 2006 00:37:50 +0100 (BST)
On Sun, 20 Aug 2006, Peter Kosinar wrote:
> Hello,
>
> The following response is based on my observation; referring to "people" does not imply that it reflects my or your point of view. :-)
>
> > *I* don't think that, generally speaking. (I seriously doubt that no one, ever, working for an AV company hasn't written or modified some malware. But generally, no, I don't believe they are creating the malware.)
>
> Actually, there are documented cases when former virus-writer(s) were employed by AV companies.
I know of one case. In that case, the employer was the US distribution company, and when the main AV company found out, they sent an ultimatum, and the virus-writer was fired. If you know of others, I'd be interested to hear of them.
> On the other hand, I seriously doubt that there are people who wrote a virus -while- working for an AV company. Once someone sees the amount of malicious software (s)he needs to fight against, the slightest thoughts of adding to it get kicked out very quickly. :-)
>
> > However, that is a HUGE reason why AV people are so paranoid about creating malware, because of 20 years of people waiting to pounce the moment there is a hint that they do.
>
> Indeed; it happens too often that the first reaction of laymen to people working in the AV industry is like this: "I work for an AV company." "Oh really? So, just between us, you do write viruses, don't you? So that you'll get more profit... How many of them have you written?". It's a shame, but it is so :-(
Why don't people think that dentists cause cavities and surgeons cause hernias?
> Blue Boar is right in assuming that AVs rely on updates (the distinction between the "scanning engine", "signatures", and other parts of the AV is disappearing over time).
It disappeared in 1991.
> As Nick and I pointed out in our previous replies, it's -incredibly- easy to make the test meaningless from the technical point of view. Quick summary: Did they check each of those 5500 pieces of malware and actually verify that they work -and- that they perform their malicious activity?
Unlikely. I was frequently the victim of a product test that gathered a zillion files, didn't check that they were viruses, and gave the highest marks to the product with the greatest false alarm rate. I vividly remember one of them, in which the test publication was very complete, and you could even see the sizes of the test files. One of the test files was two bytes long. One product detected that as a virus. The tester took the view that "A file is a virus, if *any* of the products say it is". It took me a while, but I finally convinced him of the utter fatuity of that view, and that he was probably publishing pretty much the reverse order of how good the products were. He changed his protocol, though, and then discovered that to determine which of the files were actually working viruses was *very* time consuming, and told me so. "Tough", I said. "You want to do the test, you have to pay the price."
> One easy-to-think-up bad idea is to take the files, run all the AVs on them and delete the files which weren't detected by any of the participating AVs. This "ensures" that your testing set consists only of malware. Or not? The answer is obvious -- each and every useful AV has false positives (yes, I can make an AV which has no false positives but it'll be a huge monster, thus not -useful-), so your testing set is, most likely, contaminated by clean files. In fact, if one of the tested products is extremely false-positive-rich, it'll probably score very well in the subsequent scanning of the testing set prepared in this way.
But that has, as I described above, been done. Possibly more than the one case I know of.
> Actually, Ryan, assuming that by 80's-style file infector you mean an infector for MS-DOS-running machines of those days -and- using the techniques common in those days, I doubt it'll be undetected by all the AVs. Yes, it is possible to write such a thing (and it is not all that difficult) with current knowledge and ideas but if you really adhered to the virus-writing principles used then, the result will be quite likely to be detected.
But then his test suite of viruses is *totally* irrelevant to the actual threat in the world today.
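The scoring flaw both posters describe (a file counts as "a virus" if any product flags it, and products are then ranked on that unverified set) can be shown with a small simulation. This is an added example, not code from the list or from either poster; the corpus, the three products and their detection behaviour are all constructed, and the product names are hypothetical.

```python
"""Constructed simulation of the "any product says it's a virus" test protocol.

A reviewer collects a corpus without verifying which files are malware, keeps
every file that at least one product flags, and scores each product on that set.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    name: str
    is_malware: bool  # ground truth the simulated reviewer never checked


def build_corpus(n_malware=60, n_clean=40):
    """Constructed corpus: 60 real malware samples and 40 clean files."""
    corpus = [Sample(f"mal{i:03d}", True) for i in range(n_malware)]
    corpus += [Sample(f"clean{i:03d}", False) for i in range(n_clean)]
    return corpus


def _idx(s):
    return int(s.name[-3:])


# Each product is a constructed verdict model (True = "this is a virus").
# The name prefix stands in for file content; the modulus rules fix the rates.
PRODUCTS = {
    "careful": lambda s: s.is_malware and _idx(s) % 10 != 0,        # 90% TP, 0% FP
    "thorough": lambda s: s.is_malware and _idx(s) % 4 != 0,        # 75% TP, 0% FP
    "trigger_happy": lambda s: (_idx(s) % 5 != 0) if s.is_malware   # 80% TP ...
                               else (_idx(s) % 2 == 0),             # ... 50% FP
}


def consensus_test_set(corpus, products):
    """The flawed protocol: keep a file if *any* product calls it a virus."""
    return [s for s in corpus if any(p(s) for p in products.values())]


def score_on(test_set, products):
    """'Detection rate' as the flawed protocol computes it: flags / set size."""
    return {n: sum(p(s) for s in test_set) / len(test_set) for n, p in products.items()}


def verified_scores(corpus, products):
    """What verified ground truth gives: (true positive rate, false positive rate)."""
    malware = [s for s in corpus if s.is_malware]
    clean = [s for s in corpus if not s.is_malware]
    return {n: (sum(p(s) for s in malware) / len(malware),
                sum(p(s) for s in clean) / len(clean)) for n, p in products.items()}


def rank(scores):
    """Product names, best score first."""
    return sorted(scores, key=scores.__getitem__, reverse=True)
```

On the consensus set the false-positive-rich product wins (68 of 77 files flagged) while the product with the best verified detection and no false alarms comes second; the ranking reverses once the clean files are counted against the products that flagged them.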