funsec mailing list archives

Re: Consumer Reports Slammed for Creating 'Test' Viruses


From: Drsolly <drsollyp () drsolly com>
Date: Sun, 20 Aug 2006 00:37:50 +0100 (BST)

On Sun, 20 Aug 2006, Peter Kosinar wrote:

Hello,

The following response is based on my observation, referring to "people" 
does not imply that it reflects my or your point of view. :-)

*I* don't think that, generally speaking.  (I seriously doubt that no 
one, ever, working for an AV company hasn't written or modified some 
malware.  But generally, no, I don't believe they are creating the 
malware.)

Actually, there are documented cases when former virus-writer(s) were 
employed by AV companies.

I know of one case. In that case, the employer was the US distribution 
company, and when the main AV company found out, they sent an ultimatum, 
and the virus-writer was fired. If you know of others, I'd be interested 
to hear of them.

On the other hand, I seriously doubt that there 
are people who wrote a virus -while- working for an AV company. Once 
someone sees the amount of malicious software (s)he needs to fight 
against, the slightest thoughts of adding to it get kicked out very 
quickly. :-)

However, that is a HUGE reason why AV people are so paranoid about 
creating malware, because of 20 years of people waiting to pounce the 
moment there is a hint that they do.

Indeed; it happens too often that the first reaction of laymen to people 
working in the AV industry is like this: "I work for an AV company." "Oh 
really? So, just between us, you do write viruses, don't you? So that 
you'll get more profit... How many of them have you written?". It's a 
shame, but it is so :-(

Why don't people think that dentists cause cavities and surgeons cause 
hernias?
 
Blue Boar is right in assuming that AVs rely on updates (the distinction 
between the "scanning engine", "signatures", and other parts of the AV is 
disappearing over the time).

It disappeared in 1991.

As Nick and I pointed out in our previous replies, it's -incredibly- easy 
to make the test meaningless from the technical point of view. Quick 
summary: Did they check each of those 5500 pieces of malware and actually 
verified that they work -and- that they perform their malicious activity?

Unlikely. I was frequently the victim of a product test that gathered a 
zillion files, didn't check that they were viruses, and gave the highest 
marks to the product with the greatest false alarm rate.

I vividly remember one of them, in which the test publication was very
complete, and you could even see the sizes of the test files. One of the
test files was two bytes long. One product detected that as a virus. The
tester took the view that "A file is a virus, if *any* of the products say
it is". It took me a while, but I finally convinced him of the utter
fatuity of that view, and that he was probably publishing pretty much the
reverse order of how good the products were.

He changed his protocol, though, and then discovered that to determine 
which of the files were actually working viruses, was *very* time 
consuming, and told me so. "Tough", I said. "You want to do the test, you 
have to pay the price."
 
One easy-to-think-up bad idea is to take the files, run all the AVs on 
them and delete the files which weren't detected by any of the 
participating AVs. This "ensures" that your testing set consists only of 
malware. Or not?

The answer is obvious -- each and every useful AV has false positives 
(yes, I can make an AV which has no false positives but it'll be a huge 
monster, thus not -useful-), so your testing set is, most likely,
contaminated by clean files. In fact, if one of the tested products is 
extremely false-positive-rich, it'll probably score very well in the 
subsequent scanning of the testing set prepared in this way.

But that has, as I described above, been done. Possibly more than the one 
case I know of.
 
Actually, Ryan, assuming that by 80's-style file infector you mean an 
infector for MS-DOS-running machines of those days -and- using the 
techniques common in those days, I doubt it'll be undetected by all the 
AVs. Yes, it is possible to write such a thing (and it is not all that 
difficult) with current knowledge and ideas but if you really adhered to 
the virus-writing principles used then, the result will be quite likely to 
be detected.
 
But then his test suite of viruses is *totally* irrelevant to the actual 
threat in the world today.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
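As an added illustration, not part of this thread, here is a small Python simulation of the "keep whatever any product flags" test-set construction discussed above. The three scanners, their index-based detection rules and the corpus labels are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Sample:
    idx: int
    is_malware: bool  # ground truth, known only because we built the corpus

@dataclass(frozen=True)
class Scanner:
    name: str
    flags: Callable[[Sample], bool]  # True when the product reports "virus"

def build_corpus(n_malware: int = 1000, n_clean: int = 1000) -> List[Sample]:
    """Constructed corpus: half genuine malware, half clean files."""
    return ([Sample(i, True) for i in range(n_malware)]
            + [Sample(i, False) for i in range(n_clean)])

# Hypothetical products. Behaviour is modelled by simple index rules so the
# outcome is deterministic and can be checked by hand.
SCANNERS = [
    # 90% detection, no false positives
    Scanner("thorough", lambda s: s.is_malware and s.idx % 10 != 0),
    # 80% detection, 5% false positives
    Scanner("middling", lambda s: (s.idx % 5 != 0) if s.is_malware
            else (s.idx % 20 == 0)),
    # 70% detection, 50% false positives
    Scanner("trigger_happy", lambda s: (s.idx % 10 < 7) if s.is_malware
            else (s.idx % 2 == 0)),
]

def consensus_test_set(corpus: List[Sample], scanners: List[Scanner]) -> List[Sample]:
    """The bad idea from the post: keep every file that *any* product flags."""
    return [s for s in corpus if any(sc.flags(s) for sc in scanners)]

def consensus_scores(corpus: List[Sample], scanners: List[Scanner]) -> Dict[str, float]:
    """Flawed metric: share of the consensus set that each product flags."""
    test_set = consensus_test_set(corpus, scanners)
    return {sc.name: sum(sc.flags(s) for s in test_set) / len(test_set)
            for sc in scanners}

def ground_truth_scores(corpus: List[Sample], scanners: List[Scanner]) -> Dict[str, Tuple[float, float]]:
    """(detection rate on real malware, false-positive rate on clean files)."""
    mal = [s for s in corpus if s.is_malware]
    clean = [s for s in corpus if not s.is_malware]
    return {sc.name: (sum(sc.flags(s) for s in mal) / len(mal),
                      sum(sc.flags(s) for s in clean) / len(clean))
            for sc in scanners}

def ranking(scores: Dict[str, float]) -> List[str]:
    """Product names ordered best to worst by the given score."""
    return sorted(scores, key=scores.get, reverse=True)

if __name__ == "__main__":
    corpus = build_corpus()
    print("consensus ranking   :", ranking(consensus_scores(corpus, SCANNERS)))
    truth = ground_truth_scores(corpus, SCANNERS)
    print("ground-truth ranking:", ranking({k: v[0] for k, v in truth.items()}))
```

The consensus set absorbs every clean file the trigger-happy product flags, so that product ranks first on the consensus metric while being the worst on real malware and the worst on false positives.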
