Interesting People mailing list archives

IP: Fabricated Virus Threats?


From: Dave Farber <dave () farber net>
Date: Fri, 14 Jun 2002 19:57:40 -0400


------ Forwarded Message
From: CurrencyKid () aol com
Date: Fri, 14 Jun 2002 19:40:07 EDT
To: dave () farber net
Subject: Fabricated Virus Threats?


Slashdot | McAfee Manufactures Virus Threat
<http://features.slashdot.org/features/02/06/14/1343223.shtml?tid=166>

Posted by michael <mailto:michael@slashdot.org> on Friday June 14, @10:30AM
from the virus-laboratory-has-new-sinister-meaning dept.
The sleaze has gotten out of hand; it's time to roast a group of 20 or so
companies whose profits are directly linked to creating fear in their
customers, who have to keep discovering new sources of fear to improve their
bottom line - or in the absence of new discoveries, keep inventing new
sources of fear. Yes, it's time to take on the anti-virus software vendors.
The latest "news" to come out of the AV industry is New Virus Infects
Picture Files <http://www.wired.com/news/technology/0,1282,53196,00.html> .
McAfee put up their description <http://vil.nai.com/vil/content/v_99522.htm>
and made sure to issue a wide-spread press release
<http://www.mcafeeb2b.com/aboutmcafeeb2b/pressroom/pr_template.asp?PR=/Press
Media/06132002.asp&Sel=1283>  to stir up some interest. McAfee's spokesdrone
fans the flames:

"Potentially no file type could be safe."

That evolution should make computer users think twice about sending pictures
or any other media over the Internet, Gullotto said.

"Going forward, we may have to rethink about distributing JPGs."

Now, if you
know much about computing, you may be a little suspicious of this. JPEGs are
compressed image files that only contain data representing an image to be
displayed, not code to be executed. A modification of that data might screw
up the picture of your cat dangling from the edge of the kitchen table you
like so much, but it won't turn the image into a potential virus
transmitter, because the programs that display JPEGs don't read them with an
eye toward executing the code. An image file is just data to be displayed.
The line between "data" and "code" is a little bit fuzzy - often
<http://www.sysadminmag.com/tpj/obfuscated/>  particular characters or a
particular file can be both data and code, depending on the context of how
other code handles it. Or a particular file can include both data and code
separately, like a Microsoft Word file that includes data (your text) and
code (some macro designed to be executed by Word when the document is
opened).

But for JPEGs there's a well-designed standard, and it doesn't include
executing code of any sort. If a JPEG-handling program doesn't like the data
it sees, it should just stop trying to display the image, not decide to
start executing code from the image. JPEGs are mostly harmless
<http://cowboyneal.org/pics/penguinhat.jpg> .

McAfee's claim of a virus spread through JPEGs requires one essential
element: you have to have already been infected by ANOTHER virus transmitted
by some actual executable code. What it comes down to is:

Once you're infected with a virus, the virus can set you up to be infected
by other viruses.

No shit, Sherlock. Once you have enemy code running on your system, you're
toast. A virus could alter Microsoft Word so that opening any Word document
at all would erase every file on your hard drive, making every single Word
document in existence a deadly threat -- to you, and to you alone. But this
isn't a new virus threat of any sort. It isn't a breakthrough. It's a
consequence of being infected, not a new method of being infected.

Two weeks ago, we ran a story about a cross-platform virus
<http://features.slashdot.org/articles/02/06/02/1749237.shtml?tid=99> . Like
this one, it didn't really exist in the wild. Like this one, it was mainly a
PR ploy (by Symantec, in that case). But we thought it had at least some
minimal technical interest as a bit of code that would run under Windows or
Linux.

McAfee and Symantec (and all the other AV vendors out there) are waging a PR
war to "discover" ever more news-worthy viruses to defend against. To get
maximum coverage, your new virus needs to do something unique or different
-- make your computer turn green, or infect something previously
uninfectable, or whatever it might be. Compare this to Klez, a very basic
virus similar in most ways to viruses that have gone before, which is still
out there looting and pillaging tens of thousands of computers every day,
but isn't ideal for AV vendors because they don't have a monopoly on the
cure.

The press is catching on
<http://www.cnn.com/2002/TECH/internet/04/24/virus.hype/index.html> , to
some tiny extent at least, that most virus alerts are fictitious and just
designed to drum up business for the vendors. But it's far easier to
repurpose a vendor's press release and call it a story than to dig into real
threats that exist on the Internet, and the causes of those threats. Today,
like last year and the year before and five years ago, there are major
email-borne virus threats out there. (There are still old-school viruses out
there too, transmitted by sneaker-net or by downloading suspicious software
<http://www.kazaa.com/> , but email is clearly the way to go for the
discriminating virus creator.) All the real email virus threats share a few
distinguishing characteristics:


They only affect Microsoft Windows. If you aren't running Windows, you are
safe.

They're usually transmitted by email. If you know enough on your own, or
you've had a half-hour class in "Email 101", you should be able to avoid
executing random files received by email.

They auto-execute in Microsoft Outlook or Outlook Express. Microsoft has
finally made some progress, after many years, in reducing the vulnerability
of their flagship email programs. So if you have a recent or fully-updated
version of these programs, you may not be as vulnerable as people running
older versions. Nevertheless, this was (and still is, since so many people
don't have recent or fully-updated versions) a primary vector.

And that's really it. If you don't run Windows, you're safe. If you have
basic email skills, you're safe. If you don't run Outlook, you're safe.
That's the story of modern viruses, and fortunately or un-, it's a pretty
boring one.

McAfee, and Symantec, and everyone else involved in the anti-virus FUD
business: lay off. I mean that literally, as in, "Lay off the people you
employ for the purpose of drumming up new virus threats." Lay off the public
relations people you employ to say things like, "We may have to rethink
about distributing JPGs." Lay off the BS. There's a real market for your
product, people who (for whatever reason) are using Windows and/or Outlook,
and haven't received the half-hour training course necessary to avoid
viruses. You can market to them based on your fast responses to real virus
threats - you don't need to manufacture any more.









------ End of Forwarded Message

