Vulnerability Development mailing list archives
Re: Another new worm??? (long)
From: pierre () DATARESCUE COM (Pierre Vandevenne)
Date: Wed, 21 Jun 2000 18:19:47 +0200
While I ultimately disagree with what Dan Schrader said, I don't think he fully deserves the harsh reaction he got. First, let's look back for a few seconds. The "non-disclosure" policy about viruses is rooted in the past, a shady past where some early anti-virus developers were accused of releasing or sponsoring the development of viruses, where books or magazine articles teaching how to write a virus were widely available, where major publications such as PC Magazine commissioned the writing of a new virus for testing purposes... The "Little Black Book of Computer Viruses" was advertised in mainstream magazines. In French-speaking countries, translations and adaptations were published by major publishers ("C'est décidé, j'écris mon virus") and a guy called Burger was doing the same thing in Germany. This was also the time when anti-virus vendors would visit prospects with floppies full of so-called viruses to demonstrate that they were caught by their own products and not by the competition's (in most cases, these files were false alerts of the hyped product, btw; the main problem was that the customer had to test and eventually disassemble them to check, which of course he never did). At that time, a few anti-virus developers came up with some truly sincere ethical rules: basically, that they wouldn't, under any circumstance, be associated with virus writing or virus spreading. Mainstream anti-virus companies stopped their sales persons' pissing contests and fired any techie known to have had a "viral" history. Ultimately, a standard test file (eicar.com) was developed to test the installation of anti-virus programs (not their performance!), and any spreading of a real virus was a capital crime. Of course, this set of rules was almost immediately perverted, in the sense that it was used as a barrier to entry in the emerging anti-virus business.
One had to have connections, to think along the lines of this informal structure, to be admitted as an "anti-virus researcher" and to gain access to the virus samples needed to develop a scanner that would perform well in tests, as 90 to 95% of the viruses were "laboratory samples", never seen in the wild, never a real-world threat. Parenthesis here: an anti-virus that detects 100% of the viruses in the wild and 0% of the laboratory samples at any given time is better than an anti-virus that detects 90% of the in-the-wild viruses and 100% of the lab samples... sure, but tell that to the average magazine reader... A second perversion of the system also occurred naturally: accurate information about viruses was hard to obtain outside those circles. Consider for example a virus so buggy that it can't reproduce more than once, a virus that takes approximately one minute to infect a system, that locks up in a good percentage of those attempted infections and that, it should be remembered today, did not spread by e-mail or network in any way... Got a mental picture of that crippled virus? Shouldn't even be worth a line in the news, right? WRONG :-) This virus is called Hare_Krishna and had its hour of glory on the front pages of most media during the summer of '96 (it was supposed to activate on the 22nd of August, amongst other dates). Of course (and that was good news), the virus was a flop on floppies. Today, self-proclaimed specialists, who got their "titles" mainly through accelerated study of 50-slide-long PowerPoint presentations (heck, the market is increasing, you've got to hire people), regularly and publicly declare absurdities, echoed by the press and by governmental agencies, which are trying to cope but are at the mercy of manipulation since real, accurate information is so scarce.
Examples: Reno talking about a virtually non-existent virus in the aftermath of LoveLetter, LoveLetter headlines such as "52 people might have collaborated to write the code" (slightly more than 100 VBS lines, yeah sure), or the FBI going into Red Alert mode about a slightly new variant of SubSeven... Then, of course, as Blue Boar said,
> thereby forcing people to buy AV software for protection. I get the distinct impression that they don't share with each other as well. I'll leave that for you to comment on if you like.
There is a part of that as well... sure. And as Bennett said,
> In security there is no such thing as "overanalysis"; also, last I checked, sending a link to a web site doesn't necessarily spread a virus.
Closing the market to potential new competitors, patently false hype, manipulation of the media and governmental agencies, misleading customers when a free solution might be more effective, eventually flawed analysis: these are all consequences of an obscurity policy. But to be fair, we should look at the other side as well. The main problem with viruses and worms is of course that they SPREAD without control. Assume I give a virus to John Doe for analysis and that I have misjudged his abilities: he executes it by mistake, sends it to his address book, then from there to the outside world... Ouch. Imagine you are the IT security manager of that John Doe and that your own boss isn't too happy that your main customer's mail servers are down? Hmmmmmmm. Of course, I shouldn't have given the virus to John Doe, but to you. But isn't that the "distribution limited to recognized experts" principle, slightly disguised and at a lower level? Besides, how could I tell you are better than John Doe? Maybe you aren't and have a bigger address book? <G> Then, let's consider another example, the CIH virus. PE header infection, EEPROM corruption and hard disk trashing... You might know it under its other name, Tchernobyl. Is it a good idea to share information about that virus? I don't think so. The PE header infection mechanism will only help virus writers, the "characteristics" of the virus will not help you intercept it, the details of the EEPROM trashing routine are of no use whatsoever, some 60% of the world's EEPROMs are used in an extremely seriously flawed way from a security point of view, and giving vandals the tools to wreak havoc is not the best way to address the problem... The problem is not an easy one and does not have an absolute answer. The benefit and the harmful consequences are to be carefully balanced. When in doubt, we use policies and guidelines; we all use them implicitly, don't we?
Dan sticks strictly to his guidelines and his industry's set of ethical standards (and probably doesn't complain if they work in his favor, but that is normal). For this reason, he does not deserve the flak he gets. "First, do no harm." is a decent guideline. Now, think about this: if we have 10000 people on this list, 4999.5 are below the average competence level and 4999.5 are above <G>. You can't say OK to one side and fuck off to the other side. Guidelines make it easy socially as well :-). Of course, it would probably have helped if Dan had not written his message in a patronizing, almost arrogant, tone. For this he deserves the flak. As far as I am concerned, I think that the guidelines are still valid (clearly in the CIH case) but that they must be abandoned for all the script viruses/worms. Why? Because in that case the advantages of full disclosure clearly outweigh obscurity:

1) Script viruses/worms spread in source code or in a form that is close to it. They are easy to detect (at a basic level), easy to understand, and it is easy to block their diffusion with simple means when you understand what they attempt.
2) Virtually anyone who can use a search engine can find the source of a script virus anyway.
3) The world needs to understand that these things aren't complex at all, that no super-hacker is needed to write them and that if the system is vulnerable to them, that is because the system is intrinsically weak. This is the major issue we should be addressing.
4) The anti-virus companies, going against the tide of open everything, will appear more and more as crooks trying to take advantage of the poor uneducated user; they also stand to gain here.
5) Many things I can't think of just right now :-)

To address the risk of inadvertently running the virus (this is the main problem), it could for example be split, or slightly edited, or commented. An overall blind ban is clearly out of date...

Some random thoughts:

- IDS people, mail admins, etc. should not fall for arrogance themselves. True, LoveLetter is easy to block, but so were the first DOS viruses, easily detected by a trivial byte string. But they quickly evolved and, with encryption and polymorphism, they became harder and harder to deal with (until the emulator came into the picture). What we are seeing today as far as worms are concerned is _not_ top of the line. I am willing to bet that there will be a time when basic information will not be as useful as it is now.
- The IEEE likes to talk about ethical standards for software engineering. The need is even more dire in the computer security field, where threats are often inflated when there is a potential gain and solutions omitted when they contradict economic interests (imagine a world where the vaccine for poliomyelitis would be killed at birth by prosthesis manufacturers).

BIAS disclosure: I am connected to the a-v industry but also to other security industries.

---
http://www.datarescue.com/idabase/ida.htm
IDA Pro 4.1 - Yes, we have done it again!
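One way to act on the post's point that a script worm, travelling as near-source, can be blocked at the mail gateway with simple means, as an added example that is not part of the original post or thread: a Python attachment-policy filter that quarantines any message whose attachment has a Windows script extension as its final suffix. The extension list, the sample messages and all names in the block are constructed assumptions.

```python
"""Mail-gateway filter for script worms (added example, not code from the post).

Parses an RFC 822 message and quarantines it when any attachment's final
extension is a Windows script type, which also catches double-extension
names such as NOTES.TXT.vbs because only the last suffix decides the
handler. Extension list and sample messages are constructed for the demo.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Script hosts a LoveLetter-style mail worm would be written for; constructed policy list.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}

def final_extension(filename: str) -> str:
    """Last suffix, lower-cased: 'NOTES.TXT.vbs' -> '.vbs', 'readme.vbs.txt' -> '.txt'."""
    return os.path.splitext(filename.strip())[1].lower()

def risky_attachments(raw: bytes) -> list:
    """Names of attachments whose final extension is in SCRIPT_EXTENSIONS."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [part.get_filename() for part in msg.iter_attachments()
            if part.get_filename()
            and final_extension(part.get_filename()) in SCRIPT_EXTENSIONS]

def gateway_verdict(raw: bytes) -> str:
    """'quarantine' when a script attachment is present, otherwise 'deliver'."""
    return "quarantine" if risky_attachments(raw) else "deliver"

def build_sample(attachment_name: str, body: str) -> bytes:
    """Construct a two-part message with one attachment (demo input, not a real worm)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "kindly check the attached file"
    msg.set_content("Please see the attachment.")
    msg.add_attachment(body.encode(), maintype="text", subtype="plain",
                       filename=attachment_name)
    return msg.as_bytes()

if __name__ == "__main__":
    suspicious = build_sample("NOTES.TXT.vbs", "' placeholder text, not a script")
    benign = build_sample("notes.txt", "just a note")
    print(gateway_verdict(suspicious), gateway_verdict(benign))  # quarantine deliver
```

A real gateway would pair this policy check with a scanner; the filter's value is that it needs no signature for a worm nobody has seen yet.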