Vulnerability Development mailing list archives

Re: Another new worm??? (long)


From: pierre () DATARESCUE COM (Pierre Vandevenne)
Date: Wed, 21 Jun 2000 18:19:47 +0200


While I ultimately disagree with what Dan Schrader said, I don't think
he fully deserves the harsh reaction he got. First, let's look back for
a few seconds.

The "non-disclosure" policy about viruses is rooted in the past, a
shady past where some early anti-virus developers were accused of
releasing or sponsoring the development of viruses, where books or
magazine articles teaching how to write a virus were widely available,
where major publications such as PC Magazine commissioned the writing
of a new virus for testing purposes... The "Little black book of
computer viruses" was advertised in mainstream magazines. In French
speaking countries, translations and adaptations were published by
major editors ( "C'est décidé, j'écris mon virus" ) and a guy called
Burger was doing the same thing in Germany. This was also the time
where anti-virus vendors would visit prospects with floppies full of
so-called viruses to demonstrate they were caught by their own products
and not the competition (in most cases, these files were false alerts
of the hyped product btw - the main problem was that the customer had
to test and eventually disassemble to check - of course, he never did.)
At that time, a few anti-virus developers came up with some truly
sincere ethical rules : basically that they wouldn't, under any
circumstance, be associated with virus writing or virus spreading.
Mainstream anti-virus companies stopped their salespeople's pissing
contests and fired any techie known to have had a "viral" history.
Ultimately, a standard test file (eicar.com) was developed to test the
installation of anti-virus programs (not the performance!) and any
spreading of real virus was a capital crime.

Of course, this set of rules was almost immediately perverted in the
sense that it was used as a barrier to entry in the emerging anti-virus
business. One had to have connections, to think along the lines of this
informal structure to be admitted as an "anti-virus researcher", to
gain access to the virus samples needed to develop a scanner that would
perform well in tests as 90 to 95% of the viruses were "laboratory
samples", never seen in the wild, never a real world threat.
Parenthesis here: an anti-virus that detects 100% of the viruses in the
wild and 0% of the laboratory samples at any given time is better than
an anti-virus that detects 90% of the in-the-wild viruses and 100%
of the lab samples... sure, but tell that to the average magazine
reader...

A second perversion of the system also occurred naturally : accurate
information about viruses was hard to obtain outside those circles.
Consider for example a virus so buggy that it can't reproduce more than
once, a virus that takes approximately one minute to infect a system,
that locks up in a good percentage of those attempted infections and
that, it should be reminded today, did not spread by e-mail or network
in any way...  Got a mental picture of that crippled virus ? Shouldn't
even be worth a line in the news, right ? WRONG :-) this virus is
called Hare_Krishna and had its hour of glory in the first pages in
most media during the summer of 96 ( was supposed to activate on the
22nd of August amongst other dates ). Of course (and that was good
news), the virus was a flop on floppies.

Today, self-proclaimed specialists, who got their "titles" mainly
through accelerated study of 50 slides long powerpoint presentations
(heck, the market is increasing, you've got to hire people), regularly
publicly declare absurdities, echoed by the press and the
governmental agencies, trying to cope, but at the mercy of manipulation
since real accurate information is so scarce. Examples : Reno talking
about a virtually non-existent virus in the aftermath of LoveLetter,
LoveLetter headlines such as "52 people might have collaborated to
write the code"  ( slightly more than 100 vbs lines, yeah sure ), or
the FBI going into Red Alert mode about a slightly new variant of
Subseven...

Then, of course, as Blue Board said,

 thereby forcing people to buy AV software for protection.  I get the
 distinct impression that they don't share with each other as well.  I'll
 leave that for you to comment on if you like.

There is a part of that as well... sure.

And as Bennet said,

 In security there is no such thing as "overanalysis," also, last I
 checked sending a link to a web site doesn't necessarily spread a virus.

Closing the market to potential new competitors, patently false hype,
media and governmental agencies manipulations, misleading customers
when a free solution might be more effective, eventually flawed
analysis: these are all the consequences of an obscurity policy.

But to be fair, we should look at the other side as well. The main
problem with viruses and worms is of course that they SPREAD without
control. Assume I give a virus to John Doe, for analysis and that I
have misjudged his abilities, he executes it by mistake, sends it to
his address book, then from there to the outside world... Ouch. Imagine
you are the IT security manager of that John Doe and that your own boss
isn't too happy that your main customer's mail servers are down ?
Hmmmmmmm. Of course, I shouldn't have given the virus to John Doe, but
given it to you. But, isn't that the "distribution limited to
recognized experts" principle, slightly disguised and at a lower level.
Besides, how could I tell you are better than John Doe ? Maybe you
aren't and have a bigger address book ? <G>

Then, let's consider another example, the CIH virus. PE Header
infection, EEPROM corruption and Hard disk trashing... You might know
it under its other name - Tchernobyl. Is it a good idea to share
information about that virus ? I don't think so. The PE header
infection mechanism will only help virus writers, the "characteristics"
of the virus will not help you intercept it, the details of the EEPROM
trashing routine are of no use whatsoever, some 60% of the world's
EEPROMs are used in an extremely seriously flawed way from a security
point of view and giving vandals the tools to wreak havoc is not the
best way to address the problem...

The problem is not an easy one and does not have an absolute answer.
The benefit and the harmful consequences are to be carefully balanced.
When in doubt, we use policies and guidelines, we all use them
implicitly, don't we ? Dan sticks strictly to his guidelines and his
industry's set of ethical standards (and probably doesn't complain if
they work in his favor, but that is normal). For this reason, he does
not deserve the flak he gets.

"First do no harm." is a decent guideline.

Now, think about this - if we have 10000 people on this list, 4999.5
are below the average competence level, 4999.5 are above <G>. You can't
say OK to one side and fuck off to the other side. Guidelines make it
easy socially as well :-).  Of course, it would probably have helped if
Dan had not written his message in a patronizing, almost arrogant,
tone. For this he deserves the flak.

As far as I am concerned, I think that the guidelines are still valid (
clearly in the CIH case ) but that they must be abandoned for all the
script viruses/worms : why ? Because in that case the advantages of
full disclosure clearly outweigh obscurity:

1) script viruses/worms spread in source code or in a form that is
close to it. They are easy to detect (at a basic level), easy to
understand and it is easy to block their diffusion with simple means
when you understand what they attempt.

2) virtually anyone who can use a search engine can find the source of
a script virus anyway.

3) the world needs to understand that these things aren't complex at
all, that no super-hacker is needed to write them and that if the
system is vulnerable to them, that is because the system is
intrinsically weak. This is the major issue we should be addressing.

4) the anti-virus companies, going against the tide of open everything
will appear more and more as crooks trying to get advantage of the poor
uneducated user - they also have to gain here.

5) many things I can't think of just right now :-)

To address the risk of inadvertently running the virus (this is the
main problem), it could for example be split, or slightly edited, or
commented.

An overall blind ban is clearly out of date...

Some random thoughts :

- IDS people, mail admins, etc... should not fall for arrogance
themselves. True, LoveLetter is easy to block, but so were the first DOS
viruses, easily detected by a trivial byte string. But they quickly
evolved and, with encryption and polymorphism, they became harder and
harder to deal with (until the emulator came into the picture). What we
are seeing today as far as worms are concerned is _not_ top of the
line. I am willing to bet that there will be a time where basic
information will not be as useful as it is now.

- the IEEE likes to talk about ethical standards for software
engineering. The need is even more dire in the computer security field,
where threats are often inflated when there is a potential gain and
solutions omitted when they contradict economical interests (imagine a
world where the vaccine for poliomyelitis would be killed at birth
by prosthesis manufacturers)

BIAS disclosure - I am connected to the a-v industry but also to other
security industries.

---
http://www.datarescue.com/idabase/ida.htm
IDA Pro 4.1 - Yes, we have done it again !
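Added example, not code from the message above, from the list, or from DataRescue. It illustrates two things the message says: point 1, that script worms travel in or near source form and can be caught with simple means once you understand what they attempt, and the later warning that a trivial byte string stops working as soon as the code is varied. The VBScript fragments are constructed and inert (they name the automation objects a mass-mailer uses and do nothing); the indicator names, the `verdict` labels and the concatenation-only normaliser are assumptions made for the example.

```python
"""Script-worm indicator scan: exact byte-string signature versus a
normalised, intent-based check, run over constructed, inert VBScript
fragments.  Added illustration, not code from the original message."""
import re

# Constructed, inert fragment in the style of a mass-mailing script worm.
# It only names the objects such worms drive; there is no working payload.
PLAIN_SAMPLE = r'''
Set fso = CreateObject("Scripting.FileSystemObject")
Set out = CreateObject("Outlook.Application")
Set mapi = out.GetNameSpace("MAPI")
myPath = WScript.ScriptFullName
For Each lst In mapi.AddressLists
    ' ... a worm would walk lst.AddressEntries and send itself here ...
Next
'''

# Same intent, but every interesting literal is split with VBScript's "&"
# concatenation so that no fixed byte string is present any more.
OBFUSCATED_SAMPLE = r'''
Set fso = CreateObject("Scripting." & "FileSystem" & "Object")
Set out = CreateObject("Out" & "look.Appli" & "cation")
Set mapi = out.GetNameSpace("MA" & "PI")
myPath = WScript.ScriptFullName
For Each lst In mapi.AddressLists
    ' ... same intent, literals split so the signature below misses ...
Next
'''

# Legitimate automation (creating an appointment) that also drives Outlook.
BENIGN_SAMPLE = r'''
Set out = CreateObject("Outlook.Application")
Set appt = out.CreateItem(1)   ' olAppointmentItem
appt.Subject = "Team meeting"
appt.Save
'''

# The kind of trivial byte string early DOS scanners relied on.
SIGNATURE = b'CreateObject("Outlook.Application")'

# Intent indicators (assumed names).  Matching is done on normalised text.
INDICATORS = {
    "mail_automation": re.compile(r'CreateObject\("Outlook\.Application"\)', re.I),
    "address_book": re.compile(r'\.AddressLists\b', re.I),
    "file_system": re.compile(r'CreateObject\("Scripting\.FileSystemObject"\)', re.I),
    "self_reference": re.compile(r'WScript\.ScriptFullName', re.I),
}

# Two adjacent string literals joined by & or + collapse into one literal.
_CONCAT = re.compile(r'"([^"\n]*)"\s*[&+]\s*"([^"\n]*)"')


def signature_match(script: str) -> bool:
    """Exact byte-string match, case sensitive, no normalisation."""
    return SIGNATURE in script.encode()


def normalize(script: str) -> str:
    """Fold chains of concatenated literals until nothing changes.
    Handles only literal splitting; Execute/Eval or encoded payloads
    would need an interpreter, which is the point of the message's
    warning about polymorphism."""
    prev = None
    while prev != script:
        prev = script
        script = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', script)
    return script


def indicators(script: str) -> set:
    """Names of the intent indicators present after normalisation."""
    text = normalize(script)
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def verdict(script: str) -> str:
    """Outlook automation alone is normal; automation plus address-book
    enumeration is the mass-mailer pattern worth blocking at the gateway."""
    hits = indicators(script)
    if {"mail_automation", "address_book"} <= hits:
        return "mass-mailer-suspect"
    if hits:
        return "automation-only"
    return "clean"


if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE),
                          ("obfuscated", OBFUSCATED_SAMPLE),
                          ("benign", BENIGN_SAMPLE)):
        print(f"{label:10s} signature={signature_match(sample)!s:5s} "
              f"verdict={verdict(sample)} hits={sorted(indicators(sample))}")
```

The exact signature catches the plain fragment and misses the split-literal variant; the normalised, intent-based check catches both and leaves the benign automation script alone, which is the false-alert problem the message mentions. It also shows the limit the message warns about: the normaliser only undoes literal concatenation, so a variant that builds its strings at run time is already past what this simple means can see.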


