I’ve been hearing for as long as I’ve been researching malware that Macs don’t have viruses… sorry, wrong blog… that it’s the antivirus companies that write all the viruses. In fact, I wrote about that perception (and the reasons why the AV industry has such a bad press in general) at some length in Virus Bulletin in 2006, in an article called “I’m OK, You’re Not OK”.
Leaving aside the fact that viruses are a pretty small part of the problem these days, my friend David Perry sometimes makes a point in presentations by asking people in the industry how many of them have been asked “don’t you guys really write all the malware?” Inevitably, a cluster of old-timers will respond by raising a world-weary hand. I sometimes think the lowest point of my career to date was in 2008, when I was about to be anaesthetized before major surgery and the surgeon who was going to rearrange most of my internal organs asked me what I did for a living. “I work for an antivirus company,” I said. “Ah. I have a theory about antivirus companies…” he responded. I’m pleased I survived the operation, for more than one reason, but principally because that would have been an awful note on which to be launched into the afterlife… Perhaps I should have asked that surgeon if he spent his time outside the operating theatre creating biological pathogens in order to ensure the profitability of the healthcare industry, but I suppose it would have been rash to risk irritating someone who was about to apply a number of very sharp instruments to my person.
Neil Rubenking, veteran author, security journalist and tester of anti-malware products (and a member of the AMTSO Advisory Board, by the way) has evidently heard this one too. In an April 1st blog for PC Mag, he “revealed” that the security industry really does write all the malware, and that AMTSO is rewriting its “Fundamental Principles of Testing” accordingly. I didn’t see Neil’s blog immediately, but when I did, I took advantage of the opportunity to respond with a little (belated) fakery of my own over at ESET. All very amusing, but what does that have to do with testing, I hear you ask?
In fact, the antivirus industry has, traditionally, taken a very harsh view of the writing of malware – especially replicative malware – for any purpose, to the extent that not only do mainstream companies decline to employ anyone who has ever done so, but some researchers have gone to extreme lengths to avoid writing anything that could be described as a virus, even to prove a concept under laboratory conditions in order to improve the protective effectiveness of their products. That antipathy extends to the creation of new malware or variants for malware testing purposes, and it’s shared by AMTSO members who aren’t vendors. Indeed, the first principle defined in that document explicitly condemns the practice, and another AMTSO document on “Issues involved in the “creation” of samples for testing” makes that position much clearer.
So it would be a monstrous act of hypocrisy for the industry to take that stand if it were really writing malware. However, we don’t, and I can prove it.
In fact, Neil does raise an interesting point: where many viruses were poorly coded and tested, the general standard of malware coding has been higher since it became an “industry” in its own right, though I think that commercial incentive has more to do with that than anything else. However, there are clearly exceptions to that rule, as can be seen from the execrably implemented fake antivirus program described here.
David Harley FBCS CITP CISSP