Posted by: David Harley | April 3, 2010

Badware: Where Does It Come From?

I’ve been hearing for as long as I’ve been researching malware that Macs don’t have virus…sorry, wrong blog… that it’s the antivirus companies that write all the viruses. In fact, I wrote about that perception (and the reasons why the AV industry has such a bad press in general) at some length in Virus Bulletin in 2006, in an article called “I’m OK, You’re Not OK“.

Leaving aside the fact that viruses are a pretty small part of the problem these days, my friend David Perry sometimes makes a point in presentations by asking people in the industry how many of them have been asked “don’t you guys really write all the malware?” Inevitably, a cluster of old-timers will respond by raising a world-weary hand. I sometimes think the lowest point of my career to date was in 2008, when I was about to be anaesthetized before major surgery and the surgeon who was going to rearrange most of my internal organs asked me what I did for a living. “I work for an antivirus company,” I said. “Ah. I have a theory about antivirus companies…..” he responded. I’m pleased I survived the operation, for more than one reason, but principally because that would have been an awful note on which to be launched into the afterlife… Perhaps I should have asked that surgeon if he spent his time outside the operating theatre creating biological pathogens in order to ensure the profitability of the healthcare industry, but I suppose it would have been rash to risk irritating someone who was about to apply a number of very sharp instruments to my person.

Neil Rubenking, veteran author, security journalist and tester of anti-malware products (and a member of the AMTSO Advisory Board, by the way) has evidently heard this one too. In an April 1st blog for PC Mag, he “revealed” that the security industry really does write all the malware, and that AMTSO is rewriting its “Fundamental Principles of Testing” accordingly. I didn’t see Neil’s blog immediately, but when I did, I took advantage of the opportunity to respond with a little (belated) fakery of my own over at ESET. All very amusing, but what does that have to do with testing, I hear you ask?

In fact, the antivirus industry has, traditionally, taken a very harsh view of the writing of malware – especially replicative malware – for any purpose, to the extent that not only do mainstream companies decline to employ anyone who has ever done so, but some researchers have gone to extreme lengths to avoid writing anything that could be described as a virus, even to prove a concept under laboratory conditions in order to improve the protective effectiveness of their products. That antipathy extends to the creation of new malware or variants for malware testing purposes, and it’s shared by AMTSO members who aren’t vendors. Indeed, the first principle defined in that document explicitly condemns the practice, and another AMTSO document on “Issues involved in the “creation” of samples for testing” makes that position much clearer.

So it would be a monstrous act of hypocrisy for the industry to take that stand if it were really writing malware. However, we don’t, and I can prove it.

A myth laid to rest

In fact, Neil does raise an interesting point: where many viruses were poorly coded and tested, the general standard of malware coding has been higher since it became an “industry” in its own right, though I think that commercial incentive has more to do with that than anything else. However, there are clearly exceptions to that rule, as can be seen from the execrably implemented fake antivirus program described here.

David Harley FBCS CITP CISSP

Responses

  1. […] as malware? If not, does that make it acceptable? (In general, I think not, but you might find one of my AMTSO blogs a better starting point for considering that argument, or the AMTSO documentation […]

  2. […] Neil, that admission about the antivirus companies writing all the viruses was supposed to be off the record. Yes, I am in the process of rewriting the AMTSO […]

  3. […] All of which gave me the opportunity to indulge in a little belated and barbed fakery of my own at http://www.eset.com/blog/2010/04/02/april-1st-your-questions-answered. (Which you’ll have to visit if you want the links I didn’t include above and don’t want to wind your way through acres of search engine suggestions.) And some more serious thinking on the myth of the AV industry writing the viruses at the AMTSO blog here. […]
