Malware "best practices"

Bill Sconce sconce at in-spec-inc.com
Sun Jul 23 17:00:02 EDT 2006


QA comes to virus writing
-------------------------

Two articles, 7/19 and 7/21, via Slashdot (sorry for the long URLs):
http://www.zdnet.com.au/news/security/soa/Eighty_percent_of_new_malware_defeats_antivirus/0,2000061744,39263949,00.htm
http://www.zdnet.com.au/blogs/securifythis/soa/Why_popular_antivirus_apps_do_not_work_/0,39033341,39264249,00.htm



For what it's worth, I posted the following comments.



____________________________________________________________________
It's OK (sort of) for an operating system to be full of holes.  
Right?  If every computer OWNER makes up for it with their own
time and money, and with personal diligence, "keeping their
antivirus package up to date"?

Yeah, right.  Anyone who intends to write an exploit capable of
getting past antivirus programs can be certain of eventual success.
All they have to do is ... unit testing!  "QA", as it's called in
the respectable world.

    "Unit Test 0:  check that your new code slips by McAfee."
    
    Or Symantec.  Or Trend Micro.  Or several of them,  or all
    of them.  You simply hold off releasing your virus until it
    meets "minimum ship criteria". 

    There's no chance that the "antivirus" will stop you.  Testing
    PROVES that your virus will slip by.  Users' machines are yours
    for the taking, nyaahaaaa.  You can run as many test trials as it
    takes. No one is watching; you have time.  YOU have THEIR code
    to test against.  THEY don't know you're coming.  And the best
    part: the users will get the blame.

Graham Ingram, general manager, CERT Australia, writes:
    "the bad guys, the criminals, are testing their malicious code
    against the antivirus products to make sure they are undetectable."

(Oo. Are they allowed to do that?)
    
    "the most popular brands of antivirus on the market...have an
    80 percent miss rate."
       
Eighty percent miss!  (But CERT should know -- it's what they do.)

    "That is not a detection rate that is a miss rate."

It's not possible, obviously, to develop an antivirus to detect
the signature or behavior of a virus which no one will see until
after it has begun its infection.  The antivirus vendors don't stand
a chance.  Analyses in the security literature show that a truly
effective virus can take over the monoculture part of the entire
Internet before the vendors have finished their coffee.

But vendors are not unhappy.  THEY like things the way they are: bugs
are good for business.  Customer anxiety is where dollars come from. 
Not just antivirus vendors -- one OS vendor, too, has gone into the
antivirus business, turning bugs into a profit center.  (How clever
is that?)  Vendors are not about to tell customers that there's a
real fix, and that it's choosing non-buggy software.

    "This is the dilemma that is building up here and the success
    rate is becoming quite worrying"

What should be "worrying" is that an expert could be surprised at
virus writers' "success".  It couldn't be otherwise.  Nothing could
be more certain than eventual defeat of any "antivirus" program which
you can bring into your own lab and test against, in privacy and under 
conditions and a schedule of your choosing.  Perhaps you have to be
clever to find a bug in the underlying operating system to exploit
in the first place (or maybe not), but you only need to be persistent,
to keep working, to prove that your exploit slips by so-called 
"antivirus" programs before releasing it.

Eighty percent miss.  Is there any business transaction other than
PC software in which customers can be led to expect (and put up with)
such gloomy results?
</essay>

One piece of good news.  The miss rate will stop increasing in about
20 more points...

-Bill


