[Infowarrior] - Can the malware industry be trusted?

Richard Forno rforno at infowarrior.org
Thu Jun 8 12:57:27 EDT 2006


Title            Can the malware industry be trusted?
Date            2006.06.07 16:00
Author            Joe Barr
Topic            
http://www.newsforge.com/article.pl?sid=06/06/06/1832223

Commentary: Internet security is big business. Microsoft Windows and Office
vulnerabilities have made major contributions to making it -- and keeping it
-- that way. Today, players like McAfee, Symantec, and dozens of other firms
fight for a share of a market worth tens of billions of dollars a year. I
would like to think that this industry displays the same high degree of
ethical standards and integrity shown by other first-responders: our police
forces, firefighters, and paramedics. Sure, there are bad apples in the
bunch now and then, but on the whole they are an admirably honest and
trustworthy group. I don't think nearly as highly of the computer security
industry.

Here's why.

Put a stake in its heart

Remember Dan Geer, the widely respected security guru who used to be CTO at
@Stake? He's been in the news again recently. The last time I saw that much
news about Geer, it was when he was fired by @Stake after presenting an
assessment critical of Microsoft and "monoculture."

@Stake, I presume, is proud of having maintained a good relationship with
Microsoft by firing Geer for daring to speak the truth. The irony comes from
the fact that the recent headlines concerning Geer -- about the MS Word
vulnerability -- proved him to be dead-on in the report he was fired for
delivering. Obviously, @Stake valued their relationship with Microsoft more
than they did the security of their clients. Word up, as they say.

It's that very trait -- the need to lick Microsoft's boots to play in their
ecosystem -- which accounts for a lot of the corruption, lies, deceit, false
claims, false viruses, and false alarms which emanate regularly from this
false security industry. But no need to dwell on @Stake being cherry red
with embarrassment over being shown up as idiots and servile buffoons. There
are plenty of other examples to talk about.

US-Cert: Count this way

Every year, US-Cert produces huge fireworks in the security trade press with
their annual summary of misinformation about security flaws. The idiots in
the press repeat the lie verbatim and the lie becomes real. What is the lie?
That Unix/Linux is less secure than Windows. Granted, only the stupidest
dolts in the universe -- and the trade press -- are going to buy that crap,
but they put it out there anyway.

Here's the problem. The summary gives a total for flaws found in Windows and
another total for flaws found in Unix and Linux. Last year, those totals
were 812 for Windows and 2,312 for Unix/Linux. As usual, those two
misleading numbers once again got trumpeted and cited as evidence that
Windows is more secure than Unix or Linux on every Windows-leaning news site
in the known universe.

Why is it misleading? Well, say that a vulnerability occurs in the Linux
kernel. There are dozens of Linux distributions, and when the vulnerability is
found, eventually it will get patched in each and every one of them. Now,
guess how many times it gets counted. That's right, not just once, but once
for each distribution.
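The counting pitfall described above can be made concrete. The following is an added example, not code from the column or from US-CERT, and the advisory identifiers, vendor names and CVE-style labels in it are constructed placeholders, not real advisories. It tallies a set of advisories the inflated way (one tally per advisory, so a kernel flaw patched by five distributions counts five times) and then the deduplicated way (one tally per distinct vulnerability identifier per platform family), and also reports how many advisories each identifier appears in, which is the duplication factor.

```python
"""Naive per-advisory counts versus counts deduplicated by vulnerability id.

Added example with constructed data: the advisory ids, vendors and
"CVE-EX-*" labels below are hypothetical placeholders, not real records.
"""
from collections import Counter, defaultdict

# Constructed advisories: (advisory_id, vendor, platform family, vulnerability ids).
# Several Linux distributions ship their own advisory for the same upstream
# flaw (CVE-EX-0100), which is exactly the double counting the column describes.
ADVISORIES = [
    ("MS06-A", "Microsoft", "Windows",    ["CVE-EX-0001"]),
    ("MS06-B", "Microsoft", "Windows",    ["CVE-EX-0002", "CVE-EX-0003"]),
    ("DSA-1",  "Debian",    "Unix/Linux", ["CVE-EX-0100"]),                 # kernel flaw
    ("RHSA-1", "Red Hat",   "Unix/Linux", ["CVE-EX-0100"]),                 # same kernel flaw
    ("SUSE-1", "SUSE",      "Unix/Linux", ["CVE-EX-0100"]),                 # same kernel flaw
    ("USN-1",  "Ubuntu",    "Unix/Linux", ["CVE-EX-0100", "CVE-EX-0101"]),  # same flaw plus one more
    ("GLSA-1", "Gentoo",    "Unix/Linux", ["CVE-EX-0101"]),
    ("DSA-2",  "Debian",    "Unix/Linux", ["CVE-EX-0102"]),
]


def count_per_advisory(advisories):
    """Inflated method: one tally per advisory, regardless of what it fixes."""
    tally = Counter()
    for _aid, _vendor, family, _ids in advisories:
        tally[family] += 1
    return dict(tally)


def count_unique_ids(advisories):
    """Deduplicated method: one tally per distinct vulnerability id per family."""
    seen = defaultdict(set)
    for _aid, _vendor, family, ids in advisories:
        seen[family].update(ids)
    return {family: len(ids) for family, ids in seen.items()}


def duplication_factor(advisories):
    """How many advisories each vulnerability id appears in."""
    tally = Counter()
    for _aid, _vendor, _family, ids in advisories:
        for vid in ids:
            tally[vid] += 1
    return dict(tally)


if __name__ == "__main__":
    print("per advisory :", count_per_advisory(ADVISORIES))
    print("unique ids   :", count_unique_ids(ADVISORIES))
    print("dup factor   :", duplication_factor(ADVISORIES))
```

On this constructed input the per-advisory method reports 6 for Unix/Linux against 2 for Windows, while counting distinct identifiers gives 3 and 3: the single kernel flaw appears in four advisories. Note that the naive method also undercounts Windows here, because one bulletin fixing two flaws is tallied once, so advisory counts measure packaging, not vulnerabilities.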

US-Cert knows about the problem of the super-inflated malware numbers in
their summary, but they refuse to correct it or to comment on it. They also
know that it misleads consumers and encourages them to stay on an inferior
platform -- one which is infamous for its chronic malware infestations --
rather than switching to Mac OS X or Linux, both of which are more secure by
design. Since they refuse to comment on the issue, the reason why they don't
correct it is something probably known only to Homeland Security and their
private sector partners in the US-Cert combine.

Apple OS X: Mea culpa

The SANS Institute -- a name which sounds all officious and possibly not
profit oriented, but which is owned by the mysterious but definitely
for-profit Escal Institute of Technology -- recently did an unusual update
to its Top 20 list of vulnerabilities.

They issued their "update" in order to trumpet the assertion that Apple OS X
is now just as exposed and vulnerable to malware as Windows. The timing of
the release of this unusual "update" is suspicious, coming as it did on the
eve of the new advertising campaign by Apple which plays up the fact that
Apple is pretty much immune to the types of malware infestations that plague
Windows. Previous updates to this list have usually come in the fall:
November, 2005; October, 2004; October, 2003; and October, 2002.

The SANS Institute announcement seemed to be designed to destroy -- or at
least bring into question -- the idea that Apple OS X is more secure than
Windows. In a document sent to members of the press prior to the
teleconference, the SANS Institute wrote:

    During the past few months, Apple Safari browser users faced their first
zero-day attack. A zero-day attack is one that causes damage to users even
before the vendor makes a patch available. In this case, Safari users who
just browsed a malicious web site found their computers automatically
downloading and executing a malicious file. The user made no error other
than to visit the web site. Apple patched Safari to fix this flaw, but
almost immediately had to issue a second patch to stop another attack
involving email attachments. The experts involved in the 2006 Top 20 Spring
update agree that OS/X still remains safer than Windows; but its reputation
for offering a bullet-proof alternative to Windows is in tatters. As
attackers are increasingly turning their attention to the platform, OS/X
vulnerabilities are being discovered at a rapid pace, which could erode this
safety in the future.

I covered the SANS teleconference event for NewsForge. Because of my recent
experiences with a Kaspersky Lab disinformation campaign against Linux, my
ears were tuned for false claims being made against Linux. But I didn't pay
much attention to the fact that SANS was launching a similar attack against
Apple. I am ashamed to say it, but just like all the other idiots in trade
press, I simply reported what had been said. My apologies to all Apple
users, and Apple. It won't happen again.

Imagine my surprise in the days that followed the teleconference as I read
story after story by Mac-aware journalists and analysts which questioned or
challenged the SANS Institute and similar findings by others in the malware
business.

On May 9, The Mac Observer reported that Yankee Group analyst Andrew Jaquith
accused McAfee of engaging in "scaremongering" in a report entitled "The New
Apple of Malware's Eye: Is Mac OS X the Next Windows?" In Jaquith's view,
McAfee was attempting to frighten Mac users into buying malware protection
they just happen to sell.

Other Apple-related news sites picked up the theme as well, as one might
expect. But what's this, a defense of Apple by BusinessWeek's Arik
Hesseldahl? In response to The SANS Institute claim that Apple's security
rep was now in tatters, he wrote on May 4:

    Tatters? Well, let's look at the record. As you may remember from a few
months ago, there were indeed not one but two Mac security teapot tempests.
Astute readers of this column and its accompanying blog will remember that
in March, there was the "hacked Mac Mini" contest (see BW Online, 3/08/06,
"Apple Finding the Root of the Problem"). Entrants were challenged to find a
way to upgrade limited-access privileges to those of someone with so-called
root status, a position that would let them wreak pretty much untrammeled
havoc on a computer. Someone pulled it off. Though the contest proved
little, the misguided press still went a little nuts.

That observation about the "misguided press" points out the reason that
malware vendors beat their drums so loudly and so often: the trade press
blindly accepts whatever the security firms utter as being the gospel. I
know, I know. Mea culpa, too.

Hesseldahl went on to write about an AP story which seems to have been the
precipitating factor in The SANS Institute's decision to push its "Apple
fatally flawed" rhetoric. He said: "The story coincided with the disclosure
that six newly discovered so-called zero-day bugs targeting Mac OS X were
found by Tom Ferris, a security researcher who publishes a blog concerning
vulnerabilities he has found. Zero-days are exploits or vulnerabilities that
cause damage in the wild before being disclosed to the vendors of the
targeted software. While they were directed at the Mac operating system,
there's no evidence these vulnerabilities have actually done any damage."

From Russia with malice

Kaspersky Lab, a Russian Internet security company which operates around the
globe, including here in the USA, has been spreading FUD about malware
targeting Linux for years. I've cited this example from 2001 before, but
here it is again, and it still appears on their Web site. Hey, maybe the
SANS Institute used it as a template for their anti-Apple effort. I quote:

    Predictions regarding a world epidemic of Linux-viruses have come true
in the first quarter of 2001. The latest incidents caused by the Ramen
Internet-worm and its numerous modifications, as well as the multi-platform
virus Pelf (Lindose) and other Linux-targeted malicious code, have proved
that this operating system, (previously considered as the most protected
software), has fallen victim to computer viruses.

After finding that page on the Web, and after watching Torvalds patch the
Linux kernel so that some very old code that Kaspersky Lab was trying to
pass off as a "new cross-platform virus" would run on the latest versions of
the Linux kernel, I decided to keep an eye on other claims Kaspersky Lab was
making about malware on Linux.

[Figure 1: Alleged Linux viruses - 2005]

Checking their Web site, I found a new report entitled 2005: *nix Malware
Evolution and decided to take a look. A graph (see Figure 1) purporting to
illustrate a dramatic increase in all types of malware for Linux between
2004 and 2005 showed an incredible -- literally -- jump from 4 to 91 Linux
viruses.

I found that intriguing because I've been using Linux exclusively on the
desktop since 1999, and reading and writing about it for longer than that,
and I was completely unaware of _any_ Linux viruses beyond a few lame "proof
of concept" samples, similar to the one previously mentioned that caused
Torvalds to patch the kernel so that it could run correctly on the most
recent versions of the kernel, which don't really do anything remarkable
other than demonstrate the ability to run on both Windows and Linux. Yet
Kaspersky was claiming that 87 new Linux viruses were discovered last year.

I asked Kaspersky Lab if they had any documentation to back up that claim.
Jennifer Jewett, a public relations person representing Kaspersky, told me
"the documentation citing the viruses is included in the Encyclopedia on
Kaspersky's Viruslist site:
http://www.viruslist.com/en/viruses/encyclopedia."

I searched the encyclopedia for Linux viruses and came up with an astounding
972 hits. But just the barest hint of an analysis of those hits reveals that
the number would break an industrial-strength bogusity-meter. A few
low-lights of my analysis:

    * The first 256 items are completely undocumented.
    * Only 21 -- less than 3% -- are described at all.
    * Of the 21 that are described, 2 are duplicates.
    * One of the 21 is a Windows virus, not Linux.
    * Almost all of the 21 are programs modifying files in accordance with
standard *nix permissions.

I went back to Kaspersky and told them my results. Jewett then put me in
touch with Kaspersky's Senior Technical Consultant, Shane Coursen. I
repeated my request to Coursen for documentation on the 91 claimed viruses.
He told me he would have to check with the report's author, Konstantin
Sapronov, in Russia. A few days later I received a list containing the 91
alleged Linux viruses. The list contained nothing but the names, no
documentation.

I checked the first one on the list. Naturally, there was no information
about it in the Kaspersky encyclopedia, but it did suggest searching for it
under other names from other vendors, so I did. That led me to this page on
the McAfee site, where I learned that it had been discovered in 2003. Since
McAfee didn't provide any further information on the virus, I kept looking.
That's how I came across the Virus Pool Project. One thing there really
caught my eye.

The site's reason for being is explained like this: "I always found virus
names rather confusing. Mainly because there are so many of them for one and
the same virus. By indexing them and making it possible to search them I
hope people will be able to help others."

Perhaps confusion is why, of the 972 hits found in Kaspersky's encyclopedia,
only 21 are documented. Out of curiosity, I decided to check the list of 91
names against the list of the 21 documented viruses in the encyclopedia.

I found a total of 10 matches from the list of 91. Remember, Kaspersky
claims 87 of the viruses were found in 2005. Of the 10 that matched, two
were found in 2000, four were discovered in 2001, three in 2002, and one in
2003. None of the 87 alleged new Linux viruses are documented or substantiated
by Kaspersky in any way whatsoever.

Coursen responded via email to my initial analysis of the list by saying:

    1st) Other vendors' names are going to be different than Kaspersky names
in most cases. The industry does its best to coordinate names, but as you
can imagine, with the speed at which new viruses appear, it is a very
difficult thing for us to accomplish in all cases. And unfortunately, even
if you can find the same name between two different vendors it does not mean
the description is discussing the same variant; sometimes the description
doesn't even discuss a virus from the same family!

    2nd) When McAfee adds a description on their site, it doesn't always
match the date they added actual detection. As for Kaspersky, McAfee and
others, descriptions usually appear well-after detection is added, if at
all. (Which is why Kaspersky adds both dates to its descriptions -- when
the detection is added and when the description is published.)

    3rd) In the case you mention above, where McAfee added detection for
something that looks to be the same virus back in 2003 -- well, that's a bit
of an odd one, but very explainable: If #2 reason above doesn't explain it,
then we can try this....(since it is more likely the case)

    AV companies may add a record to detect a virus, but then receive a new
variant of the same family some time later. In such a case it may be
necessary to modify the existing detection signature. So, what you end up
with is a signature that was added some time ago (could be years, even), but
that was modified just recently. It is my guess that recently-updated
signatures would probably show up in Konstantin's stats.

After this story was submitted, and the week following another black-eye for
Microsoft security in the form of malevolent macros in MS Word, Kaspersky
Lab issued another headline-grabbing but bogus alert for a proof-of-concept
of the same type of attack on MS Word's largest competitor, OpenOffice.org.
Was the timing once more just a coincidence? I don't think so.

But all I am sure of is this: Kaspersky Lab is making claims about malware
and Linux which they cannot substantiate. Period. They did it in 2001 and
they are doing it again now. They were asked for documentation on the
alleged viruses and they delivered nothing at all. Another thing I am sure
of is that they aren't the only ones doing it, and Linux is not the only
victim of their crimes.

Why they do it

The answer, of course, is money. Security firms look on more secure
alternatives to Windows as a threat to their bottom line. It is in their
best interest to slow down the migration of users from Windows to any
alternative platform, simply because any alternative platform is going to do a
better job of providing security than Microsoft has done, or seems capable
of doing.

If they can't stop the attrition, and the growth of the Apple and Linux
markets is showing that they can't, they can also try to position
themselves to be in the new markets, even if they are not as lucrative for
them as the Windows culture. So by inventing and/or exaggerating threats to
the alternatives, they can slow down their growth and try to establish some
cred in them at the same time.

Conclusion

The Windows economy is a tough arena to play in. You have to keep Mister
Gates happy to survive, and even then, there isn't any guarantee that your
niche in the market won't be gobbled up by the next release of Windows. Of
course, sometimes the little fish try to bite back. That is what Symantec is
trying to do now to prevent Vista swallowing them whole.

It may be that if you do business with Microsoft on a regular basis, you get
used to working in an ethics-free environment, and you begin to practice the
same black business arts as the master. Whatever the cause, what I see
happening in the malware business today reflects Microsoft's own ethics-free
practices. I'm not convinced there is an honest firm in the whole mess. So
in my humble opinion, the answer to the question, "can the malware industry
be trusted?" is a resounding "No!" What do you think?

Links

   1. "the news" - http://www.consortiuminfo.org/standardsblog/article.php?story=20060523181724678
   2. "he was fired" - http://www.computerworld.com/securitytopics/security/story/0,10801,85563,00.html
   3. "annual summary of misinformation" - http://trends.newsforge.com/article.pl?sid=06/01/05/1627242&tid=138
   4. "dozens of Linux distributions" - http://distrowatch.com/
   5. "US-Cert" - http://www.us-cert.gov/aboutus.html
   6. "Top 20" - http://www.sans.org/top20/2005/spring_2006_update.php
   7. "new advertising campaign" - http://www.macnewsworld.com/story/U12S5MXqOtPNPP/Mac-Ads-Depict-Windows-PCs-as-Uncool-Unsafe.xhtml
   8. "SANS teleconference event" - http://software.newsforge.com/article.pl?sid=06/05/01/186200&tid=78
   9. "reported" - http://www.macobserver.com/article/2006/05/09.5.shtml
  10. "defense of Apple" - http://www.businessweek.com/technology/content/may2006/tc20060504_303032.htm?campaign_id=search
  11. "Apple Finding the Root of the Problem" - http://www.businessweek.com/technology/content/mar2006/tc20060308_032391.htm
  12. "this example" - http://www.kaspersky.com/news?id=175
  13. "Torvalds patch the Linux kernel" - http://software.newsforge.com/article.pl?sid=06/04/18/1941251&tid=78
  14. "list containing the 91 alleged Linux viruses" - http://www.newsforge.com/blob.pl?id=003cafa35827b90891ad982d7fcf919d
  15. "this page" - http://vil.nai.com/vil/content/v_119885.htm
  16. "Virus Pool Project" - http://www.viruspool.net/
  17. "explained" - http://www.viruspool.net/faq.cms#q3
  18. "malevolent macros in MS Word" - http://www.eweek.com/article2/0,1895,1965042,00.asp
  19. "bogus alert" - http://software.newsforge.com/article.pl?sid=06/06/02/2136202&tid=78
  20. "trying to do now" - http://news.com.com/2061-11203_3-6077459.html

© Copyright 2006 - NewsForge, All Rights Reserved
