nettime's_roving_reporter on Fri, 19 Nov 1999 23:09:35 +0100 (CET)



<nettime> How the A/V Industry Works


<http://www.hackernews.com/orig/avindustry.html>

[A/V = antivirus]

                         How the A/V Industry Works
                                      
By: Renderman,
www.Hackcanada.com
RenderMan@Hackcanada.com

What do I remember most about DEFCON 7? The mosh pit of anti-virus
employees at the release of BO2K. Several dozen A/V people from
different companies, risking life, limb and large insurance
deductibles to get their company the first samples of BO2K, was one of
the funniest things I remember. At the time it made sense to risk
injury to get a copy: the media would reward the first company with a
BO2K detection signature with immense amounts of free advertising.
After all, this was the latest and greatest Trojan/backdoor, right?
Well, after seeing Dildog's presentation and the open challenge that
followed it, for M$ to recall SMS server, the general description of
BO2K changed. After first trying BO2K on an isolated test machine to
make sure I didn't screw myself, I now use it as my primary method of
remote administration on a multiple-system 9X/NT network, because it
is just a damn good program. My opinion now: the anti-virus industry
people didn't need to be there. This was a well-designed remote
control product that happened to be written by hackers, and as with
any tool, in the wrong hands it can be dangerous.

In the months following DEFCON, products such as Softeyes
(http://www.softeyes.com) and Investigator from Winwhatwhere
(http://www.winwhatwhere.com/), along with other products designed to
do much of what the A/V industry says makes a program malicious, have
not been scanned for. When a product can advertise "watches and records
everything about every window that gains the focus. It records every
keystroke, program name, window title, URL, User and Workstation and
the optional 'Silent Install' feature will run the installation
silently and invisibly" and not be scanned for, it raises the question:
how do you decide? You may also recall the problems the folks over at
NetBus had when they went commercial and started charging for their
product. They had a hard time shedding the image of a hacking tool.
This really rattled a lot of people's cages, because the logic used by
those who say certain programs are malicious does not hold up once you
add these new programs to the mix. Just looking at C|net's Technology
Terrors guide, you can see how many products that aren't on any A/V
list are as dangerous as BO2K, if not more so.

This whole thing boils down to one question: by what criteria do A/V
companies decide that a piece of code is worth scanning for?

Well, rather than rant on like others might, I went to the source. I
looked on A/V sites for a policy statement or a set of internal
guidelines. Nothing was found. So I sent a mail, like any other
customer, to the customer support department (and, if it existed, the
A/V research department as well) of the major A/V companies: Symantec,
NAI, AVP, Computer Associates and Panda Software. Others could also
qualify, but these are the ones you find most often on store shelves.
To all the companies I sent the same letter:

  Dear Sir/Madam,
  
  With recent events in the virus industry, it has become apparent to
  myself and many others that there seems to be a definite bias when
  it comes to how companies like yours determine what should and
  should not be scanned for.
  
  By what policy do you decide what should be scanned for and
  eliminated and what is 'legitimate'? After an examination of your
  web site, no policy statement could be found. Can you clarify what
  criteria make a product malicious or legitimate?
  
  Thanks
  
  RenderMan
  www.Hackcanada.com
  
As you can see, the letter states my conundrum and the clarification I
need, and I don't try to hide who I am mailing as. I waited a couple of
weeks for the responses to accumulate and re-sent those that had not
been answered. In over two weeks I received only three responses.

First was a very quick response from Symantec customer support, from a
gentleman who, I think, was having a really bad day and was not happy
to see me. Here is his message with my comments inserted:

  I can assure you that Symantec has absolutely no bias towards any
  legitimate software developers. [*What makes a software developer
  legitimate? Is there a license I'm not aware of? I thought anyone
  could code.*] Arguments by some hackers that certain hacker tools
  are actually legitimate commercial software are themselves
  extremely biased to the point of not making any sense. [*I agree we
  are biased to a point, just as you are, but what makes something a
  hacker tool or a mis-used administration tool?*] A good recent news
  story about this subject is available for reading at this web page,
  http://www.msnbc.com/news/287542.asp. Both Symantec management and
  management at other Anti-Virus developers are quoted in this
  article about this subject. We really would not have anything
  further to add to these comments on this subject. [*The article does
  not really answer what I was asking.*]
  
  Best regards,
  (name omitted)
  
Since he had not answered my original question, I responded, because I
thought they still had something to add. This time I asked exactly how
they decide what should and should not be detected, and gave an
example:

  Interesting article you reference, but it still does not answer my
  question.
  
  What is your company's policy on determining what should and should
  not be detected in your Anti-Virus scans?
  
  What is defined by your company as a legitimate software developer?
  Are independent developers not in the same boat as large companies
  such as yourselves?
  
  What is preventing Back Orifice 2000 from being a legitimate tool?
  In the article you specified it says "anyone with the other half of
  the Back Orifice software (the administration tool) can control the
  victim's PC from anywhere on the Internet". Can the same not be said
  for your product pcAnywhere?
  
  I really appreciate you trying to clear this question up for me.
  
  RenderMan
  www.Hackcanada.com
  
The bit about pcAnywhere was meant to get my point across that the
difference between good and evil code is blurred. I myself have taken
over the computers of friends (with permission) who use pcAnywhere
without passwords, and the effect is just the same as using BO2K.

His response was less than pleasant, but interesting. Again, here is a
transcription with my comments:

  I'm afraid that this is not at all a legitimate question that you
  ask here. [*I'm a customer; I want to know so I can know whether
  your product will protect me from anything that can be bad.*]
  
  You know, you aren't even giving me the common courtesy of
  identifying yourself. [*Ummm, I signed my name at the bottom; that
  usually is all people do. The support center never stated anything
  about needing my full information in order to receive customer
  support.*]
  
  Symantec operates our discussion groups as a support resource for
  our customers to use to get help from us. They are not meant for
  engaging in debates like this. [*Whoa, hold on, I really am a
  customer of Norton A/V, and I'm asking a question: how do you
  decide what to scan for? This is a customer inquiry.*]
  
  pcAnywhere is not designed to install silently and secretly in the
  background on a system. It was also not announced at a hackers'
  convention. [*So if it announces its presence but formats your drive
  without asking, it's OK? Since when does the location of the
  announcement mean anything about the product itself?*]
  
  (name omitted)
  
After that, I let him get back to blowing off other customers'
questions.

MS announced DirectX 2 at a conference themed on ancient Rome. Does
this mean DirectX is a technology for guys in robes and olive
branches? I think not. Fortunately this response from Symantec was
not indicative of all the responses I received.

NAI customer support responded quickly as well, this time with a
distinctly different tone.

  If a program reproduces itself, we call it a virus. If it does
  something that the user does not expect, we call it a trojan. If it
  is harmless and funny, we call it a joke. [*Not a bad, though short,
  summary.*]
  
  There are other categories that could be considered, such as Hack
  tools, BackDoors, worms and Password Stealers. [*Now it gets weird.
  Does L0phtCrack count as a password stealer, or a hack tool, or as
  just another damn good program?*]
  
NAI wasn't clear, but I was getting closer.

NAI also sent the third and final response, which really got me
thinking.

  Thanks for your question. The criteria, although not obvious, are
  simple among researchers. The detections are mainly customer-driven;
  that is, if a client requests detection of a particular problem then
  it is taken into account. Many of the detections received come from
  shared collections, collections that are shared among A/V vendors.
  Some of the detections are from samples received from customers and
  others are from sites referred to us from customers who feel there
  is a valid threat.
  
  Regards,
  
  (name omitted)
  Sr Virus Support Analyst
  AVERT - a division of nai
  //* We eat viruses for breakfast, lock and load *//
  
Ding, ding, ding, we have a winner. The last line: "others are from
sites referred to us from customers who feel there is a valid threat."
So the A/V industry uses a shared collection and submissions from
customers. I'm a customer, and I want Investigator, softspy,
pcAnywhere and SMS scanned for. I submit to you samples of each to add
to your databases. There is no way to get BO2K off the lists; the
media just won't have it. But by using the normal submission procedure
for suspicious files, it may be possible to add other programs with
similar features to the database and make the A/V industry rethink
itself.
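The mechanism the NAI analyst describes, a database of byte signatures
that grows by submission, can be shown in a few dozen lines. The Python
below is an added example, not code from the article or from any A/V
vendor. It uses a simplified hex signature syntax with "??" as a
one-byte wildcard (modelled on the later ClamAV format, which the page
does not mention), and the three sample "files" and their bytes are
constructed here for illustration; they are not real BO2K, Investigator
or Notepad binaries. It runs the samples through the signature database
before and after a "customer submission", and beside that through a
capability-based check that looks only at what a program advertises it
can do.

```python
"""Toy byte-signature scanner (added example, not from the article).

Everything below is constructed: the sample bytes, the signatures and
the capability markers. It shows that a signature scanner's verdict
comes from its database, and the database comes from submissions.
"""
import re
from typing import Dict, List


def compile_signature(hexsig: str) -> "re.Pattern[bytes]":
    """Turn a hex signature such as "de ad ?? be ef" into a regex over
    raw bytes. "??" is a one-byte wildcard (ClamAV-style syntax)."""
    parts = []
    for tok in hexsig.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def signature_from_sample(data: bytes, offset: int, length: int) -> str:
    """What a lab does with a submitted sample: take a stretch of bytes
    unlikely to occur in other programs and turn it into a signature."""
    return " ".join(f"{b:02x}" for b in data[offset:offset + length])


class SignatureDB:
    """Minimal signature database: verdicts come only from what was added."""

    def __init__(self) -> None:
        self._sigs: Dict[str, "re.Pattern[bytes]"] = {}

    def add(self, name: str, hexsig: str) -> None:
        self._sigs[name] = compile_signature(hexsig)

    def scan(self, data: bytes) -> List[str]:
        return sorted(n for n, pat in self._sigs.items() if pat.search(data))


def capability_verdict(data: bytes) -> List[str]:
    """A behaviour-style criterion instead: flag on advertised capabilities,
    regardless of who wrote the program or where it was announced."""
    markers = [b"keystroke log", b"silent install", b"remote control"]
    return [m.decode() for m in markers if m in data]


# Constructed sample "files" (hypothetical; not real program bytes).
# The first two advertise identical capabilities; only code bytes differ.
_CAPS = b"\x00keystroke log|silent install|remote control\x00"
SAMPLE_BO2K_LIKE = b"MZ" + b"\x90" * 6 + b"\xde\xad\x01\xbe\xef" + _CAPS
SAMPLE_INVESTIGATOR_LIKE = b"MZ" + b"\x90" * 6 + b"\xca\xfe\x07\xba\xbe" + _CAPS
SAMPLE_NOTEPAD_LIKE = b"MZ" + b"\x90" * 6 + b"\x11\x22\x33\x44\x55" + b"\x00open file\x00"


def demo() -> Dict[str, Dict[str, List[str]]]:
    samples = {
        "bo2k_like": SAMPLE_BO2K_LIKE,
        "investigator_like": SAMPLE_INVESTIGATOR_LIKE,
        "notepad_like": SAMPLE_NOTEPAD_LIKE,
    }
    db = SignatureDB()
    # Day one: the only sample the vendors hold is the one from the convention.
    db.add("BO2K-like", "de ad ?? be ef")  # "??" absorbs a version byte
    before = {n: db.scan(d) for n, d in samples.items()}

    # A customer submits the commercial keylogger through the normal channel;
    # the lab cuts a signature from it exactly as it did for the first sample.
    db.add("Investigator-like", signature_from_sample(SAMPLE_INVESTIGATOR_LIKE, 8, 5))
    after = {n: db.scan(d) for n, d in samples.items()}

    # The capability check gives the same answer for both keyloggers all along.
    by_capability = {n: capability_verdict(d) for n, d in samples.items()}
    return {"before": before, "after": after, "by_capability": by_capability}


if __name__ == "__main__":
    for stage, verdicts in demo().items():
        print(stage, verdicts)
```

Before the submission only the sample with a signature on file is
flagged, although the capability check already treats the two
keyloggers identically; after the submission both are flagged, with no
change to the files themselves. That is the whole of the "policy" the
analyst describes, and it is why a submission campaign can move the
list.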

I encourage everyone who has legitimate access to any program that can
be used maliciously to submit it to the A/V industry through their
virus submission e-mail addresses: a hacker's version of a letter
writing campaign. One person submitting these programs will be labeled
a crackpot; many, on the other hand, will have an effect.

I for one want a level playing field. If there is a program on my
system that can record my keystrokes, passwords, bank account numbers
and ship it off anywhere without telling me, I want to know about it.

If a person wanted to use a trojan for nefarious purposes, they need
only be a little creative. Just spend the $100 or so on Investigator
or a similar program, use something like Silk Rope to wrap the
executable with some benign little program, and deploy at will. This
is a common tactic used to deploy trojans, but with this method not a
word will be uttered by any A/V product, and the attacker can go on
his merry way unfettered. So unless the A/V industry changes its
position on what makes a piece of code malicious, smart trojan users
will fly on by using 'legitimate' products. But why should they scan
for those products? After all, they weren't released at a hacker
convention :-)

RenderMan
www.Hackcanada.com
RenderMan@Hackcanada.com

These pages are Copyright © 1999 Hacker News Network All Rights
Reserved. 

#  distributed via <nettime>: no commercial use without permission
#  <nettime> is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: majordomo@bbs.thing.net and "info nettime-l" in the msg body
#  archive: http://www.nettime.org contact: nettime@bbs.thing.net