August 5th, 2011, 02:51 PM
LowWaterMark
Administrator
Join Date: Aug 2002
Location: New England
Posts: 15,525

Re: Should we do a security competition using live malware samples?

I've been giving serious consideration to what is proposed in this thread since shortly after the thread was started. The staff has also discussed it some in private. Unfortunately, what I have to say is not going to be what most of you want to hear. I just don't see any way that this can go forward here, as proposed. I know many of you won't understand, so I'll try to explain my reasoning.

It's easy for those of you who are not potentially in the hot seat to complain that we have "silly rules" about requests for malware sharing or regarding the posting of home-grown "malware testing" threads. You aren't likely to be concerned with the rules we must abide by.

One, but not the only key rule we are bound to, prevents us from endorsing or even allowing malware trading to occur here on the forum. It is based on the following principle.

Malware must not be shared with people outside the professional industry with which we are associated, i.e. the anti-virus/anti-malware industry. Paul Wilders worked in the industry for years, and long ago subscribed to this ethic. Therefore, we have our rule against the sharing of malware.

Here's a test you can do in order to see if we're alone in taking this position. Go to any one of the industry insiders who are members here (those with the color coded, expert and specialist titles), and see if they'll send you malware samples. I'm talking about those guys from the major AV or AM companies. Try to get the guys from Avira, BitDefender, Panda, Avast, Symantec, or the AM guys from MBAM, SAS, and TH, not to mention Eset, Prevx and Returnil, to send you a sample of live malware because you want to test with it. It's extremely doubtful you'd get anything but a polite "Sorry, but I can't" reply. Heck, it might even mean their jobs if they got caught sending malware samples out to unknown persons.

That same ethic is applied to us and that's the position we must take when dealing with this type of issue on the forum. Not to mention the legality question. One issue is with web hosting contracts. Almost all professional hosting companies, certainly in the US, Canada, AU, most of the EU, and many others, have TOS and AUP on all their hosting agreements that disallow hosting or propagating malware, warez and other questionable objects. Our hosting company also has such a policy.

Sure, there are people running forums that allow malware trading, live links to malware in public posts, and maybe even host malware and warez downloads on their servers. But it is highly likely that they are doing it in violation of their hosting agreements, and simply haven't gotten caught. (There was one case a while back that some of you will recall, where a website was supposedly hosting warez and/or had large lists of warez-based links in public posts, and an AM company reported them to their hosting company, which got them taken offline. I believe they ended up moving to some other hosting company, perhaps in another country, that didn't care whether such content was hosted. Now, maybe they no longer have such content, or maybe it was all questionable and in doubt at the time, but that's not the point here. They were thought to be in violation of their contracted hosting and were terminated because of it. These are real rules and they "have teeth.")

So, while our rules may seem silly to some of you, and you may think, "Hey, everyone else allows this. Why doesn't Wilders Security?", it's because we try to follow the rules, whether or not it's likely we'd ever "get caught" for not doing so. Do we miss some requests like this, though? Of course we do.

We try to remove all requests for malware samples, but we don't catch them all. Sure, in some ongoing thread, a member makes a post like, "Hey, can you send me that link (or sample), and I'll check it for you?" And, guess what, we missed it. Later, when the thread has moved on, it seems pointless to remove it so long after the fact. But we do the best we can. And when we catch a fresh one, we do remove it. If you don't think we do, just ask the many members here who've gotten royally ticked off at us because their request for a PM sample got deleted. One particular member had this happen to him in just the last 24 hours. He was not happy, to say the least.

Regarding this particular thread: do you believe that I don't think there is some merit in the concept being proposed here? Like many of you, I think this could be useful, provided the points Sully made above were the focus - not a "competition for bragging rights" but a helpful "what worked and what didn't" type thread where people learn from the "didn't work" and figure out how to "make it work." The problem is that this involves not just some missed malware request posting, but a deliberate and scheduled malware sharing effort. At some particular point in time, some member who has found some malware is going to either post something or PM all those involved with the link(s) to be used. This very aspect of it means that it'd have to be specifically allowed by forum mgmt, since it involves so big a coordination effort. And that is a clear violation of the rules I mentioned above. It's simply not possible for me to allow that given what I must abide by operating this forum.

So, what am I supposed to do? Pretend it's not happening and be shocked after the fact? I'm sorry, I can't work that way. If this thread's concept moves forward to actual action, clearly that point is eventually coming. I know it. You know it. So it simply cannot be done - well, at least not using malware samples.

The only workable alternative I can see, which can be done but may make the testing less dramatic or exciting for people, would be to use some legal software product as the sample: a commercial keylogger, a testing simulator, or one of those suite testing toolkits some AM companies publish to show the effectiveness of HIPS, firewalls and so forth. That would not break the rules involved here. Of course, as I said, maybe that makes it less exciting for those participating, weakening the purpose and making it not worth doing. Only you folks can decide if you'd want to participate in something like that, instead of live malware testing.