Oldest AV myth/question answered

Discussion in 'other anti-virus software' started by Inspector Clouseau, Sep 29, 2009.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Or maybe by the dark side you mean McAfee. :argh:
     
  2. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    trjam

    Hi, there are millions of $ being made by the bad guys, oh and girls too!

    All those constantly changing rogue AVs, for one. Plus all the banking/credit card phishing scams etc. Not to mention keyloggers, etc. etc.
     
  3. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Oh, I see your point. Hope the money and girls are good, because I don't think there is either in lockup. ;) Well, a type of girl maybe. :doubt:
     
  4. larryb52

    larryb52 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    1,131
    I agree with the Inspector; the wrong thing is being taught here. If anything, show people how to use their respective computers better...
     
  5. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    I have a much better example.

    Eyal Dotan and Eric Detoisien presented their new malware at the Black Hat Europe conference in 2004, under the name "Old win32 Code For A Modern, Super-Stealth Trojan".

    What's more, they also allowed the "ready-to-compile" source code of their trojan (named "Casper") to be distributed through the website of the conference and on the personal website of Eyal's co-author. A version is still available on the website of the conference archives as I write these lines (as per forum policy, I can't paste the link, but everybody can verify via Google).

    The same malware, or an earlier version of it, had previously been described in "Virus Bulletin" in June 2003, under the title "The scalable stealth trojan: an upcoming danger", as well as at a French IT conference (JSSI) and in a magazine (MISC).

    At the time, Eyal Dotan was working for the company that developed the Viguard antivirus. He later developed BufferZone.

    See also:

    https://www.wilderssecurity.com/showpost.php?p=186895&postcount=5
     
  6. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Tweakie, that "super stealth trojan" you mentioned is hopelessly outdated. Have a look at Sinowal, Rustock, Zbot... The malware has evolved a lot.
    And it seems ViGuard did not...
     
  7. cqpreson

    cqpreson Registered Member

    Joined:
    May 18, 2009
    Posts:
    348
    Location:
    China
    I remember he had said that. He said some staff wrote some small viruses and had fun; later some other vendor asked them for cleaning tools.
     
  8. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Last edited: Oct 1, 2009
  9. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    As far as I remember, people were asking Dr.Web for removal tools because the other vendors didn't detect it yet. Dr.Web told them to go to their vendor and get them to create a removal tool.
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Why would people do that when they could have just downloaded CureIt?
     
  11. cqpreson

    cqpreson Registered Member

    Joined:
    May 18, 2009
    Posts:
    348
    Location:
    China
    Yes, it is. But some of the viruses are exploited by Dr.Web. Dr.Web's staff want to know if other vendors can detect and remove the virus, for fun.
     
  12. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    I wondered the same thing.
     
  13. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    I know: it was just to answer the question of IC: "Do AV vendors write their own malware?". And it's from 2003-2004. But it did not trigger any perceptible reaction from the professionals of the AV industry at the time.

    Still, I'd be curious to know if parts of "Casper" have been incorporated into real "in the wild" (or formerly ITW) malware. BTW, would you, as an AV professional, have a way of answering this kind of question by using automated classification tools (e.g. by comparing call graphs a la BinDiff/VxClass, by generic signatures based on invariant "static" parts of the code a la Norman DNA matching, possibly in combination with something like clustering by compression, by comparing sequences of API calls, or by any other means)?

    CPU power still being much cheaper than brain power, I guess quickly associating a new malware with its "ancestors" is an essential task in any modern virus lab...
     
  14. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    Sometimes I wonder why there aren't more reactions from the AV industry when this sort of thing happens. eEye's complicity in the BootRoot fiasco didn't generate much of a response either (and eEye has/had an anti-malware product known as Blink).

    Then again, there's also the time the creator of Rootkit Unhooker created and distributed a rootkit. I gather he later got hired by Microsoft, who we all know has an anti-virus product now.

    Glad to have heard about that Viguard/BufferZone example, BTW. That was a new one for me. One more reason not to use BufferZone, I guess.
     
  15. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    With the condition that he will discontinue all rootkitting/antirootkitting and concentrate on virtualizing technology.
     
  16. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    EP_XOFF recently updated the excellent RkU ARK, so his antirootkitting days aren't over yet :D
     
  17. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    ...and similarly I didn't know about BootRoot. Methinks professional organizations (EICAR, etc.) should maintain a "Hall of Shame" to remind their members about these examples.

    Assuming that's the reason Stefan talked about Sinowal (aka Mebroot), does it also mean that Rustock and Zbot contain code coming from "security research", or were these names mentioned only because Rustock and Sinowal were discovered at the same time?
     
  18. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Wow! I can't believe it. How can you all think, well, some of you, that anti-virus software developers are to blame for this mess? I remember when I was using the first Norton NAV for DOS, then moving up to Windows 3.0 and Windows 3.1, because the first generation of viruses started to form. Most of these forms of virus started with programmers who didn't have anything better to do and just started creating bad scripts and programs to screw up users, 99% on Microsoft systems, because they didn't like Microsoft.

    Today it's not just the virus you have to deal with; you've got so many to fight off. But most of us programmers who tried to come up with ways to block the threat back then never thought it could be the huge business it is today. Norton (Symantec) and McAfee were the major players. Today you've got India, China, Russia, the UK and everyone else with their own type of software to help you fend off the pest before it does damage to your system.

    The idea of these new companies and the prior ones getting together to create the newest threat is hogwash!
     
  19. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    Hall of Shame? Interesting idea. I've considered ways of keeping track of the bad actors I've heard about over the years, and that seems like a great way to do it. Thanks for the idea.
     
  20. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,
    As with many industries, the AV market in general and McAfee in particular are not a land of flowers...

    It is known that McAfee has an offensive training course
    http://www.mcafee.com/us/about/press/corporate/2008/20080219_080000_n.html
    https://mcafee.edu.netexam.com/
    I would recommend the SANS exams instead of the McAfee school http://www.sans.org/security-training/courses.php
    I see no ethical scandal about that; I am convinced that you know nothing about security if you have not practised insecurity
    (insecurity can be the manipulation of malware, pentesting, intrusion and compromise of one of your LAN's computers, etc.).
    And of course, there is no need to be a malware coder to understand them or to be a good attacker (the network and web application domains are, from my point of view, more important).

    There are a few free and paid attack platforms/frameworks, and if Metasploit is popular, Immunity Canvas is known to be more effective http://www.immunitysec.com/products-canvas.shtml
    Unlike Inspector Clouseau, I have no feet in the anti-malware industry, and in this way hope to be more objective...
    So I will add more anti-ethical practices done by the AV industry.

    - "Incestuous relationships" between some AV editors and some AV test companies
    Except for a very few ones, AV testing has been a heresy for any independent expert, and a marketing vector for some companies in order to sell more and more licenses.

    - "Incestuous relationships" between US security agencies and US-based AV companies.
    Fully demonstrated for Norton with the Magic Lantern, and not transparent for McAfee and some other editors
    http://news.cnet.com/2100-7348-6197020.html?tag=tb
    http://www.schneier.com/blog/archives/2007/07/detecting_polic.html
    http://www.zdnet.com.au/insight/sec...-the-government-/0,139023764,339280166,00.htm
    http://yro.slashdot.org/article.pl?sid=07/07/17/199223

    - "Incestuous relationships" between some AV editors and some malware coders
    Here is an old French article that pointed out a famous Russian and a French editor (use Google Translate)
    http://www.acbm.com/olivier-aichelbaum/fcsv.html

    - An AV is not ABSOLUTELY necessary for a high level of security.
    The heart of AV marketing is to convince you that their product is needed for your computer life security.

    The info from Tweakie is interesting, but as pointed out by Stephan K., this trojan is quite outdated.
    I have used it in the past as a test file for my HIPS methodology http://security.over-blog.com/article-3074511.html
    There is much more interesting and advanced stuff in the French Defcon and BH sessions!

    And for fun, I guess that McAfee has the ability to take its revenge by acquiring Sunbelt one day... if it is not itself already acquired by MST...

    Rgds
     
  21. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    Argh. The perfect example of trash journalism.

    This "relationship" was actually suggested by Danielle Kaminsky, the aunt of Eyal Dotan, who used to work for/with Dodata/Tegam, the editor of Viguard.

    She wrote a report about the "relationships between malware writers and antivirus companies" that she sent to a French association working on IT-security related matters (CLUSIF). It was later discovered that the PDF file of this report had actually been created by... Marc Dotan himself, the CEO of Tegam!

    Then, while there was a trial involving Guillaume Tena (known as Guillermito) and Tegam, she managed to involve Olivier Aichelbaum in that story, pretending to betray one of her former sources.

    (Sorry: all links point to pages in French.)

    Note also that there has been one trial involving Tegam vs. Roland G. (one of the guys cited by Olivier Aichelbaum in his Kaspersky<->malware writers article), because Tegam's CEO sent a letter to the direction of the French national research organization accusing him of working for Kaspersky and with "terrorists known to the FBI and French government agencies". Tegam lost and had to pay 2200€ to Roland Garcia.

    Olivier Aichelbaum also filed a complaint against Roland Garcia (libel action). This complaint was rejected by French justice.

    All these elements tend to prove that this "incestuous relationship" you are talking about was just a vast marketing campaign from Tegam. Given the situation of Tegam today (bankruptcy), I would say it did not work...

    It all depends on who is between the chair and the keyboard, and how much time and effort he's willing to spend on his computer's security. And for most, it is necessary. As a matter of fact, I consider myself "computer literate", I tend to keep all my software up to date, to practise "safe hex" as much as possible, I can use IDA, OllyDbg, Sysinternals' stuff, etc. (to some extent) whenever necessary, I know probably more than 99% of computer users about viruses, trojan horses, the Windows API and programming, but I use Windows most of the time and I still feel the need for an antivirus. BTW, I do use one, right now.

    Of course it is! It was published in 2003! But that's not the point. The question was about antivirus editors that distribute malware (or worse, in that particular case, malware source code): what does it say regarding the AV professionals that have such practices...
     
  22. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    I disagree. Most normal users don't have the knowledge (and they don't want to take classes on how to defend their own PC with IDA Pro and/or a kernel mode remote debugger).

    We don't have to go that way again to argue that AV is 100 percent protection. It's not. And never will be. However... if normal users would just drop their antivirus program TODAY, I make a bet with you that I won't see you here tomorrow. Not because your machine or mine would be infected, but because we probably couldn't reach this forum due to ridiculously increased general internet traffic produced by millions of infected zombie machines that spam the computers that are already spamming others...
     
  23. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    If they were to drop their AVs overnight they would really learn something about security. You can really learn from your mistakes. And you don't need a 'kernel mode debugger'. Understanding the attack vectors/'threat gates' is much more important than using an AV.

    Without an AV, they would need to figure out how to stay secure.
    Many, if not most people, just rely on their AV which gives them a false sense of security.

    Besides, the people on this forum know how to stay secure without an AV, even if they use one. :argh:
     
    Last edited: Oct 9, 2009
  24. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    So tell me then, what is worse: having AV protection, even given the fact it's not 100 percent secure, or having amateurs thinking their system is secured just because they had a 20 min crash course read on some random website on how to secure their system? And let's keep it realistic. People do download stuff. So how will they make sure the downloaded file is, let's say, not Virut-infected, and run it? You simply can't without dragging this file into a disassembler or having to deal with the consequences of infection later.

    I repeat it AGAIN: The average computer user is NOT WILLING TO SPEND A HUGE AMOUNT OF TIME TO LEARN. If they were, we wouldn't have the problem of malware at all. History proves user education doesn't work quite as well as expected. And having said that, that's also the reason why users rather go with AV than with HIPS or whatever, where THEY (the user) have to make decisions.
     
  25. risl

    risl Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    581
    Or not willing to spend much effort only to make normal computer use fluent, like me.

    I have evaluated my probabilities of getting infected, and just simply don't see HIPS being worth it with all the configuring and maintaining. I could spend a lot of time giving permissions to legitimate actions, configuring rules, complicating my use of the computer and preparing for something that probably never happens.

    Having AV only is not just a "newbie solution." I don't need max protection to stay clean, and the AV is trouble-free and effortless.
     