Anti-virus industry: white knight or black hat?

Who protects the protected from the protector?


Opinion: One has to wonder whether the anti-virus industry sleeps well at night. On one hand, it purports to serve the world by defending our computers and networks from any number of electronic critters and malicious code. On the other hand, sometimes its "cure" is worse than the problem its products allegedly treat. Add to that the decades-old concerns over business, market share and publicity, and you have all the ingredients for industry, product and service confusion. This situation regularly benefits the anti-virus software industry at the expense of its customers.

Let's start with malicious code outbreaks in general. Unlike hurricanes and tsunamis, there is no standard way of naming malicious code. Gone are the days when simple names like "Jerusalem", "Michelangelo" and "Stoned" were accepted and used by all anti-virus vendors. So, we might have the same threat labelled "Worm_Mimail.R", "W32.Novarg", "MyDoom.A@m" or "W32/MyDoom" by competing companies. What we need is a return to industry-wide nomenclature for malicious code, used by all vendors and facilitating the reporting, analysis and resolution of such outbreaks.

Marketing and mindshare

Then there's the matter of marketing and mindshare. First and foremost, anti-virus vendors are in business to make money. Naturally, it behooves them to seek as much free publicity as they can. Thus, with each new outbreak we see vendors stumbling all over themselves to be the first to detect and defend against the latest malicious code - a likely explanation as to why there's no longer a standard nomenclature. From press releases to media interviews, anti-virus industry executives race to establish their companies and products as the most vigilant and capable on the market.

This frenetic activity is often eyebrow-raising when backed by questionable, if not fabricated, statistics and predicted damage assessments, invariably accompanied by a company pitch espousing the cost-effective security that only their products provide.

As a result of such marketing strategies - combined with customer ignorance and easily-exploitable OSes and servers - it's rare to find a wired organization without anti-virus software protection. These sensors are on constant prowl for the latest malicious code attack and are intended to defend their host network from future outbreaks based on existing attack signatures. In other words, these products only defend what they know how to defend; and if a network administrator doesn't keep his anti-virus software current (sometimes on a daily basis), it's quite easy for the "next best" attack to create havoc. Then the game begins afresh. Costs mount for customers and profits rise for anti-virus software vendors, much to their satisfaction.

You've got mail

In the case of e-mail-borne outbreaks, when these sensors detect a piece of malicious code, they generate an error message back to whomever the server *thinks* sent the message. This obviously ignores the fact that the majority of such alleged users had absolutely nothing to do with the outbreak or that their e-mail address was harvested (or spoofed) from someone else's inbox. Accordingly, thousands of Internet users receive automatically-generated virus alert messages blaming them for something they likely didn't do - a situation made worse when receiving different alerts from different products that use a different name for the same attack.

Not only is there no standard nomenclature for "virus detected" messages from anti-virus servers, but such messages themselves often function as surrogate attack mechanisms. Sometimes the message is a clear warning in plain text; other times it is full of cryptic jargon. Incredibly, some products even return a warning message with the malicious code still attached, meaning a greater chance of propagating the very outbreak it is trying to mitigate. Security consultant Brian Martin provides a fantastic discussion of this issue at Attrition.Org.

Handling the sheer volume of such server-generated "virus detected" messages can be a daunting task. Early in the recent Novarg incident, I received 319 such messages during a twenty-four hour period, including many that were still infected with the worm. Now imagine a user on a pokey dial-up line, or a CIO supporting an enterprise with thousands of users on high-speed networks and with systems that never sleep. Of course, users may be tempted to filter all server error messages, but that's not a reliable solution because doing so would also block legitimate mail server error messages. Ergo, we're stuck with a large number of diverse-yet-related server error messages that clog bandwidth and require a dedicated amount of time to develop and test custom filters that allow other, legitimate error messages to pass.

Denial of service

How many such virus-detected messages must be received before a malicious code event becomes a denial of service attack? How about when anti-virus software sends a virus detected message containing the detected malicious code, and spreads the outbreak, to a third party? At which point does the anti-virus software become more of a problem for the Internet than the original outbreak? Should anti-virus servers also exhibit responsibility to the Internet community at large by not propagating detected malicious code elsewhere? Even if we're not directly attacked, the collateral damage from a malicious code outbreak costs us time and money to remedy. Anti-virus vendors take note.

If anti-virus products were built with customers in mind, all would generate a similar message that could be filtered by customer system administrators to help reduce the amount of "noise" and collateral damage experienced during a malicious code outbreak. Martin discusses fifteen different "virus detected" messages that he encountered during the Novarg incident. Had there been a standard message, users and system administrators would have had a far easier time addressing the outbreak itself instead of also dealing with a sizeable volume of hard-to-filter e-mail detritus. If anyone wants to help draft an RFC on this, please contact me: we can help bring order to this vendor-instituted chaos. As it is, a few power users have written Unix-based procmail rules to remedy this, but it's not an easy solution for the average user.
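The filtering problem the last two paragraphs describe (keep genuine mail server errors, file away the vendors' assorted "virus detected" notices, and never hand a user a notice that still carries the worm) is what the procmail rules mentioned above try to solve. The following is an added example, not the author's or any vendor's code, written in Python instead of procmail so the decision logic is easy to read and test. Everything in it is an assumption: the subject patterns are a constructed list (a real deployment would derive them from its own mail logs), the four sample messages are constructed, and the only standards-based check is the one for an RFC 3464 delivery-status report, which is the one kind of server error the article says must be allowed through.

```python
"""Sort inbound server-generated mail into three bins:
   deliver     - genuine RFC 3464 delivery-status report or ordinary mail
   file-away   - an anti-virus "virus detected" notice with no payload
   quarantine  - a notice that still carries an executable attachment
Added example; the subject patterns and sample messages are constructed."""
import re
from email import message_from_string
from email.message import Message

# Constructed subject fragments typical of the notices the article describes.
NOTICE_SUBJECT = re.compile(
    r"virus (detected|alert|found|warning)|infected|malware|"
    r"banned (file|attachment)|undeliverable.*virus",
    re.IGNORECASE,
)
# Constructed list of attachment types a notice should never forward to a user.
DANGEROUS_EXT = re.compile(r"\.(exe|scr|pif|bat|cmd|com|zip)$", re.IGNORECASE)


def is_delivery_status(msg: Message) -> bool:
    """RFC 3464 bounce: multipart/report with report-type=delivery-status."""
    return (
        msg.get_content_type() == "multipart/report"
        and str(msg.get_param("report-type", "")).lower() == "delivery-status"
    )


def attachment_names(msg: Message) -> list:
    """Filenames of every non-container MIME part that declares one."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify(raw: str) -> str:
    msg = message_from_string(raw)
    if is_delivery_status(msg):
        return "deliver"  # a real mail server error: let it through
    if NOTICE_SUBJECT.search(msg.get("Subject", "")):
        if any(DANGEROUS_EXT.search(n) for n in attachment_names(msg)):
            return "quarantine"  # notice is still carrying the payload
        return "file-away"
    return "deliver"


# Constructed sample messages (not real traffic).
SAMPLES = {
    "dsn": """From: MAILER-DAEMON@example.org
To: alice@example.net
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The recipient address does not exist.
--b1--
""",
    "notice_with_payload": """From: antivirus@mail.example.com
To: alice@example.net
Subject: VIRUS DETECTED in a message you sent
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Our scanner found a worm in mail claiming to be from you.
--b2
Content-Type: application/octet-stream; name="document.zip"
Content-Disposition: attachment; filename="document.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b2--
""",
    "notice_plain": """From: scanner@mail.example.org
To: alice@example.net
Subject: Virus Alert: infected message blocked

A message from you was blocked by our gateway.
""",
    "ordinary": """From: bob@example.net
To: alice@example.net
Subject: Lunch tomorrow?

Are you free at noon?
""",
}


def classify_samples() -> dict:
    """Run every constructed sample through the classifier."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:20s} -> {verdict}")
```

The order of the checks is the point: the structural test for a delivery-status report runs first, so a genuine bounce is never mistaken for vendor noise however its subject is worded, and the attachment test runs before the notice is filed so that a notice carrying the worm is held rather than stored in a folder a user might open later.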

Security Advisory

Finally, there's the ethics of the anti-virus industry. Martin shows several vendors blatantly advertising their products in their server-generated "virus detected" messages, as well as using malicious code outbreaks to hawk their overall product lines through unsolicited e-mails (in other words, spam) bearing a subject line of "Security Advisory" and the name of the latest outbreak. Is this advisory really for the benefit of the Internet community or the anti-virus product vendor?

The Novarg incident clearly underscores the need for reform in the anti-virus industry. A few industry-wide reforms, such as those discussed above, will go a long way toward making the anti-virus industry both more reputable and useful to its customers while truly improving security on the Internet. These changes are not difficult to implement and can be done on the cheap. Unfortunately, without such changes, the anti-virus industry will continue contributing significantly to internet security problems - instead of helping reduce them.

© 2004 by Author. All Rights Reserved. Permission granted to redistribute this article in its entirety with credit to author.

Richard Forno is a Washington, DC-based security consultant and author of "Weapons of Mass Delusion". His home in cyberspace is at http://www.infowarrior.org.
