Anti-virus industry: white knight or black hat?
Who protects the protected from the protector?
Opinion One has to wonder whether the anti-virus industry sleeps well at night. On one hand, it purports to serve the world by defending our computers and networks from any number of electronic critters and malicious code. On the other hand, sometimes its "cure" is worse than the problem its products allegedly treat. Add to that the decades-old concerns over business, market share and publicity, and you have all the ingredients for industry, product and service confusion. This situation regularly benefits the anti-virus software industry at the expense of its customers.
Let's start with malicious code outbreaks in general. Unlike hurricanes and tsunamis, there is no standard way of naming malicious code. Gone are the days when simple names like "Jerusalem", "Michaelangelo" and "Stoned" were accepted and used by all anti-virus vendors. So, we might have the same threat labelled "Worm_Minmail.R", "W32.Novarg", "MyDoom.A@m" or "W32/MyDoom" by competing companies. What we need is a return to industry-wide nomenclature for malicious code; used by all vendors and facilitating the reporting, analysis, and resolution of such outbreaks.
Marketing and mindshare
Then there's the matter of marketing and mindshare. First and foremost, anti-virus vendors are in business to make money. Naturally, it behooves them to seek as much free publicity as they can. Thus, with each new outbreak we see vendors stumbling all over themselves to be the first to detect and defend against the latest malicious code - a likely explanation as to why there's no longer a standard nomenclature. From press releases to media interviews, anti-virus industry executives race to establish their companies and products as the most vigilant and capable on the market.
This frenetic activity is often eyebrow-raising when backed by questionable, if not fabricated, statistics and predicted damage assessments - invariably backed by a company pitch espousing the cost-effective security that only their products provide.
As a result of such marketing strategies - combined with customer ignorance and easily-exploitable OSes and servers - it's rare to find a wired organization without anti-virus software protection. These sensors are on constant prowl for the latest malicious code attack and are intended to defend their host network from future outbreaks based on existing attack signatures. In other words, these products only defend what they know how to defend; and if a network administrator doesn't keep his anti-virus software current (sometimes on a daily basis), it's quite easy for the "next best" attack to create havoc. Then the game begins afresh. Costs mount for customers and profits rise for anti-virus software vendors, much to their satisfaction.
You've got mail
In the case of e-mail-borne outbreaks, when these sensors detect a piece of malicious code, they generate an error message back to whomever the server *thinks* sent the message. This obviously ignores the fact that the majority of such alleged users had absolutely nothing to do with the outbreak or that their e-mail address was harvested (or spoofed) from someone else's inbox. Accordingly, thousands of Internet users receive automatically-generated virus alert messages blaming them for something they likely didn't do - a situation made worse when receiving different alerts from different products that use a different name for the same attack.
Not only is there no standard nomenclature for "virus detected" messages from anti-virus servers but such messages themselves often function as surrogate attack mechanisms. Sometimes this message is a clear warning in plain text, and other times it's full of cryptic jargon. Incredibly, some products even return a warning message with the malicious code still attached, meaning a greater chance of propagating the outbreak it's trying to mitigate. Security consultant Brian Martin provides a fantastic discussion of this issue at Attrition.Org.
Handling the sheer volume of such server-generated virus detected messages can be a daunting task. Early in the recent Novarg incident, I received 319 such messages during a twenty-four hour period, including many that were still infected with the worm. Now imagine a user on a pokey dial-up line or a CIO supporting an enterprise with thousands of users on high-speed networks and with systems that never sleep. Of course, users may be tempted to filter all server error messages, but that's not a reliable solution because doing so would also block legitimate mail server error messages. Ergo, we're stuck with a large number of diverse-yet-related server error messages that clog bandwidth and require a dedicated amount of time to develop and test custom filters while allowing other legitimate error messages to pass.
Denial of service
How many such virus-detected messages must be received before a malicious code event becomes a denial of service attack? How about when anti-virus software sends a virus detected message containing the detected malicious code, and spreads the outbreak, to a third party? At which point does the anti-virus software become more of a problem for the Internet than the original outbreak? Should anti-virus servers also exhibit responsibility to the Internet community at large by not propagating detected malicious code elsewhere? Even if we're not directly attacked, the collateral damage from a malicious code outbreak costs us time and money to remedy. Anti-virus vendors take note.
If anti-virus products were built with customers in mind, all would generate a similar message that could be filtered by customer system administrators to help reduce the amount of "noise" and collateral damage experienced during a malicious code outbreak. Martin discusses fifteen different "virus detected" messages that he encountered during the Novarg incident. Had there been a standard message, users and system administrators would have had a far easier time addressing the outbreak itself instead of also dealing with a sizeable volume of hard-to-filter e-mail detritus. If anyone wants to help draft a RFC on this, please contact me: we can help bring order to this vendor-instituted chaos. As it is, a few power users have written Unix-based procmail rules to remedy this, but it's not an easy solution for the average user.
Finally, there's the ethics of the anti-virus industry. Martin shows several vendors blatantly advertising their products in their server-generated virus detected messages, as well as using malicious code outbreaks to hawk their overall product lines through unsolicited e-mails (e.g. spam) bearing a subject line of "Security Advisory" and the name of the latest outbreak. Is this advisory really for the benefit of the internet community or the anti-virus product vendor?
The Novarg incident clearly underscores the need for reform in the anti-virus industry. A few industry-wide reforms, such as those discussed above, will go a long way toward making the anti-virus industry both more reputable and useful to its customers while truly improving security on the Internet. These changes are not difficult to implement and can be done on the cheap. Unfortunately, without such changes, the anti-virus industry will continue contributing significantly to internet security problems - instead of helping reduce them.
© 2004 by Author. All Rights Reserved. Permission granted to redistribute this article in its entirety with credit to author.
Richard Forno is a Washington, DC-based security consultant and author of "Weapons of Mass Delusion". His home in cyberspace is at http://www.infowarrior.org.
Sponsored: Customer Identity and Access Management