NSA writes more potent malware than hacker
Spooky project plots zero day defences
A project aimed at developing defences against malware that attacks unpatched vulnerabilities involved tests on samples developed by the NSA.
The ultra-secretive US spy agency supplied network testing firm Iometrix with eight worms as part of its plans to develop what it describes as the industry's first Zero-day Attack Test Platform.
Richard Dagnell, VP of sales and marketing at Iometrix, said the six-month project also featured tests involving two worm samples developed by a convicted hacker. The potency of the malware supplied by the NSA far exceeded that created by the hacker.
"We hired someone to create worms from scratch. A freelancer, who did the same sort of work for NASA, and was imprisoned for seven years for hacking offences," Dagnell said.
Iometrix's Zero-day Attack Test Platform detected both of the samples of malicious code developed by the hacker, but only three of the eight malware samples supplied by the NSA. Dagnell said the six-month project was offered to the firm out of the blue and came to an end in March. Although not wholly successful, the detection of half the attacks thrown against Iometrix's platform showed its work was progressing along the right lines, Dagnell added.
Other security experts were more skeptical about whether it was taking the right approach.
"You don't need to write viruses to test security technologies. There's no shortage of new malware. Also you examine existing stuff and study techniques," said Graham Cluley, senior technology consultant at Sophos. ®
Chuck Chandler & David Harley: I have yet to see a SINGLE, REAL-LIFE case when creation of a new self-replicating program was actually NECESSARY (i.e., unavoidable) for some good purpose. Even a single one! In each and every case that I've been presented with, either such creation could be avoided (and the stated beneficial goals could be achieved by other means), or the stated purpose was not really so "good" after all.
amanfromMars: You are wrong by relying on an unwarranted assumption and hiding behind the word "probably" without any factual arguments to support it. Judging by the data of the cybercriminals who have actually been caught, they use mostly Windoze, just like the rest of us. Yeah, I know. It must be a proof positive that the smart ones (i.e., the ones who didn't get caught) don't use Windows. Or whatever other illogical conclusion you could draw from it.
Steve: You are wrong in several ways. First of all, you're wrong that the AV industry has to make stuff that actually works. What they have to make is stuff that ACTUALLY SELLS! The AV companies are businesses - not Labs or craft shops. So, they have to make money. I can easily make a program that would be guaranteed to prevent any virus from ever infecting your computer, using one of the three theoretical models that guarantee that. Problem is, nobody will actually BUY it, because it will make the computer practically unusable - not because it will destroy its own market due to getting rid of all the viruses, as you incorrectly suppose.
90% of all protection is NOT based on "signature scanning" - it stopped being based on that more than a decade ago, but most folks (users and virus writers alike) still haven't caught up with that. But it's true that 90% of all protection is based on known-malware detection (which is slightly different - more general and more precise). And there is a perfectly good reason for that, too. A known-virus scanner will tell the user "your computer is not infected" or "your computer has the XYZ virus, do you want me to remove it?". That's something the average luser can understand - so, known-virus scanners are something the average luser can use and will buy. That's why this is what the AV companies are making - because, as explained above, they have to be able to sell. As opposed to that, a heuristic analyzer will tell the user "The file Foo.exe is suspicious". Well, does it have a virus or not, dammit?! An integrity checker will tell the user "The file Foo.exe has been modified". Well, is it because it was infected - or is it because of Windows Update? A firewall will tell the user "The process svchost.exe tries to communicate over port 80". Well, should it be permitted or not? And so on, and so on - anything but a known-virus scanner is either too restrictive or too obscure to the user, or both. We have to make what the vast majority of the users will be willing to buy - it's that simple. Convince the idiots to learn how to use something more secure and this is what we'll start providing.
The basis of my ethical position is similar to that of the physicians. No ethical doctor will create a deadly virus if it is not *really* necessary for some obviously good purpose. It doesn't matter that he thinks that he'll be able to contain it. Yes, I know that there are researchers who create such viruses, e.g., for weapons research. It's still unethical.
Next, you're very wrong that the ability to create worms is in any way related to the ability to protect from them. In reality, creating viruses is rather trivial - any trained professional can do it without breaking a sweat. (The reason why most of the viruses around are so buggy is because they are *not* made by "trained professionals".) Compared to that, making a good (and usable!) AV program is *very* difficult and only relatively very few professionals can do it reasonably well - and only with a lot of effort. Note that I am not saying that the AV people are unable to make viruses. I am saying that (a) it is never necessary and (b) that skillset is BY FAR insufficient for making good AV programs.
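The contrast drawn in the comment above between a known-malware scanner (names the threat, silent on anything unseen, as with the NSA's zero-day samples in the article) and an integrity checker (flags every changed file, including a legitimate update, without saying why) can be shown with a small added example; it is not code from the article or from any commenter, and the file contents and the "known malware" hash catalogue are constructed stand-ins:

```python
import hashlib

# Constructed sample "files": name -> bytes (stand-ins, not real binaries).
BASELINE_FILES = {
    "Foo.exe": b"original program bytes v1",
    "svchost.exe": b"system service bytes",
}

# Constructed catalogue of known-malware hashes, as a known-malware
# scanner would carry; the hash is of a constructed sample, not real malware.
KNOWN_MALWARE = {
    hashlib.sha256(b"known worm sample bytes").hexdigest(): "XYZ worm",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(files):
    """Integrity checker, step 1: record a hash of every file."""
    return {name: sha256(data) for name, data in files.items()}

def integrity_check(baseline, files):
    """Integrity checker, step 2: report every file whose hash changed or
    that is new. It cannot say *why* a file changed, which is exactly the
    'infected or Windows Update?' ambiguity described above."""
    return sorted(n for n, d in files.items() if baseline.get(n) != sha256(d))

def known_malware_scan(files):
    """Known-malware detection: names the threat when a hash matches and
    stays silent on anything it has never seen (a zero-day)."""
    hits = {}
    for name, data in files.items():
        label = KNOWN_MALWARE.get(sha256(data))
        if label:
            hits[name] = label
    return hits

def demo():
    baseline = build_baseline(BASELINE_FILES)
    later = dict(BASELINE_FILES)
    later["Foo.exe"] = b"original program bytes v2"   # legitimate update
    later["dropper.exe"] = b"known worm sample bytes"  # in the catalogue
    later["zero.exe"] = b"never seen before sample"    # unknown sample
    # Integrity check flags all three (benign update included, no verdict);
    # the known-malware scan names only dropper.exe and misses zero.exe.
    return {"modified": integrity_check(baseline, later),
            "known": known_malware_scan(later)}

if __name__ == "__main__":
    print(demo())
```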
Ethics and security
Actually, not everyone in the AV industry believes that creating replicative malware for restricted purposes under controlled conditions is automatically unethical, and the fact that some researchers decline to do so doesn't give you the right to assume that they couldn't if they considered it appropriate. Here, though, the point that's -already- been made very clearly is that there is no absolute technical reason why this particular test had to be carried out using replicative software.
The actual nature of the ethical objections comprise one of the many issues that the industry hasn't succeeded in communicating very well, though individuals have tried, strenuously, many times. But is it worth it right now, given the anti-AV prejudices on display here?
@Dr V. Bontchev
Is it really unethical to create such software? I would think the unethical part would be releasing it into the wild.
Not being in IT security I am not up on the latest and greatest but what I got from the article was the NSA was testing current AV methodologies. The results look to me like current AV works against the current crop of virii being produced but obviously it is possible to create things that current AV doesn't recognize.
NSA is tasked with protecting '.gov/.mil' and appear to be trying to stay a step ahead. Of course, the black hats don't have to go down the same road that NSA did with their uber-virii, but if AV can be improved to block one fork in the road beforehand then it would seem to me to be a good thing.