Another year, and another journalist proposes that the security industry discusses threats purely to sell products (http://www.newsforge.com/article.pl?sid=06/06/06/1832223). This is usually followed closely by the conspiracy theory that we actually write the viruses that we protect against. I find it interesting that this argument has cropped up every few years since the nineties.

I often wonder why this argument is so frequently recurring and apparently popular. I suppose, on the one hand, that it fits so neatly into our collective understanding about how free market capitalism works: if you can artificially create demand, you can increase your sales. But why does this same argument not crop up more often for others in security or services fields, like firemen, policemen, doctors, nurses, people who make home security alarms, airbag manufacturers, etc.?

Particularly when there are (very rare) documented cases of people in some of these fields actually harming the people they are meant to help? It seems to me that in all of these cases we have:

  • good, independent statistics from organizations designed to track those phenomena, so we know what the actual risk is (or it’s at least harder to lie and get away with it).
  • the bad guy usually gets caught, so everyone knows that the frequency with which someone is playing a scam is very low or non-existent.

But in our world, antivirus companies are the only ones who have good first-hand data about the prevalence of threats, and the attackers are almost always anonymous. How then, could we prove that these accusations aren’t true?

Unfortunately, we probably cannot. There are barely any national law enforcement or governmental agencies, never mind global organizations, capable of tracking the problem on the massive scale at which it actually occurs. We routinely see millions of attacks on hundreds of thousands of computers occur on a 24-hour basis, and this represents only the fraction of our customer base that has opted in to anonymous reporting. And McAfee represents only a portion of the AV market share. And computers with antivirus protection represent only a portion of all computers.

The internet is a remarkable tool for anonymity, even setting aside the fact that in some parts of the globe there is no authority who will even try to help you track down a virus writer. Add privacy-minded tools like Tor to the mix, and the task quickly becomes mind-boggling.

So here’s some truth, from someone in the trenches: You don’t NEED an antivirus product, as long as:

  • you use a good NAT hardware firewall/router
  • you practice good, safe surfing habits all the time
  • everyone else who uses your computer does the same, and has limited privileges
  • you keep the operating system and applications patched on a daily basis
  • you have complete control over who can exist on or connect to your computer or network (especially with wireless networks and Bluetooth)
  • you keep current with existing malware trends
  • you can recognize and recover from a 0-day attack that does get through
  • you have no data worth anything on your computer

Most people either can’t, or don’t want to, expend this kind of effort or maintain this kind of draconian control over their computers. Frankly, most of us wouldn’t use computers or the internet nearly as much if they weren’t as open and flexible as they are. So the value of data and processing power in computers is so massive and growing so fast that there will always be LOTS of people trying to steal or exploit it. Imagine trying to protect a transparent bank from invisible attackers who could see every camera and security mechanism in the building. You would block many attacks, but sooner or later somebody will get through. Which means we’ll have a job for a long time.

So why do we talk about threats to Linux, or Mac, or Windows, or any other platform? Mostly to educate consumers and enterprises about the possible threats, so that people apply an appropriate amount of effort to preventing those threats. Naturally, we have to walk a fine line between creating a false sense of security, and crying wolf too often. The former means people will leave themselves exposed; the latter, that they will ignore real threats that will harm them.

In my position, we are frequently asked to be psychic about impending threats. If we do not start preparing solutions a year or more before the threat appears, we may be unable to protect our customers down the line. If we move too soon, we might expend a lot of effort writing code that isn’t needed. Sometimes we talk about those threats when we think they have relevance for our customers. Recently we’ve taken a lot of flak for bringing up Mac OSX viruses, largely from Mac zealots, just as Kaspersky takes flak in the article above (from a Linux site) for talking about Linux threats.

Are we right or wrong about our predictions? It’s too soon to tell. I do believe that if these platforms make serious inroads into Windows market share, their value will go up, and the attackers will follow. But whether that happens depends on far more factors than any threat report by any security vendor. What I am sure of is that the capacity for malware to be effective on these platforms is ample, and that pretending that this is not the case increases the risk of those doing the pretending.

Here’s an earlier example. In June of 2002, we did a press release about a (poorly-written) proof-of-concept threat that was appended to JPEG files called W32/Perrun. Despite the fact that “pure” data files like images (as opposed to files containing macros or scripts like Word docs or HTML) were commonly thought of as immune to infection, or uninteresting as a vector of malware, we took a lambasting in the press (see http://www.infoworld.com/articles/hn/xml/02/06/21/020621hnjpegvirus.html).

Fast-forward to today. There are threats for WMF, MP3, JPG, BMP, ANI, SWF, PNG and a variety of other data file formats. In fact, the most common dropper for malware today is Exploit-WMF (see http://us.mcafee.com/virusInfo/default.asp?id=regional&continent_k=0&track_by=2&period_id=3). So before you blast us for this year’s predictions, wait a few years. Whether you believe our information or not, we’re working on solutions so that you can be protected when the threat materializes.

Likewise, many of us in the AV space weren’t out there earlier this year making a lot of fuss about W32/MyWife.d (or the Kama Sutra or Blackmal worm, as it was commonly known). We knew that the prevalence was grossly over-estimated and that world meltdown was not going to occur on February 3rd. And it didn’t.

In my position, I have the privilege of working with over a hundred of the most hard-working and well-respected experts in the security field. And right now (Thursday evening US time) many of them are in the 50th or 60th hour of their work week. They are not having dinner with their families or playing with their kids. They will be working this weekend while you go to the beach. They (and their spouses) will be woken up in the middle of the night sometime soon to respond to a threat.

I’m not naive enough to think that everyone does this job out of a sense of altruism. Certainly, many researchers get a charge from the technical challenge. Some may even be completely mercenary about it, though I have yet to meet one, at McAfee, or any other antivirus vendor. If they exist, they are not too bright, because most of us could be making as much or more working fewer hours writing code for other kinds of applications. The fact is, most of us do it because we feel good about helping people. And you can’t get that from the company balance sheet.

Joe Telafici

Director of Operations, McAfee Avert Labs

The price of freedom is eternal vigilance
- Thomas Jefferson