funsec mailing list archives

Re: Consumer Reports Slammed for Creating 'Test' Viruses


From: Drsolly <drsollyp () drsolly com>
Date: Sun, 20 Aug 2006 00:10:47 +0100 (BST)

On Sat, 19 Aug 2006, Blue Boar wrote:

> Drsolly wrote:
> > I've noticed a lot of bad feeling against the AV companies. People think
> > they write the viruses,
>
> *I* don't think that, generally speaking.  (I seriously doubt that no
> one, ever, working for an AV company hasn't written or modified some
> malware.  But generally, no, I don't believe they are creating the malware.)
>
> However, that is a HUGE reason why AV people are so paranoid about
> creating malware, because of 20 years of people waiting to pounce the
> moment there is a hint that they do.

Not so. We felt the same in 1990. I was there.

> > people think that AV products should be made so they don't need updates.
>
> *I* don't think that.  I think that AV relies almost entirely on
> signature updates.  However, if there is going to be any claim for
> detection for unknown malware, then that claim is fair game for testing.

I agree, but the testing has to be more realistic than "create a bunch of
variants".

> I don't think I'm particularly worrying about the ethical question, I'm
> trying to find out why the test is not valid, strictly for determining
> functionality.
>
> I DO think that many people from the AV companies let the ethical
> question strongly impact their logical arguments.
>
> Here's where I left off, trying to find out why my virus would be
> different from anyone else's:
>
> Drsolly wrote:
> > No, I'm saying that there's an Intelligent Designer behind the
> > viruses, and your purpose isn't the purpose of the virus authors, and
> > you would design different viruses from the ones they would design.
>
> OK, I'm not sure what would be qualitatively different about me the
> virus author, versus the natural self-selected population of virus
> authors, but at least I understand your position better.  For the
> record, I wasn't trying to hint that I could write some
> uber-polymorphic-super virus.  I'm under the impression that I could
> write some 80's-style file infector, and as long as it's original, it
> wouldn't be detected.

That's where we left off, and I wasn't going to continue the thread, 
but since you've brought it up again, well, then I'll answer that.

You could do what you suggested, and write 5,000 new and original 80's
style file infectors, show those to a dozen AV products, and discover that
they detect just 1% of your new viruses.

The BIG BIG flaw in that test is that 80's style file infectors (which
means viruses that work under DOS; of course, there were no PE infectors
then) simply are not a threat today, because I doubt if you'll find one
computer in a million that is still running DOS (or one in a thousand that
even runs products in a DOS box, ever). And the same 80's DOS viruses
won't work under Windows; if you want to see why, get a bunch of DOS file
viruses, and try to run them under Windows.

So, your test would "expose" the AV products as useless against new 
viruses, and your test would be completely wrong, because you wrote the 
Wrong Sort of Viruses.

AV product testing is *difficult*. I'm not saying it's impossible, but 
newbies to the game pretty much invariably get it badly wrong. Like I 
said, I could tell you some very ugly stories ...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
