June 7, 2006

Can the malware industry be trusted?

Author: Joe Barr

Commentary: Internet security is big business. Microsoft Windows and Office vulnerabilities have made major contributions to making it -- and keeping it -- that way. Today, players like McAfee, Symantec, and dozens of other firms fight for a share of a market worth tens-of-billions of dollars a year. I would like to think that this industry displays the same high degree of ethical standards and integrity shown by other first-responders: our police forces, firefighters, and paramedics. Sure, there are bad apples in the bunch now and then, but on the whole they are a admirably honest and trustworthy group. I don't think nearly as highly of the computer security industry.

Here's why.

Put a stake in its heart

Remember Dan Geer, the widely respected security guru who used to be CTO at @Stake? He's been in the news again recently. The last time I saw that much news about Geer, it was when he was fired by @Stake after presenting an assessment critical of Microsoft and "monoculture."

@Stake, I presume, is proud of having maintained a good relationship with Microsoft by firing Geer for daring to speak the truth. The irony comes from the fact that the recent headlines concerning Geer -- about the MS Word vulnerability -- proved him to be dead-on in the report he was fired for delivering. Obviously, @Stake valued their relationship with Microsoft more than they did the security of their clients. Word up, as they say.

It's that very trait -- the need to lick Microsoft's boots to play in their ecosystem -- which accounts for a lot of the corruption, lies, deceit, false claims, false viruses, and false alarms which emanate regularly from this false security industry. But no need to dwell on @Stake being cherry red with embarrassment over being shown up as idiots and servile buffoons. There are plenty of other examples to talk about.

US-Cert: Count this way

Every year, US-Cert produces huge fireworks in the security trade press with their annual summary of misinformation about security flaws. The idiots in the press repeat the lie verbatim and the lie becomes real. What is the lie? That Unix/Linux is less secure than Windows. Granted, only the stupidest dolts in the universe -- and the trade press -- are going to buy that crap, but they put it out there anyway.

Here's the problem. The summary gives a total for flaws found in Windows and another total for flaws found in Unix and Linux. Last year, those totals were 812 for Windows and 2,312 for Unix/Linux. As usual, those two misleading numbers once again got trumpeted and cited as evidence that Windows is more secure than Unix or Linux on every Windows-leaning news site in the known universe.

Why is it misleading? Well, say that a vulnerability occurs in the Linux kernel. There are dozens Linux distributions, and when the vulnerability is found, eventually it will get patched in each and every one of them. Now, guess how many times it gets counted. That's right, not just once, but once for each distribution.

US-Cert knows about the problem of the super-inflated malware numbers in their summary, but they refuse to correct it or to comment on it. They also know that it misleads consumers and encourages them to stay on an inferior platform -- one which is infamous for its chronic malware infestations -- rather than switching to Mac OS X or Linux, both of which are more secure by design. Since they refuse to comment on the issue, the reason why they don't correct it is something probably known only to Homeland Security and their private sector partners in the US-Cert combine.

Apple OS X: Mea culpa

The SANS Institute, -- a name which sounds all officious and possibly not profit oriented, but which is owned by the mysterious but definitely for-profit Escal Institute of Technology -- recently did an unusual update to its Top 20 list of vulnerabilities.

They issued their "update" in order to trumpet the assertion that Apple OS X is now just as exposed and vulnerable to malware as Windows. The timing of the release of this unusual "update" is suspicious, coming as it did on the eve of the new advertising campaign by Apple which plays up the fact that Apple is pretty much immune to the types of malware infestations that plague Windows. Previous updates to this list have usually come in the fall: November, 2005; October, 2004; October, 2003; and October, 2002.

The SANS Institute announcement seemed to be designed to destroy -- or at least bring into question -- the idea that Apple OS X is more secure than Windows. In a document sent to members of the press prior to the teleconference, the SANS Institute wrote:

During the past few months, Apple Safari browser users faced their first zero-day attack. A zero-day attack is one that causes damage to users even before the vendor makes a patch available. In this case, Safari users who just browsed a malicious web site found their computers automatically downloading and executing a malicious file. The user made no error other than to visit the web site. Apple patched Safari to fix this flaw, but almost immediately had to issue a second patch to stop another attack involving email attachments. The experts involved in the 2006 Top 20 Spring update agree that OS/X still remains safer than Windows; but its reputation for offering a bullet-proof alternative to Windows is in tatters. As attackers are increasingly turning their attention to the platform, OS/X vulnerabilities are being discovered at a rapid pace, which could erode this safety in the future.

I covered the SANS teleconference event for NewsForge. Because of my recent experiences with a Kaspersky Lab disinformation campaign against Linux, my ears were tuned for false claims being made against Linux. But I didn't pay much attention to the fact that SANS was launching a similar attack against Apple. I am ashamed to say it, but just like all the other idiots in trade press, I simply reported what had been said. My apologies to all Apple users, and Apple. It won't happen again.

Imagine my surprise in the days that followed the teleconference as I read story after story by Mac-aware journalists and analysts which questioned or challenged the SANS Institute and similar findings by others in the malware business.

On May 9, The Mac Observer reported that Yankee Group analyst Andrew Jaquith accused McAfee of engaging in "scaremongering" in a report entitled "The New Apple of Malware's Eye: Is Mac OS X the Next Windows?" In Jaquith's view, McAfee was attempting to frighten Mac users into buying malware protection they just happen to sell.

Other Apple-related news sites picked up the theme as well, as one might expect. But what's this, a defense of Apple by BusinessWeek's Arik Hesseldahl? In response to The SANS Institute claim that Apple's security rep was now in tatters, he wrote on May 4:

Tatters? Well, let's look at the record. As you may remember from a few months ago, there were indeed not one but two Mac security teapot tempests. Astute readers of this column and its accompanying blog will remember that in March, there was the "hacked Mac Mini" contest (see BW Online, 3/08/06, "Apple Finding the Root of the Problem"). Entrants were challenged to find a way to upgrade limited-access privileges to those of someone with so-called root status, a position that would let them wreak pretty much untrammeled havoc on a computer. Someone pulled it off. Though the contest proved little, the misguided press still went a little nuts.

That observation about the "misguided press" points out the reason that malware vendors beat their drums so loudly and so often: the trade press blindly accepts whatever the security firms utter as being the gospel. I know, I know. Mea culpa, too.

Hesseldahl went on to write about an AP story which seems to have been the precipitating factor in The SANS Institute's decision to push its "Apple fatally flawed" rhetoric. He said: "The story coincided with the disclosure that six newly discovered so-called zero-day bugs targeting Mac OS X were found by Tom Ferris, a security researcher who publishes a blog concerning vulnerabilities he has found. Zero-days are exploits or vulnerabilities that cause damage in the wild before being disclosed to the vendors of the targeted software. While they were directed at the Mac operating system, there's no evidence these vulnerabilities have actually done any damage."

From Russia with malice

Kaspersky Lab, a Russian Internet security company which operates around the globe, including here in the USA, has been spreading FUD about malware targeting Linux for years. I've cited this example from 2001 before, but here it is again, and it still appears on their Web site. Hey, maybe the SANS Institute used it as a template for their anti-Apple effort. I quote:

Predictions regarding a world epidemic of Linux-viruses have come true in the first quarter of 2001. The latest incidents caused by the Ramen Internet-worm and its numerous modifications, as well as the multi-platform virus Pelf (Lindose) and other Linux-targeted malicious code, have proved that this operating system, (previously considered as the most protected software), has fallen victim to computer viruses.

After finding that page on the Web, and after watching Torvalds patch the Linux kernel so that some very old code that Kaspersky Lab was trying to pass off as a "new cross-platform virus" would run on the latest versions of the Linux kernel, I decided to keep an eye on other claims Kaspersky Lab was making about malware on Linux.

Figure 1: Alleged Linux viruses - 2005

Checking their Web site, I found a new report entitled 2005: *nix Malware Evolution and decided to take a look. A graph (see Figure 1) purporting to illustrate a dramatic increase in all types of malware for Linux between 2004 and 2005 showed an incredible -- literally -- jump from 4 to 91 Linux viruses.

I found that intriguing because I've been using Linux exclusively on the desktop since 1999, and reading and writing about it for longer than that, and I was completely unaware of _any_ Linux viruses beyond a few lame "proof of concept" samples, similar to the one previously mentioned that caused Torvalds to patch the kernel so that it could run correctly on the most recent versions of the kernel, which don't really do anything remarkable other than demonstrate the ability to run on both Windows and Linux. Yet Kaspersky was claiming that 87 new Linux viruses were discovered last year.

I asked Kaspersky Lab if they had any documentation to back up that claim. Jennifer Jewett, a public relations person representing Kaspersky, told me "the documentation sighting the viruses is included in the Encyclopedia on Kaspersky's Viruslist site: http://www.viruslist.com/en/viruses/encyclopedia."

I searched the encyclopedia for Linux viruses and came up with an astounding 972 hits. But just the barest hint of an analysis of those hits reveal that the number would break an industrial-strength bogusity-meter. A few low-lights of my analysis:

  • The first 256 items are completely undocumented.
  • Only 21 --less than 3% -- are described at all.
  • Of the 21 that are described, 2 are duplicates.
  • One of the 21 is a Windows virus, not Linux.
  • Almost all of the 21 are programs modifying files in accordance with standard *nix permissions.

I went back to Kaspersky and told them my results. Jewett then put me in touch with Kaspersky's Senior Technical Consultant, Shane Coursen. I repeated my request to Coursen for documentation on the 91 claimed viruses. He told me he would have to check with the report's author, Konstantin Sapronov, in Russia. A few days later I received a list containing the 91 alleged Linux viruses. The list contained nothing but the names, no documentation.

I checked the first one on the list. Naturally, there was no information about it in the Kaspersky encyclopedia, but it did suggest searching for it under other names from other vendors, so I did. That led me to this page on the McAfee site, where I learned that it had been discovered in 2003. Since McAfee didn't provide any further information on the virus, I kept looking. That's how I came across the Virus Pool Project. One thing there really caught my eye.

The site's reason for being is explained like this: "I always found virus names rather confusing. Mainly because there are so many of them for one and the same virus. By indexing them and making it possible to search them I hope people will be able to help others."

Perhaps confusion is why, of the 972 hits found in Kaspersky's encyclopedia, only 21 are documented. Out of curiosity, I decided to check the list of 91 names against the list of the 21 documented viruses in the encyclopedia.

I found a total of 10 matches from the list of 91. Remember, Kaspersky claims 87 of the viruses were found in 2005. Of the 10 that matched, two were found in 2000, four were discovered in 2001, three in 2002, and one in 2003. None of 87 alleged new Linux viruses are documented or substantiated by Kaspersky in any way whatsoever.

Coursen responded via email to my initial analysis of the list by saying:

1st) Other vendors' names are going to be different than Kaspersky names in most cases. The industry does its best to coordinate names, but as you can imagine, with the speed at which new viruses appear, it is a very difficult thing for us to accomplish in all cases. And unfortunately, even if you can find the same name between two different vendors it does not mean the description is discussing the same variant; sometimes the description doesn't even discuss a virus from the same family!

2nd) When McAfee adds a description on their site, it doesn't always match the date they added actual detection. As for Kaspersky, McAfee and others, descriptions usually appear well-after detection is added, if at all. (Which is why Kaspersky adds both dates to its descriptions -- when then detection is added and when the description is published.)

3rd) In the case you mention above, where McAfee added detection for something that looks to be the same virus back in 2003 -- well, that's a bit of an odd one, but very explainable: If #2 reason above doesn't explain it, then we can try this....(since it is more likely the case)

AV companies may add a record to detect a virus, but then receive a new variant of the same family some time later. In such a case it may be necessary to modify the existing detection signature. So, what you end up with is a signature that was added some time ago (could be years, even), but that was modified just recently. It is my guess that recently-updated signatures would probably show up in Konstanstin's stats.

After this story was submitted, and the week following another black-eye for Microsoft security in the form of malevolent macros in MS Word, Kaspersky Lab issued another headline-grabbing but bogus alert for a proof-of-concept of the same type of attack on MS Word's largest competitor, OpenOffice.org. Was the timing once more just a coincidence? I don't think so.

But all I am sure of is this: Kaspersky Lab is making claims about malware and Linux which they cannot substantiate. Period. They did it in 2001 and they are doing it again now. They were asked for documentation on the alleged viruses and they delivered nothing at all. Another thing I am sure of is that they aren't the only ones doing it, and Linux is not the only victim of their crimes.

Why they do it

The answer, of course, is money. Security firms look on more secure alternatives to Windows as a threat to their bottom line. It is in their best interest to slow down the migration of users from Windows to any alternative platform, simply because any alternative platform is going to a better job of providing security than Microsoft has done, or seems capable of doing.

If they can't stop the attrition, and the growth of the Apple and Linux markets are showing that they can't, they can also try to position themselves to be in the new markets, even if they are not as lucrative for them as the Windows culture. So by inventing and/or exaggerating threats to the alternatives, they can slow down their growth and try to establish some cred in them at the same time.

Conclusion

The Windows economy is a tough arena to play in. You have to keep Mister Gates happy to survive, and even then, there isn't any guarantee that your niche in the market won't be gobbled up by the next release of Windows. Of course, sometimes the little fish try to bite back. That is what Symantec is trying to do now to prevent Vista swallowing them whole.

It may be that if you do business with Microsoft on a regular basis, you get used to working in an ethics-free environment, and you begin to practice the same black business arts as the master. Whatever the cause, what I see happening in the malware business today reflects Microsoft's own ethics-free practices. I'm not convinced there is an honest firm in the whole mess. So in my humble opinion, the answer to the question, "can the malware industry be trusted?" is a resounding "No!" What do you think?

Category:

  • Security