Browse archive

Latest news

Targeted data stealing attacks using fake attachments

A look into the EC Council hack

New Mac spyware signed with legitimate Apple Developer ID

Ransomware adds password stealing to its arsenal

"Get free followers" scam targets Instagram users

Thoughts on the need for anonymity

Four LulzSec hackers handed prison sentences

The New Yorker launches anonymous dead-drop tool

Researchers reveal OpUSA attackers' MO

Info-stealing Dorkbot worm spreading on Facebook

Review: The Hacker's Guide to OS X

Private messages of Bloomberg clients end up online

IT security jobs: What's in demand and how to meet it

Hacking charge stations for electric cars

The Anti-Virus Industry Scam

by Richard Forno - InfoWarrior.org - Monday, 16 February 2004.

How many such "virus detected" messages must be received before a malicious code event becomes a denial of service one? How about when antivirus software sends a "virus detected" message containing the detected malicious code (and spreads the outbreak) to a third party? At what point does the antivirus software become more of a problem for the Internet than the original outbreak? Should antivirus servers also exhibit responsibility to the Internet community at large by not propagating detected malicious code elsewhere? Even if we're not directly attacked, the collateral damage from a malicious code outbreak costs us time and money to remedy. (Antivirus vendors take note.)

If antivirus products were built with customers in mind, all would generate a similar message that could be filtered by customer system administrators to help reduce the amount of "noise" and collateral damage experienced during a malicious code outbreak. Martin discusses fifteen different "virus detected" messages that he encountered during the Novarg incident -- had there been a standard message, users and system administrators would have a far easier time addressing the outbreak itself instead of also dealing with a sizable volume of hard-to-filter e-mail detritus. If anyone wants to help draft a RFC on this, please contact me -- we can help bring order to this vendor-instituted chaos. (As it is, a few power users have written Unix-based procmail rules to remedy this, but it's not an easy solution for the average user.)

Finally, there's the ethics of the antivirus industry. Martin shows several vendors blatantly advertising their products in their server-generated "virus detected" messages, and also using malicious code outbreaks to hawk their overall product lines through unsolicited e-mails (e.g., spam) bearing a subject line of "Security Advisory" and the name of the latest outbreak. Is this "advisory" really for the benefit of the internet community or the antivirus product vendor? It's like an airline releasing post-September-11 advertisements saying "Security Alert: Hijackings can be prevented -- come fly with us, our cockpit doors are reinforced and the best in the industry!"

The Novarg incident clearly underscores the need for reform in the antivirus industry. A few industry-wide reforms, such as those mentioned in this article, will go a long way toward making the antivirus industry both more reputable and useful for its customers while truly improving security on the Internet. These changes are not difficult to implement and can be done on the cheap. Unfortunately, absent such changes, as recent events show, the antivirus industry will continue contributing significantly to internet security problems instead of helping reduce them.