How the Anti-Virus Industry Works


What do I remember most about DEFCON 7? The mosh pit of anti-virus employees at the release of BO2K. Several dozen A/V people from different companies, risking life, limb and a large insurance deductible to get their company the first samples of BO2K, was one of the funniest things I remember. At the time it made sense to risk injury for a copy: the media would reward the first company with a BO2K detection signature with immense amounts of free advertising, and after all, this was the latest and greatest Trojan/backdoor, right? Well, after seeing Dildog's presentation and the open challenge that followed to M$ to recall SMS server, I began to re-think my initial description of BO2K. After trying BO2K on an isolated test machine to make sure I didn't screw myself, it has now become my primary method of remote administration on a multiple-system 9X/NT network, because it is a damn good program. My opinion now: the anti-virus industry people didn't need to be there. This was a well-designed remote control product that happened to be written by hackers, and as with any tool, in the wrong hands it can be dangerous.

In the months following DEFCON, products such as Softeyes, Investigator from WinWhatWhere, and other products designed to do much of what the A/V industry says makes a program malicious were not scanned for. When a product can advertise that it 'watches and records everything about every window that gains the focus. It records every keystroke, program name, window title, URL, User and Workstation' and that 'The optional "Silent Install" feature will run the installation silently and invisibly', and still not be scanned for, it raises the question: how do you decide? This really rattled a lot of people's cages, because the logic used by the people who say certain programs are malicious doesn't make sense once you add these new programs to the mix.

This whole thing boils down to one question: by what criteria do A/V companies decide a piece of code is worth scanning for?

Well, rather than rant on like others might do, I went to the source. I looked on A/V sites for a policy statement or a set of internal guidelines. Nothing found. So I sent a mail, like any other customer, to the customer support (and, if it existed, the A/V research department as well) of the major A/V companies: Symantec, NAI, AVP, Computer Associates and Panda Software. Others could also qualify, but these are the ones you find most on store shelves. To all the companies I sent the same letter:

Dear Sir/Madam,
With recent events in the virus industry, it has become apparent to myself and many others that there seems to be a definite bias when it comes to how companies like yours determine what should and should not be scanned for.

By what policy do you decide what should be scanned for and eliminated and what is 'legitimate'? After an examination of your web site, no policy statement could be found. Can you clarify what criteria make a product malicious or a legitimate product?



As you can see, it states my conundrum and the clarification I need, and I don't try to hide who I'm mailing as. I waited a couple of weeks for the responses to accumulate and re-sent some that I didn't receive responses to. That was over two weeks ago. I only received three responses.

First was a very quick response from Symantec customer support, from a gentleman who, I think, was having a really bad day and was not happy to hear from me. Here is his message with my comments inserted.

I can assure you that Symantec has absolutely no bias towards any legitimate software developers

What makes a software developer legitimate? Is there a licence I'm not aware of? I thought anyone could code.

Arguments by some hackers that certain hacker tools are actually legitimate commercial software are themselves extremely biased, to the point of not making any sense

I agree we are biased to a point, but what makes something a hacker tool or a misused administration tool?

A good recent news story about this subject is available for reading at this web page. Both Symantec management and management at other anti-virus developers are quoted in this article about this subject. We really would not have anything further to add to these comments on this subject.

The article doesn't really answer what I was asking.

Best regards,
(name omitted)

Since he hadn't answered my original question, I responded because I thought they still had something to add. This time I asked exactly how they decide what should and should not be detected, and gave an example:

Interesting article you reference, but it still does not answer my question.

What is your company's policy on determining what should and should not be detected in your anti-virus scans?

What is defined by your company as legitimate software developers? Are independent developers not in the same boat as large companies such as yourselves?

What is preventing Back Orifice 2000 from being a legitimate tool? In the article you specified it says "anyone with the other half of the Back Orifice software (the administration tool) can control the victim's PC from anywhere on the internet". Can the same not be said for your product pcAnywhere?

I really appreciate you trying to clear this question up for me.

The bit about pcAnywhere was meant to get my point across that the differences between good and evil code are blurred. I myself have taken over the computers of friends who use pcAnywhere without passwords, and the effect is just the same as using BO2K.

His response was less than pleasant, but interesting. Again, here is a transcription with my comments:

I'm afraid that this is not at all a legitimate question that you ask here.

I'm a customer; I want to know so I can tell whether your product will protect me from anything that can be bad.

You know, you aren't even giving me the common courtesy of identifying yourself.

Ummm, I signed my name at the bottom; that is usually all people do. The support center never stated that it needed my full information in order to provide customer support.

Symantec operates our discussion groups as a support resource for our customers to use to get help from us. They are not meant for engaging in debates like this.

Whoa, hold on. I really am a customer of Norton A/V, and I'm asking a question: how do you decide what to scan for? This is a customer inquiry.

pcAnywhere is not designed to install silently and secretly in the background on a system. It was also not announced at a hackers' convention.

So if it announces its presence but formats your drive without asking, it's OK? Since when does the location of the announcement say anything about the product itself?

(name omitted)

After that, I let him get back to blowing off other customers with questions.

MS announced some DirectX technologies at a conference done on the theme of ancient Rome. Does this mean DirectX is a technology for guys in robes and olive branches? I think not. Fortunately, this was not indicative of all the responses I received.

NAI customer support responded quickly as well, this time with a definitely different tone.

If a program reproduces itself, we call it a virus. If it does something that the user does not expect, we call it a trojan. If it is harmless and funny, we call it a joke.

Not a bad (though short) summary.

There are other categories that could be considered, such as hack tools, backdoors, worms and password stealers.

Now it gets weird. Does l0phtcrack count as a password stealer, or a hack tool, or as just another damn good program?

NAI wasn't clear, but I was getting closer.

NAI also sent the third and final response, the one that really got me thinking.

Thanks for your question. The criteria, although not obvious, are simple among researchers. The detections are mainly customer driven; that is, if a client requests detection of a particular problem, then it is taken into account. Many of the detections received come from shared collections, collections that are shared among AV vendors. Some of the detections are from samples received from customers, and others are from sites referred to us from customers who feel there is a valid threat.

Regards, (name omitted)
Sr Virus Support Analyst
AVERT - a division of NAI
//* We eat viruses for breakfast, lock and load *//

Ding, ding, ding, we have a winner. The key line is "others are from sites referred to us from customers who feel there is a valid threat." So the A/V industry uses a common database plus submissions from customers... I'm a customer, and I want Investigator, softspy, pcAnywhere and SMS scanned for. I submit to you samples of each to add to your databases. There is no way to get BO2K off the lists, but by using the normal submission procedure for suspicious files, it may be possible to add other programs with similar features to the database. I, for one, want a level playing field. If there is a program on my system that can record my password and ship it off without me knowing, I want to know about it.

If a smart hacker wanted to use a trojan for nefarious purposes, they need only be a little creative. Just spend the $100 or so on Investigator, use something like Silk Rope to wrap the executable with some benign little program, and deploy at will. This is a common tactic used to deploy trojans, but with this method not a word will be uttered by any A/V product, and the attacker can go along on his merry way unfettered. So unless the A/V industry changes its position on what makes a piece of code malicious, the smart trojan users will fly right by using "legitimate" products. But why should they scan for those products? After all, they weren't released at a hacker convention :-)
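One check a scanner can make that does not depend on anybody's opinion of what is "legitimate" is whether an executable carries data past the end of its own section table, which is the layout the simplest wrappers leave behind when they tack a second program onto the end of a benign host. The following is an added example written for this page; it is not code from the article, from Silk Rope, or from any A/V product. It assumes (an assumption of the example) that the wrapper appends the payload after the last section; build_pe constructs a minimal PE32 file in memory so the check runs offline, and the payload bytes are a constructed stand-in, not a real program.

```python
import struct

PE32_MAGIC = 0x10B
OPTIONAL_HEADER_SIZE = 224   # size of a PE32 optional header
SECTION_HEADER_SIZE = 40
FILE_ALIGNMENT = 0x200


def build_pe(section_data: bytes) -> bytes:
    """Construct a minimal, syntactically valid PE32 file with one .text section.

    Constructed sample for the check below, not a real program. Only the fields
    overlay_size() reads (e_lfanew, NumberOfSections, SizeOfOptionalHeader and
    the section table) are meaningful.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF file header: Machine (i386), NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, OPTIONAL_HEADER_SIZE, 0x0102)
    optional = struct.pack("<H", PE32_MAGIC) + b"\x00" * (OPTIONAL_HEADER_SIZE - 2)
    headers_len = e_lfanew + 4 + 20 + OPTIONAL_HEADER_SIZE + SECTION_HEADER_SIZE
    raw_ptr = (headers_len + FILE_ALIGNMENT - 1) & ~(FILE_ALIGNMENT - 1)
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
    # NumberOfRelocations, NumberOfLinenumbers, Characteristics (code|exec|read)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                          len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos_header + b"PE\x00\x00" + coff + optional + section
    return image.ljust(raw_ptr, b"\x00") + section_data


def overlay_size(data: bytes) -> int:
    """Return how many bytes lie past the end of the last section's raw data.

    0 means the file ends where its section table says it should. Raises
    ValueError for anything that is not an MZ/PE file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff_off + 2)
    (size_of_optional,) = struct.unpack_from("<H", data, coff_off + 16)
    section_table = coff_off + 20 + size_of_optional
    end_of_sections = 0
    for i in range(num_sections):
        hdr = section_table + i * SECTION_HEADER_SIZE
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of the header
        size_of_raw, ptr_to_raw = struct.unpack_from("<II", data, hdr + 16)
        end_of_sections = max(end_of_sections, ptr_to_raw + size_of_raw)
    return max(0, len(data) - end_of_sections)


def triage(samples: dict) -> dict:
    """Map sample name -> overlay byte count for every sample that carries one."""
    return {name: overlay_size(blob) for name, blob in samples.items()
            if overlay_size(blob) > 0}


if __name__ == "__main__":
    # Constructed inputs: a clean host program, and the same host with a
    # second program's bytes simply appended after the last section.
    host = build_pe(b"\x90" * 64)
    payload = b"\xcc" * 70   # stand-in for the appended program (constructed)
    samples = {"host.exe": host, "wrapped.exe": host + payload}
    for name, size in triage(samples).items():
        print(f"{name}: {size} bytes of overlay past the section table")
```

The caveat is the same one the article keeps running into: an overlay is not proof of anything. Self-extracting installers and Authenticode-signed binaries legitimately carry data past the last section, so this check finds the construction, not the intent, and a real scanner would treat it as one signal to weigh alongside others, not as a verdict.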

