Can the Malware Industry be Trusted?

Joe Barr writes "Is the entire anti-virus / malware industry as rotten as it appears? I started digging into it as a result of the recent lame, unsubstantiated assertions of viral threats to Linux by Kaspersky Lab, but the practice doesn't seem to start or end with them. Who knows, maybe it's pandemic in that entire segment of the IT industry."

gee...

[grasshoppa]

An industry blowing problems up to be bigger than they seem in order to sell more product? Conspiracy!

The only real crime here is that we've let ourselves be suckered by them for as long as we have.

Re:gee...

[Tackhead]

> An industry blowing problems up to be bigger than they seem in order to sell more product? Conspiracy!

No, that's Government. (Wait, there's a difference?)

Re:gee...

[scronline]

Well, on the Windows platform it's well justified doom and gloom. But like with any corperation (read greedy) that sells a product, they are going to want to boost sales. So it's their job to state the reason(s) why their product is necessary. Many times the truth gets skewed in that process.

But regardless of the fact that ANY software producer will hype their product (As I'm sure you've seen by reading /. the words Microsoft and Yankee Group should spring to mind) you have to take that hype with a grain of salt. You can't buy into everything otherwise you're the gullible little sheep that they need/expect to survive. The aptly named Phantom console is a perfect example or even Duke Nukem Forever. However, I don't want to bash Kaspersky since after all, I prefer their AV software to any other mainstream product out there.

Either rate, Antivirus is a necessary evil. Using *NIX doesn't remove you from the responsibility of not forwarding an email virus because it's a funny joke. You may laugh, but there have been several times I've had people on Linux forwards me "jokes" with Windows viruses attached.

Re:gee...

[grasshoppa]

However, I don't want to bash Kaspersky since after all, I prefer their AV software to any other mainstream product out there

Nod32. Know it, love it.

You may laugh, but there have been several times I've had people on Linux forwards me "jokes" with Windows viruses attached.

Then that is the fault of a clueless email admin. I've setup many email servers, and I don't think a virus has ever made in past that point coming in or going out. It's quite simple really, which prompts me to call the admins in question idiots.

Re:gee...

[tnk1]

No, that's Government. (Wait, there's a difference?)

That's like saying there's no difference between the organ grinder and his trained monkey. Of course, there is a difference. One of them dances around, makes monkey noises, and steals stuff from you for the benefit of the other.

Bad title!

[Rob+T+Firefly]

Surely they mean the anti-malware industry?

Re:Bad title!

[truthsearch]

Exactly. I read the title and thought of course we can't trust the people who write malware... they write malware!!

Re:Bad title!

[gmf]

Surely they mean the anti-malware industry?

Maybe that's the same? Who knows?

Re:Bad title!

[buckhead_buddy]

Rob T Firefly wrote:

Surely they mean the anti-malware industry?

I think there's a dubious market for malware. (Okay, so my old boss might be the type to commission a new virus, but most aren't.) The anti-malware markets need a continuous set of threats to be taken seriously and though they don't write the malware themselves, it's integral to their success in business.

Advice from industry experts giving 'analysis' such as "The smarter virus writers won't deploy their security compromises until after Vista actually ships." practically tells malware developers "If you're smart, you'll hold off on deploying your next big hack until after Vista ships so that your security hole won't be patched up before then."

When their analysts actually look seriously at alternitives that will reduce the scope of malware (such as moving to Linux or Mac OS X) then we may have real separation between the markets. Until then the anti-malware camp probably the most able to profit from (and legally disclaim responsibility for) the existence of malware.

Re:Bad title!

[Rob+T+Firefly]

Next on Slashdot.. does that mugger demanding your wallet at knifepoint really have your best interests at heart? Stay tuned.

wtf?

[kunwon1]

From TFA:

Today, players like McAfee, Symantec, Norton, and dozens of other firms fight for a share of a market worth tens-of-billions of dollars a year.

If this guy doesn't know that Symantec == Norton, I don't think I have any use for his opinions on malware companies.

money

[Lord+Ender]

If you assume that every person is motivated by money alone, then you are forced to conclude that anti-malware companies have the greatest incentive to produce malware.

people DO believe this stuff

[yagu]

Agree or disagree with the points of this article (I mostly agree), there is an elephant in the middle of the room everyone ignores.

From the article (emphasis mine):

Every year, US-Cert produces huge fireworks in the security trade press with their annual summary of misinformation about security flaws. The idiots in the press repeat the lie verbatim and the lie becomes real. What is the lie? That Unix/Linux is less secure than Windows. Granted, only the stupidest dolts in the universe -- and the trade press -- are going to buy that crap, but they put it out there anyway.

"Only the stupidest dolts in the universe?" Aside from being a little insulting, it's just not true. Many intelligent people believe these reports simply because, as the article points out elsewhere, because it is repeated the lie becomes truth.

People trust "media" to the extent they don't have expertise in some subject matter. What other result would you expect? There are too many topics, too many reports, and too many things demanding attention, general consumers and lay people, appropiately (though naively), rely on integrity of reporting bodies to filter that part of their world not their specialty(ies).

Reporting organizations (e.g., CERT) have an ethical responsibility to normalize and make canonical data issued for general consumption.

Unfortunately the technology world today is Microsoft's sandbox, and seemingly if anyone wants to play, be it media, competition, and lately even government, Microsoft seems to be able to control the rules. Sigh, again.

Gadzooks!

[goldaryn]

Every year, US-Cert produces huge fireworks in the security trade press with their annual summary of misinformation about security flaws. [...] The summary gives a total for flaws found in Windows and another total for flaws found in Unix and Linux. Last year, those totals were 812 for Windows and 2,312 for Unix/Linux.

Oh ****! Quick, someone tell me how to upgrade to this "Windows" thing!

Re:Gadzooks!

[jrumney]

Last year, those totals were 812 for Windows and 2,312 for Unix/Linux.

There's a simple reason for the difference between general perception (at least on Slashdot) and the raw statistics above. If a vulnerability is found in openssh, it counts as a flaw for Linux, for BSD, and for any Unix flavours that ship openssh by default. If a vulnerability is found in the ssh client that ships with Windows... oh wait.

perceived standard?

[OffTheLip]

Microsoft has established itself as a standard so much so that even a 'unbiased' consumer organization such as Consumer Reports basically only acknowledges MS when reviewing computers and making recommendations. Apple is a player but not top tier. It's no wonder AV companies pander to MS and spread FUD. Logically, one would think that a business that exists to correct flaws in another product would lead consumers to shy away form that product but no, because MS is a standard.

Re:perceived standard?

[Penguin+Programmer]

It's no wonder AV companies pander to MS and spread FUD. Logically, one would think that a business that exists to correct flaws in another product would lead consumers to shy away form that product but no, because MS is a standard.

Wait, why on earth would an industry that exists to correct flaws in another product lead consumers away from that product? If AV companies encouraged people to ditch Windows, actually be careful on the internet and take other measures to avoid malware, and people listened to them, the companies would go out of business. No Windows, no need for a Windows anti-virus.

I think it has nothing to do with MS being a "standard," its just the fact that the AV companies need Windows to have some holes in it (and need people to exploit these holes) in order to have any selling points for their software. It's "pander to MS" or go out of business.

Re:perceived standard?

[tbannist]

I think OffTheLip was referring to the obvious point that if a product has spawned an entire industry that revolves around fixing it so that it actually works, that potential customers should be wary of using that product due solely to the existence of that industry. It implies that there are very serious problems with the original product. I do not think he meant that the industry itself should be engaging in self-destructive activities.

The only situation where this is not the case is where the customers are convinced that there is no substitute for the product under consideration.

For example, you'd never eat at a restaurent that had a stomach pump kiosk set up out front that was doing a brisk business with departing patrons, would you?

Yet people still buy an operating system that requires you to have anti-malware and anti-spyware software running constantly to prevent your computer from being exploited by others.

Title is chillingly apropos

[TripMaster+Monkey]

Not really...after all, these firms have absolutely no interest in eliminating the problem, but only in treating the symptoms. That's why they continually endorse an OS that is legendary for its security holes, while spreading FUD about more secure alternatives like *nix and MacOS, which have a chance of actually fixing the underlying problem.

Re:Title is chillingly apropos

[happyemoticon]

What bugs me about the big guys is that they've become such gigantic products. They cause as many problems with their bloat as they fix, and they still don't fix everything (especially where Ad/Spyware is concerned). And this, of course, makes them REALLY not want to fix the underlying issue: people would start noticing that their computer starts up twice as fast and generally runs much better without some cyclopean anti-everything program.

Symantec Client Security started out as an OK little product. At the time, I was very impressed that its UI was so clean. Now, they're a complicated amalgams of firewall, AV, anti-spyware, Cuisinart and dishwasher. While I realize that they sell integration, there's no reason that integration need entail poor usability and baffling complexity. I once tried to get FTP to work on a relative's computer. I found that in Norton there was no firewall rule for FTP anywhere (or it was named something weird), yet it was blocking all traffic. My only option was to completely disable their firewall (and people get pretty mad when you tell to disable something they paid for.

The reason there's such a high pressure to integrate, of course, is that these guys make big bucks off of huge corporate licenses. Many IT or business development people I've talked to have said that they won't put anything except Norton on a desktop. I can see their point, because only dealing with one company means less IT and B2B overhead. And from Norton/Symantec's point of view, if they didn't offer a fully integrated solution, then somebody else would and they'd lose the client. So, they acquire every technology they possibly can and haphazardly jam it into their suite.

While I'm posting, I will admit that the article is least partially true. At my company, we were somewhat embarassed to admit that we were sad when the first really apocalyptic adware site we'd found went offline. This wasn't because we wanted to drum up sales, but rather because they were a great test case for our technology.

Re:Title is chillingly apropos

[Y2]

more secure alternatives like *nix and MacOS, which have a chance of actually fixing the underlying problem.

How so? When replying, please consider that I'm Joe Sixpack, armed with the root password, just enough smarts to install stuff and not enough smarts to not install bad stuff.

I put it this way: Windows' application integration is built on a base of executing as instructions anything it finds which can possibly be executed. Documents and help files have embedded controls to be executed by the system, to name just one example. MS has learned that this is dangerous behavior, but their ability to move away from this model is severely hampered by the need to maintain compatibility, even basic functionality, with a mountain of installed base.

Re:Title is chillingly apropos

[99BottlesOfBeerInMyF]

Not really...after all, these firms have absolutely no interest in eliminating the problem, but only in treating the symptoms.

So look who is motivated to fix the problem. MS isn't, they aren't losing market share and they've introduced their own anti-virus to milk the situation. So who is? Well alternate OS vendors are (as you mentioned), since they can use it as a differentiator, but most of them don't really have a malware problem so they haven't put much effort into a better solution. Big, enterprise businesses are and people who sell them solutions that do multiple tasks, like network management, where malware is a small piece of the puzzle. Some of the solutions to come out of that space are surprisingly effective. "Oh, gee another random worm outbreak. Well, lets just stop that from spreading or re-entering the network using our routers to filter it. Now I'll send this list of infected hosts to operations along with a virus signature and they can clean them when someone writes an AV signature and a tool to remove this one."

Who else is motivated? Big network operators are. Worms clog pipes and launch DDoS attacks. That is fine, since they can charge for the bandwidth, but customers complain about the network congestion and a lot of people are willing to pay extra for "cleaned" pipes. Some of the solutions in that space are likewise effective; the same thing on a larger scale. At least one of the tools ups the ante by letting operators swap signatures using a centralized database.

Who else is motivated? Open source projects, like Clam AV and the like. If corporations donated a quarter of what they spend on proprietary solutions to these guys, they'd save a fortune and end up with better solutions. They could emulate the techniques employed by the two examples above and apply them on a smaller scale.

It is a pity most corporate purchasing agents did not have a course on critical thinking in high school.

Re:Title is chillingly apropos

[Oztun]

I worked for an on-site PC repair company and I would add that Norton causes more problems than spyware. I would go on more calls where PC's ran like crap because Norton products needed to be reinstalled than spyware cleanup calls. All I can say is thanks Norton for helping me pay my rent.

Can they be trusted?

[WillAffleckUW]

Sure.

OK if I install this spyware in your computer and just backup your credit card numbers for you without your permission?

Thanks.

Oh, no, that's ok, you don't have to answer. We'll do it anyway.

I trust some of the anti-malware industry

[Coopjust]

Well, I certainly don't trust the malware industry :)
Seriously, however, I never buy any peice of security software without looking for testing results and reviews.
Also, I will never use any product that makes false positives intentionally (to scare the user into using/buying the product). That's just asking for trouble.

Re:I trust some of the anti-malware industry

[goldaryn]

> Also, I will never use any product that makes false positives intentionally

Hmm, you make an interesting point. Ever notice that when you run one of these expensive security suites and you don't get any meaningful results, you always get a couple of "dangerous" cookies found, just to keep the results above zero?

The logic must be: Don't tell them it's clean. Use fud if necessary.

Fear and Protection Rackets

[RichMan]

The whole thing is a protection racket. The more they can make you afraid of the consequenses and aware of the "threat" the more you are willing to pay for protection. The whole thing is based on a vulnerable infrastructre.

If there was a solid infrastructre that was trusted the whole industry would disappear. The industry is based on the Microsoft Operating system and its designed vulnerabilities. The industry would not exist without the flaws in the Microsoft Operating systems and workflow. If Microsoft fixed its stuff, or if people migrated to a solid infrastucture the industry would disappear. I am sure the industry as a whole is looking at Linux as a big threat, it could destroy their whole reason for existing.

As a whole the Linux client is not a market for this industry. They need to make Linux/OSS users feel the threat so we will by their product.

AV for MacOSX: $59 -- Why?

[JonTurner]

Agreed, the industry is full of FUD, along with other substances.

Noticed a copy of AntiVirus for Mac OSX @ CompUSA last week. $59! Three questions:
1) Who buys this stuff?
2) Why so much?
3) Why?

To my knowledge there is only one virus in the wild for OSX and it never really made an impact. I understand that AV for Mac scans for the billions of Windows viruses, but considering that the Mac is extraordinarily unlikely to become infected, it's similarly unlikely a Mac will pass on a virus. I know it's part of being a good net citizen, but ultimately scanning email is your own responsibility. I don't scan for Linux or mainframe viruses, or iPaq scripts. Why should I scan for Windows viruses?

Or am I missing something?

Re:AV for MacOSX: $59 -- Why?

[buckhead_buddy]

Symantec AntiVirus products for Mac (in my experience) are incredibly popular among people moving from PC's to Macs: the so called "Switcher" market. It's really just a matter of having built a reputation on fear in one market and the user feeling naked without that product.

Some argue that it's not bad to have a security infrastructure in-place, even if theres very little self-propagaiting malware out there. It makes one "ready" to deal with the inevitable threats when they are discovered. It makes one confident that they will be the first ones to recognize and recover from any future infection.

That seems like a good idea until you realize that to install and remove malware means the software will need to operate with very high permissions. Installing programs like Clam or Symantec Antivirus are possibly giving hackers more potential ways to exploit your system than if you hadn't installed the anti-malware to begin with. I think there actually have been low-level, local security holes found based soleley on security software that the user has installed.

On the Mac, I think there is more harm than good done right now with anti-virus products. It's almost like feeling you must hang that lucky pair of fuzzy dice in your new car because you think it helps you not have accidents, when in fact their interference in your driving might be what causes you to have one.

What a stupid title

[guspasho]

"Can the Malware Industry be Trusted?"

Of course it can't! It's the friggin' malware industry! Their business plan centers around installing stuff on your PC that you don't want on there and didn't ask for, and abusing your PC without your permission for their own purposes. Why on God's green earth would someone like that be trusted?

Work on your public image

[gr8_phk]

From TFA "The idiots in the press repeat the lie verbatim and the lie becomes real. What is the lie? That Unix/Linux is less secure than Windows. Granted, only the stupidest dolts in the universe -- and the trade press -- are going to buy that crap, but they put it out there anyway."

idiots, dolts, crap. There is a lot of name calling in there. He sounds like a teenager complaining about her friends. I don't claim to be the most articulate person around, but this guy shouldn't be writing articles. People judge you by the words you use. I got so distracted by his name calling I had to post before finishing the article, and I'm wondering if I'll be able to reach the end or take his side given the tone.

In the news

[955301]

- The malware industry cannot be trusted to report when things are improving or a better alternative to their bread and butter os exists.

- Doctors poor at telling hypochondriac when there is nothing wrong with them.

- Car companies not reliable source of information about bicycles and public transit.

- Lawyers cannot be trusted to create legislation that doesn't criminalize everything.

- Politicians appear to be lying or misleading to get elected.

- Wolves unwilling to notify sheep in advance of attack.

Readers

[phorm]

Not all the readers would necessarily know that the two are the same, so it might be just to impress both names in their mind. That or make the 'conspiracy' larger than it seems./

Can the ****** industry be trusted?

[shodai]

No.

Yes, Rotten To The Core

[aldheorte]

Yes, the anti-virus industry is as rotten as it appears, if not more so. In talking to non-expert computer users who use anti-virus, anti-virus causes more problems than it solves. Anti-viral software with automatic updating is essentially like installing a rootkit on your computer controlled by the anti-virus vendor. With just a little bit of training, and perhaps a different email client than Outlook, as well as using Firefox instead of (or patching) IE, viruses and malware are easily avoided.

Anyone who is serious about security doesn't run anti-virus because it does not fix the root issues of vulnerability.

Thy key is that anti-virus can be sold on fear and, since the average computer user doesn't understand that there is nothing mystical about viruses and their vectors are easily identified, fear sells a product that actually makes your computer less secure and less usable. That said, there are some good free programs out there, like ClamAV and Spybot Search & Destroy to help you as a system administrator check out suspicious files or clean up a mess on a specific case by case basis (the latter only applying to Windows).

Too pejorative

[Himring]

Every year, US-Cert produces huge fireworks in the security trade press with their annual summary of misinformation about security flaws. The idiots in the press repeat the lie verbatim and the lie becomes real. What is the lie? That Unix/Linux is less secure than Windows. Granted, only the stupidest dolts in the universe -- and the trade press -- are going to buy that crap, but they put it out there anyway.

I got to that point in the article and remembered the red ink on a paper I wrote in grad school, wherein the professor said, "too pejorative to be taken as an objective analysis of the topic."

In all things academic or reporting, if you do not really have it, then at least fake objectivity....

Re:job security

[boldtbanan]

i've always thought that maybe anti-virus and anti-spyware companies would produce virus's and spyware, i mean how do you get better job security than fixing something that you broke.. and people STILL say thanks!

Yeah, like Microsoft's announced entry into the anti-virus industry. You can actually find a way to profit from your screw ups (or active sabotage if you're even more insidious).

Counterpoint

[sopwith]

Whether or not the malware industry can be trusted, anyone who calls a company a "servile buffoon" probably can't be trusted to be a impartial and logical journalist.

Things are never as extreme as they seem - there are good & bad guys (and in-between guys, and girls too! :) in both the anti-malware and journalism industries. I don't trust the Kaspersky Kooks at all, but McAffee and some of the other companies (e.g. PC Tools Software, F-Secure) do have some credibility in my book.

Then too, we know that the only way that all those evil writers can sell their stories is to make them sound melodramatic... :P

Spam filter claims are mostly bogus

[gvc]

Spam vendors and open source vendors make lots of whacko claims.

[...] extremely low false positive rate, with less than one in one million messages being a false positive.

A few years ago, Bayesian classification seemed a promising way to filter spam.

[...] best recorded levels of accuracy have included 99.991% by one avid user (2 errors in 22,786) and 99.987% by the author (1 error in 7000), which is ten times more accurate than a human being!

That translates to better than 99.984% accuracy, which is over ten times more accurate than human accuracy

In the game of cat and mouse between spammers and anti-spam vendors, spammers and hackers quickly developed new techniques to "fool" the Bayesian filtering software.


File these under UFO sightings.

No! Stay vulnerable. Please.

[xkr]

The anti-malware software industry is like the insurance industry. They want to provide their paying customers with benefit, but the last thing they ever want to do is encourage consumer behavior, law, or product changes that actually eliminate the problem, thus putting themselves out of business.

No, not really

[FishandChips]

Perhaps the question needs wider phrasing: can the IT industry - not just the malware side - be trusted? Personally I don't think so because they seem addicted to denying the consequences of their own actions or foisting the cost on the public. You can see this everywhere from the paltry, tokenish efforts to tackle malware and spam by corporations that regularly turn in billions in profits, to the Heath-Robinson-like, energy-guzzling design of the PC itself, to dumping clean up and recycling via shady deals with the Chinese. Let's not even look at moral issues like DRM and Hollywood or Chinese censors.

OTOH, no industry can be trusted. If it wasn't for some tireless public-minded advocates the auto industry would probably have us still driving deathtraps with engines designed in the 1950s or the pharma industry, for example, would have us growing three heads while being charged 50 bucks for a paracetamol.

Conspiracy? Maybe. Stupidity? Definitely.

[GregStevensLA]

Can the anti-malware industry be trusted? Can microsoft be trusted? Can the IT industry be trusted?

One thing that all of this overlooks, is that it doesn't take malice for hysteria to spread.

premise: people fear what they don't understand.
premise: most people don't understand computers.

I have a friend who fancied himself a home-taught computer expert. Armed with TweakXP, a few anti-virus tools, and a small handful of other gadgets, he was always offering to "optimize" and "fix" his friends' computers.

And lo! and behold, every single computer that was ever brought to him had "a major virus" or "a serious trojan" problem on it. Of course, there is so much media hype about viruses (and people's bad browsing habits) that this was fairly believable. However, the mere consistency of his diagnoses started making me suspicious....

Sure enough, after a few in-depth conversations, it turns out that he was using bad virus-detection software: some unknown little program that he assumed was "better than all the rest" because it "always found more" (it didn't occur to him that most of them were false positives); and moreover, it turns out he didn't even have a clear understanding of what a "virus" is.

But let me tell you: he had a stream of people in and out of his apartment that were absolutely convinced that ANY time there was EVER a problem with their machine, it MUST have been because of a virus.

Source for the most effective AV

[lightyear4]

#include
#include "OStest.h";

main(){
if((is_OSX() || is_Unixey()) && !has_slashdot_flames()){

printf ("Scanning for viruses..........!");
printf ("None found! Goodbye! \n");

}else if(is_MS_OS())

printf ("AHHH!!!!!! $@$*!@*&DU}{#$%3xfad\n");
printf ("\n");
printf ("You're screwed, sorry. \n");
printf ("\n");
printf ("caused an invalid page fault in \n");
printf ("module ORA2.EXE at 0137:0044dba7.\n");
printf ("Registers:\n");
printf ("EAX=0258f108 CS=0137 EIP=0044dba7 EFLGS=00010202\n");
printf ("EBX=00459630 SS=013f ESP=0258d840 EBP=0258f158\n");
printf ("Bytes at CS:EIP:\n");
printf ("c7 42 08 84 60 45 00 89 d1 83 c1 10 89 4a 4c 89\n");
printf ("Stack dump:\n");
printf ("0258f4f8 0258f608 00401781 5328203d 3d204449 43524f20 2929294c\n");
printf ("65722041 72697571 2e206465 204c4c44 656c6966 7325202c 6177202c\n");
printf ("6f6e2073 6f662074\n");

}
}

Good point about "Eulaware"

[Beryllium+Sphere(tm)]

Linux and OS X have a good record for resisting drive-by installs. But as TimC points out, the threat model has to include users downloading dancing cursors and weather forecasting applets with 20-page EULAs, readable three lines at a time, which bury a cryptic line or two which means "all your base are belong to us".

There are operating systems that can protect against that threat. They're not mainstream in design, and neither Linux nor OS X is among them.

>please consider that I'm Joe Sixpack

Joe Sixpack -- four digit Slashdot id -- the cognitive dissonance is too much, I can't survi