Security Firms Bicker Over Mobile Viruses

Fijer Nrosikjen writes to mention a ZDNet article about a claim by CA that F-Secure is just spreading FUD over mobile virus code, in order to promote its product. From the article: "CA said criminals do not have an economic incentive to develop malicious code and that the risk of such attacks spreading around smart phones is minimal because of a lack of interoperability between platforms and phone models. Network services don't allow for the fast spreading of code from phone to phone, and user interaction is required for any viruses to spread, the company added. It said F-Secure has created an atmosphere of fear, uncertainty and doubt to sell its product, undermining the relationship of trust that has been established between the industry and vendors. "

Apparently

[PunkOfLinux]

These people have never heard of viruses that can look like something else, seem useful, et cetera. And it's not that hard to make a virus that says "You're a windows mobile device, i'll download THAT code"

Re:Apparently

[kjorn]

That's interesting, a mobile phone virus that talks to you through the phone handset.

"Please upload me. Pleeeeeease."

Or perhaps they just wait until you are talking to your mom, and insert helpful phrases into the gaps in the conversation. The virus could say stuff like, "I'm gay." or "I'm straight." or "I'm pregnant." or "I want to suck on you nipples now please." or "I've got the semtex." (that would be helpful to the FBI, not you or your mom). Or it could just make random grunting noises. Mind you, half the people I talk to on the phone could already have this hypothetical virus. "Uh, uh. *grunt* Me. Trin'. To. Fink." Anyway, you get the idea.

I mean, who wouldn't want to code a virus like that?

Imagine two viruses talking to each other down the phone. Some sort of singularity would appear in the phone network.

Hope that helps - monk.e.boy

ZDNet US link

Quicker than ZDNet Asia: http://news.zdnet.com/2100-1009_22-6097733.html/

Um...

[tomstdenis]

Isn't that the essence of all security products for Windows? To either a) cover up flaws in the use cases of the OS or b) strike irrational fear into the minds of people?

Most people don't need AV software, and even when they use it, most people are still not secure because of HOW they use their computers. So this is really a case of pot calling the kettle black.

Tom

Re:Um...

[Tx]

Most people don't need AV software

WTF? Most nerds may not need AV software on their PCs. Most other people do. They do not know how to recognize and avoid malware, manually remove it and repair damage done by it, or follow good practice to avoid it in the first place. If you're arguing that they should learn, that's pie in the sky. Believe me, they need AV software.

Re:Um...

[gothzilla]

That's why there are so many people making cash hand over foot reinstalling windows for people who supposedly don't need AV. I live in a city of 25,000 people and there are 4 successful businesses that spend 90% of their time cleaning machines of viruses and reinstalling windows.

So yeah, you don't really need AV. Yeah.

Also, since when do people have to manually update their antivirus? There's this thing called auto-update. If you're talking about re-subscribing then that's different. Sure, most people don't re-subscribe, but then thats why those 4 businesses here are still in business.

You can't say cars don't really need oil changes because nobody ever changes their oil. That just makes zero sense.

Re:Um...

[lgw]

For the average user it sure seems easier to pay the AV guys than to pay the reinstall guys - cheaper too.

Thank god

[mgblst]

... that microsoft doesn't make OS for mobile phones (or at least not all of them).

Most mobiles run J2ME, and you can't do anything interesting in J2ME. You can't even get the whole screen on some mobiles, let alone use directory services. And because J2ME allows the phone creators to load on different modules to there phones (JSR-182, etc), you don't even know if you will be able to do something when you get to a phone. You would have to be very clever indeed!

Really?

[Nos.]

So I guess the only reason anyone ever wrote a virus was for monetary gain. Gee, I wonder how the first virus writers got paid before we got to the age of spyware and such.

Re:Really?

Don't confuse "economic gain" with "monetary gain". The two are often mistakenly used interchangeably. See this discussion for more information, but the basic assumption is that the perceived utility, or gain (which does not have to be monetary - it could be something as simple as public recognition, personal satisfaction, etc outweighs the cost - again, cost is not necessarily monetary, but could include effort required to write something, or learn the right language, whatever. Finally, there is utility cost involved too: what is the next best thing the person could have been doing instead of writing the code. If the other option was, say, sitting at a bar with friends, the loss of that utility is factored into the discussion about whether writing the mobile virus (or whatever) makes sense from an economics standpoint.

You probably already knew this and were just making a joke, but I see this "economic gain is equivalent to monetary gain" so many times that I finally got motivated enough to write this response...

So...

[CtrlPhreak]

These people are angry at another company for having a MARKETING department? It's just too bad this is what you do to sell computer security products to the masses, because masses of people are stupid and overly swayed by emotions.

Is CA that ignorant?

[HikingStick]

CA said criminals do not have an economic incentive to develop malicious code and...

I spend a good number of my waking hours working with tech auditors who look at financial institutions and big firms. Saying that there is no economic incentive to develop malicious code (even if only limiting the argument to mobile devices) is absurd. Script kiddies will still wreak periodic havoc, but fear the coder who can't make ends meet (especially in the former soviet block) and sells out to organized crime interests.

If anything, F-Secure is sounding a warning. Mobile viruses may not be the primary attack vector now, but with smart devices ever increasing (and a propensity of some executives to store everything on them, including passwords), it makes sense to stir up a little fear in the hope of preventing future harm.

Fear is not bad if it is founded in reality. I've seen enough reality to know that this fear is warranted.

Re:Is CA that ignorant?

[laffer1]

Both are ignorant. Any type of device could have a virus written for it. Even CA implies that. Its a warning that nothing is safe, but I don't think its time to buy software for viruses yet. Its like buying antivirus for a mac or linux desktop. There isn't anything in the wild that is going to hurt you right now. Sure there's a few token viruses but if you are patched they can't hurt you. Someday mac os and linux will be hit as bad as Windows. Why? Users are stupid. It only takes one click to get you in trouble. Most malware is concealed in something useful now.

The question is when will consumers figure out the scam. Why is it that no antivirus product I've tried for Windows has a small footprint and detects reasonably well. The closest I've seen is clam antivirus for windows and that can't remove anything. Remember when antivirus vendors pushed the new version because it was faster and sometimes smaller? What happened to that. I actually don't run with antivirus on anymore. A monthly scan is enough. I patch windows religiously and only do special scans when I download from untrustworthy sources. There is a small risk one of them will spread a virus but its unlikely.

Home users shouldn't fear this at all yet. Businesses should consider telling their users to watch what they install on their phones.

Re:Is CA that ignorant?

[Billosaur]

If anything, F-Secure is sounding a warning. Mobile viruses may not be the primary attack vector now, but with smart devices ever increasing (and a propensity of some executives to store everything on them, including passwords), it makes sense to stir up a little fear in the hope of preventing future harm.

And let's not forget that as people demand there mobile phones to be more things and be able to interface with other computers, the possibility of using a person's mobile phone as a backdoor through security into a system rises. Comapnies are having a hard enough time defending against USB drives that may be seeded with virii; IT security's workload will double if they also have to start taking into account mobile phones that can connect to networks via Bluetooth so people can access work email, voice messages, etc.

People may want to call this FUD, but paranoia is the order fo the day when it comes to network security.

Re:NAME ONE! That wasn't it!

[Nos.]

And its relatively easy to keep a box patched, run anti-virus and anti-spyware, yet old exploits are still being used to turn desktops into zombies. Just because people can do it, doesn't mean they do.

The pot doesn't even know what a kettle is!

[spyrochaete]

For what it's worth, I have ZERO faith in CA. My one brush with their products has tarnished my opinion of them forever. I think they're completely inept.

While writing an article comparing small\medium business spyware solutions I installed a trial of eTrust Pest Patrol Corporate. Their crappy demo detected spyware (that none of the 4 other products detected, suspiciously) but informed me that only the pay version would remove it. I uninstalled the product but the eTrust right-click dialogs remained in Explorer. I called their tech support and they said they don't support product demos. I eventually found the registry key pertaining to the Explorer extension, emailed the info to them, and chewed them out.

I suspect CA is in the business of FUD, including spreading FUD about its competitors. Then again, nearly the whole antivirus industry is that way. Free clients ftw!!

If anyone cares, I blogged about the history of Norton\Symantec and how they've made a successful business with their increasingly inferior products.

Re:The pot doesn't even know what a kettle is!

[SSpade]

Pestpatrol. A word synonymous with incompetence in my mind.

They listed one of my applications (Sam Spade - an elderly windows whois / traceroute client, basically) as a security risk. I started to get phone calls about it from users (I have quite a lot of users, so a few of them were bound to be running pestpatrol).

I called the company responsible for pestpatrol several times, and they told me many things that turned out not to be true ("It's not listed", "We can certainly remove it", "Traceroute is a major security risk for enterprise customers.", "We have removed it", "Oh, when we said we'd removed it we meant, uh....", "We'll remove it within six weeks...").

The sheer level of corporate and technical incompetence involved was staggering (and I've dealt with some spectacularly incompetent companies). The idea that anyone would rely on them for anything security related is scary. (To be fair, I believe that I dealt with them early on in their buyout process, so it's conceivable that they've picked up some basic business practices from their new owner since then, but it's not something I'd bet the security of my network on).

I had a phone virus.

[celardore]

I looked it up on the net, and out what it was. Can't remember off the top of my head though. It's purpose was to spread itself to other Nokia bluetooth enabled devices, and apparently in the early hours of the morning it would call premium rate numbers.

Trouble was, it hammered the battery with its constant bluetooth searching that it would only last a few hours before dying. Plus the constant "bluetooth busy" symbol on the phone was a dead giveaway.

Funilly enough, it was F-Secure that I used to get rid of it.

CA should know.

[GomezAdams]

If anyone knows about criminal activities for fun and profit it'd have to be CA.

User interaction == and your point is?

[lonesome+phreak]

"user interaction is required for any viruses to spread" So? We recently had a virus at my work (a large fortune 500 company) that required you to open up a zip file, put in a supplied 6-digit password from the email into the application the zipfile opened, and run the executible application. We still had people do this, because they thought it was "secret pictures" or something from their co-workers.

A virus could require you to bleed onto the keyboard by stabbing yourself in the hand. If it promised nude pics and said it was from someone you know, there are enough people out there that will run it to give me a headache.

why I use open source

[psbrogna]

After listening to the fud exchange between these two parties I just realized the major reason I use OSS.

It's been said that people use OSS because it's free, more secure, performs better, architected better ... all things I do take into consideration.

However I think I like OSS most because there's no marketing department intruding into my life and in many cases lying to me.

Let's all raise our glasses to this wonderful phenomenon.

No financial incentive for viruses?

[collectivescott]

Are these guys kidding? This is a mobile phone, there's plenty of financial incentives for viruses. Mainly in the form of 900 numbers or text messages. Check out this Symbian virus: http://www.newscientist.com/article.ns?id=dn6273&l pos=home1

Sir Edmund Hillary Quote:

[mpapet]

Reporter asks Hillary: "Why did you climb Everest?"

Hillary: "Because it's there"

Same story, different environment.