Slashdot Mirror
Antivirus Vendors Headed for Court
SkiifGeek writes "A showdown between Rising Tech, a Chinese Antivirus vendor, and Kaspersky Lab in a Chinese court could have implications for software vendors that misidentify system files and files from their competitors as being malicious."
I work as a virus analyst for one of the major antivirus vendors. False positives, which we simply refer to as FP's, are a nasty fact of life, especially as detection becomes more based upon bahavioural analysis; and when software developers name their new application explorer.exe with a default Windows icon....
We had a customer send in a Window Portable Executable file which was flagged as containing a virus released in the early 90's (though the exact name escapes me). Very strange. What was stranger was that when analysed, it contained a plethora of code sequences of worms, trojans and viruses, completely ad verbatim. We then realised we were in fact looking at one of the main dll's of the Rising Sun engine! A false positive fix was not issued, as we reasoned that if a buffer overflow/wrongful jump occured, this malicious code could actually execute. Ie, a user could actually be infected by the cowboy AV scanning method.
Anyway, to this story I laugh and simple say to Rising Sun: learn to code an engine before bringing in lawyers. Oh, and flat file unoptimised code matching is hilariously primitive.
PS, unfortunately, there is no conspiracy this time: just badly thought out design and implementation.
Apparently ALL anti-virus software gives false positives. Most of the users have little technical knowledge, and the software makers want to give the impression their software is more useful than it really is. I've seen numerous false positives on systems I use. One "virus" was a text file, with a .TXT extension, and
nothing in it but documentation!
But why is anti-virus software so important? Apparently only because Microsoft profits more when its software is full of bugs and malware, and Microsoft is very adversarial toward its customers.
The true cost of a Microsoft operating system is perhaps 10 times its retail cost, because of the heavy maintenance expenses.
Microsoft's anti-customer behavior: Here are some paragraphs I wrote to someone having problems with temp files taking gigabytes of drive space.
On one computer I checked, temp files were stored in 49 different places, and that includes only temp file folders made by the Windows operating system and not temp file folders made by application software.
Why doesn't Microsoft provide a utility to find all the temporary file folders and delete the files when starting or shutting down the computer? Apparently because the company is heavily engaged in adversarial behavior. Most people don't know that temporary files are a problem, and they certainly don't know where to find them; that was a challenge even for me. The temp files sometimes take so much space that there is not enough free space, and the file system begins running much slower.
The file defragmentation program won't run when there is limited free space. A fragmented file system is much slower. And most people don't even know that the defragmentation program exists, or why they should run it. So, their computers become imperceptibly slower and slower until they buy a new computer.
That's apparently why Microsoft software has so much malware, also. At present, there are 30 known vulnerabilities in Windows XP alone that haven't been fixed. There are 7 known vulnerabilities in the latest version of Microsoft Internet Explorer browser the the company has not fixed.
Some people say Microsoft software is targeted more often because there are so many copies in use. However, it is well known how to write secure software. Apparently Microsoft managers don't let their programmers finish their work.
Many people who don't know how to keep Microsoft products running buy new computers. Every time someone buys a new PC, they buy a new copy of the Microsoft operating system, even if they already owned a copy. So Microsoft makes more money if the company has defective products.
Microsoft gives each new version of Windows a new name, and many people think the new version is a new product. Somehow it has been arranged that people pay the full amount for new versions, instead of an upgrade price.
The New York Times article Corrupted PC's Find New Home also makes that point.
Note that the Apple operating system, OS X, and the Open BSD operating system have very few vulnerabilities. (The Open BSD web site says 2 in 10 years.) So it is possible to make a secure operating system. The volunteers that make the Open BSD system do security reviews of software to make sure vulnerabilities are not released to customers.
We use Microsoft operating systems because of historical reasons, and because it is expensive to change. In actuality, the business very seldom uses software that runs only under Microsoft Windows, and that is only in specific departments, where it would be easy to provide a second computer.
At the AV vendor I've worked for, when they get a report from another AV vendor of a false positive on that other vendor's product, they would investigate and get an update out within 24 hours to fix it.
Unfortunately, some vendors are not this fast. I've seen Spybot take years to fix false positives that have been brought to their attention.
Most are somewhere between these two. Generally, it goes like this. Company A notices that company B's product has a false positive on A's files. A contacts B about this, using B's public contact information, which generally is meant for the general public. So, A's complaint might end up in the support system, and might get kicked around there for a while as the support people try to figure out what to do with it. Eventually, it reaches some manager who has got a bunch of stuff on his plate, directly from his superiors, so he doesn't give this high priority.
A notices it is taking a long time, so looks for a better way to contact B. If A and B are reasonably big and in the same country or region, it will probably turn out someone high in A's management knows someone high in B's management, or knows someone who knows someone high in B's management who can introduce them, and then there is a high level request from A to B. That has a decent chance of getting results.
If no such contact can be found, or it fails to get action, then A calls the lawyers, and they write a letter to B's lawyers. That should get some attention at B, and whatever manager the first request got stuck at gets prompted to do something.
If nothing happens then, it is lawsuit time. When a lawsuit is actually filed, THAT gets the attention of B, all the way up to the top, and then things happen. (And the people who failed to act earlier get in a lot of trouble...companies do not like it when they get sued, even if the actual purpose of the suit is just to get someone's attention to fix a problem).
I suspect that a good percentage of lawsuits filed in the software industry (in general, not just AV) are to get the attention of upper management in the defendant to get some simple problem resolved that has fallen through the cracks.
A lesson here for anyone starting a company is to hire some top management people who are well-connected. If your Director of Engineering or CTO or Chief Scientist or whatever, in a situation like this, can say, "Hey...B's CTO went to my school and we were in the same fraternity...I can get his number, call, give the secret Alpha Delta Smegma pass phrase, and I'm sure he'll get the problem taken care of", that's great. The tech industry, just like the other industry groups, has its old boy's network, and you want to have someone who is connected to that.
Secure software doesn't mean "software that has no security holes". It means "software that is designed so that failure doesn't create security holes". Secure software is, by default, inherently safe. Secure software provides feedback on errors. Secure software can not be unlocked except from the "outside". Secure software provides interfaces and protocols with no paths leading to elevated privileges. Secure software provides fault isolation and user-visible and managable layering.
...) more privileges than the application itself normally provides, then:
Secure software may have bugs that lead to exploitable vulnerabilities, but fixing these bugs will not break third-party components that depend on public interfaces and protocols exposed by the software, because the privileges exposed by the vulnerability are never intended to be exposed.
For example, if an interface in a secure application provides an object (file, script, applet, web page,
(1) That interface is disabled by default. Ideally, there is no code path in the application that leads to that interface.
(2) Enabling that interface requires a deliberate premeditated action by the user or administrator. Ideally, this action involves a plug-in or other component in a distinct repository from the one that the application normally uses, and running a new instance of the application (or a new shell around the application) that has access to that repository.
(3) Enabling that interface in one instance of the application does not enable it in any other instance.
(4) An instance of the application with that interface enabled can not be accessed by any request to an instance of the application with that interface disabled.
(5) The mechanism by which a user launches the modified instance of the application is clearly distinct.
(6) The modified instance of the application does not include a mechanism to load new objects through protocols that are normally used to access untrusted data, except using addresses (URIs, file paths, etcetera) that are provided by the application itself, or by launching a new instance of itself without any unsafe interfaces enabled.
The poster child for applications that violate these rules is Internet Explorer. In Internet Explorer, it is possible for a webpage to request an applet it provides be installed and run, through a mechanism called "ActiveX".
(1) It is enabled by default.
(2) It is not possible to launch IE in a way that prevents access to ActiveX plugins already installed.
(3) There is only one pool of plugins for IE. Worse, there is one pool of plugins shared among all applications that use the HTML control.
(4) You can't disable it, all you can do is tell IE to avoid "unsafe" controls, and even then the default behavior for "unsafe" controls is risky.
(5) There's no distinct instance of IE... rather there's a set of heuristics for the HTML control to use to try and guess whether the document being viewed should be considered "safe" or not.
(6) The HTML control makes the decision as to whether to load an object, not the application.
Most browsers have *some* shortcomings in this area, but few to anywhere near the extent of IE, and none are designed so that fixing these shortcomings will break working applications until they are redesigned to access the browser through a new API.
I'd have to disagree. Getting infected is still for the "dumb and lazy", only the threshold is now a lot closer to the "smart and proactive" side of the meter than it used to be. Antivirus software is a losing proposition: It's not useful unless it's _ahead_ of the virus writers, it increasingly suffers from false positives, and if it identifies crap from a wealthy company it can be forced to ignore it. Even without considering the fact that all most successful antivirus packages on the market are crap (for reasons outlined in this excellent essay by Bruce Schneier), antivirus software isn't a good enough solution. The best solution is to run a system which doesn't respond to data received over the network in a way which the operator wouldn't want. This is simply too inconvenient for the vast majority of people (especially those people who couldn't begin to understand what they want their computer to do in any detail). This is however quite possible to achieve even today, for example by running a linux/unix system with all network listening services turned off (except sshd with a decent policy and passwords), running firefox with the noscript extension (or even better, a text-mode browser such as elinks). I've actually managed to do without antivirus software on my windows machines for years, by simply keeping up with the latest updates, turning off most services, running firefox, and knowing what software is safe to download and run (open-source windows software primarily). My point is that the solution to the security problem is to stop messing around with crappy reactionary solutions like antivirus software, and instead focus on programming and using systems which were designed to be secure from the beginning (like OpenBSD), and don't do stupid things you wouldn't want them to. This would however require users to be trained to use computers properly if they can't figure it out themselves, not unlike how users of cars must be trained in order to keep them safe on roads, and can have their licenses revoked when they demonstrate lack of ability or care. Making software which is both secure and reasonably convenient to use is a hard problem, but it's one which should be pursued.
The idea that an "anti-virus" program that does signature checking against a (almost continuously) updated database of virus signatures is probably a good source of "genetic material" for a virus will eventually occur to someone who does malware.
And, just for grins, its catalogued. So, to use that genetic material, the virus sinply needs the key (and the knowledge that a particular anti-virus program is installed). That is probably denser than trying to keep the infection information with the virus itself.
In other words, target Kaspersky "protected" systems (or any other "anti-virus" vendor" specifically.
Why? Hell, I would do it just because it would amuse me to no end!
Just another "Cubible(sic) Joe" 2 17 3061