Slashdot Mirror


Antivirus Vendors Headed for Court

SkiifGeek writes "A showdown between Rising Tech, a Chinese Antivirus vendor, and Kaspersky Lab in a Chinese court could have implications for software vendors that misidentify system files and files from their competitors as being malicious."

19 of 120 comments

  1. It Could Be Rising Tech Really Is Malicious by NeverVotedBush · · Score: 5, Informative

    China and Russia both are big time into state-sponsored computer/network infiltration. In a country like China, it wouldn't be surprising at all that the government would co-opt companies - especially anti-virus companies - to make them help the Chinese government open back doors, exfiltrate data, etc.

    The very last piece of software I would ever install on my own computers would be a Chinese or Russian anti-virus package. Sure, it may finger other viruses, but it might also allow free access to the "right" people.

    I know this sounds somewhat like tinfoil hat territory, but the SANS organization is frequently publishing articles about state-sponsored hacking/attacks. Why give them an easy pass? A perfect easy pass to use your system in electronic warfare against any country - especially the USA? It is at least something to be aware of and to consider.

    Rising Star antivirus? Whose star is rising? China's? And by what means?

    1. Re:It Could Be Rising Tech Really Is Malicious by El_Muerte_TDS · · Score: 5, Insightful

      And on the other side of the pond you've got companies that are for sale. For all you know Symantec allows certain backdoor software distributed by the MPAA/RIAA.

      How much can you trust companies like that?

    2. Re:It Could Be Rising Tech Really Is Malicious by l0ne · · Score: 2, Informative

      ClamAV is really the way to go. Fully open. Fully accountable for. And if a definition is malicious, you can alter or remove it with relative ease.

    3. Re:It Could Be Rising Tech Really Is Malicious by NeverVotedBush · · Score: 3, Insightful

      I never said the American ones were good. I only said that I wouldn't install the Chinese or Russian ones. The simple reason being that China and Russia both are big into network infiltration and the USA is a prime target. I don't believe in handing over a back door. I have no clue if Kaspersky or Rising Tech are fronting or providing back doors for their respective governments. Maybe they are and maybe they aren't. But there is a very real possibility that they are.

      And you say your virus checkers of choice have detected "ALL" viruses? How do you know? Ask anyone who knows anything about AV software and they will tell you that the new ones are frequently missed completely because their behaviors or signatures are unknown. Until your AV company of choice puts in new definitions, you simply do not see them -- even though you may be infected and possibly infecting others. You even cite such an example yourself. If Kaspersky was to decide not to include a signature - say for a Russian government botnet back door - then you don't know it's there.

      The fact is (and please go look at SANS or other websites that report such news) that China, Russia, and actually just about every country in the world have discovered that you can use the Internet for lots of military and economic gain. You can pull out sensitive data. You can set up systems so that if you ever need or want to, you can cripple infrastructure. You can wreak economic havoc. The USA especially uses the Internet for lots of things. Imagine the chaos that would come if you could shut it down with a single command. Trust me - they have.

      Countries like Russia and China can go lean on companies to put in whatever hooks they want. I'm not saying they are in Kaspersky's software but I would not ever bet against it.

    4. Re:It Could Be Rising Tech Really Is Malicious by Ravon+Rodriguez · · Score: 2, Insightful

      Like it or not, people have to use Windows. You may get away with open source substitutes for a lot of applications, but the fact is that it's extremely hard (or even impossible in a lot of cases) to run most games using something like Wine or Cedega. Not to mention that even Ubuntu, hailed as the easiest-to-use implementation of Linux to date, is not quite ready for the grandmother test. So, while it may not be ideal to use a Windows system, it's necessary. That being the case, it also becomes important to keep a good virus database to thwart the fucktards who like to make life miserable for the rest of us.

      --
      Jesus loves me, he loves me a bunch, because he always puts Jiffy in my lunch.

  2. might as well be selling rocks .. by rs232 · · Score: 4, Funny

    For all the good the AV industry does, they might as well be selling rocks.

    --
    davecb5620@gmail.com

    1. Re:might as well be selling rocks .. by ploxiln · · Score: 2, Interesting

      I'd have to disagree. Getting infected is still for the "dumb and lazy", only the threshold is now a lot closer to the "smart and proactive" side of the meter than it used to be. Antivirus software is a losing proposition: It's not useful unless it's _ahead_ of the virus writers, it increasingly suffers from false positives, and if it identifies crap from a wealthy company it can be forced to ignore it. Even without considering the fact that all most successful antivirus packages on the market are crap (for reasons outlined in this excellent essay by Bruce Schneier), antivirus software isn't a good enough solution.

      The best solution is to run a system which doesn't respond to data received over the network in a way which the operator wouldn't want. This is simply too inconvenient for the vast majority of people (especially those people who couldn't begin to understand what they want their computer to do in any detail). This is however quite possible to achieve even today, for example by running a Linux/Unix system with all network listening services turned off (except sshd with a decent policy and passwords), running Firefox with the NoScript extension (or even better, a text-mode browser such as elinks). I've actually managed to do without antivirus software on my Windows machines for years, by simply keeping up with the latest updates, turning off most services, running Firefox, and knowing what software is safe to download and run (open-source Windows software primarily).

      My point is that the solution to the security problem is to stop messing around with crappy reactionary solutions like antivirus software, and instead focus on programming and using systems which were designed to be secure from the beginning (like OpenBSD), and don't do stupid things you wouldn't want them to. This would however require users to be trained to use computers properly if they can't figure it out themselves, not unlike how users of cars must be trained in order to keep them safe on roads, and can have their licenses revoked when they demonstrate lack of ability or care. Making software which is both secure and reasonably convenient to use is a hard problem, but it's one which should be pursued.

  3. F--- the article by acidrain · · Score: 3, Insightful

    Rising Tech announced on the 30th of May that they were planning to sue the Beijing office of Kaspersky for unfair competitive practices (though it isn't known whether this suit was brought to court).

    This is a few scraps of slap talk dredged up from the bowels of the net. It isn't even a lawsuit or a comment by a legal professional, let alone an injunction or any kind of legal ruling.

    Also, anti-virus software on Windows is so invasive that running two different scanners at the same time is just plain crazy. I imagine root kits and virus scanners do a lot of the same things. They all make a total mess of your OS. And not being a monopoly, I can't see how Kaspersky has an obligation to play nice with others.

    --
    -- http://thegirlorthecar.com funny dating game for guys

  4. Kaspersky aren't the only ones by Anonymous Coward · · Score: 5, Interesting

    I work as a virus analyst for one of the major antivirus vendors. False positives, which we simply refer to as FP's, are a nasty fact of life, especially as detection becomes more based upon behavioural analysis; and when software developers name their new application explorer.exe with a default Windows icon....

    We had a customer send in a Windows Portable Executable file which was flagged as containing a virus released in the early 90's (though the exact name escapes me). Very strange. What was stranger was that when analysed, it contained a plethora of code sequences of worms, trojans and viruses, completely verbatim. We then realised we were in fact looking at one of the main DLLs of the Rising Sun engine! A false positive fix was not issued, as we reasoned that if a buffer overflow/wrongful jump occurred, this malicious code could actually execute. I.e., a user could actually be infected by the cowboy AV scanning method.

    Anyway, to this story I laugh and simply say to Rising Sun: learn to code an engine before bringing in lawyers. Oh, and flat file unoptimised code matching is hilariously primitive.

    PS, unfortunately, there is no conspiracy this time: just badly thought out design and implementation.
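    The false positive described in this comment (another vendor's scanner matching on raw malware byte sequences shipped inside an AV engine's own DLL) can be reproduced with a toy model. This is an added example, not code from the poster or from any vendor named in the thread; the byte patterns are constructed stand-ins, and storing (length, SHA-256) per signature is one illustrative hardening, not a description of any real engine.

```python
import hashlib
import struct

# Constructed stand-in patterns; none of these is a real malware signature.
SIGNATURES = [
    b"CONSTRUCTED-WORM-PATTERN-01",
    b"CONSTRUCTED-TROJAN-PATTERN-02",
]


def build_flat_db(signatures):
    """Flat-file style: the database *is* the raw patterns, one per line.
    Any other scanner carrying the same patterns will match this file."""
    return b"\n".join(signatures)


def build_hashed_db(signatures):
    """Hardened style: ship only (length, SHA-256 digest) per pattern,
    serialised as 4-byte big-endian length + 32-byte digest.
    The malicious bytes themselves never appear in the shipped file."""
    entries = sorted((len(s), hashlib.sha256(s).digest()) for s in signatures)
    return b"".join(struct.pack(">I", n) + d for n, d in entries)


def load_hashed_db(blob):
    """Parse the 36-byte records written by build_hashed_db."""
    db = set()
    for off in range(0, len(blob), 36):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        db.add((n, blob[off + 4:off + 36]))
    return db


def scan_raw(data, signatures):
    """Naive substring matching: the 'flat file unoptimised code matching'
    the comment criticises. Returns the patterns found in data."""
    return [s for s in signatures if s in data]


def scan_hashed(data, db):
    """Slide a window of each stored length over data, hash it, look it up.
    Hashing every offset is slow (O(len(data)) digests per length) but keeps
    the example honest: detection still works without raw patterns on disk."""
    hits = []
    for n in {n for n, _ in db}:
        for i in range(len(data) - n + 1):
            window = data[i:i + n]
            if (n, hashlib.sha256(window).digest()) in db:
                hits.append(window)
    return hits


def competitor_flags(db_blob):
    """Would a competitor using the same raw patterns flag this DB file?
    True reproduces the false positive on the engine's own data file."""
    return bool(scan_raw(db_blob, SIGNATURES))


def hashed_detects(sample):
    """Detection with the hardened database on an arbitrary sample."""
    return scan_hashed(sample, load_hashed_db(build_hashed_db(SIGNATURES)))


if __name__ == "__main__":
    infected = b"benign header " + SIGNATURES[0] + b" trailer"
    print("flat DB flagged by competitor:  ", competitor_flags(build_flat_db(SIGNATURES)))
    print("hashed DB flagged by competitor:", competitor_flags(build_hashed_db(SIGNATURES)))
    print("hashed DB still detects sample: ", hashed_detects(infected))
```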

  5. Happened to me too by Spacejock · · Score: 4, Insightful

    I have a website with a bunch of my own freeware apps available. On two separate occasions I've had a number of emails from users of major AV software asking me what the hell I was playing at trying to install trojans on their PCs. In both cases it was false positives, one from NAV and the other from the company mentioned in this article (which is what prompted me to post). Each time they eventually got around to correcting their definitions, but sure as anything it'll happen again. And in the meantime, how many dozens or hundreds of people assumed I was one of them there nasty spammer trojan virus people trying to infect their PC?

    Why should the onus be on ME to check THEY haven't stuffed up? You can't install and run all the different brands of AV software on one PC, unless you install a bunch of virtual machines with one AV prog on each, and then you'd have to update the definitions daily.

  6. False positives trick users. MS is adversarial. by Futurepower(R) · · Score: 5, Interesting

    Apparently ALL anti-virus software gives false positives. Most of the users have little technical knowledge, and the software makers want to give the impression their software is more useful than it really is. I've seen numerous false positives on systems I use. One "virus" was a text file, with a .TXT extension, and nothing in it but documentation!

    But why is anti-virus software so important? Apparently only because Microsoft profits more when its software is full of bugs and malware, and Microsoft is very adversarial toward its customers.

    The true cost of a Microsoft operating system is perhaps 10 times its retail cost, because of the heavy maintenance expenses.

    Microsoft's anti-customer behavior: Here are some paragraphs I wrote to someone having problems with temp files taking gigabytes of drive space.

    On one computer I checked, temp files were stored in 49 different places, and that includes only temp file folders made by the Windows operating system and not temp file folders made by application software.

    Why doesn't Microsoft provide a utility to find all the temporary file folders and delete the files when starting or shutting down the computer? Apparently because the company is heavily engaged in adversarial behavior. Most people don't know that temporary files are a problem, and they certainly don't know where to find them; that was a challenge even for me. The temp files sometimes take so much space that there is not enough free space, and the file system begins running much slower.

    The file defragmentation program won't run when there is limited free space. A fragmented file system is much slower. And most people don't even know that the defragmentation program exists, or why they should run it. So, their computers become imperceptibly slower and slower until they buy a new computer.

    That's apparently why Microsoft software has so much malware, also. At present, there are 30 known vulnerabilities in Windows XP alone that haven't been fixed. There are 7 known vulnerabilities in the latest version of Microsoft Internet Explorer browser that the company has not fixed.

    Some people say Microsoft software is targeted more often because there are so many copies in use. However, it is well known how to write secure software. Apparently Microsoft managers don't let their programmers finish their work.

    Many people who don't know how to keep Microsoft products running buy new computers. Every time someone buys a new PC, they buy a new copy of the Microsoft operating system, even if they already owned a copy. So Microsoft makes more money if the company has defective products.

    Microsoft gives each new version of Windows a new name, and many people think the new version is a new product. Somehow it has been arranged that people pay the full amount for new versions, instead of an upgrade price.

    The New York Times article Corrupted PC's Find New Home also makes that point.

    Note that the Apple operating system, OS X, and the Open BSD operating system have very few vulnerabilities. (The Open BSD web site says 2 in 10 years.) So it is possible to make a secure operating system. The volunteers that make the Open BSD system do security reviews of software to make sure vulnerabilities are not released to customers.

    We use Microsoft operating systems because of historical reasons, and because it is expensive to change. In actuality, the business very seldom uses software that runs only under Microsoft Windows, and that is only in specific departments, where it would be easy to provide a second computer.

    1. Re:False positives trick users. MS is adversarial. by aerthling · · Score: 2, Insightful

      The Open BSD web site says 2 in 10 years.

      It actually says 2 remote holes in the base installation in more than 10 years. If you want a full list of all the vulnerabilities in OpenBSD ever, you can count them all here: http://openbsd.org/errata41.html

      Have fun.

  7. Re:Why only Kaspersky? by harlows_monkeys · · Score: 4, Interesting

    What are the other antivirus vendors doing (or not doing) that is avoiding this problem?

    At the AV vendor I've worked for, when they get a report from another AV vendor of a false positive on that other vendor's product, they would investigate and get an update out within 24 hours to fix it.

    Unfortunately, some vendors are not this fast. I've seen Spybot take years to fix false positives that have been brought to their attention.

    Most are somewhere between these two. Generally, it goes like this. Company A notices that company B's product has a false positive on A's files. A contacts B about this, using B's public contact information, which generally is meant for the general public. So, A's complaint might end up in the support system, and might get kicked around there for a while as the support people try to figure out what to do with it. Eventually, it reaches some manager who has got a bunch of stuff on his plate, directly from his superiors, so he doesn't give this high priority.

    A notices it is taking a long time, so looks for a better way to contact B. If A and B are reasonably big and in the same country or region, it will probably turn out someone high in A's management knows someone high in B's management, or knows someone who knows someone high in B's management who can introduce them, and then there is a high level request from A to B. That has a decent chance of getting results.

    If no such contact can be found, or it fails to get action, then A calls the lawyers, and they write a letter to B's lawyers. That should get some attention at B, and whatever manager the first request got stuck at gets prompted to do something.

    If nothing happens then, it is lawsuit time. When a lawsuit is actually filed, THAT gets the attention of B, all the way up to the top, and then things happen. (And the people who failed to act earlier get in a lot of trouble...companies do not like it when they get sued, even if the actual purpose of the suit is just to get someone's attention to fix a problem).

    I suspect that a good percentage of lawsuits filed in the software industry (in general, not just AV) are to get the attention of upper management in the defendant to get some simple problem resolved that has fallen through the cracks.

    A lesson here for anyone starting a company is to hire some top management people who are well-connected. If your Director of Engineering or CTO or Chief Scientist or whatever, in a situation like this, can say, "Hey...B's CTO went to my school and we were in the same fraternity...I can get his number, call, give the secret Alpha Delta Smegma pass phrase, and I'm sure he'll get the problem taken care of", that's great. The tech industry, just like the other industry groups, has its old boy's network, and you want to have someone who is connected to that.

  8. Re:Don't viruses attack system files though? by jargon82 · · Score: 3, Informative

    It's not just "windows making it easy for them" though, it's the simple fact that nearly every windows users runs as admin. We'll see what impact, if any, vista has on this, but in all previous versions it's been a mixed bag and IMO can largely be blamed on a conflict of various policies within Microsoft.

    Consider, documentation on programming for the windows OS, from MS, outlines how to write without requiring admin access and generally speaking recommends this. Microsoft produced software, by and large, does not require admin access to RUN (sometimes, yes, to install, but not run). But all this aside, the accounts created during windows setup are admin and there's no push on the users to not run as admin.

    All this combines to make a virus writer's life easy: the unknowing users are running as admin because it came that way, the knowing users are STILL running as admin because too much windows software requires it, and only the truly dedicated take the time to get LUA to work. (at least prior to vista)

  9. It really *is* known how to write secure software. by argent · · Score: 2, Interesting

    Secure software doesn't mean "software that has no security holes". It means "software that is designed so that failure doesn't create security holes". Secure software is, by default, inherently safe. Secure software provides feedback on errors. Secure software can not be unlocked except from the "outside". Secure software provides interfaces and protocols with no paths leading to elevated privileges. Secure software provides fault isolation and user-visible and manageable layering.

    Secure software may have bugs that lead to exploitable vulnerabilities, but fixing these bugs will not break third-party components that depend on public interfaces and protocols exposed by the software, because the privileges exposed by the vulnerability are never intended to be exposed.

    For example, if an interface in a secure application provides an object (file, script, applet, web page, ...) more privileges than the application itself normally provides, then:

    (1) That interface is disabled by default. Ideally, there is no code path in the application that leads to that interface.
    (2) Enabling that interface requires a deliberate premeditated action by the user or administrator. Ideally, this action involves a plug-in or other component in a distinct repository from the one that the application normally uses, and running a new instance of the application (or a new shell around the application) that has access to that repository.
    (3) Enabling that interface in one instance of the application does not enable it in any other instance.
    (4) An instance of the application with that interface enabled can not be accessed by any request to an instance of the application with that interface disabled.
    (5) The mechanism by which a user launches the modified instance of the application is clearly distinct.
    (6) The modified instance of the application does not include a mechanism to load new objects through protocols that are normally used to access untrusted data, except using addresses (URIs, file paths, etcetera) that are provided by the application itself, or by launching a new instance of itself without any unsafe interfaces enabled.

    The poster child for applications that violate these rules is Internet Explorer. In Internet Explorer, it is possible for a webpage to request an applet it provides be installed and run, through a mechanism called "ActiveX".

    (1) It is enabled by default.
    (2) It is not possible to launch IE in a way that prevents access to ActiveX plugins already installed.
    (3) There is only one pool of plugins for IE. Worse, there is one pool of plugins shared among all applications that use the HTML control.
    (4) You can't disable it, all you can do is tell IE to avoid "unsafe" controls, and even then the default behavior for "unsafe" controls is risky.
    (5) There's no distinct instance of IE... rather there's a set of heuristics for the HTML control to use to try and guess whether the document being viewed should be considered "safe" or not.
    (6) The HTML control makes the decision as to whether to load an object, not the application.

    Most browsers have *some* shortcomings in this area, but few to anywhere near the extent of IE, and none are designed so that fixing these shortcomings will break working applications until they are redesigned to access the browser through a new API.

  10. Did you read it? by www.sorehands.com · · Score: 2, Insightful

    It refers to the lawsuit that was filed on May 19th.

    Also, anti-virus software on Windows is so invasive that running two different scanners at the same time is just plain crazy. I imagine root kits and virus scanners do a lot of the same things. They all make a total mess of your OS. And not being a monopoly, I can't see how Kaspersky has an obligation to play nice with others.

    I agree, mostly. To have multiple anti-virus or spyware packages running resident is nuts. Running Norton is nuts too.
    But running multiple scanners (different times) is not nuts.

    Anti-virus software has to have information regarding virii and a package may pick up on it. There are some virii and trojans that use a modified version of Kaspersky to prevent competitors from infecting the same machine.

  11. Interesting -- and it's not a false positive by ratboy666 · · Score: 3, Interesting

    The idea that an "anti-virus" program that does signature checking against a (almost continuously) updated database of virus signatures is probably a good source of "genetic material" for a virus will eventually occur to someone who does malware.

    And, just for grins, it's catalogued. So, to use that genetic material, the virus simply needs the key (and the knowledge that a particular anti-virus program is installed). That is probably denser than trying to keep the infection information with the virus itself.

    In other words, target Kaspersky "protected" systems (or any other "anti-virus" vendor) specifically.

    Why? Hell, I would do it just because it would amuse me to no end!

    --
    Just another "Cubible(sic) Joe" 2 17 3061

  12. Next time, skip the anger. by Futurepower(R) · · Score: 2, Informative

    Acting out your anger is optional. Next time, try dealing with your anger yourself, rather than making it a problem for others.

    You said, "The number of temp files or folders is nothing to do with security."

    You didn't read what I said carefully. I said that, if temp files fill the hard drive, the file system becomes slower. And also, even worse, the defrag program refuses to operate. When computers become slow, many users buy a new computer.

    A few temporary file locations in the Windows XP operating system:

    C:\Documents and Settings\Administrator\Local Settings\Temp\
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\

    C:\Documents and Settings\<user>\Local Settings\Temp\ and
    C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\
    for each value of <user>. On the computer that had the trouble, there are several users.

    C:\Documents and Settings\NetworkService\Local Settings\Temp\
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\

    C:\Documents and Settings\LocalService\Local Settings\Temp\
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\

    C:\Documents and Settings\Default User\Local Settings\Temp\
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\

    According to Microsoft, these may all be different:
    %SystemRoot%\Temp\
    %SystemDrive%\Temp\
    %SystemRoot%\Tmp\
    %SystemDrive%\Tmp\

    In my opinion, it doesn't matter how many temp file locations defined by the operating system there are, if the number is more than, let's say, 2. I've seen computers infected with malware that uses temp file locations of other users to store files, marked read only. There is no method provided by Microsoft, that runs automatically, that deletes read only temp files in all the locations, and does that securely under OS control, so that malware cannot use those locations between computer re-starts. That's my understanding, and you haven't said differently.

    Also, most users don't know to run Disk Cleanup. The point is, most users are not technically knowledgeable, and are not able to maintain Windows, and, as the New York Times article to which I linked says, they buy new computers, because that is cheaper than trying to maintain the OS.

    The fundamental point: Given what I have just mentioned, I don't see that Microsoft is caring towards its customers. The company could do far, far better. Microsoft apparently doesn't do better because Microsoft managers believe it is morally acceptable to use adversarial methods to make a profit.

    I didn't know I had a website. I just looked, and I can see I do. I don't have much time to make a web site, and I had forgotten that I had an index.html. Normally, I just provide links to particular articles.

    Anyhow, look at this article on my "web site": Windows XP Shows the Direction Microsoft is Going. Quote:

    Bruce Schneier, well-known computer security analyst, said in his November 15 newsletter that this article is "A well-written analysis of the major security/ privacy/ stability concerns of Windows XP." Mr. Schneier wrote the books Applied Cryptography and Secrets and Lies: Digital Security in a Networked World, and other books.

    Back then, several years ago, I thought Bruce was being overly generous. However, soon after I published my article, which was translated into French and Spanish by readers, and other languages for which I could not find an editor to verify the translation, security vulnerabilities were found that I predicted in the article.

  13. Re:Why only Kaspersky? by thegnu · · Score: 4, Insightful

    I've seen Spybot take years to fix false positives that have been brought to their attention.

    By "Spybot," do you mean "Patrick Kolla?" I know now he's got help, but how many years ago did these "years" occur?

    Plus, it's still part of THE best passive/manual protection you can get:

    1. Spybot w. Hosts list & immunize
    2. Spywareblaster
    3. IESPYADS
    4. Firefox
    5. WRT54G
    6. Merijn's BugOff

    I know a router probably isn't really passive, but to the PC it is. Oh, and besides the router, this is all free. My 2 cents.

    --
    Please stop stalking me, bro.