Antivirus companies support virus writers?

[JavaJones]

OK, the headline is somewhat sensationalized. Sorry, I couldn't resist. I know it sounds crazy, and believe me I don't buy into this, at least not until I see real evidence. But I found some of the points in this blog post to be interesting, if not entirely "compelling" as he claims:
http://dmytry.blogsp...es-main-driving.html

I know the subject has been discussed before; I've even seen it mentioned here on DC in past AV discussions I think. It wouldn't be the first time unethical corporate behavior was responsible for billions of unnecessary spending by consumers. And with the ready availability of obviously less scrupulous off-shore development resources, easily contracted relatively anonymously, it seems all too easy for this to be happening. As opposed to the situation with other businesses like the car tire slashing example given in the post above, where the barrier to accomplishing the stated goal of increasing demand for the product/service would be much higher. Here it's relatively low. Pay some off-shore contractor $10/hr to write virus variants with existing kits = millions of viruses for pennies a piece.

It sounds crazy, but really what's the barrier to this? Legality and morality. If you don't think you'll get caught, legality doesn't matter, and that really seems to be the case with a lot of bad corporate behavior, from "cooking the books" to toxic waste disposal, and much more, some a lot more (physically) harmful than viruses. And morality? Well, since when have corporations had morality? Hmm...

- Oshyan

[KynloStephen66515]

Ethically, it would be wrong to commission such software for your companies own benefit, but would you really put it past up and coming developers? Create an anti-virus suite, make your Google tags specifically designed to target the removal of a virus you are having released, then charging the end user to remove it, because you know you will be the only one (to start with) who can remove this effectively.

IMO this type of thing possibly does occur, but until real proof is given, I am happy sitting on the fence, watching both sides.

[app103]

I don't believe this is happening, and for one reason:

A shortage of viruses written for the OS that is run by the people with the least amount of sense and the most money to burn: Mac OSX

If an antivirus company was doing this kind of shady thing, don't you think they would have a Mac version of their product and they would be paying people to write stuff targeted at that platform, where they could get away with charging twice the price for their antivirus, and skip providing a basic free version?

And it's not that OSX is so secure that people can't write malware for it, which seems to be the common myth spread by OSX users. And with recent increase in popularity, it's an untapped market for any unscrupulous antivirus vendor that might be doing as this article suggests.

Plus if any of the whole idea of increasing a demand for security products by creating the attacks made any sense, then I guess you could say the same is going on with offline security firms that provide armed guards for banks. Are they staging bank robberies in order to increase the demand for security guards?

Or home security...do they pay people to rob houses in order to sell more alarm systems?

Highly unlikely.

[KynloStephen66515]

Although I agree with the fact it is highly unlikely, it is still technically possible that this happens and does go on in some circles.

As an example, there was a computer repair company who basically ran their entire operation on repeat calls, this was because when they fixed a clients computer, they also installed a piece of software onto the target machine which rendered it useless until the correct 'removal tool' was used.

The company DID get caught, but after about 2 years of operating like this.  I will try and find the official news story for this (it was a company local {about 40 miles} to myself).

Certainly proves that this does happen, but on what scale, is anybodies guess.

[Bamse]

Who funds all those "tests" you run into when looking for the "best" security software?   Is an inbred hysteric industry focused more on marketing than consumer security already, so if conditions suggest help is needed why not produce fuel as well?

Might say NEVER when it comes to bigger companies who have much to lose but there are others. At least one, from China, has been proven to have zero ethics since they stole database from other well known program. Was highly popular at Cnet, any download site. Got caught so we know. Actually still popular but just shows how much you can get away with. Memory is short so risk not that high! Even less if a company is fairly unknown, can't easily be investigated, and try to conquer new markets. Mcafee, Trend etc. can lose it all if they tried something similar. Can't move to China and set up new company in a day.

If one of the old companies get caught I think it would be a rotten apple - will never be proved it was officially decided to fund certain "external consultants" which in fact live in the underworld, heh. Marketing show they have no ethics already but still I would not believe idea of own malware farms. Conspiracy theory, but outside of A-team I would not be so surprised.

[CoderOmega]

Or home security...do they pay people to rob houses in order to sell more alarm systems?

-app103 (February 12, 2010, 05:54 PM)

Where I live, they don't pay people, they do it themselves. Sad but true.
Well not all of them happily.
Oh and the police get a commission for letting the thieves go to.

[JavaJones]

The OSX point is definitely a good one against the assertion of the original article. But there may be other reasons for that... The example of physical security companies doing bank robberies falls a lot more into my point about the tire slashing example though. It's a helluvalot harder and more risky to stage robberies to inflate the value of your security service (although I believe even this sort of thing *has* been done in the past!), than it is to anonymously pay cheap virus writers to iterate off of existing virus toolkits in a foreign country outside of our legal jurisdiction and unlikely to ever "whistle blow" to anyone relevant and within ear shot. It just involves a whole lot more headache than the digital equivalent. I bet I could go jump on a rent-a-coder type site right now and find someone willing to do this for a couple hundred bucks within 24 hours. Hehe.

- Oshyan

[Bamse]

You can and those people will have tons of tools for Windows, very few for OSX. I don't see why OSX would be attractive or lack of focus proves companies do not fiddle with Windows based malware makers. If X company decide to move in on potential new OSX market it make sense but risk of getting caught is skyhigh. Oh look at all these attacks, where do they come from? So nice our product protects against them all! Way easier to get away with in Windows world

[f0dder]

app: you do have a point about OSX, but I also think Bamse has a point that it'd be a bit more high-profile and thus carry a potential risk for getting caught - which there's almost zero risk of with Windows, considering the flood of malware that's already written for it. And while OSX certainly has enough security flaws for exploiting, the entry barrier is a bit higher... there's so much more existing crap to pick from on Windows, and a much larger potential user base.

[Dmytry]

The OSX point is definitely a good one against the assertion of the original article. But there may be other reasons for that... The example of physical security companies doing bank robberies falls a lot more into my point about the tire slashing example though. It's a helluvalot harder and more risky to stage robberies to inflate the value of your security service (although I believe even this sort of thing *has* been done in the past!), than it is to anonymously pay cheap virus writers to iterate off of existing virus toolkits in a foreign country outside of our legal jurisdiction and unlikely to ever "whistle blow" to anyone relevant and within ear shot. It just involves a whole lot more headache than the digital equivalent. I bet I could go jump on a rent-a-coder type site right now and find someone willing to do this for a couple hundred bucks within 24 hours. Hehe.

- Oshyan

-JavaJones (February 12, 2010, 08:10 PM)

For OS X, imho you have all the same reasons which make malware writers not write many viruses for OS X, plus a few extra reasons such as higher risk to get caught, difficulty of hiring third world workforce for mac work (you can bet Apple would work hard to investigate where the viruses come from, should there suddenly be surge of OS X viruses along with marketing campaign for an antivirus). For the rentacoder remark - heh, i've been browsing rentacoder jobs once, and seen more than a few jobs almost certainly involving development of trojan software (private description, required ability to work with gmail, yahoo, facebook etc accounts, network programming experience, and you have to be located in former eastern Soviet block).

What actually prompted my quite angry blog post is an assertion by antivirus company spokeman that there's more virus software being written today than legitimate software.

For whenever it is happening  - look up rogue anti-virus software. It is happening all the time on small scale. The only question, is it happening on large scale. I think yes. I do not believe that a big company would take a lot of hit should they be discovered doing this. Companies routinely break the law in a very nasty way. Look up pfizer off label use. You can enter any other big pharmaceutical company instead of pfizer and see the very same thing. Willful law-breaking in a case where it could not be concealed, but the fine is smaller than revenue from the illegal operation. I do not think anything would happen to McAfee should anything like this be discovered. I guess a huge enough fraction of their users already believe firmly that they make viruses and this is the case of racketeering.
Think about it, back in the mafia days, would you *not* pay to 'security' firm if you know for sure they're the mafia whom are doing the very break-ins that you need protection from? In terms of cyber-crime, it's those mafia days today, with just about every normal user having experienced some form of cyber crime first hand.

[f0dder]

Welcome aboard, Dmytry

For the rentacoder remark - heh, i've been browsing rentacoder jobs once, and seen more than a few jobs almost certainly involving development of trojan software (private description, required ability to work with gmail, yahoo, facebook etc accounts, network programming experience, and you have to be located in former eastern Soviet block).

-Dmytry (February 18, 2010, 05:25 AM)

Nasty - that's pretty much as blatantly obvious as "trojan writers wanted" :/

[Stoic Joker]

Thanks for stopping in, Dmytry

I've been harboring much the same ill feelings toward AV companies for years. I'm an advocate for common sense, it's twice as effective, uses (wastes) no system resources, and is free.

[f0dder]

I've been harboring much the same ill feelings toward AV companies for years. I'm an advocate for common sense, it's twice as effective, uses (wastes) no system resources, and is free.

-Stoic Joker (February 18, 2010, 07:04 AM)

And unfortunately doesn't protect you against drive-by exploits on hacked legitimate sites :/ - the only thing I've been hit by the last 10+ years. (I still don't run any AV software, though ).

[Bamse]

Which reminds me that same company I mentioned getting cheated by the one from China recently unblocked a hacker site which also host a bit of hiring On a scriptkiddie level but still. "I need help hacking this guys Facebook..." and so on. They have 150000 members and hacker admin made sure they became aware of this He would flame their product unless... Claims to be "hacker" in the good way - which is obviously bogus. He simply complained at their forum and CEO promptly removed the block. Took 20 min. The guy who manage the actual blocking disagreed but were overruled. I chose to think marketing on steroids since this was done in public (though nobody take notice!). Marketing and money can do much harm to some people. Also why I would not exclude the possibility of some eager employee at Mcafee, Symantec or where ever doing some action on the side. He/She hire a bunch of fools to produce new threat and person magically find cure and get promotion. Something like that. There is a thin line between black and white when it comes to security. Employees at security companies have the option and know-how of going black.

Forgot, the hacker vs. highly recommended security company incident gets worse. Every member of that hacker forum got a 50% discount all through February. As a "lets be friends, we made a mistake" present. Unbelievable or in their words "Pwnd "

[Dormouse]

I see no sign that any reputable or major company does anything more than talk up the dangers of new threats or get OEMs to install tiresome free trials. Setting up an automatic subscription to any company is a bit risky in that companies in all industries have continued charging for periods after the contract has been ended. Over the last decade, I've used F-Secure, Kaspersky and now Online Armor (and AVG and Avast on machines where free seems sufficient); they've never pushed me to extend licenses beyond warning that the subscription was coming to an end (and the free ones occasionally listing the advantages of a paid for version). It's a pretty competitive market place and they'd find it hard to recover from being found out doing anything to sponsor malware.

[Crush]

I do believe most viruses are created and spreaded by antivirus producers. The amount is too big to make me believe there are hundret thousands of hobby-anarchists with virus-coding expertise out there and other things as written in the linked artikle like the virus design that also shows there are other reasons to virus creators than creating malfunctions, heavy damage or getting personal informations. How is it possible that these companies have the signs and copies of new viruses often hours before it has been spreaded wide ranged? The solutions for new ones are out there faster than light. This is too good to be true.

Nearly all virus signs are collected/created by only a few companies that sell them for money to other antivirus software creators (64-Bit chains, the names and informations how to delete them).

A few weeks ago I´ve seen a report from a hacker convention and one hacker explained a new way for system intrusion to open the full remote computer access. In a following interview he made a big party and told that he already has signed extremely good payed contracts with a lot of "antivirus firms" worldwide to licence his intrusion system. I wonder why?

I know of some programs that enforce false alarms in AV progs. Even by supporting the sourcecode and all possible informations they resisted to include the professional program of a friend in the white list - they expected payment to do so. This is a disturbing behaviour for someone who should be a servant to computer users and hasn´t been called the god of what´s a virus and what isn´t.

The explanation is simple: If there is a market that can create its own reason for existance for financial interest it will be done. There are a lot of examples and lobbies besides antivirus software that do the same in their branch. If there is a way to raise the profit there is no frontier - legal or illegal - for the most companies. You can find these "black sheeps" everywhere in all imaginable industries.

[Stoic Joker]

I've been harboring much the same ill feelings toward AV companies for years. I'm an advocate for common sense, it's twice as effective, uses (wastes) no system resources, and is free.

-Stoic Joker (February 18, 2010, 07:04 AM)

And unfortunately doesn't protect you against drive-by exploits on hacked legitimate sites :/ - the only thing I've been hit by the last 10+ years. (I still don't run any AV software, though ).

-f0dder (February 18, 2010, 07:06 AM)

True, but AV software can't "protect" you from a hacked legitimate site either. Drive-bys ... part of Common Sense (these days) involves reduced permissions & UAC which is a combo that even works on the 0 day stuff the AV types haven't had time to respond to yet.

[wraith808]

I've been harboring much the same ill feelings toward AV companies for years. I'm an advocate for common sense, it's twice as effective, uses (wastes) no system resources, and is free.

-Stoic Joker (February 18, 2010, 07:04 AM)

And unfortunately doesn't protect you against drive-by exploits on hacked legitimate sites :/ - the only thing I've been hit by the last 10+ years. (I still don't run any AV software, though ).

-f0dder (February 18, 2010, 07:06 AM)

It is also not feasible when you have young children using the computer.  They only go to sites which I approve, but even the advertising on some of those sites is suspect and a prime candidate for someday having a drive-by.

[f0dder]

True, but AV software can't "protect" you from a hacked legitimate site either. Drive-bys ... part of Common Sense (these days) involves reduced permissions & UAC which is a combo that even works on the 0 day stuff the AV types haven't had time to respond to yet.

-Stoic Joker (February 18, 2010, 09:35 AM)

UAC is nice, and I depend on a combo of UAC and FireFox with adblock+noscript - obviously noscript won't help me if a legitimate whitelisted site is hacked, though. And UAC wouldn't have protected me against the NTVDM local privilege escalation if I had been on a 32bit system.

OTOH an antivirus product (or rather, HIPS) depending not just on stupid static analysis but some decent kernel-mode hooks wcould add an extra layer of protection.

[Stoic Joker]

True, but AV software can't "protect" you from a hacked legitimate site either. Drive-bys ... part of Common Sense (these days) involves reduced permissions & UAC which is a combo that even works on the 0 day stuff the AV types haven't had time to respond to yet.

-Stoic Joker (February 18, 2010, 09:35 AM)

UAC is nice, and I depend on a combo of UAC and FireFox with adblock+noscript - obviously noscript won't help me if a legitimate whitelisted site is hacked, though. And UAC wouldn't have protected me against the NTVDM local privilege escalation if I had been on a 32bit system.

-f0dder (February 18, 2010, 09:54 AM)

Bad enough we're going off on a tanget, now I gota dice through which context we're in. Neither of us is a typical/average user and it's pointless to drag through the move countermove NTVDM exploit could be avoided by killing unused 16bit subsystem vs. Joe average has no Idea what/how/where that is/is done nonsense. ...As it's nowhere near the threads topic.

OTOH an antivirus product (or rather, HIPS) depending not just on stupid static analysis but some decent kernel-mode hooks wcould add an extra layer of protection.

Sure (layers are good), and it would even be an effective one if the AV sales drones would stop hyping it as a Magic Bullet.

[Dmytry]

Well, i don't think antivirus software is a correct approach to the problem in first place. Blacklisting bad software or whitelisting good software is stupid (and whitelisting is just good ol racketeering as the developer has to pay to get whitelisted)

Think about an application like a web browser, and what sort of access it needs to your hard drive.
Basically, it has to be able to:
0: access network.
1: read and write inside it's own configuration folder
2: read the files you choose through system's standard file open dialog.
3: write to locations you choose through system's standard save dialog.
It is entirely possible to lock down file access *extremely* tight without *ever* nagging the user with extra dialog, relying on the dialogs which already are presented to the user.  But it has to be done on the system level.
Of course, there would still be privilege escalation exploits and such - but those have to be dealt with by *patching* not by blacklisting.

[Bamse]

I am not sure it will move you an inch but most AV companies are actually obsessed with finding new ways of protection. Even Symantec has "Stops threats unrecognized by traditional antivirus techniques" in their feature list. Probably why they bought PC Tools (Threatfire). More is better since more is needed is how they design software. Since there are new demands is it not nice of them to deliver? HIPS, Behavior blocker, quarantine if unknown stuff. Avast just got a build-in sandbox. Must not forget "web" scanners (web is evil as you have been told), a common feature and where you get the most false positives as well. There are loads more. Just take a look at their web sites.

In their defense I would say that tools usually work better if settings, features and limitations are known to user. Installing one of the bigger packages on a computer used by a person with a history of doing the opposite of common sense will not be a smooth experience. Not possible to fix stupidity/lack of knowledge, experience with software. Or may be it is but then you need to handpick and spend time setting things up. Must have the perfect setup. Many tools will have password locking of settings for the same reason. User must be protected against user! Jumping at any random advertised package using default settings can go wrong.

I don't think majority believe Mcafee produce malware. More like they and other "reputable" brands are protecting and let them use computer as they wish. Have way too much convenient faith in "being protected". Increase requirements, annoy usability and in many cases there will be a user vs. security problem. Some are more likely to ignore features/msg. from AV or simply turn stuff off than educating them self on what the problem really is. Also why many reject UAC which is harmless/easy compared to 3rd party "proactive" stuff. Takes very little to annoy. I have heard IT people saying the first they do for their "clients" is to turn off UAC and make them admin. How it is and partly why there will continue to be work for AVs.

Are you referring to Software Restriction Policy on Windows Dymtry? Sure you can lock program and activities down, much is possible with already available build-in features, but what type of user are you thinking of? Must be a very interested one. Same problem as with firewall in Vista/7. Sure it does "outbound" control, why bother with notoriously buggy 3rd party software? Well try set it up then. There are probably more I don't know about but fact is on Windows such "deep" defenses are not made for everyone. Practically hidden, not meant for public consumption.

[Dmytry]

"Even Symantec has "Stops threats unrecognized by traditional antivirus techniques" in their feature list"
Even small brand rogue scareware has this sort of stuff in their feature list.
 Just what the hell is that supposed to mean? No it does not stop brand new malware, never did, and never will, because anyone who makes malware (except possibly the antivirus vendor) tests the malware against the antivirus software to make it pass. Heck, everyone who makes software has to do this because of false positives! If by a chance antivirus flags some new malware in development as malware - the chance exists for any new software - well, I suppose the author will simply swap a few functions around, fiddle with compiler's optimization options, maybe screw a little with UPX source code or not use UPX, and it'll pass.

From where i'm standing, we don't need separate piece of software to protect from the browser exploits and similar things; any decent browser gets patched before the
antivirus in any case. What do regular users really need antivirus software for is software piracy. Software piracy is not practical without having a good antivirus. (Ofc you can't pirate the antivirus itself because it phones home all the time to get updates). If there's someone who profits big time from piracy, that's not piratebay. That's our glorious 'good guys' the antivirus vendors.

"Are you referring to Software Restriction Policy on Windows Dymtry"
No i'm not referring to software restriction policy, or any implemented method, for that matter. I'm making an observation:
Almost none of the applications I or you use, except for a couple special utilities (file search tools, and such which layman user may not even have), read from or write to files and locations that aren't either
a: in software's own folder, or
b: are chosen by user through the file dialog AS OF NOW WHEN THERE IS NO SECURITY.
This is the un-enforced convention which large majority of good software nonetheless obeys.
Nobody's interested in enforcing this; they're interested in blacklisting, because blacklists have to be up to date (=subscription services), they're interested in whitelisting, because that will let them extort money out of software developers - those developers whom actually make anything of value - they're interested in showing a ton of scary popups, they're interested in  'heuristics' (tricks that aren't guaranteed to work, and do not work), because those generate a lot of false positives (extortion from honest developers again, though fortunately this is not so bad because you can always work-around false positive by fiddling with the code - same applies for true positives for real malware). But they're not interested in doing anything relatively quiet that'd work. Our only hope is that microsoft eventually sorts security out.

[f0dder]

If by a chance antivirus flags some new malware in development as malware - the chance exists for any new software - well, I suppose the author will simply swap a few functions around, fiddle with compiler's optimization options, maybe screw a little with UPX source code or not use UPX, and it'll pass.

-Dmytry (February 19, 2010, 08:04 AM)

That will stop pattern-based and code analysis heuristics (stuff that analysis before the malware runs), but it won't stop HIPS functionality that looks at the actions running code performs. As long as a new nasty privilege escalation bug isn't discovered, a decent HIPS will be able to block the malware. I don't know if there's any decent HIPS around, though, since I haven't been running anti-malware stuff for years

What do regular users really need antivirus software for is software piracy. Software piracy is not practical without having a good antivirus.

-Dmytry (February 19, 2010, 08:04 AM)

I disagree - drive-by exploits are a reality, and it's not like you're likely to get infected by piracy... as long as you have better sources than google searches.

[Bamse]

As I understand it your observations are in family with SRP then. More like a new Windows which educate user in a different way right? You are overestimating desire for change and understanding for a safer logic though. Will never happen. Windows Vista and upwards is it. Optional UAC shows how MS think, may be how they must think. Windows is not Linux but ultimate freedom

Non-signature based detection is not just a hoax. You are right about piracy being the obvious reason for AVs. Well dig in to that area and you will learn how AVs work. Or just install Threatfire or similar tool and test. Anything with no use of blacklists. When it pops up after whatever AV has approved you should read warning carefully. Norton also use a block/qurantine by default policy towards unknown files btw. Cloud feature... I think you are underestimating their features a bit. Must always remember that increasing requirement to user is almost not an option. There are limits to what they will ask the average Windows user to do.

Btw, you can use cracked security software and many do. I don't use cracked software but keep me updated. Can't remember a popular security program that is not available for "free".

f00der posted, well he is right about "drive-by" though that usually means an exploited plugin, pdf, flash. Browsers are not a target them self. "Drive-by" a really cute buzzword loved by paranoid people since it means WHATEVER amount of common sense you have, you can still be screwed! = BUY a sucurity package, you MUST. Almost entirely BS but don't forget pdf, flash though. Due to my attempt to keep up with warez scene all I will say is those people know zero about security and do not care. Very likely you get infected by using "good" sources. The other day I almost saw a moderator get infected in real time. He asked about why the hell a certain popular site redirected him to some weird stuff. I checked and it was a nasty pdf exploit. Like only just listed on malware domains, days or more like only few hours old. He replied that then good he just got updated to 9.3 or something. Hmm that was flash dummy. He went FU#% and deleted the thread. This is the level. Or go to some of the very big warez forum, pick random threads and check properly. Tons and tons of stuff is infected and nobody cares that much. Majority probably don't even know their computer is hosed. If they figure it out they just install new free Windows, who cares... Really not difficult to understand how stuff gets spread around.

If by good sources you mean more private networks then you could be right. Something with invites or ? I would not know but do believe in "safe" cracking. Popular sites/forums are full of junk and typical member is clueless. They are just normal Windows users