
SpannerITWks, reply to Cudni, Re: Our unique antivirus testing: How we did it
- An open and sincere letter to the AV etc peeps -
I clicked on the avertlabs link - www.avertlabs.com/research/blog/?p=71 - (you can read an open letter on the AVIEN site about that).
Which gets you to here -
www.avien.org/publicletter.htm - Public letter concerning the Writing of Viruses & How it Does Not Teach about Virus Prevention. Originally published: May 30th, 2003. Last updated: August 11, 2006 7:14 PM
"The more than 100 signatories of this public letter, all security professionals with years of experience in dealing with computer viruses, and who work in all sectors, wish to express their whole-hearted support of the following principle:
It is not necessary and it is not useful to write computer viruses to learn how to protect against them."
Signed:
etc -
Among the people signing their names to it are a number of well known figures. Whether ALL of them who originally signed still agree with Everything on there is open to question, but let's say they do for now!
Of course you don't have to be "able" to write nasties to write code to detect them per se. But I've got a number of nasties in my collection that ALL the vendors listed on Jotti's + VirusTotal did NOT detect when I submitted them. These included Rootkits/Trojans/Exploits/Keyloggers etc.
So how can this be if the signed statement above is Totally correct? Either they can detect new nasties and variations, or they can't! And based on my tests they can NOT and did NOT on those occasions.
If they Actually mean detecting whilst being run etc, ok. But they do NOT All do that either, whether normally and/or heuristically. If they say they don't need to know how to write nasties, and in ALL their variations/connotations, how can they Totally understand and prevent vectors etc being compromised and therefore computers getting infected? If they were 100% right about their claims, then NOBODY would EVER get infected with ANYTHING, but hey guess what, err yes that's right, they DO, and daily with ALL sorts of crap, including brand new stuff and variations.
So what Exactly do they mean when they say "It is not necessary and it is not useful to write computer viruses to learn how to protect against them."? Because if they DO know, they are NOT putting that knowledge into practice.
Spanner -- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks

Blackbird (Fort Wayne, IN):
I think what they mean is that CU's constructing new variants from 6 categories of known viruses only shows how various AVs will respond to new, unknown virus variants constructed using the same techniques employed by CU. Those techniques were intended by CU to create large numbers of virus variants based on existing virus structures and ideas... they were not created to exploit new-found security holes nor were they created using novel virus-structure techniques. While CU's variants may be "new", they are not necessarily representative of what many actual virus writers will do in creating their malware in the real world. Until now. Now there are 5,500 'new' viruses on CU's lab computers and some (likely) documented recipes in CU's files of how each was created from existing virus categories - all for the script kiddies and other baddies to sniff out as only they can. And we can all hope and pray that CU's internal data/info security is better than was their reasoning in following such a path in the first place.
Thoroughly understanding viruses and how they are written does not equate to actually writing them. Writing them may or may not make one more expert in combating them. One certainly does not need to commit murder (nor many other things in life and the technical world) to understand how it is done and to combat it.
edit: phrasing in middle of para 1 -- If God wanted us to work with electrons, He'd make them big enough to see...

SpannerITWks:
Blackbird SR
Sure, I get your murder analogy, thanks!
But people might be interested in looking at this thread - forum.sysinternals.com/forum_pos···003&PN=1 - to see just how cat + mouse actually works in REAL life.
Yes, real life, because in there are Real Rootkit coders with Real RK's that are out there right now being used to hide nasties and being used by 3rd parties for crime. Also in there are various well known RK detector guys n girls combatting those and other RK's.
You will see how being able to write RK's and disassemble them etc, and write detectors, enables both sides to have a greater understanding of each other's tactics etc. Thereby enabling them to design better RK's + detectors.
So I do believe it's definitely worthwhile to have as much inside knowledge as possible about how the other side Really works, because that IS what they do, every day!
Spanner -- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks

AB (Leesburg, VA):
said by SpannerITWks: ". . . You will see how being able to write RK's and disassemble them etc, and write detectors, enables both sides to have a greater understanding of each other's tactics etc. Thereby enabling them to design better RK's + detectors. So I do believe it's definitely worthwhile to have as much inside knowledge as possible about how the other side Really works, because that IS what they do, every day!"
Sure, knowing how the other half lives, what they do, is good and will help people better understand how to fight the malware more effectively. But ya gotta write 5500 NEW variants to do that? I don't think so! This is a disaster waiting to happen. Let's hope it won't. And the first variant found in the wild that can be directly linked back to this research, I hope to see one massive class-action lawsuit. And btw, is 'Consumer Reports' really the organization we want leading this research? While I understand that this is in fact a consumer issue, I'm just not so sure these are the people I want in the vanguard of this somewhat shaky business.