One has to wonder how the anti-virus industry sleeps well at night. On one hand, it purports to serve the world by defending our computers and networks from any number of electronic critters and malicious code. On the other hand, sometimes its “cure” is worse than the problem its companies and products allegedly treat. Add to that a decades-old concern over business, market share, and publicity, and you have all the ingredients for a confused industry, product, and service. This situation regularly benefits the antivirus software industry and victimizes its customers.
Let’s start with malicious code outbreaks in general. Unlike hurricanes and tsunamis, there is no standard way of naming malicious code — and thus is the greatest problem facing the antivirus industry. Gone are the days when simple names like “Jerusalem”, “Michaelangelo” and “Stoned” were accepted and used by all antivirus vendors and their products. Today, what one company calls “Worm_Minmail.R” another calls “W32.Novarg” — someone else calls it “MyDoom.A@m” and another may classify the same thing as “W32/MyDoom.” What is needed is a return to industry-wide nomenclature for malicious code that can be used by all vendors in describing their products and making the reporting, analysis, and resolution of such outbreaks easier and more productive for customers and researchers alike.
Then there’s the matter of marketing and mindshare. First and foremost, antivirus vendors are in business to make money, and it behooves them to capitalize on as much free publicity as they can. Thus, with each new outbreak we see vendors stumbling all over themselves to be the “first to detect and defend” against the latest malicious code and probably explains why there’s no longer a standard outbreak naming scheme after nearly two decades. From press releases to interviews on television, radio, and newspapers, antivirus industry executives race to establish their companies and products as the most vigilant and capable on the market, an activity often made more amusing when backed by questionable, if not fabricated, statistics and predicted damage assessments (usually in the billions of dollars) from each outbreak — and almost always followed by a pitch espousing the cost-effective security that only their products provide.
As a result of antivirus industry marketing, customer ignorance, and easily-exploitable operating systems and enterprise servers, it’s rare to find a wired organization without antivirus software on their mail servers or corporate gateways. These sensors are on constant prowl for the latest malicious code attack and are intended to defend their host network from future outbreaks based on existing attack signatures. In other words, these products only defend what they know how to defend; meaning that unless a network administrator keeps his antivirus software current (sometimes on a daily basis) it’s quite easy for the “next best” attack to create havoc on his allegedly-protected network, much to the satisfaction of the antivirus industry. Then the game begins afresh – while costs mount for customers and profits rise for antivirus software vendors.
More to the point — in the case of e-mail-borne outbreaks, when these sensors detect a piece of malicious code, they generate an error message back to whomever the server *thinks* sent the message, obviously ignoring the fact that the majority of such alleged users had absolutely nothing to do with the outbreak or that their e-mail address was harvested (or spoofed) from someone else’s inbox as they got infected. Accordingly, large segments of the Internet receive automatically-generated virus alert messages blaming them for something they likely didn’t do; a situation made worse when receiving different alerts from different products that use a different name for the same attack!
Not only is there no standard nomenclature for “virus detected” messages from antivirus servers but these “virus detected” messages themselves often function as surrogate attack mechanisms. Sometimes this message is a clear warning in plain text, and other times it’s full of cryptic jargon. Incredibly, some products even return a warning message with the malicious code still attached — meaning a greater chance of propagating the outbreak it’s trying to mitigate! (Security consultant Brian Martin provides a fantastic discussion of this issue at Attrition.Org.)
Handling the sheer volume of such server-generated “virus detected” messages can be a daunting task. Early in the recent Novarg incident, I received 319 such messages during a twenty-four hour period, including many that were still infected with the worm. Now imagine a user on a pokey dial-up line or a CIO supporting an enterprise with thousands of users on high-speed networks and with systems that never sleep. Of course, users may be tempted to filter all server error messages, but that’s not a reliable solution because doing so would also block legitimate mail server error messages (e.g., if the intended recipient has moved or has a full mailbox.) Ergo, we’re stuck with a large number of diverse-yet-related server error messages that clog bandwidth and require a dedicated amount of time to develop and test custom filters while allowing other legitimate error messages to pass.
How many such “virus detected” messages must be received before a malicious code event becomes a denial of service one? How about when antivirus software sends a “virus detected” message containing the detected malicious code (and spreads the outbreak) to a third party? At what point does the antivirus software become more of a problem for the Internet than the original outbreak? Should antivirus servers also exhibit responsibility to the Internet community at large by not propagating detected malicious code elsewhere? Even if we’re not directly attacked, the collateral damage from a malicious code outbreak costs us time and money to remedy. (Antivirus vendors take note.)
If antivirus products were built with customers in mind, all would generate a similar message that could be filtered by customer system administrators to help reduce the amount of “noise” and collateral damage experienced during a malicious code outbreak. Martin discusses fifteen different “virus detected” messages that he encountered during the Novarg incident — had there been a standard message, users and system administrators would have a far easier time addressing the outbreak itself instead of also dealing with a sizable volume of hard-to-filter e-mail detritus. If anyone wants to help draft a RFC on this, please contact me — we can help bring order to this vendor-instituted chaos. (As it is, a few power users have written Unix-based procmail rules to remedy this, but it’s not an easy solution for the average user.)
Finally, there’s the ethics of the antivirus industry. Martin shows several vendors blatantly advertising their products in their server-generated “virus detected” messages, and also using malicious code outbreaks to hawk their overall product lines through unsolicited e-mails (e.g., spam) bearing a subject line of “Security Advisory” and the name of the latest outbreak. Is this “advisory” really for the benefit of the internet community or the antivirus product vendor? It’s like an airline releasing post-September-11 advertisements saying “Security Alert: Hijackings can be prevented — come fly with us, our cockpit doors are reinforced and the best in the industry!”
The Novarg incident clearly underscores the need for reform in the antivirus industry. A few industry-wide reforms, such as those mentioned in this article, will go a long way toward making the antivirus industry both more reputable and useful for its customers while truly improving security on the Internet. These changes are not difficult to implement and can be done on the cheap. Unfortunately, absent such changes, as recent events show, the antivirus industry will continue contributing significantly to internet security problems instead of helping reduce them.
Copyright (c) 2004 by Author. Permission granted to reproduce with credit.