These are quick first looks and trend and threats


Read More >>
Written by the security and AV professionals from team K7, meant for the general audience
Read More >>
These are usually articles that go into internals of a virus or deal with security issues
Read More >>
Senior managers speak on areas of interest to them, inside and outside the industry
Read More >>

Posts Tagged ‘misconceptions’

Why a malcode conference is a bad idea

Tuesday, August 31st, 2010

There seems to be an idea, fostered almost entirely by non malware experts, that writing malicious software is a necessary part of defending against it. This is a nonsense, long debunked by serious researchers, and yet it not only continues to rear its ugly head, but, as InfoWorld reports (http://mobile.infoworld.com/device/article.php?CALL_URL=www.infoworld.com/t/malware/network-security-no-good-can-come-malware-convention-609), has now spawned a conference.

The MalCode conference, to be held in Pune, India (maybe because India seems to have no legislation against such software?) is supposedly there to provide a platform for security researchers to meet malware writers and learn from them.

This, apart from being wildly optimistic that any actual learning will take place (unless it is potential malcoders learning to write more malcode), is a breathtakingly ignorant statement.

Let’s just think about this for a second – malware is very often extremely buggy, often failing to run, it might only run on a single platform, and if using an exploit to spread, relies fully on those platforms that expose the vulnerability.
Most malware uses pretty much similar techniques to spread and run, and in reality the most ‘difficult’ part of analysis is in getting through the packing techniques that are used – and much of that can be automated.

Antivirus software (or Anti-malware software to be more complete) on the other hand, is some of the most complex you can imagine.

  • It must work on a range of platforms, at a very low level where it must avoid interfering with or crashing other processes.
  • It must intercept every single file system call, and be able to search through the memory and network traffic of a machine.
  • It must be able to examine every piece of code that gets loaded, and in less time than it takes you to blink your eye, it must decide whether that code is (or is a possibly altered version of) one of millions of pieces of malware.

Not only that, it must do all of this without affecting the performance of the system, without causing interference to the user, and it must do it in such a way that if the code is legitimate (think of how many billions of pieces of code there are in the world) that code must be allowed to run, and if not, must be prevented from running.

Further, it is the only type of commercial software in the world that is updated so frequently; sometimes as often as every 5 minutes. These updates must not disrupt the system (though inevitably, they sometimes do, which is part of the reason we have technical support departments), must be as accurate as the rest of the software, and must work well with the rest of the system.

Far from being a group of people desperate to know how malware writers work, anti-malware researchers number some of the worlds most skilled reverse engineers, cryptographers, software analysts, software designers and programmers.

Not only that, but anyone who thinks that the several hundreds of thousands of new malware samples we see every day (often many of these are just auto-generated, slightly altered versions of the same things) are not enough of a ‘research platform’ for any self-respecting Anti-malware company, is truly delusional.

We have enough malware, we know how to detect it just fine, and the last thing we want is more being written, and certainly the last thing we need to waste time on is going to a conference with people who are part of the problem rather than part of the solution. Security researchers are not necessarily Anti-malware experts, and vice-versa, it’s good to remember that.

Our industry, in the last 25 years or so, has developed some of the most complex software on the planet, and has done so within a strict code of conduct – NO legitimate anti-virus researcher has ever needed to write a virus. Indeed, to openly do so would be grounds for dismissal and would make such a person unemployable within the wider industry. On the few occasions where malware writers have been inadvertently employed, as soon as the employer has found out about the malware writing, the employee has been dismissed.

Quite simply put, it is never necessary to write malicious software to be able to defend against it. Indeed, any developer working for K7 Computing who wrote such terribly poor code as exists in much malware wouldn’t last long at the company anyway. We employ, and need, highly skilled, hard working and dedicated developers, not sloppy kids with nothing better to do than write malware.

These are just a few reasons why this conference is such a bad idea, but there is one reason it is a good idea ; maybe it’s a great opportunity for law enforcement to go and round up the malware writers stupid enough to turn up, and put them out of our harm’s way.

Andrew Lee
CTO K7 Computing