5/31/2007

When vendors get nuts

In a post that recently appeared on McAfee's Avert Labs Blog (posted by Vinoo Thomas), we were quite entertained to read an astonishing statement in which McAfee curses a crew of virus researchers who "dared" to send a proof-of-concept virus to McAfee's laboratories.

The concept virus is quite interesting. As reported on the blog: "virus Bad Bunny a.k.a StarOffice/BadBunny is a multi-platform macro virus written in StarBasic and which executes on Linux, MacOSX and Windows. It is capable of infecting JavaScript, Ruby and Perl script files and also attempts to perform a denial of service attack on antivirus vendor sites by sending large ICMP packets continuously."

Pretty neat! Now, where is the value of such a PoC? The value lies in the early alert the antivirus vendor gets about the possible release of a new attack vector/methodology, on which, needless to say, they will base their business. Knowing new attack vectors/methodologies in advance is crucial for the security business, as security vendors should always try to be a step ahead of the cyber criminals. You cannot build a decent security strategy without properly valuing the messages coming from your intelligence network, and in that view warnings (or PoCs) coming from researchers are certainly the best kind of intelligence a security agency could ever dream of.

But no, McAfee dismissed the work of those researchers by reporting Peter Ferrie's motivating words for such virus authors: "So imagine you're a virus writer, someone who specialises in one-of-a-kind viruses, and you want to do something that's really new and different. What should it be? How about quitting?

Take the cue guys. Get a life!"

We have just two questions here:

1 - Assuming all virus writers quit writing viruses, what would McAfee's shareholders say?
2 - Does McAfee really think that giving the finger to researchers is the best motivation for them not to sell their research to the criminal market?

Think once. Even better, think twice.

8 comments:

HalfMoon said...

Cool analysis, guys! Vendors are not only getting nuts, they seem to be blind and deaf!

Anonymous said...

Hi all,
Kelly G from Homebase and John McAfee's old tech cofounder (no, I never made any money from McAfee) (i.e. I used to help manage the Homebase virus collection along with Patty Hoffman and Aryeh Goretsky (chief moderator) AND I used to test John's products against my own internally generated and non-released lab viruses).

The hypocrisy illustrated by McAfee NOT accepting "research" malware is indeed astonishing considering it paid the bills for us all (except me) in the early days (shoutouts to Morgan Schweers, DUDE!!)



kelly G from HOMEBASE

Aryeh Goretsky said...

Hello,

Although it is pronounced "MACK-uh-fee," the correct spelling of the security vendor's name is McAfee. You may wish to correct this in your posting.

Regards,

Aryeh Goretsky

Anonymous said...

I don't know what's funnier: the fact they put up a FOUR-YEAR-OLD BUG for sale, or the fact there's already one bid on it.

"Squirrelmail GPG Plugin Command Execution"

Google-fu tells us this "bug" is from 2003, in SquirrelMail 1.4.2. If your ISP is still using this version, unpatched at that, SWITCH.

"MKPortal SQL injection Vulnerability" has been reported by Security Focus, but is being reported as "unproven", and listed as being first "found" on this site. No bids on the auction, though.

Wasabi Labs: Scaring stupid end-lusers witless, and collecting their identities for theft purposes, one "auction" at a time. No coincidence the parent company's from ITALY.

Grow a clue-by-four people.

WabiSabi Labi said...

Ever heard about multiple vulnerabilities?

If you are concerned about us collecting your ID for "theft purposes" (where is the sense in that?), we respect your concerns and we welcome you not to use our marketplace.

And no, our parent company is not from Italy; we are a Swiss legal entity.

Morgan said...

Greetings,
Heh... Thanks Kelly G, but I'm not sure what for, and whether I deserve it! :)

I've responded, specifically to the 'shareholder' line, here:
http://www.vixen.com/blog/2007/07/13/34

I've been out of the business for over a decade, but I always wished it wasn't a necessary field.

Maybe the management thought/thinks differently, because it's just money to them, but nearly all the line employees would have been very happy if all viruses had stopped. Sure, finding another job's a pain, but the world would have been a slightly better place.

As for 'researchers' who write viruses...bleh.

It never paid the bills at McAfee Associates. It was the real viruses, Stoned, Brain, Jerusalem, Disk Killer, and Michelangelo viruses that destroyed people's data, slowed their computers down, and basically made users' lives hell, that 'paid the bills', for us to find them, and remove them. To try to help folks.

Nobody I know who worked at McAfee Associates from when I joined on, wrote even a 'concept' virus while employed there. I understand one employee pre-my tenure had (a Friday the 13th type), but when I joined (at around 8 employees), they were no longer with the company. (They were with Norton, in fact. ;) )

I wholeheartedly approve of security research, but 'Vinoo' is right; when they're submitted to AV companies, it's usually far more about chest-thumping than anything else.

And if someone's going to 'sell their research to the criminal market' in the first place, they're just criminals, not researchers, and deserve the finger they get.

-- Morgan

Muard said...

great......ur point of view is appluasible & full of courage....I have also heard about this....how business makes crazy the people...........I think anti virus company is actually liable for virus creating sometimes....

WabiSabi Labi said...

we think (and we hope) that it's just some metropolitan legend