In association with heise online

29 August 2006, 19:22

Thou shalt not create new viruses

This commandment is viewed in the anti-virus community as an unbreachable taboo. Anyone who offends against this will be dealt with - they are no longer one of the good guys. This self-imposed restriction, in itself a sensible measure, is however currently being used by anti-virus manufacturers to talk up a storm against independent tests.

ConsumerReports - an American consumer testing organisation - is currently the subject of concerted criticism. They dared to modify known viruses on a grand scale for an anti-virus software test. The fact that these did not find their way into the wild doesn't seem to matter to the critics.

Experts from McAfee, Sophos and Kaspersky are queuing up to heap ever greater condemnation on this supposed taboo-busting. McAfee's Igor Muttik self-righteously asks, "Shall we all write viruses to find the best antivirus?" Graham Cluley from Sophos joins in with, "With over 185,000 viruses in existence was it really necessary for this magazine to create 5,000 more?". Both apparently fail to notice that they sound like Mercedes dealers complaining about the 'elk test' – arguing that there are enough real accidents to analyze the safety measures of their cars.

It is clearly necessary nowadays to test anti-virus software using new malware! Known viruses no longer represent any great danger for users with anti-virus software - pretty much every product will recognise them reliably. The real danger lies with the estimated 250 new malware programs that are released every day. And recognising these as a threat is where many anti-virus products still fail miserably.

It is in fact shockingly easy to modify an existing virus so that it is no longer recognised by an anti-virus scanner from its signature alone. What woke me up to this fact was when I created a "new virus", unrecognisable to many anti-virus scanners, from what was at the time the relatively new "I love you" virus, simply by finding and replacing variable names. Regular tests in c't using trivial CIH, Optix and RDBot variants confirm this result even today. Naturally this is something the anti-virus industry does not want to hear. They're happier grabbing hold of the nearest propaganda stick by comparing, like Cluley, the testers with arsonists.
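The find-and-replace trick described above, as an added example that is not code from the original column or from any of the products it names: a toy scanner that stores a literal byte signature of a known sample, a consistent rename of three variable names in that sample, and a second scanner that normalises identifiers before hashing and is therefore unaffected by the rename. The sample script, the ANCHORS set and all function names are assumptions constructed for this illustration; the sample itself is harmless (it lists a directory), because only its identifier names matter here.

```python
import hashlib
import re

# Constructed, harmless stand-in for a script sample: it lists a directory.
# Only its identifier names matter for the demonstration.
ORIGINAL_SAMPLE = '''
import os
target_dir = os.path.expanduser("~")
names = os.listdir(target_dir)
for entry in names:
    print(entry)
'''

# A literal byte-pattern "signature", the way a purely pattern-based scanner
# would record the known sample above.
LITERAL_SIGNATURE = b'names = os.listdir(target_dir)'

# Identifier tokens treated as anchors (keywords and library names) and left
# untouched by normalisation. This set is an assumption of the example,
# chosen to fit the sample above.
ANCHORS = {"import", "for", "in", "print", "os", "path", "expanduser", "listdir"}

# String literal, identifier, or any single non-space character.
TOKEN_RE = re.compile(r'"[^"]*"|[A-Za-z_]\w*|\S')


def literal_scan(sample: str, signature: bytes = LITERAL_SIGNATURE) -> bool:
    """Exact-substring match: the weakest form of signature detection."""
    return signature in sample.encode()


def rename_variables(sample: str, mapping: dict) -> str:
    """Consistent whole-word find-and-replace of identifiers, the edit the
    column describes as enough to slip past a signature scanner."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, mapping)) + r")\b")
    return pattern.sub(lambda m: mapping[m.group(1)], sample)


def normalised_fingerprint(sample: str) -> str:
    """Alpha-renaming-invariant fingerprint: every non-anchor identifier is
    replaced by ID<n> in order of first appearance, so a consistent rename of
    variables leaves the token stream, and therefore the hash, unchanged."""
    ids = {}
    tokens = []
    for tok in TOKEN_RE.findall(sample):
        if re.fullmatch(r"[A-Za-z_]\w*", tok) and tok not in ANCHORS:
            tok = ids.setdefault(tok, f"ID{len(ids)}")
        tokens.append(tok)
    return hashlib.sha256(" ".join(tokens).encode()).hexdigest()


def normalised_scan(sample: str, known_fingerprint: str) -> bool:
    """Detection by normalised fingerprint instead of literal bytes."""
    return normalised_fingerprint(sample) == known_fingerprint


# The "new virus": the same sample with three variable names swapped.
VARIANT = rename_variables(
    ORIGINAL_SAMPLE, {"target_dir": "a1", "names": "a2", "entry": "a3"}
)
KNOWN_FINGERPRINT = normalised_fingerprint(ORIGINAL_SAMPLE)


def demo() -> dict:
    """Run both scanners over the original and the renamed variant."""
    return {
        "literal_detects_original": literal_scan(ORIGINAL_SAMPLE),
        "literal_detects_variant": literal_scan(VARIANT),
        "normalised_detects_original": normalised_scan(ORIGINAL_SAMPLE, KNOWN_FINGERPRINT),
        "normalised_detects_variant": normalised_scan(VARIANT, KNOWN_FINGERPRINT),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```

The normalised fingerprint survives exactly the variant shown and nothing more: inserting a no-op statement or swapping two lines changes the token stream and defeats it just as the rename defeated the literal signature. That is the practical point of testing with self-made variants rather than replaying known samples: only by trying the edit yourself do you learn which trivial change a given detection logic survives and which one it does not.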

As the alternative to self-generated viruses, anti-virus manufacturers extol the virtues of 'retrospective tests', in which scanners with outdated signatures are required to recognise current viruses. This otherwise quite reasonable approach does have one decisive disadvantage - virus writers influence the results. A typical virus writer will keep modifying his new viruses until scanners ABC and DEF no longer detect them. Scanner XYZ, which he does not use, in contrast has a good chance of continuing to detect the new viruses without an update and will therefore, for this reason alone, tend to fare better in these tests. Furthermore, such tests tell you nothing about the way the program works. Only when you have tried it yourself can you realistically estimate how easy or difficult it is to trick a virus scanner. It is therefore indispensable that retrospective tests are at least verified by using self-generated malware variants.

Naturally the creation of test viruses carries with it a high degree of responsibility. On the one hand, it is essential to ensure that new viruses do not leak into the wild. On the other hand, it is important not to outdo virus writers with "even better" creations, so spurring them on or even giving them new ideas.

Whether or not the ConsumerReports test was actually carried out in a sensible manner is something I cannot evaluate, and is anyway not the issue here. I am merely saying that the commandment "Thou shalt not create new viruses" is a sensible self-imposed commitment by the manufacturers of anti-virus software, which prevents them from creating an atmosphere of threat to promote their products. In contrast, meaningful comparative testing of anti-virus software requires that testers work with self-generated virus variants. Anyone condemning such tests in general is certainly not doing so in the interests of the user.

Jürgen Schmidt
