The Anti-Virus Industry Scam
Richard Forno

15 February 2004
Copyright (c) 2004 by Author.  Permission granted to reproduce with credit.

One has to wonder how the anti-virus industry sleeps well at night. On one
hand, it purports to serve the world by defending our computers and networks
from any number of electronic critters and malicious code. On the other
hand, sometimes its "cure" is worse than the problem its companies and
products allegedly treat. Add to that a decades-old concern over business,
market share, and publicity, and you have all the ingredients for a confused
industry, product, and service. This situation regularly benefits the
antivirus software industry and victimizes its customers.

Let's start with malicious code outbreaks in general. Unlike hurricanes and
tsunamis, there is no standard way of naming malicious code -- and this is
perhaps the greatest problem facing the antivirus industry. Gone are the days
when simple names like "Jerusalem", "Michelangelo" and "Stoned" were accepted
and used by all antivirus vendors and their products. Today, what one
company calls "Worm_Minmail.R" another calls "W32.Novarg" -- someone else
calls it "[EMAIL PROTECTED]" and another may classify the same thing as
"W32/MyDoom." What is needed is a return to an industry-wide nomenclature for
malicious code that all vendors can use in describing their products, making
the reporting, analysis, and resolution of such outbreaks easier and more
productive for customers and researchers alike.

Then there's the matter of marketing and mindshare. First and foremost,
antivirus vendors are in business to make money, and it behooves them to
capitalize on as much free publicity as they can. Thus, with each new
outbreak we see vendors stumbling all over themselves to be the "first to
detect and defend" against the latest malicious code, which probably explains
why there's still no standard outbreak naming scheme after nearly two
decades. From press releases to interviews on television, radio, and in
newspapers, antivirus industry executives race to establish their companies
and products as the most vigilant and capable on the market, an activity
often made more amusing when backed by questionable, if not fabricated,
statistics and predicted damage assessments (usually in the billions of
dollars) from each outbreak -- and almost always followed by a pitch
espousing the cost-effective security that only their products provide.

As a result of antivirus industry marketing, customer ignorance, and
easily-exploitable operating systems and enterprise servers, it's rare to
find a wired organization without antivirus software on its mail servers
or corporate gateways. These sensors are on constant prowl for the latest
malicious code attack and are intended to defend their host network from
future outbreaks based on existing attack signatures. In other words, these
products only defend against what they already know how to detect; meaning
that unless a network administrator keeps his antivirus software current
(sometimes on a daily basis), it's quite easy for the "next best" attack to
create havoc on his allegedly-protected network, much to the satisfaction of
the antivirus industry. Then the game begins afresh -- while costs mount for
customers and profits rise for antivirus software vendors.

More to the point -- in the case of e-mail-borne outbreaks, when these
sensors detect a piece of malicious code, they generate an error message
back to whomever the server *thinks* sent the message, obviously ignoring
the fact that the majority of such alleged users had absolutely nothing to
do with the outbreak, or that their e-mail address was harvested (or
spoofed) from someone else's inbox as they got infected. Accordingly,
large segments of the Internet receive automatically-generated virus alert
messages blaming them for something they likely didn't do; a situation made
worse when receiving different alerts from different products that use a
different name for the same attack!

Not only is there no standard nomenclature for "virus detected" messages
from antivirus servers but these "virus detected" messages themselves often
function as surrogate attack mechanisms. Sometimes this message is a clear
warning in plain text, and other times it's full of cryptic jargon.
Incredibly, some products even return a warning message with the malicious
code still attached -- meaning a greater chance of propagating the outbreak
it's trying to mitigate! (Security consultant Brian Martin provides a
fantastic discussion of this issue at Attrition.Org.)

Handling the sheer volume of such server-generated "virus detected" messages
can be a daunting task. Early in the recent Novarg incident, I received 319
such messages during a twenty-four hour period, including many that were
still infected with the worm. Now imagine a user on a pokey dial-up line or
a CIO supporting an enterprise with thousands of users on high-speed
networks and with systems that never sleep. Of course, users may be tempted
to filter all server error messages, but that's not a reliable solution
because doing so would also block legitimate mail server error messages
(e.g., if the intended recipient has moved or has a full mailbox). Ergo,
we're stuck with a large number of diverse-yet-related server error messages
that clog bandwidth and require dedicated time to develop and test custom
filters that still let legitimate error messages pass.

How many such "virus detected" messages must be received before a malicious
code event becomes a denial of service one? How about when antivirus
software sends a "virus detected" message containing the detected malicious
code (and spreads the outbreak) to a third party? At what point does the
antivirus software become more of a problem for the Internet than the
original outbreak? Should antivirus servers also exhibit responsibility to
the Internet community at large by not propagating detected malicious code
elsewhere? Even if we're not directly attacked, the collateral damage from a
malicious code outbreak costs us time and money to remedy. (Antivirus
vendors take note.)

If antivirus products were built with customers in mind, all would generate
a similar message that could be filtered by customer system administrators
to help reduce the amount of "noise" and collateral damage experienced
during a malicious code outbreak. Martin discusses fifteen different "virus
detected" messages that he encountered during the Novarg incident -- had
there been a standard message, users and system administrators would have a
far easier time addressing the outbreak itself instead of also dealing with
a sizable volume of hard-to-filter e-mail detritus. If anyone wants to help
draft an RFC on this, please contact me -- we can help bring order to this
vendor-instituted chaos. (As it is, a few power users have written
Unix-based procmail rules to remedy this, but it's not an easy solution for
the average user.)
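As an added example (not part of Forno's essay, and not anyone's procmail rules), here is the kind of filter the two preceding paragraphs call for: it keeps genuine RFC 3464 delivery-status notifications (full mailbox, unknown user) while filing away vendor "virus detected" notices, and separately flags notices that still carry an attachment. The subject phrases and the three sample messages are constructed assumptions.

```python
# Sorts inbound mail so AV notices can be filed away without dropping real
# RFC 3464 bounces. The subject hints and sample messages are constructed.
from email import message_from_string

AV_HINTS = ("virus detected", "virus alert", "security advisory")  # assumed
RISKY_EXT = (".exe", ".scr", ".pif", ".zip", ".bat", ".com")

def classify(raw: str) -> str:
    """Return 'dsn', 'av-notice', 'av-notice-with-sample' or 'normal'."""
    msg = message_from_string(raw)
    # A genuine delivery-status notification (full mailbox, unknown user):
    # keep it, since blanket filtering of bounces would lose these.
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status"):
        return "dsn"
    if any(h in (msg.get("Subject") or "").lower() for h in AV_HINTS):
        # Worst case from the article: the notice still carries the sample.
        for part in msg.walk():
            if (part.get_filename() or "").lower().endswith(RISKY_EXT):
                return "av-notice-with-sample"
        return "av-notice"
    return "normal"

DSN = """From: MAILER-DAEMON@example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Action: failed
--b1--
"""

AV_WITH_SAMPLE = """From: antivirus@example.com
Subject: VIRUS DETECTED in your message
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: application/zip; name="document.zip"
Content-Disposition: attachment; filename="document.zip"

UEsDBBQAAAAIAA==
--b2--
"""

AV_PLAIN = """From: antivirus@example.com
Subject: Security Advisory: Worm_Minmail.R

Your message contained a virus and was not delivered.
"""
```

A real deployment would feed `classify()` from a procmail or Sieve hook and route "av-notice*" results to a quarantine folder, leaving "dsn" and "normal" mail untouched.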

Finally, there's the ethics of the antivirus industry. Martin shows several
vendors blatantly advertising their products in their server-generated
"virus detected" messages, and also using malicious code outbreaks to hawk
their overall product lines through unsolicited e-mails (i.e., spam) bearing
a subject line of "Security Advisory" and the name of the latest outbreak.
Is this "advisory" really for the benefit of the internet community or the
antivirus product vendor? It's like an airline releasing post-September-11
advertisements saying "Security Alert: Hijackings can be prevented -- come
fly with us, our cockpit doors are reinforced and the best in the industry!"

The Novarg incident clearly underscores the need for reform in the antivirus
industry. A few industry-wide reforms, such as those mentioned in this
article, will go a long way toward making the antivirus industry both more
reputable and useful for its customers while truly improving security on the
Internet. These changes are not difficult to implement and can be done on
the cheap. Unfortunately, absent such changes, as recent events show, the
antivirus industry will continue contributing significantly to internet
security problems instead of helping reduce them.

# # # # #

Richard Forno is a Washington, DC-based security consultant and author of
"Weapons of Mass Delusion." His home in cyberspace is at

You are a subscribed member of the infowarrior list. Visit for 
list information or to unsubscribe. This message may be redistributed freely in its 
entirety. Any and all copyrights appearing in list messages are maintained by their 
respective owners.