From: Richard Loosemore (rpwl@lightlink.com)
Date: Tue Oct 18 2005 - 14:20:36 MDT

Phil Goetz wrote:
>>McAfee might not publish the code to computer viruses but they are
>>freely available elsewhere. I wouldn't be surprised if McAfee
>>mirrored these virus code repositories for their own understanding,
>>and to help them make a better product.
>
>
> I don't support releasing the flu genome - but the parallel with
> computer viruses doesn't support my position. I spent several
> days trying to acquire a computer virus library for a grant proposal
> in which I had to show that I had one available. Only a relatively
> small number of computer viruses (dozens) are publicly available in
> only a few places. However, vast libraries of computer viruses exist
> (up to 50,000 in a library), in two places: at antivirus software
> companies, and in the hands of virus-writers and virus fans who
> trade viruses the way people used to trade software.
>
> The demographics of these groups are interesting.
> Antivirus software companies exist primarily in the same countries
> in which virus-writers live in large numbers, and antivirus
> professionals frequently interact with, know, or are virus-writers.
> Not a single antivirus company has been established in the US
> since the 1980s AFAIK; several dozen have sprung up overseas,
> primarily in Eastern Europe. Virus research conferences in the US
> are irrelevant academic meetings, since the people who actually write
> antivirus software, other than McAfee and Symantec/Norton and one
> other I forget, no longer bother to attend US meetings.
> I don't know why this happened, so I don't know if real-world
> virus/antivirus research may develop similar demographics.
>
> - Phil

You know, I am not sure I believe much of this.....

I used to be an anti-virus software developer (for some outfit whose
name I forget, which was then bought by Dr Solomon's software, which
then became part of some conglomerate whose name I forget).

I attended the primary AV conference in the late 90s, and believe me
most of the AV folks were there, from all over the world. It certainly
was not an irrelevant academic meeting at that time. Maybe it's changed
since then, I don't know.

As for the stuff about "antivirus professionals frequently interact
with, know, or are virus-writers" this is an urban myth, as far as I can
tell, and it used to piss us off a lot. Antivirus professionals are, in
my experience, unusually ethical people who are waging a war against the
bad guys, and take it very seriously.

I can put this in perspective, with a little evidence. The large
proportion of viruses seem to come from places like Indonesia (no AV
companies out there), and one thing we would see time and time again was
virus code that was dreadfully, hideously badly written. It would just
break our hearts to look at virus code where we could tell what the bozo
was trying to do but we could see that he completely screwed it up.

This was true of 99% of the cases: the virus writers were pathetically
incompetent. Looking at their code, we used to joke that *we* could
have written the code properly. We often talked about how we could have
written a sleeper virus that spread itself around the world and lurked
for several months, then erased hard drives on half the world's
computers; such a thing is entirely possible, almost trivial.

Any one of us AV people could have written several hundred extremely
effective, devastating viruses by just taking those bollixed examples
coming out of Indonesia and fixing them up.

So why are there not any really well-written, devastating viruses?
Because the AV people are NOT the switch-hitters that people think they
are! They do not moonlight as virus writers.

It's a shame: it makes such a good story to believe that the AV folks
are helping the virus writers in order to line their own pockets. It's
just that it isn't true.

Just my halfpenny's worth.

Richard Loosemore.
This archive was generated by hypermail 2.1.5 : Tue Feb 21 2006 - 04:23:13 MST