[conspire] Lessons of twelve years ago
Rick Moen
rick at linuxmafia.com
Mon Oct 23 09:53:31 PDT 2017
Twelve years further on, and people are _still_ outsourcing their
thinking to proprietary antimalware companies proven eager to
deliberately sell them out and turn a blind eye to malware if it
is distributed by the 'right' people.
----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----
Date: Mon, 23 Oct 2017 09:45:49 -0700
From: Rick Moen <rick at linuxmafia.com>
To: lug-nuts at saclug.org
Subject: Re: [Lug-nuts] test
Organization: If you lived here, you'd be $HOME already.
Quoting linus at fullsack.com (linus at fullsack.com):
> Their reputation is. "A vast bot net".
> https://arstechnica.com/information-technology/2017/09/ccleaner-backdoor-infecting-millions-delivered-mystery-payload-to-40-pcs/
I've always been intrigued by the mental model of proprietary
anti-malware software: 'Install with superuser authority a piece of
unauditable software from people you know nothing about and have zero
reason to trust, and hope they'll do good things for you.' I mean,
what could possibly go wrong? ;->
Remember the Sony malware? The First 4 Internet XCP rootkit Sony BMG
Music Entertainment deliberately distributed on 22 million CDs to
security-compromise customers' Windows machines and modify the OSes to
prevent audio CD-ripping/copying?
https://www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html
When caught doing this, Sony attempted to defend itself by claiming it
was entitled to break into customers' machines to prevent 'piracy'
(after first pretending it wasn't a rootkit and releasing a 'fix' that
didn't remove it), but the _really_ interesting bit was to note the role
of the anti-malware companies in this.
I'll just quote Bruce Schneier:
What do you think of your antivirus company, the one that didn't
notice Sony's rootkit as it infected half a million computers? And this
isn't one of those lightning-fast internet worms; this one has been
spreading since mid-2004. Because it spread through infected CDs, not
through internet connections, they didn't notice? This is exactly the
kind of thing we're paying those companies to detect -- especially
because the rootkit was phoning home.
But much worse than not detecting it before Russinovich's discovery was
the deafening silence that followed. When a new piece of malware is
found, security companies fall over themselves to clean our computers
and inoculate our networks. Not in this case.
McAfee didn't add detection code until Nov. 9, and as of Nov. 15 it
doesn't remove the rootkit, only the cloaking device. The company admits
on its web page that this is a lousy compromise. "McAfee detects,
removes and prevents reinstallation of XCP." That's the cloaking code.
"Please note that removal will not impair the copyright-protection
mechanisms installed from the CD. There have been reports of system
crashes possibly resulting from uninstalling XCP." Thanks for the
warning.
Symantec's response to the rootkit has, to put it kindly, evolved. At
first the company didn't consider XCP malware at all. It wasn't until
Nov. 11 that Symantec posted a tool to remove the cloaking. As of Nov.
15, it is still wishy-washy about it, explaining that "this rootkit was
designed to hide a legitimate application, but it can be used to hide
other objects, including malicious software."
The only thing that makes this rootkit legitimate is that a
multinational corporation put it on your computer, not a criminal
organization.
You might expect Microsoft to be the first company to condemn this
rootkit. After all, XCP corrupts Windows' internals in a pretty nasty
way. It's the sort of behavior that could easily lead to system crashes
-- crashes that customers would blame on Microsoft. But it wasn't until
Nov. 13, when public pressure was just too great to ignore, that
Microsoft announced it would update its security tools to detect and
remove the cloaking portion of the rootkit.
Perhaps the only security company that deserves praise is F-Secure, the
first and the loudest critic of Sony's actions. And Sysinternals, of
course, which hosts Russinovich's blog and brought this to light.
Everyone else sold their customers out. In fact, according to a
Cnet news.com story at the time (mentioned in comments to the Schneier
article), "The company's [First 4 Internet] team has worked regularly
with big antivirus companies to ensure the safety of its software, and
to make sure it is not picked up as a virus, he said."
I should add that another exception was ClamAV, the open-source malware
scanner, which IIRC also did the right thing. And, there is also some
reason to think that even F-Secure added detection of the rootkit only
because they figured out the gig was up, not because they were acting
on behalf of their customers:
https://web.archive.org/web/20051202044828/http://www.businessweek.com/technology/content/nov2005/tc20051129_938966.htm
----- End forwarded message -----