Consumer Reports Creates Viruses to Test Software 241
Maximum Prophet writes to mention an MSNBC article about a Consumer Reports plan to test anti-virus software by creating viruses. Security companies are objecting, on the grounds that it's a generally accepted practice not to create viruses for any reason. From the article: "Consumer Reports didn't create thousands of new viruses from scratch. Rather, it took a handful of existing viruses and created hundreds of slight variants, changing the malicious programs just enough to evade detection by an antivirus program with a list of known threats. That's a common trick in the virus writing world; it's standard for a successful virus to inspire dozens of variants. "
Of course they are... (Score:5, Insightful)
Re: (Score:3, Informative)
I wish I still had mod points, that is the funniest thing I've read today!
Re: (Score:3)
Who won ?
Re:Of course they are... (Score:5, Funny)
The viruses.
Re:Of course they are... (Score:5, Funny)
Why does Consumer Reports hate America?
Re:Of course they are... (Score:5, Insightful)
Re:Of course they are... (Score:4, Insightful)
The vulnerabilities do exist; they're just not being exploited nearly as much. Of course, run-of-the-mill signature-based antivirus software is equally flawed, as Consumer Reports has shown and security geeks have already known.
Re:Of course they are... (Score:5, Insightful)
Of course, Consumer Reports is almost certainly responsible enough to address this issue and point out to people that it's really a reason why they need to be updating their virus definitions as frequently as is practical.
The real thing is (Score:5, Interesting)
That's what they are afraid of. Not that it will be revealed their software does nothing, it does work, just that there is cheaper software that works better.
Re:The real thing is (Score:5, Interesting)
Because it's not 100% (Score:5, Insightful)
There's no magic bullet, there's no "buy this once and be secure forever" kind of solution, but there are better and worse ones out there. Bitdefender and AVG (probably others those are just the two I know) are reasonably good at stopping new, unknown variants. Synametc, well not so good.
Re: (Score:2)
Which could be why it was one of the top-ranked AVs in the CR tests (if my memory serves me correctly; I have the magazine at home).
Re: (Score:3, Informative)
Let's call a spade a spade here (Score:2, Interesting)
For the one machine I have at home that has to use winbloze I use 98 and have since, well, 98. Although it has in typical MS fashion shit itself a few times it has NEVER become infected. Not once.
Other than an ill fated XP experiment here briefly t
Re: (Score:2)
Re: (Score:3, Interesting)
Not even close to true, although it is the only current operating system with those characteristics and frankly, if you're installing XPSP2, that's not true either, because you're firewalled by default. Still, I've actually seen it happen to Win2k...
You have made a sp2 slipstream CD, yes?
Re: (Score:3, Funny)
And think of all the furry kittens that would die!
Re: (Score:2)
Testing security only emboldens the terrorists!
And think of all the furry kittens that would die!
Yeah, but think of all the hairy software that's dying out there every day!
Re:Of course they are... (Score:5, Insightful)
Re: (Score:2)
Re:Of course they are... (Score:4, Funny)
Re:Of course they are... (Score:5, Insightful)
I also had to quote this sentence because it's so silly. It's generally accepted practice by people who don't create viruses. Obviously a lot of people are creating viruses whether blackhat or whitehat or greyhat. Now where's my MAD magazine?
Re:Of course they are... (Score:5, Insightful)
It was generally accepted practice for 50 years not to crash perfectly good cars. Until we started learning that we could protect the occupants of said cars better by finding out where the weak points were...by crashing perfectly good cars.
What are Symantec. et al afraid of?
Re:Of course they are... (Score:5, Funny)
Re: (Score:2)
That huge flaw will be found out and consumer will demand change.
Re:Of course they are... (Score:5, Funny)
Yes, it's one of the French benefits.
Conspiracy! (Score:3, Funny)
Re: (Score:3, Funny)
Well, it is a conspiracy, but not the one you think. This is actually about the Masons, who are secretly behind the publishing deal for Dan Brown's upcoming book. I mean, what world-dominating secret society wouldn't want a piece of that action? Once their Masonware attack is launched, all web traffic will go through a link that tacks their affiliate code onto inbound Amazon
Re: (Score:2)
Re:Conspiracy! (Score:5, Funny)
On the other hand, ever notice the hypnotic patterns made by the Shriners in their little cars? Did you really think that NO CARRIER
Re:Conspiracy! (Score:4, Funny)
They're also in a race against Dom DeLuise, Jamie Farr dressed as The Sheik, Jackie Chan in a Mitsubishi supercar that can go underwater and some babes in a Countach. Wait, I might have that mixed up.
Anyway, in a post-9/11 world, at least we know they're definitely in a race against terror. Or is that a war against terror? No, that's a war against drugs. Oh I can never remember these things. I should turn on Fox News and let them tell me what we're fighting for again.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Funny)
1st comment?! (Score:5, Insightful)
You know you're in trouble when Consumer Reports is pointing out that your software is worthless. As just about every /.er knows, pattern / signature based detection is all too easily circumvented. Unfortunately it's pretty much all we have. It has been my experience that enabling Heuristic based detection (in Symantec Corporate AV) at any level other than the default just leads to too many false positives.
Re: (Score:2)
No it isn't, we also have "capabilities" or whatever they're called, where your application is granted by the OS only those rights/abilities it actually needs. This approach has the potential to protect your system from anything short of a kernel-level exploit (like the wifi thing going on now.)
It is their property (Score:4, Insightful)
Re: (Score:3, Funny)
Oh wait a minute, maybe that is who they hired. Never mind.
Crying Wolf? (Score:3, Informative)
Seriously, it's not like these will ever exist outside of a lab, right? And if they do, the AV companies won't have any problem finding the source code, will they?
Isn't that kind of like telling the insurence institue that they can't change their car crash tests because car makers designed their cars only for specific crash tests? Gee, better not create anything that a car might
Re: (Score:2)
Sure, but the lock on the cabinet was made by the same people who made the locks on those FEMA trailers.
Isn't that what Morris claimed about the worm? (Score:2)
Seriously, it's not like these will ever exist outside of a lab, right?
And as I recall that's what Morris claimed about the internet mail worm, too: That he was experimenting with it on a set of local computers and it got out accidentally due to a connection he wasn't aware of or hadn't properly shut off.
(The timing of when it got out (when most of the relevant people for fightin
Corporate Honesty (Score:3, Insightful)
Re:Corporate Honesty (Score:5, Informative)
It could be fun to watch an anti-virus software company face CR in court. It would be at least as entertaining as the SCO soap opera. Maybe
If the accept liability (Score:5, Interesting)
Catching them after they are out is easy. The consumer really has so very little to go on from a "trusted source" in regards to virus scanning that the obscurity benefits the AVG companies. With a little more light on the subject we all benefit, all except the AVG companies. Guarantee that whomever CR picks is going to parade that around regardless of their stance before testing occurs.
Again, if CR is willing to accept liability for one of their tests getting out into the wild then I say go for it! Perhaps they should register their "new toys" with someone for backup? Of course that makes for another hole too.
Speaking as one who has been burned... (Score:4, Interesting)
If they can guarantee containment, of course, a virus is completely harmless to the rest of the world. The problem comes when containment is breached because of something you didn't think of - and the problem with things you didn't think of, is that you didn't think of them [grin].
Simon (now a thoroughly-reformed character, honest guv)
Re:Speaking as one who has been burned... (Score:5, Insightful)
How hard is it to unplug a network cable in your world? Don't use a machine with a WiFi card. Low level wipe the drives from a bootable CD when you're done. Not really rocket science.
Re: (Score:2)
Re: (Score:2, Funny)
Re:Speaking as one who has been burned... (Score:4, Insightful)
So, we had a general routine to write a !boot (an autoexec-on-read-the-media) file, and hadn't considered the sequence of events of:
So, even though we knew exactly what it was capable of, we hadn't considered the actions of one of those infected, and *that* caused us problems. It's not the capabilities that changed, it's the environment. You don't tend to find that out until you've hit the problem, or you would have dealt with it in the source code - that's all I'm saying...
Oh, and I'm sure they'll take a more-responsible attitude than we had, we *were* 1st-year students...
Simon.
Re: (Score:3, Funny)
1. Put five computers without CDRW, DVDRW, floppy or USB drives in small room. (And physically crush, mangle, destroy, or clog with superglue any
Re: (Score:2)
It's just like working with an RL virus. You've got to take precautions unless you want to catch it yourself.
Re: (Score:2)
Re: (Score:2)
Hey, if it's good for AV products... (Score:5, Funny)
Be sure to read our other Consumer Reports articles, where we:
- and -
Thanks, Consumer Reports. Thanks bunches.
Re:Hey, if it's good for AV products... (Score:5, Funny)
Hey, there has to be something out there that security penetration testers can moonlight in, right?
Steve Martin Philanthropy (Score:2)
Re:Hey, if it's good for AV products... (Score:5, Insightful)
Re: (Score:2)
Creepy, but fine.
Re: (Score:2)
This is easily resolved. Don't test in a country with a constitution similar to the U.S. Or use terrorists, since they're obviously not the people mentioned in the U.S. Constitution, as defined by the current administration. Either way.
Re: (Score:2, Troll)
Thanks bunches.
Re: (Score:2)
Now I want a job at consumer reports!
Claims shouldn't be verified (Score:5, Insightful)
Nitpick (Score:2)
Re: (Score:2, Funny)
That's rich... (Score:2)
There's no good reason to object to this (Score:5, Insightful)
2) Why not vet your software against somebody else's test suite? If CR wants to function as an extension of Symantec's R&D, let 'em. It's a win-win.
The horror! Real world testing without pr spin! (Score:2, Insightful)
Symantec et al. are stupid (Score:5, Interesting)
You mean they aren't already doing this internally? If not... what the hell are they doing all day? If they're just being reactive without testing their software against possible variants then their software isn't really useful. Though frankly I find antivirus software to be a cure worse than the disease. A 1/100 chance I'll get a virus that does bad things to my computer, or a 100% chance that my computer will run like crap due to NAV.
Solution? Backup all my documents (mostly pics) to a dvd monthly and trust my Linux box firewall/router/proxy to keep the bad bits out.
Re: (Score:2)
Perhaps it's your "pics" which cause the viruses.
Re: (Score:2)
According to the article...
Universally, companies say they won't hire former virus writers, and they follow gentleman's agreements to share discovery of dangerous programs with each other
Which in my mind means that they are basically self-flaggelating each other. No particular surprise there, companies in other security industries have similar issues of arrogance regarding what they do, their processes and pro
eicar already has a test file (Score:3, Interesting)
http://www.eicar.org/anti_virus_test_file.htm [eicar.org]
Eicar file is of limited use (Score:4, Informative)
Not a big deal (Score:3, Insightful)
What's the big deal here? A bunch of Windows computer with antivirus software running in a closed off network as to benchmark some programs. Happens with games, office software etc... nothing to see here, please move along.
Of course this way you also get stories (hoax, urban legends) like the one about Symantec releasing virusses to sell their software...
Re: (Score:2)
Aren't you thinking of "V for Vendetta"?
Re: (Score:2)
Good Idea (Score:5, Insightful)
Its been a long time since someone outside of Norton has talked about how good a Norton product is, but they've been in the game for such a long time that they are trusted by the general public to do their job. I wonder how many would uninstall if Consumer Reports said that their product was utter crap? Or rather, how many would try to uninstall only to find that the uninstaller is broken too?
How well did they do it? (Score:5, Insightful)
As a CR subscriber, I am utterly amazed that they even had the IDEA to construct a test like that, much less actually find capable programmers and do it. Perhaps that security company cold-called them and suggested it?
CR's technology reviews are often wrong in ways that would be laughable if they weren't so influential. Off the top of my head:
Has anyone here heard of this "Independent Security Evaluators" biz? I wonder how many of the viruses were still functional (not just infectious) after twiddling.
Re: (Score:2)
In CR's defense this is a problem for virtually every print magazine. The internet has made it possible to publish reviews of hardware before it even reaches the store. Between the testing time and the lag time up to printing and distribution months may have passed.
Outdated hardware (Score:4, Interesting)
Re: (Score:2)
At least it wasn't a three-digit percentage....
Mac Viruses & Spyware (Score:3, Interesting)
This would be like studying the mechanisms of natural selection by way of a survey. Hey, whaddyaknow, turns out there's no such thing as evolution, a s
Re:Mac Viruses & Spyware (Score:2)
Over on GardenHoseDot they are saying exactly the same thing - CR's survey of garden hoses makes the mistake of confusing kinks with twisted loops. They
Re: (Score:2)
What Virus Detection Co's dont want you to know (Score:2)
This one is REALLY obvious. Consumer reports is going to prove that these security products can't detect things they haven't seen before and the Virus detection companies don't want you to know their dirty little secret, i.e. this stuff only works after the cow is out of the barn, i.e. a virus has already been seen in the wild, measured, and characterized.
Anti-virus doesn't work (Score:2, Insightful)
Re: (Score:2)
That's weird. Is it just the demo version? I've never had any anti-virus software ever detect ANY viruses (false positive or not) on ANY machine I've ever worked on since the old days of floppy viruses.
What kinds of things were you doing to trigger it?
Real Engineering (Score:2, Insightful)
It's the duty of every engineer (those that can rightfully call themseleves engineers) to protect the public.
Clearly, classical antivirus software is not protecting us. Kudos to these folks for pointing out what should be the painfully obvious.
How else do you test against new virus varients? (Score:2)
All these years I've assumed that AV Companies created hundreds of virus varients in a closed lab somewhere so that they could proactively test their product against against new probable varients? How does McAfee anticipate new threats? Do they wait for a new virus to be released into
Results (Score:2)
Here are the scores:
BitDefender Standard - 87
Zone Labs ZoneAlarm Antivirus - 85
Kaspersky Labs Anti-Virus Personal - 82
Norton Antivirus - 80
Norton Antivirus for Macintosh - 80
McAfee ViruScan - 77
Trend Micro PC-cillin Internet Security - 75
Alwil Avast! Antivirus - 68
F-Secure Anti-Virus - 66
Panda Software Titanium AV - 64
CA/eTrust EZ Antivirus - 57
PC Tools AntiVirus - 41
However, I don't have a lot of faith in CR's ability to rank high tech items.
Re: (Score:2)
Bravo, Consumer Reports (Score:5, Insightful)
1. They pay their own way. They purchase *all* of the products that they test and destroy, since cozying up to get sample products would tarnish their credibility.
2. They don't accept any advertising dollars within their magazine, since that might bias their reporting and tarnish their credibility.
3. They take a strong stand on protecting consumers beyond just good product recommendations. They do editorials and special reports on subjects that
When my gift subscription runs out, I plan on purchasing my own. Not only because I find the product articles useful and interesting; but because the Consumer's Union does other good things with my money.
Re: (Score:2)
Seriously, I don't care if my stereo's power cord comes wrapped in its own plastic bag.
I generally like CR, but it seems like every time they review something I personally know about, they screw it up. It's possible that my area of interest, technology, is the only glaring hole in their testing ability, but that seems somewhat unlikely.
Scare Marketing (Score:2)
Consumer Reports knows this also. This article is probably going to be geared to cause controversy. They can splash on their cover "What you don't know about your AV software!" and scare the crap out of every AOL Mom with a $499 Dell Desktop. This is just a type of marketing and it sells magazines. If I was a major AV producer I would be calling foul to
It's not "plan to", CR already did it. (Score:3, Informative)
TFA says "Consumer Reports recently conducted one of the most thorough tests ever of antivirus programs. But to really put these security programs through the paces, the magazine hired a firm to create 5,500 new viruses, using them to test the antivirus software products for their ability to detect unexpected threats."
By the way: "In the results, McAfee scored in the middle of the pack. BitDefender and Zone Labs scored at the top, in part for the two program's abilities to detect new viruses."
Consumers Union and Linux (Score:2)
You would think that the advantages of Linux and BSD would make it a natural choice for an organization that tries to help the consumer to get the best deal available. All I have seen are discussions about whether a PC or a Mac is best. It is as if the Consumers Union is in the bizarro universe.
brilliant (Score:2)
I want to read the report now. If they really didn't want this report publicised, the correct response is "whatever".
Let me get this straight. (Score:5, Interesting)
From the article: "I understand .. if you want to test a car's performance, you test the car put on road with lots of bumps on it," Marcus said. "But when you are talking about malicious code, there's a threat to public. There are professionals who know how to handle viruses. It should be left to them." (emphasis added)
Well, that's why Consumer Reports hired computer security professionals [securityevaluators.com] to work with on this. Maybe they're just mad that CR didn't ask them to be the security consultants... oh wait, that might be a conflict of interest for the product review. Tough.
Not planning. (Score:3, Insightful)
Consumers Reports is the most trusted amoung consumers. They put products through their paces and ensure they work well. With that said, yes Consumer Reports create viruses. They already have done so for testing lastest virus programs. Consumer Reports September 2006 issue has said this. They have rated Bit Defender as the best. The issue specifically said they created new viruses to test how well they did against new viruses not already in the signature lists.
People like Igor Muttik are just scared their crappy anti-virus software sucks. Mcafee ranked #6 in the Sept 2006 issue. And even if a CR virus got loose, CR can release the viruses details to venders immediately. The virus wouldn't last more than couple days.
Exposes shortcomings in AV software (Score:3, Interesting)
What they should be doing more heuristic scanning, identifying malware by characteristics rather than looking for particular malware signatures.
This is a fundimental weakness in most existing AV software. Certainly this is harder to because legitimate software can do similar things to malware. That doesn't change the fact that AV companies should be concentrating more on this. This is particularly true as most "successful" worms get modified and re-released. As a result it should be possible for the AV companies to detect the altered worms.
Consumer reports is doing us all a service here by exposing this weakness. Provided they ensure the worms don't get out I'm all for it. This is a perfectly valid way of testing the malware. In addition FTA they are doing what most malware writers do anyway: altering the worm just enough so that it is likely to get past the signature based scanning software.
Shame on you McAfee.
Re: (Score:2)
CR isn't identifying new exploits. All they're doing is the old virus-writer trick of tweaking a virus by shuffling the order of routines around or changing strings (banners or other displayed text) to change the virus enough to make existing signatures not match anymore. In short, CR's testing the ability of AV software to actually detect viruses, not just do a simple grep for a known byte sequence and return a yes/no based on whether it was found or not.
We won't get into stealthed polymorphic viruses tha