Consumer Reports Creates Viruses to Test Software

Maximum Prophet writes to mention an MSNBC article about a Consumer Reports plan to test anti-virus software by creating viruses. Security companies are objecting, on the grounds that it's a generally accepted practice not to create viruses for any reason. From the article: "Consumer Reports didn't create thousands of new viruses from scratch. Rather, it took a handful of existing viruses and created hundreds of slight variants, changing the malicious programs just enough to evade detection by an antivirus program with a list of known threats. That's a common trick in the virus writing world; it's standard for a successful virus to inspire dozens of variants. "

Of course they are...

[Theaetetus]

Security companies are objecting, on the grounds that it's a generally accepted practice not to create viruses for any reason.

Well, yeah. Plus, you'll expose all the weaknesses in their software. Testing security only emboldens the terrorists!

1st comment?!

[dave562]

And I'm not even a subscriber?!

You know you're in trouble when Consumer Reports is pointing out that your software is worthless. As just about every /.er knows, pattern / signature based detection is all too easily circumvented. Unfortunately it's pretty much all we have. It has been my experience that enabling Heuristic based detection (in Symantec Corporate AV) at any level other than the default just leads to too many false positives.

It is their property

[Anonymous Coward]

Consumer Reports destructively tests many things. Why should it matter what they do to their own computers? As long as they don't release these viruses into the wild, there is no problem.

Corporate Honesty

[recordMyRides]

Security companies are objecting, on the grounds that they do not want the gaping holes in their software revealed to the public by Consumer Reports.

There's no good reason to object to this

[cagle_.25]

1) Virus writers will write exactly the same code, unless the boys at Consumer Reports are dedicated enough to come up with truly innovative virus variations. So there's no fear that someone out there will "get ideas."

2) Why not vet your software against somebody else's test suite? If CR wants to function as an extension of Symantec's R&D, let 'em. It's a win-win.

The horror! Real world testing without pr spin!

[dtolman]

No wonder the AV companies are up in arms - its a standard industry requirement to make sure that there is a PR rep assigned to each engineer to "interpret" results, whenever doing tests that shows how well the software actually works!

Not a big deal

[guruevi]

That is exactly what virusscanner sellers do. They create new virusses, mutate them and test them out. Of course they don't do that in a internet or network-connected environment. In all cases this should be in a lab environment completely closed off from the exterior world.

What's the big deal here? A bunch of Windows computer with antivirus software running in a closed off network as to benchmark some programs. Happens with games, office software etc... nothing to see here, please move along.

Of course this way you also get stories (hoax, urban legends) like the one about Symantec releasing virusses to sell their software...

Good Idea

[Apocalypse111]

This is a very good idea, IMO. I mean, for years the major security companies have been using fear tactics to push their software. For an almost equal amount of time, security-concious geeks have been critical of this software. Having a trusted, disinterested third-party like Consumer Reports put it to the test sounds like the perfect solution to this situation.
Its been a long time since someone outside of Norton has talked about how good a Norton product is, but they've been in the game for such a long time that they are trusted by the general public to do their job. I wonder how many would uninstall if Consumer Reports said that their product was utter crap? Or rather, how many would try to uninstall only to find that the uninstaller is broken too?

Re:Hey, if it's good for AV products...

[ifrag]

I'll take a stab at that first example of attempting to break into [a] home, since that's the only one that's comparable to what it seems they are doing. If CR wants to setup a test home in which to practice breaking in that's fine, it's their property and they can do with it what they want. It's a test scenario... saying they'd go out and break into consumer homes is not a good parallel. Consumer Reports is (hopefully) not going to create any public security risk in their process if it really is self contained. As long as it stays within their little "sandbox" I don't see what the problem is. The second two examples deal with people instead of objects so it obviously doesn't make for an easy expendable test case.

How well did they do it?

[frankie]

As a CR subscriber, I am utterly amazed that they even had the IDEA to construct a test like that, much less actually find capable programmers and do it. Perhaps that security company cold-called them and suggested it?

CR's technology reviews are often wrong in ways that would be laughable if they weren't so influential. Off the top of my head:

• monitor reviews with photo display tests, where it was obvious to me that no one involved had ever heard of the phrase "gamma correction"
• claim that a two-digit percentage of Macs were infected with spyware
• a seemingly uncanny ability to review hardware obsoleted by newer versions in the interim between testing and publication

Has anyone here heard of this "Independent Security Evaluators" biz? I wonder how many of the viruses were still functional (not just infectious) after twiddling.

Anti-virus doesn't work

[kirun]

If this helps wake people up to the fact that anti-virus programs simply don't work, all the better. For example, at one time or another, nearly every antivirus package has declared applications with NSIS [sourceforge.net] installers as malware. I remember having a McAfee trial on my computer, that would regularly make up infections. Yet, when a slightly updated version of a worm comes out, you're unprotected.

Re:Of course they are...

[Lulu of the Lotus-Ea]

Plus the fact that the anti-virus companies don't like the competition from Consumer Reports; after all, it's those companies that themselves create most of the "proof-of-concept" viruses to scare potential buyers (especially to create scares of vulnerability on OSX, Linux, BSD, etc... where no real vulnerability exists).

Real Engineering

[Anonymous Coward]

This is what real engineering is all about. It takes real software engineers, not code monkeys, to expost the vulnerability of a product, and report it to the consumers.

It's the duty of every engineer (those that can rightfully call themseleves engineers) to protect the public.

Clearly, classical antivirus software is not protecting us. Kudos to these folks for pointing out what should be the painfully obvious.

Re:Speaking as one who has been burned...

[Guysmiley777]

If they can guarantee containment

How hard is it to unplug a network cable in your world? Don't use a machine with a WiFi card. Low level wipe the drives from a bootable CD when you're done. Not really rocket science.

Re:Of course they are...

[Bastian]

Of course, this isn't really why they are objecting. Whatever McAfee and Symantec say, writing proof-of-concept exploits seems like standard practise to me. My best guess is that their fear is that this might cut into their profits because Consumer Reports is going to make the non-geek public more aware of the limitations of antivirus software. This could make them decide, "Well, if it can't protect me from all the viruses, especially not the new ones, than maybe it's not worth the money."

Of course, Consumer Reports is almost certainly responsible enough to address this issue and point out to people that it's really a reason why they need to be updating their virus definitions as frequently as is practical.

Re:Of course they are...

[Hoi Polloi]

I hear the Yale company is still furious over the time Consumer Reports tried a bunch of random combinations on their locks.

Claims shouldn't be verified

[Hoi Polloi]

Soon they'll propose testing car safety by doing test crashes! Or testing fire retardants by trying to set them on fire. Damn those Consumer Reports fools!

Re:Of course they are...

[telbij]

Security companies are objecting, on the grounds that it's a generally accepted practice not to create viruses for any reason.

I also had to quote this sentence because it's so silly. It's generally accepted practice by people who don't create viruses. Obviously a lot of people are creating viruses whether blackhat or whitehat or greyhat. Now where's my MAD magazine?

Re:Of course they are...

[vought]

that it's a generally accepted practice not to create viruses for any reason

It was generally accepted practice for 50 years not to crash perfectly good cars. Until we started learning that we could protect the occupants of said cars better by finding out where the weak points were...by crashing perfectly good cars.

What are Symantec. et al afraid of?

Re:Speaking as one who has been burned...

[Space cowboy]

We weren't trying to contain it, in our case - we *wanted* to see if it would work as well as we thought it would. The problem came because we *didn't* think about the consequences of someone using a floppy - we were focussed on the network aspects.

So, we had a general routine to write a !boot (an autoexec-on-read-the-media) file, and hadn't considered the sequence of events of:

• someone writing the virus to a floppy
  
• Us wanting to get rid of the virus
  
• That person bringing the floppy back into the lab and re-infecting the network.
  
• Oh sh*t!
  

So, even though we knew exactly what it was capable of, we hadn't considered the actions of one of those infected, and *that* caused us problems. It's not the capabilities that changed, it's the environment. You don't tend to find that out until you've hit the problem, or you would have dealt with it in the source code - that's all I'm saying...

Oh, and I'm sure they'll take a more-responsible attitude than we had, we *were* 1st-year students...

Simon.

Bravo, Consumer Reports

[osgeek]

I casually perused CR here and there, but I'd never really known much about them until a relative gifted me with a subscription. Here are a few things I like about them:

1. They pay their own way. They purchase *all* of the products that they test and destroy, since cozying up to get sample products would tarnish their credibility.
2. They don't accept any advertising dollars within their magazine, since that might bias their reporting and tarnish their credibility.
3. They take a strong stand on protecting consumers beyond just good product recommendations. They do editorials and special reports on subjects that /.ers care about, like RFID and general privacy protection; taking strong pro-consumer stances that you don't see in other national publications.

When my gift subscription runs out, I plan on purchasing my own. Not only because I find the product articles useful and interesting; but because the Consumer's Union does other good things with my money.

Re:Of course they are...

[Anonymous Coward]

biased.
IMHO this tic for tac will go on forever. Malware writers write virus, trojan horses, worms, etc and the security companies will need to meet and exceed these malware writers. Then malware writer learn the new product and find hole and the security plug thoese hole and on it goes. Security companies like most for-profit companies just want to rest on their laurels and not invest in new development and just rake in the money of the products they sell. However reality always proves otherwise where malware writers and/or other security companies that want to show that company A is not invulnerable or should not be complacent about their products. Security companies, and other companies, should invest in research and development so they are always ahead of the malware writers. What Consumer Reports is doing is okay as long they tell the consumers what they are doing so we and the security companies are allow to respond (without PR-ese) so they can fix their products and we have an way to defend against whatever they have found.
There are limits to this in any civilized society which one should not resort to terrorism or similar means to get an end game. Putting an IED into one hated rear-end will result into something similar to be placed in yours.

Re:Of course they are...

[ElleyKitten]

What are Symantec. et al afraid of?

The fact that they suck?

Re:Hey, if it's good for AV products...

[Anonymous Coward]

Even though rated as funny, I think these items are a red-herring. The items you list affect people. The viruses would (hopefully) only affect the computers in limited network created by Consumer Reports, it will not affect people at all.

However, I think that CR is stretching a bit and their testing criteria and conclusions could be off. If none of the AV software can catch their viruses, it doesn't mean that they are worthless. If all of the AV software can catch their viruses, they can't conclude that the AV software is going to catch other viruses. Is some works and some done, they also can't conclude that one is better than the other in catching viruses, except in their particular testing scenario (their created viruses). The testing realm is almost infinite. You can't even use statistics to say which AV software is more likely to catch a virus, because of the multitude of possible ways to create a virus.

Not planning.

[kahrytan]

Consumers Reports is the most trusted amoung consumers. They put products through their paces and ensure they work well. With that said, yes Consumer Reports create viruses. They already have done so for testing lastest virus programs. Consumer Reports September 2006 issue has said this. They have rated Bit Defender as the best. The issue specifically said they created new viruses to test how well they did against new viruses not already in the signature lists.

People like Igor Muttik are just scared their crappy anti-virus software sucks. Mcafee ranked #6 in the Sept 2006 issue. And even if a CR virus got loose, CR can release the viruses details to venders immediately. The virus wouldn't last more than couple days.

Because it's not 100%

[Sycraft-fu]

Bitdefender doesn't catch all new viruses, updates are still important, it's just very good at finding new variants. That's what CR is testing here. Say a virus comes out that your software knows about but a variant comes along that it doesn't yet: Can it catch that? For some (like Sophos) the answer is no never, they check against a database and if it's not there you are SOL. For some like Bitdefender the answer is usually. They have a heuristic checking that works pretty well.

There's no magic bullet, there's no "buy this once and be secure forever" kind of solution, but there are better and worse ones out there. Bitdefender and AVG (probably others those are just the two I know) are reasonably good at stopping new, unknown variants. Synametc, well not so good.

Re:Of course they are...

[Schraegstrichpunkt]

(especially to create scares of vulnerability on OSX, Linux, BSD, etc... where no real vulnerability exists).

The vulnerabilities do exist; they're just not being exploited nearly as much. Of course, run-of-the-mill signature-based antivirus software is equally flawed, as Consumer Reports has shown and security geeks have already known.