College Classes On Malware Writing Still Piss Off Anti-Virus Firms

from the security-through-obscurity dept

Over five years ago, we wrote about a college that was starting to offer a new computer science class in writing computer viruses. And, of course, various anti-virus companies went ballistic, claiming it was dangerous. Yet, as we pointed out at the time, anti-virus companies don't have the greatest track record in actually stopping viruses -- so it seemed only reasonable to teach people to better "think like the enemy." Anyway, it appears not much has changed. Theodp writes in to let us know about an article in Newsweek about a very similar course being taught at Sonoma State University by George Ledin, where students are tasked with creating their own malware.

Once again, various security companies are condemning the approach, even sinking so low as to compare Ledin to A.Q. Khan, the Pakistani scientist who sold nuclear technology to North Korea. They even insist they won't hire his students -- which seems particularly short-sighted. As Ledin points out, this appears to be more about the security companies wanting to keep the world more scared of malware than it needs to be, so as to pretend that they're the only ones who can solve the "problem" -- when the truth is they're not very effective at it. He complains that anti-virus firms keep their code secret (thank you, DMCA). He points out that if they were willing to open it up, and let lots of folks work on improving it, it would get much, much better. All he's trying to do is help more people understand the enemy without first having to work at one of those companies that's been so ineffective in stopping malware -- in the hopes that maybe some of his students can actually come up with a better solution.

Filed Under: education, george ledin, malware, teaching, viruses


Reader Comments

  1. Anonymous, 4 Aug 2008 @ 1:58am

    It's the beginning of the end.

    The anti-virus companies are just trying to protect their primarily fear-based monopoly on the market. This is just another example of the growing trend towards open source solutions. When the businesses and the public realize that viruses are just clusters of code and not some demonic force, the anti-viruses are going to be in quite a pickle.

  2. Anonymous Coward, 4 Aug 2008 @ 2:05am

    Funny that Theodp hasn't posted anything on TD since January, but still is quick to tell TD about a malware class.

  3. Spicy Tomato, 4 Aug 2008 @ 2:11am

    Re:

    Yeah, now that you mention it, what happened to Theodp?

  4. Anonymous Coward, 4 Aug 2008 @ 2:13am

    Re: Re:

    Maybe he was eaten alive by bloggers.

  5. Attack of Killer Tomatos, 4 Aug 2008 @ 2:14am

    Re: Re: Re:

    Or a Spicy Tomato!

  6. Anonymous Coward, 4 Aug 2008 @ 2:16am

    Re: Re: Re: Re:

    Well, maybe there's some truth to that. I *do* like pepper.

  7. Mike (profile), 4 Aug 2008 @ 2:33am

    Re:

    "Funny that Theodp hasn't posted anything on TD since January, but still is quick to tell TD about a malware class."

    Actually, he regularly submits stuff, some of which we post, some of which we don't. But there have been plenty since January, so not sure where you got your "stat" from.

    http://www.techdirt.com/search.php?site=&q=theodp

  8. Second Class TD contributor, 4 Aug 2008 @ 2:35am

    theodp does have a lot of insight.

    My guess is that it's one of "The Mas"'s co-workers. As such, he's too good for us common folk. He/she just shares their ideas with "The Mas" these days.

    Ho hum. Trollin' along...

  9. Kamu, 4 Aug 2008 @ 2:49am

    Why not...

    Why not have one half develop malware, and the other half develop an anti-virus sort of application (on second thought, that may be quite difficult), and then see who wins. Then the teams can switch.

  10. bobbknight, 4 Aug 2008 @ 2:50am

    What?

    "The Anti-virus companies are just trying to protect their primarily fear-based monopoly on the market."

    WTF?

    Monopoly, what monopoly, where is this Bill Gates of the anti-virus?
    How come "MY" anti-virus is free?
    How come "MY" anti-malware is free?

  11. sid, 4 Aug 2008 @ 3:22am

    Why not Ledin starts his own open source antivirus project

    Maybe he can start that and come up with a great product like Firefox or OpenOffice which serves the purpose as well as has a great potential for extension via contribution from coding enthusiasts...

  12. theodp's shadow, 4 Aug 2008 @ 3:57am

    Re: Re:

    Possibly they also checked http://www.techdirt.com/search.php?site=&q=theodp&searchin=commentname before posting...

    Where's my man, theodp??? His friends down here in the trenches miss him!

  13. James, 4 Aug 2008 @ 4:42am

    Interesting..

    Before the days of the internet I surmised that AV companies actually were the ones TEACHING classes on such things so they'd have a purpose.

  14. Anonymous Coward, 4 Aug 2008 @ 5:09am

    what about ClamAV?

    ClamAV is an open-source anti-virus program. The Windows version is called ClamWin. I tried it briefly and it wasn't that great.

  15. Ferin (profile), 4 Aug 2008 @ 5:11am

    must be something in the water

    Why is it people seem to think if you hide something and don't teach people about it somehow the problem will go away? It's like these morons think saying "Don't do that, it's bad" and refusing to educate people about an issue is gonna make everything all right. Cripes, haven't they learned enough from the lame attempts at such an approach with sex education?

  16. Nagolod, 4 Aug 2008 @ 5:43am

    Maybe if malware-curious students can try their skills for a proper school assignment they won't feel the need to test their stuff in the open field of the internet.

    Given that AV/security companies make their living from fighting malware, sometimes I wonder whether they might have a secret "branch" that actually funds or develops malware itself. This way, they make sure they don't run out of business, while at the same time aiding their "effectiveness" claims by developing the cure together with the disease... Hey, maybe that is the real reason why they are pissed off?

  17. jonnyq, 4 Aug 2008 @ 6:23am

    Re: what about ClamAV?

    ClamAV sucks by itself.

    I once used ClamAV in conjunction with WinPooch and that worked ok, but I never tweaked it enough to turn off the annoying stuff.

    You need to install something else on top of Clam to make it useful, like a resident scanner.

    That said, I'm a Linux user these days.

  18. Anonymous Coward, 4 Aug 2008 @ 6:27am

    Re: It's the beginning of the end.

    "fear-based monopoly on the market..."

    It is definitely a fear-based market, but it is certainly not a monopoly. There are way too many players in the market to call it that.

  19. Haywood, 4 Aug 2008 @ 6:32am

    The only thing keeping big AV alive now............

    Is inertia and product placement. People used to associate AV protection with Norton and McAfee; they were Hertz and Avis, there was nowhere else to go. In their day, they were great, but they lost focus & started pushing all-in-one security packages. This led to bloat and resource hogging; most want to be free from viruses and malware, but few are willing to give up a good portion of their processing power for it. Enter the lean, mean & free group, like the free versions of Avast and AVG.
    The biggest threat to computer security is, IMO, the trial versions included on retail computers. Once the trial runs out, the average user just keeps on going with no shield at all. I've repaired quite a few of these. Once they get so laden that they take an hour to boot up fully, they come crying for help, & I clean it up, give them a good free AV and firewall, & never hear from them again.

  20. chris (profile), 4 Aug 2008 @ 6:42am

    signature based detection doesn't work

    anti virus software was fine when most attacks were highly automated and written and released by one person.

    usually that one person was not very skilled and the software was [somewhat] quickly identified and updates released to handle the outbreak.

    malware today is far more complex, and has been for about 4 years.

    in the last couple of years, malware has taken a different turn. it's not nearly as automated, it's written/modified by teams of professionals who are financed by criminal organizations or rogue nations, and its intent is to do more than annoy.

    the result is releases and variants that are re-tooled manually and aren't identified before widespread release. they often slip right by anti-virus software because the user gets suckered into installing it: i.e. vundo, virtumonde, or any of the numerous phony anti-virus or anti-spyware packages that end up on machines. the signatures are at best not detected, and at worst ignored by the user.

    there is a reason there are hundreds of thousands of zombies in the storm and kraken botnets: using anti-virus software to protect your computer from tampering is like giving your child antibiotics to protect them from kidnappers.

  21. chris (profile), 4 Aug 2008 @ 6:55am

    Re: must be something in the water

    "Why is it people seem to think if you hide something and don't teach people about it somehow the problem will go away?"

    half the reason is that people are happy being ignorant and half the reason is that the "protectors" of the world (cops, feds, security vendors) want to keep their clients and the competition as ignorant as possible.

    people always freak over youtube videos on lock picking, or TV shows that teach people about how the drug trade works, because they don't understand that all information is good.

    there is this stupid idea that you can protect people by burying information. that's ridiculous. you protect people by putting information out in the open where anyone, good or bad, can find and fix the problem.

    the criminals already have the information. they already know how to pick locks, or make crystal meth, or sneak metal onto an airplane. the rest of us need this information too, so we can figure out how to protect ourselves effectively.

  22. Anonymous Coward, 4 Aug 2008 @ 8:35am

    If the AV corporations don't hire these students, they're just shooting themselves in the foot. Do they think that everyone lives in a branded community?

  23. MLS, 4 Aug 2008 @ 8:44am

    I would like to think that companies engaged in the business of recognizing and nullifying viruses and other similar malware would be more inclined to hire people who better understand the "enemy" than those who do not.

  24. Chris, 4 Aug 2008 @ 10:08am

    We need more than AV

    I say the more educational sites doing this the better. SANS has offered this kind of training for years (www.sans.org). We need new minds and new innovations because the entire industry has become stagnant.
    AV software was fine in the 20th century as most malicious code writers were interested in little more than mass propagation. Under that model the statistical chances of an infection being identified and reported to an AV vendor (so the rest of us get a signature) were pretty favorable.
    The problem is the model has changed. Malware writers now leverage their skills to make money. Under that model spear attacks are used rather than mass propagation. This dramatically reduces the statistical chances of a useful signature being created. We've had a number of incidents where systems have been infected for 2+ years before being detected.
    So why do AV vendors refuse to adapt? One word, "money". A signature-based model generates a recurring revenue stream month to month. What we need is better HIPS and app control technology, which does not lend itself to a recurring revenue stream. So if they fix what ails us, AV vendors end up hurting their bottom line. Not much of a business motivation there.
    So the more bright folks we can have up to speed on malware who have learned their skills outside of the AV bubble, the more likely someone is going to hit on and actually release something that will address the current model.

  25. Jake, 4 Aug 2008 @ 10:46am

    Re: Why not...

    I suspect that's probably the eventual objective of the class. On the other hand, you can bet your bottom currency unit of choice that at least one student in every class sets his creation loose out of mischief or curiosity, which is probably what has the anti-virus companies worried.

  26. Anonymous Coward, 4 Aug 2008 @ 12:48pm

    Mu Hahaha

  27. Dan, 4 Aug 2008 @ 11:54pm

    When the major AV vendors quit padding their products with malware, spyware, rootkits and misleading renewal popups I might start to take them seriously. I am reminded of the UK univ that threatened a counter-terrorism student with expulsion if he read the Al-Qaeda handbook. What was that phrase again? Oh, it was "know your enemy."

  28. Chirag Mehta, 21 Aug 2008 @ 8:35am

    Recruiting pipeline

    These students could in fact be great job candidates for antivirus companies. "Thinking like an enemy" is an essential trait for someone whose job is to detect malware and remove it from people's computers. Instead of whining the AV companies should just hire them.

  30. softwares, 11 Nov 2009 @ 9:45pm

    Yes, Mr. Chirag Mehta, you are quite right. Need strong steps.

  31. Krill, 4 Dec 2009 @ 8:03am

    These classes are a fantastic tool for future IT professionals. Let's look at this logically: if your job is the detection, avoidance and removal of any malicious code, then naturally it makes sense to know how to author and inject such code. How can you be expected to get rid of malware if you cannot recognize, deconstruct and plan for it?

  32. Fred, 21 Dec 2009 @ 8:02am

    Krill, you do make a good point, but you have to realize that these antivirus companies take a less-is-better approach in regards to how many people they are comfortable with having this sort of knowledge. I mean, let's face it, many college kids who see the opportunity for quick bucks are the ones that so often author these things in the first place.

