Our case:

In the earlier days of computing, malicious code was easy to spot: it did something bad to a system (either intentionally or unintentionally) and had no redeeming value in its existence. I remember my first computer job was to go around and clean viruses like 'Monkey' off of school hard drives 3 times a week. Back then it was easy, and virus scanners fit onto a 720k floppy. The landscape has changed significantly over the last 10 years.

Just as the computer was making inroads into the home market about 10 years ago, viruses began to flourish and cause trouble. During this time many companies took it upon themselves to solve this problem, and thus the Anti-Virus industry was born. In the early days it was easy to see when a program was malicious, either by file destruction or problems with system operation. Find them and kill them was the way to go. The waters get a bit muddier as time progresses. Enter 1995, the release of Windows 95 and the beginning of the Internet wave that has caught an entire economy in its wake: a new operating system on 90% of the world's home computers, with security taking a back seat to user-friendliness, and a lot more files to play with and abuse. Pig in shit situation for virus writers if you ask me. As this was happening, Anti-Virus became even more prevalent and even more necessary. Zip to the current day and just about every new PC is shipped with a basic version of a virus scanner, and Anti-Virus makers are reporting huge profits and finding and killing the latest viruses in an incredibly efficient manner.

Enter the problem: what makes one Anti-Virus software package different from the next? Answer: Nothing. All the products out there use almost the same list to scan. Each product has its own little bells and whistles and auto-update features, but at heart they are all doing the same thing. This creates the problem of these companies trying to outdo each other to find the latest piece of malicious code and then market that they now find 2 more viruses than their competitor. Unfortunately, in this process these companies tend to just copy each other's lists and don't think about what they are doing. As a result, 'innocent' programs are starting to get caught in the middle and crushed.

In the beginning there were not as many features in computers as there are now, and this limited the types of malicious code. With today's 'modern' technology there are a host of other features in systems that viruses are taking advantage of for their purposes. The main question is: when is a program malicious? The phrase 'It's not a bug, it's a feature!' seems to apply here: when do features become malicious? Case in point is netbus. Originally written to be used as a trojan horse to quietly seize control of a computer from an unwilling user, it was bought and re-made as a low-cost shareware remote administration tool and was now a company's product for sale. Initially this new version (now product) did very well for the first few months; it even got the '5 cow' rating on the popular tucows shareware site. Then the Anti-Virus companies began listing this new version in their scans. Now people who have legitimately bought this product are being forced by the Anti-Virus companies to fight their virus protection to use it. Ultraaccess.net (the folks who market netbus) attempted to state their case that this was a product that had features that 'could' be malicious but were not meant as such. Their calls were not returned and no one in the industry would listen (though it has been reported to me that Symantec refuses to talk to Ultraaccess anymore, but NAI has moved netbus into the 'remote admin' section, right next to PC Anywhere). Now this would make sense in an ideal world: a program that could stealthily be installed and run and that allowed a person to take control of a remote computer should most definitely be detected. However, when other products on the market, such as softeyes (www.softeyes.com) and WinWhatWhere (www.winwhatwhere.com), list almost the exact same features as netbus and operate in a similar fashion, it proves that we do not live in an ideal world.
Another interesting note is that many of the major Anti-Virus vendors also have remote administration products of their own and charge a lot for them (feature for feature they are surprisingly similar to 'trojan horses' like netbus); strangely enough, these are not detected the same way netbus is.

Back Orifice brought the issue of what makes a virus to the forefront. Its release in 1998 with much fanfare brought the 'trojan horse' programs to the public's attention. Its newest incarnation, Back Orifice 2000, released with much more fanfare (as I can personally attest), took the issue of anti-virus abuses to the media and the public's attention. Cult of the Dead Cow, who released BO2K, publicly challenged Microsoft to recall their remote administration product SMS (Systems Management Server) because it had the same features as Back Orifice and other 'trojan horse' type programs. Their statement even included a page on the Microsoft website saying that SMS could be made to be 'silent installing' and 'silent running', both key features in the 'trojan horse' category of virus scanning.

How we started:

I was in attendance at the BO2K release at Defcon 7, and Dildog's and TweetyFish's statements stuck with me (watch the video), though I don't know why (at the time I was not in the best of condition, chemically speaking). Several months after the con, I tried BO2K and found that it was a REALLY good program for the price (free), and it has become my primary form of remote access to my Windows boxes at home. It began to bug me as to the logic used by the Anti-Virus vendors in listing what was 'bad' and what was 'good', as I had found BO2K to be 'good'. After mailing the customer service / tech support of most of the Anti-Virus vendors as to their policy on what was listed (and getting a very curt response from one), I found that they give almost no thought to it and list what their customers want to see. This made no sense, as many of the programs not scanned for were just as dangerous in the wrong hands as those programs that are scanned for. Dr. Mudge from L0pht put it best: "you can use a hammer to build a house, or you can use it to bash someone's head in". That doesn't mean we need to restrict hammers.

Our goal here at AntiAV.com is not pro-virus, far from it; we merely want the industry to take responsibility and accountability for what they list and to list EVERYTHING that fits into the category. Most scanners have 3-4 types of code they scan for: Virus, Macro, Trojan (sometimes they will break it down further). What we want to see is an additional category of 'Program' in all scanners that lists programs that are present but are not all bad. Listing that something not normally scanned for, like softeyes, is loaded and watching me type in my credit card number would be a VERY useful thing. Programs like that don't need to be listed as 'trojan' or anything else; just bringing them to the attention of the user so they know they're there would be enough. (As it sits, my main virus scanner reports 3 pages of viruses on my system. As a security consultant by day, many are tools I use on a regular basis or need to experiment with to know how to protect against them. Just because they are reported doesn't mean they are doing anything bad.)

The other thing we would like to see is some way of talking to all the Anti-Virus vendors at once and a way of mediation when a program is thought to be inappropriately listed, as in the case of netbus, where Symantec refused to return phone calls and Ultraaccess.net has a product that their customers can't use because their Anti-Virus software is fighting them. As well, since all the vendors use each other's definitions, there is no way to just use another product. This spells bad news for Ultraaccess.net's sales opportunities.

The Anti-Virus industry has done a great many things for protecting users from malicious code, but in recent years it has grown into something that has far too much power over our computers. They literally have the power to crush a competing product or to help other companies gain a competitive edge. What if Time-Warner, instead of filing suit against Napster, just went to Symantec and had them list Napster as something to be 'cleaned' from a system? Since there are no major regulations as to what is allowed to be scanned for, these companies can list whatever they want, and since all these companies list what everyone else is listing, they can do what they want. The only thing keeping them from really abusing things is possibly the fact that they haven't thought of it, or that they haven't finished studying the effect on their sales. Since all new PCs ship with a virus scanner installed, we have a case where an industry has an enormous amount of power over the software we run and almost no checks or balances to make sure there are no abuses. Hopefully things can be made to change before we have to choose between their control over our software and facing a whole Internet of programs that want to destroy us.

RenderMan
