College Classes On Malware Writing Still Piss Off Anti-Virus Firms

from the security-through-obscurity dept

Over five years ago, we wrote about a college that was starting to offer a new computer science class in writing computer viruses. And, of course, various anti-virus companies went ballistic, claiming how dangerous it was. Yet, as we pointed out at the time, anti-virus companies don't have the greatest track record in actually stopping viruses -- so it seemed only reasonable to teach people to better "think like the enemy." Anyway, it appears not much has changed. Theodp writes in to let us know about an article in Newsweek about a very similar course being taught at Sonoma State University by George Ledin, where students are tasked with creating their own malware.

Once again, various security companies are condemning the technique, even sinking so low as to compare Ledin to A.Q. Khan, the Pakistani scientist who sold nuclear technology to North Korea. They even insist they won't hire his students -- which seems particularly short-sighted. As Ledin points out, this appears to be more about the security companies wanting to keep the world more scared of malware than it needs to be, so they can pretend that they're the only ones who can solve the "problem" -- when the truth is they're not very effective at it. He complains that anti-virus firms keep their code secret (thank you, DMCA). He points out that if they were willing to open it up, and let lots of folks work on improving it, it would get much, much better. All he's trying to do is help more people understand the enemy without first having to work at one of those companies that's been so ineffective in stopping malware -- in the hope that maybe some of his students can actually come up with a better solution.


Reader Comments

  1. Anonymous, Aug 4th, 2008 @ 1:58am

    It's the beginning of the end.

    The Anti-virus companies are just trying to protect their primarily fear-based monopoly on the market. This is just another example of the growing trend towards open source solutions. When the businesses and the public realize that viruses are just clusters of code and not some demonic force, the anti-viruses are going to be in quite a pickle.

  2. Anonymous Coward, Aug 4th, 2008 @ 2:05am

    Funny that Theodp hasn't posted anything on TD since January, but still is quick to tell TD about a malware class.

  3. Spicy Tomato, Aug 4th, 2008 @ 2:11am

    Re:

    Yeah, now that you mention it, what happened to Theodp?

  4. Anonymous Coward, Aug 4th, 2008 @ 2:13am

    Re: Re:

    Maybe he was eaten alive by bloggers.

  5. Attack of Killer Tomatos, Aug 4th, 2008 @ 2:14am

    Re: Re: Re:

    Or a Spicy Tomato!

  6. Anonymous Coward, Aug 4th, 2008 @ 2:16am

    Re: Re: Re: Re:

    Well, maybe there's some truth to that. I *do* like pepper.

  7. Mike (profile), Aug 4th, 2008 @ 2:33am

    Re:

    "Funny that Theodp hasn't posted anything on TD since January, but still is quick to tell TD about a malware class."

    Actually, he regularly submits stuff, some of which we post, some of which we don't. But there have been plenty since January, so not sure where you got your "stat" from.

    http://www.techdirt.com/search.php?site=&q=theodp

  8. Second Class TD contributor, Aug 4th, 2008 @ 2:35am

    theodp does have a lot of insight.

    My guess is that it's one of "The Mas"'s co-workers. As such, he's too good for us common folk. He/She just shares their ideas with "The Mas" these days.

    Ho hum. Trollin' along...

  9. Kamu, Aug 4th, 2008 @ 2:49am

    Why not...

    Why not have one half develop malware, and the other half develop an anti-virus sort of application (on second thought, that may be quite difficult), and then see who wins. Then the teams can switch.

  10. bobbknight, Aug 4th, 2008 @ 2:50am

    What?

    "The Anti-virus companies are just trying to protect their primarily fear-based monopoly on the market."

    WTF?

    Monopoly, what monopoly? Where is this Bill Gates of the anti-virus?
    How come "MY" anti-virus is free?
    How come "MY" anti-malware is free?

  11. sid, Aug 4th, 2008 @ 3:22am

    Why doesn't Ledin start his own open source antivirus project?

    Maybe he can start that and come up with a great product like Firefox or OpenOffice, which serves the purpose as well as having great potential for extension via contributions from coding enthusiasts...

  12. theodp's shadow, Aug 4th, 2008 @ 3:57am

    Re: Re:

    Possibly they also checked http://www.techdirt.com/search.php?site=&q=theodp&searchin=commentname before posting...

    Where's my man, theodp??? His friends down here in the trenches miss him!

  13. James, Aug 4th, 2008 @ 4:42am

    Interesting..

    Before the days of the internet I surmised that AV companies actually were the ones TEACHING classes on such things so they'd have a purpose.

  14. Anonymous Coward, Aug 4th, 2008 @ 5:09am

    what about ClamAV?

    ClamAV is an open-source anti-virus program. The Windows version is called ClamWin. I tried it briefly and it wasn't that great.

  15. Ferin (profile), Aug 4th, 2008 @ 5:11am

    must be something in the water

    Why is it people seem to think if you hide something and don't teach people about it somehow the problem will go away? It's like these morons think saying "Don't do that, it's bad" and refusing to educate people about an issue is gonna make everything all right. Cripes, haven't they learned enough from the lame attempts at such an approach with sex education?

  16. Nagolod, Aug 4th, 2008 @ 5:43am

    Maybe if malware-curious students can try their skills on a proper school assignment they won't feel the need to test their stuff in the open field of the internet.

    Given that AV/security companies make their living from fighting malware, sometimes I wonder whether they might have a secret "branch" that actually funds or develops malware itself. This way, they make sure they don't run out of business, while at the same time aiding their "effectiveness" claims by developing the cure together with the disease... Hey, maybe that is the real reason why they are pissed off?

  17. jonnyq, Aug 4th, 2008 @ 6:23am

    Re: what about ClamAV?

    ClamAV sucks by itself.

    I once used ClamAV in conjunction with WinPooch and that worked ok, but I never tweaked it enough to turn off the annoying stuff.

    You need to install something else on top of Clam to make it useful, like a resident scanner.

    That said, I'm a Linux user these days.

  18. Anonymous Coward, Aug 4th, 2008 @ 6:27am

    Re: It's the beginning of the end.

    "fear-based monopoly on the market..."

    It is definitely a fear-based market, but it is certainly not a monopoly. There are way too many players in the market to call it that.

  19. Haywood, Aug 4th, 2008 @ 6:32am

    The only thing keeping big AV alive now...

    Is inertia and product placement. People used to associate AV protection with Norton and McAfee; they were Hertz and Avis, there was nowhere else to go. In their day, they were great, but they lost focus & started pushing all-in-one security packages. This led to bloat and resource hogging; most want to be free from virus and malware, but few are willing to give up a good portion of their processing power for it. Enter the lean, mean & free group, like the free versions of Avast and AVG.
    The biggest threat to computer security is, IMO, the trial versions included on retail computers. Once the trial runs out, the average user just keeps on going with no shield at all. I've repaired quite a few of these. Once they get so laden that they take an hour to boot up fully, they come crying for help, & I clean it up, give them a good free AV and firewall, & never hear from them again.

  20. chris (profile), Aug 4th, 2008 @ 6:42am

    signature based detection doesn't work

    anti virus software was fine when most attacks were highly automated and written and released by one person.

    usually that one person was not very skilled and the software was [somewhat] quickly identified and updates released to handle the outbreak.

    malware today is far more complex, and has been for about 4 years.

    in the last couple of years, malware has taken a different turn. it's not nearly as automated, it's written/modified by teams of professionals who are financed by criminal organizations or rogue nations, and its intent is to do more than annoy.

    the result is releases and variants that are re-tooled manually and aren't identified before widespread release. they often slip right by anti-virus software because the user gets suckered into installing it: i.e. vundo, virtumonde, or any of the numerous phony anti-virus or anti-spyware packages that end up on machines. the signatures are at best not detected, and at worst ignored by the user.

    there is a reason there are hundreds of thousands of zombies in the storm and kraken botnets: using anti-virus software to protect your computer from tampering is like giving your child antibiotics to protect them from kidnappers.

  21. chris (profile), Aug 4th, 2008 @ 6:55am

    Re: must be something in the water

    "Why is it people seem to think if you hide something and don't teach people about it somehow the problem will go away?"

    half the reason is that people are happy being ignorant and half the reason is that the "protectors" of the world (cops, feds, security vendors) want to keep their clients and the competition as ignorant as possible.

    people always freak over youtube videos on lock picking, or TV shows that teach people about how the drug trade works, because they don't understand that all information is good.

    there is this stupid idea that you can protect people by burying information. that's ridiculous. you protect people by putting information out in the open where anyone, good or bad, can find and fix the problem.

    the criminals already have the information. they already know how to pick locks, or make crystal meth, or sneak metal onto an airplane. the rest of us need this information too, so we can figure out how to protect ourselves effectively.

  22. Anonymous Coward, Aug 4th, 2008 @ 8:35am

    If the AV corporations don't hire these students, they're just shooting themselves in the foot. Do they think that everyone lives in a branded community?

  23. MLS, Aug 4th, 2008 @ 8:44am

    I would like to think that companies engaged in the business of recognizing and nullifying viruses and other similar malware would be more inclined to hire people who better understand the "enemy" than those who do not.

  24. Chris, Aug 4th, 2008 @ 10:08am

    We need more than AV

    I say the more educational sites doing this the better. SANS has offered this kind of training for years (www.sans.org). We need new minds and new innovations because the entire industry has become stagnant.
    AV software was fine in the 20th century, as most malicious code writers were interested in little more than mass propagation. Under that model the statistical chances of an infection being identified and reported to an AV vendor (so the rest of us get a signature) were pretty favorable.
    The problem is the model has changed. Malware writers now leverage their skills to make money. Under that model spear attacks are used rather than mass propagation. This dramatically reduces the statistical chances of a useful signature being created. We've had a number of incidents where systems have been infected for 2+ years before being detected.
    So why do AV vendors refuse to adapt? One word: "money". A signature-based model generates a recurring revenue stream month to month. What we need is better HIPS and app control technology, which does not lend itself to a recurring revenue stream. So if they fix what ails us, AV vendors end up hurting their bottom line. Not much of a business motivation there.
    So the more bright folks we can have up to speed on malware who have learned their skills outside of the AV bubble, the more likely someone is going to hit on and actually release something that will address the current model.

  25. Jake, Aug 4th, 2008 @ 10:46am

    Re: Why not...

    I suspect that's probably the eventual objective of the class. On the other hand, you can bet your bottom currency unit of choice that at least one student in every class sets his creation loose out of mischief or curiosity, which is probably what has the anti-virus companies worried.

  26. Anonymous Coward, Aug 4th, 2008 @ 12:48pm

    Mu Hahaha

  27. Dan, Aug 4th, 2008 @ 11:54pm

    When the major AV vendors quit padding their products with malware, spyware, rootkits and misleading renewal popups I might start to take them seriously. I am reminded of the UK university that threatened a counter-terrorism student with expulsion if he read the Al Qaeda handbook. What was that phrase again? Oh, it was "know your enemy".

  28. Chirag Mehta, Aug 21st, 2008 @ 8:35am

    Recruiting pipeline

    These students could in fact be great job candidates for antivirus companies. "Thinking like an enemy" is an essential trait for someone whose job is to detect malware and remove it from people's computers. Instead of whining the AV companies should just hire them.

  29. دردشة, Jul 11th, 2009 @ 9:24am

    suspect that's probably the eventual objective of the class. On the other hand, you can bet your bottom currency unit of choice that at least one student in every class sets his creation loose out of mischief or curiosity, which is probably what has the anti-virus companies worried

  30. softwares, Nov 11th, 2009 @ 9:45pm

    Yes, Mr. Chirag Mehta, you are quite right. Need strong steps.

  31. Krill, Dec 4th, 2009 @ 8:03am

    These classes are a fantastic tool for future IT professionals. Let's look at this logically: if your job is the detection, avoidance and removal of any malicious code, then naturally it makes sense to know how to author and inject such code. How can you be expected to get rid of malware if you cannot recognize, deconstruct and plan for it?

  32. Fred, Dec 21st, 2009 @ 8:02am

    Krill, you do make a good point, but you have to realize that these antivirus companies take a less-is-better approach in regards to how many people they are comfortable with having this sort of knowledge. I mean, let's face it, many college kids who see the opportunity for quick bucks are the ones that so often author these things in the first place.

