Anti-Virus Firm Admits Current Methods Can't Catch Things Like Sony's Rootkit

from the that's-a-problem,-isn't-it? dept

Last week, Bruce Schneier raised the question of why no security firm caught the Sony BMG rootkit earlier and suggested that the anti-virus firms were somehow colluding with Sony BMG. At least one anti-virus firm has explained the reasoning, making it clear that it has much more to do with how they find and classify problems than with any nefarious collusion between the entertainment industry and security companies. Basically, the argument is that security firms need to first be alerted to a problem before they can classify it -- and no one was complaining about the rootkit, so they never caught it. In other words, the firm has basically admitted that the method by which many security firms set up their tools is obsolete. Sony "got away" with it because no one realized what it was doing. This isn't a new concept -- in fact, we've discussed the problems with such a reactive method of dealing with malware before. As long as you can keep changing the fingerprint of the malware, it takes time for the security firms to catch up. That's why a hybrid model that uses both a threat database and some behavioral techniques to flag actions, not files, that seem risky can be much more effective. If the security firms had been looking for rootkit-like behavior, it seems like they would have picked this up much earlier.
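To make the signature-versus-behavior point concrete, here is a toy detector written for this post; it is not code from the article, from Sony BMG, or from any anti-virus vendor. It keeps a "threat database" of file hashes next to a small set of weighted behavior rules, then runs three constructed samples through both. The payload bytes, the action names (such as `hide_file_from_listing`), the weights and the threshold are all made up for the illustration; a real product would derive them from far richer telemetry.

```python
"""Toy comparison of signature-only and hybrid (signature + behavior) detection.

Everything here is constructed for illustration: the "known bad" payload, the
action names, the rule weights and the threshold are not taken from any real
scanner or from the Sony BMG case.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# Constructed signature database: SHA-256 of one known-bad file's bytes.
KNOWN_BAD_PAYLOAD = b"constructed sample: driver that hooks enumeration and hides names"
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD_PAYLOAD).hexdigest()}

# Constructed behavior rules: hypothetical action name -> suspicion weight.
# Actions that hide files or processes from the rest of the system score
# highly; ordinary installer actions score low so benign setup programs
# stay under the threshold.
BEHAVIOR_WEIGHTS = {
    "load_kernel_driver": 2,
    "hook_system_call": 4,
    "hide_file_from_listing": 4,
    "hide_process_from_listing": 4,
    "write_program_files": 1,
    "add_autorun_entry": 2,
}
BEHAVIOR_THRESHOLD = 8  # constructed cut-off for "suspicious"


@dataclass
class Sample:
    name: str
    content: bytes        # the file as it would be hashed on disk
    actions: List[str]    # actions observed when the file ran (constructed)


def signature_match(sample: Sample) -> bool:
    """Classic reactive check: is this exact file already in the database?"""
    return hashlib.sha256(sample.content).hexdigest() in SIGNATURE_DB


def behavior_score(sample: Sample) -> int:
    """Sum the weights of every observed action; unknown actions score 0."""
    return sum(BEHAVIOR_WEIGHTS.get(action, 0) for action in sample.actions)


def classify(sample: Sample) -> str:
    """Hybrid verdict: signature first, then behavior, else clean."""
    if signature_match(sample):
        return "known-bad (signature)"
    if behavior_score(sample) >= BEHAVIOR_THRESHOLD:
        return "suspicious (behavior)"
    return "clean"


ROOTKIT_ACTIONS = [
    "write_program_files",
    "load_kernel_driver",
    "hook_system_call",
    "hide_file_from_listing",
    "hide_process_from_listing",
]

# Three constructed samples: the original known-bad file, the same program
# with one byte appended (a new hash, identical behavior), and a benign
# installer that only does installer things.
SAMPLES = [
    Sample("original", KNOWN_BAD_PAYLOAD, ROOTKIT_ACTIONS),
    Sample("repacked", KNOWN_BAD_PAYLOAD + b"\x00", ROOTKIT_ACTIONS),
    Sample("ordinary installer", b"constructed: benign setup program",
           ["write_program_files", "add_autorun_entry"]),
]


def signature_only_results() -> Dict[str, bool]:
    """What a database-only scanner reports for each sample."""
    return {s.name: signature_match(s) for s in SAMPLES}


def hybrid_results() -> Dict[str, str]:
    """What the hybrid scanner reports for each sample."""
    return {s.name: classify(s) for s in SAMPLES}


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.name:20s} signature={signature_match(s)!s:5s} "
              f"score={behavior_score(s):2d} verdict={classify(s)}")
```

Running it shows the gap the post describes: the "repacked" sample differs from the known-bad file by a single byte, so the hash lookup misses it, yet its behavior score is identical to the original and the hybrid scanner still flags it. The third sample shows the trade-off the commenters raise below: the weights have to leave room for legitimate installers, or the behavior rules drown in false positives.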

Reader Comments



  • Bob, 21 Nov 2005 @ 8:38am

    Security

    "the argument is that security firms need to first be alerted to a problem before they can classify it"

    If this is true, then how can a security firm claim to prevent problems before they occur? The statement is contradictory to the claim.

    These firms need to be proactive, seek out and fix problems before they occur, instead of just reacting to them after the damage is done.

    I don't believe there was any collusion, but still... there's no excuse for a failure of this magnitude.


    • Anonymous Coward, 21 Nov 2005 @ 9:05am

      Re: Security

      It's not contradictory at all -- it's the simple truth that if you're hit first with a new, advanced virus that doesn't look or 'taste' like anything the AV scanner has seen before, you're screwed. You notice things start falling apart, report it, and the next hundred million PCs get spared thanks to your glorious sacrifice upon the altar of insecurity ;)


  • Anonymous of course, 21 Nov 2005 @ 10:47am

    Which Actions?

    Anti-virus programs that analyze actions are pretty old now, F-Prot by Frisk comes to mind. These might catch the installer but once a rootkit is in place it can be a difficult thing to detect. If the installer does nothing overtly bad, but you still want to try and catch it, the heuristic sensitivity becomes too great and you have to weed out the false positives. Try running F-Prot with the /paranoid switch and you can see how many clever programmers do fishy things in perfectly legitimate programs. I think it's important to use trusted sources as much as possible. Now that Sony/BMG has proved untrustworthy, they're off my Christmas list.


  • LaidLaw, 22 Nov 2005 @ 12:52am

    RootKit

    Part of the problem with the rootkit debate is that in some cases, rootkits have a legitimate function. Rootkits are just like anything else; they can be used for good or bad.

    Another interesting problem in this debate (and I can't prove this yet) is that I believe some anti-virus companies install rootkits of their very own. Sort of a "you need a rootkit to detect another rootkit" kind of issue. Can anybody actually confirm the things that I have heard?


  • Anonymous Coward, 4 Mar 2007 @ 7:09am

    What "legitimate function" do rootkits have? Saying they have one and then refusing to state it only makes it seem like you are providing a debate with a missing argument. Ipsedixitism.


  • Fred, 23 Dec 2009 @ 7:24am

    This is why 'Rootkit Removal' is now a bullet point on so many antivirus manufacturers' products and websites. The ability to remove them, though it should have been there from the beginning, is now a bragging point for them.
