Can I trust myself?

Another year, and another journalist proposes that the security industry discusses threats purely to sell products (http://www.newsforge.com/article.pl?sid=06/06/06/1832223). This is usually followed closely by the conspiracy theory that we actually write the viruses that we protect against. I find it interesting that this argument has cropped up every few years since the nineties.

I often wonder why this argument is so frequently recurring and apparently popular. I suppose, on the one hand, that it fits so neatly into our collective understanding about how free market capitalism works: If you can artificially create demand, you can increase your sales. But why does this same argument not crop up more often for others in security or services fields, like firemen, policemen, doctors, nurses, people who make home security alarms, airbag manufacturers, etc.

Particularly when there are (very rare) documented cases of people in some of these fields actually harming the people they are meant to help? It seems to me that in all of these cases we have:

• good, independent statistics from organizations designed to track those phenomena, so we know what the actual risk is (or it’s at least harder to lie and get away with it).
• they usually catch the bad guy, so everyone knows that the frequency with which someone is playing a scam is very low or non-existent.

But in our world, antivirus companies are the only ones who have good first-hand data about the prevalence of threats, and the attackers are almost always anonymous. How then, could we prove that these accusations aren’t true?

Unfortunately, we probably cannot. There are barely national law enforcement or governmental agencies, never mind global organizations, capable of tracking the problem on the massive scale that it actually occurs. We routinely see millions of attacks on hundreds of thousands of computers occur on a 24-hour basis, and this represents only a fraction of our customer base that has opted in to anonymous reporting. And McAfee represents only a portion of the AV marketshare. And computers with antivirus protection represent only a portion of all computers.

The internet is a remarkable tool for anonymity, even if it weren’t true that in some parts of the globe, there is no authority who will even try to help you track down a virus writer. Add privacy-minded tools like Tor to the mix, and the task quickly becomes mind-boggling.

So here’s some truth, from someone in the trenches: You don’t NEED an antivirus product. As long as:

• you use a good NAT hardware firewall/router
• you practice good, safe surfing habits all the time
• everyone else who uses your computer does the same, and has limited privileges
• you keep the operating system and applications patched on a daily basis
• you have complete control over who can exist on or connect to your computer or network (especially with wireless networks and Bluetooth)
• you have, and keep current, with existing malware trends
• you can recognize and recover from a 0-day attack that does get through
• you have no data worth anything on your computer

Most people either can’t, or don’t want to, expend this kind of effort or maintain this kind of draconian control over their computers. Frankly, most of us wouldn’t use computers or the internet nearly as much if they weren’t as open and flexible as they are. So the value of data and processing power in computers is so massive and growing so fast that there will always be LOTS of people trying to steal or exploit it. Imagine trying to protect a transparent bank from invisible attackers who could see every camera and security mechanism in the building. You would block many attacks, but sooner or later somebody will get through. Which means we’ll have a job for a long time.

So why do we talk about threats to Linux, or Mac, or Windows, or any other platform? Mostly to educate consumers and enterprises about the possible threats, so that people apply an appropriate amount of effort to preventing those threats. Naturally, we have to walk a fine line between creating a false sense of security, and crying wolf too often. The former means people will leave themselves exposed; the latter, that they will ignore real threats that will harm them.

In my position, we are frequently asked to be psychic about impending threats. If we do not start preparing solutions a year or more before the threat appears, we may be unable to protect our customers down the line. If we move too soon, we might expend a lot of effort writing code that isn’t needed. Sometimes we talk about those threats when we think it has relevance for our customers. Recently we’ve taken a lot of flak for bringing up Mac OSX viruses, largely from Mac zealots, as Kaspersky takes flak in the article above (from a Linux site) for talking about Linux threats.

Are we right or wrong about our predictions – it’s too soon to tell. I do believe that if these platforms make serious inroads into Windows marketshare, that their value will go up, and the attackers will follow. But whether that happens depends on far more factors than any threat report by any security vendor. What I am sure of is that the capacity for malware to be effective on these platforms is ample, and that pretending that this is not the case increases the risk of those doing the pretending.

Here’s an earlier example. In June of 2002, we did a press release about a (poorly-written) proof-of-concept threat that was appended to JPEG files called W32/Perrun. Despite the fact that “pure” data files like images (as opposed to files containing macros or scripts like Word docs or HTML) were commonly thought of as immune to infection, or uninteresting as a vector of malware, we took a lambasting in the press (see http://www.infoworld.com/articles/hn/xml/02/06/21/020621hnjpegvirus.html).

Fast-forward to today. There are threats for WMF, MP3, JPG, BMP, ANI, SWF, PNG and a variety of other data file formats. In fact, the most common dropper for malware today is Exploit-WMF (see http://us.mcafee.com/virusInfo/default.asp?id=regional&continent_k=0&track_by=2&period_id=3). So before you blast us for this year’s predictions, wait a few years. Whether you believe our information or not, we’re working on solutions so that you can be protected when the threat materializes.

Likewise, many of us in the AV space weren’t out there earlier this year making a lot of fuss about W32/MyWife.d (or the Kama Sutra or Blackmal worm, as it was commonly known). We knew that the prevalence was grossly over-estimated and that world meltdown was not going to occur on February 3rd. And it didn’t.

In my position, I have the privilege of working with over a hundred of the most hard-working and well-respected experts in the security field. And right now (Thursday evening US time) many of them are in the 50th or 60th hour of their work week. They are not having dinner with their families or playing with their kids. They will be working this weekend while you go to the beach. They (and their spouses) will be woken up in the middle of the night sometime soon to respond to a threat.

I’m not naive enough to think that everyone does this job out of a sense of altruism. Certainly, many researchers get a charge from the technical challenge. Some may even be completely mercenary about it, though I have yet to meet one, at McAfee, or any other antivirus vendor. If they exist, they are not too bright, because most of us could be making as much or more working fewer hours writing code for other kinds of applications. The fact is, most of us do it because we feel good about helping people. And you can’t get that from the company balance sheet.

Joe Telafici

Director of Operations, McAfee Avert Labs

The price of freedom is eternal vigilance
- Thomas Jefferson