[ISN] AV vendors shun MS bounty hunters

From: InfoSec News (isn@private)
Date: Sun Nov 09 2003 - 22:32:10 PST


    http://www.theregister.co.uk/content/56/33866.html
    
    By John Leyden
    Posted: 07/11/2003 at 18:14 GMT
    
    Anti-virus vendors are resisting any involvement in Microsoft's scheme
    to offer rewards for the arrest and conviction of virus writers.
    
    This week Microsoft placed two $250,000 bounties on the heads of the
    virus authors responsible for unleashing the infamous Sobig and
    Blaster worms this summer. The application of Wild West-style rewards
    on computer crimes is part of a wider Anti-Virus Reward Program,
    initially funded with $5 million from Microsoft.
    
    Thus far this is a Microsoft-only initiative, but Redmond is
    encouraging "other corporations to consider ways to partner with law
    enforcement in deterring this illegal and destructive activity".
    
    
    Once Upon a Time on the Net
    
    So are anti-virus vendors (never shy of praising law enforcement when
    virus writers are convicted) willing to join Sheriff Steve Ballmer's
    anti-virus posse?
    
    The answer would appear to be that, rather like the citizens in High
    Noon, AV vendors are sitting this one out.
    
    Sophos said it had "no plans" to offer financial rewards for
    information leading to the arrest of virus writers. Symantec declined
    to comment. Network Associates and MessageLabs both welcomed
    Microsoft's initiative but neither expressed any desire to become more
    closely involved.
    
    Paul Wood, chief information security analyst at MessageLabs, said he
    welcomed Microsoft's initiative as a way of deterring virus writers.
    
    Microsoft was motivated in launching the initiative by the adverse
    publicity generated by recent viral outbreaks which has "damaged its
    credibility", he said. "Microsoft has to be seen doing something."
    
    Microsoft has a clear financial incentive for making things difficult
    for virus writers, but the AV vendors have no such motivation.  
    High-profile viruses stimulate AV software sales, particularly to
    consumers, despite the increasingly apparent shortcomings of the AV
    scanner model.
    
    
    The Good, the Bad and the Ugly
    
    Leaving aside arguments about the possible effectiveness of
    Microsoft's program, MessageLabs' Wood agrees that it is hard to
    imagine the AV industry getting rid of a problem it was created to
    solve.
    
    Doubtless, the vast majority of participants in the AV industry mean
    well, and we've never bought into the urban myth that AV companies are
    in any way involved in writing viruses, but we question their
    incentives to introduce technologies that clamp down on viral
    outbreaks.
    
    David Emm, AVERT marketing manager at McAfee Security, said that
    technical researchers at AV firms have to go without sleep during
    viral outbreaks.
    
    Maybe that's part of the problem. From years of experience we'd note
    that we never speak to happier people in the IT industry than AV
    marketing folk in the middle of a viral epidemic.
    
    McAfee's Emm makes a decent fist of arguing that AV technology has
    come on in leaps and bounds in recent years (better management,
    heuristics etc.); even so, the security crisis is getting worse. To
    Network Associates' credit, the firm is revisiting the concept of
    behaviour-blocking technology. This, along with scanning for viruses
    on the Net before they reach users' in-boxes, seems to represent the
    best way forward.
    
    "Behaviour analysis has come on leaps and bounds, so that it's no
    longer a burden on user. User desktops can be tied down by an admin
    more effectively using more sophisticated tools than we had ten years
    ago," Emm told El Reg.
    
    
    Unforgiven
    
    Back to Microsoft’s bounty on virus writers, Emm reckoned it is too
    early to say if it will be effective.
    
    "It's hard to say whether virus writers would have scruples about
    dobbing in [informing on] a friend. Lack of scruples in one area
    doesn't always translate into another area," he said.
    
    "But I think it will make virus authors more careful about bragging
    about their exploits. There's kudos to creating viruses in certain
    circles and Microsoft's reward might make people think twice about
    sounding off," said Emm.
    
    Against this, Emm noted that the authors of Sobig and Blaster have
    kept a much lower profile than traditional virus authors.
    
    
    A Fistful of Dollars
    
    Emm reckons that the funding of Microsoft’s initiative with $5 million
    is evidence of its serious intent. "It's a lot of money for a simple
    publicity stunt," he said.
    
    The bounty might "oil the wheels" of the criminal justice system, Emm
    said. Although he predicts increased co-operation between participants
    in the AV community and the police, Emm detects little willingness in
    the AV community as a whole that this will "translate further along to
    bounties and rewards".
    
    
    