Sunday, October 04, 2009

mcafee and malware creation

if you hadn't already heard, mcafee plans to teach a class on "malware experience" at a 4 day security conference they're holding this coming week. there were only a couple of reactions to it that i saw, notably david harley's post at threatblog and michael st. neitzel's post on the sunbelt blog. the sunbelt post in particular drew the attention of mcafee's dave marcus who clarified exactly what was going to be going on - to the extent that the controversy around the promise of showing attendees how to create new malware seems to have died a quiet death.

i could have weighed in when i first read about this but the wheels of change had already started to turn and i wanted to see where things went before i said anything. the end result, however, seems to be mcafee has placated people's concerns with hollow promises that instead of teaching people how to make malware from scratch, they'll instead be using an existing toolkit to create the malware. the implication is that since this toolkit produces malware that is already detectable (at least as far as mcafee's product goes) then they aren't really contributing to the malware problem. if you're detecting the distinct aroma of a barnyard right now, you're not alone.

there are a couple of problems here so let's go through them one at a time. the first is the simple fact that mcafee is in the anti-malware business. i've said this before and i'll say this again - if you're anti-X you shouldn't go around making X's and you sure as hell shouldn't encourage others to do so. the company's namesake reputedly got into trouble with the rest of the industry by offering such encouragement in the form of financial incentives (paying for new viruses). now in this new case it's all going to be done inside a closed environment to prevent undesirable consequences so there should be no problems, right?

wrong. the work in the classroom will take place in a closed environment, but i have no doubt that some of the attendees will subsequently play the home version of the game, running malware toolkits on their own environments and creating malware in less secured environments (you can't really believe that they'll learn everything they need to know to handle malware safely in the 4 hours the class will run). a class like this encourages precisely this behaviour. it makes it seem ok for less experienced people to handle malware, and to that end even people who never attended the class will also play the home game if such behaviour is endorsed.

think that sounds far-fetched? it isn't; there are already well intentioned but ultimately unqualified people playing with malware and inadvertently contributing to the malware problem. it's been going on for years. sarah gordon covered this in her paper "The Generic Virus Writer II". that's a pill that the technologically inclined don't want to swallow; they think they understand malware well enough to prevent unintended consequences, but the reality is that most people lack the wisdom to appreciate the extent of their own ignorance.

finally, given the probable result of people playing the home game with the same malware toolkit used in the class, should they contribute to the malware problem they will do so in a way that benefits mcafee, because their product already detects all the output of the toolkit. they will be breeding demand for their product in an absolutely unethical way - by teaching people just enough to cause problems that their product can fix (others may as well, but it's impossible to know at this point).

mcafee is behaving irresponsibly and unethically, and i'm struck by how things seem to have gone full circle with them. while others seem to have let them off the hook because they're using a toolkit instead of teaching how to create malware from scratch, as far as i'm concerned the only difference is the sophistication of the malware creators they are going to produce. mcafee will be teaching a new breed of script kiddie and tarnishing the industry's reputation once again. congratulations on being part of the problem, mcafee folks.


David Harley said...

I don't know that McAfee is off any hooks. Even assuming that the session they're offering is OK after all (and I agree with most of your points), the fact that they said what they did in the first place sends a grim message. The fact that they changed it doesn't alter the fact that there are people there who feel that it's an acceptable message.

Unfortunately, that feeling isn't confined to McAfee. There are lots of people who don't understand old school objections to malware creation for "good" purposes, and some of them work in the industry. Though not usually as researchers...

There's a lot more to be said on this topic. And I hope to say some of it in the next week or two, but not necessarily in the Threatblog. :)

kurt wismer said...

"I don't know that McAfee is off any hooks."

you speak further in the paragraph about sending the wrong message. if people didn't mean to send the message that mcafee was off the hook then why are they not still holding mcafee's feet to the fire right now? when controversy comes to an end, even when there's no clear resolution, the implication is that it's not an issue anymore.

"There's a lot more to be said on this topic. And I hope to say some of it in the next week or two, but not necessarily in the Threatblog. :)"

well, that's nice, but the conference starts tomorrow. the window of opportunity to get them to change their tune is almost closed.

Unknown said...

I'm going to abuse the whole splintering discussion effect of blogs and say I posted a reaction on my own blog. :)

In short, it's a strange line to draw about teaching hacking techniques to groups of people who may or may not be quality anti-hacker folks. I basically am not sure I'd judge McAfee too closely on this one...but I'm certainly not passionately defensive about this stance either. :)

kurt wismer said...

you make some points in your post that i feel need a response - for those interested in where that discussion is going, here's the link mcafee course teaches students how to create/use malware and here's my response:

"I guess the point of 1 and 2 is that I'm not sure McAfee is introducing any new enablement with their course. If the labs/slides were made public, I would have more of an issue with it."

it's not always about enablement. sometimes it's about endorsement. the fact that mcafee will be using an existing malware toolkit means that yes people could do this without mcafee's help, but mcafee is contributing to the idea that it's ok to 'play' with malware.

"As defenders, we do need to stay abreast of these techniques."

in the general sense this is true, but when was the last time knowing how to create malware aided you in defending your systems and networks from that malware? the fact is it doesn't. this kind of information is only useful if you're building anti-malware tools and the people hired for that purpose get plenty of training.

there aren't a lot of anti-malware tools out there that you can add your own information to, even if you were to learn something from creating new malware.

needing to stay abreast of attack techniques doesn't mean needing to create new malware yourself. you don't need to create your own DDoS tool to stay abreast of DDoS attack techniques.

Cd-MaN said...

@kurt: great to see you blogging again. BTW, the blog seems to be back in the Google indexes.

The issue is also discussed at the technical info blog. The author endorses this practice stating that it is similar to the penetration testing courses (where you also learn how to use "hacker" tools). The analogy is flawed in my opinion (as I also state on his blog), because you can and should learn how malware works by studying existing samples, rather than creating new ones.

Also, another concern of mine is that there is a big probability that the generators will be carefully selected such that the resulting samples will be detected by McAfee and not by many others. This will give the participants a skewed sense that somehow the McAfee AV is "perfect".

kurt wismer said...

i have been struggling with the question of how to explain why malware creation is wrong - people really don't understand and so it doesn't surprise me that the blog you linked to thought mcafee's idea was a good one.

i'm considering going back to the beginning, where we learned it originally (or at least back to a time when we were starting to learn it). i'm thinking maybe if i show that the old guard didn't always feel the way they currently do about malware creation, that the current philosophy was one arrived at through trial and error, maybe the journey will open some people's eyes (since simple logic has failed to do so).

however, a foolish consistency is the hobgoblin of little minds so i suspect even then there will be some who resist anything that threatens to change their minds.