Sunday, February 20, 2011

ethical conflict in the anti-malware domain

forgive my silence over the last little while. motivation to blog sometimes isn't easy to find. as time wears on, fewer and fewer things get under my skin enough to drive me to rant (is that what it means to mellow with age?). but since you're reading this i think you can guess what this post implies.

five years ago i wrote a post about what i perceived as an ethical conflict in the anti-'rootkit' domain. it detailed the actions of two of the most notorious names in stealthkit research, jamie butler and greg hoglund, and how they were profiting from making a particular niche of the malware problem more popular (and thus, inevitably a bigger problem).

one of the things i pointed out was that symantec was working with a start-up company (komoku) that had jamie butler (author of what was at one time one of the most widely deployed stealthkits around) as its chief technology officer. i thought the fact that an anti-malware company was in bed with a company that hired such a high profile malware writer deserved at least a moment of reflection, considering the hard-line stance anti-malware companies take on hiring malware writers themselves. at the end of the day, mind you, that start-up was focused on prevention, so maybe the argument could be made that mr. butler had reformed or was trying to reform in some way. (mr. butler has since moved on to mandiant, along with his disciple {the FU2 to butler's FU} peter silberman)

when i read earlier this past week that another anti-malware company (mcafee) had been working with greg hoglund's company (hbgary) i thought it an interesting historical footnote but paid little attention to it beyond that (though, if i had remembered that mcafee had once been pointing fingers at rootkitDOTcom, maybe the hypocrisy would have stood out more). after all, little attention seemed to be paid to such connections five years ago, so why should this time be any different? well, that was before i knew what hbgary was into.

apparently, on top of the legitimate work that one can find out about by visiting the hbgary website (which of course i won't link to), it appears that hbgary also writes and sells malware for fairly large sums of money. the customers for their malware include the government/military but might not stop there. even if that set of customers does stop there, hbgary appears to be in the high-end commercial malware business.

so where does that leave mcafee? it leaves them in bed with commercial malware writers. while AV companies have been proclaiming for decades that they don't and won't hire malware writers, apparently they don't have to. they can simply partner with the boutique security shops that do. clearly they are not picking their business associates as carefully as they are their actual employees.

and then there's the claim that surfaces from time to time that AV companies won't make special provisions to keep malware deployed by the authorities from getting detected. what's the point of making such a claim if you're just going to turn around and do business with the company that may very well be making said malware?

how many other AV companies, besides mcafee, were or are in bed with hbgary? how many are in bed with companies LIKE hbgary? where's their ethical high horse when it comes to partnerships? why wasn't the "malware writers need not apply" policy updated when commercial malware became the norm and presented the loophole we see before us today?

some AV companies are rewarding malware writers financially. it may not be in the ways we traditionally thought of, but with the #2 company in the industry involved in this practice (and arguably the #1 company as well, depending on where you want to draw the line), the end result is AV companies contributing to the commercial success of malware writers, and that is not ok at all.

3 comments:

emoyle said...

Great post...

What's interesting to me about this is the fact that the blackhat community is unquestionably moved ahead by the compromise overall. Even if the compromise didn't give them access to source, it certainly gives them insight into malware ideas and deployment strategies. Not good.

You and I have disagreed in the past about the specifics of how to contain this, but it's a good argument for both positions - both the "no malware authorship in the security community" position as well as the "control it and regulate it" position.

My hat is off to you.

Harry said...

I'm not sure there's any evidence of HBGary being commercially involved in writing malware, at least not in the original sense meaning that the softWARE had MALicious intent.

Perhaps we need a new term for non-malicious stealth software - weaponware, maybe?

As for their connection to rootkit research - well, research into ways of exploiting security vulnerabilities, and public disclosure of the details, often including demonstration code, is by now a well-established and accepted practice. I don't see the public release of rootkit code as fundamentally any different.

kurt wismer said...

@Harry:
software that facilitates one entity attacking another is malware. that is what HBGary created and sold to various branches of government/military. your confusion is down to the fact that you have reason to side with the attacker.

if we used the reasoning you're adopting to weasel out of calling these particular examples malware, we wouldn't be able to call commercial malware malware at all. after all, it's not malice, it's just business.

as for your inability to discriminate between vulnerability disclosure and malware disclosure, i happen to have written about that topic quite a bit. vulnerability research vs. malware research is just one of the posts i've written which might enlighten you as to the differences.