By Roel Schouwenberg
Once
upon a time we were living in a world where creating malware, then
still called viruses, was a very bad thing to do. These days, people
seem much more relaxed with the idea of someone writing malware.
Over the years I’ve spent quite some time thinking about this change
and why it’s occuring. One of the major reasons for this change in
mindset is the shift in the malware landscape. Back in the 1990s,
mostly hooligans were busy writing malware. These days it’s all about
professional cyber criminals making huge amounts of money. Compared to
malware that empties your bank account that file infector suddenly
doesn’t seem that bad anymore.
That leads me to one of the other major reasons — ethics. In
general, there seems to be a disconnect between the ethical standards
of anti-virus veterans and those of newcomers to the security industry.
One could argue this most likely means that the new generation is
slowly taking over and with it brings a more current set of ethics.
Evolution is key, right?
I’m not sure this is the case. What I will say is that the new
generation has a tendency to be more pragmatic. At the beginning of the
previous decade we were encountering not even 100 new viruses a year.
Fast forward to today and we encounter up to 40,000 new samples in a
24-hour period. This makes certain dilemmas much, much harder.
Suddenly, it’s no longer so easy to turn down that person who has
written malware but is otherwise perfectly qualified.
Then again, that’s the essence of ethics. Taking a more ethical approach will always be harder than taking a less ethical one.
So why am I bringing this topic up? Less than one week after someone
who had worked at a security company introduced an open source MBR
rootkit at BlackHat we’ve come across another example of extremely
questionable ethics.
In an attempt to demonstrate how Crimeware-as-a-Service work,s some
students at the University of Michigan have set up a server that works
exactly as such. The idea behind the site is that people can upload
(detected) malware files and make them undetected by as many anti-virus
products as possible.
Here’s the description: “…is
a web service that uses an array of packers and antivirus engines as a
feedback mechanism to select the packer that will result in the optimal
evasion of the antivirus engines.”
I’m completely baffled by this so-called academic project. Why would
someone want to offer a service that makes malicious files
undetectable? For sure, it’s not to do the internet community or
anti-virus vendors a favor.
To show the future? Well, there’s no need to speed up malware
evolution. That will only help the bad guys, not the good guys. So I
really can’t see a positive outcome from this ‘project’. Next to the
fact that it’s completely unethical it may also be highly illegal.
What were they thinking? I guess the bigger question is if this project was started with support from the university.
If this project has the support from the University of Michigan then
we obviously have a bigger problem. There have been projects before
conducted in the name of academia which can be considered doubtful. But
this sets a really bad example. Personally, I think the only right
thing to do is to expell the students. Surely universities can’t allow
for or support the creation of malware.
Regardless of how the university will act, the anti-virus industry
needs to rethink its approach to the neverending issue of ethics. From
my own point of view the industry is no longer as vocal about these
issues as it once was.
Looking at more and somewhat less recent events it seems pretty clear that this is not the best approach to tackling the issue.
* Roel Schouwenberg is a senior anti-virus researcher in Kaspersky Lab’s Global Research & Analysis Team.