How the A/V Industry works - Renderman's efforts to get an explanation why BO2K is "Bad" while PCAnywhere is "Good"

                         How the A/V Industry Works

     By: Renderman,

     What do I remember most about DEFCON 7? The mosh pit of
     Anti-Virus employees at the release of BO2K. Several dozen A/V
     people from different companies, risking life, limb and large
     insurance deductibles to get their company the first samples of
     BO2K, was one of the funniest things I remember. At the time it
     made sense to risk injury to get a copy: the media would reward
     the first company with a BO2K detection signature with immense
     amounts of free advertising. After all, this was the latest and
     greatest Trojan/backdoor, right? Well, after seeing Dildog's
     presentation and the following open challenge to M$ to recall SMS
     server, the general description of BO2K changed. After initially
     trying BO2K on an isolated test machine to make sure I didn't
     screw myself, it has now become my primary method of remote
     administration on a multiple system 9X/NT network because it is
     just a damn good program. My opinion now: the anti-virus industry
     people didn't need to be there. This was a well designed remote
     control product that happened to be written by hackers, and as
     with any tool, in the wrong hands it can be dangerous.

     In the months following DEFCON, products such as Softeyes,
     Investigator from Winwhatwhere, and other products that are
     designed to do much of what the A/V industry says makes a program
     malicious are not scanned for. When a product can advertise that
     it "watches and records everything about every window that gains
     the focus. It records every keystroke, program name, window title,
     URL, User and Workstation and the optional 'Silent Install'
     feature will run the installation silently and invisibly" and not
     be scanned for, it begs the question: how do you decide? Also you
     may recall the problems that the folks over at NetBus had when
     they went commercial and started charging for their product. They
     had a hard time shedding the image of a hacking tool. This really
     rattled a lot of people's cages, because the logic that was in use
     by the people who are saying certain programs are malicious does
     not make sense when you add these new programs to the mix. Just
     looking at C|net's technology terror guide (Technology Terrors)
     you can see the number of products that aren't on any A/V list
     that are as dangerous, if not more so, than BO2K.

     This whole thing boils down to one question: how do A/V companies
     decide what criteria make a piece of code worth being scanned?

     Well, rather than rant on like others might do, I went to the
     source. I looked on A/V sites for a policy statement or a set of
     internal guidelines. Nothing found. So I sent a mail like any
     other customer to the customer support department (and if it
     existed, the A/V research department as well) of the major A/V
     companies, Symantec, NAI, AVP, Computer Associates, and Panda
     Software. There were others that could also qualify, but these
     are what you find most on store shelves. To all the companies I
     sent the same letter:

          Dear Sir/Madam,

          With recent events in the virus industry, it has become
          apparent to myself and many others that there seems to
          be a definite bias when it comes to how companies like
          yours determine what should and should not be scanned.

          By what policy do you decide what should be scanned for
          and eliminated and what is 'legitimate'? After an
          examination of your web site, no policy statement could
          be found. Can you clarify what criteria make a product
          malicious or legitimate?

     As you can see, the letter states my conundrum and the
     clarification I need, and I don't try to hide who I'm mailing as.
     I waited a couple weeks for the responses to accumulate and
     re-sent some that I did not receive responses from. In over two
     weeks I only received 3 responses.

     First was a very quick response from Symantec customer support
     from a gentleman who, I think, was having a really bad day and
     was not happy to see me. Here is his message with my comments
     inserted:

          I can assure you that Symantec has absolutely no bias
          towards any legitimate software developers. (What makes
          a software developer legitimate? Is there a license I'm
          not aware of? I thought anyone could code.) Arguments
          by some hackers that certain hacker tools are actually
          legitimate commercial software are themselves extremely
          biased to the point of not making any sense. (I agree we
          are biased to a point, just as you are, but what makes
          something a hacker tool or a mis-used administration
          tool?) A good recent news story about this subject is
          available for reading at this web page,
          Both Symantec management and management at other
          Anti-Virus developers are quoted in this article about
          this subject. We really would not have anything further
          to add to these comments on this subject. (The article
          does not really answer what I was asking.)

          Best regards,
          (name omitted)

     After not answering my original question, I responded because I
     thought they still had something they could add. This time I
     asked exactly how they decide what should and should not be
     detected, and gave an example:

          Interesting article you reference, but it still does
          not answer my question.

          What is your company's policy on determining what
          should and should not be detected in your Anti-Virus?

          What is defined by your company as legitimate software
          developers? Are independent developers not in the same
          boat as large companies such as yourselves?

          What is preventing Back Orifice 2000 from being a
          legitimate tool? In the article you specified it says
          "anyone with the other half of the Back Orifice
          software (the administration tool) can control the
          victim's PC from anywhere on the Internet". Cannot the
          same be said for your product pcAnywhere?

          I really appreciate you trying to clear this question
          up for me.


     The bit about pcAnywhere was meant to try and get my point across
     that the differences between good and evil code are blurred. I
     myself have taken over the computers of friends (with permission)
     who use PC Anywhere without passwords, and the effect is just the
     same as using BO2K.

     His response was less than pleasant, but interesting. Again, here
     is a transcription with my comments:

          I'm afraid that this is not at all a legitimate
          question that you ask here. (I'm a customer; I want to
          know so I can know if your product will protect me from
          anything that can be bad.)

          You know, you aren't even giving me the common courtesy
          of identifying yourself. (Ummm, I signed my name at the
          bottom; that usually is all people do. The support
          center never stated anything about needing my full
          information in order to receive customer support.)

          Symantec operates our discussion groups as a support
          resource for our customers to use to get help from us.
          They are not meant for engaging in debates like this.
          (Whoa, hold on, I really am a customer of Norton A/V,
          and I'm asking a question: how do you decide what to
          scan for? This is a customer inquiry.)

          pcAnywhere is not designed to be installed silently
          and secretly in the background on a system. It was also
          not announced at a hackers' convention. (So if it
          announces its presence but formats your drive without
          asking, it's OK? Since when does the location of the
          announcement mean anything about the product itself?)

          (name omitted)

     After that, I let him get back to blowing off other customers.

     MS announced DirectX 2 at a conference done along the theme of
     ancient Rome. Does this mean DirectX is a technology for guys in
     robes and olive branches? I think not. Fortunately this response
     from Symantec was not indicative of all the responses I received.

     NAI customer support responded quickly as well, this time with a
     definitely different tone.

          If a program reproduces itself, we call it a virus. If
          it does something that the user does not expect, we
          call it a trojan. If it is harmless and funny we call
          it a joke. (Not a bad, though short, summary.)

          There are other categories that could be considered
          such as Hack tools, BackDoors, worms and Password
          Stealers. (Now it gets weird. Does L0phtCrack count as
          a password stealer, or a hacktool, or as just another
          damn good program?)

     NAI wasn't clear but I was getting closer.

     NAI also sent the third and final response, the one that really
     got me.

          Thanks for your question. The criteria, although not
          obvious, are simple among researchers. The detections
          are mainly customer driven; that is, if a client
          requests detection of a particular problem then it is
          taken into account. Many of the detections received
          come from shared collections, collections that are
          shared among A/V vendors. Some of the detections are
          from samples received from customers and others are
          from sites referred to us from customers who feel there
          is a valid threat.

          (name omitted)
          Sr Virus Support Analyst
          AVERT - a division of nai
          //* We eat viruses for breakfast, lock and load *//

     Ding, ding, ding, we have a winner. The last line: "others are
     from sites referred to us from customers who feel there is a
     valid threat." So, the A/V industry uses a common database and
     submissions from customers... I'm a customer and I want
     Investigator, softspy, pcAnywhere and SMS scanned for. I submit
     to you samples of each to add to your databases. There is no way
     to get BO2K off the lists; the media just won't have it. But by
     using the normal submission procedure for suspicious files, it
     may be possible to add other programs with similar features to the
     database and make the A/V industry re-think itself.

     I encourage everyone who has legitimate access to any program
     that can be used maliciously to submit it to the A/V industry
     through their virus submission e-mail addresses: a hacker's
     version of a letter writing campaign. One person submitting these
     programs will be labeled a crackpot; many, on the other hand, will
     have an effect.

     I for one want a level playing field. If there is a program on my
     system that can record my keystrokes, passwords, bank account
     numbers and ship it off anywhere without telling me, I want to
     know about it.

     If a person wanted to use a trojan for nefarious purposes they
     need only be a little creative. Just spend the $100 or so on
     Investigator or a similar program, use something like Silk Rope
     to wrap the executable with some benign little program and deploy
     at will. This is a common tactic used to deploy trojans, but with
     this method not a word will be uttered by any A/V product and
     the attacker can go along on his merry way unfettered. So unless
     the A/V industry changes its position on what makes a piece of
     code malicious, smart trojan users will fly on by using
     'legitimate' products. But why should they scan for those
     products? After all, they weren't released at a hacker convention.