Project Zero bod says antivirus black market is growing

Google troublemaker Tavis Ormandy, whose credits include turning up security vuln in popular antivirus products, reckons he's identified an active market in antivirus exploits. In June, the Google Project Zero security bod found trivial bugs in the ESET tool, and earlier this month, he served a similar dish to Kaspersky. In …

  1. Aslan

    Just wow,

    How is one supposed to maintain a secure system? Installing the latest updates and not using unneeded services is a start, but there are always holes in software, and so security software, at a minimum antivirus, is always necessary.

    Now look at this, the US government is planning to hijack OS and security software updates to give themselves remote access to your systems.

    http://www.tomshardware.com/news/us-government-four-backdoor-solutions,30163.html

    https://www.washingtonpost.com/world/national-security/obama-administration-ponders-how-to-seek-access-to-encrypted-data/2015/09/23/107a811c-5b22-11e5-b38e-06883aacba64_story.html

  2. WatAWorld

    Obviously the NSA doesn't like us using an AV whose management it can't control

    Maybe I'm being too cynical, but I can't help wondering if the NSA doesn't like there being a Russian AV whose management it can't easily control, so it is using a US company it can control to alter the situation.

    That is just speculation.

    The prevalence of US-based mass-market world-wide unencrypted services by Gmail, Google Search, Hotmail, etc. has made life easy for the NSA. (Even now, the encryption is apparently just in transmission, not in the storage at the server end.) The NSA doesn't need foreign AV companies growing up and offering secure services to compete with those.

    1. A Ghost
      Black Helicopters

      Re: Obviously the NSA doesn't like us using an AV whose management it can't control

      Maybe I'm being too cynical, but I can't help wondering if the NSA doesn't like there being a Russian AV whose management it can't easily control, so it is using a US company it can control to alter the situation.

      That is just speculation.

      Well, you wouldn't be the first to have those thoughts.

      The truth is, all our hard drives are rooted, all our OSes are backdoored, all our CPUs can be reprogrammed while the computer is turned off.

      All the AV companies' founders have woken up to find horses' heads in their beds. They get made offers they really can't refuse. This is not paranoia. It is fact. We are in 2015 here now and there is simply too much information out there. Did AVG or Avast pick up on Fanny? What about Stuxnet? Yup, missed that one too.

      In a way, the frameworks that are developed to circumvent all the security protections of today's hardware/OS aren't even strictly viruses, are they? Of course they are malware. Of a sort. But not so malicious that they encrypt your volume and ask you for cash. It's more spyware.

      As far as I know, there aren't really any programs that will detect the full gamut of these things embedded in our software. Just give up on the hardware. It's not possible.

      That is the narrative.

      So forget about Russian AV, forget about conspiracy theories. If you have a recent i7 CPU and your computer is turned off, but it is still plugged in via Ethernet, then it can receive and transmit information, even reprogramming the chip.

      I still run several layers of security measures. But I'm not cocky. I have trouble sleeping at night sometimes when I realise all the things that can go wrong. But I do my best and try not to worry.

      1. Loud Speaker

        Re: Obviously the NSA doesn't like us using an AV whose management it can't control

        If you are worried about your i7, I have a Pentium 4 I can sell you for a reasonable price.

  3. A Ghost
    Boffin

    At the risk of being hunted down and called a spammer

    like what happened to me before when I mentioned I used a rarely used AV/AM and said it weren't bad; I was accused of all kinds of things.

    Let it be.

    I'm into all this AV/AM stuff more than your average consumer. Some call me an expert. I'm not. Hell, I'm into it more than some guys I know that code. Dur, they are so busy coding, they do not have the time for the frivolities of the latest update that will prevent their very own code being encrypted and unreadable. Not that that would ever happen to someone like that. Well, if they don't surf the net, it might never happen, seeing as the vast majority of this kind of thing is based on a vector of users browsing to the wrong occasional site.

    So, AV/AM is only of limited use. Time for other tools.

    Microsoft provide one. It's called EMET. It has data execution prevention, structured exception handler overwrite protection, and address space layout randomisation.

    https://blogs.microsoft.com/cybertrust/2012/08/08/microsofts-free-security-tools-enhanced-mitigation-experience-toolkit/

    As I understand it, most of those are aimed at memory exploits and buffer overflow kinds of thingies.

    Dedoimedo is big on EMET. And seeing how big he is on Linux too, I tend to believe him. Check his toots.

    Now here comes the spam bit. You will think it is spam because you never heard of it before. Because someone you don't know is recommending it. Because it's just too good to be true.

    Whatever.

    I just got a nice free shiny copy of Voodoo Shield (https://voodooshield.com/) and it works in a way that is also outside the AV/AM paradigm, as EMET does.

    In fact, you don't need to buy a copy, coz the free version will do most people proud.

    It's very simple how it works. It has several modes depending on how you are using your computer. If you are installing software and messing about you have it to one level. If you have all that done and just use it for very specific tasks, you lock it down. There is also a middle 'learning mode' which is fairly intelligent.

    I won't lie, it's a pain in the arse sometimes, like when I was building a whole Win7 OS. But in training mode it worked out. I would recommend this more for compos already set up and with all software installed - just lock the mofo down. Anything outside the ordinary - BANNED.

    Don't know how much it costs. Don't know how many licences you get when you buy. Don't go installing it on a comp when you are building the OS.

    I talked to the dev a coupla times via mail. He gave me the free licence just for providing feedback on a very well known security forum. I spread the word again to audio sites and whatnot.

    Point being - this program would work wonders against any 0-day. AV/AM is a loser's game. I can run totally without it, but I still use it, being paranoid. I spend money on AV/AM. I also spend money on AV/AM for family members/friends. What's an extra licence or two?

    I've spent as long learning about computer security as I have learning Linux. I understand both sides of the argument. No cure for stupid and opening any ol' attachment. And I've seen the best minds of my generation struck down with nasty blackmail encryption viruses too. Experts. Of course they pretty much laughed about it, having their whole system backed up in duplicate - offline HD and cloud solution - but that was not the point - they got burnt. And if they got burned then so can you.

    Really. This is not unheard of. And this is not chaps doing research. This is chaps surfing the net and doing what they do. After taking all the precautions they take of course. They love it in a way. It proves the robustness of their solutions and they are happy to say how they got everything working back nice and normal in a matter of minutes/hours. Most of them are amateur enthusiasts as well, we aren't talking great coders here.

    Some people have a fetish for this kind of thing. I understand that. I respect that. I played a while in that garden.

    I now have almost a phobia against using the computer, let alone implementing new up-to-date 0-day mitigations against nasties. Like I said, EMET is a good 'un. Microsoft get it very right sometimes. (I slag them most of the time like most people.) Then again, they have the documentation. All that ring 0 kind of stuff. The access to the closed APIs. Am I sounding like a conspiracy nut? I don't mean to. :-0

    But check out that Voodoo Shield program. Apart from getting a free copy, I don't work for or know the chap doing it. He's very dedicated though, and also very approachable. I dare say, if you really knew about these kinds of things, you could get him to ameliorate it in some way, if you took the time to mail him.

    Typical coder. Will send you a mail asking you loads of questions, and you answer him, and you don't hear back for three days. Then it's all 'I'm sorry I was lost in the deep dark woods'. eh eh.

    Then he gives you a free copy.

    Having said that, it is a very effective deterrent, especially against low-level encryption type stuff. No AV/AM would really cover that. EMET should, technically, but in practice it doesn't.

    There are so many contradictions in the security world. So much 'voodoo'. Ah.

    It's always good to have another string to your bow.

    And the great thing about solutions like EMET or Voodoo Shield is that they take up absolutely no CPU time and are therefore massively efficient. This is low-level stuff.

    There are probably more examples I could give of this kind of level of security, but suffice to say, anyone that employed EMET (Microsoft - free) and Voodoo Shield (free for the basic version, which is all most people will need) would be covered to a deeper degree than if they just employed AV/AM alone.

    Hedge your bets. Find a free or cheap AV that won't bog your computer down. Employ third-opinion scanning tools like Hitman Pro (which are free until you actually find an infection and need to clean it).

    Apart from that, I'm sorry, I don't really know what this article was about. It was very confusingly written, with no discernible points to it. Not one of the Reg's better moments.

    Then again, it gave me room to ramble...
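The post above names the three EMET mitigations (DEP, SEHOP, ASLR) but gives no way to confirm they are actually applied. The following PowerShell is an added example, not code from the thread or from Microsoft, showing how a defender checks that on Windows 10 1709 or later, where the built-in ProcessMitigations module replaced EMET. The cmdlet names are real; `notepad.exe` is an assumed example target, and the nested property names (`Dep.Enable`, `Sehop.Enable`, `Aslr.*`) reflect my understanding of the returned object and should be confirmed with `Get-Member` on your build.

```powershell
# Added example: report which exploit mitigations are configured for one
# executable image, plus the system-wide defaults that apply when an image
# has no policy of its own. Run in an elevated PowerShell session.
$target = 'notepad.exe'   # assumed example image name; change as needed

# Per-image policy (registry-backed; what the image gets on its next launch)
$m = Get-ProcessMitigation -Name $target

[pscustomobject]@{
    Process            = $target
    DEP                = $m.Dep.Enable              # data execution prevention
    SEHOP              = $m.Sehop.Enable            # SEH overwrite protection
    ASLR_BottomUp      = $m.Aslr.BottomUp           # randomise bottom-up allocations
    ASLR_HighEntropy   = $m.Aslr.HighEntropy        # 64-bit high-entropy ASLR
    ASLR_ForceRelocate = $m.Aslr.ForceRelocateImages # mandatory ASLR for non-/DYNAMICBASE images
} | Format-List

# System defaults, used for any image without its own entry
Get-ProcessMitigation -System | Select-Object Dep, Sehop, Aslr | Format-List

# Opting a specific image in to the mitigations the comment lists
# (takes effect on the next launch of that image):
# Set-ProcessMitigation -Name $target -Enable DEP,SEHOP,BottomUp,HighEntropy,ForceRelocateImages
```

A value of NOTSET for a per-image property means the system default decides, so read the two listings together; ON in the first block overrides OFF in the second for that image only.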

    1. Doctor Syntax Silver badge

      Re: At the risk of being hunted down and called a spammer

      "It was very confusingly written"

      Takes one to know one.

  4. Triboolean
    Thumb Down

    Bad guys run exploits against antivirus programs.

    Sun to rise tomorrow. Dogs sometimes bark. Bees seen visiting flowers.

    News at 11.

    1. Anonymous Coward

      "Bees seen visiting flowers."

      Real bees? Wow, that's rare.
