NSA writes more potent malware than hacker

A project aimed at developing defences against malware that attacks unpatched vulnerabilities involved tests on samples developed by the NSA. The ultra-secretive US spy agency supplied network testing firm Iometrix with eight worms as part of its plans to develop what it describes as the industry's first Zero-day Attack Test …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    NSA doesn't need Malware, it just needs Microsoft

    Microsoft controls WGA, it can force any piece of software on anyone at any time, so it's the ultimate spying platform, they don't need malware or worms, they just need to ask Microsoft to install their software on the specified PC, and they can remotely do it. (As was shown by the force update of WGA they recently applied to everyone's PC).

    As to whether they would (or have), well if ATnT were prepared to pipe a live feed of their networks into an NSA room knowing it broke US law, do you think Microsoft are more evil or less evil than ATnT?

  2. Dr. Vesselin Bontchev

    Is it any wonder?

    Professionals do better work than amateurs - so, what's new?

    But Graham is perfectly right. You don't really need to create self-replicating code in order to test defenses against zero-day exploits. Just some exploit dropping and running a "hello world" program would have been perfectly sufficient to prove the point.

  3. Ian Watkinson

    Of course they would say that...

    "You don't need to write viruses to test security technologies. There's no shortage of new malware. Also you examine existing stuff and study techniques," said Graham Cluley, senior technology consultant at Sophos.

    That's mainly because if I write something from scratch, Sophos is not going to catch it, is it?

    Anti-virus is always about being the second person to catch something, hoping that the first person submitted to an anti-virus vendor, and that your chosen brand of AV has been updated since.

    I would suspect the ones detected from the NSA batch and the ones written by the hacker, and let's face it hackers are lazy, re-use existing code and techniques, and therefore are matched in heuristic scanning.

    New stuff slips under the door... through the firewall, and pwns your box.

    Great if you're with a lady, no good if you're in the jungle.

  4. Steve

    Proof, if more were needed...

    ... that Graham Clueless is an utter prat. Sure, I could look at techniques that are in the wild, or I could try and encompass things that have never been seen in the wild. Which one is the most effective against 0day?

    Back in the nineties, when the vbscript virus epidemic was on, I spent a day coding an Outlook plug-in that stopped every single one of them from infecting our systems (Yes, I know this isn't the correct way to go about it), including ones that we (and our AV vendor) had never heard of. Most of the time, with new threats the AV on both the gateway and the clients didn't even blink.

    Basically, my six hours of research and coding turned out more benefit than the entire AV industry had managed to muster up to that point. Not because my code was especially good, it wasn't, but because the AV industry is run by tossers like Clueless.

    The fact that someone who is regarded (presumably by default) as a luminary of the UK "IT security" industry can stand up in the media and say, essentially, that you don't need to do any R&D because VXers are doing it for you, shows that things haven't changed much since then.

    Is there ANYONE else in the UK that we can point the media to when they need a quote for this kind of story? I assume not. Perhaps the reason that Mr Clueley is too busy to do any R&D is because he spends his days on the phone to the beeb talking shite?

  5. Daniel Silver badge

    Re: NSA doesn't need malware, it just needs Microsoft

    Good first point, I think for the second (ATnT) that your fingers have been possessed by amanfromMars - it's got that ring to it...

  6. amanfromMars Silver badge

    Mastered Wizards Cause Havok...... with Ready, Aim, Fire

    "Professionals do better work than amateurs - so, what's new?"

    And how would you eclipse an amateur Professional and ITs ID, the Professional Amateur. For that is One Mother of a SuperEgo, Humbly Powerful in XXXXStream Memes and Extremes.

    The only cure/defence against Zero-day Attack? Keep Mounting them to Surpass Industry/Intellectual Standards. .......Then you are leading in an Improving Direction ..... with others Plugging the Holes left for them.

    The Microsoft Windows Way.

  7. James

    The holistic approach !?!

    Firstly, of course Microsoft works for the authorities - it would be irresponsible not to (even if the authorities did create the problem in the first place)

    Secondly, ...................... on second thoughts.

    The problem has been inherent in the architecture since day one although Microsoft wasn't too bothered until other countries picked up on this and used it against them.

    With digital certificates now being more blatantly used to circumvent any type of user level monitoring of who has access to local data I think maybe we should more so be asking who Microsoft has granted access to on their behalf for reasons of 'National Security' or whatever.

    To be quite honest I can wait for all this to byte Microsoft on the bum, it may be on the horizon and with China already doing this (allegedly) the US doesn't actually seem too bothered - maybe the Chinese got the idea from the U.S. in the first place.

  8. Anonymous Coward

    Just Some Old Malware Lying Around

    Anybody here think they developed the malware just for this test?

    Anybody?

    Bueller?

  9. Anonymous Coward

    RE: NSA doesn't need Malware, it just needs Microsoft

    "Microsoft controls WGA, it can force any piece of software on any LEGITIMATE WINDOWS USER at any time, so it's the ultimate LEGITIMATE WINDOWS spying platform, they don't need malware or worms, they just need to ask Microsoft to install their software on the specified CORRECTLY LICENSED WINDOWS PC, and they can remotely do it."

    There. Fixed.

    Great idea as long as people who pose a threat have coughed up their readies to Redmond.

  10. Anonymous Coward

    @james

    "Firstly, of course Microsoft works for the authorities - it would be irresponsible not to"

    Um, not necessarily; if "the authorities" are breaking the law and/or constitution, it would be irresponsible to aid them in any way whatsoever, and the duty of every loyal citizen to stop them by any means possible. Try and understand: a president is not a King; they are bound by the law like the rest of us.

  11. Misha Gale

    Re: NSA doesn't need Malware, it just needs Microsoft

    You are forgetting about plausible deniability. Sure, the NSA could twist BillG's arm and get a payload inserted into an update, but it would be very hard to do it secretly. The WGA updates have pissed off a lot of techies, and are easily detected and traced.

    A properly written worm on the other hand, is virtually impossible to trace back to source. The NSA (or FBI or MI5 or any other three letter agency) could easily claim the malware was written by persons unknown, and anyone suggesting otherwise would look like a conspiracy nut.

    DISCLAIMER: *I'm* not a conspiracy nut, just following the premise to its logical conclusion.

  12. Steve

    @Misha

    "DISCLAIMER: *I'm* not a conspiracy nut, just following the premise to its logical conclusion."

    Ah, but then, that's what they all say, innit ?

  13. amanfromMars Silver badge

    Good Idea, no matter from where?

    Wow, That holistic approach is FarSighted, James. Is IT PreCogniscent Future Perfect?

    For a Virtual Ping Dynasty Flowering........?

  14. Misha Gale

    @Steve

    You are clearly just an agent of the lizard people, astroturfing to discredit me and my shocking revelations

  15. Brian Miller

    Of course the NSA won!

    Come on, do you think that the spook brain trust wouldn't have choice stuff like this? They have the Windows source code, for heaven's sakes! They've looked at the code, found that it sucks, and have been creating the very best in malware. What do you think the CIA would drop on someone's machine to get the info on them? Something from a script kiddie malware generator? Of course not. They'd use the best available!

    So kudos to NSA for being the baddest malware writers out there.

  16. Anonymous Coward

    NSA is no slouch

    I went to grad school at a large university close to NSA headquarters, and had some NSA researchers in my classes. They were some sharp individuals.

    I'm actually kind of surprised that *any* of the malware they created was detected. They must have deliberately written a series of more and more stealthy worms to find out where the security software failed. Sort of like raising the bar higher and higher for the pole vault. You're expected to make it over the first few....

  17. Bounty

    convicted hacker?

    Wouldn't they want to hire a well regarded hacker who wasn't busted? By definition doesn't that mean they suck?

  18. heystoopid

    Sounds like

    Sounds like to rig the results they hired a second-rate script kiddie, as he got caught, so he cannot be too bright!

  19. amanfromMars Silver badge

    CIA.... Only as Good and as Bad as they have Intelligence for.

    "What do you think the CIA would drop on someone's machine to get the info on them?"

    A simple text e-mail, Brian, a juicy contract, Intelligence, or are they just the listeners with No Independent Original Thoughts for ProAction?

    "I went to grad school at a large university close to NSA headquarters, and had some NSA researchers in my classes. They were some sharp individuals. I'm actually kind of surprised that *any* of the malware they [NSA] created was detected. "

    Not nearly sharp or smart enough to write malware out of software and send it to its own Zones where it can feed on itself to its own destructive pleasures. Pushing malware and its practices into Red Zones will leave other Zones free to develop without the intrusion and conflicts.

    Society too, would probably work best Zoned in such a way too....... for then you would know what to expect and what was expected.

    "CIA.... Only as Good and as Bad as they have Intelligence for." and the Universal Curse on All Intelligence Services. Pooled Intelligence gives you a Bigger and Beta See to Swim in Patrol and Control.

    In CyberSpace, IT is the Present Future Driver, is it not?

  20. Anonymous Coward

    "NSA doesn't need Malware, it just needs Microsoft"

    Y'know, I signed up just to respond to this wholly ignorant comment.

    I don't use windows. The majority of "uber-geeks" probably don't use windows. The majority of "dangerous hackers" probably don't use windows. The majority of "international cyber terrorists" probably don't use windows.

    Are you seeing the flaw in your theory yet?

  21. Dr. Vesselin Bontchev

    AV and other stuff

    Ian Watkinson: You clearly have no clue what AV is. You're thinking "scanner" and that's too restrictive. And Graham's point is that you can test security without doing such unethical things like creating new self-replicating malware.

    Steve: You forget that the AV industry has to make products that are usable by any average Joe out there - not just by you.

    Brian Miller: One doesn't need the source code to figure out that Windoze sucks. The executables are plenty enough, thank you. And the agencies don't use "the best of what's available" - they use what they develop themselves.

  22. Chuck Chandler

    @Dr V. Bontchev

    Is it really unethical to create such software? I would think the unethical part would be releasing it into the wild.

    Not being in IT security I am not up on the latest and greatest but what I got from the article was the NSA was testing current AV methodologies. The results look to me like current AV works against the current crop of virii being produced but obviously it is possible to create things that current AV doesn't recognize.

    NSA is tasked with protecting '.gov/.mil' and appear to be trying to stay a step ahead. Of course, the black hats don't have to go down the same road that NSA did with their uber-virii but if AV can be improved to block one fork in the road beforehand then it would seem to me to be a good thing.

  23. amanfromMars Silver badge

    Ambiguity knows no Friends

    "Y'know, I signed up just to respond to this wholly ignorant comment.

    I don't use windows. The majority of "uber-geeks" probably don't use windows. The majority of "dangerous hackers" probably don't use windows. The majority of "international cyber terrorists" probably don't use windows.

    Are you seeing the flaw in your theory yet?"

    Ergo windows is safe from international cyber terrorism, anonymous? Was that the wholly ignorant comment you were referring to?

    Are you seeing the flaw in your theory yet?

  24. Steve

    @Dr. Vesselin Bontchev

    "Steve: You forget that the AV industry has to make products that are usable by any average Joe out there - not just by you."

    I don't concede that point, but even if I did, the one very important thing that I most certainly haven't forgotten is the AV industry is also supposed to make stuff that ACTUALLY WORKS.

    Of course, as any fule kno, making an AV product that actually works is not a viable economic model for any company with long term goals, because you only get to sell a couple of versions into your market and then your cash flow dies.

    "And Graham's point is that you can test security without doing such unethical things like creating new self-replicating malware."

    Exactly, and my point is that this is complete and utter bollocks, and, in fact, is the single misapprehension that makes the AV industry suck.

    As you well know, ~90% of the protection offered by the big players is *STILL* based on signature scanning, and most contemporary AV products will *STILL* not alert on 0day stuff, several (going on 10+ by now) years of constant babbling about 'heuristics' and 'behaviour analysis' and the like notwithstanding.

    I find your stance that a professional security researcher ought not to engage in the 'unethical' activity of creating self-replicating code hard to credit. There is absolutely no reason why this should be harmful to anyone, it's not difficult to maintain a (real or virtual) research network with an air gap for just this purpose.

    If a professional security bod doesn't have the demonstrable and practical ability to create a worm or virus of her own, she is clearly not competent to defend against other people's as she is missing some of the knowledge and practice that her 'enemies' have, starting with the ability to locate novel exploitation paths.

    I realise that this is an unpopular and widely derided point of view amongst the Girl Guides that populate the AV industry, and that, if you respond at all, you will no doubt wish to inform me that the skillset and the mindset of the attacker and the defender are separate and distinct. This is true to a certain extent, and many examples could be quoted, but a large, and open mind that can encompass both is better prepared.

    Much of the rest of the security industry is happy with this, (millions of crap, self proclaimed "penetration testers" could indeed be wrong, but in this case, I don't think they are.), so what's up with you AV bods ?

    (P.S, I haven't used F-Prot for at least a decade, so please don't take this personally if it's uber great now :-)

  25. Anonymous Coward

    Ethics and security

    Actually, not everyone in the AV industry believes that creating replicative malware for restricted purposes under controlled conditions is automatically unethical, and the fact that some researchers decline to do so doesn't give you the right to assume that they couldn't if they considered it appropriate. Here, though, the point that's -already- been made very clearly is that there is no absolute technical reason why this particular test had to be carried out using replicative software.

    The actual nature of the ethical objections comprises one of the many issues that the industry hasn't succeeded in communicating very well, though individuals have tried, strenuously, many times. But is it worth it right now, given the anti-AV prejudices on display here?

  26. Dr. Vesselin Bontchev

    Misc. stuff

    Chuck Chandler & David Harley: I have yet to see a SINGLE, REAL-LIFE case when creation of a new self-replicating program was actually NECESSARY (i.e., unavoidable) for some good purpose. Even a single one! In each and every case that I've been presented with, either such creation could be avoided (and the stated beneficial goals could be achieved by other means), or the stated purpose was not really so "good" after all.

    amanfromMars: You are wrong by relying on an unwarranted assumption and hiding behind the word "probably" without any factual arguments to support it. Judging by the data of the cybercriminals who have actually been caught, they use mostly Windoze, just like the rest of us. Yeah, I know. It must be a proof positive that the smart ones (i.e., the ones who didn't get caught) don't use Windows. Or whatever other illogical conclusion you could draw from it.

    Steve: You are wrong in several ways. First of all, you're wrong that the AV industry has to make stuff that actually works. What they have to make is stuff that ACTUALLY SELLS! The AV companies are businesses - not Labs or craft shops. So, they have to make money. I can easily make a program that would be guaranteed to prevent any virus from ever infecting your computer, using one of the three theoretical models that guarantee that. Problem is, nobody will actually BUY it, because it will make the computer practically unusable - not because it will destroy its own market due to getting rid of all the viruses, as you incorrectly suppose.

    90% of all protection is NOT based on "signature scanning" - it stopped being based on that more than a decade ago, but most folks (users and virus writers alike) still haven't caught up with that. But it's true that 90% of all protection is based on known-malware detection (which is slightly different - more general and more precise). And there is a perfectly good reason for that, too. A known-virus scanner will tell the user "your computer is not infected" or "your computer has the XYZ virus, do you want me to remove it?". That's something the average luser can understand - so, known-virus scanners are something the average luser can use and will buy. That's why this is what the AV companies are making - because, as explained above, they have to be able to sell. As opposed to that, a heuristic analyzer will tell the user "The file Foo.exe is suspicious". Well, does it have a virus or not, dammit?! An integrity checker will tell the user "The file Foo.exe has been modified". Well, is it because it was infected - or is it because of Windows Update? A firewall will tell the user "The process svchost.exe tries to communicate over port 80". Well, should it be permitted or not? And so on, and so on - anything but a known-virus scanner is either too restrictive or too obscure to the user, or both. We have to make what the vast majority of the users will be willing to buy - it's that simple. Convince the idiots to learn how to use something more secure and this is what we'll start providing.

    The basis of my ethical position is similar to that of the physicians. No ethical doctor will create a deadly virus if it is not *really* necessary for some obviously good purpose. It doesn't matter that he thinks that he'll be able to contain it. Yes, I know that there are researchers who create such viruses, e.g., for weapons research. It's still unethical.

    Next, you're very wrong that the ability to create worms is in any way related to the ability to protect from them. In reality, creating viruses is rather trivial - any trained professional can do it without breaking a sweat. (The reason why most of the viruses around are so buggy is because they are *not* made by "trained professionals".) Compared to that, making a good (and usable!) AV program is *very* difficult and only relatively very few professionals can do it reasonably well - and only with a lot of effort. Note that I am not saying that the AV people are unable to make viruses. I am saying that (a) it is never necessary and (b) that skillset is BY FAR insufficient for making good AV programs.
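The three detection models contrasted in the post above (known-malware detection, heuristic analysis, integrity checking) and Steve's earlier point about signature-based products missing unseen samples can be made concrete with a small defender-side simulation. The following is an added example written for this page, not code from any commenter or from any AV product: the "files", the known-malware database, the family name "Test.Sample-A" and the "<constructed-marker>" token a heuristic rule looks for are all constructed placeholders, and the scenario (one benign update, one sample already in the database, one unseen variant) is likewise invented to show what each model can and cannot tell the user.

```python
"""Known-malware lookup vs. heuristic rule vs. integrity baseline, side by side.

Everything here is constructed for illustration: the byte strings are not real
executables, and the detection "database" and "rule" are placeholders.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed clean system: file name -> contents, as they looked at baseline time.
CLEAN_FILES: Dict[str, bytes] = {
    "calc.exe": b"MZ clean program v1",
    "Foo.exe": b"MZ foo program v1",
    "Bar.exe": b"MZ bar program v1",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-malware database: exact hash of one sample -> family name.
# "Test.Sample-A" is a hypothetical name used only for this example.
KNOWN_BAD: Dict[str, str] = {
    sha256_hex(b"MZ foo program v1 <constructed-marker A>"): "Test.Sample-A",
}

# Constructed heuristic rule set: (byte pattern, human-readable reason).
# A real heuristic engine uses far richer features; a substring stands in here.
HEURISTIC_RULES: List[Tuple[bytes, str]] = [
    (b"<constructed-marker", "contains constructed suspicious marker"),
]


def known_malware_scan(files: Dict[str, bytes], db: Dict[str, str]) -> Dict[str, str]:
    """Known-malware detection: a precise verdict, but only for samples already in the database."""
    report = {}
    for name, data in files.items():
        family = db.get(sha256_hex(data))
        report[name] = f"infected with {family}" if family else "not infected"
    return report


def heuristic_scan(files: Dict[str, bytes]) -> Dict[str, str]:
    """Heuristic analysis: can flag things never seen before, but only as 'suspicious'."""
    report = {}
    for name, data in files.items():
        hits = [reason for pattern, reason in HEURISTIC_RULES if pattern in data]
        report[name] = "suspicious: " + "; ".join(hits) if hits else "no findings"
    return report


def take_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Integrity checking, step 1: record a hash of every file while the system is trusted."""
    return {name: sha256_hex(data) for name, data in files.items()}


def integrity_check(files: Dict[str, bytes], baseline: Dict[str, str]) -> Dict[str, str]:
    """Integrity checking, step 2: report any change, without knowing whether it is benign."""
    report = {}
    for name, data in files.items():
        if name not in baseline:
            report[name] = "new file"
        elif sha256_hex(data) != baseline[name]:
            report[name] = "modified"
        else:
            report[name] = "unchanged"
    return report


def demonstrate() -> Dict[str, Dict[str, str]]:
    """Run all three models over one constructed scenario and return their reports."""
    baseline = take_baseline(CLEAN_FILES)
    current = dict(CLEAN_FILES)
    current["calc.exe"] = b"MZ clean program v2"  # benign update: only integrity notices
    current["Foo.exe"] = b"MZ foo program v1 <constructed-marker A>"  # sample in the database
    current["Bar.exe"] = b"MZ bar program v1 <constructed-marker B>"  # unseen variant: lookup misses it
    return {
        "known-malware": known_malware_scan(current, KNOWN_BAD),
        "heuristic": heuristic_scan(current),
        "integrity": integrity_check(current, baseline),
    }


if __name__ == "__main__":
    for model, report in demonstrate().items():
        print(f"--- {model} ---")
        for name, verdict in report.items():
            print(f"  {name:10} {verdict}")
```

Running it shows the trade-off the post describes: the known-malware lookup names Foo.exe's family exactly but reports the unseen variant in Bar.exe as "not infected"; the heuristic rule flags both Foo.exe and Bar.exe but only as "suspicious"; the integrity checker reports all three files as "modified", the benign calc.exe update included, and leaves the user to decide which change matters.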
