Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Consumer Reports Creates Viruses to Test Software

Posted by Zonk on Fri Aug 18, 2006 12:40 PM
from the trial-by-fire dept.
Security Software
Maximum Prophet writes to mention an MSNBC article about a Consumer Reports plan to test anti-virus software by creating viruses. Security companies are objecting, on the grounds that it's a generally accepted practice not to create viruses for any reason. From the article: "Consumer Reports didn't create thousands of new viruses from scratch. Rather, it took a handful of existing viruses and created hundreds of slight variants, changing the malicious programs just enough to evade detection by an antivirus program with a list of known threats. That's a common trick in the virus writing world; it's standard for a successful virus to inspire dozens of variants. "
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Consumer Reports Creates Viruses to Test Software 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Of course they are... (Score:5, Insightful)

    by Theaetetus (590071) <danrose@@@gmail...com> on Friday August 18 2006, @12:42PM (#15935977) Homepage Journal
    Security companies are objecting, on the grounds that it's a generally accepted practice not to create viruses for any reason.
    Well, yeah. Plus, you'll expose all the weaknesses in their software. Testing security only emboldens the terrorists!

    • Re: (Score:3, Informative)

      by Guysmiley777 (880063)
      Testing security only emboldens the terrorists!

      I wish I still had mod points, that is the funniest thing I've read today!

    • Re:Of course they are... (Score:5, Funny)

      by Anonymous Coward on Friday August 18 2006, @12:53PM (#15936070)
      Testing security only emboldens the terrorists!

      Why does Consumer Reports hate America?

    • Re:Of course they are... (Score:5, Insightful)

      by Lulu of the Lotus-Ea (3441) <mertz@gnosis.cx> on Friday August 18 2006, @01:01PM (#15936125) Homepage
      Plus the fact that the anti-virus companies don't like the competition from Consumer Reports; after all, it's those companies that themselves create most of the "proof-of-concept" viruses to scare potential buyers (especially to create scares of vulnerability on OSX, Linux, BSD, etc... where no real vulnerability exists).

      • Re:Of course they are... (Score:4, Insightful)

        by Schraegstrichpunkt (931443) on Friday August 18 2006, @04:06PM (#15937293) Homepage
        (especially to create scares of vulnerability on OSX, Linux, BSD, etc... where no real vulnerability exists).

        The vulnerabilities do exist; they're just not being exploited nearly as much. Of course, run-of-the-mill signature-based antivirus software is equally flawed, as Consumer Reports has shown and security geeks have already known.

    • Re:Of course they are... (Score:5, Insightful)

      by Bastian (66383) on Friday August 18 2006, @01:04PM (#15936154)
      Of course, this isn't really why they are objecting. Whatever McAfee and Symantec say, writing proof-of-concept exploits seems like standard practise to me. My best guess is that their fear is that this might cut into their profits because Consumer Reports is going to make the non-geek public more aware of the limitations of antivirus software. This could make them decide, "Well, if it can't protect me from all the viruses, especially not the new ones, than maybe it's not worth the money."

      Of course, Consumer Reports is almost certainly responsible enough to address this issue and point out to people that it's really a reason why they need to be updating their virus definitions as frequently as is practical.

      • The real thing is (Score:5, Interesting)

        by Sycraft-fu (314770) on Friday August 18 2006, @01:27PM (#15936307)
        AV software WILL protect you from new viruses... Just not McAfee and Symantec's crap. Well I suppose I should rephrase: Their software can protect you, but not very well, not as well as others. Bitdefender appears to do the best job at finding viruses that it doesn't have in it's DB. AVG also seems to do a pretty good job.

        That's what they are afraid of. Not that it will be revealed their software does nothing, it does work, just that there is cheaper software that works better.

        • Re:The real thing is (Score:5, Interesting)

          by Intron (870560) on Friday August 18 2006, @02:16PM (#15936590)
          If their software defended you from new viruses, why would you subscribe to get database updates? Do you expect them to only sell their software to you once?

          • Because it's not 100% (Score:5, Insightful)

            by Sycraft-fu (314770) on Friday August 18 2006, @03:16PM (#15937015)
            Bitdefender doesn't catch all new viruses, updates are still important, it's just very good at finding new variants. That's what CR is testing here. Say a virus comes out that your software knows about but a variant comes along that it doesn't yet: Can it catch that? For some (like Sophos) the answer is no never, they check against a database and if it's not there you are SOL. For some like Bitdefender the answer is usually. They have a heuristic checking that works pretty well.

            There's no magic bullet, there's no "buy this once and be secure forever" kind of solution, but there are better and worse ones out there. Bitdefender and AVG (probably others those are just the two I know) are reasonably good at stopping new, unknown variants. Synametc, well not so good.
    • Testing security only emboldens the terrorists!

      And think of all the furry kittens that would die!

    • Re:Of course they are... (Score:5, Insightful)

      by Hoi Polloi (522990) on Friday August 18 2006, @01:09PM (#15936183) Journal
      I hear the Yale company is still furious over the time Consumer Reports tried a bunch of random combinations on their locks.

    • Re:Of course they are... (Score:5, Insightful)

      by telbij (465356) * on Friday August 18 2006, @01:17PM (#15936230)
      Security companies are objecting, on the grounds that it's a generally accepted practice not to create viruses for any reason.


      I also had to quote this sentence because it's so silly. It's generally accepted practice by people who don't create viruses. Obviously a lot of people are creating viruses whether blackhat or whitehat or greyhat. Now where's my MAD magazine?

    • Re:Of course they are... (Score:5, Insightful)

      by vought (160908) on Friday August 18 2006, @01:20PM (#15936256)
      that it's a generally accepted practice not to create viruses for any reason

      It was generally accepted practice for 50 years not to crash perfectly good cars. Until we started learning that we could protect the occupants of said cars better by finding out where the weak points were...by crashing perfectly good cars.

      What are Symantec. et al afraid of?

      • Re:Of course they are... (Score:5, Funny)

        by Jesus_666 (702802) on Friday August 18 2006, @03:04PM (#15936921)
        Well, one of these new virii could leave the laboratory and get into the wild. With a bit of bad luck, that virus could be a dangerous mutation - I'm not talking Melissa dangerous, I'm talking H5N1 dangerous. Just one tiny mutation and the virus could jump over to humans, creating a worldwide pandemia as people's immune sytem collapse, unable of keeping up with polymorphic virii that inject their own code into the header of the genetic sequence so that they're uncleanable without working from known-clean marrow. And you know what could be even worse? Worms. If they add a self-propagation mechanism to their new killer virus it would infect random bystanders without the need for a regular infection vector! Those people aren't developing weapons of mass destruction, they're creating doomsday devices! Somebody must put an end to this before it's too late!

  • Conspiracy! (Score:3, Funny)

    by susano_otter (123650) on Friday August 18 2006, @12:43PM (#15935981) Homepage
    Clearly this is all just a cover. The Templars are using Consumer Reports as a cover to train a stable of elite Black Hat hackers, with which to take over the world. They're in a race against Communist China, the Russian Mob, and the NSA.
    • The Templars are using Consumer Reports as a cover to train a stable of elite Black Hat hackers, with which to take over the world.

      Well, it is a conspiracy, but not the one you think. This is actually about the Masons, who are secretly behind the publishing deal for Dan Brown's upcoming book. I mean, what world-dominating secret society wouldn't want a piece of that action? Once their Masonware attack is launched, all web traffic will go through a link that tacks their affiliate code onto inbound Amazon

    • Re:Conspiracy! (Score:4, Funny)

      by darkitecture (627408) on Friday August 18 2006, @01:03PM (#15936143)
      Clearly this is all just a cover. The Templars are using Consumer Reports as a cover to train a stable of elite Black Hat hackers, with which to take over the world. They're in a race against Communist China, the Russian Mob, and the NSA.

      They're also in a race against Dom DeLuise, Jamie Farr dressed as The Sheik, Jackie Chan in a Mitsubishi supercar that can go underwater and some babes in a Countach. Wait, I might have that mixed up.

      Anyway, in a post-9/11 world, at least we know they're definitely in a race against terror. Or is that a war against terror? No, that's a war against drugs. Oh I can never remember these things. I should turn on Fox News and let them tell me what we're fighting for again.

    • I see you have a more recent copy of Illuminati than I do.

  • 1st comment?! (Score:5, Insightful)

    by dave562 (969951) on Friday August 18 2006, @12:44PM (#15935984) Journal
    And I'm not even a subscriber?!

    You know you're in trouble when Consumer Reports is pointing out that your software is worthless. As just about every /.er knows, pattern / signature based detection is all too easily circumvented. Unfortunately it's pretty much all we have. It has been my experience that enabling Heuristic based detection (in Symantec Corporate AV) at any level other than the default just leads to too many false positives.

  • It is their property (Score:4, Insightful)

    by Anonymous Coward on Friday August 18 2006, @12:44PM (#15935991)
    Consumer Reports destructively tests many things. Why should it matter what they do to their own computers? As long as they don't release these viruses into the wild, there is no problem.
    • But think of all of the 1337 Hax0rs that Consumer Reports is depriving of employment?!

      Oh wait a minute, maybe that is who they hired. Never mind.

    • FTA: "'Those viruses exist right now only on a CD in a sealed container in a locked cabinet in our computer lab,' Beckford said."

      Seriously, it's not like these will ever exist outside of a lab, right? And if they do, the AV companies won't have any problem finding the source code, will they?

      Isn't that kind of like telling the insurence institue that they can't change their car crash tests because car makers designed their cars only for specific crash tests? Gee, better not create anything that a car might

  • Corporate Honesty (Score:3, Insightful)

    by recordMyRides (995726) on Friday August 18 2006, @12:44PM (#15935992) Homepage
    Security companies are objecting, on the grounds that they do not want the gaping holes in their software revealed to the public by Consumer Reports.

    • Re:Corporate Honesty (Score:5, Informative)

      by jc42 (318812) on Friday August 18 2006, @03:44PM (#15937190) Homepage Journal
      Heh, funny. But Consumer Reports does have a bit of a history of being sued by companies after serious problems with products were published by CR. CR also has a history of easily winning the few cases that actually go to court. Actually, the companies usually drop charges, after CR makes it clear that they'd be happy to demonstrate the problems in court. CR also often publishes their communications with such companies, which is not really good for sales.

      It could be fun to watch an anti-virus software company face CR in court. It would be at least as entertaining as the SCO soap opera. Maybe /. readers should be contacting the companies and encouraging them to sue CR. Think of all the /. articles that this could generate.

  • If the accept liability (Score:5, Interesting)

    by Shivetya (243324) <shivetya.archonon@com> on Friday August 18 2006, @12:44PM (#15935993) Homepage
    for one of their viruses getting out then by all means I think Consumer Reports should be allowed to continue.

    Catching them after they are out is easy. The consumer really has so very little to go on from a "trusted source" in regards to virus scanning that the obscurity benefits the AVG companies. With a little more light on the subject we all benefit, all except the AVG companies. Guarantee that whomever CR picks is going to parade that around regardless of their stance before testing occurs.

    Again, if CR is willing to accept liability for one of their tests getting out into the wild then I say go for it! Perhaps they should register their "new toys" with someone for backup? Of course that makes for another hole too.

  • Speaking as one who has been burned... (Score:4, Interesting)

    by Space cowboy (13680) * on Friday August 18 2006, @12:44PM (#15935994) Journal
    (See my Journal entry [slashdot.org] for the gory details) ... I would sincerely recommend they don't play with fire. There are too many ways that self-replicating programs can go wrong... or too-right, as in my case :-(

    If they can guarantee containment, of course, a virus is completely harmless to the rest of the world. The problem comes when containment is breached because of something you didn't think of - and the problem with things you didn't think of, is that you didn't think of them [grin].

    Simon (now a thoroughly-reformed character, honest guv)

    • Re:Speaking as one who has been burned... (Score:5, Insightful)

      by Guysmiley777 (880063) on Friday August 18 2006, @01:02PM (#15936138)
      If they can guarantee containment

      How hard is it to unplug a network cable in your world? Don't use a machine with a WiFi card. Low level wipe the drives from a bootable CD when you're done. Not really rocket science.

      • Re:Speaking as one who has been burned... (Score:4, Insightful)

        by Space cowboy (13680) * on Friday August 18 2006, @01:21PM (#15936264) Journal
        We weren't trying to contain it, in our case - we *wanted* to see if it would work as well as we thought it would. The problem came because we *didn't* think about the consequences of someone using a floppy - we were focussed on the network aspects.

        So, we had a general routine to write a !boot (an autoexec-on-read-the-media) file, and hadn't considered the sequence of events of:
        • someone writing the virus to a floppy
        • Us wanting to get rid of the virus
        • That person bringing the floppy back into the lab and re-infecting the network.
        • Oh sh*t!

        So, even though we knew exactly what it was capable of, we hadn't considered the actions of one of those infected, and *that* caused us problems. It's not the capabilities that changed, it's the environment. You don't tend to find that out until you've hit the problem, or you would have dealt with it in the source code - that's all I'm saying...

        Oh, and I'm sure they'll take a more-responsible attitude than we had, we *were* 1st-year students...

        Simon.

  • Hey, if it's good for AV products... (Score:5, Funny)

    by TripMaster Monkey (862126) * on Friday August 18 2006, @12:45PM (#15935997)

    Be sure to read our other Consumer Reports articles, where we:
    • Test the efficacy of burglar alarms by attempting to break into consumers' homes,
    • Test the efficacy of the 'morning after' pill by creating unwanted pregnancies,
        - and -
    • Test the skill of your local emergency room doctor by randomly stabbing people outside the hospital.

    Thanks, Consumer Reports. Thanks bunches.

    • Re:Hey, if it's good for AV products... (Score:5, Funny)

      by krell (896769) on Friday August 18 2006, @12:48PM (#15936034) Journal
      "Test the efficacy of the 'morning after' pill by creating unwanted pregnancies"

      Hey, there has to be something out there that security penetration testers can moonlight in, right?

    • Re:Hey, if it's good for AV products... (Score:5, Insightful)

      by ifrag (984323) on Friday August 18 2006, @12:57PM (#15936102)
      I'll take a stab at that first example of attempting to break into [a] home, since that's the only one that's comparable to what it seems they are doing. If CR wants to setup a test home in which to practice breaking in that's fine, it's their property and they can do with it what they want. It's a test scenario... saying they'd go out and break into consumer homes is not a good parallel. Consumer Reports is (hopefully) not going to create any public security risk in their process if it really is self contained. As long as it stays within their little "sandbox" I don't see what the problem is. The second two examples deal with people instead of objects so it obviously doesn't make for an easy expendable test case.

    • Claims shouldn't be verified (Score:5, Insightful)

      by Hoi Polloi (522990) on Friday August 18 2006, @01:16PM (#15936217) Journal
      Soon they'll propose testing car safety by doing test crashes! Or testing fire retardants by trying to set them on fire. Damn those Consumer Reports fools!

  • There's no good reason to object to this (Score:5, Insightful)

    by cagle_.25 (715952) on Friday August 18 2006, @12:47PM (#15936020) Journal
    1) Virus writers will write exactly the same code, unless the boys at Consumer Reports are dedicated enough to come up with truly innovative virus variations. So there's no fear that someone out there will "get ideas."

    2) Why not vet your software against somebody else's test suite? If CR wants to function as an extension of Symantec's R&D, let 'em. It's a win-win.
  • Security companies are objecting, on the grounds that it's a generally accepted practice not to create viruses for any reason.

    You mean they aren't already doing this internally? If not... what the hell are they doing all day? If they're just being reactive without testing their software against possible variants then their software isn't really useful. Though frankly I find antivirus software to be a cure worse than the disease. A 1/100 chance I'll get a virus that does bad things to my computer, or a 100% chance that my computer will run like crap due to NAV.

    Solution? Backup all my documents (mostly pics) to a dvd monthly and trust my Linux box firewall/router/proxy to keep the bad bits out.

  • eicar already has a test file (Score:3, Interesting)

    by Anonymous Coward on Friday August 18 2006, @12:53PM (#15936066)
    You can use these files to test if your AV program is working

    http://www.eicar.org/anti_virus_test_file.htm [eicar.org]

    • Eicar file is of limited use (Score:4, Informative)

      by bbernard (930130) on Friday August 18 2006, @01:24PM (#15936285)
      The eicar test-virus file is a great way to see how your computer/av-suite will react to a virus. However, it's not an effective test to see how the heuristics systems and such react. It's non-destructive, and every AV vendor makes sure that they can "catch" it. That's nice for making sure that your AV is running, or that your AV on some workstation reports back to the management computer that it caught a virus, but not for testing the ability of AV software to find new viruses that don't necessarily have definitions written for them yet.

  • Not a big deal (Score:3, Insightful)

    by guruevi (827432) <evi@NospAM.smokingcube.be> on Friday August 18 2006, @12:55PM (#15936083) Homepage
    That is exactly what virusscanner sellers do. They create new virusses, mutate them and test them out. Of course they don't do that in a internet or network-connected environment. In all cases this should be in a lab environment completely closed off from the exterior world.

    What's the big deal here? A bunch of Windows computer with antivirus software running in a closed off network as to benchmark some programs. Happens with games, office software etc... nothing to see here, please move along.

    Of course this way you also get stories (hoax, urban legends) like the one about Symantec releasing virusses to sell their software...

  • Good Idea (Score:5, Insightful)

    by Apocalypse111 (597674) on Friday August 18 2006, @12:55PM (#15936087) Journal
    This is a very good idea, IMO. I mean, for years the major security companies have been using fear tactics to push their software. For an almost equal amount of time, security-concious geeks have been critical of this software. Having a trusted, disinterested third-party like Consumer Reports put it to the test sounds like the perfect solution to this situation.
    Its been a long time since someone outside of Norton has talked about how good a Norton product is, but they've been in the game for such a long time that they are trusted by the general public to do their job. I wonder how many would uninstall if Consumer Reports said that their product was utter crap? Or rather, how many would try to uninstall only to find that the uninstaller is broken too?

  • How well did they do it? (Score:5, Insightful)

    by frankie (91710) on Friday August 18 2006, @12:59PM (#15936111) Journal

    As a CR subscriber, I am utterly amazed that they even had the IDEA to construct a test like that, much less actually find capable programmers and do it. Perhaps that security company cold-called them and suggested it?

    CR's technology reviews are often wrong in ways that would be laughable if they weren't so influential. Off the top of my head:

    • monitor reviews with photo display tests, where it was obvious to me that no one involved had ever heard of the phrase "gamma correction"
    • claim that a two-digit percentage of Macs were infected with spyware
    • a seemingly uncanny ability to review hardware obsoleted by newer versions in the interim between testing and publication

    Has anyone here heard of this "Independent Security Evaluators" biz? I wonder how many of the viruses were still functional (not just infectious) after twiddling.

    • Even in the latest issue (September 2006), they persist in assessing the rate of Mac OS X spyware and virus infections by conducting a survey, an annual gaffe on their part. Rather than checking around and discovering that no such malware exists in the wild, they assume that computer users are able to judge for themselves the cause of computer difficulties.

      This would be like studying the mechanisms of natural selection by way of a survey. Hey, whaddyaknow, turns out there's no such thing as evolution, a s

      • Outdated hardware (Score:4, Interesting)

        by DragonWriter (970822) on Friday August 18 2006, @01:49PM (#15936453)
        CR's model which provides its independence also means it doesn't tend to have the chummy, early access relationship many other outlets have with manufacturers. Them actually doing really substantial tests also means that they tend to take longer than some other outlets. OTOH, I've rarely been led astray by a CR review on anything, computer related or not, so I'm pretty happy with them despite their limitations.

  • Bravo, Consumer Reports (Score:5, Insightful)

    by osgeek (239988) on Friday August 18 2006, @01:33PM (#15936344) Homepage
    I casually perused CR here and there, but I'd never really known much about them until a relative gifted me with a subscription. Here are a few things I like about them:

    1. They pay their own way. They purchase *all* of the products that they test and destroy, since cozying up to get sample products would tarnish their credibility.
    2. They don't accept any advertising dollars within their magazine, since that might bias their reporting and tarnish their credibility.
    3. They take a strong stand on protecting consumers beyond just good product recommendations. They do editorials and special reports on subjects that /.ers care about, like RFID and general privacy protection; taking strong pro-consumer stances that you don't see in other national publications.

    When my gift subscription runs out, I plan on purchasing my own. Not only because I find the product articles useful and interesting; but because the Consumer's Union does other good things with my money.

  • It's not "plan to", CR already did it. (Score:3, Informative)

    by djan (121552) on Friday August 18 2006, @01:40PM (#15936385)
    The /. summary says that "plan to test anti-virus software by creating viruses."

    TFA says "Consumer Reports recently conducted one of the most thorough tests ever of antivirus programs. But to really put these security programs through the paces, the magazine hired a firm to create 5,500 new viruses, using them to test the antivirus software products for their ability to detect unexpected threats."

    By the way: "In the results, McAfee scored in the middle of the pack. BitDefender and Zone Labs scored at the top, in part for the two program's abilities to detect new viruses."

  • Let me get this straight. (Score:5, Interesting)

    by Dekortage (697532) on Friday August 18 2006, @02:43PM (#15936764) Homepage

    From the article: "I understand .. if you want to test a car's performance, you test the car put on road with lots of bumps on it," Marcus said. "But when you are talking about malicious code, there's a threat to public. There are professionals who know how to handle viruses. It should be left to them." (emphasis added)

    Well, that's why Consumer Reports hired computer security professionals [securityevaluators.com] to work with on this. Maybe they're just mad that CR didn't ask them to be the security consultants... oh wait, that might be a conflict of interest for the product review. Tough.

  • Not planning. (Score:3, Insightful)

    by kahrytan (913147) on Friday August 18 2006, @02:54PM (#15936860) Homepage

    Consumers Reports is the most trusted amoung consumers. They put products through their paces and ensure they work well. With that said, yes Consumer Reports create viruses. They already have done so for testing lastest virus programs. Consumer Reports September 2006 issue has said this. They have rated Bit Defender as the best. The issue specifically said they created new viruses to test how well they did against new viruses not already in the signature lists.

    People like Igor Muttik are just scared their crappy anti-virus software sucks. Mcafee ranked #6 in the Sept 2006 issue. And even if a CR virus got loose, CR can release the viruses details to venders immediately. The virus wouldn't last more than couple days.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.