Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Software

The Internationalization of Malware 81

Ant brings us a write-up from a former malware analyst about the difficulties in fighting malware as it expands beyond English-language targets and into societies with different standards for privacy and security. Quoting: "One of the most fascinating facets of the increasing internationalization of malware is the cultural assumptions around such software. What is considered malware in the US may be commonly accepted in China or Japan, and this is largely due to the society that it exists in. Anti-cheating rootkits are very common in games released in these countries. What is considered to be invasive in the North American or European world is acceptable there. These anti-cheating rootkits would hook into the kernel space in a very invasive way, and have the behavioral characteristics of malware such as hooking into the keyboard driver. This made it very difficult from a purely technical standpoint to distinguish them."
This discussion has been archived. No new comments can be posted.

The Internationalization of Malware

Comments Filter:
  • by Anonymous Coward on Sunday July 06, 2008 @09:45AM (#24074731)
    Oh lord, what's next, people being executed for blogging?
  • Unicode! (Score:2, Informative)

    by ztransform ( 929641 )
    I was going to post a reply but slashdot can't handle unicode :(
  • by crossmr ( 957846 ) on Sunday July 06, 2008 @09:49AM (#24074747) Journal

    The country lives and dies on activeX. Trying to do anything other than read basic text on most korean websites requires the installation of several activeX controls, which means IE only for a lot of sites. And if you want to create an account on one as a foreigner and don't have your foreign registration with immigration you can just give them copies of your passport..

  • Define it (Score:4, Insightful)

    by Anonymous Coward on Sunday July 06, 2008 @09:50AM (#24074751)

    Malware is supposed to do Bad Things to your computer/information. If it's hooking into the kernel, it may not necessarily be malware, per se. It may just be doing business in the entirely wrong place.

    • Re:Define it (Score:5, Interesting)

      by Bieeanda ( 961632 ) on Sunday July 06, 2008 @10:20AM (#24074923)
      Are Bad Things intentional effects, or can they include weird, destructive side effects as well?

      I installed NCSoft's 'Exteel', a localized version of a Korean game, complete with the Game Guard nanny app that's nigh-ubiquitous when it comes to Korean games. While it probably wasn't intentional, Game Guard did disable the interface for my uninterruptible power supply when it ran, and wouldn't allow the service to reactivate until after it shut itself down.

      • Never mind that it's been easily bypassed by actual botting programs it was supposed to stop.

        See Lineage II for example.

        • Re: (Score:3, Informative)

          by nog_lorp ( 896553 )
          Botting programs aren't all it is intended to stop. As a matter of fact, botting is not preventable, it can only be limited in power. You could always hook up a device that would give keyboard input, and pass the video through it. What they do a fairly good job of stopping (making very difficult at least) is getting read/write access to the memory, forcing bots to rely on interpreting pixel data, which is rather unreliable, and preventing many hacks that result from those games having bad client/server sepa
          • Buggy game architecture in both cases. Not to mention that it doesn't block all macro keyboards - just redo you macros and you're done.

            My point was that Lineage II was the poster example of a worldwide failure in Gameguard. In Lineage II it's primarily for the following:

            a) The low hanging fruit
            b) Those who threaten the botting - see NCNA.

    • by StarkRG ( 888216 )

      If it's doing business in the wrong place then it is malware.

      I can't think of a really good example because I'm stoned off my ass sitting here, nude, in my apartment. I'm glad I've got internet at home, because sitting in the library, nude and stoned; which, by your logic, doesn't make me bad, just doing my business in the wrong place.

    • Is violating my security policy a bad thing?

      If it hooks the keyboard driver and has a network connection, is it protecting my keystrokes to the level I consider necessary?

  • by Anonymous Coward

    I hear in some countries they kill women who commit adultery. In some countries families depend on the kids finding work in factories. It's all relative. You have to look at cultural background before you judge someone for child labor or killing a woman, right? Can't call a rootkit a rootkit if it's acceptable somewhere else. It's all relatively fucked up.

    • by sveard ( 1076275 )

      While trying to respond insightful you've made a mental jump from something rather innocent such as a rootkit, to a grave insult on basic human rights. I'd rather compare the relative status of malware to something as "looking a person in the eyes", which is considered rude in Western civilisations, but not in East Asian ones.

      • by Teun ( 17872 )

        "looking a person in the eyes", which is considered rude in Western civilisations, but not in East Asian ones.

        I am very 'Western' and this statement makes you look 'Weird'.

        Averting eye contact is considered a sign of untrustworthiness, and not only in western societies!

        (Staring at someone is an other thing).

    • by DarkOx ( 621550 )

      You have to look at cultural background before you judge someone for child labor or killing a woman, right?

      No I don't have to look at cultural background to say the subjecting children to dangerous and long working conditions or killing women who are not killers themsevles, or perhaps fighting in war, is wrong. I am not a moral relativist. When it comes to right an wrong there ARE some absolutes.

       

      • Re: (Score:1, Insightful)

        by Hurricane78 ( 562437 )

        Nope. Simple example. Have a small town of 50 people. If they all (even the kids) agree, that killing and eating someone who stole something from you, then you are oppressing them when you try to ban it.

        What's the problem is, if some people (e.g. the one stealing) disagree with others, and still are forced to take part (e.g. the one being oppressed).
        Laws are just a book of things, that a group agreed upon.

        And this is the most basic argument against big (e.g. world, state) governments and punishments (e.g. j

      • You have to look at cultural background before you judge someone for child labor or killing a woman, right?

        No I don't have to look at cultural background to say the subjecting children to dangerous and long working conditions or killing women who are not killers themsevles, or perhaps fighting in war, is wrong. I am not a moral relativist.

        Nice couple of straw men you slip into the argument there.

        The question originally was about "child labor", not about "child labour under dangerous and long working condit

    • by Teun ( 17872 )
      An interresting comment, at least as interresting as the mod that gave it a -1, Offtopic.

      I could imagine +1 Funny or +1 Sarcastic but don't at all understand the Offtopic...

    • and i heard that in some countries they lobotomized 12 year old children for eyeballing their stepmothers, and that only 40 years ago.
      it is really relatively fucked up.

  • by sakdoctor ( 1087155 ) on Sunday July 06, 2008 @09:54AM (#24074775) Homepage

    Or is it lack of awareness. Add south Korea to that list because is currently seems acceptable to have about 10 useless browser bars attempting to take over and uninstall the competitors bar in internet explorer.

    Awareness didn't come overnight in North American or European either.

    • Re: (Score:1, Funny)

      by Anonymous Coward

      Obligatory "awareness hasn't come in NA, either" comment.

    • Re: (Score:2, Offtopic)

      Comment removed based on user account deletion
    • by Anonymous Coward on Sunday July 06, 2008 @12:03PM (#24075513)

      1. Most people dont know about it. For example the South Korean nProtect Gameguard is included over 80% of online games in Asia. Only after something went wrong and the games wont load, I investigated it and found out that it acted like a rootkit, then I stopped playing online games altogether.

      2. It was marketed as "anti-cheat". It wasnt supposed to be malware, right?!

      3. Online-Games companies are sick and tired of fending off cheaters themselves. On top of that you have online-cash suppliers that deploy millions of bots to collect cash, selling items, inflating prices and selling online-cash to gamers. So they turned to these "anti-cheat" software.

      4. Selling online-cash is lucrutive. That is why so many malware target gamers' account. Cheating tools are rigged with trojan that wont be recognised by virus scanner, they wait for a few months and then start to steal your stuff.
      Gamers like us are really pissed to see entire army of bot all over the map on every server.

      5. On average, anti-cheat is about 50-60% effective, but they update it weekly. It also present a challenge. It is effective to stop a gamer to cheat, however, the cash-suppliers are in the cracking contest since it is highly lucrutive.

      6. The anti-cheat tools like Gameguard is language-natural, it will look for cheating tools based on Unicode/Wide-char strings, in theory it will work for any online-games. Not to mention Punk-buster is also in the same league. Just that Gameguard is particularly nasty with hiding, extremely intrusive and difficult to un-install.

      What is happening is ugly and convoluted. Especially when 90% of "characters" are bots. It is very easy to spot a bot, especially when the entire group is in action. I even had fun luring big bosses (some mmorpg has big boss on each map) to ruin their party. Some mmorpg even supply their official version of "automated tools" to run your own bots, just to keep the players in the game. What fun left when the entire map is occupied by bots, and the game is basically reduced to a chatroom with only a handful of human players?

      It might happen to WOW, only a matter of time.

  • by petes_PoV ( 912422 ) on Sunday July 06, 2008 @10:01AM (#24074807)
    The main differentiator between an invasive monitor and malware is whether the author (or organisation employing it) uses it covertly, or if they make the user aware of what will happen.

    If a piece of software makes it clear, before you purchase it, that it will install monitoring software on your machine and/or it would phone home then that's one thing. You have the option of not buying it.

    If this situation only becomes apparent after the package has been installed, then (IMHO) that's not an acceptance practice.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      No, that's a culturally influenced point of view. In other cultures, where it's normal that software performs "hidden" functions, the package would not need to make the user aware of that fact prior to the purchase, or afterwards. It would just be software that does what software does. Bring that software into a western country and it's a lawsuit waiting to happen.

      What people don't understand about the internet is that the person on the other side of the net isn't just a clone of yourself with a funny accen

      • by Jurily ( 900488 )

        No, that's a culturally influenced point of view. In other cultures, where it's normal that software performs "hidden" functions, the package would not need to make the user aware of that fact prior to the purchase, or afterwards. It would just be software that does what software does.

        Yes, it's culturally influenced, but in my case, it's that of Free Software. It's one where you don't take over someone's computer in order to prevent them from cheating in a game. It's one, where if a package does "hidden" things and I gain knowledge of it, I won't trust it not doing anything else "hidden", thus I nuke it from orbit, it's the only way to be sure.

        Let me repeat that to be clear: a package that does something "hidden" can not be trusted to play nice. Period.

    • At a guess, you couldn't get away with a warning on a clinical trial consent form that says "may cause neutropenia". You have to explain what neutropenia is and how it can affect the patient, otherwise you're getting uninformed consent. The ethical standard is "informed consent".

      What fraction of software users understand the implications of "monitoring software"? One of my colleagues had a client who wanted to install a piece of software I won't name which enrolls users in surveys of online behavior. My col

  • by grizdog ( 1224414 ) on Sunday July 06, 2008 @10:02AM (#24074825) Homepage

    While most people probably don't consider them malware, a lot of people find internet ads intrusive and obnoxious and we install popup blockers to get away from some of them. But the advertisers wouldn't pay for them if someone wasn't reading them and clicking on them.

    More to the point, there is a huge difference in what people care about regarding their computers. Many of my friends think I "put up" with a lot because I use Linux and install things relatively methodically, always keeping control of my system. I think they "put up" with a lot, because they have no idea what is running on their computers and what the machines might be doing with their information.

    It concerns me that the anti-privacy people have time on their side, because after a few more years, they will just point out how so many people haven't been enjoying much privacy anyway, so what's the big deal?

    • by MasaMuneCyrus ( 779918 ) on Sunday July 06, 2008 @11:43AM (#24075391)

      I'm currently living and Japan and would like to note that for all of the notoriously computer-ignorant people in America, Japan's computer ignorancy problem is ten-fold. Computers simply aren't used as a part of every day life in Japan as they are in America, and there aren't even basic use classes is most schools through college. IE6 is still the big web browser, and the most important factor in buying a computer (which is terribly overpriced because of Japan's tendency to use only Japan-made products for everything) is how cute it is.

      • In other words... (Score:5, Insightful)

        by DrYak ( 748999 ) on Sunday July 06, 2008 @01:00PM (#24075943) Homepage

        ...a computer in Japan is just another appliance.

        They buy it as they would buy a second TV set for the kitchen, or a vacuum cleaner or table-top cooling fan, etc.

        Nobody in his/her right mind care of the stats of a vacuum cleaner, except complete nerds.

        Computers are slowly drifting toward that situation.

        GSM phone have already reached that point almost worldwide - the only thing most people care is if there's "Apple iPhone" written on it.
        And there are often enough articles on /. about remote cellphone's mic tapping, remote GPS polling, etc... to show that there slightly more than "what's written on the case" about a phone.

        • > Nobody in his/her right mind care of the stats of a vacuum cleaner, except complete nerds.

          Pardon? You lost me at this point.

          If no-one cared about the specification of a vacuum cleaner, Dyson would be an angry man with a long-lapsed patent.

          There are few examples of true commodity items in the real world, other than food. Even a desk fan's box displays its specification so that customers can determine if it will cool a room of size X.

          Can you really remember an occasion when you were content t

    • >It concerns me that the anti-privacy people have time on their side, because after a few more years, they will just point out how so many people haven't been enjoying much privacy anyway, so what's the big deal?

      My understanding of legal theory in the US
      - I am not a lawyer
      - I have never been to law school
      - Don't make decisions based on what I say
      - If you really need to know a point of law ask a lawyer
      - What do you call someone who gets legal advice on Slashdot? "Inmate".
      is that in gray situations of comm

  • by know1 ( 854868 ) on Sunday July 06, 2008 @10:29AM (#24074961)
    I was extremely pissed off with the whole sony rootkit debacle, which was covert. I was even more pissed off when they bought one of my favourite music production programs Acid Pro and I checked it for the tell-tale signs of the rootkit (the processes that are started with $SYS$ are hidden from the process list) and found it present in that too. If anyone uses this product then the last rootkit free version is Acid Pro 4. Just a heads up.
    • Very interesting, never heard of this one. But it is really plausible because another division of Sony also implemented a rootkit, sold on a USB stick that utilized a fingerprint reader. It used the rootkit to hide the stored fingerprint information... It got detected by AV's anti-rootkit technologies.

      Fool me once...

          well...

      • by know1 ( 854868 )
        I know, I wouldn't trust them as far as I could throw them. Really pissed off too as I loved the fact that they used linux as the operating system for the playstation in all its guises. I would really have liked to trust this company. However, I will not be buying anything from sony again.
  • Malware to me is anything that adversely effects the security of the computer system and the network. Which is why when I talk about viruses spyware or anything else along those lines I just group them all under malware.

    Best defense against malware is safe browsing habits and knowing more about the internet and what it has to offer. As well as keeping up with system updates, and anything else you have on your computer. Make sure you have a good enough firewall, so in the event that you do get infected

  • I just finished installing the QQ 2008 Beta version, and kept having to make exceptions for about half of the .exes. Avast! aborted the download twice. My anti-virus software also seems hellbent on gutting PPStream and PPlive. True, the update files do behave exactly like Trojans- but they are good Trojans! I like TFA suggestions for teaching security software to recognize the difference between legit software and trojans, but asking malware analysts to become fluent in non-Roman languages that don't hav
    • Indeed. QQ is a prominent example of what I was discussing in my posting. What was especially irksome about this was that there were actually variants of QQ that were in and of themselves trojans or malware using QQ as a vehicle. Also, earlier versions of QQ were much more intrusive. So I had to use many tricks in the book to figure out if it was authentic or not. One thing that helped was when QQ began to sign their binaries, though I still viewed them with great suspicion
    • With Japanese, technical stuff in a field you're familiar with tends to be easier than newspapers, in my experienc. Japanese does have katakana, and Chinese doesn't have anything comparable, so when they convert technical words to Chinese, it's not nearly as straightforward. But you still have the advantage of context, that you probably won't have for most of the newspaper. So I suggest, if you've just automatically assumed and not bothered trying, give it a try.

  • That is -- eliminate the malware, and WARN users that what the aforementioned companies were doing is not proper behavior.
    • by v1 ( 525388 ) on Sunday July 06, 2008 @11:45AM (#24075407) Homepage Journal

      The best response in this aspect seems to be a little of what is so irritating in windows, the barrage of popups. This is probably one of the most sensible bitter pills in windows. OK if the software manufacturers are going to be completely retarded or write malware, we are going to harass the user continually as long as the software is running. Since we cannot make them change, and only the consumer's dollar is going to help.

      Sucks to be us, but that's what it takes to make developers clean up their act. Give them the choice to do it right or turn their software into something totally obnoxious.

      Lets say windows had a way to detect the root kit. Code it in. Make a popup come up every 5 minutes that the rootkit was detected. Cannot be disabled. (period) First thing the developers would do is mod it to hide better. A small war starts. Microsoft being the OS author, WILL win that war eventually. And the enraged customers will force them to remove the rootkit. (all the while the devs are blaming MS of course) Such is life. I wish they'd do that. It'd be messy, but effective.

      There are other fun responses to someone rootkitting your os. Make intelligent, targeted updates, that do something like wreck the registration scheme of the rootkitter. Do something that forces the customer to call the vendor for help. Make it such a sever PITA to the developer that they stop doing it.

      Or simply target the error message. Imagine this popup once an hour: "Windows has detected the installation of ROOTKIT_SUPERSHOOTER3v4. This software has damaged your Windows installation and compromised the security of your computer and your personal information. Please contact the software vendor SuperCoders (link/phone number) for assistance in repairing your Windows installation, or perform an erase and install to repair the damage." That would rock.

      • by drsmithy ( 35869 )

        Lets say windows had a way to detect the root kit. Code it in. Make a popup come up every 5 minutes that the rootkit was detected. Cannot be disabled. (period) First thing the developers would do is mod it to hide better. A small war starts. Microsoft being the OS author, WILL win that war eventually. And the enraged customers will force them to remove the rootkit. (all the while the devs are blaming MS of course) Such is life. I wish they'd do that. It'd be messy, but effective.

        You're kidding, right ? W

        • Re: (Score:2, Interesting)

          by gujo-odori ( 473191 )

          There was an interview/article not too long ago in which Microsoft basically said that UAC was intended to do just that - be really annoying and cause users to bother vendors to code better software. The big flaw in that plan is that most users are A) Don't care (or know) nearly enough to act on that, even if they understood what it was, and B) Microsoft didn't make it expressly clear that that's what it was for (probably to avoid angering third-party vendors) so that the minority of users who do know and c

          • The fact that it was *supposed* to be an annoying piece of crap that didn't really help with security only makes it worse.

            Well, I guess it just goes to show that Microsoft can't win. for years they've been criticized because their software doesn't do what they intended it to, and now that they've written something that does exactly what they intended we're complaining about that!

  • by 4D6963 ( 933028 ) on Sunday July 06, 2008 @10:51AM (#24075051)

    What is considered malware in the US may be commonly accepted in China or Japan [...] These anti-cheating rootkits would hook into the kernel space in a very invasive way, and have the behavioral characteristics of malware such as hooking into the keyboard driver

    Indeed. And if you look back in history, you will find documented examples in medieval Japan of samurais making alliances with kernel-space rootkit developers to repel Mongol invasions. But it actually goes back to the roots of Zen Buddhism which de-emphasized the attachment to privacy and instead favoured experimental realisation, including with various sorts of early meditation-space thought-loggers.

  • Many people I know don't care for their computer's privacy because they say they don't have any important information in them. But then I ask them if the same applies for their homes and private properties and whether they would let the police or anybody in without a warrant... of course they say no.

    I think is up to us to make this kind of people realize that computer privacy is something that really matters and prevent this kind of stuff from happening.
  • This made it very difficult from a purely technical standpoint to distinguish them."

    Sounds like a difference between what they do and how they do it.

    I prefer to limit both, rather than one or the other. If all you limit is what they do, you wind up with invasive root kits in games. If you limit how they do it, then you end up with malware that simply finds another way to do more evil.

    Just one or the other is pointless.

    • That is indeed what it is. "What they do" vs "how they do it". There is also "why they do it".

      "What they do" is very easy to measure using a piece of monitoring software that looks at behavioral characteristics. "How they do it" is also concievable, such as if we take a look at if it is using DirectX to do these calls, and we can identify it as a game.

      But "why they do it" is difficult, if not nearly imposible to quanitfy using automatic detection methodologies. And that's why there are malware a
  • "Look how weird this people think, thats obviously malware!"

    Thats a big laught, but then sometimes, some people, could consider i.e. Windows itself malware, and could be so deep in our culture that should be ok if we dont stop thinking on that.
  • In the 70s and 80s it was common for games to bypass the operating system and talk directly to the hardware, for copy protection, to prevent cheating, for performance, for all kinds of reasons. Many of them booted directly and completely ignored the OS. Over the years these games were the first to break when new software and hardware came out, and badly behaved games got a bad reputation. Other countries haven't been through the experience of having badly behaved software rot because it couldn't be updated for new systems... yet.

    It's a learning experience. They will learn.

  • by Opportunist ( 166417 ) on Sunday July 06, 2008 @03:25PM (#24077009)

    It does what I want: No malware. It does not: Malware.

    Simple as that. It doesn't depend on technology. A plain vanilla keylogging trojan that phones home is, technically, in no way different than any other web application. Aside of doing what I don't want to happen.

    The only essential difference between benign programs and malware is that malware exhibits a behaviour that I, as the owner of the machine and the one who should be calling the shots, do not want to happen.

    So a "cheating rootkit" isn't a trojan. It does what the user wants it to do, it disguises from anti-cheat programs, and to do that it has to do the same trojans do to hide from anti-virus programs. Basically, any sensible AV tool is a trojan by that definition. It has to do the same to avoid being kicked offline by a trojan that gets past its initial scan. A lot of today's (real) malware actually does that. They search for AV processes and try to stop them, they try to keep the AV update routine from connecting to the internet and so on. An AV tool that doesn't dig itself into the system won't be able to defeat more creative malware.

    • I consider a lot of the stuff that anti-virus software does to be over the line into malware, and I consider game software that installs a rootkit to scan for cheats to be malware.

      • Most game software comes with malware these days. They install "special" drivers that should ensure you use an original copy of the game instead of a CDR or such. What bothers me about this practice is that it slows the system down with a driver that you don't benefit from. If they did at least remove the driver again when you get rid of the game, it would be a different matter. Most games, sadly, "forget" to remove their copy protection, cluttering your system with it.

        It gets downright ugly when you instal

        • by argent ( 18001 )

          Most game software comes with malware these days.

          Which is why I stick to open source games, pretty much.

          This is working in my interest, since I do not want a potential trojan being able to disable my protection against it.

          Security is like sex: once you're penetrated, you're ****ed.

          If the malware's launched itself, the antivirus software has already failed. If it "has to" put in checks for rootkits inside the kernel because it can't block malware at input, then it's broken as designed.

          I don't use antivirus s

          • The square of the circle for AV kits is identification of malware. There is no "such and such is malware because it does this or that" book. Mostly it's a liability thing, more than one AV vendor has already been sued by some overzealous company because they too readily identified something as malware. Most of those suits were by rather questionable companies, but let's not digress.

            It's hard to predict malware. Heuristics proved to produce a far too large number of false positives while not hitting even clo

            • by argent ( 18001 )

              The square of the circle for AV kits is identification of malware. There is no "such and such is malware because it does this or that" book.

              Indeed. As I implied, any realistic behavioral definition of malware would classify antivirus software as malware. The only useful thing antivirus software can do is to perform signature checks on data before it is executed. For this to be reliable, the computer software has to be designed so that execution of new code can not happen until it has been scanned. For THAT

  • If there were truly a way to install software on a computer that prevented people from using hacks and aimbots and the like in FPS games, I'd be all for it. Unfortunately such a thing will never happen, because as long as people can gain access to the memory registers, they can hack whatever software is running on the box. In the past I thought that a bootable CD/DVD with the game on it might be the way to go, but as soon as the game needs to be patched then that concept fails.

    Does anyone else out there h

Avoid strange women and temporary variables.

Working...