McAfee Avert Labs has been advertising a "Malware Experience" session for the "Focus 09" security conference, which offers attendees the chance to "to work with a Trojan horse, commandeer a botnet, install a rootkit and experience first hand how easy it is to modify websites to serve up malware."

Actually, this text has been modified: it originally said to "create" a Trojan horse. It would appear that this was a matter of poor choice of expression rather than a sign of the company's veering into real malware creation, which has always been a "no-no" among established AV companies. I'm guessing that after Michael St. Neitzel's thoughtful blog generated some animated discussion (yes, I did join in...), someone with a clue at McAfee administered some corrective action. Yes, there really are people with a clue there. :)

An apparently official comment clarifies their position, reassuringly.

The interesting thing, though, is that the comments to Michael's blog have illustrated once more the gulf between the views of the mainstream vendors and others both in and out of the security community as to whether it's useful, ethical, misleading, inappropriate etc. to create malware, either for testing or for educational purposes.

Of course, the McAfee session isn't directly associated with the use of malware creation for testing purposes, which is a discussion that the Anti-Malware Testing Standards Organization (AMTSO) will have high on the agenda at our Prague meeting in October. But it is a perfect illustration of how sadly the anti-malware industry has failed to make clear its objections (which are well-founded, in my humble opinion, but the important thing is to actually voice them) to the rest of the world.

The AMTSO paper up for discussion in Prague is the industry's opportunity to fix that shortcoming once and for all: I sincerely hope we make the best of it.

(Thanks to Andreas Clementi, Michael St. Neitzel and Alex Eckelberry for drawing my attention to this issue.)

David Harley
Director of Malware Intelligence