A couple of years ago, I underwent radical surgery. (Bear with me, even if you've heard the story before: there's a lot more to this issue than the rearrangement of some of my internal organs…)
Outside the operating theatre, as I was awaiting the tender ministrations of the anaesthetist, the surgeon came by for a word or two, and asked me what I did for a living. When I told him, he came back with the traditional response: “Ah. I have a theory about anti-virus companies…”
If you’ve spent as much time as I have in (or on the fringes of) the anti-malware industry, you’ll have heard the theory about the anti-virus industry writing all the viruses many, many times, though maybe not in such dramatic circumstances. One of my standard responses is “yes, just like policemen commit all the crimes and doctors spread diseases”, but I figured that wasn’t the best thing to say to someone who was about to probe my thoracic cavity with a selection of sharp instruments… So I fell back on equally logical but less emotional responses like "we couldn't afford the resources to generate the kind of volumes of malware that we see on a daily basis: if we could, don't you think we'd make sure we could detect them all?", or the points made succinctly by John Hawes of Virus Bulletin.
I have some theories myself about why this particular theory is so persistent: you can find one or two of them in an article I wrote for Virus Bulletin four years ago. And it doesn't help when a security company's marketing department makes specious (or at best unprovable) claims about detecting stuff no-one else does.
But I can’t recall an uglier example than the story published in the Epoch Times about allegations that an AV company in China wrote custom malware and then bribed an official to send out a a virus warning advising the public to download their software in order to deal with it.
Well, I've been hearing some strange stories about rivalries and dirty tricks in the Chinese AV industry for a while, but I really can't comment authoritatively on the truth or otherwise of these allegations in that region/market. And while the story by Li Ping of Epoch Times clearly states that "Chinese Antivirus Companies Create the Viruses They Kill", it stops short of suggesting that such activities are considered legitimate business strategy outside China (whatever the truth may be behind the Great Wall).
But I do find it enraging that these stories will inevitably be seen as "proving" once again that the AV industry routinely follows practices that the research community as a whole finds ethically repugnant, and I assure you that virus labs all over the world have not established R&D groups specifically in order to create new viruses, whatever the situation might be with Rising Antivirus or Eastern Micropoint, the companies named by Li Ping.
In fact, poachers turned gamekeeper are not uncommon in the security industry as a whole, and it's all too common for aspirant virus-writers whose notoriety is not necessarily matched by their technical skill to be hired by companies on the remote borders of malware detection and filtering, but the "real" AV industry goes out of its way to avoid hiring the ethically challenged.
The really bizarre (and irritating) issue, though, is that in some cases, the same people who claim that we do engage in that sort of sharp practice will also point to our dislike of the creation of malware for testing purposes as somehow proving our incompetence. Sigh…
One thing is for sure: if this incident hurts the global security industry, it will hurt the industry in China far more, and that can't be good for its customers.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow