Mind boggler

[kurt wismer]

When you say "they took a harder line with it" you're proving my
point. You're suggesting they did know it was a commercial program and
they did take intent into account. It's just that they decided to go
ahead and alert on it in this case.

as it happens, this doesn't prove your point... if they take intent into
account then a program that was intended to be legitimate would not get
detected as a virus...

intent is therefore not part of the process by which they classify
things as virus or non-virus... at best it is occasionally used by some
when deciding whether to add detection...

Nonsense. For one thing, probably the majority of samples are
collected by honeypots all over the world. I once read a Kaspersky
article on their methods. They also cruise the web, probably focussing
on porn, warez sites, and other "rich" sources. The suspicious samples
they collect by such means are extremely likely to be of malicious
intent and they need go no further in judging intent.

in other words they've done nothing to judge intent at all... picking
likely sources for malware is not the same as judging the intent of a
suspected malware sample...

Insofar as fast reaction times go, they will of course have to "shoot
first and ask questions later", so to speak. If suspicious samples
they provide detection for turn out later to be commercial products
or other programs having legit uses (or other false alarms), they make
appropriate corrections later.

if it self-replicates then it is not a false alarm at all, regardless of
any 'legit' uses... nor are those legit uses alone reason enough to
exclude it from detection...

diskcopy, for example, is not excluded because it has legit uses... it
is excluded because the environment in which it can be said to
self-replicate is not a credible real-world environment... everything
can be a virus if given the right environment, but only ones that are
viruses in real-world environments are worth detecting as such...

You know there's a history of av
vendors even false alarming on other av vendor's products.

there's a huge difference between a false alarm caused by a false
classification by the vendor and a false alarm caused by unencrypted
virus signatures...

If malware could be strictly detected heuristically, it would be nice
but that's not the real world and you know it. Intent is built into
the concept "malware" and is always involved, regardless of the type
of malware. Antivirus products are designed to alert users to
"unwanted" or "undesirable" programs. As such, subjectivity
is inherent, and human judgements are always ultimately involved.

now we're getting into strawman territory... up until now no one has
given any indication that they were talking about malware in general, it
was viruses in particular that was the topic of this discussion... what
holds true for viruses and virus classification and detection does not
necessarily hold for malware in general...

 

[Art]

as it happens, this doesn't prove your point... if they take intent into
account then a program that was intended to be legitimate would not get
detected as a virus...

The flaw in your logic is that you assume what isn't necessarily true.
Now, in this particular case I have no idea why that particular legit
program was/is detected as a virus. I'm taking your word for it that
it was legit or had legit uses. I don't know for a fact that it was
even known by av vendors at the time detection was first provided
that it was legit. But since you seem to know it is, certainly later
on at some point so did the av vendors that apparently continued
providing detection. So it seems we have a case where legit intent is
known but detection is still provided nevertheless. Which disproves
your assumption.

intent is therefore not part of the process by which they classify
things as virus or non-virus...

Of course not. Never said it did.

at best it is occasionally used by some
when deciding whether to add detection...

Looks to me like it's used far more than occasionally by Frisk, for
example, who specifies a requirement for intentional replication.

Intent is a mult-faceted term which enters into the picture at
different levels. When analyzing code, one might conclude that
that there seems to be intent by the author to create purposely
replicative code. The proof of the pudding would be a viability
test of one kind or another. If the replication isn't accidental or
due to a bug, it becomes clear that the author intended a virus.
Things being what they are in the av industry (no "good" virus")
malicious intent is further added to the intent pot. Which reminds
of the odd situation with koh. Apparently, the "no good virus"
rule won out over "legit purpose" and koh is detected. But
intent is always involved and considered when it comes to
what to detect and what not to detect. The "no good virus"
rule has intent written all over it since it implies "bad" or
malicious intent be associated with every virus.

in other words they've done nothing to judge intent at all... picking
likely sources for malware is not the same as judging the intent of a
suspected malware sample...

When a honeypot gets hit with uninvited guests, I think it's safe to
assume malicious code of some kind or another are the culprits ...
without any further investigation ... at least for the time being.

if it self-replicates then it is not a false alarm at all, regardless of
any 'legit' uses... nor are those legit uses alone reason enough to
exclude it from detection...

Agree to both statements ... the first one because of the "no good
virus" rule ... and the second because nowdays especially av vendors
are alerting on some commercial sw that can be used for nefarious
purposes.

diskcopy, for example, is not excluded because it has legit uses... it
is excluded because the environment in which it can be said to
self-replicate is not a credible real-world environment... everything
can be a virus if given the right environment, but only ones that are
viruses in real-world environments are worth detecting as such...

I use copy programs for cloning one drive to another which copy
themselves or replicate themselves in a legit environment. Why aren't
they detected as viruses?

there's a huge difference between a false alarm caused by a false
classification by the vendor and a false alarm caused by unencrypted
virus signatures...

I thought that old problem no longer exists.

now we're getting into strawman territory... up until now no one has
given any indication that they were talking about malware in general, it
was viruses in particular that was the topic of this discussion... what
holds true for viruses and virus classification and detection does not
necessarily hold for malware in general...

My comment applies to viruses since they are part of the "malware"
class. Viruses are subjectively assumed to be "unwanted" or "bad"
by the vast majority of computer users. In that sense they are no
different from any other malware.

Art

http://home.epix.net/~artnpeg

 

[Art]

Art wrote:
On Sun, 26 Feb 2006 13:56:59 -0500, "Jake Dodd" <[email protected]>
[snip]
In the real world you can't have detection-as-virus on every
code sequence that copies in a self-replicative way, since
situations arise where legit programs do that. The av researchers
are forced to take the legit intent of diskcopy.com (for example)
into account and make special provisions to _not_ alert on it.
Fine, but they don't have to redefine virus to do that.
'Fraid they do. I see a big difference between formal virus
definitions and practical definitions.
including intent is highly *impractical*... they may make exceptions in
exceptional cases but generally intent must be left out of the
equation... there are too many viruses created each day for them to ever
hope to divine the intent of them all...

??? There was nothing said there about intent.

sure there was, in the deepest quote... then on the outer quote
practicality was mentioned...

Labeling and actually providing detection are two different things
entirely.

non-sequitur - the detection algorithm uses the label... using the
formal definition cannot produce false alarms...

in fact, using any definition cannot product false alarms, by
definition... anything that meets the definition would be a true alarm
according to the definition being used...

So using Kurt's "any definition is ok" av users will never suffer from
false alarms. LOL! Sounds like snake oil to me

the key part of a false alarm is that it is *false*, that it is a result
that contradicts the definition...

But will it fly in Missouri?

actually i'm not... the question marks are there because the halting
problem has absolutely nothing to do with whether av vendors use the
formal virus definition or not...

I never said it did. I said any attempt to find all viruses is doomed
to failure. That's why you bring up the halting problem isn't it?

they use the formal definition for classification and in rare,
exceptional cases they may make exceptions when deciding whether or not
to add detection...


??? you implicitly reference the halting problem and and say that using
the formal definition would run into problems with the halting problem

Nope. Never said that.

(which it would not) and when i explain why the halting problem isn't
relevant i'm the one who's confused?

You confuse yourself by reading things into what I say that I don't
say.

[snip]
Why can't they say it is a non-malicious virus? Why can't they even
conceive of a virus that wasn't created with bad intent? When they
start screwing around with definitions that were already in place,
they confuse people. Already.com is an unintentional virus, but is
a virus.
The consesus view of av industry professionals (and my own view
as well) is that there is no such thing as a "good" virus. Vesselin
Bonchev (now at FSI) wrote a classical paper on the subject which
is discussed here:
there's a fairly big difference between bontchev's narrowly specified
"good virus" and simply a non-malicious (or unintentional) virus...

Whoops. You used the "u" word "uninintentional". You see? You keep
proving my point. Intent is always considered.

intent is rarely considered... there aren't enough hours in the day to
allow them such a luxury...

It's truly unfortunate that you can't see your own
self-contradictions.

Art
http://home.epix.net/~artnpeg

 

[Jake Dodd]

I use copy programs for cloning one drive to another which copy
themselves or replicate themselves in a legit environment. Why aren't
they detected as viruses?

Because the detectors (the AV industry) only want to detect the viruses
that are 'malware'. These legit viruses break your so-called "no good
virus" rule - so they have to change the definition they use for virus to
include malicious intent which is not a program function.

They should leave definitions alone and create a new techword if they
really feel they need one - 'virus' was already taken.

 

[Jake Dodd]

Or maybe it's a hybrid virus-worm.


Well, now you're suggesting a different issue than what I thought you
were. If you're saying that a sample of some code submitted to a av
lab and analyzed appears to be a intended <whatever> but actually
works as <something else> then indeed it will and should be
categorised as <something else> and not as <whatever>

Exactly! What it is, is based on what it actually does, and not some
subjective opinion on what it (actually the author) meant (it) to do.

Already.com was a unique case where intent wasn't _necessarily_
determined by code analysis. According to the writeup, intent was
determined by the author's description of what his product is supposed
to do (apparently). So it was a commercial (or free) program marketed
with good intentions (presumably) that happended to have a nasty bug.
Or at least, we should assume good intensions and not accuse him or
her of knowing about the "bug" and purposely spreading malicious code.
That's the way Kaspersky's little writeup came across to me. Innocent
unless proven guilty. Plus, since Kaspersky analysts called it a bug,
I think they did believe it was a bug.

So, it wasn't intended to be malware, but it "still" was a virus because it
did what viruses are defined to do. It even "infected" a program file with
itself by overwriting it - if you happened to have a suitably named file
in the CWD. I don't subscribe to the whole "infecting" thing either, it
was just another way to make non-malicious viruses not fit the definition
they wanted to use. They are trying to use the word 'virus' to encompass
'malware viruses' because that is what they want to deal with and the
word 'virus' has so much appeal that they want to keep using it.

Which brings me back to my point. I can just see Eugene Kaspersky
yelling at his analysts to always consider the whole situation ...
how program code is distributed and spread is just as important
as the technical analysis. They have a special category nowdays
for "questionable" commercial software they alert on. Stuff that
is sold but which may used for nefarious purposes such as commercial
keyloggers and port scanners. It's absolutely not merely a matter
of analysing code.

But a virus is a virus because it causes itself to be replicated. That is,
it's function is to replicate it's function. It does this, or it doesn't - so
it is or it isn't. They should stop redefining 'virus' to fit their mold.

'Fraid they do. I see a big difference between formal virus
definitions and practical definitions. If they worked with purely
formal defs, they'd be false alarming something fierce.

Not really, if the only way to replicate were to make a system call
such as Copy_self_now, then alerting to that call in a program
would be a true positive (if indeed that call was present) even
if the program had a legitimate reason to use that call.

The problem is that they want to define a virus by something other
than by what it does.

The consesus view of av industry professionals (and my own view
as well) is that there is no such thing as a "good" virus. Vesselin
Bonchev (now at FSI) wrote a classical paper on the subject which
is discussed here:

http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1997_3/kelman1/

Read it, don't like it.

They can say that there is no good malware virus, but that would be
redundant. Those viruses that steal processing time are malware due,
at a minimum, to the theft of that processor time. Viruses that ask for
permission to infect and encrypt or compress files don't fit that mold.

 

[Art]

Because the detectors (the AV industry) only want to detect the viruses
that are 'malware'. These legit viruses break your so-called "no good
virus" rule - so they have to change the definition they use for virus to
include malicious intent which is not a program function.

They should leave definitions alone and create a new techword if they
really feel they need one - 'virus' was already taken.

How about "malicious replicator"? I tend to agree with you, though I
have reservations about your "good virus" where you mean a "real"
virus in the sense of multiple replication capabilities. I'm reminded
of something Nick Fitzgerald said here concerning when he was editor
of the Virus Bulletin. He claimed that any test virus used as a sample
had to be capable (when tested for viability) of N number of
replications or it wouldn't be considered a valid sample. Now, I don't
recall whether N was at least two or if a minimum of three were
required. But I've long felt that such a requirement is very
interesting and significant. Exceptions would be dangerous
over-writing viruses (and perhaps others) which cause file damage.
But something that merely copies itself harmlessly once or twice
and it ends there is hardly malicious or "malware" IMO. I do view
av as anti-malware products, meaning that I think they should only
alert on code that most all users wouldn't want on their PCs. And most
users wouldn't care if there is some harmless and rather lame virus
that causes no problems (I would think). Since I believe av vendors
do strive for that goal, I lose interest in theoretical considerations
and definitions very quickly ... and I view it all pragmatically. To
put it crudely, basically I don't give a shit what you call it. If
it's malware it's just malware and who cares what form it takes.

Art
http://home.epix.net/~artnpeg

 

[kurt wismer]

[snip]
If they worked with purely
formal defs, they'd be false alarming something fierce.
no, they wouldn't - that's the point of a functional definition... you
can't have a false alarm under that methodology - it is labeled a thing
because it performs the necessary functions that define that thing...
Labeling and actually providing detection are two different things
entirely.

non-sequitur - the detection algorithm uses the label... using the
formal definition cannot produce false alarms...

in fact, using any definition cannot product false alarms, by
definition... anything that meets the definition would be a true alarm
according to the definition being used...

So using Kurt's "any definition is ok" av users will never suffer from
false alarms. LOL! Sounds like snake oil to me [/QUOTE]

because you're not getting it... any definition is not ok, but the
definitions themselves cannot lead to false alarms... a false alarm
happens when an alarm is raised on something not covered by the
definition - that much doesn't depend on exactly which definition is used...

[snip]

I never said it did. I said any attempt to find all viruses is doomed
to failure. That's why you bring up the halting problem isn't it?

why would you bring up detection of all viruses in the context of
deciding which definition to use for classification if not to imply some
relationship between that and using the formal definition? was it a
tangent?

[snip]

Nope. Never said that.

"If they worked with purely
formal defs, they'd be false alarming something fierce. And
as Kurt Wismer loves to point out, the halting problem applies
to any attempt to find all possible viruses."

if these two sentences weren't meant to go together, if they aren't
related to the same thought, why'd you put them together and join them
with an "and"?...

You confuse yourself by reading things into what I say that I don't
say.

and by expecting the normal conventions of inference to apply...

 

[kurt wismer]

//vil.nai.com/vil/content/v_98035.htm[/url]
i like how they say it "pretends" to be a security feature by encrypting
your information... it does encrypt it, and so long as you enter in the
same password you chose when you installed it it will also give you
access to the info decrypted in real-time...

i think they took a harder line with it because of some similarity with
an existing virus (it's not unheard of for some less clueful security
folks to try and use malware techniques in security apps) and some
programming bugs that made it 'dangerous'...
When you say "they took a harder line with it" you're proving my
point. You're suggesting they did know it was a commercial program and
they did take intent into account. It's just that they decided to go
ahead and alert on it in this case.

as it happens, this doesn't prove your point... if they take intent into
account then a program that was intended to be legitimate would not get
detected as a virus...

The flaw in your logic is that you assume what isn't necessarily true.[/QUOTE]

i don't think so... if the result is the same as it would have been if
there was no intent to be legitimate then the intent to be legitimate
had no effect on the decision...

Now, in this particular case I have no idea why that particular legit
program was/is detected as a virus. I'm taking your word for it that
it was legit or had legit uses.

you can think of it as being similar to pgpdisk...

I don't know for a fact that it was
even known by av vendors at the time detection was first provided
that it was legit.

there aren't too many viruses that ask for permission to install
themselves... and it would be kinda hard to miss... these are things
they would have discovered while analyzing - before adding detection...

But since you seem to know it is, certainly later
on at some point so did the av vendors that apparently continued
providing detection. So it seems we have a case where legit intent is
known but detection is still provided nevertheless. Which disproves
your assumption.

it proves my contention that the virus programmer's intent is not the
significant criterion you make it out to be...

Of course not. Never said it did.


Looks to me like it's used far more than occasionally by Frisk, for
example, who specifies a requirement for intentional replication.

i think you've misinterpreted the use of "intent" in frisks
definition... consider these two scenarios:
1) a program contains code to specifically make copies of itself..
2) a program contains code to make copies of something and under certain
conditions that something it copies might be itself...

the intent frisk was talking about is what is present in case 1, and
that kind of intent is not subjective... it's non-coincidental
self-replication...

[snip]

I use copy programs for cloning one drive to another which copy
themselves or replicate themselves in a legit environment. Why aren't
they detected as viruses?

because the copy programs aren't self-replicating... they're making
copies of what you tell them to, which simply happens to include the
copy programs...

 

[Art]

it proves my contention that the virus programmer's intent is not the
significant criterion you make it out to be...

And the reason it isn't in the case of viruses is Bonchev's paper
which went to great lengths to show there is no such thing as a "good"
virus. That just occurred to me this morning. I think the intent of
Bonchev's paper was to justify detection of all viruses.

Years ago when I first read his paper, I wondered why this high tech
individual would concern himself in such detail with what appeared to
me to be a strictly moral issue. The paper seemed to me to have a
"preaching" undertone ... and in my case, preaching to the choir.

Now it dawns on me that his intent was probably to do away with
programmer intent and pave the way for the av industry to not have to
deal with the question in the case of viruses.

The malicious or "undesirable" or "unwanted" or "bad" intent of all
viruses has been proclaimed by a respected authority and assumed
by the overwhelming majority of users. You can't say intent isn't
involved since it's a industry mantra that viruses are written with
bad intent, even though some may not.

I'm done. Go ahead and have the last word.

Art
http://home.epix.net/~artnpeg

 

[Offbreed]

You can't say intent isn't
involved since it's a industry mantra that viruses are written with
bad intent, even though some may not.

<G> "Intent" does not impress me, and has not since I was a teenager too
many years ago. I had to throw a screaming fit to get some well meaning
idiot to get the hell out of the way, I really did know what I was doing
and he did not.

"You don't have to /yell/," he says, with a quivering chin.

I'm sure you can think of any number of other examples, outside the
computer world.

 

[Jake Dodd]

How about "malicious replicator"?

Malicious virus would have been fine, the problem was with their insistence
that the term virus always imply maliciousness. They wanted "virus" to mean
just that sort of virus they would be dealing with. They don't care that there
might be another branch of computer science that dealt with viruses of another
sort.

I tend to agree with you, though I
have reservations about your "good virus" where you mean a "real"
virus in the sense of multiple replication capabilities.

I was referring to the "good virus" article you posted the link to. The AVers
don't want any non-malicious viruses to fall under their definition of virus, and
that article assumes theft of processor time even though a virus program might
be wanted by the user - and so no theft. Kurt supplied one such virus, and I
hear there is one similar that compresses, rather than encrypts, to save the users
precious storage space.

I'm reminded
of something Nick Fitzgerald said here concerning when he was editor
of the Virus Bulletin. He claimed that any test virus used as a sample
had to be capable (when tested for viability) of N number of
replications or it wouldn't be considered a valid sample. Now, I don't
recall whether N was at least two or if a minimum of three were
required. But I've long felt that such a requirement is very
interesting and significant.

To ensure a valid sample, they allow several generations and take one
of the middle ones as a sample. If I were a virus sample, they would have
to know both my parent and grandchild exist. The grandchild proves my
ability to produce viable offspring, while the parent proves that I am not
an initial germ and am in fact a child of what might may or may not have
been an intitial germ.

In short, they want to be testing with samples that are proven to be recursive
as well as proven not to be some special form like an initial injector or dropper
trojan whos payload replicates.

Exceptions would be dangerous
over-writing viruses (and perhaps others) which cause file damage.
But something that merely copies itself harmlessly once or twice
and it ends there is hardly malicious or "malware" IMO.

They're not defining malware here, they're growing valid samples. The
validity does touch on the fact that a virus must produce a "functional"
copy of it's function IOW recursion. If I produce a child that is in turn
unable to reproduce, I have not passed that function along and so I
am not to be considered a virus. My parent may have been, but that
is inconsequential. I need (at least) a grandchild to prove my worthiness.

I do view
av as anti-malware products, meaning that I think they should only
alert on code that most all users wouldn't want on their PCs.

With viruses they thought they would be able to do something about
it because ... here was a programmed function that they figured no
legitimate program would have need for. They could just as well
have decided (in view of polymorphic decryptors) that no legitimate
program would ever need to decrypt itself on the fly and bannish
decryptors to the malware dungeon. Then they would be an article
"why good on-the-fly decryptors/decompressors are still a bad idea"

 

[Art]

Malicious virus would have been fine, the problem was with their insistence
that the term virus always imply maliciousness. They wanted "virus" to mean
just that sort of virus they would be dealing with. They don't care that there
might be another branch of computer science that dealt with viruses of another
sort.

I understand your POV now. I'm not sure it would be a good idea though
for av to purposely not alert on allegedly useful and unharmful
viruses. They'd really be sticking their necks out. What if they allow
one that runs wild and causes problems? Why should the av vendors
be put in the position of practically guaranteeing that some goofy
virus is safe and stable? Not that it's the same set of problems
necessarily, but I'm reminded at how shocked the creator of one of
the early internet worms was at his "success" and the wide damage and
lost money his little experiment caused.

Sorry, but I'm not sold on your POV

Art
http://home.epix.net/~artnpeg

 

[Jake Dodd]

I understand your POV now. I'm not sure it would be a good idea though
for av to purposely not alert on allegedly useful and unharmful
viruses.

What they decide to alert or not alert on doesn't matter to me, although
it probably would if I wrote a legit program that used virus code. My
objection is that they mess with the already defined 'virus' and say that
certain things that act like viruses are not viruses just because of some
idea they have about intent or just how (or if) it attaches itself to code
areas to ensure future execution.

They'd really be sticking their necks out. What if they allow
one that runs wild and causes problems? Why should the av vendors
be put in the position of practically guaranteeing that some goofy
virus is safe and stable? Not that it's the same set of problems
necessarily, but I'm reminded at how shocked the creator of one of
the early internet worms was at his "success" and the wide damage and
lost money his little experiment caused.

Yes, and in their defense I can see that it would be just a little change in
code that could change a nice application using virus code (like the koh
example) into a malicious virus that doesn't ask for permission first and
becomes a malicious cryptoviral extorter.

 

[kurt wismer]

Art wrote:
[snip]

The malicious or "undesirable" or "unwanted" or "bad" intent of all
viruses has been proclaimed by a respected authority and assumed
by the overwhelming majority of users. You can't say intent isn't
involved since it's a industry mantra that viruses are written with
bad intent, even though some may not.

i most certainly can say it's not involved... if the intent of all
viruses is believed to be the same then intent becomes a non-sequitur...

intent *was* considered, once - in a way that applies to all viruses
past, present, and future - and that was the end of it..