Mary's Antivirus Software Blog

By Mary Landesman, About.com Guide to Antivirus Software since 2000

Virus Writing Class Fails Reality Test

Sunday August 3, 2008

A recent Newsweek article discusses a Sonoma State University course in virus writing. The magazine story sensationalizes the course's impact, even going so far as to describe the course professor as "the guy who gave away the secrets to the Internet's bomb."

Huh?

The article then goes on to describe Ledin's syllabus as a "partly veiled attack on McAfee, Symantec, and their ilk, whose $100 consumer products he sees as mostly useless". Allegedly, Ledin also believes the antivirus vendors have some "hold over antivirus technology".

Huh? and Huh?

Here's the reality: signature-based antivirus scanners detect known viruses. There's no deeply kept secret about this; it's a well-known, established fact. So trying to "prove" this through a virus writing course is a bit like a sailing course designed to prove the world isn't flat. Yeah, we know already.

As for signature scanners being 'mostly useless' because they don't reliably stop never-before-seen malware, I suppose we should do away with law enforcement because they can only investigate after a crime has been committed? I'd rather detect the vast majority of threats than none at all. But the real chuckle comes over the alleged "hold over antivirus technology" the vendors supposedly possess. Is that why there are hundreds of signature-based scanners, behavior analyzers, HIPS, VM solutions, and others flooding the market? Is that why there are industry conferences where antivirus researchers routinely openly publish and discuss the methods they've found successful? Is that why there are so many free antivirus scanners, removal tools and rootkit detectors offered by these vendors?

Perhaps I'm peeved most by the virus writing class because I'm currently funding my own son's college education. Knowing firsthand just how expensive that is, it's hard to fathom his being tricked into taking a class which not only offers no scientific value, but is also so grounded in baseless justifications.

Signature-based antivirus isn't perfect. It's not a panacea for all the security woes that befall us. But it is a critical component of any defense arsenal and one that deserves a bit more respect. Indeed, for the vast majority of users who don't have a degree in computer science, it's the most accessible and affordable protection they can get.

Comments

August 13, 2008 at 1:53 pm
(1) Kurt says:

Good thing that your son isn’t taking a sailing course from Sonoma State University!

There is good reason to understand “OS hacks”, and the AV industry is always looking for talented developers to write engines, interfaces, and backend systems. Reversing is an interesting specialty as well. There is just no need for new virus writers coming out of an undergrad course.

The industry certainly has no stranglehold on those technologies. There are even open source AV engines out there. Why doesn’t he join one of those efforts?

Nice writeup.

August 31, 2008 at 5:24 pm
(2) Manny says:

Wow, your ignorance is amazing. I am a computer science grad student. I don’t have any anti-virus software because I am very careful about how I use my computer. I used Norton’s and my computer got infected twice. I changed my usage policy and got serious about security. Apart from these anti-virus programs not working, they are a resource hog. With thousands of variants of viruses coming out every day it is impossible scientifically to detect for every possible virus. It will take too long! That is why white listing is also an alternative now. There is nothing wrong with learning about viruses. In fact right now, it is the responsible thing to do. I find it ridiculous that people in this day and age think like this. It is wrong for Computer Professionals not to know about how viruses are written so we can defend against them.

September 1, 2008 at 10:04 am
(3) Mary Landesman says:

Malware is just software code. Saying that computer professionals need to ‘know about how viruses are written…to defend against them’ isn’t very practical as it implies there’s some ‘tell-tale’ indicator. As you yourself state, it’s impossible to “detect for every possible virus”. And creating new viruses won’t narrow that gap nor will it provide any benefit whatsoever. If education is the goal, there is plenty of existing malware from which to learn. In general though, it doesn’t seem your comments have much to do with the original commentary, so I’m wondering if you’re responding to something else entirely???


©2009 About.com, a part of The New York Times Company.
