11/17/2005

Why Antivirus Companies Fail To Stop Sony’s Rootkit

By Aviran Mordo @ 9:55 am

Wired magazine has published a very interesting article, the “Real Story of the Rogue Rootkit”. The article covers the history of the rootkit, but more than that, it raises some very important questions: why did security and antivirus companies fail to detect this malicious application behavior, which infected over 500,000 computers around the world?

From the article:

I truly believed that even in the biggest and most-corporate security company there are people with hackerish instincts, people who will do the right thing and blow the whistle. That all the big security companies, with over a year’s lead time, would fail to notice or do anything about this Sony rootkit demonstrates incompetence at best, and lousy ethics at worst.
Microsoft I can understand. The company is a fan of invasive copy protection — it’s being built into the next version of Windows. Microsoft is trying to work with media companies like Sony, hoping Windows becomes the media-distribution channel of choice. And Microsoft is known for watching out for its business interests at the expense of those of its customers.

What happens when the creators of malware collude with the very companies we hire to protect us from that malware?
We users lose, that’s what happens. A dangerous and damaging rootkit gets introduced into the wild, and half a million computers get infected before anyone does anything.

Who are the security companies really working for? It’s unlikely that this Sony rootkit is the only example of a media company using this technology. Which security company has engineers looking for the others who might be doing it? And what will they do if they find one? What will they do the next time some multinational company decides that owning your computers is a good idea?

These questions are the real story, and we all deserve answers.

My $0.02: antivirus software needs to seriously consider an overhaul of its engine technology. All antivirus applications are based on signature files to identify viruses, but for unknown viruses the detection engine is lacking. In today’s world an antivirus should monitor malicious application behavior on the local machine and also monitor web traffic, which means that AV should be integrated into the firewall. You can no longer separate the two. And while they are doing that, it would be wise to also merge in the anti-spyware engine.

 
