Cyber Security Institute

Friday, March 03, 2006

Antivirus groups fight over Crossover sharing

A virus that spreads from PCs to mobile devices has become the focus of a power play between the antivirus industry and the relatively young Mobile Antivirus Research Association, which obtained the only sample of the program.  The Mobile Antivirus Research Association, a collection of professors, authors and security professionals, announced it had “characterized” the first program to spread from PCs to a mobile device, a virus dubbed Crossover.  In a rare occurrence in computer-virus circles, MARA appears to be the only organization to obtain a copy of the program—normally, such virus samples are sent by the creator to the major antivirus firms and shared among virus experts.  The exclusive access to the virus, and MARA’s insistence that companies join its membership before being given access to the code, has antivirus companies up in arms.  Among other rules, the document would have required that the company share its entire database of virus samples, Hyppönen said.  However, without the agreement, the Mobile Antivirus Research Association would not know if a new member would abide by the rules, said member and spokesperson Cyrus Peikari, the author of five books on security and the CEO of security firm Airscanner.  “Malware trading, which is illegal in many countries, should be done with a written chain of custody,” Peikari said.

The debate over the virus sample has highlighted a rift between the more conservative antivirus industry and a group of security researchers that do not adhere to the industry’s stance against publishing virus code and associating with virus writers.

Many security researchers believe that open disclosure of security vulnerabilities leads to better security.  As those researchers begin to study viruses, worms and bot software, they argue that the same logic means the open discussion of threatening vectors for worms. 

Last month, security researcher Kevin Finisterre admitted to creating the three versions of the OSX/InqTana worm and sending them to antivirus companies as a way to highlight weaknesses in Apple’s operating system.

“We work with people on a trust basis, people who have been in the industry and are known to us,” said Joe Telafici, director of operations for the antivirus emergency response team (AVERT) at security firm McAfee.

Graham Cluley, senior technology consultant at rival antivirus firm Sophos, also mentioned the articles as a reason for questioning the group’s conduct.  “Right now, none of us can protect against this virus because we haven’t seen the code,” Cluley said.

Posted on 03/03