Lessons we can all learn from the false-positive 'keylogger' fiasco

Summary: Yesterday a post on NetworkWorld made the false claim that Samsung was shipping notebooks infected with a keylogger. This claim has turned out to be false. So what lessons can we all learn from the false-positive 'keylogger' fiasco?


  1. No security product is infallible. All are prone to mistakes and false-positives. While it's easy to blame GFI here, as it was its VIPRE product that generated the false-positive, I've yet to use a product that hasn't at one time or other thrown up a false-positive.
  2. Check, check and then check again! Most tech-savvy readers will have access to more than one antivirus scanner. This is for good reason. It's always a good idea to sweep a suspect file with a second scanner, much like going to another doctor for a second opinion.
  3. VirusTotal.com: One of the best ways to double-check a file is to upload it to VirusTotal.com and have it scanned by a number of different scanners. It's better to be 100% sure that something is nasty before nuking your PC from orbit.
  4. Keep logs and screenshots: One thing that struck me about the NetworkWorld piece was how it didn't offer any evidence in the form of logs or screenshots. If you suspect that your system has been compromised, it's a good idea to keep details of what you're up against.
  5. Antivirus companies need to stop using folder path detection: This false detection seems to be down to the VIPRE antivirus software using folder detection. Here Alex Eckelberry, General Manager of GFI Security, explains what went wrong: "How does this happen? A researcher has a number of tools at his or her disposal to detect a piece of malware. These include a broad range of detection types based on the malware in question. Sometimes, a simple signature is fine; other times, a more carefully crafted detection is needed. In VIPRE, among some of the detection types are heuristic (meaning, using a method of pattern analysis on the file); behavioural (looking at the behaviour of a file in VIPRE's emulator to see if it does anything malicious) or signature-based (simply creating a file signature for the file). Part of the heuristic toolkit used might be any number of types of analyses, and these can include looking at the contents of the file for specific patterns that indicate malware. A researcher can also (but rarely) use a folder path as part of a more comprehensive detection set. Imagine you're a researcher: You see the folder name "C:\windows\sl". This is, indeed, something one would never find on a Windows system at the time the detection was written, so the researcher added this folder path to his heuristics for this keylogger. It was peer-reviewed and tested against a broad range of Windows platforms, including every foreign language set. Everything is fine and dandy... except that at some point several years after the original detection was written, Windows Live started using that directory to install Slovenian language files for Windows Live. Samsung started pre-installing Windows Live, including all the languages, and there you have the problem we're having today."
  6. It's never a bad idea to scan new gear for malware: It's a good idea to run all new gear that has storage past a malware scanner, just in case. Anything that has storage is capable of being a home to malware. The same goes when setting up a new PC. You don't know what's on those discs or in those downloads!
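To make item 5 concrete, and with it the second-opinion advice of items 2 and 3, here is an added Python illustration that is not part of the original post and not GFI's or VIPRE's code: over a constructed file listing, a path-only rule flags the Windows Live Slovenian folder exactly as it would a keylogger, while rules that also demand a content or hash match do not, and a simple "all rules must agree" combiner gives the second opinion the post recommends. The file contents, the content marker and the hash set are all made up for the example.

```python
import hashlib

# Constructed stand-in for a filesystem walk: path -> file bytes. The folder
# C:\windows\sl is the one from GFI's explanation; every file body is invented.
SAMPLE_FILES = {
    r"C:\windows\sl\msgs.dll": b"MZ Windows Live Slovenian language resources (constructed)",
    r"C:\windows\sl\hook.exe": b"MZ SetWindowsHookExA keystroke buffer (constructed sample)",
    r"C:\windows\system32\kernel32.dll": b"MZ legitimate system library (constructed)",
}

# Illustrative content indicator for the demo; not a real VIPRE pattern.
CONTENT_MARKER = b"SetWindowsHookExA"

# Constructed "known-bad" hash set, the way a signature-based rule would use one.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(SAMPLE_FILES[r"C:\windows\sl\hook.exe"]).hexdigest()
}


def path_only_rule(path: str, content: bytes) -> bool:
    """The brittle heuristic: anything under C:\\windows\\sl is treated as malware."""
    return path.lower().startswith("c:\\windows\\sl\\")


def path_plus_content_rule(path: str, content: bytes) -> bool:
    """Folder path only narrows the search; a content indicator must also match."""
    return path_only_rule(path, content) and CONTENT_MARKER in content


def hash_rule(path: str, content: bytes) -> bool:
    """Signature-style rule: the exact hash of a known sample, path ignored."""
    return hashlib.sha256(content).hexdigest() in KNOWN_BAD_SHA256


def scan(files: dict, rule) -> list:
    """Paths that a single rule flags, in sorted order."""
    return sorted(p for p, c in files.items() if rule(p, c))


def second_opinion(files: dict, rules) -> list:
    """Items 2 and 3 in code: report a file only when every independent rule agrees."""
    return sorted(p for p, c in files.items() if all(r(p, c) for r in rules))


if __name__ == "__main__":
    print("path only      :", scan(SAMPLE_FILES, path_only_rule))
    print("path + content :", scan(SAMPLE_FILES, path_plus_content_rule))
    print("hash only      :", scan(SAMPLE_FILES, hash_rule))
    print("second opinion :", second_opinion(SAMPLE_FILES, [path_only_rule, hash_rule]))
```

The path-only rule reports the harmless msgs.dll alongside the constructed sample; every rule that looks at the file itself leaves it alone.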


Talkback

35 comments
  • RE: Lessons we can all learn from the false-positive 'keylogger' fiasco

    You forgot the most important lesson: Journalists and publications don't always wait for independent confirmation in the rush to be the first to break a story.
    mbkavka@...
    • RE: Lessons we can all learn from the false-positive 'keylogger' fiasco

      Fully agreed. Even with the fancy titles, the reporter was a total hack who did not do his homework. Publish first, apologize later. Blegh.
      MvdL
      • Yay! I got one "right" for once!

        I thought the story was fishy from the start, and said so on this board yesterday. My mother is so proud of me.
        Dorkyman
      • RE: Lessons we can all learn from the false-positive 'keylogger' fiasco

        @MvdL
        Publish first, apologize later, get sued for libel.

        This is the sort of BS that sticks to a company from trolls and people with an agenda.

        I'm sure we will hear this story mentioned in a few months on blogs and comments, with a negative spin.
        dazzlingd
      • RE: Lessons we can all learn from the false-positive 'keylogger' fiasco

        @Adrian: the biggest lesson from reading this blog post is that your Apple PC does not have a good spell checker. "Postive"? What an 1d1ot.
        nomorebs
    • and they wait weeks

      @mbkavka@...
      to print a retraction, which is always in the smallest font possible and always hidden between Lindsay Lohan and Justin Bieber articles
      iPad-awan
    • BINGO!

      @mbkavka@...

      You nailed that one perfectly.
      oncall
    • RE: Lessons we can all learn from the false-positive 'keylogger' fiasco

      @mbkavka@... That and security companies invariably will trump things up to sell more product due to paranoia. They have an incentive to get people to act like chicken little.
      snoop0x7b
    • RE: Lessons we can all learn from the false-positive 'keylogger' fiasco

      @ mbkavka@...

      I'd say bloggers almost never wait for independent confirmation before posting comments in line with their biases. Nevertheless, at least Adrian Kingsley-Hughes has updated the original post and admitted in no uncertain terms that it was wrong. This contrasts quite favourably with certain other ZDnet bloggers, whom I shall refrain from naming.
      WilErz
  • RE: Lessons we can all learn from the false-positive 'keylogger' fiasco

    Unfortunately Adrian fell right into it as well. This is not the first time he has "jumped the gun" on a story in the rush to get the clicks. Remember the story about Microsoft stealing its Bing searches from Google? Disappointing, and probably time for me to unsubscribe from this feed.
    steveschwab
  • RE: Lessons we can all learn from the false-positive 'keylogger' fiasco

    "Windows Live started using that directory to install Slovenian language files for Windows Live. Samsung started pre-installing Windows Live, including all the languages, and there you have the problem we're having today."

    Why is this crap "pre-installed"? Instead of only being installed from Windows Live when (if) you sign up?
    wkulecz
    • RE: Lessons we can all learn from the false-positive 'keylogger' fiasco

      @wkulecz

      Because that is the OEM's decision. Why is McAfee or some other trial software installed? Why do computers come pre-equipped with Google Toolbars and crappy adware-driven games pre-installed?

      Windows has none of this by default.

      My sister just bought her daughter a new laptop and gave it to me first to clean crap like that off and make sure it was set up properly.
      bobiroc
      • RE: Lessons we can all learn from the false-positive 'keylogger' fiasco

        @bobiroc ... Good moves: But ...

        Actually, Windows does have plenty of adware and pre-installed games you'll find in almost all MS pre-installs.
        Whenever I purchase a pre-installed machine, the first thing I do after seeing if the power switch works is make a full backup and then wipe out all the partitions (except hidden ones for recovery) and do a complete reinstall, installing exactly what I want to be installed. No silly games, nothing adware, of which there is plenty these days, and then do a Registry cleanup, defrag, pagefile setup and a real Full Backup. It's a lot faster and easier than removing crap, actually, and you get full "recovery", for want of a better word, of the HD space left behind from uninstalling features.
        tom@...
    • RE: Lessons we can all learn from the false-positive 'keylogger' fiasco

      @wkulecz Good point. I've four computers on the go, all ancient and venerable, spanning two WinXP installations, and Linuxes including Puppy, Jolicloud and Ubuntu, none of which have Windows Live, yet I've had no trouble using any of the Windows Live services on any of my OS setups. I use Hotmail and my SkyDrive daily. Who, therefore, really "needs" Windows Live pre-installed?
      TheMartian
  • RE: Lessons we can all learn from the false-positive 'keylogger' fiasco

    No surprise that Adrian missed the most obvious lesson to be learned: that tech bloggers like him are more interested in clicks than facts.
    cantbeme
  • RE: Lessons we can all learn from the false-positive 'keylogger' fiasco

    You forgot this:

    never trust anyone with a "computer security expert" title.
    ConceptVBS
    • RE: Lessons we can all learn from the false-positive 'keylogger' fiasco

      @ConceptVBS - Or "Advocate" or "Evangelist" or ... :)
      PollyProteus
    • A closed mind is a great thing to lose

      @ConceptVBS ... Now, that is a really stupid comment, Concept. You trash the masses based on the actions of one. Yeah, right.
      tom@...
  • RE: Lessons we can all learn from the false-positive 'keylogger' fiasco

    I honestly think the lesson we can take from this is that you just cannot trust Apple!
    slickjim
    • RE: Lessons we can all learn from the false-positive 'keylogger' fiasco

      @Peter Perry - Yeah, this one is definitely Apple's fault. ;)
      PollyProteus