
Zero Day

Ryan Naraine and Dancho Danchev

The rise of the rogue AV testers

By | July 13, 2010, 10:58am PDT

Summary: Costin Raiu: Just as Rogue AV (scareware) products exploded, we are seeing the birth of rogue AV testers. Beware, they will provide a strong, negative value to the entire IT security industry.

Guest editorial by Costin Raiu

Recently, I was sitting around with a number of colleagues from Kaspersky Lab, discussing everybody’s favorite subject: the state of anti-virus testing these days. During the talks, somebody brought up the name of a new, obscure testing organization in the Far East. Nobody else had ever heard of them and so my colleague Aleks Gostev jokingly called them a “rogue Andreas Marx.”

It then occurred to us that some of these new testing labs that have recently appeared mimic the tactics of Rogue AV products. What exactly do I mean? Well, as we know the rogue AV business model is based on selling a false sense of security; we professionals know it is fake, but the victims don’t. People buy a Rogue AV hoping it will solve their security problems, but the products don’t do anything at best, and at worst, install additional malware.

Rogue AV Testers are somehow similar in behavior. In their case, the business model is no longer based on a false sense of security but instead, on a false sense of insecurity. So, how do they operate? Well, it seems to start with a number of tests which look legitimate, and mimic real world conditions. Then, the tests slowly become more “complicated” and security products do worse and worse. Sometimes, the product that did best in the previous test suddenly becomes the worst in the group. In other cases, all products fail miserably. Finally, the main idea emerges: that all security products are bad and utterly useless. Hence, the false sense of insecurity is promoted through the tests: you are insecure, your money was misspent – beware!

Going further, the rogue AV testers use various techniques such as not disclosing product names in published test results and attempting to sell these results for exorbitant fees.
Here are some characteristics we identified as being specific to rogue AV testers, that can help you spot them:

  • They are not affiliated with any serious testing organization, such as AMTSO. Sometimes, the Rogue AV Testers could also show fake affiliations or even falsely display (say) the AMTSO logo on their website, in order to remove suspicion and doubt.
  • They publish free public reports, but charge money for the “full” reports. In general, the public reports should look as bad as possible for all the tested products, to maximize the profits from selling the full reports.
  • The public reports are full of charts that look complicated and intelligent, but sometimes reveal amusing mistakes.
  • They claim all AV (or security) products are useless. This is the foundation stone of any business based on the “false sense of insecurity”.
  • They charge for samples and methodology, usually very large sums of money, to make sure the flawed methodology and samples cannot be reviewed externally. Reputable testers will make samples and methodology available for free to the developers of the products they test, and instead charge for the rights to publish the results in magazines or for the permission to use the results in marketing materials. Charging money for samples is a clear indication that something wrong is going on.

There are other characteristics, but I think everybody gets the point.

Just as Rogue AV (scareware) products exploded and became one of the most profitable categories of crimeware, I suspect Rogue AV testers will follow. In the process, they will also become an extremely profitable category. And of course, the worst of all, they will provide a strong, negative value to the entire IT security industry.

So, if you are trying to compare security solutions, I recommend sticking to established testing organizations such as Virus Bulletin, AV-TEST.ORG and AV-COMPARATIVES, or reputable magazines with a good history behind them. If in doubt, ask for AMTSO affiliations and finally, do not forget about the list of hints that can help you spot Rogue AV Testing behavior.

Do not become a victim of the Rogue AV Testers!

* Costin Raiu is the Director of Kaspersky Lab’s Global Research & Analysis Team (GReAT). This essay was first published in the current issue of Virus Bulletin magazine.


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback (18 comments)

  • Beware rogue wolf-criers
    All right, this has to be said. The AV companies are in the self-serving business of making sure AV products are not *too* good--or no one would buy updates.

    It's my own personal opinion that Microsoft is the only half-way principled AV dealer because they offer MSE (a quite competent product) for *FREE*, including monthly updates.

    I say "half-way" because they do offer a paid product and the MSE license has enough gray area to land a 747 in. Still, malware attacks the OS and the software the OS runs, so it's reasonable that the OS vendor should offer protection *as a base part of the OS*.

    As for Kaspersky and other AV dealers (yes, I'm looking at you Symantec) they routinely up the scare factor so they can sell their stuff.

    Businesses based on fear (insurance, AV, law, politics, etc.) are inherently suspect because they're self-serving.

    "Great computer you got there. Be a shame if a nasty virus infected it..."

    Call me cynical if you like, but the AV companies have over the years made users mistrust them. I guess the chickens are coming home to roost.
    wolf_z
    14th Jul 2010
  • Self-serving?
    @wolf_z I thought every successful business was self-serving. And pretty much every human and animal, for that matter. You do your best to supply somebody's needs, not just because you're a nice guy, but in the hope somebody will pay you for it. Yes, there is charity, altruism, and FOSS in the world, but they are all enabled by a civilization enriched by individuals and companies just trying to make a buck, euro, or yen for themselves & their families.
    kidtree
    14th Jul 2010
  • You need to read a bit more
    @wolf_z

    "It's my own personal opinion that Microsoft is the only half-way principled AV dealer because they offer MSE (a quite competent product) for *FREE*, including monthly updates."

    Actually, program updates aren't necessarily monthly, just that they have been for the last few. Definitions are updated daily though and the program itself checks several times a day for updates.

    "I say "half-way" because they do offer a paid product and the MSE license has enough gray area to land a 747 in."

    There's no "gray area". MSE is licensed for home PC's or home-based businesses ONLY. Regular businesses must pay for Forefront Client Security (FCS), which costs ~$12US/PC/yr, and is available only through volume licensing. FCS and MSE functionality is the same, except that the current version of FCS has the Windows Defender interface (which is also used by InTune malware protection, as well as the MDOP/DaRT Standalone Sweeper). All of Microsoft's desktop antimalware programs are just front ends for the Microsoft Malware Protection Engine (MSMPENG.EXE).

    If you want centralized management, you'll have to pay extra for the SQL Server licensing to run the management server, and that's big bucks as does the required hardware to run it on, but small businesses shouldn't need that, or else they should consider switching to InTune, which also offers remote PC management along with said MSMPENG.
    Joe_Raby
    14th Jul 2010
  • RE: The rise of the rogue AV testers
    So buy their fake reports and sue them out of existence.
    As for AV vendors being fear based, it may look like that and there is danger of that, but we all know that there are viruses and malware out there, and if you think a for-profit AV may be part of the FUD, use one of the very good and free alternatives.
    Using Microsoft's AV product will probably be enough for those who are careful, so yes, use it if you have any inkling of what you are doing, or use AVG or Avast.
    If you are a business you must have something to back up your AV product of choice, so use a good paid-for one.
    But I never trust any one product completely myself, so I use one installed product on all systems and once in a while (you decide, week or month) I also use one of the other vendors' on-line products just to be sure. Installing two is asking for trouble, but using the web version (I use HouseCall) does not cause the same issue with the installed and always active one.
    And please remember, people, that the fault for the virus and malware issues is Not the user, Not the AV Vendor and not the OS vendor. 100% of the blame must rest squarely on the shoulders of the malware, scareware, virus and now malicious rogue testers. Anyone blaming the user, legit vendors, legit researchers or OS/software vendors is losing focus on the fact that there are criminals out there that must be stopped somehow.
    I'm just not sure our current efforts are focused on the correct people. Yes we have to use av and anti-malware, but we are not seeing enough prosecution of the malware writers. We have to make it not profitable for them and start putting more of them in jail.
    sysop-dr
    14th Jul 2010
  • no effect on linux or servers
    Again this story is limited to Windows only and therefore only relevant to desktop markets.

    In much the same way as "American World Series Football" only really means American Football, and not even including South America, not Canada. Gosh, how quickly the affected pool shrinks. Suddenly we begin to see that it only refers to a very small minority in global markets.

    The crucial word in "strong, negative value to the entire IT security industry" is 'security' because almost no-one bothers to produce anti-virus for linux.

    Windows creates a market for security, an attempt to "shut the door after the horse has bolted", an industry that can only ever really try to play catch-up and depends on occasional spectacular failures in order to convince people to buy-in to its inevitably doomed products.

    Linux is preemptive and pro-active. So, if you want to pay constant serious concern to security then buy-into Windows, but if you would rather just not have malware issues then 'buy'-into linux. A simple choice.

    Regards from
    Tom
    Tom6
    14th Jul 2010
  • RE: The rise of the rogue AV testers
    @Tom6, While I understand your logic...it is flawed. Of course nobody bothers to exploit linux. Those operating systems are in the minority. If the tables were turned and linux was the dominating O/S of the world, what are the chances that Windows would be ignored in favor of the more prevalent linux market? Supply and demand. No longer a simple choice. Do you honestly think the population (most of whom have very limited knowledge of a computer) would prefer an O/S that requires a greater amount of knowledge than the current, more popular O/S?

    If people do not want malware, they should use common sense when browsing...end of discussion.
    mstarks67
    14th Jul 2010
  • I wish it were that simple...
    @mstarks67

    But what "common sense" is varies over time as new attack vectors pop up. That is the nature of the "arms race" that Windows/Internet security has become.
    mejohnsn
    15th Jul 2010
  • Complacency
    @Tom6 - a house in the country can have less security than one in the city and not get burgled, which is great as long as it stays in the country.

    Once the city reaches your house, you have to catch up fast, and that's the problem. Windows developers may try harder at security yet appear to fail more often under the heavier attack load; what happens when the same load reaches folks who haven't started to work as hard?

    Apple's hit this already, within a month of exposing Safari to Windows, and are likely to hit this as they emerge as a major smartphone platform.

    Linux is a more fragmented surface, which helps. But the UNIX roots are not always as savvy as you'd expect, e.g. smtp being open to spam unless band-aided, or the inability to always see what type a file is.
    cquirke1
    15th Jul 2010
  • @tom6
    @Tom6, Tom tom tom, I hate to see you say that. Well, I hate to see anybody say that really. It's not just a Windows issue; just like Windows, every OS has security flaws. I think we forget sometimes that Windows holds the majority of the OS market share by an extremely large margin. Why would anybody write a virus for a smaller audience? It's like trying to go to the most 3rd world part of a country and try to sell them a Mercedes at sticker price. It just doesn't make sense; you're not going to get many, if any, sales.

    Fact of the matter is, there are viruses for every OS out there (yes, including Macs), it's just not so apparent because there are so few, because it is such a smaller target area. Just wait till the one day comes (maybe in our lifetime, maybe not) when Windows loses the majority of market share; the viruses for other OSes will be higher than Windows.

    I will say this though, only an opinion to me, and a logical opinion in my mind. Who knows, that day may never come.
    OneTwoc21
    14th Jul 2010
  • RE: The rise of the rogue AV testers
    I regularly receive security patches for Ubuntu 10.04.
    Some of them, seem to be anti-escalation, or anti-hijacking patches.
    This would indicate, that Linux has "holes", which could be exploited.
    lehnerus2000
    20th Jul 2010
