Security standoff over PC-PDA malware code
Mobile antivirus researchers and antivirus companies are at loggerheads over access to code for a PC-to-mobile Trojan.
The Mobile Antivirus Researchers Association (MARA) said last week that it had received proof-of-concept code last week for Crossover, which MARA claims is malware that can jump from a Windows desktop machine to a Windows Mobile Pocket PC handheld.
Antivirus vendors and researchers usually collaborate by sharing code with competitors. This reciprocal arrangement seems to have broken down on this occasion, with several major antivirus vendors including Sophos and McAfee complaining that they don't yet have access to the code.
MARA claims that some antivirus vendors had attempted to "bully" the code out of them, while the antivirus companies say they aren't prepared to comply with the conditions that MARA wants to impose on them before they get access to the code for Crossover.
"A small number [of antivirus vendors] have refused to sign any agreement, and have made comments to the effect that, 'we're the experts, not you, so hand it over right now.' Some of them have even tried to bully individual members into bypassing the proper protocol," MARA said in a statement on its Web site.
"That is unfortunate, since it would be illegal to distribute malware without a signed agreement. There has to be a chain of custody in place," said MARA.
Antivirus vendor Sophos confirmed it had been in contact with MARA, but denied using strong-arm tactics to try to gain the code.
"That isn't Sophos. I cannot imagine anyone here being so rude. I know the guy who dealt with this at Sophos, and he's very polite," said Graham Cluley, senior technology consultant at Sophos.
McAfee said it had also been contact with the group, but had not "bullied" any MARA members.
"McAfee hasn't put any pressure on them," said Greg Day, security analyst at McAfee. "It would surprise me to see anyone bullying them, because sharing code is all about trust and mutual consent," he added.
Sophos and McAfee are unhappy because they have been told that before they can get the code they must first join MARA, which would force them to share code with all MARA members.
"We can't help but feel this is a hold-to-ransom rather than a goodwill gesture," said Day.
"Basically we have to join their club." said Cluley. "If they asked us we would have to provide all of our virus samples within 24 hours. None of the major antivirus companies are members of their group — no-one wants to join. We wrote to them, they said we could only have the code if we joined up, so we said 'no, thank you very much'."
But a MARA spokesman denied that all antivirus vendors had been reluctant to sign up.
"Several major antivirus companies and security corporations are already signing up with us," Cyrus Peikari, a MARA representative, told ZDNet UK.
Peikari denied that his organisation refused to share code with non-MARA members, but said that antivirus vendors would have to sign a "mutual trading and ethics agreement".
"MARA provides samples of malware to antivirus vendors and other parties that have a legitimate research need. There is absolutely no requirement to become a MARA member. We are happy to provide samples even if you choose not to join MARA. In this case, we simply ask you to sign a mutual trading and ethics agreement," said Peikari.
"Trading malware is a sensitive business; for ethical and legal reasons there should be a written chain of custody. And if an antivirus vendor prefers not to use the MARA agreement, then they are welcome to suggest one that is to their liking," Peikari added.
Cluley said that Sophos was particularly unhappy about one particular stipulation of MARA's.
"If we joined, we couldn't share any identifying information about MARA members, so if we found someone in the group publishing virus source code, or co-authoring articles with known virus writers, we couldn't divulge that information," said Cluley.
Cluley also claimed that some members of MARA had links with people thought to be virus writers.
"We don't want to touch that with a bargepole. What kind of message would that send to our customers?" said Cluley.
McAfee also said that "some of the papers from MARA had apparently been co-authored by a member of the 29A virus group," and said that it would take time to build up the trust necessary to share virus samples.
"It's important to share samples with 100 percent faith, and that faith has yet to be proven in MARA. Groups share on a personal level, and that requires a build-up of trust over time," said Day.
Peikari denied that MARA members had co-authored MARA papers with virus writers or published virus source code.
"We have read articles where antivirus executives say that MARA has published virus source code. We believe that this may be libel. It is certainly not true: a couple of MARA members contributed to an article on the Dust virus [the first Pocket PC Trojan] last year that also had a separate, Part III written by a virus writer, in which he lists some proof of concept code. However, contrary to some reports, this was never published by MARA," said Peikari.
Informit.com, which is part of Pearson Education, published an article in 2004 called Reverse-Engineering the First Pocket PC Trojan. Its authors included both Peikari and Ratter, who is understood to be a member of 29A. But according to Peikari, he and Ratter produced separate parts of the article and never worked together.
With the code of the Crossover virus not being made available to antivirus vendors, some concerns have been raised that customers are at risk because antivirus vendors have not developed an effective signature. McAfee denied that this was a security risk.
"This is not a critical issue for our customers, as this virus hasn't been seen in the wild," said Day. "McAfee has a broad range of security products, many of which have behavioural controls which would be able stop an attack."