Standoff over PC-to-mobile jumping code

Virus code isn't shared between some researchers and antivirus companies, amid allegations of "bullying."
Written by Tom Espiner, Contributor

Mobile antivirus researchers and antivirus companies are at loggerheads over access to code for a PC-to-mobile Trojan.

The Mobile Antivirus Researchers Association (MARA) said that it had received proof-of-concept code last week for Crossover, which MARA claims is malicious software that can jump from a Windows desktop machine to a Windows Mobile Pocket PC handheld.

Antivirus companies and researchers usually collaborate by sharing code with competitors. This reciprocal arrangement seems to have broken down on this occasion, with several major antivirus companies, including Sophos and McAfee, complaining that they don't yet have access to the code.

MARA researchers said that some antivirus companies had attempted to "bully" the code out of them, while the antivirus companies say they aren't prepared to comply with the conditions that MARA wants to impose on them before they get access to the code for Crossover.

"A small number (of antivirus vendors) have refused to sign any agreement and have made comments to the effect that 'we're the experts, not you, so hand it over right now.' Some of them have even tried to bully individual members into bypassing the proper protocol," MARA said in a statement on its Web site that was no longer available Monday. It is still viewable in a Google cache.

"That is unfortunate, since it would be illegal to distribute malware without a signed agreement. There has to be a chain of custody in place," the MARA statement read.

Antivirus company Sophos confirmed it had been in contact with MARA, but denied using strong-arm tactics to try to gain the code.

"That isn't Sophos. I cannot imagine anyone here being so rude. I know the guy who dealt with this at Sophos, and he's very polite," said Graham Cluley, senior technology consultant at Sophos.

McAfee said it had also been in contact with the group, but had not "bullied" any MARA members.

"McAfee hasn't put any pressure on them," said Greg Day, security analyst at McAfee. "It would surprise me to see anyone bullying them, because sharing code is all about trust and mutual consent," he added.

Terms of membership
Sophos and McAfee are unhappy because they have been told that before they can get the code they must first join MARA, which would force them to share code with all MARA members.

"We can't help but feel this is a 'hold to ransom' rather than a goodwill gesture," Day said.

"Basically, we have to join their club," Cluley said. "If they asked us, we would have to provide all of our virus samples within 24 hours. None of the major antivirus companies are members of their group; no one wants to join. We wrote to them. They said we could only have the code if we joined up, so we said, 'No, thank you very much.'"

But a MARA spokesman denied that all antivirus companies had been reluctant to sign up.

"Several major antivirus companies and security corporations are already signing up with us," Cyrus Peikari, a MARA representative, told ZDNet UK.

Peikari denied that his organization refused to share code with non-MARA members, but said that antivirus companies would have to sign a "mutual trading and ethics agreement."

"MARA provides samples of malware to antivirus vendors and other parties that have a legitimate research need. There is absolutely no requirement to become a MARA member. We are happy to provide samples, even if you choose not to join MARA. In this case, we simply ask you to sign a mutual trading and ethics agreement," Peikari said.

"Trading malware is a sensitive business; for ethical and legal reasons there should be a written chain of custody. And if an antivirus vendor prefers not to use the MARA agreement, then they are welcome to suggest one that is to their liking," Peikari added.

Cluley said that Sophos was particularly unhappy about one particular stipulation of MARA's.

"If we joined, we couldn't share any identifying information about MARA members. So if we found someone in the group publishing virus source code, or co-authoring articles with known virus writers, we couldn't divulge that information," he said.

Who's in the group?
Cluley also claimed that some members of MARA had links with people thought to be virus writers.

"We don't want to touch that with a bargepole. What kind of message would that send to our customers?" Cluley said.

McAfee also said that "some of the papers from MARA had apparently been co-authored by a member of the 29A virus group," and said that it would take time to build up the trust necessary to share virus samples.

"It's important to share samples with 100 percent faith, and that faith has yet to be proven in MARA. Groups share on a personal level, and that requires a build-up of trust over time," Day said.

Peikari denied that MARA members had co-authored MARA papers with virus writers or published virus source code.

"We have read articles where antivirus executives say that MARA has published virus source code. We believe that this may be libel. It is certainly not true: A couple of MARA members contributed to an article on the Dust virus (the first Pocket PC Trojan) last year that also had a separate, Part III written by a virus writer, in which he lists some proof-of-concept code. However, contrary to some reports, this was never published by MARA," Peikari said.

As the code of the Crossover virus is not being made available to antivirus companies, some concerns have been raised that customers are exposed, because antivirus companies have not developed an effective signature to match suspect code with. McAfee denied that this was a security risk.

"This is not a critical issue for our customers, as this virus hasn't been seen in the wild," Day said. "McAfee has a broad range of security products, many of which have behavioral controls which would be able stop an attack."

Editorial standards