“I first questioned if the link in the RSS feed was broken. I checked it against the link you provided in your own RSS feed and they proved identical. I surfed to the top of the Avert Labs Blog where I discovered no copy of Muttik’s column. A search on “elephant” failed to bring up any columns. A search of the May archive failed to bring it up. I concluded that direct visitors to the blog could not read Muttik’s column. In hindsight, I should have taken snapshots of McAfee’s blog. (grrrr!) I see you reviewed Muttik’s content for changes. I’ll do the same, then I’ll post an update to my own column.”

At this time, Mr. Rosenberger believes McAfee did remove the column for a short period. “Content reviewers have the power to return any column to ‘draft’ status,” he explained. “I believe someone did this for a few hours with Igor Muttik’s column. Its temporary removal may perhaps have occurred as part of an op-ed review protocol.”

Mr. Rosenberger concedes “I didn’t later re-test the broken link when I posted the text of Muttik’s column; nor did I check Landesman’s blog to see if she replied to the comment I left.” SecurityCritics.org will wait for public comment before deciding if this qualifies as a research failure during follow-up.

In the name of clarification, SecurityCritics.org will (1) change “deleted” to “missing” in the first paragraph’s URL tooptip; (2) change “deleted” to “missing” in the excerpt; (3) change “deleted” to “missing” in the lead-in to the reprint of Mr. Muttik’s column; (4) preface this column with an editor’s note.

Mr. Rosenberger will contact McAfee’s PR team to request their comment on why Mr. Muttik’s column disappeared for a short time.

It is ironic but the extreme growth rate of malware attacks is actually partly due to how successful AV technology really is. Quite simply – if AV scanners were not so successful in blocking trojans and viruses there would be little need for the bad guys to write new ones. One can even say that malware writers are digging an elephant trap for all computer users because lots of new malware demands a response from AV, which can contribute to the slower operation of computers for all of us.

Figuratively speaking, the primary tools that the bad guys are using to dig their side of the trap and evade detection are packers (like UPX and Petite) and protectors (like Armadillo and Themida). Packers are legitimately used to reduce the size of programs (saving disk space), while protectors are legitimately used to prevent patching, hacking or reverse engineering. For malware production, however, packers and protectors are useful as they can often obfuscate original malware beyond recognition by AV.

Commercial protectors are especially loved by malware writers because they can put a protective envelope on top of, say, their spam-bot and it will be well hidden inside. Additionally, it will now really look more like a legitimate file obfuscated with the same protector. Malware writers use this trick more and more frequently.

As a result, on any average computer, AV can frequently encounter, say, a Themida-packed computer game and a Themida-packed spam-bot. To determine what is what an AV product has to know what is “under” the protecting envelope. Unfortunately, this simply cannot be done very quickly. It takes computing cycles…..

We would urge all developers who use software protection to think twice before doing so. There is an increasing risk that your legitimate files will be blocked by AV software by mistake or that there will be an unpleasant slowdown due to long analysis. Either can cause troubles for users. If you feel that you really must use an obfuscating protector at least digitally sign your files. That would reduce the level of suspicion by introducing traceability to the source.

The point is that software protectors are just not a secure software technology any longer because they have been misused so much. Do not use it if you can avoid it.