May 29 2009

Oops! McAfee expert slanders Armadillo, Themida

We learn easy lessons by watching others learn hard lessons
No Gravatar

{Corrections & clarifications: Igor Muttik’s column reappeared a few hours after this column went public. A McAfee representative responded to this column at our request. Please see the comments section below for details.}

Yesterday, McAfee expert Igor Muttik posted a column titled “Who digs the elephant trap?” on his firm’s “Avert Labs Blog.” Someone took it down a few hours later. I suspect it got yanked over this portion:

“We [at McAfee] would urge all developers who use software protection to think twice before doing so. There is an increasing risk that your legitimate files will be blocked by [McAfee’s] AV software by mistake or that there will be an unpleasant slowdown [for your customers] due to long analysis… The point is that software protectors [particularly Armadillo and Themida] are just not a secure software technology any longer because they have been misused so much [by malware authors]. Do not use it if you can avoid it.”

Muttik makes some amazing claims here:

  1. “Think twice” before you protect the software you develop;
  2. McAfee may block your legit software “by mistake”;
  3. McAfee may “slowdown” your customers’ computers; and
  4. Armadillo & Themida “are just not a secure software technology any longer.”

No wonder McAfee yanked Muttik’s blog entry! And yet someone at the firm decided to keep Francois Paget’s “I’m a dufus” column online. Go figure.

“Rob, didn’t you recently point out McAfee’s vetting problem?” I did indeed — but I don’t think this one qualifies. I feel McAfee correctly implemented their employee blog, and I surmise Muttik followed protocol when he posted his column. I’ll bet a soda he simply screwed up.

“Then why did you write this column, Rob?” Ah, good! You’re thinking. Muttik reveals a dangerous thought process here. He naïvely thinks antivirus software should trump other types of security software. He then offers a non sequitur to stop using Armadillo & Themida: “[it’s] just not a secure software technology any longer because they have been misused so much [by malware authors].”

Muttik needs to realizeremember two important facts. First, “users don’t buy a PC to run antivirus software.” They buy a PC to surf the Internet, do word processing, read email, blah blah blah. Second, “there’s more to computer security than just antivirus software.” Muttik’s team doesn’t stop reverse engineering, piracy, code breaking, blah blah blah.

We, too, need to remember these two important facts. The rest of us can learn a lesson the easy way by watching Muttik learn it the hard way…

On a sidenote: antivirus expert Mary Landesman mentioned Muttik’s column only in passing. It’s unlike her to miss something this blatant.

“What up, girl?” Did you post it in a rush before your second cup of coffee?

  • By Rob RosenbergerNo Gravatar, 29 May 2009 @ 4:22 pm

    The full text of Igor Muttik’s missing blog entry follows, for your edification:

    It is ironic but the extreme growth rate of malware attacks is actually partly due to how successful AV technology really is. Quite simply – if AV scanners were not so successful in blocking trojans and viruses there would be little need for the bad guys to write new ones. One can even say that malware writers are digging an elephant trap for all computer users because lots of new malware demands a response from AV, which can contribute to the slower operation of computers for all of us.

    Figuratively speaking, the primary tools that the bad guys are using to dig their side of the trap and evade detection are packers (like UPX and Petite) and protectors (like Armadillo and Themida). Packers are legitimately used to reduce the size of programs (saving disk space), while protectors are legitimately used to prevent patching, hacking or reverse engineering. For malware production, however, packers and protectors are useful as they can often obfuscate original malware beyond recognition by AV.

    Commercial protectors are especially loved by malware writers because they can put a protective envelope on top of, say, their spam-bot and it will be well hidden inside. Additionally, it will now really look more like a legitimate file obfuscated with the same protector. Malware writers use this trick more and more frequently.

    As a result, on any average computer, AV can frequently encounter, say, a Themida-packed computer game and a Themida-packed spam-bot. To determine what is what an AV product has to know what is “under” the protecting envelope. Unfortunately, this simply cannot be done very quickly. It takes computing cycles…..

    We would urge all developers who use software protection to think twice before doing so. There is an increasing risk that your legitimate files will be blocked by AV software by mistake or that there will be an unpleasant slowdown due to long analysis. Either can cause troubles for users. If you feel that you really must use an obfuscating protector at least digitally sign your files. That would reduce the level of suspicion by introducing traceability to the source.

    The point is that software protectors are just not a secure software technology any longer because they have been misused so much. Do not use it if you can avoid it.

  • By Corrections & clarificationsNo Gravatar, 30 May 2009 @ 2:29 am

    Roughly twelve hours after this column went to press, antivirus expert Mary Landesman posted a comment on her blog to this column’s author. She noted the fact Igor Muttik’s column was visible on McAfee’s website. Ms. Landesman questioned if Mr. Rosenberger made a mistake. Mr. Rosenberger replied in a comment to Ms. Landesman:

    “I first questioned if the link in the RSS feed was broken. I checked it against the link you provided in your own RSS feed and they proved identical. I surfed to the top of the Avert Labs Blog where I discovered no copy of Muttik’s column. A search on “elephant” failed to bring up any columns. A search of the May archive failed to bring it up. I concluded that direct visitors to the blog could not read Muttik’s column. In hindsight, I should have taken snapshots of McAfee’s blog. (grrrr!) I see you reviewed Muttik’s content for changes. I’ll do the same, then I’ll post an update to my own column.”

    At this time, Mr. Rosenberger believes McAfee did remove the column for a short period. “Content reviewers have the power to return any column to ‘draft’ status,” he explained. “I believe someone did this for a few hours with Igor Muttik’s column. Its temporary removal may perhaps have occurred as part of an op-ed review protocol.”

    Mr. Rosenberger concedes “I didn’t later re-test the broken link when I posted the text of Muttik’s column; nor did I check Landesman’s blog to see if she replied to the comment I left.” will wait for public comment before deciding if this qualifies as a research failure during follow-up.

    In the name of clarification, will (1) change “deleted” to “missing” in the first paragraph’s URL tooptip; (2) change “deleted” to “missing” in the excerpt; (3) change “deleted” to “missing” in the lead-in to the reprint of Mr. Muttik’s column; (4) preface this column with an editor’s note.

    Mr. Rosenberger will contact McAfee’s PR team to request their comment on why Mr. Muttik’s column disappeared for a short time.

  • By Rob RosenbergerNo Gravatar, 30 May 2009 @ 5:05 am

    Update. My RSS feed reader did something unusual: it retrieved a duplicate feed for Igor Muttik’s column, as if it had been re-published. A similar duplicate feed occurred for Guilherme Venere’s column “A closer look at Swine Flu spam” (originally?) published on 1 May.

  • By Joris EversNo Gravatar, 2 June 2009 @ 6:35 pm

    A quick note from McAfee. The Muttik blog post is online as you noticed in your update, it was taken offline briefly just for a couple of additions.
    Joris Evers
    McAfee PR

Other Links to this Post