Former anti-virus researcher turns tables on industry

A security researcher shunned by the anti-virus community for violating its unwritten rules has attempted to turn the tables, erecting a Web service that virus writers could use to make their creations more stealthy and undetectable for longer periods of time.

At issue is a new site called avtracker.info, which aims to keep tabs on the different automated analysis services used by the security industry, such as Virustotal, ThreatExpert, and Norman Sandbox.

Researchers who unearth new malicious code samples often submit them to these services to learn more about how the malware behaves and to see whether the samples are currently detected by anti-virus products. The results of each scan are shared broadly within the security industry, allowing anti-virus makers that don't yet detect a sample to add detection for it in future updates that are pushed out to customer PCs.

Enter AV Tracker. Armed with up-to-date information about these automated scanning services, malware writers could instruct their creations to quit loading or destroy themselves if they detect they are being downloaded by one of these services.

Austrian hacker Peter Kleissner told Security Fix he created AV Tracker. Kleissner is a young man whom many in the community came to know only in August when he spoke at the annual Black Hat security conference in Las Vegas. In his talk, the 18-year-old detailed and released a tool called a "bootkit," which makes it possible for malicious software to compromise a Microsoft Windows PC at a fundamental level (before the operating system even boots up, hence the name).

At the time, Kleissner was employed by Ikarus Software, an Austrian anti-virus firm where he had worked for the previous 14 months. Kleissner said a number of people had complained that his publishing of the bootkit instructions was not in keeping with the company's goal of helping Internet users stay safe online, and that as a result Ikarus asked him to resign. Ikarus did not respond to requests for comment.

Two weeks later, Kleissner found himself exiled from "Incidents & Insights," one of several invite-only security mailing lists maintained by members of the research community. Ken Dunham, the administrator of that list and director of global response for security firm iSight Partners, declined to comment for this story. But according to information shared with Security Fix, Dunham evicted Kleissner from the list after the latter disclosed he had hacked an Internet kiosk in a Zurich airport on his way home from Black Hat.

Last week, Vitaly Kamluk, director of research at Russian anti-virus giant Kaspersky Lab, took aim at Kleissner for the service. In a simmering blog post titled "A Black Hat Loses Control," Kamluk noted that Kleissner sent Kaspersky and other anti-virus makers and malware scanning partners a sample program designed to harvest the Internet addresses of their scanning machines.

Kamluk said the sample Kleissner submitted also included a taunting message that suggested that Kleissner was working with one of the world's most notorious malware writing gangs. Kamluk also lambasted Kleissner for suggesting that malware writers could use the address information in AV Tracker to attack the malware scanning services.

In an interview with Security Fix, Kleissner acknowledged he was upset at being ostracized by the anti-virus community. But he said he is not working with malware gangs and that his Easter egg message to the anti-virus industry was little more than a joke.

"I'm always doing computer research stuff, and people can use my knowledge or not, but I won't stop publishing things," Kleissner said.

In some sense, what AV Tracker is attempting to do typifies the back-and-forth battle that has been going on between the anti-virus industry and malware writers for many years. Entire families of malware will prevent users of infected PCs from visiting security Web sites and forums that offer to help people clean their machines. In addition, many families of malicious software simply won't run if they detect they're being executed inside analysis tools commonly used by anti-virus researchers.

Some security experts in the anti-virus community are dismissing AV Tracker as a publicity stunt, while others wonder what all the fuss is about.

"I've always assumed virus writers were doing this all along," said Dmitri Alperovitch, vice president of threat research at McAfee. "That's why I'm not shocked by this."

But Richard J. Zwienenberg, chief research officer at Norman ASA, a Norwegian security firm that operates the malware analyzing service Norman Sandbox, suggested that services like AV Tracker - to the extent that they accurately track up-to-the-minute Internet addresses used by online malware analysis sites - could pose a problem for some security technologies.

"In general of course AV Tracker is not the best thing that can happen. [Whether] it is a big concern depends on the way the malware authors start to use it, and how the products targeted are set up," Zwienenberg said. "If your in-the-cloud solution is based on a single [Internet address] or a small range of [addresses], then you may have a problem if your security is depending on this. Given the open nature of the Internet, events such as av-tracker.info are inevitable."

Julio Canto, project manager at virustotal.com, a malware scanning service based in Spain that runs all submitted malware samples through more than three dozen anti-virus scanners, said he's not too concerned about Kleissner's new project. At least not yet: According to Canto, several of the Internet addresses listed on AV Tracker are merely the outward-facing addresses assigned to malware scanning services, or are incorrect entirely.

"It is quite a simplistic point of view assuming that anti-virus vendors or other entities will use static Internet addresses for checking incoming samples," Canto said.

Still, he said, a more comprehensive and timely list of addresses at AV Tracker could become a thorn in the side of the security industry if broadly adopted by malicious software makers.

"If malware writers would start with this kind of stuff, there would be an arms race -- with one side doing blacklisting and the other side moving to fast-replaced Internet ranges and so on, or simply checking from multiple Internet addresses at one time," Canto said. "Unfortunately, I think that is just a drop of water in an ocean of smart people turning to the dark side."
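The address gating the article describes, the fragility of a single-address cloud check that Zwienenberg points to, and the "check from multiple Internet addresses" counter that Canto mentions can all be shown in a few lines. The following is an added illustration, not code from AV Tracker, from any of the vendors quoted, or from the article. The distribution server is simulated in-process, the address ranges are RFC 5737 documentation prefixes standing in for whatever a tracker might publish (they are constructed for this example and are not real vendor addresses), and the "payloads" are placeholder byte strings.

```python
import hashlib
import ipaddress

# Constructed stand-ins for the analysis-service ranges a tracker would list.
# These are RFC 5737 documentation prefixes, not real vendor addresses.
TRACKED_RANGES = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24",      # stand-in for one scanning service's egress range
    "198.51.100.0/24",   # stand-in for a second service
    "203.0.113.7/32",    # a cloud check that scans from one fixed address
)]

# Placeholder contents; the point is only that the two responses differ.
REAL_PAYLOAD = b"MZ... stand-in for the sample a victim would receive ..."
DECOY_PAYLOAD = b"MZ... stand-in for a harmless file served to scanners ..."


def is_tracked(ip: str, ranges=TRACKED_RANGES) -> bool:
    """True if the requesting address falls inside any tracked range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def cloaking_server(ip: str) -> bytes:
    """Simulated download server: decoy for tracked addresses, real file otherwise.

    This is the gating the article describes; the list lookup is the only
    thing a published address list buys the operator.
    """
    return DECOY_PAYLOAD if is_tracked(ip) else REAL_PAYLOAD


def fetch_from_vantages(server, vantage_ips):
    """Fetch the same URL from several source addresses; return {ip: sha256}."""
    return {ip: hashlib.sha256(server(ip)).hexdigest() for ip in vantage_ips}


def detect_cloaking(server, vantage_ips) -> bool:
    """True if the server's response depends on who is asking.

    This is the defender-side counter Canto describes: a single scanning
    address can never notice it is being fed a decoy, but fetching from a set
    of addresses that includes at least one the operator does not recognise
    exposes the inconsistency.
    """
    digests = fetch_from_vantages(server, vantage_ips)
    return len(set(digests.values())) > 1


if __name__ == "__main__":
    # A scanner on the listed /32 sees only the decoy.
    print("single tracked vantage flags cloaking:",
          detect_cloaking(cloaking_server, ["203.0.113.7"]))
    # Moving one hop off the listed address already defeats the /32 entry.
    print("off-by-one address is tracked:", is_tracked("203.0.113.8"))
    # Tracked plus untracked vantages reveal the two different responses.
    print("mixed vantages flag cloaking:",
          detect_cloaking(cloaking_server, ["203.0.113.7", "203.0.113.8"]))
```

The asymmetry the quotes describe is visible in the last two calls: a list entry for a single address is defeated by any neighbouring address, while the blacklisting side only stays ahead if the ranges it publishes are both current and wide, which is exactly the arms race Canto predicts.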

For his part, Kleissner denied he has somehow turned to "the dark side."

"I have done lots and lots of research and helped other anti-virus vendors, and I'm always open for anything," he said. "I won't make a difference between black hats and AV companies. To me it's not good or bad, it's just technology."