IS THERE A LAWYER IN THE LAB?

Juraj Malcho
ESET spol. s.r.o., Aupark Tower, 16th floor, Einsteinova 24, 851 01 Bratislava, Slovakia
Email malcho@eset.sk

VIRUS BULLETIN CONFERENCE SEPTEMBER 2009

ABSTRACT

With the broadening possibilities and the ever-growing number of computer users, many applications are being developed that have hidden or fraudulent intentions, or which are at best of doubtful usefulness. The motivation behind these applications is financial profit and they typically target the technically low-skilled members of the population. Many such applications are not the typical malware used in cybercrime nowadays (like bots or spyware trojans), but rather potentially unsafe or unwanted applications. However, this dubious software is often associated with groups responsible for malware dissemination, and is often distributed using unfair practices such as spam campaigns or push-installations performed by malware.

When AV labs note these practices and add detection of such applications to their products, this causes a conflict of interests between AV software vendors and the suppliers of such potentially unwanted software. These conflicts sometimes result in legal battles, dragging many people into the decision-making process, including the legal department, and consuming a significant amount of a company’s human and financial resources. The decision to detect such software is in many cases made even more difficult by the users themselves: different individuals, social groups and even nations have very different desires and opinions.

This paper explores the topics mentioned above and considers the boundary between legitimate and illegitimate applications. The problems are explained with reference to several case studies documenting our experiences with such software. Based on our records of such incidents we will outline the rising trend of complaints and legal cases over time.

MALWARE IN CURRENT CYBERCRIME

It has been quite a long time since the first personal computers hit the market, during which time many serious vulnerabilities and design faults have been discovered, and many things have changed. Mankind has slowly got used to the fact that every new technology can be misused, or rather, we can be fairly sure that someone will try to misuse it, whether merely to prove the concept of misuse, or to initiate a serious threat against people and/or the infrastructure. The design of new devices and technology must therefore take into account the securing of the data, dataflow, and any communication in general. However, the systems that are being developed today are more and more complex, so even though huge effort is invested in security, faults are quite often introduced during either the design or the implementation stage. The growing number of technologies and devices broadens the attack surface available to the attackers who try to make profits by exploiting existing security flaws. And that’s exactly the domain of computer infiltrations.

Nowadays a vast amount of malicious or unwanted code is financially motivated. We could even say that there are only trace amounts of infiltration which exist only to demonstrate the presumed ability of the author (whether maliciously motivated or not). Proof-of-Concept (PoC) virus writing is not as popular as it used to be. In fact, if a security researcher nowadays hears the term PoC the first image that comes to mind is a chronic, even pathological search for security vulnerabilities and exploits programming. And yet often the underlying motivation is far from altruistic service or efforts to improve software reliability and security. On the contrary, new security vulnerabilities are now very much in demand on the black market, and present great opportunities for illegal income. That is the reason why PoC code and vulnerabilities tend to gravitate more easily towards malware authors than to the respective software developers.

And that’s how we get to the typical malware of today, which takes advantage of some type of vulnerability – whether a technical or a human one. The decision about whether malice is intended and threat classification is very straightforward and unambiguous in this case. For an AV company the main problem here is implementing detection. The protection schemes in modern malware tend to be complicated, new variants are coming out in huge volumes and the professional groups on the other side work deliberately on evading detection. The income of these criminal groups is mostly derived from trading stolen credentials or any data stolen from compromised computers, or by renting botnet services, such as adware push-installations, advertisement and spam delivery or DDoS attacks.

THE GREY ZONE – ADWARE, SPYWARE, POTENTIALLY UNWANTED APPLICATIONS

Let’s leave the clearly defined malicious code aside and focus more on greyware – the software from the grey zone. The complications with these applications are not usually inherent in code complexity, code protection/obfuscation, or in implementing detection. The problem lies in the decision as to whether the software is or is not malicious, or if it’s actually useful somehow. Of course, one will automatically assume that the decision criteria have to be subjective and possibly ambiguous to some extent – every user could have a different opinion or different desires. So the boundary between good and evil, usefulness and uselessness is unclear. Even different AV companies might have different views on various issues and the philosophy might differ somewhat, leading to disagreements even among the experts.

Naturally, these companies cooperate closely (and not only in order to evade similarly conflicting situations). Over the years several projects and organizations have been established in order to introduce generally respected rules and best practices that have been developed and discussed within the community. One of the goals is to create a stable reference point which can be used in discussions of controversial issues. Let’s mention a few of the initiatives that are most related to the topic of this article: the Anti-Virus Product Developers Consortium (AVPD), the Anti-Spyware Coalition (ASC) and the Anti-Malware Testing Standards Organization (AMTSO). AVPD [1] was formed to provide an open forum in which developers could work toward common goals such as product testing, product certification, surveys, studies and market research. ASC [2] is a group dedicated to building a consensus about

definitions and best practices in the debate surrounding spyware and other potentially unwanted technologies. And finally, AMTSO [3] was founded in May 2008 as an international non-profit association that focuses on addressing the global need for improvement in objectivity, quality and relevance of anti-malware testing methodologies. More information about these organizations and initiatives can be found on their web pages.

SPECIFICS OF THE GREY ZONE SOFTWARE

Let’s have a closer look at the previously mentioned problematic software where the decision-making process about its malicious intent or legitimacy is complicated and tricky. What kind of software is it? Well, put very simply – it’s the software that is, in fact, completely useless and doesn’t provide any real value. Or, in other words, if the software is actually paid for, then the only party that gets any genuine benefit from it is the author/company that develops it. That’s a very simple and elegant definition, right? But in the real world, endless discussions could be held regarding the usefulness or legitimacy of these kinds of software. What’s worse, sometimes it even leads to lawsuits. It happens more and more often that after a lengthy analysis an AV company decides to detect some application and a few months later the developers complain about unjustified detection and request that the false positive (FP) be fixed. The rounds of decisions and considerations that follow are usually very uneasy due to the collision of interests. There are many factors that need to be taken into account – not only the software itself, but also the user base, and it is necessary to verify the company’s credibility and to analyse the distribution channels that are used.

The distribution channels themselves can easily turn a legitimate application into an unwanted one. Basically we have two reasons to flag an application as potentially unsafe or unwanted: the application is being misused by some malware, or the distribution model constitutes direct incitements to illegal profit. In the first case you could think of countless system tools that are often misused by malware to enhance its features. Some examples are the system tools from SysInternals/Microsoft, various password crackers/password recovery tools, using remote administrator tools to implement backdoors, and so on. In the second case (the use of dubious distribution channels) we’re talking about a pay-per-install business model where the distributor earns a small cut of the profit for every successful installation of the software. This effectively means that the software is often spread by malware and automatically installed on a victim’s PC, or offered in spam campaigns.

A very important piece of information is the incentive for detection itself. Often it comes in the form of a request from the customers who notice strange and unexpected behaviour on the part of their PCs. Rogue companies and their products (rogue anti-virus, rogue anti-spyware) have their fraud fine-tuned to every little detail – the product and their website have a professional look, and often they are inspired by real anti-virus software. The websites are full of fake FAQ lists, along with lots of forged positive reactions and testimonies from non-existent users, etc. Even if we base our decisions on relatively clear rules and recommendations such as those made by the ASC, the decision is difficult and time consuming to make. An in-depth analysis can take hours and days before a good reason for detection is found. That’s where the AV companies expend a lot of resources nowadays. It is beyond the scope of this article to talk in detail about the ASC rules and best practices: the relevant documents are available on the ASC website. In the following text we will focus on several concrete examples from history, through which we will illustrate the problems that AV companies encounter every day in regard to grey zone software.

ZLOB. THE EASY STUFF…

One of the first problematic cases is the notorious devastator of Windows boxes – Win32/TrojanDownloader.Zlob. The first variants appeared in autumn 2005. As with other new unknown families, it wasn’t immediately clear how big this issue would become, whether it would be just one of many generic trojan downloaders, or whether it would become a long-term systematic project. That’s why the first detections carried names like Win32/TrojanDownloader.Agent.NCW (ESET) or Trojan-Downloader.Win32.Agent.uz (Kaspersky). But shortly after, thanks to the activity of the group behind it, the family earned its unique identification – Zlob. As time went by new variants that were fine-tuned to evade detection by specific AV products started to appear on a daily basis. It was one of the first cases of one-on-one fights between a criminal group and AV companies where financially motivated malware was involved. But the other party became bored after some time and tried a new trick – they complained about the detection and requested that we cancel it (Figure 1).

From: support [mailto:support@emediacodec.com]
Sent: Wednesday, April 12, 2006 4:28 PM
To: xxx
Subject:

Hello xxx.

We are eMediaCodec support team. we would like to know why your software NOD32 detects our codec as virus “Win32/TrojanDownloader.Zlob.II”.
Our emediacodec is provided with Terms and Conditions located at http://www.emediacodec.com/terms.html where we describe in details what is the codec itself. We do tell surfers about what being installed on their computers.
We would very appreciate if you remove our eMediaCodec from your virus list.
Thanks

Figure 1: emediacodec.com complaint.

Of course, however unprofessional this letter might look, it raises doubts and some uncertainty and forces one to verify the issue. There’s a curious link to their website where you can, allegedly, find all the information about the codec. Well, as far as I remember, apart from installing other malware and advertisement delivery there was never any real all-playing codec functionality. More complaints followed and were repeated a few times, but eventually the group behind Zlob started generating such massive new waves of these trojans that they realized there wasn’t the slightest chance of success in this direction. The number of files belonging to the Zlob family reached the thousands, endless numbers of computers have been infected to date, and the trojan itself has undergone a turbulent evolution. Nowadays, a PC infected with the Zlob trojan will end up with a rogue anti-virus or spyware on the system (among other things). Despite all the troubles, good


news arrived from the malware authors in January 2009 when they left a message for Microsoft employees in one of their most recent trojans (Figure 2):

For Windows Defender’s Team:
I saw your post in the blog (10-Oct-2008) about my previous message.
Just want to say ‘Hello’ from Russia.
You are really good guys. It was a surprise for me that Microsoft can respond on threats so fast.
I can’t sign here now (he-he, sorry), how it was some years ago for more seriously vulnerability for all Windows ;)
Happy New Year, guys, and good luck!
P.S. BTW, we are closing soon. Not because of your work. :-))
So, you will not see some of my great ;) ideas in that family of software.
Try to search in exploits/shellcodes and rootkits.
Also, it is funny (probably for you), but Microsoft offered me a job to help improve some of Vista’s protection. It’s not interesting for me, just a life’s irony.

Figure 2: Message from Zlob author(s) to Microsoft.

It seems that at least the original authors of the trojan plan to abandon the project. However, this family is already so full-blown and developed that we cannot say for certain that this will be the final end of Zlob. On the contrary, it’s very likely some other group will continue to operate and improve it.

ROGUE ANTI-VIRUS/ANTI-SPYWARE. THINGS GET TRICKY…

The topic of fake/rogue anti-virus or anti-spyware products has been touched upon already in the section on Zlob. Briefly summarized, this is software that pretends to be a legitimate anti-virus solution, fools users into believing that non-existent malware was found on the system, and usually also offers the possibility of removal of the imaginary infiltrations. The goal of this fraudulent theatre is to force the user to buy the full product that allegedly removes the malware even more effectively than the evaluation version, which itself got installed onto the PC via illegitimate channels. The victim, in fact, pays for a graphical bubble, which is sitting on the system tray, consumes the system resources and, what’s more, risks having his/her payment card details compromised or stolen.

This category of potentially unwanted software or spyware is a good candidate for close examination of the means of distribution and for demonstrating the differences in classification of the various software components that partake in the process of computer infection. It all usually starts in a pretty uncompromising manner, an unequivocal infection by a code that nobody would have a problem defining as malware. The typical scenario involves a security vulnerability, usually built into an automated exploit pack, hosted somewhere on the Internet. It’s not unusual to see legitimate websites being compromised, having iframe redirects inserted into their HTML code. The iframes point to an attacker’s server, which serves the malicious code. The installers/downloaders have all the typical features of trojans, so everything is pretty clear so far and there’s no need to spend too much time deciding about the classification. Usually these codes fall into the trojan or trojan downloader categories.

But this isn’t true of the software that actually gets downloaded by the trojan downloader – this one is classified as adware, spyware or an unwanted application. Why? Because even though its installation is forced, usually there is an End-User Licence Agreement (EULA) which explains all aspects regarding the rogue software, and to which the user actually confirms his agreement. So the software has actually been installed with the user’s consent. Of course, the EULA says nothing about the means of distribution and the software vendors themselves disclaim involvement with the distribution channels. They are more or less successful in this, depending on the case. Anyway, this is the time when it’s necessary to investigate any subtle features and details about the software, for example those mentioned in the ASC documents. The most important attributes are its invasiveness, its impact on system stability, security and integrity, the extent to which the authors are trying to obfuscate the code and evade detection and so on. These days we register hundreds of families of such rogue applications, and the level of pretended legitimacy and their quality varies from childish trivial attempts to solutions that look seriously professional.

The birth and first indications of the spreading of these applications date back to 2005, when families like WinAntivirus¹ appeared. Again, the first steps in its evolution were very similar to the case of Zlob, and even here we received complaints (Figure 3) about detecting this incredibly useful software.

Subject: NOD32 detects our products as malware
Date: 21 Aug 2006 10:21:51 -0500
From: xxx@winsoftware.com
To: xxx

I am contacting you on behalf of WinSoftware Company.
Recently our Quality Assurance Department discovered that parts of our product, WinAntiVirus Pro 2006, were added to your anti-malware database, and are currently being detected as malware.
WinSoftware believes this may have been done inadvertently; nevertheless this has a big impact on our Company’s reputation and on customer satisfaction level. WinSoftware, therefore, requests that you remove these product from your base no later than fourteen (14) days from receipt of this notification.
Please confirm receipt of this message.
Best regards,
xxx
Senior Vice-President, Legal Compliance
WinSoftware Ltd.

Figure 3: winsoftware.com complaint.

It has to be noted that, compared to the Zlob complaints we received, this one looks immeasurably more professional and serious. We see a stronger choice of words, they mention damage to the company’s reputation and the request to remove the detection is followed by a 14-day deadline. Furthermore, during the installation the user agrees to a EULA, putting himself/herself fully into the hands of the creators of this alleged anti-virus. Of course, for any serious AV company such an application cannot be tolerated on the customers’ PCs: therefore WinAntivirus, along with tens and hundreds of other families of rogue applications, stayed in the malware databases. But compared to Zlob there’s a significant difference – fake AVs are not classified as trojans, but are rather put into the adware/spyware category, which means that they belong to extended sets of virus definitions². Simply, they lack the necessary level of aggressiveness and invasiveness that would clearly make them a trojan³.

Finally, we need to mention that nowadays the rogue AVs are being distributed along with other malware that is directly related to botnets: what’s more, they’re often being distributed by worms. Considering the obvious similarities in the protecting packers and obfuscation techniques, it’s clear that behind the scenes there are always the same group(s), so there is no doubt about their illegitimate intentions.

¹ The names of rogue applications (especially AVs) starting with the words Win- or Antivirus- have, for obvious reasons, become very popular.
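A defender-side check for the first step of the infection chain described in this section, a compromised legitimate site carrying an injected iframe redirect to an external server: this is an added example, not code from the paper or from ESET, and the sample page, the site host name and the redirector URL in it are constructed for the example. It flags iframes that are both hidden (zero size or hidden by style) and point off-site, the two properties an injected redirect typically shows while a legitimate embedded widget does not.

```python
"""Flag iframes in a web page that look like injected off-site redirects."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a compromised page: one legitimate same-site widget
# iframe, and one injected zero-size iframe pointing at an external host.
SAMPLE_HTML = """<html><body>
<h1>Welcome to example-news</h1>
<iframe src="/widgets/weather" width="300" height="200"></iframe>
<p>Latest stories ...</p>
<iframe src="http://redirector.invalid/go" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>"""

SITE_HOST = "example-news.invalid"  # hypothetical host the page was fetched from


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lower-cases tag/attr names
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_tiny(dimension):
    """True for width/height values of 0 or 1 (optionally with a px suffix)."""
    try:
        return int(dimension.strip().rstrip("px")) <= 1
    except ValueError:  # percentages, empty strings, garbage
        return False


def _is_hidden(attrs):
    """An iframe the user cannot see: zero-sized or hidden via inline style."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (_is_tiny(attrs.get("width", ""))
            or _is_tiny(attrs.get("height", ""))
            or "display:none" in style
            or "visibility:hidden" in style)


def _is_offsite(src, site_host):
    """True when src names a host other than the page's own host.

    Relative URLs have no host and are treated as same-site; scheme-relative
    URLs (//host/path) are parsed and compared like absolute ones.
    """
    host = urlparse(src).hostname
    return host is not None and host.lower() != site_host.lower()


def find_suspicious_iframes(html, site_host):
    """Return the src of every iframe that is both hidden and off-site."""
    collector = IframeCollector()
    collector.feed(html)
    return [frame.get("src", "") for frame in collector.iframes
            if _is_hidden(frame) and _is_offsite(frame.get("src", ""), site_host)]


if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_HTML, SITE_HOST):
        print("suspicious hidden off-site iframe:", src)
```

A hit is a reason to compare the page against a known-good copy and inspect the server, not proof of compromise on its own; hidden same-site iframes and visible off-site embeds are deliberately left alone to keep the check quiet on legitimate pages.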

ADWARE – DELIVERING (UNSOLICITED?) ADVERTISEMENTS. THE EASY PART

What about generic adware – software primarily specializing in the delivery of unsolicited advertisements? Software falling into this category is extremely diverse and, from the malware/adware/spyware classification point of view, there are examples that fall into all of the categories, from trojans through adware to potentially unwanted applications. The more aggressive the software⁴, the easier it is to make the decision about its classification. On the other hand, with rising aggressiveness the complexity of detection implementation also grows proportionally.

As has been said already, the decision process is often much more time consuming than the process of creating detection patterns. In fact, the genuine anti-virus and the problematic malware are two pieces of software standing against each other, having their existence in the system approved by EULAs, which the user has (often unknowingly and without reading) agreed to. And to prove that the vendors of this dubious software really mean it, we’ve seen several legal cases in the past, such as this one. In 2007, a company named Zango (also known as 180Solutions), notorious as an adware provider, made a charge against Kaspersky Lab, complaining that it was unjustly blocking software that Zango provides. In doing so, Zango alleged that Kaspersky was damaging its reputation and preventing it from doing business. The initial decision of the court sounded quite positive, as it basically stated that an interactive computer service provider (in the context of content filtering) has the right to block material that he or his customers consider objectionable. Still, it wasn’t the end of the story, and further appeals followed. However, the final good news came in April 2009 when Zango announced that it was going out of business.

As we can see, adware detection and classification quite often involves walking on thin ice (see also the next section) and subtle details can make a huge difference. Any detection that turns out to be unjustified (at least in the eyes of the law) can cost an AV company a great deal in terms of resources and time. But it’s the mission of an AV company to listen to the requests of its customers and to protect their computers from undesired software. Generally, nobody⁵ wants to have any adware on their PC unless they aren’t aware of the implications and of how ineffective and unstable it will make their PC. But is this really true?

EVER HEARD OF ADWARE IN CHINA? OH MY…

Let’s find out. Putting aside all other problems with China as one of the world’s greatest malware producers, the Chinese are very talented in many areas, from cultural to technological. China is known for its problem with piracy, as well as with software that, even though having some other specific functionality, displays various advertisements. This adware (dare I call it this in front of Chinese PC users?) is, day after day, becoming a nightmare for every virus analyst. But deeper investigation reveals that the adware phenomenon is just one of the results of the complicated software situation in China. One part of the problem is ‘green’ software. If you think this term is somehow related to initiatives related to writing environment-friendly code then you’re totally wrong. As mentioned above, China is different and the word ‘green’ is no exception.

‘Green’ software usually means a standalone package, where there’s no need to install the program, just download, double click and there’s your Adobe Photoshop CS4 full version (see Figure 4). Of course, before packaging, the software needs to be cracked, modified and ‘improved’ to fix problems like installing all over the disk, licence activation etc. There’s no need to worry about the serial numbers or licence keys: they’re very easy to obtain as there are tens and maybe hundreds of sites⁶ that offer these green packages. For some people green software equals free software, and in some cases it’s even localized. The green websites have all of their material comprehensively organized so it’s very easy to navigate for anybody who wants to get a copy of their favourite application. Also, there are custom OS packages that people go for when buying DIY machines. For example ‘Windows XP – XXXX edition’ would be a Windows XP customization done by XXXX group. Pretty much standard Windows, no need of activation of course, possibly with some additional commonly used software pre-installed⁷.

Figure 4: An example of a green software site.

² This has, of course, evolved over time and the organization of malware databases and collections may have changed from company to company, which could have led to reclassification.
³ Well, we could hold a long discussion on this topic.
⁴ Some good examples would be Win32/TrojanDownloader.Swizzor or Win32/Adware.Virtumonde.
⁵ Even though Zango claimed the opposite.
⁶ For example http://www.onegreen.net/.
⁷ For example http://www.shenduxp.com/.


What’s interesting is the fact that these servers closely monitor the quality of the software they provide and make sure they don’t offer infected content. There are no noble or altruistic reasons behind this – it’s only about money. If the site is safe and trusted it gets positive reviews, more page hits and more downloads are performed and thus they make more money on the online advertisements they display.

So why are we talking about this? As with the known Chinese black-market ‘original’ CDs and DVDs, it is often very hard to distinguish between the original version and a hack coming from a green site. Thus many people and businesses could unknowingly run illegal software even though they are strictly against it in principle. In such an environment the software vendors are pushed to distribute their software for free but – with some ads inside. And that’s how well-known legitimate software vendors actually start to create adware – welcome to the Chinese software business model!

Lots of people in China are well aware of the malware threat and know they are surrounded with these password-stealing trojans and other stuff. They actually feel that if they pay for anti-virus it’s going to make them much safer. Having their box protected, they can go on to use the green software which of course isn’t generally considered illegal. The AV that they paid for and trust is expected to protect them from possible threats that might be lurking at any of those green websites. And of course, the AV definitely shouldn’t block all the good and useful software, green or not, which (even though full of ads) is still considered to be standard and absolutely normal – for the Chinese.

So what about the rest of the world? People are extremely allergic to even the slightest hint of advertising, having all those neat ad-blockers and filters, demanding removal of any applications that would exhibit this behaviour. So what exactly is adware? Does it really matter? To what extent are common computer users able to distinguish between what is and what is not good for them and make the right choice? Are we going to end up with double standards?⁸ This issue really causes heavy headaches in any virus lab around the world.

AND THERE ARE MORE CONFLICTS OUT THERE

The most problematic applications are those developed by relatively well-established companies that have real customers who seriously make use of their services. The mutual customers of such a company and of an AV solution provider then request that they are allowed to run both of the applications without conflicting or blocking each other. On the other side of the river there is a group of users who are very sensitive about their computers and won’t allow the installation of anything that they do not fully trust. Corporate networks and IT systems are very specific environments where many (types of) applications are undesired/unwanted even though probably nobody would object when installing them on a home PC. Quite often these applications might be installed via dubious channels that the users might not be able to control and so the software indeed gets onto the PC as unsolicited content.

The hot topic of today is online casinos. There are vast numbers of people who want to play – and win – as it’s real money that gets into the game. These applications can, but don’t have to, deliver advertisements. Quite often they evolve over time from ad-delivering to non-ad-delivering. Their main problem is that they often use the open distribution model of affiliates who get their cut for every successful installation. In our current botnet era this model can be (and is) heavily misused to gain quick and easy money, so it’s a common practice for these applications to be distributed by spam or even trojans. This results in more money being poured into the pockets of the criminal groups, and the installation of these applications onto a large number of PCs without the users’ consent.

Since these companies do business with online casinos, their relationship with money is very tight and they don’t hesitate to attack AV companies with requests to cease detection even at the price of a lawsuit. Thus the work of virus analysts evolved into a new and unexpected dimension, and the resolution of these issues has become extremely time consuming.

THE COMPLAINTS TIMELINE

Let’s have a look at what all this has meant to a specific AV company – ESET. Over the last three and a half years we have come across over 20 cases where it was necessary to involve the legal department. Roughly summarized and at a conservative estimate, it cost us more than 1,150 man-hours and involved at least 530 employee interactions (not counting our external consultants or partners). Some of the incidents have been successfully resolved and closed, while many of them are still open and have been causing trouble for months. Typically, the load is not balanced but rather comes in spikes. Figure 5 displays the timeline of the number of employee interactions involved in resolving detection complaints per month.

Figure 5: The number of incidents per month where ESET employees were involved in resolving detection complaints.

Of course, not all cases are equally complicated and the amount of time spent varies. Basically, it grows proportionally to the number of people involved and the graph is similar to Figure 5, with only slight differences (Figure 6).

Again, let me remind you that these numbers are rather conservative, as it’s hard to determine the exact amount of time that virus analysts had to spend analysing endless numbers of software packages, comparing different versions and variants. Based on the graphs we see that in the last 12 months the average load was 46 man-hours, involving over 21 people per month, as opposed to an average of 16 man-hours/

⁸ It actually seems exactly so.


six people per month in 2006, which means roughly threefold growth in three years. Also, the spikes reach as high as 130 man-hours per month, which is almost equivalent to a full-time employee. Of course, in reality it is not possible to stay within these mathematically calculated boundaries: every task (not to mention the extra time spent switching between tasks) also takes its own time to manage. With the growing number of dubious software cases and all those people using proven and time-tested methods of deceiving inexperienced, trusting computer users, it’s clear that these numbers will increase in the future and the growth will probably not remain linear.

Figure 6: The number of man-hours spent on resolving detection complaints per month.

CONCLUSIONS

As we can see in the interactions between AV companies and the providers of various dubious applications, the encounter with the law is starting to be a daily routine. As with any legal case, these issues are quite challenging, as well as time-consuming and expensive. Past experience has shown that security failed to keep up with technology; these days we realize that legislation has pretty much the same problem, and it’s very hard to deal with all the issues that result from the technological possibilities and opportunities. Parasitism is ruling the world and every now and then a smart guy appears trying to squeeze some money out of society – and of course, it’s the law that matters, not morality. This applies to the fraudulent software we have mentioned in this paper, to applications that target inexperienced, trusting people (for example, the ‘I Am Rich’ application for iPhones for $1,000), or even to attempts to make money out of a ridiculous patent. The perfect example could be the case of a company named Information Protection and Authentication of Texas LLC⁹ [7] that is suing pretty much the whole AV industry for patent infringement. But you cannot avoid these things; it’s impossible to exhaustively cover our current world with simple comprehensive rules.

In the end, all that’s left is morality, and the moral implications of such issues; it may be straightforward to reach a resolution, and it may be really, really difficult. Defining what is and what isn’t moral isn’t really within the scope of this document but…

For current AV companies morality is a very fundamental issue. One needs to realize that running an AV company isn’t just selling a specific piece of software. We are offering a service that allows even technically less adept people to keep their PCs in a relatively good condition, despite the danger that’s lurking everywhere in the digital world. In the end, natural evolution has resulted in convergence between AV companies, or IT security specialists generally, and law enforcement. These people cooperate to fight cybercrime worldwide regardless of company boundaries, regardless of working hours and regardless of the missing pages in the law. In these undefined cases there’s no other way but to follow one’s instincts and morals – which are qualities that are absolutely natural to these folks. So when an AV specialist decides that some piece of software isn’t very much to his liking and that it’s potentially unsafe/unwanted/problematic, the chances are good that he’s right.

⁹ Paul Roberts really hit the nail on the head in his article [7], saying that this company appears to exist solely for the purpose of exercising its patent ownership rights in court.

REFERENCES

[1] ICSA Labs Anti-Virus Product Developers Consortium. https://www.icsalabs.com/icsa/topic.php?tid=fb33$17e3028d-905a8eba$0310-9492444d.
[2] Anti-Spyware Coalition. http://www.antispywarecoalition.org.
[3] Anti-Malware Testing Standards Organization. http://www.amtso.org/.
[4] Anti-Spyware Coalition Risk Model Description. http://www.antispywarecoalition.org/documents/riskmodel.htm.
[5] Zlob – best wishes with a hidden message. http://mad.internetpol.fr/archives/8-Zlob-Best-Wishes-With-A-Hidden-Message.html.
[6] US District Court, Western District of Washington at Seattle. Zango, Inc. vs. Kaspersky Lab, Inc.; case no. C07-0807-JCC. http://www.taugh.com/zangokaspersky230ruling.pdf.
[7] Roberts, P. Infringement lawsuit blasts security Who’s Who on app control. http://blogs.the451group.com/security/2009/01/07/infringement-lawsuit-blasts-security-whos-who-on-app-control/.