Tuesday, September 29, 2009

Ethical Malware Creation Courses

My attention was drawn to a storm brewing up concerning the teaching of how to create malware. Apparently McAfee Avert Labs is advertising its Focus ’09 conference next month in Washington, D.C. and including a session titled: "Avert Labs — Malware Experience"
"Join experts from McAfee Avert Labs and have a chance to create a Trojan horse, commandeer a botnet, install a rootkit and experience first hand how easy it is to modify websites to serve up malware. Of course this will all be done in the safe and closed environment, ensuring that what you create doesn't actually go out onto the Internet."
This has already gotten a few malware experts a little hot under the collar. For example Michael St. Neitzel (VP of Threat Research and Technologies over at Sunbelt) decrees...
"This is unethical. And it’s the wrong approach to teaching awareness and understanding of malware. This would be like your local police giving a crash-course on how to plan and execute the perfect robbery -- yet to avoid public criticism, they teach it in a ‘safe environment’: your local police station."
Now, personally, I can't help but feel a sense of déjà vu about all this banter. The argument over teaching how modern malware is built, and over hands-on training in its development, has been going on for quite some time.

I remember having almost identical "discussions" back in 2000 when I helped create the ISS "Ethical Hacking" training course delivered in the UK (which was later renamed to "Network intrusion and prevention" around 2004 because some folks in marketing didn't like the term hacking) and later rolled out globally. Back then - practically a decade ago - there were claims that I was helping to teach a new generation of hackers... showing them the tools and techniques to break into enterprise networks and servers. Within 3 years, such ethical hacking or penetration testing courses were a commodity - with just about every trade booth at a major security conference providing live demonstrations of hacking techniques.

Irrespective of the comparison with Ethical Hacking, training in the art of malware creation has been going on for ages. Just about any security company that does malware research has had to develop an internal training system for bringing new recruits up to speed with the threat - and of course they have to know how to use the tools the criminals are using to create their crimeware. So, for practically the entire lifetime of the antivirus business, people have been trained in malware development.

What's all the waffle about "unethical" anyway? Is there a worry that trade secrets are going to be lost, or that a new batch of uber cyber-criminals are suddenly going to materialize? It doesn't make much sense to me. The bad guys already know all this stuff - after all, the antivirus companies follow their criminal counterparts' advances; it's not the other way around.

Looking back at the development of commercial Ethical Hacking courses and all the airtime the nay-sayers got about training a new generation of hackers, I'm adamant that the availability of these courses dramatically improved the awareness of the threat for those that needed to do something against it, and enabled them to understand and better fortify their organizations. I only wish such courses had existed several years before 2000 - so we'd all be in a more advanced defensive state.

I honestly can't understand why the anti-malware fraternity has been so against educating their customers, and security professionals in general, in the state of the art in malware creation and design. Hands-on training and education really works.

Good on McAfee - I'm backing the course, and want to see this type of education as easily available as that for penetration testing.

In fact you'll probably remember me mentioning that I'm also a proponent of making sure penetration testers and internal security teams use their own malware creations in pentests to check their defense in depth status. My, didn't that raise a ruckus too.


  1. The analogy with the penetration testing training is flawed. You can (and should) teach new malware researchers by showing them relevant malware samples and letting them figure out how they work. This method, besides making them understand how the code functions, also trains them in the use of specific RE tools (like IDA, Olly, WinDbg, etc). It also offers a more realistic view of the malcode out there. Simply writing malware offers much more limited advantage.

    I suspect that the McAfee show will be more like one presented by an illusionist: carefully organized so that as many as possible resulting samples will be caught by McAfee and as little as possible by competitors. In my opinion this show is unnecessary and unethically misleading (by suggesting that in the big picture McAfee performs substantially better than their competitors).

  2. This comment has been removed by a blog administrator.

  3. the only ethical malware creation was the benign malware creation done before we knew the extent of the unintended consequences.

    now that those unintended consequences are known, we also know that ethical malware creation is a fantasy.

  4. i find it that they are arguing what is ethical and unethical. that question is completely irrelevant. the question of whether X is ethical or not lies in the individual's own core values.

    Teaching people how easy it is to spread malware is a bit of a double-edged sword. you immediately bring a sense of solidarity against malware seeing firsthand how EASY it is to be completely destructive, but you also run the risk of actually teaching people how to do the very thing you are trying to prevent...

    and if my experience human nature has typically been held under less light than even wild animals....why not ? humans love bashing themselves, how evil we are and etc.