"Vircing" the InVircible

1. Introduction.

Recently there has been a lot of hype about the anti-virus product
called "InVircible", produced by Zvi Netiv from NetZ Computing Ltd.,
Israel and distributed as shareware by several companies - mostly
in the USA.

The author of the product is trying hard to push it, using methods
that, according to some, are at least questionable from the business
ethics point of view. He regularly posts to many virus-oriented
public forums, advertising his product as "the ultimate defense
against computer viruses" and often engages in rather low bashing
of the products of his competitors and the competitors themselves.
Even independent anti-virus researchers who do not agree with his
opinion on his product have not escaped his personal attacks and
character assassination tactics.

Another method that he regularly resorts to is the extensive use
of pseudo-scientific buzzwords instead of the established and
well-known terms of the anti-virus field: "piggybacking virus"
instead of "fast infector", "hyper-correlator and expert system"
instead of "automatic scan string extraction", "anti-piggybacking
SeeThru technology" instead of "tunnelling" or "anti-stealth
techniques", "virus capturing" instead of "decoy launching",
"advanced signature techniques" instead of "heuristics", "generic
methods" instead of "integrity checking", and so on. The obvious
intent is to confuse the user and to suggest that a product using
all those scientific-sounding, incomprehensible techniques is
somehow more advanced than any competing product. In fact, all
those methods have been in use in many different anti-virus
products for years - without the hype, of course. Sadly, this
tactic often succeeds in fooling the user - not surprisingly,
because most users know next to nothing about the advanced methods
used in contemporary anti-virus products. They buy the product and
rely on it to protect them from viruses. Since virus infections
are, on the whole, a relatively rare phenomenon, most users never
experience the flaws of the protection that the product provides
and therefore never notice the security holes that the product is
full of.

Another method often used by the people promoting this product is
to find some satisfied user whom the product happened to help, or
some person who is completely incompetent in virus matters, have
that person "test" the product, and then widely publicize the
favorable opinion obtained this way.

At the same time, the author of the product himself does not
hesitate to hire known virus distributors to sell his product. For instance,
he is known to have hired Michael Paris to sell his product - and
Michael Paris is well known to have run a BBS with viruses available
on it for download. According to some unconfirmed reports, Tripp
Lewis, the virus writer known under the handle "Firecracker" and a
former member of the virus writing group NuKE, has been selling the
product too.

For any other producer with a conscience this would be an obvious
conflict of interests. Clearly, the author of InVircible does not
fall into this category. Other questionable practices that he
engages in include the wide distribution of a product that can
automatically generate real viruses with just a few bits changed
to disable their replication capability - "emasculated viruses",
as the author calls them; another meaningless buzzword of his.
Obviously, the fact that they can easily be turned back into real,
spreading and damaging viruses (sometimes changing a single bit
from 0 to 1 is enough) does not prevent him from supplying them to
his unsuspecting users. This general attitude is confirmed by
reports that some marketing representatives of the product (e.g.,
in New Zealand) freely hand diskettes containing real viruses to
potential customers, so that the latter can "evaluate" the product.

In this paper we take a careful and experienced look at the
security problems that InVircible is full of. We would like to
emphasize that this paper is not a review of the product. It makes
no attempt to list the good qualities of the product - the readers
can obtain such information from other sources, which are abundant,
not least the marketing claims that the author of the product
makes. Here we concentrate only on the negative sides of the
product - on those marketing claims that are false, and on those
security holes that are never mentioned by the author or by the
"reviewers". Our intent is to warn potential customers of the
product about the dangers that it presents, to provide them with an
informed opinion about its negative sides, and to help them decide
whether or not to buy the product and whether or not to rely on it
to protect them from viruses.

In our tests we used version 6.01D of InVircible. The previous
versions have some additional security holes, but we will not dwell
on that - it is reasonable to assume that users will try hard
enough to obtain the latest available version of the product.

Each time we discovered a security hole, we tried to confirm it by
using an existing virus that exploits it. This was not always
possible - the product contains some security holes that no virus
known to us exploits. In those cases we used non-viral programs to
simulate the virus behavior. The alternative would have been to
write a virus ourselves - something that contradicts our ethical
principles. However, in all cases we have tried to describe the
security holes in enough detail that it becomes clear to the users
how a virus could exploit them.