Friday, August 17, 2012

About utter incompetence of malware "analysts" and journalists

Prerequisites: 

We have a software product named RawDisk. This is a kernel-mode driver which is used to perform several security-sensitive operations regarding sector-level access to disks, for both reading and writing. In particular, it can be used to write filesystem internal structures and the MBR itself. Uses of such a driver are numerous: from performing searches across the disk, to optimizing the disk, to backing up locked files, and more. The driver is signed with a code signing certificate. Our customers embed the driver in their software. We perform a certain inspection of the customer base, i.e. we would not sell the product to individuals or to customers with no clear identification (without an address, phone etc.). This is done to prevent misuse of the driver. Also, the driver can be bound to particular EXE file names to make misuse harder still.

Story:

Some unidentified script kiddies have crafted a malware which wipes victims' disks. To do the actual wiping they have used our driver, probably stolen from some of our clients' software (I am omitting copy control technical details here for security).

The malware was discovered by several security companies. Only two of them, McAfee and Symantec, properly identified the driver as being stolen from legitimate software. Kaspersky Labs and several other wanna-be-specialists from other companies concluded that those script kiddies managed to create the driver and sign it using a "stolen private cryptographic key of EldoS Corporation", which is complete bullshit that misleads people and takes the analysis in the wrong direction of searching for kernel-mode developers (though script kiddies most likely are not capable of creating kernel-mode code).
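The two hypotheses above are distinguishable from the sample itself, and the check is cheap. Authenticode signs a digest of the PE image, so a binary built by a third party and signed with a stolen key would carry a valid vendor signature over a file hash the vendor never released, whereas a legitimately released driver simply reused by the malware matches a hash in the vendor's own release list. The following PowerShell script is an added example for analysts, not code from this post or from EldoS; the signer-subject fragment, the known-good hash list and the sample path are placeholders, and in practice the hash list is exactly what you would obtain by contacting the vendor.

```powershell
# Added example (not from the original post or from EldoS): classify a signed
# driver recovered from a sample as either
#   (a) a binary the vendor actually released, reused by the malware author, or
#   (b) a binary the vendor never released that nonetheless carries a valid
#       signature under the vendor's certificate (what "stolen key" would look like).
# Assumptions (hypothetical, not from the post): the expected signer fragment and
# the list of known-good SHA-256 hashes, which should come from the vendor.

function Test-SignedDriverOrigin {
    param(
        [Parameter(Mandatory = $true)][string]$DriverPath,
        [string]$ExpectedSignerFragment = 'EldoS',          # assumed subject fragment
        [string[]]$KnownGoodSha256 = @(
            'PLACEHOLDER_SHA256_OF_VENDOR_RELEASE_1',       # placeholder, get from vendor
            'PLACEHOLDER_SHA256_OF_VENDOR_RELEASE_2'        # placeholder, get from vendor
        )
    )

    $sig  = Get-AuthenticodeSignature -FilePath $DriverPath
    $hash = (Get-FileHash -Path $DriverPath -Algorithm SHA256).Hash

    # Unsigned files have no SignerCertificate; avoid dereferencing $null.
    $signer = if ($null -ne $sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { '<none>' }
    $thumb  = if ($null -ne $sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '<none>' }

    # Step 1: is there a cryptographically valid Authenticode signature at all?
    if ($sig.Status -ne 'Valid') {
        $verdict = "Signature status is '$($sig.Status)': no valid signature, so this file " +
                   "is no evidence about the vendor's key either way."
    }
    # Step 2: is the signer really the vendor (and not a look-alike subject)?
    elseif ($signer -notlike "*$ExpectedSignerFragment*") {
        $verdict = "Valid signature, but signer '$signer' is not the expected vendor."
    }
    # Step 3: does the vendor know this exact binary? The signature covers the PE
    # image, so a file built and signed with a stolen key would have a hash the
    # vendor never published.
    elseif ($KnownGoodSha256 -contains $hash) {
        $verdict = "Valid vendor signature AND hash matches a vendor release: " +
                   "a legitimate driver reused by the malware, not a stolen key."
    }
    else {
        $verdict = "Valid vendor signature but hash is NOT in the known-release list: " +
                   "either a stolen key or a vendor build whose hash you do not have. " +
                   "Contact the vendor before publishing a conclusion."
    }

    [pscustomobject]@{
        File        = $DriverPath
        SHA256      = $hash
        Status      = $sig.Status
        Signer      = $signer
        Thumbprint  = $thumb
        Timestamped = ($null -ne $sig.TimeStamperCertificate)
        Verdict     = $verdict
    }
}

# Usage (sample path is a placeholder):
Test-SignedDriverOrigin -DriverPath 'C:\samples\suspect_driver.sys' | Format-List
```

Two caveats on reading the output. First, "not in the known-release list" does not by itself prove key theft: as the post notes, the vendor ships builds bound to particular customer EXE names, so a legitimate build can be absent from a public list, which is precisely why step 3 ends in "contact the vendor" rather than a verdict. Second, `Status` reflects the chain as evaluated today; if the certificate is later revoked, the same file will report `NotTrusted` even though it was validly signed at the time, so record the thumbprint and timestamp presence alongside the verdict.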

Now some journalists have copy-pasted the above-mentioned bullshit into their articles, without checking.

NONE of the above security companies contacted us for cooperation in identifying the source of the signature and/or the driver. NOBODY bothered to contact us about the possibly stolen private key. NO journalist requested additional information or comments from us. Moreover, the analysts from McAfee, who sent us a brief note about the malware, never responded to our offer to find out where the driver had leaked from.

I claim this to be utter incompetence of those "security specialists" and journalists. And when you decide to buy some "security software" to protect your computer, think about whether you can trust people who don't want to find the roots of the problem, who are not interested in the details of the case, and who don't really stand for security.