As for research with regard to retailers I would definitely second the gathering of opinions from people you trust.

I would, however, urge a little caution where forums and blogs are concerned as some have their own agendas as I know well from my own travels across the web.

As far as antivirus is concerned there are many fine products out there and avast certainly do offer a free version so anyone reading this has no excuse for not getting a copy now!

One always hears rumors that the government is using “former” hackers etc, but frankly I find this hard to believe. A decent “ethical hacker” course teaches more about hacking than *most* so-called hackers know. It’s also possible to study virus-writing and antivirus techniques on many computer science courses these days too, so I don’t think that there is a lack of skills in either direction (malware/antimalware).

When I say most malware is criminal in intent, I cited two examples (botnets for spam and DDoS); but identity theft is the next big one, along with simple “one at a time” credit-card details theft, all the way up to really getting into someone’s life and literally stealing their identity, to gain mortgages, lines of credit. A compromised system is good for many things, and it is why malware is mostly coming out of organized crime these days.

Much computer security, however, is common sense: make sure your system is patched; make sure you are not giving out details (of any description) to people you don’t trust; never make transactions with retailers you don’t know, or if you have never heard of the site, do some research first — rip-off report, forums and related websites are a good starting point; better yet, get recommendations from people you trust.

Of course, I recommend a good antivirus — we (and others) have one available for free, so it needn’t cost a thing. Also run a firewall.

The most secure computer is turned off, and not connected to the internet – not so practical, but with every additional risk one adds (always on internet, for instance), take extra precautions.

I am sure some people will always look at security vendors with a bit of suspicion, because people wonder where the viruses, trojans, spyware, rootkits and other forms of malware come from. Well, all I can add is: it isn’t us. To my knowledge, it never has been, and I would certainly be happy to blow the whistle is it was.

Hope that helps some more.

All the best,

Justin.

Cool… after my hard drive crashes I need a new av product

Seriously though, thanks for taking the time to write such a detailed response Justin, much appreciated.

I totally agree with your comments about the negative publicity that would ensue if an antivirus vendor got caught writing malicious code.

Heck, even employing someone who had connections with such activity in the past could generate quite a negative reaction I reckon.

You do, though, hear about governments employing (ex) hackers in order to give them a different perspective so that they can improve their security measures.

Could a company in the security industry not follow suit or are you saying that the bad guys have evolved into the sort of criminals who would never contemplate such a partnership?

Lastly, for now, when you say that viruses, etc are written with criminal intent what do you mean exactly? Sure, they are disruptive and botnets can be used to DDoS large sites into a corner where they may pay a ‘ransom’ to stop the attack but isn’t it the case that most attacks still ultimately lead to individual cases of id theft and the promotion of spam?

This has been a common accusation towards the antivirus industry for some years, though, knowing many, many players in the industry personally, I can vouch that it’s simply not true.

It IS true that in the early days of the industry, some antivirus vendors DID employ former (and I stress former) virus writers. One reason being that, on the whole, in the early days, many viruses were written for fun and were actually pretty benign, both in intent and underlying motives (most being educational), and the knowledge these early virus writers had was invaluable in beating future virus writers.

I can’t think of one vendor who would risk it now-a-days, or at least certainly not without full public disclosure. The risks to a company’s reputation are just far too large — and you only need to screw that up once to see your company fail.

As the industry has started to mature, however, most of the viruses (and more often trojans and spyware) written today are more criminal in intent. The intent being to harness computers as part of botnets, many aimed at spamming or DDoS attacks which can make those that control them a lot of money.

The days of the lone hacker writing a virus for “fun” are mostly behind us — though, of course, one can never say never.

The vast resources, expense and risk of running an antivirus (or more typically anti-malware) software company really don’t add up, for most vendors, if they were the one’s supplying the malware.

For instance, if one were caught out – the legal, punitive damage downside and risk of imprisonment are far too great to make it worthwhile.

Also, most anti-malware vendors are receiving something like 7000 – 9000 variant samples per day (not all in the wild), and, as such, just to keep up with that kind of volume is costing a fortune and making the job much, much harder.

Therefore, to suggest that there are the spare resources to push out additional threats in order to drive business is simply ludicrous.

Is it possible to say there has NEVER been a bad apple in the industry. Probably not. Can I say with hand-on-heart that the industry is not putting out malware to increase revenues? Yes.

The job is hard enough as it is, without adding to the problem.

The talented and hardworking guys and girls in our industry really want to beat the malware makers. It’s a challenge that is both interesting and hard, and that hardworking talent works long hours, under amazingly tight deadlines and oftentimes these aren’t the best paid jobs in the industry.

Were someone to create a wonderful detection engine that did not require signatures and worked 100%, trust me, we’d all go off and find other wonderful ways to change the world. That software has not made it to the world yet, but our fight has always been with malware makers, and that fight continues every day.

Do we all make money doing that? Absolutely. But I think I can say without caveat that we could all make money elsewhere if we could beat malware forever; so the simple truth is, we don’t need to write malware to drive revenue. The bad guys are doing enough of that already.

Sorry to disappoint that there is no conspiracy. I, for one, would blow it wide open if that were the case.

All the best,

Justin.

Worldwide Operations Manager
ALWIL Software a.s.
http://www.avast.com