TDL4: Much ado about something | SC Media

TDL4: Much ado about something

July 5, 2011
I know it's hardly five minutes since I wrote here about TDL4. But I'm surprised and slightly repelled by the amount of attention it has received – or, more to the point, the nonsense that has been spouted about its indestructibility.

The anti-malware industry is used to being accused of “hyping” threats, scaremongering with the intention of maximizing profits by scaring people into buying security software. I can't deny that ESET and other companies have put a lot of effort not only into tracking the thing, but in providing useful information (links to our various reports in my previous article). It seems pretty clear to me that when Kaspersky described it as "the 'indestructible' botnet" in its own very competent report, those quotes around the "i" word were meant to convey irony, as a blog by Ram Herkanaidu confirms.

So I particularly appreciated Sophos researcher Paul Ducklin's corollary to the Halting Problem, which is usually cited in security circles as proof that an AV program cannot detect all possible malware – or, as Fred Cohen put it, “it is undecidable whether or not a given pair is a viral set”* - as a proof that “You can never write a virus which will evade all possible anti-virus programs, either.” I wish I'd said that. J

I can't help noticing, though, that his point hasn't been taken up by the media. As usual, “the sky is not falling” seems to be less newsworthy than “Fire! Fire!” Fortunately, not all reporters have taken that route. Derek Parkinson of SecurityVibes, Steve Gold of Infosecurity Magazine and SC Magazine's Angela Moscaritolo took a more cautious, balanced view. And just to make my own thoughts clear, I revisited the topic here in the hope of deflating some of the hype.

What really infuriates me, of course, is that at some point in the future, some of the more extreme reports will be dragged out of some media closet as proof of the security industry's hype habit...

prestitial ad