Tuesday, April 5, 2011

False Positive

The big news last week in consumer electronics was that Samsung was not installing keylogging software on their new laptops.
Security consultant Mohammad Hassan was using VIPRE, a malware scanner from GFI. VIPRE had reported a localization package as an infection called StarLogger. StarLogger belongs to a class of malware known as keyloggers, which record a user's key presses to collect information like user names and passwords as they're typed. StarLogger usually installs itself to the C:\WINDOWS\SL directory which, as it so happens, is also the installation directory of Windows' Slovenian language pack.
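To show why a signature keyed on a directory alone misfires the way the post describes, here is an added illustration (not code from the original post, from GFI, or from Samsung) that runs a path-only rule and a hash-corroborated rule over a constructed stand-in file set; the paths, file contents and the "known bad" hash are all made up for this example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEntry:
    path: str       # Windows path as found on disk
    content: bytes  # file bytes (constructed sample data, not real malware)


# Constructed sample "filesystem": two language-pack files and one stand-in for a
# keylogger dropped into the same directory. The byte strings are invented here.
SAMPLE_FS = [
    FileEntry("C:\\WINDOWS\\SL\\sl-SI.mui", b"MZ..Slovenian resource strings (constructed)"),
    FileEntry("C:\\WINDOWS\\SL\\sl.dll", b"MZ..keyboard layout tables (constructed)"),
    FileEntry("C:\\WINDOWS\\SL\\sl.exe", b"MZ..hooks keyboard, writes keys.log (constructed stand-in)"),
]

# Constructed signature set: the hash of the stand-in only. A real engine would carry
# hashes or byte patterns of actual samples; this value exists only for the example.
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_FS[2].content).hexdigest()}

SUSPECT_DIR = "C:\\WINDOWS\\SL\\"


def _in_suspect_dir(entry):
    return entry.path.upper().startswith(SUSPECT_DIR)


def path_only_detector(entries):
    """Naive rule resembling the one the post describes: everything under
    C:\\WINDOWS\\SL is reported as StarLogger, language pack included."""
    return sorted(e.path for e in entries if _in_suspect_dir(e))


def corroborated_detector(entries):
    """The directory is only a hint; a verdict also needs a content hash that
    matches a known sample, so the benign language-pack files are not flagged."""
    return sorted(e.path for e in entries
                  if _in_suspect_dir(e)
                  and hashlib.sha256(e.content).hexdigest() in KNOWN_BAD_SHA256)


def false_positives(entries):
    """Files the path-only rule flags that the corroborated rule clears."""
    return sorted(set(path_only_detector(entries)) - set(corroborated_detector(entries)))
```

Running `false_positives(SAMPLE_FS)` lists exactly the two language-pack files, which is the shape of the misreport in the Samsung story.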
I don't do malware research on consumer electronics so I'm not familiar with how they're supposed to be reported. However, sprinting to a major tech blog to report the latest malware is probably not the preferred method. And anyway, computer malware is such a rapidly evolving battlefront that signature-based defenses have not been effective in quite some time. The list of blocked items is so long that system performance is often affected more by the scan than the infection. Heuristic (behavior-based) scans aren't much better, either. So many of the tricks the old code monkeys used to program with are practically worms and viruses in their own right.
So, while there is enough blame to go around, most of it belongs on us. We get the blame for letting the story get ahead of the news and jumping at "cyber-threats" around every corner.