Judge Not (harshly) Lest Ye Be Judged (harshly)
In the modern, professional threat landscape there is still room, albeit tiny, for malware which is written by the proverbial ‘script-kiddy’. As a case in point we do continue to very occasionally see autorun worms written in Visual Basic Script, and of course we ensure that they are detected.
The issue is that the allowance for malware written by novices can lead to consternation when a judgement call needs to be made on the status of a file. Recently we at K7TCL encountered a VBS file which removes a particular Anti-Virus vendor’s security product without requesting prior confirmation. This harked back to the old days of DOS BAT file Trojans which ran commands such as ‘DELTREE /Y’, ‘DEL *.* /Y’ and ‘FORMAT /Q’, to the, presumably, eternal amusement of the script-kiddy who arrogates kudos. However, the VBS file in question could also very well have been written quite legitimately by Technical Support personnel of a competing security company to avoid conflicts between Anti-Virus products, i.e. one product may need to be uninstalled before another can be installed. The decision-making process on the file was further complicated by the fact that several other security products classified it as a ‘kill AV’ Trojan. “Malware or not malware?”, that was the question.
Take it from us, proving that a clean file is actually clean is not always an easy task. On the contrary, it is generally far from straightforward. Many a time it depends on skill, wit and judgement. In the case of our candidate VBS file we decided against detecting it. This was primarily because we recognised that its functionality could not be considered inherently malicious. In addition, quite importantly, the coding style with variable names, etc, seemed to suggest that the script was not written by a trouble-maker, but rather by somebody who perhaps ought to have been a little more careful about requesting user interaction before deleting things. An additional comment explicitly stating the origin of the file and the purpose of the code would have been ideal. The concept of ‘perceived intent’ was the ultimate arbiter in the decision-making process.
Senior Manager, K7TCL