Post-Worm Panda Attacked

Reader’s advisory: Wired News has been unable to confirm some sources for a number of stories written by this author. If you have any information about sources cited in this article, please send an e-mail to sourceinfo[AT]wired.com.

A battle over secrets broke out between antivirus companies last week, and resulted in one software company’s suspension from the industry’s information-sharing networks.

On January 12th, Panda Software announced to all “Internet users” that it had discovered a new and dangerous worm, HTML/LittleDavinia.

HTML/LittleDavinia turned out to be a tiny threat, affecting only five companies. But Panda itself was hit hard by the LittleDavinia fallout.

The company was quickly attacked by the antivirus industry for making a public announcement about the worm without first notifying other anti-virus researchers and providing samples of the worm, as is required by the industry groups that Panda belongs to, such as the REVS list (Rapid Exchange of Virus Samples).

The LittleDavinia debacle has also left others in the industry hoping that this war of words won’t launch a return to the days when antivirus application developers hoarded information for their own benefit.

“It used to be a problem in the late 1980s that anti-virus companies would announce detection of a new virus, but then sit on the sample so that anyone else could not add detection of it to their programs. I really hope this will not start happening all over again,” said Mikko Hermanni Hyppönen, manager of Anti-Virus Research at F-Secure Corporation.

Antivirus application developers share code samples and virus information so that they can move quickly to update their software.

All agree that speed is of the essence in the war against viruses, but Panda didn’t provide samples to its colleagues until three days after it issued the press release warning the public about the LittleDavinia worm.

Shortly after the incident, Panda spokesperson Donna Rogers said that an employee out sick with a virus (of the human type) was the one who normally posted information to industry alert lists. His absence caused the delay in posting information, Rogers explained.

Vincent Gullotto, director of Network Associates’ antivirus emergency research team, was infuriated with Panda and said that Panda’s inaction proved that the REVS list should simply be dismantled.

“Panda did not follow the agreed upon processes and send samples to other AV Vendors when releasing a press statement. The REVS program has failed, and so did Panda,” Gullotto fumed.

Network Associates (NAI) has been in the hot seat itself for this same issue. Three years ago, McAfee Associates – now the core of NAI’s antivirus team – warned the public of the Remote Explorer virus, but didn’t pass along samples of the virus to the industry for almost a week, according to Rob Rosenberger, webmaster of Vmyths, a virus industry watch website.

Initially Panda seemed remorseful about the time lag that occurred between its public announcement of LittleDavinia and submitting code to the industry. But as the attacks from other antivirus companies regarding its actions escalated, Panda went on the defensive.

Patrick Hinojosa, Panda’s general manager of U.S. operations, released a statement that declared in no uncertain terms that Panda believed the “public’s right to know about viruses comes first.”

Hinojosa also said that the LittleDavinia threat had been contained only due to “quick action” by Panda.

“Because this is an international company with offices in 40 countries around the world and most viruses are written outside of the United States, Panda often picks up on new viruses before other anti-virus companies,” said Hinojosa. “Therefore we know that our competitors look to us to provide information on new viruses from around the world.

“We are continuing to work on streamlining the means of providing this information to our competitors. It is unfortunate that the embattled Network Associates chose to criticize us for alerting the public and handling the source before we had a chance to notify their company of this threat.”

“While it is important to get the message out to IT folks, it does them no good if their vendor can’t provide them a solution, especially when only one vendor has a sample of the virus, and it (the virus) isn’t in the wild. This only causes the IT person to panic wondering if his environment is going to get hit, and he won’t have a fix for it.”

Andy Antipass, IT chief for SpecTech, said that he agrees with both Panda and NAI.

“I appreciate the fact that the Antivirus people are working together to handle whatever threats are out there – virus protection has to be equal on all anti-virus applications, or we’d have a hell of a mess. Virus companies absolutely must play well with each other.”

But Antipass said he’s less concerned about who gets the news about viruses first – the public or the antivirus companies.

“I’m happy to hear updates and warnings from whatever company has something to share with me. A new worm or virus is not going to frighten me – it’s usually just a matter of telling the users, once again, not to open ANY e-mail attachments.”

HTML/LittleDavinia affected users of Microsoft’s Windows 2000. Those who opened an e-mailed attachment that contained the virus were redirected to a website in Spain, which contained code that forced a download of a file containing a Visual Basic Script.

Once downloaded, the script scanned all hard drives connected to the infected computer, and overwrote the contents of all files with HTML code.

The virus no longer poses any threat because the website that contained the script was taken down.

Panda spokesperson Rogers confirmed the company had been suspended from REVS, but neither she nor REVS’ coordinators would say how long Panda would be out of the loop.

A membership statement on the REVS website said that “questions will doubtless be asked by other REVS participants if a company does a press release and/or customer alert and no samples are sent to REVS,” and adds that participants who are “not following the spirit of these rules” will be suspended.

“The first suspension will be for a period of 24 hours, and the suspension period will double for each subsequent offence.”

Rosenberger said it was his understanding that the REVS and the AVED distribution networks each gave Panda a one-week suspension for hoarding.

“But that doesn’t even amount to a slap on the wrist, really. The other vendors only did it because Panda wouldn’t get off their high horse. If Panda had said ‘okay, we were stupid for hoarding,’ then they wouldn’t have received any punishment at all,” said Rosenberger.

“Panda will wince from the spanking, but I predict it won’t make a difference in the long run,” said Rosenberger.

“But hoarding does make a firm look foolish. ‘We’re the only ones on Earth who can save your PC from certain death! We won’t let any other antivirus company help you! Buy our product and you’ll survive the armageddon!’ The truth is that few viruses, and I do mean very few, deserve any attention at all.”
