Linked by Thom Holwerda on Thu 5th Nov 2009 17:29 UTC
Bugs & Viruses
Computers are taking on ever more important roles in our daily lives. They used to be simple tools to get simple things done - work-related, mostly, maybe a few simple games, and that was it. However, over time, they have become the central hubs for all sorts of data - including precious data. For his Master of Fine Arts thesis project, Zach Gage illustrated just how important our computer data has become.
"Malware"
by Mark Williamson on Thu 5th Nov 2009 17:38 UTC
Mark Williamson
Member since:
2005-07-06

"Kind of odd, as the game's website, as well as the game itself, have warnings plastered all over them about the whole deleting files business."

If you look at it from that perspective, it does look odd. But to put it another way:

If somebody I knew sent me a random binary saying "Hey, dude, this is cool!" and the binary has the explicit goal of doing something somewhat dangerous that other apps do not, you bet I expect the malware software to warn me. Not stop me running it, if I'm aware it's an art project, etc. But still...

In case you're thinking "he shouldn't run random binaries people have e-mailed", I don't. But it's clearly a known-harmful app, so though I don't think it's strictly malware (no malicious intent) I think it's reasonable to expect a warning from the same software that protects you from other known-harmful code.

And that's leaving aside the fact that parents sharing a computer with their young kids or employers with business desktops, or whatever have pretty strong reasons to want to block apps that operate in an unfamiliar way and will delete data, even if they do warn you first!

It's fireworks night here in the UK. Fireworks are not bombs, they are designed with recreational not destructive intent. But they are still treated with caution since they are dangerous. I think this app is similar.

Reply Score: 2

RE: "Malware"
by umccullough on Thu 5th Nov 2009 17:57 UTC in reply to ""Malware""
umccullough Member since:
2006-01-26

If somebody I knew sent me a random binary saying "Hey, dude, this is cool!" and the binary has the explicit goal of doing something somewhat dangerous that other apps do not, you bet I expect the malware software to warn me. Not stop me running it, if I'm aware it's an art project, etc. But still...

In case you're thinking "he shouldn't run random binaries people have e-mailed", I don't. But it's clearly a known-harmful app, so though I don't think it's strictly malware (no malicious intent) I think it's reasonable to expect a warning from the same software that protects you from other known-harmful code.


So, you trust your malware software to warn you of every impending threat?

Seems like you've possibly fallen into the trap this article was trying to portray... You've put your trust into software written by others to protect your data for you.

If you're not backing it up and taking precautionary measures to prevent data loss, then you're ultimately just wandering around in a dangerous world hoping that everyone is watching out for you.

I think an example program like this should be given to all first time computer users (even if it doesn't actually delete their files, but just pretends to), to remind them that not all that glitters is gold, and clicking on something neat and shiny could have dire consequences if they aren't thinking ahead.

Reply Score: 2

RE[2]: "Malware"
by Mark Williamson on Thu 5th Nov 2009 18:26 UTC in reply to "RE: "Malware""
Mark Williamson Member since:
2005-07-06


So, you trust your malware software to warn you of every impending threat?


No, I just don't think that it should ignore known threats that it could trivially warn against. If a friend sent me this program without warning me what it did, I'd consider it rude. If software that behaves in a trojan-like way is known to the anti-malware vendors, then I would consider it irresponsible if they didn't add it to their database. Their target audience isn't me, it's more vulnerable users who could benefit from these warnings.

I shouldn't rely on getting a malware warning. But I see absolutely nothing odd about the anti-malware vendors flagging up this software, it's exactly what they should be doing and represents fairly sensible behaviour on their part, IMO. Whether anti-malware software should be necessary is a somewhat independent issue...


Seems like you've possibly fallen into the trap this article was trying to portray... You've put your trust into software written by others to protect your data for you.

If you're not backing it up and taking precautionary measures to prevent data loss, then you're ultimately just wandering around in a dangerous world hoping that everyone is watching out for you.


I think that's quite a lot to infer from what I said! There's also a "trap" in assuming that because technically literate users are able to protect their personal machines against such threats that nobody else has a legitimate use case for anti-malware software. I think a corporation (or parent, or long-suffering family computer-fixer) would be justified in installing anti-malware software just to reduce the instances of pain that irresponsible or ignorant users might present to them. It doesn't have to be a complete fix to be worth the effort, if it saves the admin a spate of "please restore backups of these files that a game deleted" then that's desirable.

If I were in this position, I'd prefer that the software flag up known applications that look like a game and yet delete files. In this case it is known, so it's been listed as malware and I think that's the sensible precaution for the vendors to take.

Note, though, that it does sound to me like the author has been responsible in warning users of the functionality of the program so I do not consider this to be true malware - there's no malice. I just think it's still a reasonable thing to block by default as for most users it probably doesn't do something they want!


I think an example program like this should be given to all first time computer users (even if it doesn't actually delete their files, but just pretends to), to remind them that not all that glitters is gold, and clicking on something neat and shiny could have dire consequences if they aren't thinking ahead.


I'd agree with that - most computer users seem completely unaware of the extent to which they rely on good behaviour from their software and often can't understand why they'd be at risk anyhow.

Reply Score: 2

RE[3]: "Malware"
by umccullough on Thu 5th Nov 2009 19:15 UTC in reply to "RE[2]: "Malware""
umccullough Member since:
2006-01-26

If software that behaves in a trojan-like way is known to the anti-malware vendors, then I would consider it irresponsible if they didn't add it to their database. Their target audience isn't me, it's more vulnerable users who could benefit from these warnings.


In order to "behave like a trojan" - the software would pretty much have to do something other than what it says it will do. Since it specifies exactly what it will do, I don't consider it to be a "trojan" by the definition.

Dangerous, yes, trojan, no.

It's really no more dangerous than the rm command - it just gives the user a fun, random way to do the same thing that a user can already do on their own.

"Seems like you've possibly fallen into the trap this article was trying to portray... You've put your trust into software written by others to protect your data for you.

If you're not backing it up and taking precautionary measures to prevent data loss, then you're ultimately just wandering around in a dangerous world hoping that everyone is watching out for you.


I think that's quite a lot to infer from what I said!
"

I inferred a possibility based on what you claimed should happen with your anti-malware software - nothing more.

There's also a "trap" in assuming that because technically literate users are able to protect their personal machines against such threats that nobody else has a legitimate use case for anti-malware software.


I never said anti-malware software was useless - but if you rely on it to protect your data, you're doing it wrong. It should be viewed as a time-saving product, not a data-saving product: it can occasionally save you the time of having to restore from backups due to data loss. I believe you alluded to this also in your followup statement (which I didn't quote).

If I were in this position, I'd prefer that the software flag up known applications that look like a game and yet delete files. In this case it is known, so it's been listed as malware and I think that's the sensible precaution for the vendors to take.


Where do you draw the line for "looks like a game"? I've seen some pretty fancy/shiny looking software that has the sole purpose of altering files on your system (possibly destroying them) without backing them up first. Sometimes this software just begs you to click a button and destroy data by making the button so nice and pleasant looking ;)

As it turns out, I've seen software I use daily flagged as "malware" because the vast majority of people don't know how to use it properly, or don't understand the consequences of running it. In some cases, this software has been added/removed/added/removed from malware listings repeatedly over several years because the malware software authors can't decide if it's legitimate or not.

In the end, by choosing anti-malware software, you've chosen to let someone else decide what's best for you. You're also relying on them to do it right in the first place, which is no guarantee.

Always backup your important data.

Reply Score: 2

RE[4]: "Malware"
by Mark Williamson on Thu 5th Nov 2009 21:15 UTC in reply to "RE[3]: "Malware""
Mark Williamson Member since:
2005-07-06

In order to "behave like a trojan" - the software would pretty much have to do something other than what it says it will do. Since it specifies exactly what it will do, I don't consider it to be a "trojan" by the definition.

Dangerous, yes, trojan, no.


Neither do I - but if it looks like one thing and does another, then that is behaving somewhat like a trojan. It doesn't make it a trojan - trojans are malware and I don't think this is. But its appearance would still seem to be misleading...


It's really no more dangerous than the rm command - it just gives the user a fun, random way to do the same thing that a user can already do on their own.


At least with the rm command you know what you're deleting. Most of the time, depending on how much fun you have with globs!

"
I think that's quite a lot to infer from what I said!


I inferred a possibility based on what you claimed should happen with your anti-malware software - nothing more.
"

I don't actually use any anti-malware software, so I don't know what exactly is normally expected behaviour. I was merely pointing out what I saw as a logical inconsistency in the article's suggestion that listing this software as malware is peculiar. I think malware vendors are right to list this, even though I think individual users should take responsibility for their stuff where possible.

<snipped some stuff>


Where do you draw the line for "looks like a game"? I've seen some pretty fancy/shiny looking software that has the sole purpose of altering files on your system (possibly destroying them) without backing them up first. Sometimes this software just begs you to click a button and destroy data by making the button so nice and pleasant looking ;)


That's true :-) I think in this case the difference is (relatively) clear-cut in that the software is trying to mimic the appearance and user-facing functionality of space invaders whilst also performing a function that no sane person would expect space invaders to perform.

In this case the software is doing the honourable thing and warning users about what it *really* does, so it's not actually trying to deceive them. But I'm happy to see other tools attempting to protect users from their stupidity / misunderstanding.

I know computer users who I can imagine would think the warning messages were some kind of plot background for the game, or click through without reading them. Do these people deserve to lose data? They'll lose it eventually but I wouldn't want to speed the process for them ;-)


As it turns out, I've seen software I use daily flagged as "malware" because the vast majority of people don't know how to use it properly, or don't understand the consequences of running it. In some cases, this software has been added/removed/added/removed from malware listings repeatedly over several years because the malware software authors can't decide if it's legitimate or not.


Not really related but - I had a friend who kept an archive of virus code for educational purposes (and, in his case, it really *was* for educational purposes). Whenever he plugged in the hard drive that contained it, his AV software would go insane and slow down his PC for a considerable length of time, even though they were meant to be there (and weren't being run).

Out of interest, what sorts of things do you find keep going in and out of malware rating? It's certainly something I can imagine happening in the same way I can think of some network admin tools sometimes being "hacker tools". Just curious.


In the end, by choosing anti-malware software, you've chosen to let someone else decide what's best for you. You're also relying on them to do it right in the first place, which is no guarantee.


True. This *is* the case with all software, in a sense - people assume that their operating system will prevent other users bypassing permissions checks, that their word processor will not silently alter their data ... At the end of the day, though, you just can't remove the human element from your computer system and people do have to take responsibility for foul-ups that they let a computer perpetrate.


Always backup your important data.


Amen. (in fact, this discussion reminded me to do another backup for offline storage!)

Reply Score: 2

RE[5]: "Malware"
by umccullough on Thu 5th Nov 2009 21:39 UTC in reply to "RE[4]: "Malware""
umccullough Member since:
2006-01-26

Out of interest, what sorts of things do you find keep going in and out of malware rating? It's certainly something I can imagine happening in the same way I can think of some network admin tools sometimes being "hacker tools". Just curious.


Actually, pretty harmless stuff that is generally classified as "distributed computing" software.

Examples include BOINC, distributed.net's dnetc, Seventeen or Bust's sb.exe client, etc.

Being a member of several distributed computing forums and mailing lists (and even committing changes to some of them), I often see people reporting "<some famous company>'s antivirus product has flagged <some app> as malware, how can we get it removed from their list?".

Often times the very purpose of the software is what causes it to be labeled malware, namely: It runs in the background (often as a service, or program that starts up automatically), it eats up CPU resources, it downloads new work, and uploads results to the server, it reports some basic usage info (for statistics purposes).

While these activities don't destroy data, neither does the majority of malware out there. Most of it is classified as malware simply because it's running without the user's knowledge, regardless of what it actually does.

Reply Score: 2

RE[6]: "Malware"
by Mark Williamson on Thu 5th Nov 2009 21:57 UTC in reply to "RE[5]: "Malware""
Mark Williamson Member since:
2005-07-06


Actually, pretty harmless stuff that is generally classified as "distributed computing" software.


That's interesting. From what you said, re the software running in the background eating resources and therefore looking malware-ish, is it picked up based on heuristic detection? Or is this behaviour somehow causing anti-malware vendors to add it to their signature lists?

I must admit that my first (naive, I hope!!!) impulse was to think that, perhaps, some script kiddies try to improve their scores in distributed computation competitions by trojanning their clients onto others' machines. I can just about imagine this being done but it's not something I've thought about before. Have you ever known this happen?

Reply Score: 2

RE[7]: "Malware"
by umccullough on Thu 5th Nov 2009 22:44 UTC in reply to "RE[6]: "Malware""
umccullough Member since:
2006-01-26

That's interesting. From what you said, re the software running in the background eating resources and therefore looking malware-ish, is it picked up based on heuristic detection? Or is this behaviour somehow causing anti-malware vendors to add it to their signature lists?


Ah, that's an excellent question indeed.

In the cases I have seen reported - the anti-malware vendors had specifically labeled the product as such (giving it a "name" and everything).

Thus, it wasn't necessarily the behavior of the software, but rather someone having reported the behavior of the software to the vendor.

I must admit that my first (naive, I hope!!!) impulse was to think that, perhaps, some script kiddies try to improve their scores in distributed computation competitions by trojanning their clients onto others' machines. I can just about imagine this being done but it's not something I've thought about before. Have you ever known this happen?


Oh indeed. In fact, there have been known-reported trojans out there whose sole purpose was to install a distributed computing app in a hidden location and start it running. In those cases, the app being dropped by the trojan is not the malware, however, but the trojan itself.

Fortunately, in almost all cases where this behavior has been detected, the projects have blacklisted the user and removed all their statistics. Almost every distributed project out there makes a disclaimer that installation of the software on a machine without the owner's permission is illegal and subject to fines and/or imprisonment (or both).

In some cases, I even suspect system admins for corporations likely are finding the software installed by some employee (perhaps who is no longer working there), and probably report it as malware. Again, this is not a case of the software being malware, but rather an abuse of corporate resources. The same argument could be used if someone was using a corporation's high-end server to compile nightly builds for some large FOSS project - and yet gcc is not malware ;)

Reply Score: 2

Comment by Vanger
by Vanger on Thu 5th Nov 2009 18:02 UTC
Vanger
Member since:
2007-11-28

It's an art. It is ok to label it as a trojan, too.

By destroying files it shows how we are destroying our time.

After all, every file that was not backed up was not so important.
Any second of our life that was wasted wasn't so important either.

Reply Score: 2

RE: Comment by Vanger
by StephenBeDoper on Thu 5th Nov 2009 20:40 UTC in reply to "Comment by Vanger"
StephenBeDoper Member since:
2005-07-06

It's an art.


Heh.

"One art, please!"

Sorry, couldn't resist.

Reply Score: 2

RE[2]: Comment by Vanger
by Vanger on Fri 6th Nov 2009 09:15 UTC in reply to "RE: Comment by Vanger"
Vanger Member since:
2007-11-28

It's two arts!

Reply Score: 1

RE: Comment by Vanger
by Soulbender on Fri 6th Nov 2009 11:01 UTC in reply to "Comment by Vanger"
Soulbender Member since:
2005-08-18

.

Edited 2009-11-06 11:06 UTC

Reply Score: 2

Puh-lease
by tomcat on Thu 5th Nov 2009 18:35 UTC
tomcat
Member since:
2006-01-06

This whole argument is silly. It's malware. It destroys data. The average person doesn't read documentation or on-screen notices (we all know this -- they click-through practically everything), so the deletion of files will be unexpected and unwanted. Which is precisely what malware does.

Reply Score: 1

RE: Puh-lease
by sbenitezb on Thu 5th Nov 2009 18:41 UTC in reply to "Puh-lease"
sbenitezb Member since:
2005-07-22

Well, that should teach people to read what's on screen and not blindly click whatever button pops up first. Knowing that most people act dumb in front of computers, then it should be labeled as malware because it exploits human behaviour.

Reply Score: 2

RE: Puh-lease
by umccullough on Thu 5th Nov 2009 19:18 UTC in reply to "Puh-lease"
umccullough Member since:
2006-01-26

so the deletion of files will be unexpected and unwanted. Which is precisely what malware does.


Sounds like you've relabeled malware as: Anything that doesn't prevent the user from hurting themselves.

I suspect there are a multitude of tools that come with your operating system that allow a user to destroy their files if they simply click through the warnings without paying attention.

Reply Score: 2

RE[2]: Puh-lease
by tomcat on Thu 5th Nov 2009 19:48 UTC in reply to "RE: Puh-lease"
tomcat Member since:
2006-01-06

Sounds like you've relabeled malware as: Anything that doesn't prevent the user from hurting themselves.

I suspect there are a multitude of tools that come with your operating system that allow a user to destroy their files if they simply click through the warnings without paying attention.


Let's say that you download a piece of software of unknown/untrusted origin, you run it, and you get the UAC prompt which says that the software is trying to do something which requires elevated privileges. You click "OK", and it proceeds to damage your machine. Is that malware or not? You got a warning. You had an opportunity to decline. Is there really much of a difference?

Call it social engineering. It leverages well known human behaviors -- the tendency of people to ignore documentation and on-screen information dialogs -- to do damage to your machine. And it's designed to wantonly destroy data. It isn't a defect. It's intentional. That isn't art. It's malware.

Edited 2009-11-05 19:54 UTC

Reply Score: 2

RE[3]: Puh-lease
by umccullough on Thu 5th Nov 2009 20:16 UTC in reply to "RE[2]: Puh-lease"
umccullough Member since:
2006-01-26

Let's say that you download a piece of software of unknown/untrusted origin, you run it, and you get the UAC prompt which says that the software is trying to do something which requires elevated privileges. You click "OK", and it proceeds to damage your machine. Is that malware or not? You got a warning. You had an opportunity to decline. Is there really much of a difference?


You jumped over the part where the "malware" application starts up and before anything bad happens, the user is shown a full screen of red text declaring: "If you destroy an alien ship, it will destroy a file on your disk", along with a disclaimer about data loss as a result of using the software...

And if the user chooses to continue from there, doing what was described by the introduction screen, the results would be exactly as described.

That's not malware, it's just User Idiocy.

Reply Score: 2

RE[4]: Puh-lease
by tomcat on Fri 6th Nov 2009 03:38 UTC in reply to "RE[3]: Puh-lease"
tomcat Member since:
2006-01-06

"Let's say that you download a piece of software of unknown/untrusted origin, you run it, and you get the UAC prompt which says that the software is trying to do something which requires elevated privileges. You click "OK", and it proceeds to damage your machine. Is that malware or not? You got a warning. You had an opportunity to decline. Is there really much of a difference?


You jumped over the part where the "malware" application starts up and before anything bad happens, the user is shown a full screen of red text declaring: "If you destroy an alien ship, it will destroy a file on your disk", along with a disclaimer about data loss as a result of using the software...

And if the user chooses to continue from there, doing what was described by the introduction screen, the results would be exactly as described.

That's not malware, it's just User Idiocy.
"

I agree that users SHOULD read onscreen notices, but the reality is that they DON'T. It's one of the reasons why malware has become such a persistent problem. Perhaps a better way to evaluate this software is to examine its purpose. IMHO, it was created to create chaos and destroy data -- no different than any other malicious malware. Even if there's a disclaimer.

Reply Score: 2

RE[5]: Puh-lease
by azior on Fri 6th Nov 2009 13:09 UTC in reply to "RE[4]: Puh-lease"
azior Member since:
2009-09-24

I agree that users SHOULD read onscreen notices, but the reality is that they DON'T. It's one of the reasons why malware has become such a persistent problem.


That's exactly what this software wants to prove. Even with warnings people do stupid things. If they are hurt they will blame the software instead of their ignorance.

This software/art project is a very explicit way of making this clear and makes us geeks more aware of this problem. We can try and act accordingly.

People learn about the dangers of driving and are instructed to use safety measures to avoid them. With computers, they don't know about all the dangers involved.

But these people are not at fault. Since computers have become such an important factor of our lives, they should be made aware of the dangers and safety measures. But who can and will?

PS: I want that game on a virtual machine!

Reply Score: 1

RE[5]: Puh-lease
by n4cer on Sun 8th Nov 2009 18:36 UTC in reply to "RE[4]: Puh-lease"
n4cer Member since:
2005-07-06

I agree that users SHOULD read onscreen notices, but the reality is that they DON'T. It's one of the reasons why malware has become such a persistent problem. Perhaps a better way to evaluate this software is to examine its purpose. IMHO, it was created to create chaos and destroy data -- no different than any other malicious malware. Even if there's a disclaimer.


Plus, what if someone with malicious intent repackages this software (standalone or with a collection of other games, for example) and removes the notices of data loss? Better to be proactive and detect it now, and I agree, it should be classed as malware. Even if not the developer's intent, people don't expect a game to delete their data.

A Symantec rep in the CNET article actually mentions this scenario:

"We are concerned that somebody could take this and modify it in some way where users aren't aware of the consequences," Kevin Haley, director of product management at Symantec Security Response, said in an interview on Wednesday. "We want to make people aware of what's on their machine and they can make the decision on whether to run it or not."

Edited 2009-11-08 18:37 UTC

Reply Score: 2

RE[6]: Puh-lease
by umccullough on Mon 9th Nov 2009 06:30 UTC in reply to "RE[5]: Puh-lease"
umccullough Member since:
2006-01-26

Plus, what if someone with malicious intent repackages this software (standalone or with a collection of other games, for example) and removes the notices of data loss? Better to be proactive and detect it now, and I agree, it should be classed as malware. Even if not the developer's intent, people don't expect a game to delete their data.


Do you really believe it's so difficult for someone to add this "feature" to any other game out there? Deleting files on a disk is a pretty trivial task...

Reply Score: 2

RE[7]: Puh-lease
by n4cer on Mon 9th Nov 2009 16:24 UTC in reply to "RE[6]: Puh-lease"
n4cer Member since:
2005-07-06

Do you really believe it's so difficult for someone to add this "feature" to any other game out there? Deleting files on a disk is a pretty trivial task...


No, I don't believe it's difficult, and the response should be similar in such cases. It's largely about expected behavior. If I made/hacked a game to acquire your PII or CC#s, or randomly encrypt/corrupt your data, would you not consider that malware even if I gave notice of what I'd be doing? If not my version, would you consider a repackaged release of my game (sans notices) by a third-party malware?

You don't even need admin privileges to do this, so what good is AV software if it doesn't warn the user about these types of apps?

Reply Score: 2

Art?
by sbenitezb on Thu 5th Nov 2009 18:39 UTC
sbenitezb
Member since:
2005-07-22

I wouldn't consider this an art. It's an engineering thing.

I would launch it with chroot and copy some random directories to test it if I really wanted to.

Reply Score: 3

Interesting
by DominoTree on Thu 5th Nov 2009 18:53 UTC
DominoTree
Member since:
2007-03-14

Interesting idea. Reminds me of psDooM - a Doom-based process manager (http://psdoom.sourceforge.net/)

Think it'd be a bit more fun if a file were deleted if you died or lost the game, however. A bit of incentive.

Reply Score: 1

RE: Interesting
by KrustyVader on Thu 5th Nov 2009 21:06 UTC in reply to "Interesting"
KrustyVader Member since:
2006-10-28

I think this is the original release.
http://www.cs.unm.edu/~dlchao/flake/doom/

It was (or is) a strange tool, the only one I know where a process can defend itself.

Reply Score: 1

RE[2]: Interesting
by DominoTree on Thu 5th Nov 2009 22:08 UTC in reply to "RE: Interesting"
DominoTree Member since:
2007-03-14

I think you're right ;) - That was the one I was looking for, I specifically remember the bit about the game's controlling terminal being killed by another monster ;)

Reply Score: 1

npcomplete
Member since:
2009-08-21

"Although touching aliens will cause the player to lose the game, and killing aliens awards points, the aliens will never actually fire at the player," he explains, "This calls into question the player's mission, which is never explicitly stated, only hinted at through classic game mechanics. Is the player supposed to be an aggressor? Or merely an observer, traversing through a dangerous land?"


So can the player win by not destroying the aliens and avoiding touching them?

His deeper message is the most interesting part of the experiment to me. In fact perhaps it would better illustrate his point about assumptions and real unintended and unknown consequences if he simply warned in big letters about the serious real permanent consequences to the user's machine but did not specify what they were. Would people still choose to risk shooting at the aliens?

Edited 2009-11-06 09:32 UTC

Reply Score: 1