First published: 17th June 2008
Allan Dyer
Marketing is NOT Education!
Last Friday was the 13th June, Black Friday! Days like that used to trigger a peak of interest in viruses: for a few days before, reporters would call up for predictions and advice to prevent disaster, and for a few days after, reporters would call for damage estimates and advice on recovery. Oh, and some users would call with problems. The greater the damage, predicted or reported, the better the headlines, so reporters tended to focus on the more exaggerated predictions and estimates. Less responsible marketing droids would take advantage of this, and more responsible predictions and advice would be overshadowed and overlooked.
Then a brilliant marketing droid came up with the "Virus Calendar" - print the virus activation dates for the year on a nice big poster, with your company name on it, of course. This is presented as an "educational" tool - raising awareness about the virus problem, and helping people deal with it. It does nothing of the sort. It raises fear and anxiety about the problem, and focuses attention on one relatively insignificant detail: the activation date. Activation dates are probably the second easiest feature of a virus to change, after the text messages - on an old, non-polymorphic DOS virus, just search for the date check OS call, and change the values in the conditional test just afterwards. Trivial to do without access to the source code. In any case, many viruses don't have a calendar date trigger for their payload.
The calendar does have a small diagnostic utility: it is the morning of March 6th, and someone calls up saying their PC won't boot. The technician considers that it might be a Michelangelo activation; but a good technician also considers it might be a disk crash, power supply failure, other software failure, etc. An investigation is still needed. In the end, it doesn't matter if the data was lost to a virus or a disk crash, what matters is whether adequate protection was in place - where are your backups? The calendar doesn't tell you. I don't think any IT department used those calendars for their planning, either; "OK, we have to complete the preventive sweep of all PCs by 18:00 on 5th March. Remember, we're looking for Michelangelo. In two months, we have another sweep to prepare for, that time for Friday 13th". A sane IT department works to prevent infection in the first place.
So why do I say that McAfee's "Mapping the Mal Web" is the new Virus Calendar? It presents itself as a tool to help users, saying, "For the first time, Mapping the Mal Web offered a comprehensive guidebook for web tourists - where it was safe to surf and where surfers should avoid." As an annual report, it can (possibly) reveal what the situation was, but not what it will be. This year's report, the second, compared to last year's, demonstrates the danger. Assuming, for the moment, that both were accurate, the attentive "web tourist" would, after reading the first report, carefully avoid visiting .tk (Tokelau) domains, and view .hk (Hong Kong) domains as only one eighth of the risk. The first report directs surfers to the domains that are identified as high risk in the second report!
In addition, apart from the specific advice being damaging, the general message focuses attention on an unimportant detail, distracting from truly useful advice. For the Virus Calendar, the detail is the date, the evil meme is, "you can avoid viruses by watching a calendar". For "Mapping the Mal Web" the detail is the TLD, the evil meme is, "you can avoid malware by avoiding certain TLDs". I visit .hk websites every day; according to McAfee's report, about one in five of those should be malicious - why haven't I encountered hundreds of malicious .hk sites in the past year? There must be a difference between my surfing behaviour and the surfing behaviour of the users studied by McAfee. Most of the .hk sites I visit are related to a company or organisation I know. Most I have visited before. Others have been linked from a site I know, or a friend or business contact provides the link. This does not guarantee that the sites are safe: maybe the linking site was hacked, or the person I know was fooled, but it makes it less likely. It might account for the difference between my experience and that of the users McAfee studied. Unfortunately, we don't know because McAfee did not provide sufficient detail about those users. Were they users who, in general, had no interest in Hong Kong people and events, but who would click on any link arriving in spam? If they were, we could expect a very low number of legitimate .hk sites and a very high incidence of malicious .hk sites in their surfing. The lesson to learn, and the lesson that McAfee's report distracts from, is to be cautious about the links you follow - especially those arriving in unexpected emails.
McAfee's first two "Mapping the Mal Web" reports have been misleading, and they encourage unsafe user behaviour. I ask McAfee to apologise and to present a plan for making their third annual report truly useful.