Friday, November 6, 2009

Lose/Lose and psDoom: Art, Games, or Malware?

Now and then, a program comes along about which the security community has difficulty agreeing on a classification.  Such is the case with a Mac software "art project" called Lose/Lose, described by its creator as "a video-game with real life consequences."  If you don't read the warnings carefully, Lose/Lose might appear to be a simple Space Invaders-like game where you shoot at alien spaceships to protect your own ship and earn points, but in this case doing so has the dangerous side effect of deleting your personal files as demonstrated in this Symantec video:



In spite of all the recent press coverage of Lose/Lose, fewer than half of Mac antivirus makers currently offer detection of the program. (Specifically, the Mac antivirus programs that detect it include CA Anti-Virus, Intego VirusBarrier X5, ProtectMac AntiVirus, Sophos Anti-Virus, Symantec Norton AntiVirus, and Trend Micro Security, while conversely ALWIL Avast!, BitDefender, ClamXav, Dr.Web, Kaspersky Anti-Virus, McAfee VirusScan/Security, and PC Tools iAntiVirus do not detect it.  See VirusTotal's analysis, as well as Intego's blog post and ProtectMac's malware list since these programs are not included in VirusTotal.)

Some security analysts, including Chris Boyd from FaceTime Communications/SpywareGuide and Vitalsecurity.org, feel that it's laughable to identify Lose/Lose as malware or a Trojan horse, pointing out that the Web site hosting the so-called malicious file—not to mention the application itself—includes a warning in red capital letters explaining that the program will delete files.  In his article, Boyd points out that part of Symantec's justification for flagging Lose/Lose as malware is that "there's nothing stopping someone with more malicious intentions from modifying it slightly and then passing it on to unsuspecting users."  In light of this rationale, Boyd mentions psDoom, an old game based on the DOOM engine that allows players to kill running processes by shooting at demons, and suggests that if Symantec and other companies are going to flag Lose/Lose as malware because it can cause data loss when used carelessly and "on the basis someone could 'modify and do naughty things with it'" they should be consistent and consider psDoom to be malware as well.

I asked Ben Nahorney, senior information developer at Symantec and author of the article quoted by Boyd, what his thoughts were regarding psDoom.  Nahorney replied:
"While psDoom is similar in nature to Lose/Lose, it doesn't cause any irreparable damage on the computer. Yes, playing it will likely result in your computer crashing, but restarting the computer will fix any issues. In comparison, Lose/Lose is deleting files on the computer and provides no 'undo' option. Based on this, we consider it to be behaving maliciously."
Nahorney's explanation makes sense, although one could argue that psDoom can cause irreparable damage, for example if a user had unsaved data in one of the applications that psDoom killed.  As is the case with Lose/Lose, a user who plays psDoom without reading the warnings may inadvertently become a victim of data loss.  However, losing a few unsaved documents is probably not as bad as losing a substantial amount of one's personal files, so Symantec maintains that psDoom is less of a threat because it's less likely to cause significant damage.

Graham Cluley, senior technology consultant at Sophos who also recently published an article on Lose/Lose, shared with me his opinion about Lose/Lose vs. psDoom:
"Personally I wouldn't want either running on my corporate network. With Sophos Anti-Virus we have an application control functionality that allows sysadmins to control what categories of software users can run beyond just malware protection.  I would say that psDoom was probably a candidate for inclusion in an app control category."
In other words, although Sophos doesn't detect psDoom as malware, Cluley suggests that system administrators concerned about psDoom may want to add a custom exclusion for it.

Lenny Zeltser, member of the board of directors at SANS Technology Institute and incident handler at the Internet Storm Center, shared his opinion with me:
"psDoom is a novelty process manager with a game-like user interface. Its purpose and capabilities are clear to its user. In this, it is no different from Task Manager, Process Explorer, and other process managers. If psDoom was unclear about its purpose, attempted to mislead the user, or had hidden capabilities, such as a backdoor, then I'd consider it malware."
Zeltser makes a good point that psDoom was originally intended as a *nix process manager with a fun interface, although it's worth noting that the Mac version is listed as a game rather than a system administration utility on VersionTracker and CNET Download.com.  Zeltser continues:
"Lose/Lose is similar to psDoom in that it provides a game-like front-end for performing system tasks: deleting files. A major difference between Lose/Lose and psDoom is that the processes psDoom kills are less likely to lead to permanent loss of a significant amount of data, while the files Lose/Lose deletes may truly hurt the user. Another significant difference is that, because Lose/Lose seems to pick the files to delete at random, Lose/Lose behaves very much like a game of Russian roulette. Some people may need to be protected from themselves when playing Russian roulette. Lose/Lose is pretty clear about its adverse effects on the system, because its opening screen states 'KILLING IN LOSE/LOSE DELETES YOUR FILES.'  I can see some users not realizing that the files are deleted in a real sense, especially in our world of short attention spans. Taking these factors into account, I would consider Lose/Lose 'potentially unwanted software,' rather than malicious software."
The final person to respond with his thoughts was Peter James, a spokesman for Mac-exclusive antivirus maker Intego who recently wrote about Lose/Lose on Intego's blog.  Said he:
"We will block this program, as we will any other similar program. However, psDoom is unlikely to be used very much, since it is an X11 program, and does not run natively on Mac OS X. The problem with such programs, though, is that unsavvy users may run such programs and cause damage or, in the case of lose/lose, delete files. We have many enterprise customers who certainly don't want programs like this run on their computers."
James makes a very good point about psDoom being much more difficult to run than Lose/Lose.  When I tried to run it, I discovered that I had to make the program executable first by running chmod from the command line (which a novice is not going to know to do since it's not even mentioned in the documentation).  After that, I was able to get psDoom to run on Snow Leopard, but even then the process management functionality did not work properly, which seems to be caused by a difference in UNIX commands starting with Leopard.  If I couldn't easily get psDoom to kill any processes on the latest release of Mac OS X, it's doubtful that accidental process termination and data loss while playing psDoom will be a problem for the vast majority of users, which is quite a dramatic difference from Lose/Lose.  In spite of this, based on what James said it appears that Intego will soon be the only antivirus vendor to detect psDoom.

Lose/Lose is variously detected (mostly by non-Mac antivirus software) as Application.OSX.Loselose.A, Game/KillFiles, Mac.LoseLose, MacOS!IK, MACOS/LoseLose, MacOS/Loselose.A, OSX_LOSEGAM.A, OSX.Loosemaque, OSX.LoseGame, OSX/LoseGame-A, OSX/LoseLose.A, OSX/LoserGame, Trojan:MacOS_X/Loosemaque.A, and Trojan.OSX.Loselose.A.

psDoom is not currently detected by any antivirus engine.


For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.

2 comments:

  1. Nice article :)

    To be clear, I have no issue with companies flagging it should they choose to do so - my biggest concern with this (and what initially made me get rather annoyed, to say the least) was that they called it a "trojan", when everything we know about this program is that the guy has gone out of his way to tell you what it does.

    We all know "trojan" is going to get more eyeballs than "program that tells you what it's going to do, both on its website and in-game" and I don't think it's a direction they should have gone down. At the time of writing, they still don't mention the (perfectly reasonable) disclosure on their threat summary.

    "malware"? Sure, you can make a case for that - even the creator said he was "kind of ok with it". But "trojan"? No. It's the most overt "trojan" I've ever seen!

  2. (Note regarding the previous comment: "paperghost" is the nickname of Chris Boyd, who I mentioned in the article.)

