Lessons from the Samsung rootkit that never existed

A language pack for a European country gets labeled as a keylogger and quickly roils the blogosphere

A lot of malicious software originates in the former Eastern Bloc and other once-communist nations. Theories of why that is vary: Perhaps unemployed workers in those countries are highly educated in technology disciplines and remain steeped in a culture of underground capitalism from the communist era. Or, more simply, it could be a lack of a legal framework to prosecute cybercrime.

Security software firm GFI Software went unintentionally overboard protecting against Balkan malware, classifying the entire Slovenian language as malicious. Under certain settings, GFI's Vipre malware scanning engine labeled the Windows/SL directory found on some Samsung computers as malicious, mistaking it for the StarLogger rootkit. Rootkits hide themselves on a victim's system to escape detection; in reality, the directory contains nothing more than localization files for Slovenian, the language of the south-central European nation of Slovenia.

The false positive came to light when a blogger for Network World (a sister publication to InfoWorld) posted on Wednesday that, using the Vipre malware scanner, he had discovered rootkit software on a new Samsung laptop. Within 24 hours, both Samsung and GFI Software confirmed that the software had not detected a true rootkit. GFI apologized for the mistake on Thursday, calling it a false positive.

"A Slovenian language directory for Windows Live is causing us considerable headaches this morning, and we have no one to blame but ourselves," Alex Eckelberry, general manager of GFI Security, wrote in the post.

The problem, according to a post on the GFI Labs blog, is that its software can use directory paths as a detection method if the scanning software is set to a very aggressive mode of detection.

"The detection was based off of a rarely-used and aggressive Vipre detection method, using folder paths as a heuristic," Eckelberry says. "I want to emphasize 'rarely,' as these types of detections are seldom used, and when they are, they are subject to an extensive peer review and QA process."
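To make the failure mode concrete, here is an added illustration of a folder-path heuristic beside a corroborated check. It is not GFI's code and not part of the original article; the directory layout, file contents and "known bad" hash are all constructed for the example, and the rule that any directory named "SL" marks the StarLogger install folder is a hypothetical stand-in for whatever the real Vipre signature did.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed sample "filesystem": path -> file bytes. None of this is real
# Samsung, Windows Live or StarLogger content; it only mimics the shape of
# the problem (a Slovenian locale folder named SL next to a genuine hit).
SAMPLE_FS = {
    r"C:\Windows\SL\sl-SI\LiveSetup.dll.mui": b"Slovenian UI strings (constructed)",
    r"C:\Windows\SL\sl-SI\wlarp.exe.mui": b"more Slovenian resources (constructed)",
    r"C:\ProgramData\SL\sl.exe": b"MZ hypothetical keylogger body (constructed)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical "known bad" hash set, derived from the constructed sample above.
KNOWN_BAD_HASHES = {sha256_hex(b"MZ hypothetical keylogger body (constructed)")}


def path_only_detect(path: str, data: bytes = b"") -> bool:
    """Aggressive heuristic: any directory component named 'SL' is treated as
    the rootkit's install folder. This is the kind of rule that convicts the
    Slovenian locale folder along with the real thing."""
    parts = PureWindowsPath(path).parts
    # Skip the drive (parts[0]) and the file name (parts[-1]).
    return any(p.upper() == "SL" for p in parts[1:-1])


def corroborated_detect(path: str, data: bytes) -> bool:
    """The path is only a trigger to look closer; conviction requires a second,
    content-based indicator (here a hash match). Locale resources never match,
    so the false positive disappears while the genuine sample is still caught."""
    if not path_only_detect(path, data):
        return False
    return sha256_hex(data) in KNOWN_BAD_HASHES


def scan(fs: dict, detector) -> list:
    """Run a detector over the sample filesystem; return flagged paths, sorted."""
    return sorted(p for p, d in fs.items() if detector(p, d))


if __name__ == "__main__":
    print("path-only  :", scan(SAMPLE_FS, path_only_detect))
    print("corroborated:", scan(SAMPLE_FS, corroborated_detect))
```

Run as-is: the path-only scan flags all three files, including both Slovenian locale resources, while the corroborated scan flags only the constructed sample whose hash is on the list. The general lesson holds beyond this case: a path (or name, or size) is cheap evidence that attackers can mimic and legitimate software can collide with, so it should raise the priority of a closer look, not be the sole basis for a conviction.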

Eckelberry apologized to Samsung and blogger Mohamed Hassan for the mistake.

Security experts took to Twitter to criticize the mistake in short order, with at least one antivirus rival blaming Vipre, despite the fact that GFI noted that only running Vipre in a non-standard, aggressive mode will generate the false positive.

Hassan has become the focus of the most vociferous criticism. To some extent, that criticism is justified: If the IT consultant and blogger had sought out and waited for positive confirmation of the rootkit, the article would have been stopped before it became widely published.

However, if it's true that a support person at Samsung actually told Hassan that "we just put it (the rootkit) there to find out how the computer is being used," then the technology company has to share a part of the blame as well.

Finally, others blame journalists who relayed Hassan's story without adequate confirmation. Ultimately, the speed at which the story propagated is a testament to the nature of news coverage in the digital age. Information is a virus -- even if it's not written in Slovenian.

This story, "Lessons from the Samsung rootkit that never existed," was originally published at InfoWorld.com.

Copyright © 2011 IDG Communications, Inc.
