Mistaken identity of a security program

About a month ago we received a report of an alleged security program designed to protect computers against malicious programs that use USB memory sticks to spread. A good example of malware that spreads using removable USB media is W32/LiarVB-A.

The alleged security software, named Disk Knight, was written by a Bangladeshi student. Its idea is simple: once a USB key is protected by Disk Knight, the program holds back any other process that tries to start on the computer and displays a message asking the user to block or allow it.

Since USB malware is typically launched automatically when the key is inserted, Disk Knight can stop a virus from infecting the computer via that route. This sounds like a good idea.

Disk Knight dialogue

However, the problem is in the implementation. Once Disk Knight is installed and protecting a computer, it copies itself to every “unprotected” USB key that is inserted, making it “protected”. If that newly protected key is then inserted into another computer, Disk Knight runs and installs itself on that computer too, without asking the user. Copying itself to every removable medium it touches, combined with this lack of user control, is exactly what makes Disk Knight a computer virus.

From Disk Knight’s documentation and code it is hard to tell whether the author realised that his security software is in fact a virus. We assumed there was no malicious intent behind it and initially decided not to detect it as malware. After a second report arrived from another user who was having trouble removing Disk Knight, we decided to classify it as a PUA (potentially unwanted application) and added detection for it.

This case reminded me of Vesselin Bontchev’s seminal paper on beneficial computer viruses, required reading for anybody interested in this intriguing corner of computer virus research. Had Disk Knight’s creator read it and made the changes it calls for, there would have been no need to detect this potentially useful software.