Was it Necessary to Create RexSpy?

Carl Weinschenk

There are a couple of interesting takeaways from this story in RCR News.


The first is that the virus described, which uses a secret SMS message to eavesdrop on just about anything the target device does, appears to be potentially very dangerous.


The other element of interest is how the virus, called RexSpy, came about. SecurStar Gmbh, a German firm, is credited in the story as having developed the Trojan as a "demonstration."


We are making no accusations against SecurStar and have no reason to think the company has anything but the good of the public in mind. We question, however, the appropriateness of developing something dangerous for any reason. Remember, it was just this summer that Consumer Reports got its figurative head handed to it for creating 5,500 viruses as part of a spyware test.


A medical firm developing a real virus in order to demonstrate the seriousness of an illness would be in big trouble. The situation would be even worse if it was even plausible that the reason it developed the virus was to show how efficient its products are in treating it.


In this case, it doesn't seem that creating the Trojan even was necessary. In the story, the company's CEO, Wilfried Hafner, is quoted as saying that "any programmer can develop a similar Trojan horse application without any great investment of time or effort."


This cuts both ways: If creating RexSpy was so easy, then perhaps it's no big deal that SecurStar did so. Certainly, it doesn't approach what Consumer Reports did in terms of sheer numbers. On the other hand, if creation of the Trojan is so simple, why bother?


Could the net impact be to call attention to the vulnerability -- and lead savvy developers to use it as a stepping stone to the creation of more sophisticated viruses that, perhaps, wouldn't be as easy to disarm? After all, innocuous proof-of-concept viruses such as Cabir often are followed by the real and dangerous deal. Creating anything bad is playing with fire.


Proving out vulnerabilities by writing actual viruses may be necessary and a normal way for security researchers to do things. We also are aware, however, that this is an increasingly competitive business, so we hope people aren't taking unnecessary risks. Whatever the dynamics, developing test tube viruses seems like something that should be done with extreme discretion and a minimum of publicity.

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.


Add Comment      Leave a comment on this blog post
Nov 23, 2006 12:01 PM Tim Johnson Tim Johnson  says:
Consumer Reports doesn't sell security software.  Securstar wrote RexSpy and sells software to protect your phone from eavesdropping.Smells like a protection racket.  I've always suspected antivirus companies might be writing viruses to help sell their software, but i never thought one would admit it in public.   Reply
Aug 19, 2009 4:46 PM jimmyx jimmyx  says:

i want to warn everyone against using securstar products ! i've been in prison for 1 year partly because i refused to decrypt my drive but despite using their drivecrypt product law enforcement somehow decrypted my drive. securstar has a backdoor in it or some key to give access to law enforcement. how else can they be selling their "encryption" products in the US ?


Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.

Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.