Slashdot Mirror


Malware Modification Contest Has Antivirus Vendors Upset

SkiifGeek writes "Race to Zero, a sideline competition being set up at this year's DefCon, already has some Antivirus vendors steaming over the objectives of the contest. They are upset because it is essentially a polymorphism exercise. Entrants are given a set of malware samples which they must then modify to pass through a battery of antivirus scanners without detection while still carrying a viable payload. Even if competitors ignore the published vulnerabilities and weaknesses affecting antivirus vendors, the competition should turn up some interesting results. It may provide technical insight and concepts for further research as similar competitions have done in the past."

167 comments

  1. Oh no! by i_liek_turtles · · Score: 5, Insightful

    We may have to fix our software!

    1. Re:Oh no! by Lennie · · Score: 3, Interesting

      Yep, security is a process

      --
      New things are always on the horizon
    2. Re:Oh no! by Frosty+Piss · · Score: 4, Insightful

      And really, I'm sorry, but what doesn't get these leeches in a tizzy? Anything that threatens their profit model....

      --
      If you want news from today, you have to come back tomorrow.
    3. Re:Oh no! by Kjella · · Score: 2, Interesting

      Having a highly efficient Swiss-cheese-patching process is still not a mark of good security. Don't interpret that as saying that security is not a process, but the value of doing a one-time job to make a good security design should also not be underestimated. In fact, I think many companies would do well to divert a little more resources to just that...

      --
      Live today, because you never know what tomorrow brings
    4. Re:Oh no! by Lennie · · Score: 1

      I totally agree. Spending time on doing it right the first time, using compartments, etc. does make a lot of sense and probably saves you lots of aggravation/time in the long run.

      --
      New things are always on the horizon
    5. Re:Oh no! by OMNIpotusCOM · · Score: 1

      EX-ACT-LY!

      This is something that anti-virus companies should have been doing themselves CONSTANTLY anyway, and it's only now that someone is doing something they should have been doing all along that they decide to wipe the tomato off their face?

      The line between anti-virus and adware/spyware/malware scanner is blurring so much now anyway that they're seemingly just upset over having to do more work. Basically they're just up-selling bloatware now, and scaring grandmothers and soccer moms into thinking they need a software firewall, virus scanner, email scanner and internet filter is the only way they're getting money right now.

    6. Re:Oh no! by NotBorg · · Score: 1

      Contrast

      1. Security vulnerability discovered
      2. Anti-vulnerability software gains detection
      3. ???
      4. Profit

      vs

      1. Security vulnerability discovered
      2. bug report issued to affected software's development process.
      4. defective software fixed.
      5. ???
      6. ???
      7. ???
      8. Will code HTML for food?

      I'm just say'n.

      --
      I want this account deleted.
    7. Re:Oh no! by mortonda · · Score: 1

      How dare someone *else* write viruses!!! ;)

    8. Re:Oh no! by Anonymous Coward · · Score: 0

      "We may have to fix our software!" - by i_liek_turtles (1110703) on Sunday April 27, @01:11PM (#23215170)

      Which is why these antivirus companies' "HEURISTICS" engines need improvement!

      ("Heuristics" = 'smells like a duck, tastes like a duck, & looks like a duck = must be a duck')-type tech in antivirus products (other things too, but the point's there).

      It is important...

      What AV Company leads that area, per current results?

      Apparently, NOD32 does!

      ( & has kept such leadership in that category during formal testing @ av-comparatives.org & vb100 the past few years now over all other competition).

      NOW, if you don't want scripted viruses (via java/javascript)? Don't run them in your web browser, you won't get any of this.

      (Yes, that's a PAIN on some sites (so, you need a browser that allows "exception sites", & FireFox will do THAT, via an addon called "noscript" (Flashblock's another one that may help also, due to Adobe's products being rampantly exploited lately)... SECUNIA DATA ON BROWSER SECURITY (dated 04/28/2008):

      Opera 9.27 security advisories @ SECUNIA (0% unpatched):

      http://secunia.com/product/10615/?task=advisories

      Netscape 9.0.0.6 (0% unpatched - but, now discontinued by Mozilla, so it WILL be vulnerable to things FF won't be now & in the future):

      http://secunia.com/product/14690/

      FireFox 2.0.0.14 security advisories @ SECUNIA (17% unpatched):

      http://secunia.com/product/12434/

      IE 7 (latest cumulative update from MS) security advisories @ SECUNIA (33% unpatched):

      http://secunia.com/product/12366/

      ----

      MOST OF WHAT YOU SEE OUT THERE NOWADAYS ONLINE? Javascript + IFrame exploits... so, getting a secure browser, & creating "exception sites" for running IFrames &/or JavaScript, & for those exception sites ONLY, is a GOOD idea (sites like online shopping &/or online banking come to mind - they OFTEN DEMAND YOU USE JavaScript/Cookies etc. so on those sites, use them, since you are forced to... all others? TURN IT OFF, & BE SAFE(r)).

      ----

      NOW - As far as "std. 'oldschool' binary infectors"? ALL SOFTWARE MAKERS THAT DON'T DO THIS MAY HAVE TO DO AS YOU SAID & I QUOTED:

      If apps were coded to say, check their filesize &/or CRC-32 @ startup? They can "self-check" themselves for infestation/infection!

      E.G.-> I did a "Dr. Who" (famous science fiction series, longest running there is iirc in fact) that does such checks (& in all of my freeware apps this takes place to protect users) that does this, here:

      ----

      APK Doctor Who ScreenSaver 2008++: review:

      http://www.drwhodaily.com/community/index.php?showtopic=386&st=0

      (A multithreaded 3D animated screensaver that self-checks itself vs. viral infestation via filesize & crc32 checks @ its startup & also "self-contains" internally its .avi footage to playback from MEMORY (not disk, for speed & efficiency) so it is ONLY 1 MOVING PART to distribute as well (ships))

      ----

      &, it works!

      E.G./I.E. -> The screensaver will tell you if it has had its CRC-32 altered, OR, its filesize & warn you + shut itself down, so you are aware of it & so it does not continue to "spread-the-disease"...

      (IF every Win32 PE app did that, we'd probably have LESS binary infector/attaching std. viruses imo @ least, & that of others, since my idea for this was "modded up" HERE @ SLASHDOT no less, in last year's "CODING FOR DEFCON" thread, see below):

      ----

      APK CODING FOR DEFCON POST (technique modded up as "technically interes
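The size-plus-CRC-32 startup self-check the comment above describes, worked through as an added example (my own code, not the screensaver's or the poster's): it records a baseline for a constructed stand-in binary, then refuses to run a copy with bytes appended and a copy with a same-size byte patch. Size and CRC-32 are a tripwire against crude file infectors and accidental corruption, not a cryptographic guarantee: a 32-bit CRC can be forced back to any chosen value with a few appended bytes, so the block also records a SHA-256. File names, contents and baseline values are all constructed.

```python
"""Startup integrity self-check: record a baseline (size + CRC-32 + SHA-256) and
refuse to run if the on-disk image no longer matches. Added example; the
'binary' and its baseline are constructed stand-ins, not real files."""
import hashlib
import os
import tempfile
import zlib

CHUNK = 65536


def crc32_and_size(path):
    """Stream the file once, returning (crc32, size_in_bytes)."""
    crc, size = 0, 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            crc = zlib.crc32(chunk, crc)
            size += len(chunk)
    return crc & 0xFFFFFFFF, size


def sha256_of(path):
    """SHA-256 hex digest of the file; unlike CRC-32 it cannot be forced to a chosen value."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_baseline(path):
    """What a build step would store for later comparison."""
    crc, size = crc32_and_size(path)
    return {"size": size, "crc32": crc, "sha256": sha256_of(path)}


def self_check(path, baseline):
    """Compare the file at `path` against a recorded baseline; returns (ok, reason).

    Size is checked first because it is cheapest and already catches the classic
    'code appended to the end' infector; CRC-32 then catches same-size edits
    (it detects every change confined to 32 bits or fewer); SHA-256, if the
    baseline has one, is the comparison an attacker cannot trivially fix up."""
    crc, size = crc32_and_size(path)
    if size != baseline["size"]:
        return False, f"size mismatch: expected {baseline['size']}, got {size}"
    if crc != baseline["crc32"]:
        return False, f"CRC-32 mismatch: expected {baseline['crc32']:#010x}, got {crc:#010x}"
    if "sha256" in baseline and sha256_of(path) != baseline["sha256"]:
        return False, "SHA-256 mismatch"
    return True, "ok"


def demo():
    """Constructed scenario: a stand-in binary, a copy with bytes appended, and a
    copy with one byte changed in place. Returns {name: (ok, reason)}."""
    with tempfile.TemporaryDirectory() as d:
        body = b"MZ" + b"\x00" * 62 + b"original program body " * 20
        clean = os.path.join(d, "app.bin")
        with open(clean, "wb") as f:
            f.write(body)
        baseline = record_baseline(clean)

        appended = os.path.join(d, "app_appended.bin")
        with open(appended, "wb") as f:
            f.write(body + b"\x90" * 16)            # extra bytes glued on the end

        patched = os.path.join(d, "app_patched.bin")
        with open(patched, "wb") as f:
            f.write(body[:100] + b"X" + body[101:])  # one byte changed, size unchanged

        return {
            "clean": self_check(clean, baseline),
            "appended": self_check(appended, baseline),
            "patched": self_check(patched, baseline),
        }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} -> {'OK' if ok else 'REFUSE TO RUN'} ({reason})")
```

The check is only as strong as the place the baseline lives: if the expected values sit inside the same file, whatever rewrites the file can rewrite them too. A signed manifest, a read-only package database, or platform code signing is what turns this from a tripwire into an actual integrity guarantee.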

    9. Re:Oh no! by sortadan · · Score: 1

      Development of malware for the sake of making better solutions is fine, but haven't we seen enough movies where a virus is created in a lab that later destroys the world to know that this is a slippery slope? Does the competition also stipulate that the makers of these viruses also provide a robust solution for detecting them? It's like asking smart people to go make armor piercing ammunition, load it up into guns, then drop them on the street on the bad side of town. Then the smart people go home, and type up on /. how it's horrible that body armor companies don't stop armor piercing bullets. -Dan. I'm trying to edu-mi-kate you slash-dot, just try and follow the logic...

  2. Why should this upset them? by FlyByPC · · Score: 5, Insightful

    By having some top-notch creative talent (never mind which color hat they're wearing) take a stab at creating new styles of malware under controlled conditions, they're giving the antivirus vendors a great opportunity to study these creations -- and therefore to be better able to protect against them.

    Heck, if I were Symantec, McAfee et al -- I'd take the opportunity to try to *recruit* programmers who had interesting entries in the contest! (Better to have them working for you, right?)

    --
    Paleotechnologist and connoisseur of pretty shiny things.
    1. Re:Why should this upset them? by Anonymous Coward · · Score: 5, Informative

      The antivirus vendors are in business to make money. Every one of these issues they have to deal with equates to lost money.

    2. Re:Why should this upset them? by cygtoad · · Score: 1

      ... they're giving the antivirus vendors a great opportunity to study these creations -- and therefore to be better able to protect against them.

      It is so hard to sit on our laurels when these pesky programmers want to invent new stuff for us to work on...

    3. Re:Why should this upset them? by Zero__Kelvin · · Score: 4, Interesting

      "The antivirus vendors are in business to make money. Every one of these issues they have to deal with equates to lost money."

      Exactly right, if you don't count that you have it backwards. Let's start with the edge case 0. If there are Zero viruses, there is no need for the AV software. In fact, within reason the more viruses out there, the more money they make! If viruses are not even a blip on the radar when I do my security landscape evaluation, then the AV companies make no money because I would not purchase their product. If there are many viruses, then an AV company can sit back and wait for others (security folks, e.g.) to justify the purchase of my product. I don't even need a sales force. True, it costs me more to have in house peons gather virus signatures and add them to my database, or add algorithms to my AV tools, but since I don't have to pay nearly as much for a sales force more viruses equals greater profits.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re:Why should this upset them? by moosesocks · · Score: 4, Insightful

      Because polymorphism is considerably easier to implement than it is to circumvent (if it's even possible at all).

      Essentially, this punches a huge hole in the security model of Norton and McAfee's product lines, rendering them completely ineffective against this sort of threat.

      Personally, I've always found it remarkable that they've managed to hold on as long as they have, given just how deeply flawed the very notion of an Antivirus is.

      As long as you've got a decently secure operating system, nothing more than a rudimentary antivirus should be necessary.

      --
      -- If you try to fail and succeed, which have you done? - Uli's moose
    5. Re:Why should this upset them? by Paralizer · · Score: 1

      Agreed. If they think this is a bad idea does that mean they don't do it in house? If so, that is very surprising and I would expect any and all anti-virus companies to not only test their software but also actively try to break it. Otherwise their stance must be 'wait and see' and fix bugs as they come up. Unfortunately these bugs can have severe consequences with this type of software, which can (and probably will) lead to their customers losing millions, possibly more, in damages from viruses that slip through holes in detection because the company was too lazy to try to stay one step ahead.

      For any anti-virus company that thinks this is a bad idea, I question how much they really care about their customers.

    6. Re:Why should this upset them? by GIL_Dude · · Score: 4, Insightful

      Sorry, the OS doesn't really make any difference (assuming you have a firewall - which all current operating systems do - to protect against buffer overflows found on inbound ports). What makes the difference is secure users.

      I don't care how secure your OS is, if users are going to click on SomeFamousPersonNaked.exe , then they are going to eventually get owned - "secure" OS or not. We've all heard the "Linux doesn't get attacked much because it has an insignificant market share" and sort of argued around it - maybe the real one is "Linux doesn't get attacked much because the average Linux user knows enough to not click on ridiculous shit that gets emailed to them."

      I run both Windows and Linux and the only time I have had an AV product tell me "oh noes, there is a virus" is when I have been manually TRYING to infect a system in order to reverse engineer what the damn thing does (in order to create cleanup packages for work). These are in non-networked VMs where we also re-image the host afterwards. But really - a secure USER is what we need. The OS won't make all that much difference compared to the user.

    7. Re:Why should this upset them? by v1 · · Score: 2, Insightful

      Writing software is an investment. You put money in, you get money back. This contest DOES require them to put more money in, but they will get more money BACK. It's "forced investment". Now if you'd rather write a piece of software and then spend the next 6 years merely putting out new-os-compatibility updates, (and how many of those have we seen? many!) you will fall behind, and no one will care about upgrading to version 7 because there's nothing in 7 that their version 5 can't already do, and your product will wither. But that's what some are afraid of, being forced to continually improve their product. Some developers will see this not as an investment in their cash cow, but as an expense.

      It's things like this that cause "version 2" to mean something and make us want to buy it. Bug fixes and compatibility updates don't make updates attractive, they don't pay the bills. New features and new functionality do. If anything, Symantec should be happy this is happening.

      (and yes, I'm a programmer)

      --
      I work for the Department of Redundancy Department.
    8. Re:Why should this upset them? by moosesocks · · Score: 2, Insightful

      I don't care how secure your OS is, if users are going to click on SomeFamousPersonNaked.exe , then they are going to eventually get owned - "secure" OS or not. We've all heard the "Linux doesn't get attacked much because it has an insignificant market share" and sort of argued around it - maybe the real one is "Linux doesn't get attacked much because the average Linux user knows enough to not click on ridiculous shit that gets emailed to them."

      No. Linux and MacOS do not get attacked, because normal users don't run with the sort of privileges that would allow the virus (or trojan as in your example) to do very much damage or replicate itself.

      Similarly, replication of such a virus becomes even more difficult, as E-mail clients and servers both generally tend to block attachments containing executables...

      Sure, there are mechanisms for it to happen, but trojans generally don't spread very fast or very far. A true "virus" typically utilizes an OS exploit, or the fact that every *%*$#&ing Windows user runs with full administrative privileges.
      --
      -- If you try to fail and succeed, which have you done? - Uli's moose
    9. Re:Why should this upset them? by RiotingPacifist · · Score: 1

      That is assuming that the user is completely stupid, OTOH if you click dancingpigs.exe and get prompted to give your root password or even just accept/deny, most users will click cancel (if they don't you haven't explained sudo well enough). So then it comes down to which OS has the least privilege escalation attacks.

      --
      IranAir Flight 655 never forget!
    10. Re:Why should this upset them? by maxume · · Score: 2, Interesting

      I'm sure referencing a wacko supply-sider will make someone mad, but I bet the profit to virus count relationship follows something like the Laffer curve, where at some point malware becomes so pervasive that people at least stop running anything that doesn't come in a box from Walmart and maybe even stop using computers altogether, so they don't need protection anymore.

      --
      Nerd rage is the funniest rage.
    11. Re:Why should this upset them? by smaddox · · Score: 1

      Given, I haven't actually tried, but it doesn't seem like it would be that hard to implement.

      If you can just break your code into several hundred or thousand blocks of nonthreatening code, then all you need is a way to randomize their placement in the binary. It doesn't seem THAT difficult. You could even have it relink itself into a new binary every time it is run.

      You would probably need to separate the original programming from the randomization for debugging reasons. In other words you would probably need some sort of metacode that can be compiled into a standard binary and into a randomized binary.

      Such a program would probably need to be simulated in order for an AV to detect that it is malicious.

    12. Re:Why should this upset them? by CastrTroy · · Score: 1

      Could a virus sit in waiting, and do nothing that a non-privileged user wouldn't be able to do, and then avoid any user prompts until it detects that another sudo prompt for a different application has been fired? And then fire something right after that one is passed to cause another prompt. The user would probably just think it's for the other program they just allowed, and let the virus do its thing. Most prompts just give the app access to whatever they want as soon as you give it permission, and hold on to that permission for the life of the process. It would probably be possible to trick a user into clicking your UAC prompt when they were expecting one for another program.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    13. Re:Why should this upset them? by Jurily · · Score: 4, Insightful

      I was going to moderate, but I can't let this one slide.

      normal users don't run with the sort of privileges that would allow the virus (or trojan as in your example) to do very much damage or replicate itself.

      A normal user has access to the network and a home directory. How is that not enough for a virus?

      Sure, it can't burn itself into the registry or equivalent, but it sure as hell can replicate itself. Hell, it can even cause a lot of headaches when you're lazy like me and have a whole drive mounted in /home/jurily/stuff with full write access.

      Trojans are a different beast, of course, as they rely on the OS more heavily.
    14. Re:Why should this upset them? by Timothy+Brownawell · · Score: 4, Insightful

      Linux and MacOS do not get attacked, because normal users don't run with the sort of privileges that would allow the virus (or trojan as in your example) to do very much damage or replicate itself.

      WTF? Any program I run has +rw access to ~ (can start itself from .profile, do arbitrary damage to all the files I actually care about, and steal passwords and the like) and the ability to connect(2) to random parts of the internet (ability to replicate, send passwords, and fetch ads). No privileges beyond this are needed to cause trouble.

      The real reason is probably more to do with the size and average competency of the userbase.

    15. Re:Why should this upset them? by BlueshiftVFX · · Score: 1

      I fully agree, they should take this opportunity as a free product testing session and study what is going on there and then learn from it to fix the product. It's win-win! Someone gets to be "733t" and the vendors get leads on making a better product.

    16. Re:Why should this upset them? by Kjella · · Score: 2, Insightful

      We've all heard the "Linux doesn't get attacked much because it has an insignificant market share" and sort of argued around it - maybe the real one is "Linux doesn't get attacked much because the average Linux user knows enough to not click on ridiculous shit that gets emailed to them."

      Which would put a very low upper limit on Linux's market share. The way Linux saves the noobs is that you don't do it in the first place, you go to add/remove programs and find the software you want there. The way Linux saves the warez-wannabes is that Linux doesn't need cracks. I'm sure that if Linux became more mainstream with more commercial software, you could have trusted shops that you could add in the same way as repositories. Think something like tucows, cnet, snapfiles etc. only for Linux. Basically, for 99% of the population going away from the "download random exes from the Intartubes" would be an upgrade to their security. Even if those sites only ran a basic virus scan and maybe on a tripwire machine. Users need a bigger difference between "opening" the jpg attachment and "opening" SomeFamousPersonNaked.jpg.exe, don't think users will get any smarter. Or just try to scare those users away from Linux so they don't spoil the average, though it'll make nobody safer nor any systems better.
      --
      Live today, because you never know what tomorrow brings
    17. Re:Why should this upset them? by zwei2stein · · Score: 4, Insightful

      Exactly right, except you forgot one thing:

      They don't actually need viruses and malware, they just need people (and businesses) to be afraid of them enough to consider them a threat.

      All you have to give to people is feeling of security and to make them think that you can shield them from any nasty stuff they might have heard on TV. And people are easily scared because they in general know little about computers.

      People are scared and they get AVs (or careless and they wouldn't get AV even if there were a billion viruses), so you fight for market share rather than install.

      And the only feature you are going to sell to those people is confidence in an impenetrable shield.

      So yeah, AV companies do want perception of threat high and actual threat low. That's when they make most money.

      Every real threat costs them money, every imaginary threat makes them money.

      --
      -- Technology for the sake of technology is as pathetic as eschewing technology because it's technology.
    18. Re:Why should this upset them? by gbjbaanb · · Score: 4, Insightful

      Not really. Once the AV company has enough viruses in the wild to persuade you to buy their product, all the viruses past that point are just a costly nuisance to them.

    19. Re:Why should this upset them? by TehZorroness · · Score: 1

      GNU/Linux doesn't get attacked for one reason in particular. There is only one person you need to trust: your distributor. You aren't downloading programs from dozens of sources since it's all free software and it all can be stored in one place (legally).

      You don't need to waste time writing millions of lines of code that will become obsolete in under a week. All you need is trust. (Rant: this applies to games too. All the anti-cheat bullshit is a worthless drain on legitimate players).

    20. Re:Why should this upset them? by petermgreen · · Score: 1

      The thing is YOU DO NOT NEED ADMIN PRIVILEGES to do the stuff most modern virus writers are after.

      If the system has user crontabs (most *nix systems do) you can start up soon after boot. Even if not you can start up immediately after login which is sufficient for a single user machine.

      If you are feeling malicious you can also destroy the user's data (which on a single user machine is probably the most important thing on there).

      Sending spam and hitting vulnerable services do not generally require any special privileges.

      And if they really want root privs they can just edit the menu items so when the user selects that root terminal option and enters their password the malware gets launched with root privileges as well.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    21. Re:Why should this upset them? by maxwell+demon · · Score: 1

      A normal user has access to the network and a home directory. How is that not enough for a virus?

      If the home directory is noexec, it is not enough for a virus. A virus cannot do harm if it doesn't get executed.
      --
      The Tao of math: The numbers you can count are not the real numbers.
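The noexec point above is easy to state and surprisingly easy to get wrong in practice, so here is an added example (my own code, not from any poster) that answers "is this path on a noexec filesystem?" the way the kernel would: parse /proc/mounts-format lines and pick the mount with the longest matching mount point. The sample mount table is constructed; it includes a separate drive mounted under /home/jurily/stuff, as in Jurily's comment, to show that a nested mount without noexec silently undoes the parent's option.

```python
"""Decide whether a path lives on a noexec filesystem from /proc/mounts-style text.
Added example; SAMPLE_MOUNTS is a constructed table, not taken from any real host."""
import os

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /home/jurily/stuff ext4 rw,relatime 0 0
"""


def parse_mounts(text):
    """Return a list of (mountpoint, fstype, set_of_options)."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _device, mountpoint, fstype, options = parts[:4]
        mountpoint = mountpoint.replace("\\040", " ")  # /proc/mounts escapes spaces this way
        mounts.append((mountpoint, fstype, set(options.split(","))))
    return mounts


def mount_for(path, mounts):
    """Longest-prefix match: the mount whose mount point is the deepest ancestor of path."""
    path = os.path.normpath(path)
    best = None
    for mountpoint, fstype, opts in mounts:
        mp = os.path.normpath(mountpoint)
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, fstype, opts)
    return best


def is_noexec(path, mounts_text=None):
    """True if the filesystem holding `path` carries the noexec option.
    With mounts_text=None the live /proc/mounts is read (Linux only)."""
    if mounts_text is None:
        with open("/proc/mounts") as f:
            mounts_text = f.read()
    found = mount_for(path, parse_mounts(mounts_text))
    return found is not None and "noexec" in found[2]


def report(paths, mounts_text):
    """One line per path naming the governing mount and whether noexec applies."""
    rows = []
    for p in paths:
        m = mount_for(p, parse_mounts(mounts_text))
        rows.append((p, m[0] if m else None, is_noexec(p, mounts_text)))
    return rows


if __name__ == "__main__":
    for path, mp, noexec in report(
        ["/home/jurily/.local/bin/tool", "/home/jurily/stuff/tool", "/tmp/tool", "/usr/bin/ls"],
        SAMPLE_MOUNTS,
    ):
        print(f"{path:32s} mount={mp!s:22s} noexec={noexec}")
```

Two caveats belong next to this check. First, noexec only blocks the execve path: an interpreter that is itself on an exec-allowed filesystem can still read and run a script from the noexec one, so the option raises the bar rather than closing the door. Second, the longest-prefix rule is exactly why a convenience mount inside /home can reopen what the /home options closed; audit nested mounts, not just the top-level ones.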
    22. Re:Why should this upset them? by nog_lorp · · Score: 0

      Unlike Windows users, however, a virus can't transparently hide itself and make itself run at boot. At best it can make a file named ".totallynotavirus" and add itself to your login script, which isn't too hard to spot. A virus run by a user certainly can't corrupt your virus protection (after sneaking past).

      You don't end up with the problem of "I wonder if I have malware-x on my computer, time to boot a different OS from CD and browse my filesystem to check".
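Both petermgreen's crontab remark and the ".totallynotavirus in the login script" remark above describe the same defender's problem: unprivileged persistence is cheap to set up and, as nog_lorp says, not that hard to spot if someone looks. This added example (my own code, not from any poster) is the "someone looks" part: a heuristic sweep over a user crontab and a shell profile that flags @reboot entries, backgrounded commands at login, and programs launched from temp directories or hidden dot-files. The sample lines are constructed, reusing the .totallynotavirus name from the comment; the rules produce triage leads, not verdicts, since plenty of legitimate tooling also lives under dot-directories.

```python
"""Heuristic audit of a user crontab and shell profile for persistence indicators.
Added example; SAMPLE_CRONTAB and SAMPLE_PROFILE are constructed, not real files."""

# Constructed crontab: two ordinary jobs, one @reboot job launching a hidden file,
# one five-minute job launching from /tmp.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/backup-home.sh
@reboot /home/alice/.cache/.totallynotavirus
*/5 * * * * /tmp/.x/update >/dev/null 2>&1
30 7 * * 1-5 /usr/local/bin/mail-digest
"""

# Constructed ~/.profile: normal PATH/umask lines plus a backgrounded hidden program.
SAMPLE_PROFILE = """\
# ~/.profile
export PATH="$HOME/bin:$PATH"
umask 022
nohup "$HOME/.config/.totallynotavirus" >/dev/null 2>&1 &
"""

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def suspicious_path(token):
    """True if the token names a program in a temp directory or a hidden (dot) file.
    Only the final path component is tested, so ~/.local/bin/tool is not flagged
    while ~/.cache/.totallynotavirus is."""
    token = token.strip("\"'")
    if token.startswith(TEMP_DIRS):
        return True
    if "/" not in token:
        return False
    last = token.rsplit("/", 1)[1]
    return last.startswith(".") and last not in (".", "..")


def _content_lines(text):
    """Yield (line_number, stripped_line) skipping blanks and comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield n, line


def audit_crontab(text):
    """Return [(line_number, reason)] for crontab lines worth a second look."""
    findings = []
    for n, line in _content_lines(text):
        if line.startswith("@reboot"):
            findings.append((n, "runs at every boot (@reboot)"))
        for tok in line.split():
            if suspicious_path(tok):
                findings.append((n, f"launches from hidden/temp path: {tok}"))
    return findings


def audit_profile(text):
    """Return [(line_number, reason)] for profile lines that start or background programs."""
    findings = []
    for n, line in _content_lines(text):
        if line.endswith("&") or line.startswith(("nohup ", "setsid ")):
            findings.append((n, "backgrounds a process at login"))
        for tok in line.split():
            if suspicious_path(tok):
                findings.append((n, f"launches from hidden/temp path: {tok}"))
    return findings


def flagged_lines(findings):
    """Distinct line numbers that produced at least one finding, sorted."""
    return sorted({n for n, _ in findings})


if __name__ == "__main__":
    for label, findings in (("crontab", audit_crontab(SAMPLE_CRONTAB)),
                            ("profile", audit_profile(SAMPLE_PROFILE))):
        for n, reason in findings:
            print(f"{label} line {n}: {reason}")
```

On a real host the inputs would come from `crontab -l` for each user and from the user's ~/.profile, ~/.bashrc or equivalent; a finding means "a human should read this line", and the same sweep run periodically and diffed against a known-good copy is far more useful than a single pass.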

    23. Re:Why should this upset them? by Anonymous Coward · · Score: 1, Insightful

      "dancingpigs.exe" is requesting extended access to your video services. dancingpigs.exe said:

      "In order for the 3D functions in this video to work properly, you must give this picture access to your graphics card. Answering "no" will not allow you to enjoy this film! Answer "yes" to view dancing pigs!"

      Would you like to give dancingpigs.exe root access to your video services?

      (Yes) (No)

      Guess which one the average user will pick...

    24. Re:Why should this upset them? by RiotingPacifist · · Score: 1

      True, no system is completely secure, and users do need training, but it's a lot easier to just skip all that trouble if the OS has root exploits, so the OS does make a difference.

      --
      IranAir Flight 655 never forget!
    25. Re:Why should this upset them? by maxwell+demon · · Score: 1

      Could a virus sit in waiting, and do nothing that a non-privileged user wouldn't be able to do, and then avoid any user prompts until it detects that another sudo prompt for a different application has been fired? And then fire something right after that one is passed to cause another prompt. The user would probably just think it's for the other program they just allowed, and let the virus do its thing.

      Interesting thought.
      Usually sudo will not give another prompt if fired shortly after a previous sudo. So the hypothetical malware would indeed get root access completely unnoticed (once having obtained root access, it can of course easily remove any traces of that root access in log files).
      --
      The Tao of math: The numbers you can count are not the real numbers.
    26. Re:Why should this upset them? by YaroMan86 · · Score: 3, Informative

      Exactly. A virus for Linux at this point in time probably doesn't stand a snowball's chance in hell on the average Linux system because Linux users are smarter than the average Windows user. (I am generalizing and using a more relative version of smarter here.) That, coupled with the fact there are fewer than a hundred Linux viruses and a small user base, a Linux virus is not much of a threat... FOR NOW.

      But what happens when we actually DO accomplish full-on Linux on the desktop? What happens if, hypothetically, Linux becomes more widely used than Windows? Suddenly the average skill of a Linux user plunges downward, and the virus population for Linux skyrockets. Suddenly a Linux virus doesn't seem so harmless, does it?

      Remember, nowadays a virus usually doesn't commit destruction, as that would render a bot in a botnet worthless, but would rather use it for spamming purposes. There's no need for elevated permissions. On top of that, most of the stuff a virus can destroy without elevation is the stuff the average user cares about anyway: Documents, Music, Pictures, HARD WORK. Irreplaceable things.

      If there is a perfectly safe system that is still able to connect to the outside world, it is a system used only by a user who knows how to prevent viruses and knows how to do effective backups. You could also make a bonus by using a fully unprivileged user account.

      These are things Windows will never do. Far too often is a user an administrator, and the inner workings of the system exposed. (It wasn't really until the average Windows based itself off of NT that ANYTHING was safe from Security Problem #1: The User.) With Windows ME and earlier there are no user permissions (Windows 2000 and earlier, along the NT line, are luckier and smarter), and so all a user has to do is take a stroll and delete files out of the windows directory. No authentication. Worse, if a user boots into pure DOS, where the usage protection Windows does ("Cannot delete (File), it is currently in use.") doesn't apply, they can destroy ANYTHING on the system without any validation or authentication. What the hell was Microsoft thinking?

      So, essentially a safe user is this:

      1. A user who knows how the system works at least on a rudimentary level.

      2. This same user must typically take normal user or lower privileges.

      3. This same user must have a knowledge of how a virus finds itself on a system: (E-Mail attachments from bad sources, child porn, warez, etc.)

      4. The system uses an operating system with its own effective security model. Typically one that involves user permission levels, if not a full-fledged multi-user system with the default user NOT being an administrator.

      5. A good firewall. This is typically a third-party program.

      6. Yes, a good antivirus. It may not be as effective as many other techniques, but an AV DOES help, period.

      7. A real plus: Knowledge on how to remove a virus manually. (Not as hard as one might think, especially after the virus is identified.)

      8. EDUCATION. EDUCATION. EDUCATION!!! If there are other users on the system, TEACH them! It is amazing how effective a little imparting of knowledge will do to make things better and safer.

      9. Make sure the other users aren't in a position to infect the system either, as in, restrict their ability to declare things executables, block executables from mail, don't let them install P2P software. (Easy in Linux, since things like apt-get and Synaptic only function with root privileges. Though this can't stop them from installing it in their home folder.)

      10. Do a regular manual audit of the system. Not only should you keep an eye out for anything unusual, but also keep an eye out for 'unauthorized' software, like P2P.

      11. Block torrent/warez sites. Every single time someone comes to me with a virus problem, the first question I ask is "Are you downloading torrents a lot?" and the answer is always "Yes."

      12. Not relating to viruses, but a good tip anyway: Before you try any system changes, try the same change on a VM. A nice sandbox is better for fucking up than your own system.

      If you remember these things, and keep to them, chances are you'll be just fine.

    27. Re:Why should this upset them? by somersault · · Score: 4, Interesting

      I wonder how long before they start lobbying for it to be illegal to even write something that could be used as malware..

      --
      which is totally what she said
    28. Re:Why should this upset them? by somersault · · Score: 1

      You're never going to have that 'trust' where the internet is concerned (unless you only ever let traffic through from people you know you can trust - and then, how do you *know* you can trust them? :p ). Sure it would be nice if we didn't need anti-cheat measures in games, but there will always be someone pathetic enough to want to try to feel good about themselves by demolishing others, even though they haven't actually developed the skills to do so.. I don't understand it myself, but it's a clearly observable thing..

      --
      which is totally what she said
    29. Re:Why should this upset them? by somersault · · Score: 1

      The thing is though, that you don't really need to be very smart to be safe - just better informed. And better defaults on stuff like Windows so that you can see file extensions. Perhaps a few questions that you get asked when you create a new user account, and if you get it wrong you have to go through a tutorial and then take another test? A little education would go a long way here. Even one of my bosses seems to be getting better at avoiding malware.

      --
      which is totally what she said
    30. Re:Why should this upset them? by Dextrously · · Score: 2, Insightful

      The only thing anti-virus companies need to sell their product is the fear or threat of a virus. I suppose they believe there is more money in the fear mongering business than legitimate business. They may be right, I don't pretend to know. Having a virus scanner is pretty much a mindset in a Windows environment. Even Windows Security Center will whine and complain if you don't have one (until you shoot it in the services.msc if you know what I mean).

      Take for example, Network Intrusion Detection Systems. They are supposed to be set up *before* an intrusion takes place. Even if there is no history of previous intrusion, they validate that your network is actually secure. History should have shown us by now that the majority of hax0rs want not only to get into your system, but to remain there as silently and as long as possible. Thus, a detection system is needed.

      An anti-virus company's selling pitch might be "How do you know you don't have a virus, if you don't have a virus scanner?". I am not an advocate for AV software, I'm just saying it as I see it.

    31. Re:Why should this upset them? by Vellmont · · Score: 1

      No. Linux and MacOS do not get attacked, because normal users don't run with the sort of privileges that would allow the virus (or trojan as in your example) to do very much damage or replicate itself.

      I never really understand why people think this is true. What exactly are the privileges required to do damage, or replicate? Linux essentially runs as the logged in user. That means you can:

      Run a process.
      Send email.
      Write to any file the user can.

      A good virus needs to:

      survive a reboot.
      find a new target.
      send itself to that target.

      There's lots of ways to execute a process automatically under linux. Off the top of my head I can think of several. One would be getting in one of the .login, .profile, or all the various different init scripts stored in the users home directory (and belong to the user) that get run when a user logs in. Another would be installing yourself as a plugin to mozilla (I believe you can write to the home directory to install plugins for just that user). That'd be a pretty nasty one, and might even let you sniff any password/CC/etc they type in.

      Once you make sure the virus/worm survives reboot, now you need to target another user. I believe the address book is readable by the logged in user, so there's a big set of new targets. Don't speak SMTP? Well, just read the config file for thunderbird, and find an SMTP server to use. Hell, I think you could even steal the pop/imap/auth SMTP username password, since I don't think it's encrypted by a user selected password by default. Don't spread via email? Well, processes and network connections are all nice and listable to ordinary users. Look to those for guidance.

      The only thing protecting Linux is some better written code than is in many Microsoft programs (Outlook, Internet Explorer, etc). Not having root/admin is very little hindrance.

      I don't know much about MacOS, but I don't see how it's any different.

      --
      AccountKiller
    32. Re:Why should this upset them? by Anonymous Coward · · Score: 0

      Is your home directory noexec? Can you write to your logon scripts?

      A clever program could attach to your logon shell (if you can attach to a process with a debugger running as yourself then a malicious program can hijack it) and subvert everything you do from that point on.

    33. Re:Why should this upset them? by Anonymous Coward · · Score: 1, Insightful

      WTF? Any program I run has +rw access to ~

      A couple of points:

      A: If viruses on Linux were a problem, how hard would it be for you to change this without breaking the program (think selinux, apparmor, forking and dropping privileges, virtualization, chroot jails etc... )?

      B: If viruses on Linux were to become a problem, how quick would it be for distributions to do whatever the solution found in "A" was per default?

      C: How many Linux users would actually google for CD burning software and download it from an untrusted site using a Linux machine?

      Basically the only reason you are running Firefox with +rw to ~ is because it is considered an acceptable risk. Were trojans and viruses to start targeting, say Ubuntu, then it would be roughly 6 months, maybe 12 at a stretch, and then all internet facing applications would be sandboxed per default. If you didn't want to wait that long it would be relatively easy to make the changes yourself.

      The problem with windows isn't that you can't make it secure. The problem is that you have to work really hard to do so, it is designed in a manner which encourages users to act in insecure ways, and the security measures very often seem to follow the mantra "the user can't blame us if we've told him he is insecure".

      Btw, there is a big difference between compromising a user and full root privileges. If you have only compromised the user then it is fully possible for anti-virus software etc to have scans and sanity checks running as root that will spot the intrusion, whereas if you have compromised kernel space then you can destroy the defenses before they have a chance to alert the user. Of course, at the moment this is not necessary or even worthwhile on most Linux desktops, but it is definitely possible.

    34. Re:Why should this upset them? by FliesLikeABrick · · Score: 1

      There's the fact that removal of some malware that uses .profile and does nasty things in ~ is trivial compared to something that gets into a Windows machine. On any Linux or similarly-permissioned system, removal at worst consists of deleting the person's home directory and killing a few processes.

      Now, if removing crap from pwned Windows machines was that easy, we'd all be much better off.

    35. Re:Why should this upset them? by Lord+Ender · · Score: 1

      "As long as you've got a decently secure operating system, nothing more than a rudimentary antivirus should be necessary."

      Wow. Somebody has never worked in the security field before.

      The OS doesn't matter a tenth as much as the user matters. As long as the user has the ability to execute code (with any rights, not necessarily root or admin), then viruses will spread. Links in web pages, instant messages, email attachments... whatever it is, the USER is the problem, not the OS.

      OpenBSD would make a fine virus platform if it were the primary desktop OS.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    36. Re:Why should this upset them? by Timothy+Brownawell · · Score: 1

      Of course, this is only relevant for shared systems. If there's only one user (or everyone shares the same login), the difference between removing ~ and reinstalling is just a couple hours.

    37. Re:Why should this upset them? by drsmithy · · Score: 1

      That is assuming that the user is completely stupid, OTOH if you click dancingpigs.exe and get prompted to give your root password or even just accept/deny, most users will click cancel (if they don't you haven't explained sudo well enough).

      No, they won't. They'll type in their passwords and click 'OK', because that's the only way they can see to get the computer to do what they want.

      There is no way to secure a machine where an ignorant end user can run arbitrary code. Not now, not ever.

    38. Re:Why should this upset them? by MikeBabcock · · Score: 1

      As others will be quick to point out, a random Joe-Linux user won't have to worry about clicking on that random executable because unless it uses a local-root exploit (which SELinux is doing a great job of preventing in many cases), the virus in question can't attack their system files and infect the entire system as a result.

      Sure, I could perhaps convince Joe Linux user to run "rm -rf ./.*" which might be entertaining for a bit but infecting the system files still won't happen.

      --
      - Michael T. Babcock (Yes, I blog)
    39. Re:Why should this upset them? by MikeBabcock · · Score: 2, Insightful

      Sure, but unlike the Windows user, he can then log in as root and clean out his infection from his normal user account and move on with his life.

      In the Windows case, I hope you have a backup because it's time to re-install Windows.

      PS, rkhunter is a great example of a program that detects for real Linux infections, for those looking.

      --
      - Michael T. Babcock (Yes, I blog)
    40. Re:Why should this upset them? by MikeBabcock · · Score: 2, Interesting

      SELinux is quickly helping to fix that problem.

      "wtf is this? You don't need network access or access to this directory, go away."

      Mandatory Access Controls are coming along nicely. About time too.

      --
      - Michael T. Babcock (Yes, I blog)
    41. Re:Why should this upset them? by catagras · · Score: 1

      Actually you don't have to download any exe. Just ask a new Linux user to follow a tutorial which tells him to add a new repository and then sudo apt-get install super-excellent-app.

      Then, being on linux won't be of much help.

    42. Re:Why should this upset them? by Nero+Nimbus · · Score: 2, Informative

      They don't actually need viruses and malware, they just need people (and businesses) to be afraid of them enough to consider them treat. Yeah, because the average user considers screen savers, animated cursors, and nude pictures of Britney Spears to be treats.

    43. Re:Why should this upset them? by moosesocks · · Score: 1

      You underestimate humanity.

      The next generation is considerably more computer literate, and most Windows users now do have a semi-decent idea of "what not to do" in terms of avoiding nastyware (or at the very least, the average user is more cognizant of this sort of thing than 3-4 years ago).

      --
      -- If you try to fail and succeed, which have you done? - Uli's moose
    44. Re:Why should this upset them? by Anonymous Coward · · Score: 0

      SELinux has the potential to block this kind of attack. Dan Walsh has developed policies for guest users that would prevent this kind of attack from working. Down the road we can expect web browsers and mail readers to be more confined so that it will be difficult for normal users (who may need more access than guest users) to shoot themselves in the foot. Presumably a few people will end up following long winded instructions about how to download their malware and then move it somewhere else and relabel it and then run it, but that is going to be a lot less people than who will just click on a link.

    45. Re:Why should this upset them? by drsmithy · · Score: 1

      You underestimate humanity.

      Nope. If anything, I overestimate them. I'm an optimist like that.

      The next generation is considerably more computer literate, and most Windows users now do have a semi-decent idea of "what not to do" in terms of avoiding nastyware (or at the very least, the average user is more cognizant of this sort of thing than 3-4 years ago).

      No, they don't. They still want to see $CELEBRITY naked. They're still happy to type a few words into a computer to do that. After all, what's the worst that could go wrong?

    46. Re:Why should this upset them? by hairyfeet · · Score: 1

      Which is why I thought even before I read the six dumbest ideas in computer security that the whole "default permit" way that most computers operate was just insane. How many folks actually still used .wmf files when that bug hit? How many programs are sitting in your average OS that you never use? If we switched from blacklisting to whitelisting our applications and went with a default deny model at the OS IMHO a lot of these bugs would be stopped dead.


      And of course I'm sure the biggest threats to computers out there are the Joe and Sally Clueless of this world that click on everything and all the security in the world isn't going to help when the user is willing to happily put in their password and jump through whatever hoops they have to so they can look at the dancing bunny. It once took me a week to figure out why this office network kept getting boned. It turned out little Velma the walking disaster area was bringing infected cds and flash drives from home so she could listen to music and look at her pictures on break. So I know from experience that all the security in the world won't help if you have a user that refuses to listen to you and does what he/she wants to anyway. But that is my 02c, YMMV.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    47. Re:Why should this upset them? by Anonymous Coward · · Score: 0

      I don't care how secure your OS is, if users are going to click on SomeFamousPersonNaked.exe, then they are going to eventually get owned
      Could you fix that link please? It doesn't work for me
    48. Re:Why should this upset them? by Anonymous Coward · · Score: 1, Funny

      I've always considered viruses and malware a treat, but then again I'm a chronic masochist.

    49. Re:Why should this upset them? by asoulfinder · · Score: 1

      You always need a sales force. After all you are competing with other companies in your field. I do agree if there are no viruses, there wouldn't be a need for the software.

    50. Re:Why should this upset them? by Remusti · · Score: 1

      Not really. New threats mean they can sell update subscriptions and new versions of the same old software.

    51. Re:Why should this upset them? by Anonymous Coward · · Score: 0

      As long as he doesn't run su as the compromised user and give away his root creds.

    52. Re:Why should this upset them? by Anonymous Coward · · Score: 0

      Wow this is all completely wrong. A Unix virus can modify programs already in your start up scripts. This might require secondary privilege escalation exploits, but those aren't particularly rare on any platform.

    53. Re:Why should this upset them? by Iamthecheese · · Score: 1

      You are an idiot if you liked that. Let me count the ways.

      Default Permit
      and his ugly twin, Enumerating Badness

      The author is saying that every piece of software should be checked by every operating system against some "known good software" list. This is, of course, preposterous. Unless every known version of every piece of software is registered in a central repository, how does the author think the "goodness" (as he puts it) can be verified? Oh, I know, let's let the administrator decide on a per computer basis! He'll need some privileges.. It's at the base of the system... Let's call it "root"!

      Penetrate and Patch

      Yeah! lets just make software without any bugs right from the start! Why didn't I think of that! He should contact Microsoft right away! But he'll have to patent that idea first, he'll make millions!

      Hacking is Cool

      I wonder how long the author was living under that rock.. He must be like Gollum by now. "my network! my precious!" In any case, few don't realize that hiring crackers has been passé for a very long time now. Penetration testing, however, is a very important part of security.

      Educating Users

      The author has outdone himself with this gem. Let's stop educating users altogether! In a really secure network, they don't need no steenkin education! We should just encase our network in a big cement box! Complete security! Because I know he didn't mean that without any spyware checking or separation of privilege (forsworn in numbers one and two) or even penetration testing we should let our users do whatever they want...

      Action is Better Than Inaction

      Wow, well, I guess if he shoots enough times even a blind man with the Palsy can hit a barn door.

      On a related note, all the "minor dumbs" he listed are right on target. Does this man have multiple personalities?

      --
      If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
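Comments 46 and 53 argue over "default permit" versus "default deny" for what a machine will execute. The following is an added example, not code posted by anyone in this thread: it implements both models as simple policies and runs them over a constructed set of sample binaries (the paths, contents and hashes are invented for the demonstration; `dancingpigs` is the file name used elsewhere in the discussion). The allow-list variant also applies the read-only-program-directory rule that comment 60 asks about, so a download into `~` or `/tmp` is refused before its hash is even checked.

```python
"""Default-permit (blocklist) versus default-deny (allow-list) execution
policy.  Added example for this thread, not code posted by any commenter.
The binaries, paths and hashes below are constructed in memory."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

Decision = Tuple[bool, str]  # (allowed?, reason)


@dataclass(frozen=True)
class Binary:
    """A file the user is about to execute: where it lives and its bytes."""
    path: str
    content: bytes

    def digest(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


class DefaultPermitPolicy:
    """Blocklist: everything runs unless its hash is already known to be bad."""

    def __init__(self, bad_hashes: Iterable[str]):
        self.bad = set(bad_hashes)

    def decide(self, binary: Binary) -> Decision:
        if binary.digest() in self.bad:
            return False, "hash on blocklist"
        return True, "not known bad"


class DefaultDenyPolicy:
    """Allow-list: a program runs only if it sits under a read-only program
    directory AND its hash is on the per-machine known-good list.  Anything
    dropped into a user-writable location is refused without further checks."""

    def __init__(self, good_hashes: Iterable[str], program_dirs: Iterable[str]):
        self.good = set(good_hashes)
        self.program_dirs = tuple(program_dirs)

    def decide(self, binary: Binary) -> Decision:
        if not binary.path.startswith(self.program_dirs):
            return False, "outside read-only program directories"
        if binary.digest() not in self.good:
            return False, "hash not on allow-list"
        return True, "allow-listed"


# Constructed sample set; the contents are placeholders, not real binaries.
PACKAGED_EDITOR = Binary("/usr/bin/editor", b"placeholder: packaged editor")
PACKAGED_SHELL = Binary("/bin/sh", b"placeholder: packaged shell")
KNOWN_BAD = Binary("/home/demo/Downloads/dancingpigs", b"placeholder: dancing pigs")
# The same program with a trivial change: a new hash, so the blocklist misses it.
REPACKED_BAD = Binary("/home/demo/Downloads/dancingpigs2", b"placeholder: dancing pigz")
NEVER_SEEN = Binary("/tmp/screensaver", b"placeholder: unknown screensaver")
SAMPLES = [PACKAGED_EDITOR, PACKAGED_SHELL, KNOWN_BAD, REPACKED_BAD, NEVER_SEEN]


def evaluate(policy, binaries: Iterable[Binary]) -> Dict[str, Decision]:
    """Apply one policy to every sample and map path -> decision."""
    return {b.path: policy.decide(b) for b in binaries}


def compare_policies() -> Dict[str, Dict[str, Decision]]:
    """Run both policies over the sample set and return their decisions."""
    permit = DefaultPermitPolicy([KNOWN_BAD.digest()])
    deny = DefaultDenyPolicy([PACKAGED_EDITOR.digest(), PACKAGED_SHELL.digest()],
                             program_dirs=["/usr/bin/", "/bin/"])
    return {"default_permit": evaluate(permit, SAMPLES),
            "default_deny": evaluate(deny, SAMPLES)}


if __name__ == "__main__":
    for name, decisions in compare_policies().items():
        print(name)
        for path, (allowed, reason) in decisions.items():
            print(f"  {'ALLOW' if allowed else 'DENY':5} {path:36} {reason}")
```

The blocklist stops only the one sample whose hash it has seen; the re-packed copy and the unknown screensaver both run. The allow-list refuses everything outside `/usr/bin` and `/bin` and anything whose hash the administrator never approved, which is exactly the per-machine list comment 53 objects to. Its known gap is that an allow-listed interpreter (`/bin/sh` here) will still run whatever script it is handed, so a real deployment has to constrain interpreters as well, not just native binaries.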
    54. Re:Why should this upset them? by BLKMGK · · Score: 1

      "Sorry, the OS doesn't really make any difference (assuming you have a firewall - which all current operating systems do - to protect against buffer overflows found on inbound ports). What makes the difference is secure users."

      Did you just say that the firewall protects against buffer overflows on inbound ports? Block traffic? Yes. Permit traffic? Yes. Inspect for buffer overflows? ..... FAIL! What O/S stopped the WMF exploit? What firewall blocked any of the numerous Flash vulns? I could go on... Did those require you to click on anything? Suggest you do a little further research before being so confident in not being infected without "doing anything" as you're a bit naive. I suspect the RE you claim to have been doing could use a little work as well. Hope a network isn't relying on it somewhere.

      --
      Build it, Drive it, Improve it! Hybridz.org
    55. Re:Why should this upset them? by mambosauce · · Score: 1

      I agree with the flyby, this shouldn't be viewed as a bad thing. I definitely see a chance for new talent to hire.

    56. Re:Why should this upset them? by symbolset · · Score: 1

      There is no way to secure a machine where an ignorant end user can run arbitrary code. Not now, not ever.

      And unfortunately if you make a system so secure even a fool can use it, only a fool would want to. /sigh/

      BTW, I'm not disagreeing with you. This is the security vs usability dilemma. There is no satisfactory solution.

      --
      Help stamp out iliturcy.
    57. Re:Why should this upset them? by Anonymous Coward · · Score: 0

      It could also be because the AV companies realize that in order to combat the next wave of virii they will have to start doing behavior blocking. This technology right now is primitive at best. Anything the AV companies can do to delay the next wave of virii gives them more time to implement this.

      If they don't, another company will and then McAfee and Norton will lose their market share like Dr. Solomon's Antivirus Toolkit did when it couldn't defend against macro viruses.

    58. Re:Why should this upset them? by arminw · · Score: 1

      ....is confidence of impenetrable shield....

      Anti-malware programs are more like a very strong padlock on a flimsy Windows OS door. The padlock may be tough, but the door is easy to kick in or simply take off the hinges. The only one who can make it hard to get into the computer (house) is the maker of the OS (door). OSX and Linux have a stronger door and a good lock. Hanging on a stronger padlock won't give much extra protection against burglars and the padlock sellers know that.

      They had a lock picking contest recently, where the owner of the OSX house had to co-operate with a simulated burglar, who then was able to pick the lock and get in. However the basic strength of the OSX and Linux doors is very similar, since they both are based on UNIX, a true multi-user system conceived from the ground up as secure. Windows always was and still is a PERSONAL computer OS where multi-user and security were added on later. If Apple had pasted security on their old OS9 base, they would have been in the same boat that MS still is.

      --
      All theory is gray
    59. Re:Why should this upset them? by piojo · · Score: 2, Informative

      I agree completely. User permissions are sufficient to run cronjobs, send spam, and (often) steal sensitive information. User permissions are not enough to keylog, but I'm sure a firefox profile directory is often worth as much as a keylogging session.

      --
      A cat can't teach a dog to bark.
    60. Re:Why should this upset them? by arminw · · Score: 1

      ...Any program I run has +rw access to ~ (can start itself from .profile,...

      In order for a program to run, does it not also need execute permission? If none of the user's space has execute permissions, the virus can't run the first time. If all the user's normal programs are in a read only program folder, how will a nasty program the user may have downloaded into his user space run the first time?

      --
      All theory is gray
    61. Re:Why should this upset them? by Nazlfrag · · Score: 2, Informative

      There's good coverage at http://www.privsecblog.com

      If passed into law (this bill already has passed the house twice but never has cleared the Senate), I-SPY would make it a criminal offense punishable by fines and/or up to five years in prison for "intentionally access[ing] a protected computer without authorization, or exceed[ing] authorized access to a protected computer, by causing a computer program or code to be copied onto the protected computer, and intentionally us[ing] that program or code in furtherance of another Federal criminal offense." Similar activity that is designed to defraud or injure a person or cause damage to a protected computer, but is not conducted in furtherance of another Federal offense, subjects the perpetrator to a fine and/or up to two years in prison. I'm fairly sure viruses would fall under at least the bold part. I have no idea how much (if at all) this is a result of lobbying by antivirus vendors.
    62. Re:Why should this upset them? by jyurkiw · · Score: 1

      You're talking about companies who make software that acts as a bullet-proof vest for your system, but in exchange:
      1) Increases your system startup time significantly.
      2) Systematically interrupts whatever program you're running to notify you it's doing something you probably told it to do.
      3) Thrashes your RAM whenever it does anything rather than sandbox itself.
      4) Insists on running at the highest priority possible and takes over your system when it runs rather than something more friendly like...oh...run at a low priority and wait until you're not actually doing anything to take up major resources.

      So we're basically wondering why the people who make software that does roughly the same thing as a virus to your system (minus the extremely, intentionally harmful stuff) would get upset at a contest (run at a Defense Convention no less) where the intent is to bypass their software rather than see it as an opportunity to improve their product?

      ...why is this a surprise?

    63. Re:Why should this upset them? by hairyfeet · · Score: 1

      OOOOH, a good thought provoking argument! Repairing Windows boxes I get so few of those! Thanks!

      Now, I'll go over your points one by one based on my own experience, Okay?

      1.-Default permit-What I believe the author is trying to get at is that I the computer OWNER should be asked at least one time before something runs, as opposed to now, where the OS, unless it finds something that tells it specifically NOT to run, will auto execute anything on the machine. For a good example see ActiveX on any machine prior to Vista. There are a ton of bugs written that can call upon ActiveX and, even though I have never used an ActiveX object in my life, Windows will happily launch it and pwn my system. I think most of us would agree that the USER should be the one deciding what runs on his/her machine, or at least has the option to decide.

      2.-Penetrate and patch-On this one he did give an example of what he was talking about, as well as recommend a book that further elaborates. While I have not gotten completely through the book yet, what the main point of discussion is about is compartmentalization. What the author was trying to get at here was it is a LOT easier to write a program from scratch with security in mind than it is to try to fix someone else's mess. As someone who has gone into many a little Mom&Pop shop to find an unpatched mess that would promptly break the one piece of mission critical software in the shop when you tried to update, due to some coder using a bug as a feature, I have to agree with him there. It really isn't any fun trying to fix someone else's mistakes.

      3.-Educating users-I have the perfect example of this from my own experience-Velma the walking disaster area. Sweet little Velma works at the office of this little insurance company whose name I won't mention. Velma can remember names, phone numbers, birthdays, and business transactions that happened 20 years ago so there is NO WAY they will ever fire little Velma due to the fact she is so valuable to the business relationships they have with their clients. Little Velma is a trusting sort and will happily click on ANY link sent to her, as well as run anything sent by one of her chat buddies. I had set up the machines to only run IE on the Intranet for the proprietary app required by the home office and had Firefox set up with noscript with a whitelist of approved sites. Yet it kept getting pwned. It took me a week until I walked in and found little Velma sliding a cd in her computer that turned out to be FILLED with viruses. I asked her why she didn't tell me she was bringing disks from home. She replied "This isn't from home, my sister sends these to me!" The point being that some users will always see the computer as nothing more than a toaster with a screen, and trying to teach them squat is like pissing in the wind. If you base your security on teaching the little Velmas of this world enjoy your ulcer. I finally locked it down by unhooking her cd, and giving her sister a free program to make MP3s which she can email to Velma so they can be scanned by the virus checker. Yes I know it is a bit of an ugly hack but I couldn't figure out a better way in Win2K Pro in the time allotted. And last I heard they are virus free in spite of little Velma still working there.

      4.-Action is better than inaction-Actually you have that one backwards as he said that is a MAJOR stupid idea, and I have to agree. With any major piece of tech there will be unforeseen bugs. Better to let OTHER people be the early adopters, see what went wrong from their mistakes, and deploy when it is more mature. Now while I don't have experience with this one personally, as I tend to work with Mom&Pop shops who use older hardware, I have heard a few horror stories from those who have run into this, mostly with wireless. Remember when nobody thought the signal went very far? Yeah, from what I heard that bit a few early adopters in my area in the butt pretty hard. I don't think anyone here would replace a working Intranet with a "bleeding edge" d

      --
      ACs don't waste your time replying, your posts are never seen by me.
    64. Re:Why should this upset them? by somersault · · Score: 1

      I meant even if the code was not written with the purpose of - or at least was never used for - performing nefarious deeds without authorisation from the user of the computer. Like the RIAA would probably prefer to just get rid of all P2P traffic to make sure that none of their material was being distributed in this way, whether legally or not.

      --
      which is totally what she said
    65. Re:Why should this upset them? by Anonymous Coward · · Score: 0

      Well, yes and no. A not insignificant number of ubuntu newbies immediately go and pirate Cedega upon discovering they need it to run their windows games, because that's what they've always done. You could no doubt 0wn quite a lot of people simply by sticking a malicious torrent up on TPB. This situation is only going to get worse as Linux becomes more mainstream.

    66. Re:Why should this upset them? by Timothy+Brownawell · · Score: 2, Informative

      noexec just means you can't execute anything *directly*. "perl nastyscript.pl" works just fine with nastyscript.pl on a noexec partition.

    67. Re:Why should this upset them? by mollymoo · · Score: 1

      The CanSecWest competition has seen OS X pwned two years in succession. The Vista exploit was apparently cross-platform and Adobe's fault for making Flash bypass Vista's security mechanisms, which would otherwise have stopped it dead in its tracks. NT is a multi-user OS by design, by the way. I have no love for Microsoft at all, quite the contrary, but from what I read Vista does seem to be moving the right way. Anyway, the security of the OS perhaps isn't the biggest problem. As long as vendors like Adobe keep making stupid programs which want more access than they really need (I ditched Acrobat on OS X because it wanted admin rights for the installer) and users have admin rights which can be granted to the programs they install there will always be gaping holes, no matter how secure the underlying OS.

      --
      Chernobyl 'not a wildlife haven' - BBC News
    68. Re:Why should this upset them? by ultranova · · Score: 1

      There's lots of ways to execute a process automatically under linux. Off the top of my head I can think of several. One would be getting in one of the .login, .profile, or all the various different init scripts stored in the users home directory (and belong to the user) that get run when a user logs in.

      Just install yourself as a cron job, to be run once per hour for example. That way you don't even have to stay resident and won't show up in process listing.

      --
      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
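Comments 31 and 68 list the places an unprivileged account can plant something that runs again at login or on a schedule: the `.login`/`.profile` family and the user crontab. The defender's counterpart is to audit exactly those hooks, and the script below is an added example (not code posted by anyone in this thread) that does so: it reads the text of a user's startup files and of `crontab -l` and reports any command that would execute a program, or feed an interpreter a script, from a location the user can write to (`~`, `/tmp`, `/dev/shm`). The interpreter check is there because, as comment 66 points out, `perl nastyscript.pl` is not stopped by a `noexec` mount. The home path, file contents and crontab lines are constructed for the demonstration; the tokenising is a heuristic, not a full shell parser.

```python
"""Audit a user's login hooks (shell rc files and the user crontab) for commands
that launch code from user-writable locations.  Added example for this thread,
not code posted by any commenter.  File contents and the crontab text below are
constructed; a real audit would feed in the user's actual files and `crontab -l`."""
import re
import shlex
from pathlib import Path
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, int, str]  # (source, line number, command)

# Per-user login hooks named in the thread plus common relatives.
STARTUP_FILES = [".profile", ".login", ".bash_profile", ".bashrc", ".zprofile", ".zshrc", ".xinitrc"]
# Places an unprivileged user, and so any code it ran, can write to.
WRITABLE_PREFIXES = ("~/", "$HOME/", "${HOME}/", "/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "ruby", "node"}
WRAPPERS = {"exec", "nohup", "setsid", "source", ".", "eval", "command"}
KEYWORDS = {"if", "then", "else", "elif", "fi", "do", "done", "while", "until", "!", "{", "}"}
# Split a line on ; && || | and a lone & (but not the & inside "2>&1").
SEPARATOR_RE = re.compile(r"\s*(?:;|&&|\|\||\||(?<![<>\d])&)\s*")


def _from_writable(token: str, home: Path) -> bool:
    token = token.strip("'\"")
    return token.startswith(WRITABLE_PREFIXES) or token.startswith(f"{home}/")


def suspicious_command(command: str, home: Path) -> Optional[str]:
    """Return the writable-location program or script a command would run, or
    None.  Heuristic: skip keywords, wrappers and VAR=value prefixes, then
    check the program itself, or the file handed to an interpreter."""
    try:
        words = shlex.split(command)
    except ValueError:          # unbalanced quotes: fall back to a plain split
        words = command.split()
    i, sourcing = 0, False
    while i < len(words) and (words[i] in KEYWORDS or words[i] in WRAPPERS
                              or ("=" in words[i] and not words[i].startswith("="))):
        sourcing = sourcing or words[i] in ("source", ".")
        i += 1
    if i >= len(words):
        return None
    program, args = words[i], words[i + 1:]
    if _from_writable(program, home):
        # .profile sourcing .bashrc is normal; .bashrc is scanned on its own.
        return None if sourcing and Path(program).name in STARTUP_FILES else program
    if Path(program).name in INTERPRETERS:   # "perl script.pl" sidesteps noexec
        return next((a for a in args if _from_writable(a, home)), None)
    return None


def scan_startup_file(name: str, text: str, home: Path) -> List[Finding]:
    """Scan one rc file's text; each flagged command becomes a finding."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for cmd in SEPARATOR_RE.split(line):
            if cmd.strip() and suspicious_command(cmd, home):
                findings.append((name, lineno, cmd.strip()))
    return findings


def scan_crontab(text: str, home: Path) -> List[Finding]:
    """Scan `crontab -l` text: five schedule fields (or @reboot etc.), then a command."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                                     # comment or VAR=value
        parts = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        if len(parts) == (2 if line.startswith("@") else 6) and any(
                c.strip() and suspicious_command(c, home) for c in SEPARATOR_RE.split(parts[-1])):
            findings.append(("crontab", lineno, parts[-1]))
    return findings


def audit(files: Dict[str, str], crontab_text: str, home: Path) -> List[Finding]:
    """Audit the given rc-file texts (keyed by file name) plus the crontab text."""
    findings: List[Finding] = []
    for name in STARTUP_FILES:
        if name in files:
            findings += scan_startup_file(name, files[name], home)
    return findings + scan_crontab(crontab_text, home)


# Constructed demo content for a hypothetical user "demo".
DEMO_HOME = Path("/home/demo")
DEMO_FILES = {
    ".profile": ('# ~/.profile\nexport PATH="$HOME/bin:$PATH"\numask 022\n'
                 'if [ -f "$HOME/.bashrc" ]; then . "$HOME/.bashrc"; fi\n'
                 "nohup $HOME/.cache/.x/update.sh >/dev/null 2>&1 &\n"),
    ".bashrc": "alias ll='ls -l'\npython3 ~/.local/share/.u/k.py &\n",
}
DEMO_CRONTAB = ('# m h dom mon dow command\nMAILTO=""\n0 * * * * /usr/bin/backup-home\n'
                "*/30 * * * * /tmp/.sync >/dev/null 2>&1\n@reboot /home/demo/.cache/.x/update.sh\n")


def run_demo() -> List[Finding]:
    return audit(DEMO_FILES, DEMO_CRONTAB, DEMO_HOME)


if __name__ == "__main__":
    for source, lineno, cmd in run_demo():
        print(f"{source}:{lineno}: {cmd}")
```

On the constructed input the ordinary lines (`PATH` export, `umask`, `.profile` sourcing `.bashrc`, an alias, a packaged backup job) pass, and four entries are reported: the backgrounded script under `~/.cache`, the interpreter-launched file under `~/.local`, the `/tmp` cron job and the `@reboot` entry. Note what this does not cover: a legitimate `~/bin` (comment 72's case) will be flagged and needs a per-user exception, and a program that has already been started can do far more than these files show, so the audit is a check on persistence hooks, not a substitute for running untrusted code in a confined domain.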

    69. Re:Why should this upset them? by SCHecklerX · · Score: 1

      Indeed.

      Viruses (not worms) are a stupid user issue. There's not much you can do about that, the thing will get run, and your beloved antivirus program of choice will not protect you from your users.

    70. Re:Why should this upset them? by FrozenFOXX · · Score: 1

      A secure user...so, like, one with handcuffs, right? Chained to his/her desk?

      --
      "Just a fox, a whisper."
    71. Re:Why should this upset them? by rtechie · · Score: 1

      I don't even need a sales force. True, it cost me more to have in house peons gather virus signatures and add them to my database, or add algorithms to my AV tools, but since I don't have to pay nearly as much for a sales force more viruses equals greater profits. I think this part of your calculation is a little off. Virus scanners are not just signature engines (ideally). I think the "actual threat" of viruses is far less significant than the "perceived threat", and anyone with money prepares for the "perceived threat". I'd draw an analogy with home security systems. The people that buy home security systems are typically the least likely to need them because they are likely to be relatively wealthy and live in relatively low-crime areas. So even though the threat is comparatively low, they implement the expensive home security system.

      What the AV companies want is for the ACTUAL threat to be low, but the PERCEIVED threat to be high. This is what the situation USED to be, lots of hype and little actual threat. Now that the threats are actually beginning to match the hype the AV companies are struggling to keep up. New threats directly translate to more development time to meet these threats, and therefore lower profits, that's why the AV companies are pissed about this.

      Basically, at this point, they don't need hype. The threats are out there and very real, to the point that most Windows users consider AV a REQUIREMENT. Given that reality, the issue is really competition between the vendors for the "best" AV product and "best" basically means manageability, ease of use, etc. in a corporate environment because that's the majority of AV sales.

    72. Re:Why should this upset them? by Jurily · · Score: 1

      Like I said, I'm lazy. /home/jurily/bin DOES have exec permissions. I like to keep my custom scripts away from portage.

      And yes, this is a security/convenience trade-off. I'm a programmer. I don't have time to setup a user just for my executables, thank you.

      Noexec is fine for an average user, but where should I, the programmer, put all my stuff?

    73. Re:Why should this upset them? by Jurily · · Score: 1

      Sorry, I'm a Gentoo user with less than enough spare time. You have 5 minutes to explain SELinux if I'm going to use it, I have ten to implement it. Go ahead.

      P.S. Last time I installed it, all sorts of nasty things happened to my pre-compiled stuff. What would you do about those? Clock is ticking.

    74. Re:Why should this upset them? by maxwell+demon · · Score: 1

      How successful would a virus be that can only infect the computers of programmers? I guess, not very.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  3. Condensed version: by Anonymous Coward · · Score: 0

    Waaaaah, they'll point out all the holes in our shitty software, no fair! Mummy!

  4. Can you say Ralph Nader? by zappepcs · · Score: 5, Insightful
    What would happen if Ralph got involved in the computer antivirus field?

    lets translate FTFA

    "It will do more harm than good to our company," said Paul Ferguson, a researcher with antivirus vendor TrendMicro. "Responsible disclosure is one thing, but now actually encouraging people to do this (as if the NSA isn't already doing so), as a contest is a little over the top. When really smart people start working on malicious software, we won't be able to keep up" Bold edits added by me.

    How about this slogan "Unsafe with any version!"

    I think they are afraid that regular joe end users are about to find out that programs meant to protect your pc are always an after the fact effort which leaves you vulnerable until you update and that there is no way to keep you safe from a zero-day facebook exploit. Even the government websites can be malicious until patched/fixed.

    And soon, the conclusion will be ... uh, why pay for that. Spybot search and destroy is free, and ClamAV is free. I can just give them a one time donation and get just as good of protection... hmmmm These pricey programs really can't do all that much.

    Wow, it would be such a shame if joe bloggs end user found out the truth. tisk tisk
    1. Re:Can you say Ralph Nader? by Anonymous Coward · · Score: 0

      LoL! ClamAV gets you (and your mailserver) owned dude:

      http://secunia.com/advisories/29000/
      http://secunia.com/advisories/28907/
      http://secunia.com/advisories/28117/
      http://secunia.com/advisories/26530/
      http://secunia.com/advisories/26038/
      http://secunia.com/advisories/25244/
      http://secunia.com/advisories/24891/
      http://secunia.com/advisories/24187/
      http://secunia.com/advisories/23347/
      http://secunia.com/advisories/22370/
      http://secunia.com/advisories/21374/
      http://secunia.com/advisories/19880/
      http://secunia.com/advisories/19534/
      http://secunia.com/advisories/17434/
      http://secunia.com/advisories/17184/
      http://secunia.com/advisories/16848/
      http://secunia.com/advisories/16180/
      http://secunia.com/advisories/15859/
      http://secunia.com/advisories/15835/
      http://secunia.com/advisories/15811/
      http://secunia.com/advisories/15542/
      http://secunia.com/advisories/14084/
      http://secunia.com/advisories/13900/
      http://secunia.com/advisories/11253/
      http://secunia.com/advisories/11177/
      http://secunia.com/advisories/10826/
      http://secunia.com/advisories/10213/

      Leave the real work to the adults please, not these kids that can't properly parse PE headers.

    2. Re:Can you say Ralph Nader? by aaron.axvig · · Score: 1, Insightful

      "Unsafe with any version!"

      Hence why I don't run any security products at all. They just pointlessly slow down your computer. I don't remember the last time I got infected (over 5 years?). Just have to be smart. But the security products don't help casual users either. Look at my family's computer...running AVG but someone went and downloaded a bunch of P2P crap and now there is no way short of a Windows re-install that will clean it up.

    3. Re:Can you say Ralph Nader? by zappepcs · · Score: 1
      I fail to see how the statement "And soon, the conclusion will be ... uh, why pay for that. Spybot search and destroy is free, and ClamAV is free. I can just give them a one time donation and get just as good of protection..." is not true?

      Solution:
      Update to version 0.93.

      The vulnerabilities are reported in versions prior to 0.92.1.

      Solution:
      Update to version 0.92.1. This is exactly what I was saying, and is true of all antivirus software. If you don't stay updated, you are vulnerable. The POINT was why pay so much for it?
    4. Re:Can you say Ralph Nader? by maxwell+demon · · Score: 1

      I don't remember the last time I got infected (over 5 years?).

      Well, actually you got infected yesterday. However it's a new kind of virus which not only manipulates your computer, but also your brain. You'll consider your computer's behaviour as absolutely normal, even if it differs extremely from what it was before. Your memory is just manipulated to tell you it was always the way it was now.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  5. Depends on conditions... by Fallen+Andy · · Score: 2, Insightful
    If this is being run like the hacking laptops thing recently, then what's the big deal? So long as the vulnerabilities are only disclosed to *all* AV vendors in private afterwards...

    The AV vendors who are complaining are more afraid of *other* vendors than xploits... If anything found here goes to all then it levels the playing field open source style...

    Andy

    1. Re:Depends on conditions... by chunk08 · · Score: 1

      Why not just make the results public? Then even the open source players (ClamAV etc.) can fix their software. In fact, they're far more likely to fix these problems than any major vendor.

      --
      Do away with our corrupt tax code. Support the Fair Tax
    2. Re:Depends on conditions... by Anonymous Coward · · Score: 1, Insightful

      So long as the vulnerabilities are only disclosed to *all* AV vendors in private afterwards...

      Who said anything about "in private"? I hope they post all the entries on their website. Shouldn't consumers have the right to know how they're vulnerable?

      Besides, I hardly believe the Defcon crowd will go for a "Trust us, for reasons we can't disclose, the winner was ..." And with all the people at Defcon, the results are bound to get leaked somewhere anyway.

    3. Re:Depends on conditions... by phantomfive · · Score: 2, Insightful

      The fear they have is that people will realize how useless anti-virus software really is. If there are simple techniques to get around any anti-virus software, and the whole world knows it, then there's not much point in paying to run some AV software that just slows down your computer, is there? Already we know that AV software is useless against 0-day exploits, and if your vendor is making reasonably timed updates, your AV software only has nominal value anyway.

      This contest will just go a little farther to help us understand exactly how useful AV software is. I am interested in seeing the results. AV software still has a place in the world, to scan emails to prevent exploits from people who don't patch their systems.

      --
      Qxe4
    4. Re:Depends on conditions... by Anonymous Coward · · Score: 0

      Yes, that's why not.

    5. Re:Depends on conditions... by Shadow-isoHunt · · Score: 1

      Dude, this is DEFCON. No, I'm not making a Sparta joke (although you may be kicked into the pits of /dev/null), the whole point of DEFCON is the sharing of information publicly, regardless of your hat. During the course of the convention, everyone is a greyhat, and afterwards everyone walks away a bit wiser. Pretty much everything that gets shown at DEFCON ends up posted on the net a few minutes after the presentation, or at least after the convention. If it wasn't meant for public consumption it wouldn't be exhibited in public, and there's no way you're going to put a gag on your convention goers.

      --
      www.isoHunt.com
    6. Re:Depends on conditions... by chunk08 · · Score: 1

      But, it was apparent that the people sponsoring the results were not tied to the AV vendors, as they were "in trouble" with them. So, spite the AV vendors, make the results public, the ClamAV guys can fix it, and the AV vendors *have* to fix it.

      --
      Do away with our corrupt tax code. Support the Fair Tax
  6. really helpful by agnistus · · Score: 1

    It would be good to have more contests like these as they would help strengthen existing security software by finding flaws in them.

  7. Trivial by Nikademus · · Score: 2, Interesting

    Bypassing current antivirus process is almost trivial. Just change a few lines and the signature based antivirus will not detect your virus. Now, create a process that automatically changes the few lines in a random order, but create this process as a random evolving like the virus and payload itself. Random jumps (with next payload at good place) with random junk in between should be sufficient to bypass heuristics (who said goto was dead :)). Then you've just killed the whole antivirus industry as we know today.

    Hey,why are the cops ringing at my door???

    --
    I gave up with the idea of an useful sig...
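Added example, not from the thread or from any poster: a toy model in Python of the signature-versus-mutation game Nikademus describes. The instruction set, the payload and the scanner are constructed stand-ins, not real malware and not a real engine. `mutate` puts either a jmp-over-junk block or an inline no-op in front of every real instruction, so a signature cut from the original sample no longer matches the raw stream. `normalize` is the minimal emulation step a heuristic engine adds on top of signatures: it follows the jumps instead of reading what they skip and discards the no-ops, after which the same signature matches again. Instruction substitution and reordering, which a real mutation engine also does, are deliberately left out; they would defeat this normalizer too.

```python
import random

# Toy instruction set. An instruction is a (mnemonic, operand) tuple;
# "jmp" takes an absolute index into the instruction list.
# These three do nothing useful and stand in for the "random junk"
# a mutation engine sprinkles between real instructions.
JUNK = [("nop", None), ("xor_zero", "r7"), ("mov_self", "r6")]

# Constructed stand-in for a malicious payload: four real instructions.
PAYLOAD = [
    ("mov", ("r1", 0x41)),
    ("syscall", "open"),
    ("syscall", "write"),
    ("syscall", "close"),
]

# A signature is a contiguous slice of the original sample, the way a
# byte-pattern signature is cut from a captured binary.
SIGNATURE = PAYLOAD[1:4]


def naive_scan(prog, sig):
    """Substring-style matching: is sig a contiguous run inside prog?"""
    n = len(sig)
    return any(prog[i:i + n] == sig for i in range(len(prog) - n + 1))


def mutate(prog, rng, max_junk=3):
    """Produce a functionally identical variant of prog.

    Before every real instruction it inserts either a jmp that skips over
    a block of junk (never executed) or a single inline junk instruction
    (executed, but a no-op). Either way no two payload instructions stay
    adjacent, so a signature spanning two or more of them cannot match
    the raw instruction stream."""
    out = []
    for ins in prog:
        if rng.random() < 0.5:
            k = rng.randint(1, max_junk)
            out.append(("jmp", len(out) + 1 + k))      # land just past the junk
            out.extend(rng.choice(JUNK) for _ in range(k))
        else:
            out.append(rng.choice(JUNK))
        out.append(ins)
    return out


def variant(seed, prog=PAYLOAD):
    """Deterministic mutant of prog for a given seed."""
    return mutate(prog, random.Random(seed))


def normalize(prog):
    """Minimal emulation pass of the kind heuristic scanners run.

    Walk from the entry point, follow unconditional jumps instead of
    reading the bytes they skip, drop semantic no-ops, and return the
    instructions that actually execute. Junk that is jumped over never
    appears; inline junk is filtered out."""
    trace, pc, seen = [], 0, set()
    while 0 <= pc < len(prog) and pc not in seen:   # `seen` stops jmp loops
        seen.add(pc)
        ins = prog[pc]
        if ins[0] == "jmp":
            pc = ins[1]
            continue
        if ins not in JUNK:
            trace.append(ins)
        pc += 1
    return trace


def scan(prog, sig):
    """Signature match on the normalized trace rather than the raw stream."""
    return naive_scan(normalize(prog), sig)


if __name__ == "__main__":
    for seed in (1, 2, 3):
        v = variant(seed)
        print(f"seed {seed}: {len(v)} instrs, raw match={naive_scan(v, SIGNATURE)}, "
              f"normalized match={scan(v, SIGNATURE)}")
```

Every seed gives a different instruction stream that the raw scan misses, and every one of them normalizes back to the same four instructions. Taking a new signature from one mutant, which is the "they'll just add signatures" answer further down the thread, does not help against the next mutant; normalizing before matching does, until the mutator starts rewriting the instructions it keeps.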
    1. Re:Trivial by Kamineko · · Score: 1

      They have a job offer for you.

    2. Re:Trivial by Anonymous Coward · · Score: 0

      It's not *quite* that simple, but you've got the right idea. The truth is that the only viable solution (especially for businesses) is centrally-controlled white-listing. There are a few products on the market that do this very nicely, but they're not so widely known.

    3. Re:Trivial by Nikademus · · Score: 1

      And I will not accept... I am not interested working for companies writing poor software only to profit from their own errors.

      --
      I gave up with the idea of an useful sig...
    4. Re:Trivial by CrossChris · · Score: 1

      It was funny when I visited Symantec a while ago, and put two nasty bits of malware on their internal network. None of their silly AV products were able to find them, and one of them is still there, two years later (it phones home occasionally). If Symantec are that bad, then so is the whole of the rest of the industry.

      The sooner the general public stop using Windoze, the sooner the 'net will quieten down and we can all get some damn work done!

    5. Re:Trivial by Anonymous Coward · · Score: 0

      Obviously you've never been a contractor. You get used to it.

    6. Re:Trivial by DarkOx · · Score: 1

      Yea, I hear but its not that simple. A virus still has to be small. You don't have a great deal of room for random crap.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    7. Re:Trivial by DarkOx · · Score: 1

      Windows, and group policy are pretty widely known. I also suspect most decent admins of windows networks are aware of code signing functions present in XP and above. You certainly could lock windows boxes down to only running executables, which includes things like activeX controls and the like, which are signed by Microsoft, your own organization, or match hashes you explicitly white list. You would probably also want to disable windows scripting and unsigned vba for applications, which you can also do.

      Still I have never come across an organization that would support its admin staff in such an endeavor for the general user population or an admin staff large enough to keep up with the whitelisting.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    8. Re:Trivial by Anonymous Coward · · Score: 0

      Then you've just killed the whole antivirus industry as we know today. Rubbish. All you've done is make it necessary for them to add some new signatures, and that's what they'll do - that's what they always do.

      What, do you really think that signatures are static bit patterns? Do you really think that nobody thought of polymorphic viri before? Google "mutation engine" some time - these have been around for almost two decades.
    9. Re:Trivial by somersault · · Score: 1

      I thought viruses would already do stuff like that, hence why there are 'heuristic' options in some AV programs? Don't tell me that the AV vendors are that dumb? Eek, you're telling me, aren't you? :O

      --
      which is totally what she said
    10. Re:Trivial by Anonymous Coward · · Score: 0

      Unsigned VBA? How's that supposed to work.

      Let's see... I'll take reg.exe (allowed by default) or any other meaningful utility to open the GroupPolicy registry key so often that the lock limit is reached. Consequently, MS Office fails to read the policy and reverts to default behaviour. And then you can run it.

      If you're using per-user policies, it gets even worse. Just grant another user access to your profile dir, logout, let him edit your registry file, and zack bang you can manipulate the group policy settings.

      That having been said, Group Policies don't offer security boundaries. They help provide applications with safe defaults.

    11. Re:Trivial by somersault · · Score: 1

      If you're telling the truth, you'd better hope they don't find out where 'home' is! Hehe

      --
      which is totally what she said
    12. Re:Trivial by Lord+Ender · · Score: 2, Interesting

      Wow... You would have been considered really clever in the virus world... about fifteen years ago.

      Guess what: Your invention has already been created. AV companies have countered with "heuristic" or "behavioral" virus detection. The purpose of this exercise is to game not just the signatures, but the heuristics as well.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    13. Re:Trivial by Nikademus · · Score: 1

      Indeed I wrote a proof of concept about 15 years ago. But still heuristics cannot detect this kind of stuff if internal code and payload changes all the time.
      The idea is trivial, not the implementation. That's why antivirus still work the way they do.

      --
      I gave up with the idea of an useful sig...
    14. Re:Trivial by Anonymous Coward · · Score: 0

      Random jumps (with next payload at good place) with random junk in between should be sufficient to bypass heuristics (who said goto was dead :)). http://xkcd.com/292/
    15. Re:Trivial by Anonymous Coward · · Score: 0

      Maybe the cops are there to beat you with a clue stick. Detecting viruses with a simple string search or (heaven forbid) a hash is ancient history, not current technology. The evasion technique you are describing is a polymorphic virus. The anti-virus vendors have been dealing with these for about fifteen years.

    16. Re:Trivial by Anonymous Coward · · Score: 0

      "Bypassing current antivirus process is almost trivial." - by Nikademus (631739) * on Sunday April 27, @01:40PM (#23215396) Homepage

      Which is why their "HEURISTICS" ('smells like a duck, tastes like a duck, & looks like a duck (must be a duck)') type tech in antivirus products is important... who leads that area, per current results? Apparently, NOD32 does & has kept such leadership in that category during formal testing @ av-comparatives.org & vb100 the past few years now over all other competition.

      NOW, if you don't want scripted viruses (via java/javascript)? Don't run them in your webbrowser, you won't get any of this.

      (Yes, that's a PAIN on some sites (so, you need a browser that allows "exception sites", & FireFox will do THAT, via an addon called "noscript" (Flashblock's another one that may help also, due to Adobe's products being rampantly exploited lately)... , & OPERA HAS LESS KNOWN SECURITY VULNERABILITIES THAN FIREFOX DOES (or, IE too))!

      If you search a site like SECUNIA.COM, you can verify the browser vulnerabilities lists, as of today's date, here in these URL's to verify my statements:

      =====
      SECUNIA DATA ON BROWSER SECURITY (dated 04/28/2008):
      =====

      Opera 9.27 security advisories @ SECUNIA (0% unpatched):

      http://secunia.com/product/10615/?task=advisories

      ----

      Netscape 9.0.0.6 (0% unpatched - but, now discontinued by Mozilla, so it WILL be vulnerable to things FF won't be now & in the future):

      http://secunia.com/product/14690/

      ----

      FireFox 2.0.0.14 security advisories @ SECUNIA (17% unpatched):

      http://secunia.com/product/12434/

      ----

      IE 7 (latest cumulative update from MS) security advisories @ SECUNIA (33% unpatched):

      http://secunia.com/product/12366/

      ----

      MOST OF WHAT YOU SEE OUT THERE NOWADAYS ONLINE? Javascript + IFrame exploits... so, getting a secure browser, & creating "exception sites" for running IFrames &/or JavaScript, & for those exception sites ONLY, is a GOOD idea (sites like online shopping &/or online banking come to mind - they OFTEN DEMAND YOU USE JavaScript/Cookies etc. so on those sites, use them, since you are forced to... all others? TURN IT OFF, & BE SAFE(r)).

      ----

      NOW - As far as "std. 'oldschool' binary infectors"?

      If apps were coded to say, check their filesize &/or CRC-32 @ startup? They can "self-check" themselves for infestation/infection!

      I did a "Dr. Who" (famous science fiction series, longest running there is iirc in fact) screensaver that does such checks (& in all of my freeware apps this takes place to protect users), here:

      ----

      APK Doctor Who ScreenSaver 2008++: review:

      http://www.drwhodaily.com/community/index.php?showtopic=386&st=0

      (Multithreaded 3D animated screensaver that self-checks itself vs. viral infestation via filesize & crc32 checks @ its startup)

      ----

      &, it works!

      E.G./I.E. -> The screensaver will tell you if it has had its CRC-32 altered, OR, its filesize & warn you + shut itself down, so you are aware of it & so it does not continue to "spread-the-disease"...

      (IF every Win32 PE app did that, we'd probably have LESS binary infector/attaching std. viruses imo @ least, & that of others, since my idea for this was "modded up" HERE @ SLASHDOT no less, in last year's "CODING FOR DEFCON" thread, see below):

      ----

      APK CODING FOR DEFCON POST (technique modded up as "technically interesting" etc. et al, for coding securely):
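
Added example, my code and not the screensaver's or any poster's: the filesize-plus-CRC-32 startup self-check the post describes, on a constructed toy image format (an 8-byte header holding the CRC and the total length, then the code), followed by the reason it only catches infectors that do not know about it. `naive_infect` appends a parasite and leaves the header alone; `aware_infect` stands in for an infector that understands the format and reseals the header, which nothing in an unkeyed checksum prevents. The HMAC variant shows what changes when the verifier, not the file, holds a secret. The header layout, the key and the sample bytes are assumptions for the example.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed toy image format: header = (crc32, total length), then code.
# A real PE keeps these in its own header fields; the logic is the same.
HDR = struct.Struct("<II")


def seal_crc(body: bytes) -> bytes:
    """Build step: CRC-32 over the image with the crc field zeroed,
    written into the header together with the final size."""
    length = HDR.size + len(body)
    crc = zlib.crc32(HDR.pack(0, length) + body) & 0xFFFFFFFF
    return HDR.pack(crc, length) + body


def verify_crc(image: bytes) -> bool:
    """Startup self-check: stored length and CRC-32 must both match."""
    if len(image) < HDR.size:
        return False
    crc, length = HDR.unpack_from(image)
    if length != len(image):
        return False
    zeroed = HDR.pack(0, length) + image[HDR.size:]
    return crc == (zlib.crc32(zeroed) & 0xFFFFFFFF)


def naive_infect(image: bytes, parasite: bytes) -> bytes:
    """Appending infector that knows nothing about the self-check."""
    return image + parasite


def aware_infect(image: bytes, parasite: bytes) -> bytes:
    """Infector that knows the format: append, then reseal the header.
    CRC-32 is unkeyed, so anyone who can write the file can do this."""
    return seal_crc(image[HDR.size:] + parasite)


TAG = hashlib.sha256().digest_size


def seal_hmac(body: bytes, key: bytes) -> bytes:
    """Keyed variant: HMAC-SHA256(key, body) prepended to the body."""
    return hmac.new(key, body, hashlib.sha256).digest() + body


def verify_hmac(image: bytes, key: bytes) -> bool:
    """Verifier holds the key; an infector without it cannot reseal."""
    tag, body = image[:TAG], image[TAG:]
    return hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())


if __name__ == "__main__":
    body = bytes.fromhex("554889e5") * 8          # constructed stand-in for code
    parasite = b"\xcc" * 16                        # constructed appended parasite
    img = seal_crc(body)
    print("clean        :", verify_crc(img))                           # True
    print("naive infect :", verify_crc(naive_infect(img, parasite)))   # False
    print("aware infect :", verify_crc(aware_infect(img, parasite)))   # True
    key = b"constructed-key-held-by-the-verifier"
    sealed = seal_hmac(body, key)
    print("hmac clean   :", verify_hmac(sealed, key))                  # True
    print("hmac infect  :", verify_hmac(sealed + parasite, key))       # False
```

The remaining gap is the verifier itself: a self-check compiled into the file can be patched out by whatever is modifying the file, so the check is only as strong as the thing that runs it. That is why signature verification in the loader (the "signed by Microsoft or your own organization" rule DarkOx mentions earlier in the thread) is the durable form of the same idea: the key and the checking code live outside the file being checked.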

  8. Bad publicity by perlchild · · Score: 1

    I wonder if the only vendors upset, are the ones that are used to vet the entries... Anyone have data? At the end of the contest, all their competitors will be able to know just how badly they did against the polymorphic techniques the entrants used. I imagine that would upset the PR people at those companies. As usual, the technical merit of such a competition is NOT the driving force for any discussion, just money.

  9. Proactive instead of reactive by teabag_46 · · Score: 1

    Wouldn't you think that AV firms would be glad of this type of competition? It will allow them to (possibly) find and fix a problem or problems, BEFORE they are found in the wild! This will make them PRO active instead of RE active, and will make them more efficient. If they were to try employing malware/virus writers, to create these software problems for them, instead of waiting for them to arrive at peoples computers, then people might actually think their products are worth paying for!

    1. Re:Proactive instead of reactive by Fractal+Dice · · Score: 1

      I think AV vendors would rather be in the business of selling a placebo than selling a cure.

      What I fear personally is recombination, where malware writers start setting up protocols for automatically and randomly exchanging code/modules with other malware without need for human intervention. That's where I feel the next explosion could come from - both in the variety of malware and the speed at which new innovations propagate across various strains. The only thing holding it back would seem to be the profit motive of malware writers - it's hard to control something that's mutating in unpredictable ways.

    2. Re:Proactive instead of reactive by somersault · · Score: 1

      it's hard to control something that's mutating in unpredictable ways. Helloooo, skynet!
      --
      which is totally what she said
  10. Maybe they should actually fix the problems? by flyingfsck · · Score: 2, Insightful

    The present crop of virus scanners are a really dumb idea, since they don't provide any real protection. Consequently I am all for this kind of competition. Hopefully it will force Microsoft and the AV parasites to create a proper security solution for the MS crapware.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
    1. Re:Maybe they should actually fix the problems? by Consul · · Score: 2, Interesting

      Like Default Deny. Marcus Ranum is my hero. ;-)

      --

      -----

      "You spilled my egg... I needed that egg."

    2. Re:Maybe they should actually fix the problems? by Anonymous Coward · · Score: 0

      Yea, that'll happen. Remind me of when Marcus Ranum has ever done anything relevant in computer security other than come up with lists of things that have nothing to do with reality? Why is he your hero? This loser is worse than Steve Gibson. Jesus Christ.

    3. Re:Maybe they should actually fix the problems? by Consul · · Score: 2, Insightful

      Well, the idea of Default Deny makes perfect sense to me. Tell the OS which programs are allowed to run, and notify me if something I have not explicitly allowed tries to execute, wherein I can take the opportunity to allow it or not. I run a total of a couple dozen programs, grand total, so it wouldn't be hard to get a system up and running after a new install.

      Since you seem to be a security expert in your own right, beyond anything Marcus have ever done, feel free to explain why this basic idea will not work at all.

      And he's not really my hero. Notice the smiley on the end there. I just think he has ideas that make sense.

      --

      -----

      "You spilled my egg... I needed that egg."

    4. Re:Maybe they should actually fix the problems? by RiotingPacifist · · Score: 0, Redundant

      Hate to break it to you but your hero's an idiot. Everybody knows default deny is a better idea.
      "Enumerating Badness" - sounds like DRM.
      "Penetrate and Patch" - while you spend months trying to figure out how to rework your system to provide the service it's meant to & not be exploited, your customers are getting infected. Sure, go back and fix the problem later, but 1st you need to protect people.
      "Hacking is Cool" - Hacking is always going to be cool, just like going on the grass is.
      "Educating Users" - This still doesn't address the dancing pigs problem; if you don't educate users, you're just making it harder for them to get their work done.
      "Action is Better Than Inaction" - A good point on security, but ofc epic fail in real life; if you don't adopt new techniques and benefits of IT, you may not have much of a system to protect in 5 years.
      Marcus sounds like an idiot, he's very good at stating the obvious flaws in IT but really can't offer any solutions.

      --
      IranAir Flight 655 never forget!
    5. Re:Maybe they should actually fix the problems? by Anonymous Coward · · Score: 0

      This is Slashdot right? Haven't you been around for the Vista UAC hate? And that's only programs that require administrative access! Now let's try that with all EXEs and DLLs (oh and by the way, did you know you can be infected by malware without the existence of any of these things? Probably not!).

      But hey, Marcus Ranum is a genius! Default deny is awesome!

      When I launch an installer, I click ALLOW. Maybe it drops a binary in %TMP% for the 2nd stage installer. I click ALLOW. It'll probably drop some proprietary DLLs too, we can't just trust those either as they're executable code, let's click ALLOW for all of those. Now let's repeat this process for years, having never actually downloaded any real malware. You just downloaded a trojaned copy of a program you thought you could trust. What do you click now? And now what do you do? What recourse do you have? What has default deny added to your security? Has it been worth the usability cost?

      Keep your day job. Leave the armchair security discussion to professionals like Marcus Ranum!

    6. Re:Maybe they should actually fix the problems? by Anonymous Coward · · Score: 1, Informative

      Hey, this has already been implemented in Windows XP. It's called Software Restriction Policies.

      But to come back to your question... it fails on:

      - Scripts. If the script interpreter is allowed, it typically allows for interpreting all kinds of scripts.
      - Loadable stuff. You know, .HLP and .MDB files are equivalent to executables.
      - insecure software. Allow IE to run, surf to a website, and zack back some malicious code is executing within its process.
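Added example, not the thread's code and not Microsoft's: a Python model of the default-deny allow-listing Consul asks about and that the post above identifies as Software Restriction Policies. The level names and the precedence (a hash rule beats a path rule, the most specific matching path rule wins, everything unmatched gets the default level) follow SRP; the registry key named in the comment is where the real policy is stored. The executables, paths and the rules in `build_policy` are constructed. The cases show why a path rule lets a trojaned file in a trusted directory run, why a hash rule pins the exact bytes the user approved when they clicked "allow", and why the script-host case is decided on cscript.exe alone.

```python
import hashlib
import ntpath
from dataclasses import dataclass, field

# SRP level names. The real policy lives under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, where
# DefaultLevel 0 is Disallowed and 0x40000 is Unrestricted.
DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Policy:
    default_level: str = DISALLOWED                      # default deny
    hash_rules: dict = field(default_factory=dict)       # sha256 -> level
    path_rules: dict = field(default_factory=dict)       # normcased prefix -> level

    def add_hash_rule(self, content: bytes, level: str) -> None:
        self.hash_rules[sha256(content)] = level

    def add_path_rule(self, prefix: str, level: str) -> None:
        self.path_rules[ntpath.normcase(prefix)] = level

    def decide(self, path: str, content: bytes) -> tuple:
        """Return (level, reason). Hash rules take precedence over path
        rules, the longest matching path rule wins, otherwise the default
        level applies. Only the launched file is examined; what it is
        told to interpret on its command line is not."""
        digest = sha256(content)
        if digest in self.hash_rules:
            return self.hash_rules[digest], "hash rule"
        npath = ntpath.normcase(path)
        hits = [p for p in self.path_rules if npath.startswith(p)]
        if hits:
            best = max(hits, key=len)
            return self.path_rules[best], f"path rule {best}"
        return self.default_level, "default level"


# Constructed stand-ins for executables; only their hashes matter here.
CSCRIPT = b"MZ cscript.exe"
VENDOR_APP_TROJANED = b"MZ vendor app 1.0 + dropper"
TOOL = b"MZ handy tool 2.3"
TOOL_TROJANED = b"MZ handy tool 2.3 + dropper"
UNKNOWN_SETUP = b"MZ random download"


def build_policy() -> Policy:
    """Default-deny policy shaped like SRP's defaults: the Windows and
    Program Files trees trusted by location, plus one hash rule the user
    added after clicking 'allow' on a downloaded tool."""
    p = Policy()
    p.add_path_rule(r"C:\Windows", UNRESTRICTED)
    p.add_path_rule(r"C:\Program Files", UNRESTRICTED)
    p.add_hash_rule(TOOL, UNRESTRICTED)
    return p


CASES = [
    # (label, path, content, argument handed to the program)
    ("script host",     r"C:\Windows\System32\cscript.exe", CSCRIPT, "evil.vbs"),
    ("allowed tool",    r"C:\Users\bob\Downloads\tool.exe", TOOL, ""),
    ("trojaned tool",   r"C:\Users\bob\Downloads\tool.exe", TOOL_TROJANED, ""),
    ("trojaned vendor", r"C:\Program Files\Vendor\app.exe", VENDOR_APP_TROJANED, ""),
    ("unknown setup",   r"C:\Users\bob\Downloads\setup.exe", UNKNOWN_SETUP, ""),
]


def run_cases(policy: Policy) -> dict:
    """Map each case label to the level the policy assigns it."""
    return {label: policy.decide(path, content)[0] for label, path, content, _ in CASES}


if __name__ == "__main__":
    policy = build_policy()
    for label, path, content, arg in CASES:
        level, why = policy.decide(path, content)
        print(f"{label:16} {level:12} ({why}) {arg}")
```

The trojaned tool is stopped because the hash rule pins bytes, not a location; the trojaned vendor app runs because the path rule trusts the directory, which is the "trojaned copy of a program you thought you could trust" failure described two posts up. In real SRP a script is also evaluated when its extension is on the policy's designated file types list and it is launched through the shell; content reaching an allowed interpreter through its command line, standard input or an unlisted extension is not, which is the first gap the post above lists.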

    7. Re:Maybe they should actually fix the problems? by Anonymous Coward · · Score: 0

      Nothing will ever force them to create a proper solution. Were you to write a perfect heuristic scan tomorrow that worked 100% (or even 99%) of the time, these guys would do everything they could to bury you and your product. They wouldn't buy or license the product themselves, because then users could just buy their product once and be done with it.

      They want the yearly subscriptions with the minimal output of cash for upkeep of what is essentially a blacklist of viruses. If you make a perfect scanner, they can't sell people the same thing over and over again.

      Make no mistake: antivirus vendors have NO interest in the best security product possible; they only have interest in the most profitable product that is good enough to keep customers paying them the IV drip of yearly fees for minimal effort. Anyone that believes otherwise is a fool that they most likely call "a satisfied customer".

  11. Problem vs solutions by gmuslera · · Score: 1

    Malware=problem, antivirus/security products are part of the solution. But what if you hit a problem that has no (practical) solution? What if the next generation of malware using that technique makes it very hard/impossible to deal with them? Once you reach the point that you can't tell when something is even potentially malware, all are in trouble.

    It would probably be clearer if they were investigating genetic/biological malware instead of computer malware.

    1. Re:Problem vs solutions by Timothy+Brownawell · · Score: 1

      But it *does* have a solution: don't give all your apps full access to ~ . Sandbox everything, and let programs fork and shrink their own sandboxes if they want to. The only part of your web browser that needs arbitrary filesystem access is the save/open dialogs, but there's no way to forbid other filesystem access outside of your profile directory. Maybe if you could do, say, "SaveDialogGenerator foo = new SaveDialogGenerator(System.Filesystem); System.Filesystem = null;" or similar, but no....

    2. Re:Problem vs solutions by vertinox · · Score: 1

      But what if you hit a problem that have no (practical) solution?

      All problems have solutions and practicality becomes relative to how much you want to stay virus free.

      Imagine a scenario like you mentioned in which there was no known solution, no patch forthcoming from MS or AV vendors, and internet connectivity meant you would be infected.

      Then disconnecting your Windows computer from the net and using another operating system might be practical even if it means you have to give up productivity.

      Suffice it to say, if it were such a major problem, some large organization (the government) would put pressure on MS to fix the damn problem before they get rooted again.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
  12. Eventuality by amrik98 · · Score: 1

    By Rice's theorem, proving any non-trivial property of a program is equivalent to the halting problem. Hence AV detection is an ultimately losing battle.

    1. Re:Eventuality by Anonymous Coward · · Score: 0

      The problem is that we don't need exact results. Rice's Theorem doesn't disprove that you can detect all viruses and a small set of false positives (with a relative size of zero).

      The real proof is that on any sufficiently complicated architecture you can create a self-replicating program that modifies itself so that neither the program nor the modification process omit any signature that could be detected with a L3, L2 or L1 grammar.

    2. Re:Eventuality by maxwell+demon · · Score: 2, Insightful

      By Rice's theorem, proving any non-trivial property of a program is equivalent to the halting problem. Hence AV detection is an ultimately losing battle. But then, there is no need to be able to prove 100% that the software is harmful. The simple rule could be: If you cannot prove that it isn't harmful, it's a security risk. Of course for that rule to be useful, the class of programs where you can prove it has to be large enough to allow for any useful behaviour. This certainly is hard, and maybe it's not achievable, but I don't know of any proof for that.

      Note that the halting problem does not say that you cannot write a program which can tell for some algorithms if they will halt. The halting problem says that no program can decide it on all algorithms. That makes algorithms deciding the halting problem (or an equivalent problem) for some algorithms no less obsolete than Gödel's proof that not all true theorems can be proven makes proofs in mathematics obsolete.
      --
      The Tao of math: The numbers you can count are not the real numbers.
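Added note, not part of the thread: the reduction behind amrik98's "equivalent to the halting problem" written out, treating "harmful" as a property of a program's behaviour (the setting of Rice's theorem), and the reason it leaves room for the sound-but-incomplete checker maxwell demon describes.

```latex
\text{Let } H = \{(M,x) : M \text{ halts on } x\}, \qquad
P = \{\text{programs whose behaviour is harmful}\}, \quad \emptyset \neq P \neq \text{all programs}.

\text{Suppose a total decider } D \text{ for } P \text{ existed. Fix some } B \in P.
\text{ For any pair } (M,x) \text{ build}

M'_{M,x}(y) \;:=\; \text{simulate } M(x);\ \text{if it halts, run } B(y);\ \text{otherwise loop forever.}

\text{The program that never halts does nothing, so it is not in } P, \text{ hence}
\quad M'_{M,x} \in P \iff (M,x) \in H,

\text{and } D(M'_{M,x}) \text{ would decide } H, \text{ which is undecidable. So no total } D \text{ exists.}

\text{This rules out a decider that answers on every program. It does not rule out a checker } C \text{ with}

C(M) = \mathsf{safe} \implies M \notin P, \qquad C(M) = \mathsf{unknown} \text{ otherwise,}

\text{which answers } \mathsf{safe} \text{ only on a class where the property is decidable}
\text{ (for instance straight-line or step-bounded programs) and } \mathsf{unknown} \text{ everywhere else.}
\text{ Treating } \mathsf{unknown} \text{ as a risk is exactly the rule proposed above; the open question is how large that class can be made.}
```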
    3. Re:Eventuality by Anonymous Coward · · Score: 0

      ZOMG dude you're wrong! Here's why:

      1) The OP is OBVIOUSLY college-educated
      2) He mentioned Rice's theorem
      3) He used the terms "non-trivial" and "halting problem"

      I bet he felt good about himself when he posted his academic stupidity.

    4. Re:Eventuality by makomk · · Score: 1

      But then, there is no need to be able to prove 100% that the software is harmful. The simple rule could be: If you cannot prove that it isn't harmful, it's a security risk. Of course for that rule to be useful, the class of programs where you can prove it has to be large enough to allow for any useful behaviour. This certainly is hard, and maybe it's not achievable, but I don't know of any proof for that. The trouble with that idea is stuff like DRM, copy protection, and game anti-cheat functionality. Deliberately written to make it hard to determine anything about what it does, uses malware-like obfuscation techniques, etc.
    5. Re:Eventuality by Anonymous Coward · · Score: 0

      Counterexample: format.com

      oh, and note that Kleene's theorem states that you cannot even generally find a set of loop invariants which is a superset of the invariants you'd need for your proof.

  13. Managing short-term and long-term resources by NetSettler · · Score: 3, Interesting

    By having some top-notch creative talent (never mind which color hat they're wearing) take a stab at creating new styles of malware under controlled conditions, they're giving the antivirus vendors a great opportunity to study these creations -- and therefore to be better able to protect against them.

    But what if what the antivirus vendors need is not time to study but time to come up with cures? I've worked on plenty of software where the problem was well-understood, but you could be so pestered to death by people trying to tell you there was a problem that you had no time left to work on a cure.

    I don't follow this community closely, but speaking from general knowledge of software projects over several decades ...

    It seems likely that these competitions do not teach the antivirus vendors what they don't know. It probably creates a fire drill internally where a long-range effort to do a substantive upgrade that would do what people wish for is side-tracked by a short-term need to make sure that people's machines are not broken into by a new stupid trick today, thanks to additional resources provided by well-meaning but "mal-informed" volunteers.

    Resources are always in short supply in companies, and there's a constant need to triage between short-term and long-term planning. Events like this increase the stress on short-term projects, causing them to draw precious resources away from long-term projects. The claim that this provides valuable data to the vendors sounds like spin created by malware vendors who are chuckling all the way to the bank because they get free help from a community of people who I suspect don't realize the harm they are doing.

    What they should be having is competitive events to come up with cool public-domain techniques for recognizing and stopping such malware in the general cases, thus reducing short-term strain on anti-virus vendors.

    --

    Kent M Pitman
    Philosopher, Technologist, Writer

    1. Re:Managing short-term and long-term resources by somersault · · Score: 1

      You're possibly giving AV vendors a little too much faith - especially since they want to sell subscriptions rather than one-offs. Any AV that could stop all possible viruses, ever, would destroy the whole market. Sad, but true.

      --
      which is totally what she said
    2. Re:Managing short-term and long-term resources by Anonymous Coward · · Score: 0
      > But what if what the antivirus vendors need is not time to study but time to come up with cures?

      No study, nothing to cure.

      > I've worked on plenty of software where the problem was well-understood, but you could be so pestered to death by people trying to tell you there was a problem that you had no time left to work on a cure.

      Then you're the victim of management which didn't properly insulate you from idiot users. I once worked with a guy who, when dealing with a crisis, used to tell idiots who called for status, that he'd be right on the problem as soon as people like them quit interfering with his progress.

      Even (maybe especially) executives should not be given access to the guy working on the problem. At best, one knowledgeable other person should be in attendance who understands both the problem and what's being done to solve it. All bullshit "need to know" calls should be directed exclusively to that person. Fuck the rest of them.

      > What they should be having is competitive events to come up with cool public-domain techniques for recognizing and stopping such malware in the general cases, thus reducing short-term strain on anti-virus vendors.

      Natch, the AV vendors can then package and sell the hard work of volunteers with no compensation to anyone but their own back pockets. Sure, I'd like to piss away the rest of my life aggrandizing these already fat bastards.

    3. Re:Managing short-term and long-term resources by Anonymous Coward · · Score: 0

      > Resources are always in short
      > supply in companies, and there's
      > a constant need to triage between
      > short-term and long-term planning.

      Management is always as stingy as they think they can get away with, which is what leads to a lack of long-term investment in quality products.

      I don't think the purpose of this contest is to *teach* the antivirus vendors how to make better products, it's to light a fire under them to *force* them to do so. I'm all in favor of that. Otherwise they have no motivation to do it because their crappy products are already selling just fine.

      > What they should be having is
      > competitive events to come up
      > with cool public-domain techniques
      > for recognizing and stopping such
      > malware in the general cases

      That's also an excellent idea. Let's have both.

    4. Re:Managing short-term and long-term resources by Anonymous Coward · · Score: 0

      > "Resources are always in short supply in companies" - by NetSettler (460623) on Sunday April 27, @02:08PM (#23215660)

      Well, if there weren't 6 figure salaries being wasted on useless managers, then perhaps there wouldn't be. Instead of spending on & paying to keep people who can actually do the job here (programmers), companies instead elect to keep overpriced stooges as high-priced babysitters that are NOT needed, called management.

  14. It's a bench mark by ruin20 · · Score: 1

    One of the purposes of this contest is to "call out" poorly performing antivirus vendors. The reason people are up in arms is that they are afraid that the results are going to reflect negatively on them. In other words, you're taking a bunch of really smart people and putting them against antivirus and asking them to look for a vulnerability. Although the antivirus vendors are getting a free quality check, they are risking bad press.

    --
    Oh honey look... How cute... an angry slashdotter!
  15. Not on Linux. by SanityInAnarchy · · Score: 3, Interesting

    You're right that it's about secure users, but it's much easier to be a secure user on Linux, precisely because you would never download foo.exe -- or foo.sh, or whatever. For the most part, you get things through your package manager, or not at all.

    As such, it is not particularly easy to download and run SomeFamousPersonNaked.bin -- you have to download it to somewhere, then you have to change its permissions, and then you have to run it -- and even then, they still don't have root.

    However, for a very long time, an antivirus actually made some sort of sense on Windows, because you would have exploits from visiting a webpage or reading an email. You actually had a situation where the most security-conscious users would never use the Preview Pane, so that they could delete suspicious emails without looking at them. In that particular kind of insane world, it makes sense to have antivirus -- and that is precisely why antivirus seems so laughable now.

    --
    Don't thank God, thank a doctor!
    1. Re:Not on Linux. by Anonymous Coward · · Score: 0

      Plus, if you have to exchange data between many computers with devices such as USB keys, not having autorun enabled by default helps a lot! On Windows, an antivirus also stops this type of infection (as long as the nasty thing is in their malware database).

    2. Re:Not on Linux. by drsmithy · · Score: 1

      > You're right that it's about secure users, but it's much easier to be a secure user on Linux, precisely because you would never download foo.exe -- or foo.sh, or whatever. For the most part, you get things through your package manager, or not at all.

      Of course, that's because "you" know what you're doing and would act the same, even using Windows.

      The typical end user, however, does not.

      > As such, it is not particularly easy to download and run SomeFamousPersonNaked.bin -- you have to download it to somewhere, then you have to change its permissions, and then you have to run it -- and even then, they still don't have root.

      All the attacker needs to do is wrap it in a .tgz file, where permissions are preserved. Just like a .zip file, really, so most people won't see anything different at all.

    3. Re:Not on Linux. by SanityInAnarchy · · Score: 1

      > Of course, that's because "you" know what you're doing and would act the same, even using Windows.

      No, I wouldn't, because on Windows, there are no good package managers. Your best bet is to only install software that's good by reputation, and to do so from their domain -- meaning you're vulnerable to MITM attacks, etc.

      > All the attacker needs to do is wrap it in a .tgz file, where permissions are preserved.

      Making it now several more steps -- you still have to unpack the tarball, and double-click the files inside. That's a far cry from clicking an executable, and then "Open from current location" and you're done.

      Kind of like syntactic vinegar.
      --
      Don't thank God, thank a doctor!
  16. I'm sure... by Ihmhi · · Score: 1

    ...that Michelle Madigan would love to get an undercover report of all the big mean hackers making new viruses in Las Vegas. Too bad she was busted last time she tried to spy on Defcon.

  17. What? A real world test? Ev1l H4x0|~z! by Vellmont · · Score: 2, Insightful

    The vendors' reply is just classic. It's essentially an admission that their products don't work. The whole AV industry is built on trying to identify existing viruses, and have a signature for them.

    Of course, if you find the virus out in the wild and identify it, you've already failed for a lot of people. (but I'm sure they don't like to talk about that).

    This is like a safe manufacturer objecting to someone actually trying to break open a safe like a real criminal would. "What! You used a crowbar and liquid nitrogen?! You're just letting the criminals know more about cold+crowbar usage!!! You should know OUR safes protect against sledgehammers VERY well."

    Get real, AV vendors. Everyone already knows you can't stand up to new viruses, and only protect against the known ones. People still buy your damn software anyway, because it's better than nothing.

    --
    AccountKiller
  18. just to clarify by rootpassbird · · Score: 1

    "you mean they're making viruses other than ours?"
    "shit, they'll all find out!" ... panic.. panic.. panic..

    --
    Hackers have long memories. It works both ways.
  19. The best AV/AS is your skilled IT staff... by iMouse · · Score: 1

    Actually, I think this is a great exercise!

    AV companies have ignored spyware/malware threats for years and treated them as any standard Trojan/worm/virus. It is AMAZING to see how easily a Windows workstation is compromised even with proper AV/AS software installed. If Microsoft and the AntiVirus/AntiSpyware companies don't straighten their act, I can see us going to signed apps in the near future.

    The fact is, many spyware/malware packages are toting along very malicious Trojans. The initial downloader Trojan almost always makes it under the detection line of the AV/AS software. While the AV/AS software may detect the malicious Trojan upon download from the downloader Trojan, the downloader Trojan is sometimes started as a service or as a component of Winlogon. This typically gives it an edge on the AV/AS software where it can download and install the malicious Trojan before the AV/AS even starts.

    The most amazing thing to do with a spyware infected PC is to scan it with everything you got, make sure all hidden and system files are viewable from Folder Options, then go into windows\system32 and sort the items by date modified or date created. You'll see a wonderful list of kjsdhfkjsh.exe, sdkssk.dll, sdkfjhsl.sys, etc that went completely undetected. This, of course, is completely ignoring the existence of rootkits, Browser Helper Objects, Winsock LSP entries, and a host of other fun stuff.

    I often ask myself why the location I work for even bothers purchasing $90,000 worth of antivirus + antispyware products when over 75% of the stuff we deal with every single day goes undetected.

    Since we have removal down to a science where I work, I often wonder if the $90,000 would be better spent on two more admins with similar knowledge.

  20. Missed opportunity by NMerriam · · Score: 1

    This seems like a great opportunity for the AV vendors to set up some microphones and video cameras and try to capture as much of the thought process of the entrants as possible. It's not often they'll have dozens of diversely creative programmers explicitly demonstrating in a controlled environment how the products would be attacked in the wild. I'm sure the AV vendors have teams that do this sort of stuff in-house, but having complete outsiders do something will ALWAYS show a team where they've made bad assumptions or gotten too insular in their thinking.

    This is basically the same thing they'd get from paying outside consultants 50 grand for a week of brainstorming, the difference being that the results here will be more honest and they can't bury the report afterwards if it damages their egos.

    --
    Recursive: Adj. See Recursive.
  21. Wisdom follows, pay attention! by Anonymous Coward · · Score: 0

    The race is meaningless. Nobody cares a damn about your "most elegant polymorphism", "dirtiest obfuscation hack" or the like any more.

    The glitch is, your code must have a viable payload according to race rules and that's exactly what we see in real life, too. Modern, professionally developed Chinese/Russian malware titles have a viable payload, because those gangs are profit-oriented or they are after stealing information and secrets for various three-letter agencies of your liking.

    Sorrowfully, your viable payload will be picked up and stopped in its tracks by modern AV software. They are no longer traditional, fingerprint-only scanners, now they have sandboxing, IPS, heuristics AND comprehensive system check integrated.

    The latter one will catch and stop the malware attack as soon as it tries to fiddle with Windows or user-space programs to make something viable illegal profit producing change.

    As far as I know, the best such interceptor technology today is Finnish F-Secure's "Deepguard 2.0", which integrates sandboxing, personal firewall, IPS and system activity monitoring with a multiple engined fingerprint + heuristic scanner. It is essentially undefeatable according to Dec 2007 German C'T tests, but makes your computer run about 30-50% slower due to its immense resource use.

    BTW, please note you cannot test these modern AV defences for efficiency, unless you actually try to run your malware sample. The huge system resource requirement for systems like DeepGuard means they are not used for "on demand" (i.e. manually started scans) because a full HDD check would take several days or weeks to finish.

    They are only active for "on-access" scenarios, that is real-life "I'm surfin and some hacked page tries to infect me". This is why AV companies oppose writing new viruses for tests: you have to run them on the AV protected target to fully see if AV can stop them - it probably can, but if not, there is a risk of proliferation and hurting by-stander netizens.

    Antivirus detection efficiency cannot be adequately tested against an idle archive of stored virus file image collections any more; proper, modern testing requires dynamic execution, which should have the IT equivalent of a "Biohazard Level 4 laboratory" environment to be safe.

    In fact about 2/3 of all AV vendors have recently started a brand new AV-testing organization to work out safe and sound test procedures and make them into industrial standards, because the current hallmark VB100% test is totally outdated.

  22. Re:Oh no! ... Pause for thought? by ee_smajors · · Score: 1

    On the face of it, malware is bad by definition. Those who make their living defending against such malignant cleverness should give pause to consider their visceral response:

    Mr. Gates cannot be faulted for the marketing genius that has driven our industry forward, but evolution is a natural selection process (i.e. what does not kill you makes you stronger). There are whole classes of leeches worshiping at the M$ altar, some of them are very well intentioned and bear no malice at all. The priesthood, however, are very aware of their position in this carnival and thus should be wary of allowing members of their congregations from biting the hand that feeds them (just for supplying the food too fast).

    As with all religions, the true panic among the priesthood is that a lack of censorship on the transfer of knowledge will overwhelm them and actually expose truth that would deprive them of their livelihood... in this case, universal adoption of a secure operating system (as demonstrated by the recent CanSecWest hacking contest).

  23. Privileges are needed by DrYak · · Score: 3, Insightful

    > There's no need for elevated permissions.

    No there is need. Under Linux a non privileged software has only access to high-level network access, such as opening a regular connection. There's no low-level access to network (crafting the data packets as wished) for non privileged software.

    Thus a potential running virus, *COULD* connect to its C&C if it receives its orders from an IRC channel.
    But the virus won't be able to create spoofed packets (used for sophisticated bounces and DDOS) or specially crafted packets to exploit flaws on the target system.
    Whereas under Windows, non-privileged applications CAN craft packets, and users run as administrators anyway.

    A non privileged process CAN download Ads from the internet, but it will have a harder time injecting them into the browser window.
    An admin-privileged process in Windows could hijack the network stack and rewrite HTML on the fly inserting pop-ups and ads.
    Under a non-privileged account in Linux, it can't. The virus will need instead to be able to rewrite the configuration of all the gazillion browsers that exist in Linux, either injecting a spyware plugin or rerouting the traffic through a proxy process spawned by the virus. Anyway, the absence of a single point of attack, and the lack of monoculture make Linux a more complicated target.

    Also, few user-friendly type distros (Ubuntu and the like) come with a sendmail (or equivalent) configured out-of-the-box for internet message delivery. Usually it's only configured to deliver alerts to the local user account.
    A potential operational Spam bot would either have to send directly the spam to the internet and both hope that the network isn't configured to reject email not going out through the SMTP server and hope that the infected machine doesn't sit on a dynamic IP which will automatically get discarded on the receiving machine.
    Or the potential Spam Bot will need additional complexity to retrieve the user's SMTP configuration, which will be difficult, both because there's a gazillion of different mail clients under Linux, and because several of them password-encrypt the credentials (Thunderbird can do it and all KDE software store their passwords in KWallet which is masterpassword-encrypted by default).
    This is security by diversity, and why it's good to avoid monocultures.
    This is opposed to Windows, where most users have outlook express, which lacks the ability to encrypt the credentials.

    Under Linux, it takes several steps to execute code downloaded from a browser; as a reference, see the HOWTOs about downloading the latest GPU drivers straight from the constructor site instead of using whatever is the regular package management/delivery mechanism used by the distro (you have to manually chmod it "executable". Clicking on it usually opens an editor).
    And that's neglecting that it is possible to "noexec" the whole home, in which case it's not even possible to *run* code from ~.
    So even if he wanted to, a Linux user can't just click on "NataliePortmanNaked.sh" and execute it (unless it's a regular package inside Synaptic or YaST, of course) whereas a Windows user can click on "PetrifiedWithHotGrits.exe".

    Also, downloading software from random websites isn't as common in Linux as in Windows. Mostly only geeks download software for Linux and usually they download it in (controllable) source form, where anomalies could more easily get spotted.
    The regular user will employ the package management system for the distro to get the needed package from the regular repository instead, as because of the diversity of Linux distros, he'll need a custom compiled package for the present distro.
    I.e.: a Windows user wanting a kitten-powered screensaver will google around to find a page proposing some spyware infested screensaver. Anyone can download, but you *need* to be computer-literate and careful about your source to *avoid* getting undesired stuff.

    The Linux users will browser Synaptic and download the package "omg-lol-ponie

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
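    The two Linux-side checks the comment leans on (the file needs an execute bit, and a "noexec" mount on home overrides it) as an added example, not code from the thread or from any distro: the mount table is a constructed /proc/mounts-style text rather than the live one, so the check behaves the same on any machine.

```python
"""Constructed example: can a downloaded file in a given path be executed?
Combines the file's mode bits with the 'noexec' option of the filesystem
that holds it. The mount table below is constructed, not read from the
running system (it mimics /proc/mounts format: dev, mountpoint, fstype,
options, dump, pass)."""
import stat

# Constructed /proc/mounts-style table: /home and /tmp are mounted noexec.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
"""


def parse_mounts(text):
    """Return a list of (mount_point, set_of_options) from /proc/mounts text."""
    table = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts escapes spaces in paths as the octal sequence \040
        mount_point = fields[1].replace("\\040", " ")
        options = set(fields[3].split(","))
        table.append((mount_point, options))
    return table


def mount_options_for(path, table):
    """Options of the longest mount point that is a prefix of path
    (so /home wins over / for anything under /home)."""
    best = None
    for mount_point, options in table:
        prefix = mount_point.rstrip("/") + "/"
        if path == mount_point or path.startswith(prefix):
            if best is None or len(mount_point) > len(best[0]):
                best = (mount_point, options)
    return best[1] if best else set()


def can_execute(path, mode, table):
    """True only if the owner's execute bit is set AND the filesystem holding
    the file is not mounted noexec. 'mode' is an st_mode integer as returned
    by os.stat; only the owner bit is considered here."""
    if "noexec" in mount_options_for(path, table):
        return False
    return bool(mode & stat.S_IXUSR)


if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)
    # A browser-saved file is normally 0644: no execute bit at all.
    print(can_execute("/home/alice/NataliePortmanNaked.sh", 0o100644, table))
    # Even after chmod +x, the noexec mount on /home still blocks it.
    print(can_execute("/home/alice/NataliePortmanNaked.sh", 0o100755, table))
    # The same mode bits on an exec-allowed filesystem would run.
    print(can_execute("/opt/tool.sh", 0o100755, table))
```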
  24. No van analogy? by AHuxley · · Score: 1

    > "drive a truck through the holes in their systems and it isn't going to take much for competitors to bypass most tools."

    Trucks are interesting
    What about the van?
    http://en.wikipedia.org/wiki/Magic_Lantern_(software)
    That would be a fun contest.
    Find the shoulder road.

    --
    Domestic spying is now "Benign Information Gathering"
  25. Biggest problem with this contest... by Anonymous Coward · · Score: 0

    It's too easy! Pack it with something tweaked and it'll probably go through. Sorry but the sandbox and heuristic crap just isn't that great. Turn it up and it falses like crazy. When my AV product claims that Skype is a keylogger how likely am I to trust it? And yes I'm serious an AV product did just that and quite a bit more. Just watch, this contest will be a feeding frenzy....

  26. You're wrong about this one by symbolset · · Score: 1

    I'm going to second the anonymous coward on this one. Unless you boot from read-only media once it's running privilege escalations are common enough on all systems that -- it's true -- if they can get you to download, chmod and run their code they can install an invisible rootkit capable of all the nastiness that Windows rootkits can do. Once you're compromised, it's _always_ a wipe and reinstall even in BSD, osX or Linux.

    So when you're compiling random code snippets from anonymous donors - do it on a system with restricted rights that boots from read-only media. A Knoppix or Ubuntu install CD or other "Live" distro will do the trick usually. Some distributions are engineered to run this way for this very reason -- you have to boot into a different mode in order to change the config or install software. There are also platforms designed this way, and you flash the EEPROM to change the settings.

    That said Open software application developers are usually aware of security issues and don't execute every binary blob an anonymous website or mailserver sends them. So yeah, the problem is seen less often. Flash has an execution engine in it, and this is the commonest vector for exploitation on these platforms because they don't have IE, Outlook and ActiveX (the commonest Windows vectors). If you do get exploited, wipe and reinstall - always.

    --
    Help stamp out iliturcy.
    1. Re:You're wrong about this one by nog_lorp · · Score: 1

      Point taken, thanks.

    2. Re:You're wrong about this one by Jurily · · Score: 1

      > if they can get you to download, chmod and run their code they can install an invisible rootkit capable of all the nastiness that Windows rootkits can do

      If I can convince an admin to install my rootkit, the problem is not with the OS. Difference is, *nix systems DO ask for permission to do nasty things as root.
  27. How bad Symantec really is... by Anonymous Coward · · Score: 1, Interesting
    I recently had to deal with a malicious code incident in my company. Thank god we have a 'defence in depth' implementation in place, because all protection mechanisms from Symantec have failed. The story I have to tell is really earthshakingly shocking:

    1. NAV10 by Symantec was not able to detect a virus within a ZIP file even when that ZIP file was copied. Symantec's explanation (paraphrased): "there is no harm possible when a ZIP file containing a virus is just copied" (hinting at a performance tradeoff)

    2. NAV10 was not able to detect the ZIP file even when the ZIP file was opened and the contents viewed. Not with WINZIP, not with the Windows built-in ZIP viewer. Symantec's explanation (paraphrased): "there is no harm possible when a ZIP file containing a virus is opened and viewed" (hinting at a performance tradeoff)

    3. NAV10 was not able to detect the malware without a signature. Now, the malware I am talking about was a primeval IRCbot that has been known to mankind for many many years. It did nothing special to hide its actions nor did it contain any means of obfuscation techniques. It was a simple malware ddos bot, connecting to port 7776, updating itself by http, opening a tftp port, spreading through inclusion of itself in other ZIP files it got hold of and through writing itself into the root partitions and trying to start itself with an AUTORUN.INF. It modified the known registry keys for its startup and did not use any obfuscation or even rootkit technologies whatsoever. And this amazingly simple and primitive malware was not detected by the heuristics engine! Symantec's explanation (paraphrased): "well, bad luck. But with Symantec Endpoint Protection 11 that should be solved as SEP11 contains a behavioural analysis engine that checks for such typical malicious behaviour."

    4. NAV10 does not detect the malware, which copies itself into the root partitions of every device it got hold of with the "hidden" attribute set, without the user explicitly choosing to view hidden files. So, if the user does not see the file, the AV realtime engine does not see it. Symantec's explanation (paraphrased): "if the user can not see the malware he can not execute it, therefore it poses no threat, except if it is started by other means (like autorun) but then other mechanisms should catch it)"

    5. After a signature had been supplied, the malware was wrongly detected as Spybot. Only after manual UPX decompression was it detected as an IRCbot. Symantec's explanation (paraphrased): "Bad luck. The UPX compressed signature looked like Spybot"

    6. When the infection had occurred prior to SAV10 containing a signature for the virus, SAV10's realtime protection did not detect an infection. Symantec's explanation (paraphrased): "Infected PCs should get scanned in safe mode, only then is detection of already running malware nearly reliable, supposing that a signature for the malware is in place"

    7. Even after two full scans of all ZIP files on our main fileserver not all instances of ZIP files containing the malware were identified, at least one instance was overlooked and only found when the virus scanner was set to scan the overlooked file IP alone. Symantec's explanation (paraphrased): "as it is not replicable, no comment"

    8. Broken ZIP files containing the malware were not found at all. (But were found by a competitor). Symantec's explanation (paraphrased): "as the ZIP files were damaged beyond repair, there is no need to detect those"

    9. Our File server had no Symantec realtime protection running, as with our OS version it was not able to handle the clustered loadsharing environment

    10. The client side email database file scanning engine was disabled due to heavy performance issues and the users complaining.

    11. The email server side AV scanning engine did not detect it due to an outdated scanning engine version

    12. It took me more than three months and over a week of work to get Symantec support to even comment on the issues.
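    The checks the report says the product skipped (hidden files, ZIP contents, nested ZIPs, damaged archives, AUTORUN.INF at a volume root) as an added example, not code from the thread or from Symantec: it matches file hashes against a constructed denylist built from a harmless marker string, and builds its own sample tree in a temporary directory.

```python
"""Constructed example: a minimal archive-aware scanner that does not skip
hidden files, descends into ZIP files (nested ones too), reports damaged
ZIPs instead of silently passing them, and flags AUTORUN.INF at the root.
Detection is by SHA-256 against a constructed denylist; the 'malware' is a
harmless marker string, not a real sample."""
import hashlib
import io
import os
import tempfile
import zipfile
import zlib

MARKER = b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE\n"
# Constructed denylist: hash -> detection name (placeholder, not a real family)
DENYLIST = {hashlib.sha256(MARKER).hexdigest(): "Constructed.IRCBot.Sample"}


def scan_bytes(data, label, findings, depth=0):
    """Hash the data; if it looks like a ZIP, recurse into every member.
    Labels use 'outer!inner' so nested hits are traceable."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in DENYLIST:
        findings.append((label, DENYLIST[digest]))
    if depth > 4 or not data.startswith(b"PK"):
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                scan_bytes(zf.read(info), f"{label}!{info.filename}",
                           findings, depth + 1)
    except (zipfile.BadZipFile, zlib.error, EOFError, RuntimeError) as exc:
        # A damaged archive is reported, not ignored (report item 8).
        findings.append((label, f"damaged-archive: {type(exc).__name__}"))


def scan_tree(root):
    """Walk root including dotfiles (os.walk never hides them) and flag an
    AUTORUN.INF sitting at the root, as on an infected removable volume."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if dirpath == root and name.upper() == "AUTORUN.INF":
                findings.append((rel, "autorun-at-volume-root"))
            with open(path, "rb") as fh:
                scan_bytes(fh.read(), rel, findings)
    return findings


def build_fixture(root):
    """Construct the layout from the report: a hidden copy, a ZIP carrying
    the sample, a ZIP nested inside another ZIP, a truncated ZIP and an
    AUTORUN.INF at the root."""
    with open(os.path.join(root, ".hidden_bot.exe"), "wb") as fh:
        fh.write(MARKER)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/bot.exe", MARKER)
    inner = buf.getvalue()
    with open(os.path.join(root, "photos.zip"), "wb") as fh:
        fh.write(inner)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("photos.zip", inner)
    with open(os.path.join(root, "archive.zip"), "wb") as fh:
        fh.write(outer.getvalue())
    with open(os.path.join(root, "broken.zip"), "wb") as fh:
        fh.write(inner[: len(inner) // 2])  # truncated beyond repair
    with open(os.path.join(root, "AUTORUN.INF"), "wb") as fh:
        fh.write(b"[autorun]\n")


def run_demo():
    """Build the fixture in a temp dir, scan it, return sorted findings."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return sorted(scan_tree(root))


if __name__ == "__main__":
    for label, verdict in run_demo():
        print(f"{label}: {verdict}")
```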

  28. It's actually beneficial to do this by misterjava66 · · Score: 1

    Quite simply, you CANNOT have excellent defence without a very-good knowledge of offence. As long as the attacking code is open-source, awesome knowledge of how offence does/can work would be gained, and great knowledge of how to defend would be gleaned.

  29. Re: by clint999 · · Score: 0

    And really, I'm sorry, but what doesn't get these leaches in a tizzy? Anything that threatens their profit model....