Slashdot Mirror


Malware Modification Contest Has Antivirus Vendors Upset

SkiifGeek writes "Race to Zero, a sideline competition being set up at this year's DefCon, already has some Antivirus vendors steaming over the objectives of the contest. They are upset because it is essentially a polymorphism exercise. Entrants are given a set of malware samples which they must then modify to pass through a battery of antivirus scanners without detection while still carrying a viable payload. Even if competitors ignore the published vulnerabilities and weaknesses affecting antivirus vendors, the competition should turn up some interesting results. It may provide technical insight and concepts for further research as similar competitions have done in the past."

7 of 167 comments

  1. Re:Why should this upset them? by Anonymous Coward · · Score: 5, Informative

    The antivirus vendors are in business to make money. Every one of these issues they have to deal with equates to lost money.

  2. Re:Maybe they should actually fix the problems? by Anonymous Coward · · Score: 1, Informative

    Hey, this has already been implemented in Windows XP. It's called Software Restriction Policies.

    But to come back to your question... it fails on:

    - Scripts. If the script interpreter is allowed, it typically allows for interpreting all kinds of scripts.
    - Loadable stuff. You know, .HLP and .MDB files are equivalent to executables.
    - Insecure software. Allow IE to run, surf to a website, and zack, back some malicious code is executing within its process.

  3. Re:Why should this upset them? by YaroMan86 · · Score: 3, Informative

    Exactly. A virus for Linux at this point in time probably doesn't stand a snowball's chance in hell on the average Linux system because Linux users are smarter than the average Windows user. (I am generalizing and using a more relative version of smarter here.) That, coupled with the fact there are fewer than a hundred Linux viruses and a small user base, a Linux virus is not much of a threat... FOR NOW.

    But what happens when we actually DO accomplish full-on Linux on the desktop? What happens if, hypothetically, Linux becomes more widely used than Windows? Suddenly the average skill of a Linux user plunges downward, and the virus population for Linux skyrockets. Suddenly a Linux virus doesn't seem so harmless, does it?

    Remember, nowadays a virus usually doesn't commit destruction, as that would render a bot in a botnet worthless, but would rather use it for spamming purposes. There's no need for elevated permissions. On top of that, most of the stuff a virus can destroy without elevation is the stuff the average user cares about anyway: Documents, Music, Pictures, HARD WORK. Irreplaceable things.

    If there is a perfectly safe system that is still able to connect to the outside world, it is a system used only by a user who knows how to prevent viruses and knows how to do effective backups. You could also make a bonus by using a fully unprivileged user account.

    These are things Windows will never do. Far too often is a user an administrator, and the inner workings of the system exposed. (It wasn't really until the average Windows based itself off of NT that ANYTHING was safe from Security Problem #1: The User.) With Windows ME and earlier there are no user permissions (Windows 2000 and earlier, along the NT line, are luckier and smarter), and so all a user has to do is take a stroll and delete files out of the Windows directory. No authentication. Worse, if a user boots into pure DOS, where the usage protection Windows provides ("Cannot delete (File), it is currently in use.") doesn't apply, they can destroy ANYTHING on the system without any validation or authentication. What the hell was Microsoft thinking?

    So, essentially a safe user is this:

    1. A user who knows how the system works at least on a rudimentary level.

    2. This same user must typically take normal user or lower privileges.

    3. This same user must have a knowledge of how a virus finds itself on a system: (E-Mail attachments from bad sources, child porn, warez, etc.)

    4. The system uses an operating system with its own effective security model. Typically one that involves user permission levels, if not a full-fledged multi-user system with the default user NOT being an administrator.

    5. A good firewall. This is typically a third-party program.

    6. Yes, a good antivirus. It may not be as effective as many other techniques, but an AV DOES help, period.

    7. A real plus: Knowledge on how to remove a virus manually. (Not as hard as one might think, especially after the virus is identified.)

    8. EDUCATION. EDUCATION. EDUCATION!!! If there are other users on the system, TEACH them! It is amazing how effective a little imparting of knowledge will do to make things better and safer.

    9. Make sure the other users aren't in a position to infect the system either, as in, restrict their ability to declare things executables, block executables from mail, don't let them install P2P software. (Easy in Linux, since things like apt-get and Synaptic only function with root privileges. Though this can't stop them from installing it in their home folder.)

    10. Do a regular manual audit of the system. Not only should you keep an eye out for anything unusual, but also keep an eye out for 'unauthorized' software, like P2P.

    11. Block torrent/warez sites. Every single time someone comes to me with a virus problem, the first question I ask is "Are you downloading torrents a lot?" and the answer is always "Yes."

    12. Not relating to viruses, but a good tip anyway: Before you try any system changes, try the same change on a VM. A nice sandbox is better for fucking up than your own system.

    You remember these things, and keep to them, chances are you'll be just fine.

  4. Re:Why should this upset them? by Nero+Nimbus · · Score: 2, Informative

    They don't need actual viruses and malware, they just need people (and businesses) to be afraid of them enough to consider them treat. Yeah, because the average user considers screen savers, animated cursors, and nude pictures of Britney Spears to be treats.

  5. Re:Why should this upset them? by piojo · · Score: 2, Informative

    I agree completely. User permissions are sufficient to run cronjobs, send spam, and (often) steal sensitive information. User permissions are not enough to keylog, but I'm sure a Firefox profile directory is often worth as much as a keylogging session.

    --
    A cat can't teach a dog to bark.

  6. Re:Why should this upset them? by Nazlfrag · · Score: 2, Informative

    There's good coverage at http://www.privsecblog.com

    If passed into law (this bill already has passed the House twice but never has cleared the Senate), I-SPY would make it a criminal offense punishable by fines and/or up to five years in prison for "intentionally access[ing] a protected computer without authorization, or exceed[ing] authorized access to a protected computer, by causing a computer program or code to be copied onto the protected computer, and intentionally us[ing] that program or code in furtherance of another Federal criminal offense." Similar activity that is designed to defraud or injure a person or cause damage to a protected computer, but is not conducted in furtherance of another Federal offense, subjects the perpetrator to a fine and/or up to two years in prison. I'm fairly sure viruses would fall under at least the bold part. I have no idea how much (if at all) this is a result of lobbying by antivirus vendors.

  7. Re:Why should this upset them? by Timothy+Brownawell · · Score: 2, Informative

    noexec just means you can't execute anything *directly*. "perl nastyscript.pl" works just fine with nastyscript.pl on a noexec partition.
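Comments 2 and 7 describe the same gap from two sides: a rule keyed only on the executable's path (an SRP path rule, or a noexec mount) passes a trusted interpreter, which then runs whatever unvetted script it is handed. The toy model below is an added example, not code from any commenter or vendor; the trusted directories and the interpreter set are assumed. It contrasts a path-only rule with one that applies the same rule to the script an interpreter is asked to run.

```python
"""Toy model of path-based execution allowlisting and the interpreter gap.
Added example (assumed trusted directories and interpreter list)."""
from dataclasses import dataclass
import posixpath

# Interpreters that execute whatever file they are handed (assumed list).
INTERPRETERS = {"/usr/bin/perl", "/usr/bin/python", "/bin/sh"}

# Directories the policy trusts (assumed, stands in for SRP rules or
# the set of partitions mounted without noexec).
TRUSTED_DIRS = ("/usr/bin", "/bin")


@dataclass(frozen=True)
class ExecRequest:
    program: str        # path of the binary that would actually be exec'd
    args: tuple = ()    # remaining argv; may name a script or inline code


def under(path: str, prefix: str) -> bool:
    """True when path lies inside prefix after normalisation.
    Normalising first defeats '/usr/bin/../../home/x' style paths."""
    p = posixpath.normpath(path)
    return p == prefix or p.startswith(prefix.rstrip("/") + "/")


def naive_allowed(req: ExecRequest) -> bool:
    """Path-only rule: allow if the binary lives in a trusted directory.
    This is the rule that 'perl nastyscript.pl' slips through."""
    return any(under(req.program, d) for d in TRUSTED_DIRS)


def hardened_allowed(req: ExecRequest) -> bool:
    """Same rule, but when the binary is an interpreter every non-flag
    argument is treated as a script and must also be in a trusted
    directory. Inline code ('-e print 1') is rejected too, since it
    cannot be attributed to any vetted file."""
    if not naive_allowed(req):
        return False
    if posixpath.normpath(req.program) in INTERPRETERS:
        scripts = [a for a in req.args if not a.startswith("-")]
        return all(any(under(s, d) for d in TRUSTED_DIRS) for s in scripts)
    return True


if __name__ == "__main__":
    trick = ExecRequest("/usr/bin/perl", ("nastyscript.pl",))
    print("naive:", naive_allowed(trick), "hardened:", hardened_allowed(trick))
```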