Slashdot Mirror


Malware Modification Contest Has Antivirus Vendors Upset

SkiifGeek writes "Race to Zero, a sideline competition being set up at this year's DefCon, already has some Antivirus vendors steaming over the objectives of the contest. They are upset because it is essentially a polymorphism exercise. Entrants are given a set of malware samples which they must then modify to pass through a battery of antivirus scanners without detection while still carrying a viable payload. Even if competitors ignore the published vulnerabilities and weaknesses affecting antivirus vendors, the competition should turn up some interesting results. It may provide technical insight and concepts for further research as similar competitions have done in the past."

12 of 167 comments

  1. Re:Oh no! by Lennie · · Score: 3, Interesting

    Yep, security is a process

    --
    New things are always on the horizon
  2. Re:Why should this upset them? by Zero__Kelvin · · Score: 4, Interesting

    "The antivirus vendors are in business to make money. Every one of these issues they have to deal with equates to lost money."
    Exactly right, if you don't count that you have it backwards. Let's start with the edge case 0. If there are zero viruses, there is no need for the AV software. In fact, within reason, the more viruses out there, the more money they make! If viruses are not even a blip on the radar when I do my security landscape evaluation, then the AV companies make no money because I would not purchase their product. If there are many viruses, then an AV company can sit back and wait for others (security folks, e.g.) to justify the purchase of my product. I don't even need a sales force. True, it costs me more to have in-house peons gather virus signatures and add them to my database, or add algorithms to my AV tools, but since I don't have to pay nearly as much for a sales force, more viruses equals greater profits.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  3. Trivial by Nikademus · · Score: 2, Interesting

    Bypassing current antivirus process is almost trivial. Just change a few lines and the signature based antivirus will not detect your virus. Now, create a process that automatically changes the few lines in a random order, but create this process as a random evolving like the virus and payload itself. Random jumps (with next payload at good place) with random junk in between should be sufficient to bypass heuristics (who said goto was dead :)). Then you've just killed the whole antivirus industry as we know today.

    Hey, why are the cops ringing at my door???

    --
    I gave up with the idea of a useful sig...
    1. Re:Trivial by Lord+Ender · · Score: 2, Interesting

      Wow... You would have been considered really clever in the virus world... about fifteen years ago.

      Guess what: Your invention has already been created. AV companies have countered with "heuristic" or "behavioral" virus detection. The purpose of this exercise is to game not just the signatures, but the heuristics as well.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  4. Re:Maybe they should actually fix the problems? by Consul · · Score: 2, Interesting

    Like Default Deny. Marcus Ranum is my hero. ;-)

    --
    "You spilled my egg... I needed that egg."

  5. Managing short-term and long-term resources by NetSettler · · Score: 3, Interesting

    By having some top-notch creative talent (never mind which color hat they're wearing) take a stab at creating new styles of malware under controlled conditions, they're giving the antivirus vendors a great opportunity to study these creations -- and therefore to be better able to protect against them.

    But what if what the antivirus vendors need is not time to study but time to come up with cures? I've worked on plenty of software where the problem was well-understood, but you could be so pestered to death by people trying to tell you there was a problem that you had no time left to work on a cure.

    I don't follow this community closely, but speaking from general knowledge of software projects over several decades ...

    It seems likely that these competitions do not teach the antivirus vendors what they don't know. It probably creates a fire drill internally where a long-range effort to do a substantive upgrade that would do what people wish for is side-tracked by a short-term need to make sure that people's machines are not broken into by a new stupid trick today, thanks to additional resources provided by well-meaning but "mal-informed" volunteers.

    Resources are always in short supply in companies, and there's a constant need to triage between short-term and long-term planning. Events like this increase the stress on short-term projects, causing them to draw precious resources away from long-term projects. The claim that this provides valuable data to the vendors sounds like spin created by malware vendors who are chuckling all the way to the bank because they get free help from a community of people who I suspect don't realize the harm they are doing.

    What they should be having is competitive events to come up with cool public-domain techniques for recognizing and stopping such malware in the general cases, thus reducing short-term strain on anti-virus vendors.

    --

    Kent M Pitman
    Philosopher, Technologist, Writer

  6. Re:Why should this upset them? by maxume · · Score: 2, Interesting

    I'm sure referencing a wacko supply-sider will make someone mad, but I bet the profit to virus count relationship follows something like the Laffer curve, where at some point malware becomes so pervasive that people at least stop running anything that doesn't come in a box from Walmart and maybe even stop using computers altogether, so they don't need protection anymore.

    --
    Nerd rage is the funniest rage.
  7. Not on Linux. by SanityInAnarchy · · Score: 3, Interesting

    You're right that it's about secure users, but it's much easier to be a secure user on Linux, precisely because you would never download foo.exe -- or foo.sh, or whatever. For the most part, you get things through your package manager, or not at all.

    As such, it is not particularly easy to download and run SomeFamousPersonNaked.bin -- you have to download it to somewhere, then you have to change its permissions, and then you have to run it -- and even then, they still don't have root.

    However, for a very long time, an antivirus actually made some sort of sense on Windows, because you would have exploits from visiting a webpage or reading an email. You actually had a situation where the most security-conscious users would never use the Preview Pane, so that they could delete suspicious emails without looking at them. In that particular kind of insane world, it makes sense to have antivirus -- and that is precisely why antivirus seems so laughable now.

    --
    Don't thank God, thank a doctor!
  8. Re:Oh no! by Kjella · · Score: 2, Interesting

    Having a highly efficient swiss cheese-patching process is still not a mark of good security. Don't interpret that as saying that security is not a process, but the value of doing a one-time job to make a good security design should also not be underestimated. In fact, I think many companies would do well to divert a little more resources to just that...

    --
    Live today, because you never know what tomorrow brings
  9. Re:Why should this upset them? by somersault · · Score: 4, Interesting

    I wonder how long before they start lobbying for it to be illegal to even write something that could be used as malware..

    --
    which is totally what she said
  10. Re:Why should this upset them? by MikeBabcock · · Score: 2, Interesting

    SELinux is quickly helping to fix that problem.

    "wtf is this? You don't need network access or access to this directory, go away."

    Mandatory Access Controls are coming along nicely. About time too.

    --
    - Michael T. Babcock (Yes, I blog)
  11. How bad Symantec really is... by Anonymous Coward · · Score: 1, Interesting

    I recently had to deal with a malicious code incident in my company. Thank god we have a 'defence in depth' implementation in place, because all protection mechanisms from Symantec have failed. The story I have to tell is really earthshakingly shocking:

    1. NAV10 by Symantec was not able to detect a virus within a ZIP file even when that ZIP file was copied. Symantec's explanation (paraphrased): "there is no harm possible when a ZIP file containing a virus is just copied" (hinting at a performance tradeoff)

    2. NAV10 was not able to detect the ZIP file even when the ZIP file was opened and the contents viewed. Not with WinZip, not with the Windows built-in ZIP viewer. Symantec's explanation (paraphrased): "there is no harm possible when a ZIP file containing a virus is opened and viewed" (hinting at a performance tradeoff)

    3. NAV10 was not able to detect the malware without a signature. Now, the malware I am talking about was a primeval IRCbot that has been known to mankind for many, many years. It did nothing special to hide its actions, nor did it contain any obfuscation techniques. It was a simple malware DDoS bot, connecting to port 7776, updating itself by HTTP, opening a TFTP port, spreading through inclusion of itself in other ZIP files it got hold of and through writing itself into the root partitions and trying to start itself with an AUTORUN.INF. It modified the known registry keys for its startup and did not use any obfuscation or even rootkit technologies whatsoever. And this amazingly simple and primitive malware was not detected by the heuristics engine! Symantec's explanation (paraphrased): "well, bad luck. But with Symantec Endpoint Protection 11 that should be solved, as SEP11 contains a behavioural analysis engine that checks for such typical malicious behaviour."

    4. NAV10 does not detect the malware, which copies itself into the root partitions of every device it got hold of with the "hidden" attribute set, without the user explicitly choosing to view hidden files. So, if the user does not see the file, the AV realtime engine does not see it. Symantec's explanation (paraphrased): "if the user can not see the malware he can not execute it, therefore it poses no threat, except if it is started by other means (like autorun), but then other mechanisms should catch it"

    5. After a signature had been supplied, the malware was wrongly detected as Spybot. Only after manual UPX decompression was it detected as an IRCbot. Symantec's explanation (paraphrased): "Bad luck. The UPX compressed signature looked like Spybot"

    6. When the infection had occurred prior to SAV10 containing a signature for the virus, SAV10's realtime protection did not detect an infection. Symantec's explanation (paraphrased): "Infected PCs should get scanned in safe mode; only then is detection of already running malware nearly reliable, supposing that a signature for the malware is in place"

    7. Even after two full scans of all ZIP files on our main fileserver, not all instances of ZIP files containing the malware were identified; at least one instance was overlooked and only found when the virus scanner was set to scan the overlooked file IP alone. Symantec's explanation (paraphrased): "as it is not replicable, no comment"

    8. Broken ZIP files containing the malware were not found at all. (But they were found by a competitor.) Symantec's explanation (paraphrased): "as the ZIP files were damaged beyond repair, there is no need to detect those"

    9. Our file server had no Symantec realtime protection running, as with our OS version it was not able to handle the clustered load-sharing environment.

    10. The client-side email database file scanning engine was disabled due to heavy performance issues and the users complaining.

    11. The email server-side AV scanning engine did not detect it due to an outdated scanning engine version.

    12. It took me more than three months and over a week of work to get Symantec support to even comment on the issues.
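Several of the failures in the post above (archives not opened on copy, hidden files skipped, damaged ZIPs ignored) are gaps in what the scanner enumerates rather than in what it can recognise. As an added example, not code from the original post or from any Symantec product, a small Python scanner that walks every file including hidden ones, hashes contents against a set of known-bad SHA-256 values, recurses into nested ZIPs, and reports damaged or unreadable archives instead of silently skipping them; the payload bytes, file names and hash set in `demo()` are constructed placeholders.

```python
import hashlib, io, os, stat, tempfile, zipfile

def scan_zip_bytes(data, path, known_bad, depth=0):
    """Hash each ZIP entry, recurse into nested ZIPs, flag damaged/unreadable ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path, "DAMAGED_ARCHIVE")]  # corrupt archive: report it, don't skip it
    findings = []
    with zf:
        for info in zf.infolist():
            entry = f"{path}!/{info.filename}"
            try:
                content = zf.read(info)
            except (zipfile.BadZipFile, RuntimeError):  # bad CRC or encrypted entry
                findings.append((entry, "UNREADABLE_ENTRY"))
                continue
            if hashlib.sha256(content).hexdigest() in known_bad:
                findings.append((entry, "KNOWN_BAD"))
            if depth < 3 and content.startswith(b"PK\x03\x04"):  # nested ZIP
                findings += scan_zip_bytes(content, entry, known_bad, depth + 1)
    return findings

def scan_tree(root, known_bad):
    """Walk every file, hidden ones included (dot-prefix or Windows HIDDEN attribute)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            attrs = getattr(os.stat(p), "st_file_attributes", 0)  # present on Windows only
            tag = p + (" [hidden]" if name.startswith(".") or attrs & stat.FILE_ATTRIBUTE_HIDDEN else "")
            with open(p, "rb") as fh:
                data = fh.read()
            if hashlib.sha256(data).hexdigest() in known_bad:
                findings.append((tag, "KNOWN_BAD"))
            if data.startswith(b"PK\x03\x04"):  # ZIP local file header
                findings += scan_zip_bytes(data, tag, known_bad)
    return findings

def demo():
    # Constructed fixture: a hidden ZIP nesting a placeholder "bad" payload, plus a truncated ZIP
    payload = b"CONSTRUCTED SAMPLE - harmless placeholder, not real malware"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("bot.exe", payload)
    with tempfile.TemporaryDirectory() as d:
        with zipfile.ZipFile(os.path.join(d, ".archive.zip"), "w") as z:
            z.writestr("inner.zip", inner.getvalue())
        with open(os.path.join(d, "broken.zip"), "wb") as fh:
            fh.write(b"PK\x03\x04" + b"\x00" * 8)  # header only, no central directory
        return scan_tree(d, {hashlib.sha256(payload).hexdigest()})
```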