Slashdot Mirror


Malware Modification Contest Has Antivirus Vendors Upset

SkiifGeek writes "Race to Zero, a sideline competition being set up at this year's DefCon, already has some Antivirus vendors steaming over the objectives of the contest. They are upset because it is essentially a polymorphism exercise. Entrants are given a set of malware samples which they must then modify to pass through a battery of antivirus scanners without detection while still carrying a viable payload. Even if competitors ignore the published vulnerabilities and weaknesses affecting antivirus vendors, the competition should turn up some interesting results. It may provide technical insight and concepts for further research as similar competitions have done in the past."

11 of 167 comments

  1. Re:Oh no! by Lennie · · Score: 3, Interesting

    Yep, security is a process

    --
    New things are always on the horizon
  2. Re:Why should this upset them? by Zero__Kelvin · · Score: 4, Interesting

    "The antivirus vendors are in business to make money. Every one of these issues they have to deal with equates to lost money."
    Exactly right, if you don't count that you have it backwards. Let's start with the edge case 0. If there are zero viruses, there is no need for the AV software. In fact, within reason, the more viruses out there, the more money they make! If viruses are not even a blip on the radar when I do my security landscape evaluation, then the AV companies make no money because I would not purchase their product. If there are many viruses, then an AV company can sit back and wait for others (security folks, e.g.) to justify the purchase of my product. I don't even need a sales force. True, it costs me more to have in-house peons gather virus signatures and add them to my database, or add algorithms to my AV tools, but since I don't have to pay nearly as much for a sales force, more viruses equals greater profits.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  3. Trivial by Nikademus · · Score: 2, Interesting

    Bypassing current antivirus processes is almost trivial. Just change a few lines and the signature-based antivirus will not detect your virus. Now, create a process that automatically changes the few lines in a random order, but create this process as a random, evolving thing like the virus and payload itself. Random jumps (with the next payload at a good place) with random junk in between should be sufficient to bypass heuristics (who said goto was dead :)). Then you've just killed the whole antivirus industry as we know it today.

    Hey, why are the cops ringing at my door???

    --
    I gave up with the idea of a useful sig...
    1. Re:Trivial by Lord+Ender · · Score: 2, Interesting

      Wow... You would have been considered really clever in the virus world... about fifteen years ago.

      Guess what: Your invention has already been created. AV companies have countered with "heuristic" or "behavioral" virus detection. The purpose of this exercise is to game not just the signatures, but the heuristics as well.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  4. Re:Maybe they should actually fix the problems? by Consul · · Score: 2, Interesting

    Like Default Deny. Marcus Ranum is my hero. ;-)

    --
    "You spilled my egg... I needed that egg."

  5. Managing short-term and long-term resources by NetSettler · · Score: 3, Interesting

    By having some top-notch creative talent (never mind which color hat they're wearing) take a stab at creating new styles of malware under controlled conditions, they're giving the antivirus vendors a great opportunity to study these creations -- and therefore to be better able to protect against them.

    But what if what the antivirus vendors need is not time to study but time to come up with cures? I've worked on plenty of software where the problem was well-understood, but you could be so pestered to death by people trying to tell you there was a problem that you had no time left to work on a cure.

    I don't follow this community closely, but speaking from general knowledge of software projects over several decades ...

    It seems likely that these competitions do not teach the antivirus vendors what they don't know. It probably creates a firedrill internally where a long-range effort to do a substantive upgrade that would do what people wish for is side-tracked by a short-term need to make sure that people's machines are not broken into by a new stupid trick today, thanks to additional resources provided by well-meaning but "mal-informed" volunteers.

    Resources are always in short supply in companies, and there's a constant need to triage between short-term and long-term planning. Events like this increase the stress on short-term projects, causing them to draw precious resources away from long-term projects. The claim that this provides valuable data to the vendors sounds like spin created by malware vendors who are chuckling all the way to the bank because they get free help from a community of people who I suspect don't realize the harm they are doing.

    What they should be having is competitive events to come up with cool public-domain techniques for recognizing and stopping such malware in the general cases, thus reducing short-term strain on anti-virus vendors.

    --

    Kent M Pitman
    Philosopher, Technologist, Writer

  6. Re:Why should this upset them? by maxume · · Score: 2, Interesting

    I'm sure referencing a wacko supply-sider will make someone mad, but I bet the profit to virus count relationship follows something like the Laffer curve, where at some point malware becomes so pervasive that people at least stop running anything that doesn't come in a box from Walmart and maybe even stop using computers altogether, so they don't need protection anymore.

    --
    Nerd rage is the funniest rage.
  7. Not on Linux. by SanityInAnarchy · · Score: 3, Interesting

    You're right that it's about secure users, but it's much easier to be a secure user on Linux, precisely because you would never download foo.exe -- or foo.sh, or whatever. For the most part, you get things through your package manager, or not at all.

    As such, it is not particularly easy to download and run SomeFamousPersonNaked.bin -- you have to download it to somewhere, then you have to change its permissions, and then you have to run it -- and even then, they still don't have root.

    However, for a very long time, an antivirus actually made some sort of sense on Windows, because you would have exploits from visiting a webpage or reading an email. You actually had a situation where the most security-conscious users would never use the Preview Pane, so that they could delete suspicious emails without looking at them. In that particular kind of insane world, it makes sense to have antivirus -- and that is precisely why antivirus seems so laughable now.

    --
    Don't thank God, thank a doctor!
  8. Re:Oh no! by Kjella · · Score: 2, Interesting

    Having a highly efficient Swiss-cheese-patching process is still not a mark of good security. Don't interpret that as saying that security is not a process, but the value of doing a one-time job to make a good security design should also not be underestimated. In fact, I think many companies would do well to divert a few more resources to just that...

    --
    Live today, because you never know what tomorrow brings
  9. Re:Why should this upset them? by somersault · · Score: 4, Interesting

    I wonder how long before they start lobbying for it to be illegal to even write something that could be used as malware...

    --
    which is totally what she said
  10. Re:Why should this upset them? by MikeBabcock · · Score: 2, Interesting

    SELinux is quickly helping to fix that problem.

    "wtf is this? You don't need network access or access to this directory, go away."

    Mandatory Access Controls are coming along nicely. About time too.

    --
    - Michael T. Babcock (Yes, I blog)