Malware Modification Contest Has Antivirus Vendors Upset

SkiifGeek writes "Race to Zero, a sideline competition being set up at this year's DefCon, already has some Antivirus vendors steaming over the objectives of the contest. They are upset because it is essentially a polymorphism exercise. Entrants are given a set of malware samples which they must then modify to pass through a battery of antivirus scanners without detection while still carrying a viable payload. Even if competitors ignore the published vulnerabilities and weaknesses affecting antivirus vendors, the competition should turn up some interesting results. It may provide technical insight and concepts for further research as similar competitions have done in the past."

Oh no!

[i_liek_turtles]

We may have to fix our software!

Re:Oh no!

[Lennie]

Yep, security is a process

Re:Oh no!

[Frosty+Piss]

And really, I'm sorry, but what doesn't get these leaches in a tizzy? Anything that threatens their profit model....

Why should this upset them?

[FlyByPC]

By having some top-notch creative talent (never mind which color hat they're wearing) take a stab at creating new styles of malware under controlled conditions, they're giving the antivirus vendors a great opportunity to study these creations -- and therefore to be better able to protect against them.

Heck, if I were Symantec, McAffee et al -- I'd take the opportunity to try to *recruit* programmers who had interesting entries in the contest! (Better to have them working for you, right?)

Re:Why should this upset them?

The antivirus vendors are in business to make money. Every one of these issues they have to deal with equates to lost money.

Re:Why should this upset them?

[Zero__Kelvin]

"The antivirus vendors are in business to make money. Every one of these issues they have to deal with equates to lost money."

Exactly right, if you don't count that you have it backwards. Lets start with the edge case 0. If there are Zero viruses, there is no need for the AV software. In fact, within reason the more viruses out there, the more money they make! If viruses are not even a blip on the radar when I do my security landscape evaluation, then the AV companies make no money because I would not purchase their product. If there are many viruses, then an AV company can sit back and wait for others (security folks, e.g.) to justify the purchase of my product. I don't even need a sales force. True, it cost me more to have in house peons gather virus signatures and add them to my database, or add algorithms to my AV tools, but since I don't have to pay nearly as much for a sales force more viruses equals greater profits.

Re:Why should this upset them?

[moosesocks]

Because polymorphism is considerably easier to implement than it is to circumvent (if it's even possible at all).

Essentially, this punches a huge hole in the security model of Norton and McAfee's product lines, rendering them completely ineffective against this sort of threat.

Personally, I've always found it remarkable that they've managed to hold on as long as they have, given just how deeply flawed the very notion of an Antivirus is.

As long as you've got a decently secure operating system, nothing more than a rudimentary antivirus should be necessary.

Re:Why should this upset them?

[GIL_Dude]

Sorry, the OS doesn't really make any difference (assuming you have a firewall - which all current operating systems do - to protect against buffer overflows found on inbound ports). What makes the difference is secure users.

I don't care how secure your OS is, if users are going to click on SomeFamousPersonNaked.exe , then they are going to eventually get owned - "secure" OS or not. We've all heard the "Linux doesn't get attacked much because it has an insignificant market share" and sort of argued around it - maybe the real one is "Linux doesn't get attacked much because the average Linux user knows enough to not click on ridiculous shit that gets emailed to them."

I run both Windows and Linux and the only time I have had a AV product tell me "oh noes, there is a virus" is when I have been manually TRYING to infect a system in order to reverse engineer what the damn thing does (in order to create cleanup packages for work). These are in non-networked VM's where we also re-image the host afterwards. But really - a secure USER is what we need. The OS won't make all that much difference compared to the user.

Re:Why should this upset them?

[Jurily]

I was going to moderate, but I can't let this one slide.

normal users don't run with the sort of privileges that would allow the virus (or trojan as in your example) to do very much damage or replicate itself. A normal user has access to the network and a home directory. How is that not enough for a virus?

Sure, it can't burn itself into the registry or equivalent, but it sure as hell can replicate itself. Hell, it can even cause a lot of headaches when you're lazy like me and have a whole drive mounted in /home/jurily/stuff with full write access.

Trojans are a different beast, of course, as they rely on the OS more heavily.

Re:Why should this upset them?

[Timothy+Brownawell]

Linux and MacOS do not get attacked, because normal users don't run with the sort of privileges that would allow the virus (or trojan as in your example) to do very much damage or replicate itself.

WTF? Any program I run has +rw access to ~ (can start itself from .profile, do arbitrary damage to all the files I actually care about, and steal passwords and the like) and the ability to connect(2) to random parts of the internet (ability to replicate, send passwords, and fetch ads). No privileges beyond this are needed to cause trouble.

The real reason is probably more to do with the size and average competency of the userbase.

Re:Why should this upset them?

[zwei2stein]

Exactly right, except you forgot one thing:

They dont need actually viruses and malware, they just need people (and businesses) to be afraid of them enough to consider them treat.

All you have to give to people is feeling of security and to make them think that you can shield them from any nasty stuff they might have heard on TV. And people are easily scared because they in general know little about computers.

People are scared and they get AVs (or careless and they wouldnt get AV even if there was billion of virii), so you fight for market share rather than install.

And your only feature you are ging to sell to those people is confidence of unpenetrable shield.

So yeah, AV companies do want perception of threat high and actually threat low. Thats when they make most money.

Every reall threat costs them money, Every imaginary threat makes them money.

Re:Why should this upset them?

[gbjbaanb]

not really. Once the AV company has enough viruses in the wild to persuade you to buy their product, all the viruses past that point is just a costly nuisance to them.

Re:Why should this upset them?

[YaroMan86]

Exactly. A virus for Linux at this point in time probably doesn't stand a snowball's chance in hell on the average Linux system because Linux users are smarter than the average Windows user. (I am generalizing and using a more relative version of smarter here.) That, coupled with the fact there are less than a hundredLinux viruses and a small user base, a Linux virus is not much of a threat... FOR NOW.

But what happens when we actually DO accomplish full-on Linux on the desktop? What happens if, hypothetically, Linux becomes more widely used than Windows? Suddenly the average skill of a Linux user plunges downward, and the virus population for Linux skyrocks. Suddenly a Linux virus doesn't seem so harmless, does it?

Remember nowadays, a virus usually doesn't commit destruction, as that would render a bot in a botnet worhtless, but would rather use it for spamming purposes. There's not need for elevated permissions. On top of that, most of the stuff a virus can destroy without elevation is the stuff the average user cares about anyway: Documents, Music, Pictures, HARD WORK. Irreplaceable things.

If there is a perfectly safe system that is still able to connect to the outside world, it is a system used only by a user who knows how to prevent viruses and knows how to do effective backups. You could also make a bonus by using a fully unprivileged user account.

These are things Windows will never do. Far too often is a user an administrator, and the inner workings of the system exposed. (It wasn't really until the average Windows based itself off of NT that ANYTHING was safe from Security Problem #1: The User. With Windows ME and earlier there are no user permissions, (Windows 2000 and earlier, along the NT line, are luckier and smarter.) and so, all a user has to do is take a stroll and delete files out of the windows directory. No authentication. Worse if a user boots into pure DOS where the usage protection Windows does ("Cannot delete (File), it is currently in use.") they can destroy ANYTHING on the system without any validation or authentication. What the hell was Microsoft thinking?

So, essentially a safe user is this:

1. A user who knows how the system works at least on a rudimentary level.

2. This same user must typically take normal user or lower privileges.

3. This same user must have a knowledge of how a virus finds itself on a system: (E-Mail attachments from bad sources, child porn, warez, etc.)

4. The system uses an operating system with its own effective security model. Typically one that involves user permission levels, if not a full-fledged multi-user system with the default user NOT being an administrator.

5. A good firewall. This is typically a third-party program.

6. Yes, a good antivirus. It may not be as effective as many other techniques, but an AV DOES help, period.

7. A real plus: Knowledge on how to remove a virus manually. (Not as hard as one might think, especially after the virus is identified.)

8. EDUCATION. EDUCATION. EDUCATION!!! If there are other users on the system, TEACH them! It is amazing how effective a little imparting of knowledge will do to make things better and safer.

9. Make sure the other users aren't in a position to infect the system either, as in, restrict their ability to declare things executables, block executables from mail, don't let them install P2P software. (Easy in Linux, since things like apt-get and Synaptic only function with root privileges. Though this can't stop them from installing it in their home folder.

10. Do a regular manual audit of the system. Not only should you keep an eye out for anything unusual, but also keep an eye out for 'unauthorized' software, like P2P.

11. Block torrent/warez sites. Every single time someone comes to me with a virus problem, the first question I ask is "Are you downloading torrents a lot?" and the answer is always "Yes."

12. Not relating to viruses, but a good tip anyway: Before you try any system changes, try the same change on a VM. A nice sandbox is better for fucking up than your own system.

You remember these things, and keep to them, chances are you'll be just fine.

Re:Why should this upset them?

[somersault]

I wonder how long before they start lobbying for it to be illegal to even write something that could be used as malware..

Can you say Ralph Nader?

[zappepcs]

What would happen if Ralph got involved in the computer antivirus field?

lets translate FTFA

"It will do more harm than good to our company," said Paul Ferguson, a researcher with antivirus vendor TrendMicro. "Responsible disclosure is one thing, but now actually encouraging people to do this (as if the NSA isn't already doing so), as a contest is a little over the top.When really smart people start working on malicious software, we won't be able to keep up" Bold edits added by me.

How about this slogan "Unsafe with any version!"

I think they are afraid that regular joe end users are about to find out that programs meant to protect your pc are always an after the fact effort which leaves you vulnerable until you update and that there is no way to keep you safe from a zero-day facebook exploit. Even the government websites can be malicious until patched/fixed.

And soon, the conclusion will be ... uh, why pay for that. Spybot search and destroy is free, and ClamAV is free. I can just give them a one time donation and get just as good of protection... hmmmm These pricey programs really can't do all that much.

Wow, it would be such a shame if joe bloggs end user found out the truth. tisk tisk

Managing short-term and long-term resources

[NetSettler]

By having some top-notch creative talent (never mind which color hat they're wearing) take a stab at creating new styles of malware under controlled conditions, they're giving the antivirus vendors a great opportunity to study these creations -- and therefore to be better able to protect against them.

But what if what the antivirus vendors need is not time to study but time to come up with cures? I've worked on plenty of software where the problem was well-understood, but you could be so pestered to death by people trying to tell you there was a problem that you had no time left to work on a cure.

I don't follow this community closely, but speaking from general knowledge of software projects over several decades ...

It seems likely that these competitions do not teach the antivirus vendors what they don't know. It probably creates a firedrill internally where a long-range effort to do a substantive upgrade that would do what people wish for is side-tracked by a short-term need to make sure that people's machines are not broken into by a new stupid trick today, thanks to additional resources provided by well-meaning but "mal-informed" volunteers.

Resources are always in short supply in companies, and there's a constant need to triage between short-term and long-term planning. Events like this increase the stress on short-term projects, causing them to draw precious resources away from long-term projects. The claim that this provides valuable data to the vendors sounds like spin created by malware vendors who are chuckling all the way to the bank because they get free help from a community of people who I suspect don't realize the harm they are doing.

What they should be having is competitive events to come up with cool public-domain techniques for recognizing and stopping such malware in the general cases, thus reducing short-term strain on anti-virus vendors.

Not on Linux.

[SanityInAnarchy]

You're right that it's about secure users, but it's much easier to be a secure user on Linux, precisely because you would never download foo.exe -- or foo.sh, or whatever. For the most part, you get things through your package manager, or not at all.

As such, it is not particularly easy to download and run SomeFamousPersonNaked.bin -- you have to download it to somewhere, then you have to change its permissions, and then you have to run it -- and even then, they still don't have root.

However, for a very long time, an antivirus actually made some sort of sense on Windows, because you would have exploits from visiting a webpage or reading an email. You actually had a situation where the most security-conscious users would never use the Preview Pane, so that they could delete suspicious emails without looking at them. In that particular kind of insane world, it makes sense to have antivirus -- and that is precisely why antivirus seems so laughable now.

Privileges are needed

[DrYak]

There's not need for elevated permissions.

No there is need. Under Linux a non privileged software has only access to high-level network access, such as opening a regular connection. There's no low-level access to network (crafting the data packets as wished) for non privileged software.

Thus a potential running virus, *COULD* connect to its C&C if it receives its orders from an IRC channel.
But the virus won't be able to create spoofed packets (used for sophisticated bounces and DDOS) or specially crafted packets to exploit flaws on the target system.
Whereas under Windows, non-privileged applications CAN craft packets, and users run as administrators anyway.

A non privileged process CAN download Ads from the internet, but it will have a harder time injecting them into the browser window.
An admin-privileged process in Windows could hijack the network stack and rewrite HTML on the fly inserting pop-ups and ads.
Under a non-privileged account in Linux, it can't. The virus will need instead to be able to rewrite the configuration of all gazillion of browser that exist in Linux, either injecting a spyware plugin or rerouting the traffic through a proxy process spawned by the virus. Anyway, the absence of a single point of attack, and the lack of monoculture make Linux a more complicated target.

Also, few user-friendly type distros (Ubuntu and the like) come with a sendmail (or equivalent) configured out-of-the-box for internet message delivery. Usually it's only configured to deliver alerts to the local user account.
A potential operational Spam bot would either have to send directly the spam to the internet and both hope that the network isn't configured to reject email not going out through the SMTP server and hope that the infected machine doesn't sit on a dynamic IP which will automatically get discarded on the receiving machine.
Or the potential Spam Bot will need additional complexity to retrieve the user's SMTP configuration, which will be difficult, both because there's a gazillion of different mail clients under linux, and both because several of them password-encrypt the credential (Thunderbird can do it and all KDE software store their passwords in KWallet which is masterpassword-encrypted by default).
This is security by diversity, and why it's good to avoid monocultures.
This is opposed to Windows, where most users have outlook express, which lacks the ability to encrypt the credentials.

Under Linux, it takes several step to execute code downloaded from a browser, as a reference, see the HOWTOs about downloading the latest GPU drivers straigth from the constructor site instead of using whatever is the regular package management/delivery mechanism used by the distro (you have to manually chmod it "executable". Clicking on it usually opens an editor).
And that's neglecting that it is possible to "noexec" the whole home, in which case it's not even possible to *run* code from ~.
So even if he wanted to, a linux user can't just click on "NataliePortmanNaked.sh" and execute it (unless its a regular package inside Synaptic or YaST, of course) whereas a Windows user can click on "PetrifiedWithHotGrits.exe".

Also, downloading software from random websites isn't as common in Linux as in Windows. Mostly only geeks download software for Linux and usually they download it in (controllable) source form, where anomalies could more easily get spotted.
The regular user will employ the package management system for the distro to get the needed package from the regular repository instead, as because of the diversity of Linux distros, he'll need a custom compiled packagee for the present distro,
ie.: Windows wanting kitten-powered screensaver will google around to find a page proposing some spyware infested screensaver. Anyone can download, but you *need* to be computer-literate and careful about your source to *avoid* getting undesired stuff.

The Linux users will browser Synaptic and download the package "omg-lol-ponie