Slashdot Mirror


Malware Modification Contest Has Antivirus Vendors Upset

SkiifGeek writes "Race to Zero, a sideline competition being set up at this year's DefCon, already has some Antivirus vendors steaming over the objectives of the contest. They are upset because it is essentially a polymorphism exercise. Entrants are given a set of malware samples which they must then modify to pass through a battery of antivirus scanners without detection while still carrying a viable payload. Even if competitors ignore the published vulnerabilities and weaknesses affecting antivirus vendors, the competition should turn up some interesting results. It may provide technical insight and concepts for further research as similar competitions have done in the past."

13 of 167 comments

  1. Oh no! by i_liek_turtles · Score: 5, Insightful

    We may have to fix our software!

    1. Re:Oh no! by Frosty Piss · Score: 4, Insightful

      And really, I'm sorry, but what doesn't get these leeches in a tizzy? Anything that threatens their profit model....

      --
      If you want news from today, you have to come back tomorrow.
  2. Why should this upset them? by FlyByPC · Score: 5, Insightful

    By having some top-notch creative talent (never mind which color hat they're wearing) take a stab at creating new styles of malware under controlled conditions, they're giving the antivirus vendors a great opportunity to study these creations -- and therefore to be better able to protect against them.

    Heck, if I were Symantec, McAfee et al. -- I'd take the opportunity to try to *recruit* programmers who had interesting entries in the contest! (Better to have them working for you, right?)

    --
    Paleotechnologist and connoisseur of pretty shiny things.
    1. Re:Why should this upset them? by Anonymous Coward · Score: 5, Informative

      The antivirus vendors are in business to make money. Every one of these issues they have to deal with equates to lost money.

    2. Re:Why should this upset them? by Zero__Kelvin · Score: 4, Interesting

      "The antivirus vendors are in business to make money. Every one of these issues they have to deal with equates to lost money."
      Exactly right, if you don't count that you have it backwards. Let's start with the edge case 0. If there are zero viruses, there is no need for the AV software. In fact, within reason, the more viruses out there, the more money they make! If viruses are not even a blip on the radar when I do my security landscape evaluation, then the AV companies make no money because I would not purchase their product. If there are many viruses, then an AV company can sit back and wait for others (security folks, e.g.) to justify the purchase of my product. I don't even need a sales force. True, it costs me more to have in-house peons gather virus signatures and add them to my database, or add algorithms to my AV tools, but since I don't have to pay nearly as much for a sales force, more viruses equals greater profits.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:Why should this upset them? by moosesocks · Score: 4, Insightful

      Because polymorphism is considerably easier to implement than it is to circumvent (if it's even possible at all).

      Essentially, this punches a huge hole in the security model of Norton and McAfee's product lines, rendering them completely ineffective against this sort of threat.

      Personally, I've always found it remarkable that they've managed to hold on as long as they have, given just how deeply flawed the very notion of an Antivirus is.

      As long as you've got a decently secure operating system, nothing more than a rudimentary antivirus should be necessary.

      --
      -- If you try to fail and succeed, which have you done? - Uli's moose
    4. Re:Why should this upset them? by GIL_Dude · Score: 4, Insightful

      Sorry, the OS doesn't really make any difference (assuming you have a firewall - which all current operating systems do - to protect against buffer overflows found on inbound ports). What makes the difference is secure users.

      I don't care how secure your OS is, if users are going to click on SomeFamousPersonNaked.exe , then they are going to eventually get owned - "secure" OS or not. We've all heard the "Linux doesn't get attacked much because it has an insignificant market share" and sort of argued around it - maybe the real one is "Linux doesn't get attacked much because the average Linux user knows enough to not click on ridiculous shit that gets emailed to them."

      I run both Windows and Linux and the only time I have had an AV product tell me "oh noes, there is a virus" is when I have been manually TRYING to infect a system in order to reverse engineer what the damn thing does (in order to create cleanup packages for work). These are in non-networked VMs where we also re-image the host afterwards. But really - a secure USER is what we need. The OS won't make all that much difference compared to the user.

    5. Re:Why should this upset them? by Jurily · Score: 4, Insightful

      I was going to moderate, but I can't let this one slide.

      "normal users don't run with the sort of privileges that would allow the virus (or trojan as in your example) to do very much damage or replicate itself." A normal user has access to the network and a home directory. How is that not enough for a virus?

      Sure, it can't burn itself into the registry or equivalent, but it sure as hell can replicate itself. Hell, it can even cause a lot of headaches when you're lazy like me and have a whole drive mounted in /home/jurily/stuff with full write access.

      Trojans are a different beast, of course, as they rely on the OS more heavily.

    6. Re:Why should this upset them? by Timothy Brownawell · Score: 4, Insightful

      "Linux and MacOS do not get attacked, because normal users don't run with the sort of privileges that would allow the virus (or trojan as in your example) to do very much damage or replicate itself."

      WTF? Any program I run has +rw access to ~ (can start itself from .profile, do arbitrary damage to all the files I actually care about, and steal passwords and the like) and the ability to connect(2) to random parts of the internet (ability to replicate, send passwords, and fetch ads). No privileges beyond this are needed to cause trouble.

      The real reason is probably more to do with the size and average competency of the userbase.

    7. Re:Why should this upset them? by zwei2stein · Score: 4, Insightful

      Exactly right, except you forgot one thing:

      They don't actually need viruses and malware, they just need people (and businesses) to be afraid of them enough to consider them a threat.

      All you have to give to people is a feeling of security and to make them think that you can shield them from any nasty stuff they might have heard about on TV. And people are easily scared because they in general know little about computers.

      People are scared and they get AVs (or careless and they wouldn't get AV even if there were a billion virii), so you fight for market share rather than installs.

      And the only feature you are going to sell to those people is confidence in an impenetrable shield.

      So yeah, AV companies do want the perception of threat high and the actual threat low. That's when they make the most money.

      Every real threat costs them money; every imaginary threat makes them money.

      --
      -- Technology for the sake of technology is as pathetic as eschewing technology because it's technology.
    8. Re:Why should this upset them? by gbjbaanb · Score: 4, Insightful

      Not really. Once the AV company has enough viruses in the wild to persuade you to buy their product, all the viruses past that point are just a costly nuisance to them.

    9. Re:Why should this upset them? by somersault · Score: 4, Interesting

      I wonder how long before they start lobbying for it to be illegal to even write something that could be used as malware...

      --
      which is totally what she said
  3. Can you say Ralph Nader? by zappepcs · Score: 5, Insightful

    What would happen if Ralph got involved in the computer antivirus field?

    Let's translate FTFA:

    "It will do more harm than good to our company," said Paul Ferguson, a researcher with antivirus vendor TrendMicro. "Responsible disclosure is one thing, but now actually encouraging people to do this (as if the NSA isn't already doing so), as a contest is a little over the top. When really smart people start working on malicious software, we won't be able to keep up." Bold edits added by me.

    How about this slogan "Unsafe with any version!"

    I think they are afraid that regular Joe end users are about to find out that programs meant to protect your PC are always an after-the-fact effort which leaves you vulnerable until you update, and that there is no way to keep you safe from a zero-day Facebook exploit. Even the government websites can be malicious until patched/fixed.

    And soon, the conclusion will be ... uh, why pay for that? Spybot Search & Destroy is free, and ClamAV is free. I can just give them a one-time donation and get just as good protection... hmmmm. These pricey programs really can't do all that much.

    Wow, it would be such a shame if Joe Bloggs end user found out the truth. Tsk tsk.