Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Programming Security IT Technology

Malware Modification Contest Has Antivirus Vendors Upset 167

SkiifGeek writes "Race to Zero, a sideline competition being set up at this year's DefCon, already has some Antivirus vendors steaming over the objectives of the contest. They are upset because it is essentially a polymorphism exercise. Entrants are given a set of malware samples which they must then modify to pass through a battery of antivirus scanners without detection while still carrying a viable payload. Even if competitors ignore the published vulnerabilities and weaknesses affecting antivirus vendors, the competition should turn up some interesting results. It may provide technical insight and concepts for further research as similar competitions have done in the past."
This discussion has been archived. No new comments can be posted.

Malware Modification Contest Has Antivirus Vendors Upset

Comments Filter:
  • Oh no! (Score:5, Insightful)

    by i_liek_turtles ( 1110703 ) on Sunday April 27, 2008 @12:11PM (#23215170)
    We may have to fix our software!
    • Re:Oh no! (Score:4, Interesting)

      by Lennie ( 16154 ) on Sunday April 27, 2008 @12:12PM (#23215182)
      Yep, security is a process
      • Re: (Score:3, Interesting)

        by Kjella ( 173770 )
        Having a highly efficient swiss cheese-patching process is still not a mark of good security. Don't interpret that as saying that security is not a process, but the value of doing a one-time job to make a good security design should also not be underestimated. In fact, I think many companies would do well to divert a little more resources to just that...
        • by Lennie ( 16154 )
          I totally agree. Spending time on doing it right the first time, using compartments, etc. does make a lot of sense and probably saves you lots of agravation/time in the long run.
    • Re:Oh no! (Score:5, Insightful)

      by Frosty Piss ( 770223 ) on Sunday April 27, 2008 @01:03PM (#23215620)
      And really, I'm sorry, but what doesn't get these leaches in a tizzy? Anything that threatens their profit model....
    • EX-ACT-LY!

      This is something that anti-virus company should have been doing themselves CONSTANTLY anyway, and it's only now that someone is doing something they should have been doing all along that they decide to wipe the tomato off their face?

      The line between anti-virus and adware/spyware/malware scanner is blurring so much now anyway that they're seemingly just upset over having to do more work. Basically they're just up-selling bloatware now, and scaring grandmothers and soccer mom's into thinking they
    • by mortonda ( 5175 )
      How dare someone *else* write viruses!!! ;)
  • by FlyByPC ( 841016 ) on Sunday April 27, 2008 @12:12PM (#23215180) Homepage
    By having some top-notch creative talent (never mind which color hat they're wearing) take a stab at creating new styles of malware under controlled conditions, they're giving the antivirus vendors a great opportunity to study these creations -- and therefore to be better able to protect against them.

    Heck, if I were Symantec, McAffee et al -- I'd take the opportunity to try to *recruit* programmers who had interesting entries in the contest! (Better to have them working for you, right?)
    • by Anonymous Coward on Sunday April 27, 2008 @12:21PM (#23215252)
      The antivirus vendors are in business to make money. Every one of these issues they have to deal with equates to lost money.
      • by Zero__Kelvin ( 151819 ) on Sunday April 27, 2008 @12:36PM (#23215350) Homepage

        "The antivirus vendors are in business to make money. Every one of these issues they have to deal with equates to lost money."
        Exactly right, if you don't count that you have it backwards. Lets start with the edge case 0. If there are Zero viruses, there is no need for the AV software. In fact, within reason the more viruses out there, the more money they make! If viruses are not even a blip on the radar when I do my security landscape evaluation, then the AV companies make no money because I would not purchase their product. If there are many viruses, then an AV company can sit back and wait for others (security folks, e.g.) to justify the purchase of my product. I don't even need a sales force. True, it cost me more to have in house peons gather virus signatures and add them to my database, or add algorithms to my AV tools, but since I don't have to pay nearly as much for a sales force more viruses equals greater profits.

        • Re: (Score:2, Interesting)

          by maxume ( 22995 )
          I'm sure referencing a wacko supply-sider will make someone mad, but I bet the profit to virus count relationship follows something like the Laffer curve, where at some point malware becomes so pervasive that people at least stop running anything that doesn't come in a box from Walmart and maybe even stop using computers altogether, so they don't need protection anymore.
        • by zwei2stein ( 782480 ) on Sunday April 27, 2008 @02:01PM (#23216108) Homepage
          Exactly right, except you forgot one thing:

          They dont need actually viruses and malware, they just need people (and businesses) to be afraid of them enough to consider them treat.

          All you have to give to people is feeling of security and to make them think that you can shield them from any nasty stuff they might have heard on TV. And people are easily scared because they in general know little about computers.

          People are scared and they get AVs (or careless and they wouldnt get AV even if there was billion of virii), so you fight for market share rather than install.

          And your only feature you are ging to sell to those people is confidence of unpenetrable shield.

          So yeah, AV companies do want perception of threat high and actually threat low. Thats when they make most money.

          Every reall threat costs them money, Every imaginary threat makes them money.
          • Re: (Score:2, Informative)

            They dont need actually viruses and malware, they just need people (and businesses) to be afraid of them enough to consider them treat.
            Yeah, because the average user considers screen savers, animated cursors, and nude pictures of Britney Spears to be treats.
          • by arminw ( 717974 )
            ....is confidence of unpenetrable shield....

            Anti-malware programs are more like a very strong padlock on a flimsy Windows OS door. The padlock may be tough, but the door is easy to kick in or simply take off the hinges. The only one who can make it hard to get into the computer (house) is the maker of the OS (door). OSX and Linux have a stronger door and a good lock. Hanging on a stronger padlock won't give much extra protection against burglars and the padlock sellers know that.

            They had a lock picking cont
            • The CanSecWest competition has seen OS X pwned two years in succession. The Vista exploit was apparently cross-platform and Adobe's fault for making Flash bypass Vista's security mechanisms, which would otherwise have stopped it dead in its tracks. NT is a multi-user OS by design, by the way. I have no love for Microsoft at all, quite the contrary, but from what I read Vista does seem to be moving the right way. Anyway, the security of the OS perhaps isn't the biggest problem. As long as vendors like Adobe
        • by gbjbaanb ( 229885 ) on Sunday April 27, 2008 @02:08PM (#23216148)
          not really. Once the AV company has enough viruses in the wild to persuade you to buy their product, all the viruses past that point is just a costly nuisance to them.
        • Re: (Score:2, Insightful)

          by Dextrously ( 1086289 )
          The only thing anti-virus companies need to sell their product is the fear or threat of a virus. I suppose they believe there is more money in the fear mongering business than legitimate business. They may be right, I don't pretend to know. Having a virus scanner is pretty much a mindset in a windows environment. Even Windows Security Center will whine and complain if you don't have one (until you shoot it in the services.msc if you know what I mean).

          Take for example, Network Intrusion Detection Systems.
        • by rtechie ( 244489 ) *

          I don't even need a sales force. True, it cost me more to have in house peons gather virus signatures and add them to my database, or add algorithms to my AV tools, but since I don't have to pay nearly as much for a sales force more viruses equals greater profits.

          I think this part of your calculation is a little off. Virus scanners are not just signature engines (ideally). I think the "actual threat" of viruses is far less significant that the "percieved threat", and anyone with money prepares for the "perceived threat". I'd draw an analogy with home security systems. The people that buy home security systems are typically the least likely to need them because they are liklely to be relatively wealthy and live in relatively low-crime areas. So even though the threa

      • Re: (Score:3, Insightful)

        by v1 ( 525388 )
        Writing software is an investment. You put money in, you get money back. This contest DOES require them to put more money in, but they will get more money BACK. It's "forced investment". Now if you'd rather write a piece of software and then spend the next 6 years merely putting out new-os-compatibility updates, (and how many of those have we seen? many!) you will fall behind, and no one will care about upgrading to version 7 because there's nothing in 7 that their version 5 can't already do, and your
    • by cygtoad ( 619016 )

      ... they're giving the antivirus vendors a great opportunity to study these creations -- and therefore to be better able to protect against them.)
      It is so hard to sit on our laurels when these pesky programmers want to invent new stuff for us to work on...
      • by somersault ( 912633 ) on Sunday April 27, 2008 @02:59PM (#23216562) Homepage Journal
        I wonder how long before they start lobbying for it to be illegal to even write something that could be used as malware..
        • Re: (Score:3, Informative)

          by Nazlfrag ( 1035012 )
          There's good coverage at http://www.privsecblog.com [privsecblog.com]

          If passed into law (this bill already has passed the house twice but never has cleared the Senate), I-SPY would make it a criminal offense punishable by fines and/or up to five years in prison for "intentionally access[ing] a protected computer without authorization, or exceed[ing] authorized access to a protected computer, by causing a computer program or code to be copied onto the protected computer, and intentionally us[ing] that program or code in furtherance of another Federal criminal offense." Similar activity that is designed to defraud or injure a person or cause damage to a protected computer, but is not conducted in furtherance of another Federal offense, subjects the perpetrator to a fine and/or up to two years in prison.

          I'm fairly sure viruses would fall under at least the bold part. I have no idea how much (if at all) this is a result of lobbying by antivirus vendors.

          • I meant even if the code was not written with the purpose of - or at least was never used for - performing nefarious deeds without authorisation from the user of the computer. Like the RIAA would probably prefer to just get rid of all P2P traffic to make sure that none of their material was being distributed in this way, whether legally or not.
    • by moosesocks ( 264553 ) on Sunday April 27, 2008 @12:48PM (#23215482) Homepage
      Because polymorphism is considerably easier to implement than it is to circumvent (if it's even possible at all).

      Essentially, this punches a huge hole in the security model of Norton and McAfee's product lines, rendering them completely ineffective against this sort of threat.

      Personally, I've always found it remarkable that they've managed to hold on as long as they have, given just how deeply flawed the very notion of an Antivirus is.

      As long as you've got a decently secure operating system, nothing more than a rudimentary antivirus should be necessary.
      • by GIL_Dude ( 850471 ) on Sunday April 27, 2008 @01:00PM (#23215586) Homepage
        Sorry, the OS doesn't really make any difference (assuming you have a firewall - which all current operating systems do - to protect against buffer overflows found on inbound ports). What makes the difference is secure users.

        I don't care how secure your OS is, if users are going to click on SomeFamousPersonNaked.exe , then they are going to eventually get owned - "secure" OS or not. We've all heard the "Linux doesn't get attacked much because it has an insignificant market share" and sort of argued around it - maybe the real one is "Linux doesn't get attacked much because the average Linux user knows enough to not click on ridiculous shit that gets emailed to them."

        I run both Windows and Linux and the only time I have had a AV product tell me "oh noes, there is a virus" is when I have been manually TRYING to infect a system in order to reverse engineer what the damn thing does (in order to create cleanup packages for work). These are in non-networked VM's where we also re-image the host afterwards. But really - a secure USER is what we need. The OS won't make all that much difference compared to the user.
        • Re: (Score:2, Insightful)

          by moosesocks ( 264553 )

          I don't care how secure your OS is, if users are going to click on SomeFamousPersonNaked.exe , then they are going to eventually get owned - "secure" OS or not. We've all heard the "Linux doesn't get attacked much because it has an insignificant market share" and sort of argued around it - maybe the real one is "Linux doesn't get attacked much because the average Linux user knows enough to not click on ridiculous shit that gets emailed to them."

          No. Linux and MacOS do not get attacked, because normal users don't run with the sort of privileges that would allow the virus (or trojan as in your example) to do very much damage or replicate itself.

          Similarly, replication of such a virus becomes even more difficult, as E-mail clients and servers both generally tend to block attachments containing executables...

          Sure, there are mechanisms for it to happen, but trojans generally don't spread very fast or very far. A true "virus" typically utilizes an OS e

          • by Jurily ( 900488 ) <jurily AT gmail DOT com> on Sunday April 27, 2008 @01:38PM (#23215926)
            I was going to moderate, but I can't let this one slide.

            normal users don't run with the sort of privileges that would allow the virus (or trojan as in your example) to do very much damage or replicate itself.
            A normal user has access to the network and a home directory. How is that not enough for a virus?

            Sure, it can't burn itself into the registry or equivalent, but it sure as hell can replicate itself. Hell, it can even cause a lot of headaches when you're lazy like me and have a whole drive mounted in /home/jurily/stuff with full write access.

            Trojans are a different beast, of course, as they rely on the OS more heavily.
            • Re: (Score:3, Informative)

              by piojo ( 995934 )
              I agree completely. User permissions are sufficient to run cronjobs, send spam, and (often) steal sensitive information. User permissions are not enough to keylog, but I'm sure a firefox profile directory is often worth as much as a keylogging session.
          • by Timothy Brownawell ( 627747 ) <tbrownaw@prjek.net> on Sunday April 27, 2008 @01:39PM (#23215930) Homepage Journal

            Linux and MacOS do not get attacked, because normal users don't run with the sort of privileges that would allow the virus (or trojan as in your example) to do very much damage or replicate itself.

            WTF? Any program I run has +rw access to ~ (can start itself from .profile, do arbitrary damage to all the files I actually care about, and steal passwords and the like) and the ability to connect(2) to random parts of the internet (ability to replicate, send passwords, and fetch ads). No privileges beyond this are needed to cause trouble.

            The real reason is probably more to do with the size and average competency of the userbase.

            • Re: (Score:3, Informative)

              by YaroMan86 ( 1180585 )
              Exactly. A virus for Linux at this point in time probably doesn't stand a snowball's chance in hell on the average Linux system because Linux users are smarter than the average Windows user. (I am generalizing and using a more relative version of smarter here.) That, coupled with the fact there are less than a hundredLinux viruses and a small user base, a Linux virus is not much of a threat... FOR NOW.

              But what happens when we actually DO accomplish full-on Linux on the desktop? What happens if, hypotheti
              • by DrYak ( 748999 ) on Sunday April 27, 2008 @07:15PM (#23218222) Homepage

                There's not need for elevated permissions.

                No there is need. Under Linux a non privileged software has only access to high-level network access, such as opening a regular connection. There's no low-level access to network (crafting the data packets as wished) for non privileged software.

                Thus a potential running virus, *COULD* connect to its C&C if it receives its orders from an IRC channel.
                But the virus won't be able to create spoofed packets (used for sophisticated bounces and DDOS) or specially crafted packets to exploit flaws on the target system.
                Whereas under Windows, non-privileged applications CAN craft packets, and users run as administrators anyway.

                A non privileged process CAN download Ads from the internet, but it will have a harder time injecting them into the browser window.
                An admin-privileged process in Windows could hijack the network stack and rewrite HTML on the fly inserting pop-ups and ads.
                Under a non-privileged account in Linux, it can't. The virus will need instead to be able to rewrite the configuration of all gazillion of browser that exist in Linux, either injecting a spyware plugin or rerouting the traffic through a proxy process spawned by the virus. Anyway, the absence of a single point of attack, and the lack of monoculture make Linux a more complicated target.

                Also, few user-friendly type distros (Ubuntu and the like) come with a sendmail (or equivalent) configured out-of-the-box for internet message delivery. Usually it's only configured to deliver alerts to the local user account.
                A potential operational Spam bot would either have to send directly the spam to the internet and both hope that the network isn't configured to reject email not going out through the SMTP server and hope that the infected machine doesn't sit on a dynamic IP which will automatically get discarded on the receiving machine.
                Or the potential Spam Bot will need additional complexity to retrieve the user's SMTP configuration, which will be difficult, both because there's a gazillion of different mail clients under linux, and both because several of them password-encrypt the credential (Thunderbird can do it and all KDE software store their passwords in KWallet which is masterpassword-encrypted by default).
                This is security by diversity, and why it's good to avoid monocultures.
                This is opposed to Windows, where most users have outlook express, which lacks the ability to encrypt the credentials.

                Under Linux, it takes several step to execute code downloaded from a browser, as a reference, see the HOWTOs about downloading the latest GPU drivers straigth from the constructor site instead of using whatever is the regular package management/delivery mechanism used by the distro (you have to manually chmod it "executable". Clicking on it usually opens an editor).
                And that's neglecting that it is possible to "noexec" the whole home, in which case it's not even possible to *run* code from ~.
                So even if he wanted to, a linux user can't just click on "NataliePortmanNaked.sh" and execute it (unless its a regular package inside Synaptic or YaST, of course) whereas a Windows user can click on "PetrifiedWithHotGrits.exe".

                Also, downloading software from random websites isn't as common in Linux as in Windows. Mostly only geeks download software for Linux and usually they download it in (controllable) source form, where anomalies could more easily get spotted.
                The regular user will employ the package management system for the distro to get the needed package from the regular repository instead, as because of the diversity of Linux distros, he'll need a custom compiled packagee for the present distro,
                ie.: Windows wanting kitten-powered screensaver will google around to find a page proposing some spyware infested screensaver. Anyone can download, but you *need* to be computer-literate and careful about your source to *avoid* getting undesired stuff.

                The Linux users will browser Synaptic and download the package "omg-lol-ponie

            • There's the fact that removal of some malware that uses .profile and does nasty things in ~ is trivial compared to something that gets into a Windows machine. On any Linux or similarly-permissioned system, removal at worst consists of deleting the person's home directory and killing a few processes.

              Now, if removing crap from pwned Windows machines was that easy, we'd all be much better off.

              • Of course, this is only relevant for shared systems. If there's only one user (or everyone shares the same login), the difference between removing ~ and reinstalling is just a couple hours.
            • Re: (Score:3, Interesting)

              by MikeBabcock ( 65886 )
              SELinux is quickly helping to fix that problem.

              "wtf is this? You don't need network access or access to this directory, go away."

              Mandatory Access Controls are coming along nicely. About time too.
            • by arminw ( 717974 )
              ...Any program I run has +rw access to ~ (can start itself from .profile,...

              In order for a program to run, does it not also need execute permission? If none of the users space has execute permissions, the virus can't run the first time. If all the users normal programs are in a read only program folder, how will a nasty program the user may have downloaded into his user space run the first time?
              • Re: (Score:3, Informative)

                noexec just mean you can't execute anything *directly*. "perl nastyscript.pl" works just fine with nastyscript.pl on a noexec partition.

          • No. Linux and MacOS do not get attacked, because normal users don't run with the sort of privileges that would allow the virus (or trojan as in your example) to do very much damage or replicate itself.

            I never really understand why people think this is true. What exactly are the privileges required to do damage, or replicate? Linux essentially runs as the logged in user. That means you can:

            Run a process.
            Send email.
            Write to any file the user can.

            A good virus needs to:

            survive a reboot.
            find a new target.
            send
            • There's lots of ways to execute a process automatically under linux. Off the top of my head I can think of several. One would be getting in one of the .login, .profile, or all the various different init scripts stored in the users home directory (and belong to the user) that get run when a user logs in.

              Just install yourself as a cron job, to be run once per hour for example. That way you don't even have to stay resident and won't show up in process listing.

        • That is assuming that the user is completely stupid, OTOH if you click dancingpigs.exe and get prompted to give your root password or even just accept/deny, most users will click cancel (if they dont you haven't explained sudo well enough). So then it comes down to which OS has the least privilege escalation attacks.
          • Could a virus sit in waiting, and do nothing that a non-priviledged user wouldn't be able to do, and then avoid any user prompts until it detects that another sudo prompt for a different application has been fired. And then fire something right after that one is passed to cause another prompt. The user would probably just think it's for the other program they just allowed, and let the virus do it's thing. Most prompts just give the app access to whatever they want as soon as you give it permission, and h
            • True no system is completly secure, and users do need training, but its a lot easier to just skip all that trouble if the OS has root exploits, so the OS does make a difference.
          • The thing is YOU DO NOT NEED ADMIN PRIVILAGES to do to the stuff most modern virus writers are after.

            If the system has user crontabs (most *nix systems do) you can start up soon after boot. Even if not you can start up immediately after login which is sufficiant for a single user machine.

            If you are feeling malicous you can also destroy the users data (which on a single user machine is probablly the most important thing on there).

            Sending spam and hitting vulnerable services do not generally require any speci
          • by drsmithy ( 35869 )

            That is assuming that the user is completely stupid, OTOH if you click dancingpigs.exe and get prompted to give your root password or even just accept/deny, most users will click cancel (if they dont you haven't explained sudo well enough).

            No, they won't. They'll type in their passwords and click 'OK', because that's the only way they can see to get the computer to do what they want.

            There is no way to secure a machine where an ignorant end user can run arbitrary code. Not now, not ever.

            • You underestimate humanity.

              The next generation is considerably more computer literate, and most Windows users now do have a semi-decent idea of "what not to do" in terms of avoiding nastyware (or at the very least, the average user is more cognicent of this sort of thing than 3-4 years ago).
              • by drsmithy ( 35869 )

                You underestimate humanity.

                Nope. If anything, I overestimate them. I'm an optimist like that.

                The next generation is considerably more computer literate, and most Windows users now do have a semi-decent idea of "what not to do" in terms of avoiding nastyware (or at the very least, the average user is more cognicent of this sort of thing than 3-4 years ago).

                No, they don't. They still want to see $CELEBRITY naked. They're still happy to type a few words into a computer to do that. After all, what'the

            • There is no way to secure a machine where an ignorant end user can run arbitrary code. Not now, not ever.

              And unfortunately if you make a system so secure even a fool can use it, only a fool would want to. /sigh/

              BTW, I'm not disagreeing with you. This is the security vs usability dilemma. There is no satisfactory solution.

        • Not on Linux. (Score:4, Interesting)

          by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Sunday April 27, 2008 @01:39PM (#23215932) Journal
          You're right that it's about secure users, but it's much easier to be a secure user on Linux, precisely because you would never download foo.exe -- or foo.sh, or whatever. For the most part, you get things through your package manager, or not at all.

          As such, it is not particularly easy to download and run SomeFamousPersonNaked.bin -- you have to download it to somewhere, then you have to change its permissions, and then you have to run it -- and even then, they still don't have root.

          However, for a very long time, an antivirus actually made some sort of sense on Windows, because you would have exploits from visiting a webpage or reading an email. You actually had a situation where the most security-conscious users would never use the Preview Pane, so that they could delete suspicious emails without looking at them. In that particular kind of insane world, it makes sense to have antivirus -- and that is precisely why antivirus seems so laughable now.
          • by drsmithy ( 35869 )

            You're right that it's about secure users, but it's much easier to be a secure user on Linux, precisely because you would never download foo.exe -- or foo.sh, or whatever. For the most part, you get things through your package manager, or not at all.

            Of course, that's because "you" know what you're doing and would act the same, even using Windows.

            The typical end user, however, does not.

            As such, it is not particularly easy to download and run SomeFamousPersonNaked.bin -- you have to download it to somew

            • Of course, that's because "you" know what you're doing and would act the same, even using Windows.

              No, I wouldn't, because on Windows, there are no good package managers. Your best bet is to only install software that's good by reputation, and to do so from their domain -- meaning you're vulnerable to MITM attacks, etc.

              All the attacker needs to do is wrap it in a .tgz file, where permissions are preserved.

              Making it now several more steps -- you still have to unpack the tarball, and double-click the files inside. That's a far cry from clicking an executable, and then "Open from current location" and you're done.

              Kind of like syntactic vinegar.

        • Re: (Score:3, Insightful)

          by Kjella ( 173770 )

          We've all heard the "Linux doesn't get attacked much because it has an insignificant market share" and sort of argued around it - maybe the real one is "Linux doesn't get attacked much because the average Linux user knows enough to not click on ridiculous shit that gets emailed to them."

          Which would put a very low upper limit on Linux's market share. The way Linux saves the noobs is that you don't do it in the first place, you go to add/remove programs and find the software you want there. The way Linux saves the warez-wannabes is that Linux doesn't need cracks. I'm sure that if Linux became more mainstream with more commercial software, you could have trusted shops that you could add in the same way as repositories. Think something like tucows, cnet, snapfiles etc. only for Linux. Basicly

          • The thing is though, that you don't really need to be very smart to be safe - just better informed. And better defaults on stuff like Windows so that you can see file extensions. Perhaps a few questions that you get asked when you create a new user account, and if you get it wrong you have to go through a tutorial and then take another test? A little education would go a long way here. Even one of my bosses seems to be getting better at avoiding malware.
        • As others will be quick to point out, a random Joe-Linux user won't have to worry about clicking on that random executable because unless it uses a local-root exploit (which SELinux is doing a great job of preventing in many cases), the virus in question can't attack their system files and infect the entire system as a result.

          Sure, I could perhaps convince Joe Linux user to run "rm -rf ./.*" which might be entertaining for a bit but infecting the system files still won't happen.
        • by BLKMGK ( 34057 )
          "Sorry, the OS doesn't really make any difference (assuming you have a firewall - which all current operating systems do - to protect against buffer overflows found on inbound ports). What makes the difference is secure users."

          Did you just say that the firewall protects against buffer overflows on inbound ports? Block traffic? Yes. Permit traffic? Yes. Inspect for buffer overflows? ..... FAIL! What O/S stopped the WMF exploit? What firewall blocked any of the numerous Flash vulns? I could go on... Did those
        • Indeed.

          Viruses (not worms) are a stupid user issue. There's not much you can do about that, the thing will get run, and your beloved antivirus program of choice will not protect you from your users.
      • by smaddox ( 928261 )
        Given, I haven't actually tried, but it doesn't seem like it would be that hard to implement.

        If you can just break your code into several hundred or thousand blocks of nonthreatening code, then all you need is a way to randomize their placement in the binary. It doesn't seem THAT difficult. You could even have it relink itself into a new binary every time it is run.

        You would probably need to separate the original programming from the randomization for debugging reasons. In other words you would probab
      • "As long as you've got a decently secure operating system, nothing more than a rudimentary antivirus should be necessary."

        Wow. Somebody has never worked in the security field before.

        The OS doesn't matter a tenth as much as the user matters. As long as the user has the ability to execute code (with any rights, not necessarily root or admin), then viruses will spread. Links in web pages, instant messages, email attachments... whatever it is, the USER is the problem, not the OS.

        OpenBSD would make a fine virus
      • Comment removed based on user account deletion
    • Agreed. If they think this is a bad idea does that mean they don't do it in house? If so, that is very surprising and I would expect any and all anti-virus companies to not only test their software but also actively try to break it. Otherwise their stance must be 'wait and see' and fix bugs as the come up. Unfortunately these bugs can have severe consequences with this type of software, which can (and probably will) lead to their customers losing millions, possibly more, in damages from viruses that sli
    • By having some top-notch creative talent (never mind which color hat they're wearing) take a stab at creating new styles of malware under controlled conditions, they're giving the antivirus vendors a great opportunity to study these creations -- and therefore to be better able to protect against them.

      But what if what the antivirus vendors need is not time to study but time to come up with cures? I've worked on plenty of software where the problem was well-understood, but you could be so pestered to death by people trying to tell you there was a problem that you had no time left to work on a cure.

      I don't follow this community closely, but speaking from general knowledge of software projects over several decades ...

      It seems likely that these competitions do not teach the antivirus vendors what they don't know. It probably creates a firedrill internally where a long-range effort to do a substantive upgrade that would do what people wish for is side-tracked by a short-term need to make sure that people's machines are not broken into by a new stupid trick today, thanks to additional resources provided by well-meaning but "mal-informed" volunteers.

      Resources are always in short supply in companies, and there's a constant need to triage between short-term and long-term planning. Events like this increase the stress on short-term projects, causing them to draw precious resources away from long-term projects. The claim that this provides valuable data to the vendors sounds like spin created by malware vendors who are chuckling all the way to the bank because they get free help from a community of people who I suspect don't realize the harm they are doing.

      What they should be having is competitive events to come up with cool public-domain techniques for recognizing and stopping such malware in the general cases, thus reducing short-term strain on anti-virus vendors.

      • You're possibly giving AV vendors a little too much faith - especially since they want to sell subscriptions rather than one-offs. Any AV that could stop all possible viruses, ever, would destroy the whole market. Sad, but true..
  • by zappepcs ( 820751 ) on Sunday April 27, 2008 @12:20PM (#23215242) Journal
    What would happen if Ralph got involved in the computer antivirus field?

    lets translate FTFA

    "It will do more harm than good to our company," said Paul Ferguson, a researcher with antivirus vendor TrendMicro. "Responsible disclosure is one thing, but now actually encouraging people to do this (as if the NSA isn't already doing so), as a contest is a little over the top.When really smart people start working on malicious software, we won't be able to keep up"
    Bold edits added by me.

    How about this slogan "Unsafe with any version!"

    I think they are afraid that regular joe end users are about to find out that programs meant to protect your pc are always an after the fact effort which leaves you vulnerable until you update and that there is no way to keep you safe from a zero-day facebook exploit. Even the government websites can be malicious until patched/fixed.

    And soon, the conclusion will be ... uh, why pay for that. Spybot search and destroy is free, and ClamAV is free. I can just give them a one time donation and get just as good of protection... hmmmm These pricey programs really can't do all that much.

    Wow, it would be such a shame if joe bloggs end user found out the truth. tisk tisk
  • by Fallen Andy ( 795676 ) on Sunday April 27, 2008 @12:28PM (#23215302)
    If this is being run like the hacking laptops thing recently, then what's the big deal? So long as the vulnerabilities are only disclosed to *all* AV vendors in private afterwards...

    The AV vendors who are complaining are more afraid of *other* vendors than xploits... If anything found here goes to all then it levels the playing field open source style...

    Andy

    • Why not just make the results public? Then even the open source players (ClamAV etc.) can fix their software. In fact, they're far more likely to fix these problems then any major vendor.
    • Re: (Score:1, Insightful)

      by Anonymous Coward

      So long as the vulnerabilities are only disclosed to *all* AV vendors in private afterwards...

      Who said anything about "in private"? I hope they post all the entries on their website. Shouldn't consumers have the right to know how they're vulnerable?

      Besides, I hardly believe the Defcon crowd will go for a "Trust us, for reasons we can't disclose, the winner was ..." And with all the people at Defcon, the results are bound to get leaked somewhere anyway.

    • Re: (Score:3, Insightful)

      by phantomfive ( 622387 )
      The fear they have is that people will realize how useless anti-virus software really is. If there are simple techniques to get around any anti-virus software, and the whole world knows it, then there's not much point in paying to run some AV software that just slows down your computer, is there? Already we know that AV software is useless against 0-day exploits, and if your vendor is making reasonably timed updates, your AV software only has nominal value anyway.

      This contest will just go a little farth
    • Dude, this is DEFCON. No, I'm not making a Sparta joke(although you may be kicked into the pits of /dev/null), the whole point of DEFCON is the sharing of information publically, regardless of your hat. During the course of the convention, everyone is a greyhat, and afterwards everyone walks away a bit wiser. Pretty much everything that gets shown at DEFCON ends up posted on the net a few minutes after the presentation, or atleast after the convention. If it wasn't meant for public consumption it wouldn't b
  • It would be good to have more contests like these as they would help strengthen existing security software by finding flaws in them.
  • Trivial (Score:3, Interesting)

    by Nikademus ( 631739 ) * <renaud.allard@it> on Sunday April 27, 2008 @12:40PM (#23215396) Homepage
    Bypassing current antivirus process is almost trivial. Just change a few lines and the signature based antivirus will not detect your virus. Now, create a process that automatically changes the few lines in a random order, but create this process as a random evolving like the virus and payload itself. Random jumps (with next payload at good place) with random junk in between should be sufficient to bypass heuristics (who said goto was dead :)). Then you've just killed the whole antivirus industry as we know today.

    Hey,why are the cops ringing at my door???
    • They have a job offer for you.
      • And I will not accept... I am not interested working for companies writing poor software only to profit from their own errors.
    • by DarkOx ( 621550 )
      Yea, I hear but its not that simple. A virus still has to be small. You don't have a great deal of room for random crap.
    • I thought viruses would already do stuff like that, hence why there are 'heuristic' options in some AV programs? Don't tell me that the AV vendors are that dumb? Eek, you're telling me, aren't you? :O
    • Re: (Score:3, Interesting)

      by Lord Ender ( 156273 )
      Wow... You would have been considered really clever in the virus world... about fifteen years ago.

      Guess what: Your invention has already been created. AF companies have countered with "heuristic" or "behavioral" virus detection. The purpose of this exercise is to game not just the signatures, but the heuristics as well.
      • Indeed I wrote a proof of concept about 15 years ago. But still heuristics cannot detect this kind of stuff if internal code and payload changes all the time.
        The idea is trivial, not the implementation. That's why antivirus still work the way they do.
  • I wonder if the only vendors upset, are the ones that are used to vet the entries... Anyone have data? At the end of the contest, all their competitors will be able to know just how badly they did against the polymorphic techniques the entrants used. I imagine that would upset the PR people at those companies. As usual, the technical merit of such a competition is NOT the driving force for any discussion, just money.
  • Wouldn't you think that AV firms would be glad of this type of competition? It will allow them to (possibly) find and fix a problem or problems, BEFORE they are found in the wild! This will make them PRO active instead of RE active, and will make them more efficient. If they were to try employing malware/virus writers, to create these software problems for them, instead of waiting for them to arrive at peoples computers, then people might actually think their products are worth paying for!
    • I think AV vendors would rather be in the business of selling a placebo than selling a cure.

      What I fear personally is recombination, where malware writers start setting up protocols for automatically and randomly exchanging code/modules with other malware without need for human intervention. That's where I feel the next explosion could come from - both in the variety of malware and the speed at which new innovations propagate across various strains. The only thing holding it back would seem to be the pr

  • by flyingfsck ( 986395 ) on Sunday April 27, 2008 @12:50PM (#23215490)
    The present crop of virus scanners are a really dumb idea, since they don't provide any real protection. Consequently I am all for this kind of competition. Hopefully it will force Microsoft and the AV parasites to create a proper security solution for the MS crapware.
    • Re: (Score:3, Interesting)

      by Consul ( 119169 )
      Like Default Deny [ranum.com]. Marcus Ranum is my hero. ;-)
  • Malware=problem, antivirus/security products are part of the solution. But what if you hit a problem that have no (practical) solution? What if next generation of malware using that technique make very hard/impossible to deal with them? Once you reach the point that you cant tell when something is even potentially malware, all are in trouble.

    Probably would be more clear if they were investigating with genetics/biological malware instead of computer one.
    • But it *does* have a solution: don't give all your apps full access to ~ . Sandbox everything, and let programs fork and shrink their own sandboxes if they want to. The only part of your web browser that needs arbitrary filesystem access are the save/open dialogs, but there's no way to forbid other filesystem access outside of your profile directory. Maybe if you could do, say, "SaveDialogGenerator foo = new SaveDialogGenerator(System.Filesystem); System.Filesystem = null;" or similar, but no....
    • But what if you hit a problem that have no (practical) solution?

      All problems have solutions and practicality becomes relative to how much you want to stay virus free.

      Imagine a scenario like you mentioned in which there was no known solution, no patch forthcoming from MS or AV vendors, and internet connectivity meant you would be infected.

      Then disconnecting your Windows computer from the net and using another operating system might be practical even if it means you have to give up productivity.

      Suffice to say
  • ...that Michelle Madigan would love to get an undercover report of all the big mean hackers making new viruses in Las Vegas. Too bad she was busted last time she tried to spy on Defcon.

  • by Vellmont ( 569020 ) on Sunday April 27, 2008 @03:06PM (#23216626) Homepage
    The vendors reply is just classic. It's essentially an admission that their products don't work. The whole AV industry is built on trying to idenitify existing viruses, and have a signature for them.

    Of course, if you find the virus out in the wild and identify it, you've already failed for a lot of people. (but I'm sure they don't like to talk about that).

    This is like a safe manufacturer objecting to someone actually trying to break open a safe like a real criminal would. "What! You used a crowbar and liquid nitrogen?! You're just letting the criminals know more about cold+crowbar usage!!! You should know OUR safes protect against sledgehammers VERY well."

    Get real AV vendors. Everyone already knows you can't stand up to new viruses, and only protect against the known ones. People still buy your damn software anyway, because it's better than nothing.
  • This seems like a great opportunity for the AV vendors to set up some microphones and video cameras and try to capture as much of the thought process of the entrants as possible. It's not often they'll have dozens of diversely creative programmers explicitly demonstrating in a controlled environment how the products would be attacked in the wild. I'm sure the AV vendors have teams that do this sort of stuff in-house, but having complete outsiders do something will ALWAYS show a team where they've made bad a
  • "drive a truck through the holes in their systems and it isn't going to take much for competitors to bypass most tools."

    Trucks are interesting
    What about the van?
    http://en.wikipedia.org/wiki/Magic_Lantern_(software) [wikipedia.org]
    That would be a fun contest.
    Find the shoulder road.

Technology is dominated by those who manage what they do not understand.

Working...