April 25, 2008 11:56 AM PDT

Race to Zero aims to stump antivirus scanners

by Robert Vamosi

A new contest to be held at this year's DefCon in Las Vegas in August hopes to prove that signature-based antivirus is dead, a move that one leading antivirus researcher says is "not a good idea."

The goal of the Race to Zero is simple: obfuscate a malicious code sample so that it evades well-known antivirus engines.

Contestants will be given a sample set of viruses and malicious code that they must modify and then upload through the contest portal. Once accepted, the sample will be run through a number of leading antivirus engines (perhaps using VirusTotal.com to provide real-time test results). The first team or individual who manages to evade all the antivirus engines wins that round. The organizers promise that each round will increase in complexity.

On the contest site, organizers list six reasons for hosting this event:

  1. Reverse engineering and code analysis is fun.
  2. Not all antivirus is equal and poorly performing antivirus vendors should be called out.
  3. Signature-based antivirus products can be easily circumvented.
  4. It's easier to modify malicious software than it is to write signature protection for it.
  5. Signature-based antivirus is dead.
  6. Antivirus is just part of the larger picture, you need patching, firewalling and sound security policies to remain virus free.

But Dave Marcus, security research and communications manager at McAfee Avert Labs, said: "Encouraging research that results in better evasion techniques for malware writers is not a good idea. How many identities will be lost and how much data will be stolen from users as a result of the new techniques and evasions that are created? Security research should center around bettering detection not evasion."

DefCon 16 will be held August 8-10 at the Riviera Hotel in Las Vegas.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Race to Zero
by Bill Harmeyer April 25, 2008 12:43 PM PDT
The race itself is, in my opinion, nothing more than a scam, a way to create a virus mess that could disable the entire internet system, even if only for a moment. Such an attempt is the same type of thing that terrorists would love to see happen. In my opinion, whoever came up with this idea should be heavily prosecuted.
No, they should not be heavily prosecuted
by Leria April 25, 2008 4:54 PM PDT
And it was the people who make anti-virus software who came up with this idea. Secondly, they will not be on the real internet itself; they will be on a 'local intra-net' with no access to the internet and will be trying to get virus software to ignore their viruses on many machines with many different anti-virus programs.
by bluemist9999 August 11, 2008 7:33 AM PDT
I think contests like these are a great idea, just like crash tests are a great idea for cars.

When you break something, it gives the vendor the chance and information to improve it for everyone. It means antivirus software needs to focus on system behavior and system monitoring more than signature matching.

The human body, in contrast, uses an "only if I have a known signature am I good" approach. Anything that lacks that specific signature is attacked. It seems to work pretty well for us. I'm not sure how well it would work for computers, though.

In practice, good system security relies on several fronts---firewalls, good system security, system patches and updated antivirus packages. Relying on only one of these isn't wise.
Short-sighted
by TV James April 25, 2008 1:18 PM PDT
"Security research should center around bettering detection not evasion."

Or, you could pay attention to this content and get ready to learn a lot.

Prior to 9/11, someone (FBI? CIA?) thought of the use of airplanes as a weapon. Sadly, the report didn't make it into the right hands and that one slipped past us.

But, bottom line, they recognize the value in trying to think like the terrorists.

You can sit there and wait for the next virus to come out and then try to write a new downloadable patch for it. Or you can be proactive and try to get out ahead of this stuff, or at least be better prepared for it.

Contest or no, this "research" is happening. At least with a contest, it's out in the open where people can see it -- and learn from it before it's released into the wild.
A good idea
by Leria April 25, 2008 4:57 PM PDT
This is a wonderful idea. If you want to prevent attacks from malware and virus authors, you have to THINK like those malware and virus authors, and show people how you did something.

This is no different than backwards engineering a program to find 'bugs' and fixing those bugs in the programs.
Poor idea
by dcase99 April 26, 2008 7:28 AM PDT
Wouldn't it be more productive to see which vendors could provide total protection instead?
Now here is someone to blame.
by sysopdr April 27, 2008 6:21 PM PDT
I have been saying not to blame the developers, and by that I mean Microsoft or Linus T or Mozilla or other OS and application developers, but here we have a different story.
There are really only the MalZ to blame.
But if you are going to make a product and call it an anti-virus and you don't detect all of the virii or rootkits, then you can be pointed at as the ones with a problem. Can they detect a mutating virus? Do they know what a mutating virus is? Do they have one to test with, do they want one? These guys are going to provide them with more than one.
Have they told everyone that all 3 of the major OS platforms are currently vulnerable to a single viral attack due to them all running on the same hardware? We can't blame Microsoft for this, or Linus T or Apple; they provide a way to use cheap hardware for computing.
I have already developed a test app that demonstrates the ability to attack and infiltrate undetected (without recompiling or any change) all three platforms using the x86 instruction set. And there are lots of examples of mutating code out there. And stealth virii that can infiltrate an application without changing the checksum of the infected app, and remain hidden in the app.
These Race to Zero guys are trying to get the point across that a stealth virus using technologies to morph the payload can attack and not be detected by the current set of AV ware out there.
It's already been done, and we should be glad this has been done only by white hats so far. (As far as we know anyway.)
The current status quo only benefits the MalZ and the AV developers who make their living only if the MalZ stay in business. Yes, they have been handy to have around, but unless they can morph in the same way the MalZ have, they are doomed to be redundant.
We who are entrusted with the care and security of the systems and users in our care have to have the information we need to do our jobs. Depending on someone else to keep a new technology a secret is an untenable position to be in. By having researchers out there trying to keep ahead of the MalZ and telling us when there is a risk so that we can put up defenses and workarounds, we are able to assess our vulnerability and take the actions needed to protect our charges.
I would rather get the word that there is a problem at the same time the MalZ do rather than weeks after.
So what I recommend is that these types of research and publicity events proceed, and at the same time the researchers of security faults also proceed and tell us what they learn as soon as they learn it.
At the same time we will also have our private challenges and research so that we keep ahead of the MalZ. As well, we need to step up enforcement against the people who are putting attacks out there. The people who develop attacks and give them to the MalZ must also be hunted down, but at the same time the guys trying to learn what these guys do to keep us ahead of the MalZ should be encouraged and funded.

The only reason we have not seen any of these in the wild yet is that greedy criminal minds also seem to be lazy and haven't bothered to learn how to develop virii in self-mutating machine code using only low-level x86 instructions.
It would cost them more to get the code to work than they could make from it. But with the resurgence of state and politically (religious) sponsored MalZ, especially in the mid and far east, it's just a matter of time before there is one in the wild. And today's AV tools will not be able to even think of detecting them. Telling people that they are vulnerable is a good thing. Finding out how it will be done before it gets done is even better, because then we can find a way to combat it. Hiding the issue is stupid. Only if you think obscurity is security would you want to stop activities such as Race to Zero.
by vtnntv May 12, 2008 12:34 PM PDT
How many times have we heard, "AV is dead" or "Why spend $50 for anti-virus, when I still get viruses."? I recently listened to an Avert (McAfee) podcast (http://podcasts.mcafee.com/audioparasitics/archives.html) where they complained about how awful this "Race to Zero" is because the competition won't release the code or bypass techniques without the author's permission. They went on jabbering on about how this competition "only benefits the bad guys, not the good guys, and the least they could do is give us the techniques".

Sigh.

Welcome to big business security. Last time I checked, if any of the AV vendors truly cared about security and the consumers, they would unite efforts and share all their "secrets" and code among each other. However, in truth - they don't.

"Race to Zero" is a game to expose the known weaknesses of AV and how the vendors either don't care about security, giving consumers false hope and protection, or they don't know. Which means, they do not have the ability or skill set to provide consumers with products they need.

"Race to Zero" will shake the foundation of consumer's confidence. It will rattle the security professionals' soul in questioning how valuable is AV and is this "control" (and I will use this term loosely) needed. And if the competition can remain untouched by the vendors (as their lawyers charge up the hill with their guns a blazing), it will lead to the demise of several vendors.

I am provoked when I hear the McAfee podcast of "how shalt thou challenge us" and try to give some validity to how this event is wrong. Not only is it right, it is critical. AV is the money-making division for these vendors. When you add corporate and consumer revenue, this is a multi-billion dollar industry. With all the malware being released on a daily basis, how can we not stand up and question the value of AV and the vendor who provides it?

If McAfee had any respect or common sense, they would be working with "the bad guys" and pay them for their "research". Heck, if consumers had any common sense, they would stop buying products from vendors that continually produce products with incomplete, untested, insecure code (Microsoft).

There is a fundamental issue - security is "big business".

Too bad the vendors are really more worried about their dollar than about really tackling the security issues we face. McAfee, start solving the malware issue rather than showing arrogance and ignorance. Become a constructive part of the solution and don't whine because an entrepreneur (Race to Zero competitor) won't give you his code/technique.

At the end of the day, AV is broke, and if vendors keep masquerading the truth, they will soon find themselves no longer selling the "snake oil" on ice. As a security professional, I prefer to be "shaken" not stirred.

vtnntv
About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.