Comments on: Race to Zero aims to stump antivirus scanners
A controversial new competition at DefCon this year will ask researchers to evade current antivirus products.
Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.
When you break something, it gives the vendor the chance and information to improve it for everyone. It means antivirus software needs to focus on system behavior and system monitoring more than signature matching.
The human body, in contrast, uses an "only if I have a known signature am I good" rule. Anything that lacks that specific signature is attacked. It seems to work pretty well for us. I'm not sure how well it would work for computers, though.
In practice, good system security relies on several fronts: firewalls, good system security, system patches and updated antivirus packages. Relying on only one of these isn't wise.
Or, you could pay attention to this content and get ready to learn a lot.
Prior to 9/11, someone (FBI? CIA?) thought of the use of airplanes as a weapon. Sadly, the report didn't make it into the right hands and that one slipped past us.
But, bottom line, they recognize the value in trying to think like the terrorists.
You can sit there and wait for the next virus to come out and then try to write a new downloadable patch for it. Or you can be proactive and try to get out ahead of this stuff, or at least be better prepared for it.
Contest or no, this "research" is happening. At least with a contest, it's out in the open where people can see it, and learn from it before it's released into the wild.
This is no different than backwards engineering a program to find 'bugs' and fixing those bugs in the programs.
There are really only the MalZ to blame.
But if you are going to make a product and call it an anti-virus and you don't detect all of the virii or rootkits, then you can be pointed at as the ones with a problem. Can they detect a mutating virus? Do they know what a mutating virus is? Do they have one to test with, do they want one? These guys are going to provide them with more than one.
Have they told everyone that all 3 of the major OS platforms are currently vulnerable to a single viral attack due to them all running on the same hardware? We can't blame Microsoft for this, or Linus T or Apple; they provide a way to use cheap hardware for computing.
I have already developed a test app that demonstrates the ability to attack and infiltrate undetected (without recompiling or any change) all three platforms using the x86 instruction set. And there are lots of examples of mutating code out there. And stealth virii that can infiltrate an application without changing the checksum of the infected app, and remain hidden in the app.
These Race to Zero guys are trying to get the point across that a stealth virus using technologies to morph the payload can attack and not be detected by the current set of AV ware out there.
It's already been done, and we should be glad this has been done only by white hats so far. (As far as we know anyway.)
The current status quo only benefits the MalZ and the AV developers who make their living only if the MalZ stay in business. Yes they have been handy to have around but unless they can morph in the same way the MalZ have they are doomed to be redundant.
We who are entrusted with the care and security of the systems and users in our care have to have the information we need to do our jobs. Depending on someone else to keep a new technology a secret is an untenable position to be in. By having researchers out there trying to keep ahead of the MalZ and telling us when there is a risk so that we can put up defenses and workarounds, we are able to assess our vulnerability and take the actions needed to protect our charges.
I would rather I got the word there is a problem at the same time the MalZ do rather than weeks after.
So what I recommend is that these types of research and publicity events proceed and at the same time the researchers of security faults also proceed and tell us what you learn as soon as you learn it.
At the same time we will also have our private challenges and research so that we keep ahead of the MalZ. As well we need to step up enforcement against the people who are putting attacks out there. The people who develop attacks and give them to the MalZ must also be hunted down, but at the same time the guys trying to learn what these guys do to keep us ahead of the MalZ should be encouraged and funded.
The only reason we have not seen any of these in the wild yet is that greedy criminal minds also seem to be lazy and haven't bothered to learn how to develop virii in self mutating machine code using only low level x86 instructions.
It would cost them more to get the code to work than they could make from it. But with the resurgence of state and politically (religious) sponsored MalZ, especially in the mid and far east, it's just a matter of time before there is one in the wild. And today's AV tools will not be able to even think of detecting them. Telling people that they are vulnerable is a good thing. Finding how it will be done before it gets done is even better, because then we can find a way to combat it. Hiding the issue is stupid. Only if you think obscurity is security would you want to stop activities such as Race to Zero.
How many times have we heard, "AV is dead" or "Why spend $50 for anti-virus, when I still get viruses."? I recently listened to an Avert (McAfee) podcast (http://podcasts.mcafee.com/audioparasitics/archives.html) where they complained about how awful this "Race to Zero" is because the competition won't release the code or bypass techniques without the author's permission. They went on jabbering about how this competition "only benefits the bad guys, not the good guys and the least they could do is give us the techniques".
Sigh.
Welcome to big business security. Last time I checked, if any of the AV vendors truly cared about security and the consumers, they would unite efforts and share all their "secrets" and code among each other. However, in truth - they don't.
"Race to Zero" is a game to expose the known weaknesses of AV and how the vendors either don't care about security, giving consumers false hope and protection, or they don't know. Which means, they do not have the ability or skill set to provide consumers with products they need.
"Race to Zero" will shake the foundation of consumers' confidence. It will rattle the security professionals' soul in questioning how valuable AV is and whether this "control" (and I will use this term loosely) is needed. And if the competition can remain untouched by the vendors (as their lawyers charge up the hill with their guns a-blazing), it will lead to the demise of several vendors.
I am provoked when I hear the McAfee podcast of "how shalt thou challenge us" and try to give some validity to how this event is wrong. Not only is it right, it is critical. AV is the money making division for these vendors. When you add corporate and consumer revenue, this is a multi-billion dollar industry. With all the malware being released on a daily basis, how can we not stand up and question the value of AV and the vendor who provides it?
If McAfee had any respect or common sense, they would be working with "the bad guys" and pay them for their "research". Heck, if consumers had any common sense, they would stop buying products from vendors that continually produce products with incomplete, untested, insecure code (Microsoft).
There is a fundamental issue - security is "big business".
Too bad, the vendors are really more worried about their dollar than really tackling the security issues we face. McAfee, start solving the malware issue rather than showing arrogance and ignorance. Become a constructive part of the solution and don't whine because an entrepreneur (Race to Zero competitor) won't give you his code/technique.
At the end of the day, AV is broke and if vendors keep masquerading the truth, they will soon find themselves no longer selling the "snake oil" on ice. As a security professional, I prefer to be "shaken" not stirred.
vtnntv
- by vtnntv May 12, 2008 12:34 PM PDT