Hackers of the world will once again unite at DEFCON 16, one of the industry's top conferences, beginning this August 8th. The world's best and brightest security minds will deliver presentations and papers, sharing their latest research during the three-day event. As usual, DEFCON is home to a number of classic hacker contests, including the Phreaking Challenge, Capture the Flag, the Mystery Challenge, Hacker Jeopardy and the once-great Spot the Fed. New events debuting this year include BuzzWord Survivor, the Hardware Hacking Village and the unnecessarily controversial Race-to-Zero contest.
Largely because its critics have not understood the technical details, the Race-to-Zero event has received a substantial amount of negative publicity. Such misperception by media and vendors is relatively common when it comes to hacker cons, sometimes because the critics have never actually attended one. I therefore felt it was important, as a hacker and journalist, to report some facts.
Contrary to popular belief, this is not a seminar aimed at teaching the writing of malicious code. Nor is it a meeting at which malware authors share methodologies for evading AV detection. Demonstrating the human tendency to fear what is not understood, individuals from several AV companies have publicly condemned it:
Sophos senior technology consultant Graham Cluley said, "The last thing the world needs is more malware. It's really disappointing to see that Defcon appears to be condoning the creation of malware in this way."
McAfee Avert Labs' security research and communications manager Dave Marcus claimed, "Encouraging research that results in better evasion techniques for malware writers is not a good idea. How many identities will be lost and how much data will be stolen from users as a result of the new techniques and evasions that are created? Security research should center around bettering detection not evasion."
Trend Micro researcher Paul Ferguson said, "It will do more harm than good. Responsible disclosure is one thing, but now actually encouraging people to do this as a contest is a little over the top."
AVG Technologies' chief research officer Roger Thompson stated, "It's hard to see an upside for encouraging people to write more viruses. It's a dumb idea."
No new viruses will be created, and no modified or variant code will be publicly released. The rules of the contest are well explained on its website. Participants are provided with samples of viral code, which they modify in an attempt to evade multiple AV engines. Advancement to the next round is achieved when the code's detection rate across those engines reaches zero, hence the name Race-to-Zero.
While the original sample code may be modified, it may not be functionally changed: despite the modifications, the code must still exploit the original vulnerability. In addition to fostering education in reverse engineering, the event will raise awareness of the shortcomings of signature-based detection and reveal the true (in)effectiveness of current AV products.
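To make the point about signature-based detection concrete, here is an added example (not code from the contest, the article's author, or any AV vendor). It defines a deliberately tiny, harmless toy script language, two hypothetical signature "engines" with constructed byte patterns, and two rewrites that change a program's bytes without changing its behaviour. It then measures the detection rate, the contest's race-to-zero metric, on the raw bytes and again after constant-folding the program first, which is one detection-side answer to this class of evasion. The engine names, signature names and the `format c:` stand-in string are all assumptions made for the demonstration.

```python
"""Added example: why fixed byte signatures are brittle, and one detection-side fix.

Everything here is constructed for illustration: a tiny one-line script
language (`set NAME = expr` and `echo expr`, statements separated by ';'),
two hypothetical signature "engines", and a harmless stand-in for a
malicious string. None of it is real malware or a real AV product's data.
"""
import re

# Hypothetical engines: engine name -> {signature name: byte pattern}. Constructed.
ENGINES = {
    "EngineA": {"Toy.Sample.A": b'echo "format c:"'},
    "EngineB": {"Toy.Sample.B": b"format c:"},
}

_TERM = re.compile(r'"[^"]*"|\w+')   # a string literal or a variable name


def _expr(expr: str, env: dict) -> str:
    """Fold an expression (literals and names joined by '+') to one string."""
    return "".join(t[1:-1] if t.startswith('"') else env[t] for t in _TERM.findall(expr))


def _walk(src: str):
    """Yield ('set', name, value) or ('echo', None, value) per statement, with
    every expression folded to the value the interpreter would actually use."""
    env = {}
    for stmt in filter(None, (s.strip() for s in src.split(";"))):
        if stmt.startswith("set "):
            name, expr = (p.strip() for p in stmt[4:].split("=", 1))
            env[name] = _expr(expr, env)
            yield "set", name, env[name]
        elif stmt.startswith("echo "):
            yield "echo", None, _expr(stmt[5:], env)
        else:
            raise ValueError(f"bad statement: {stmt!r}")


def evaluate(src: str) -> str:
    """Run the program; its observable behaviour is what it echoes."""
    return "\n".join(v for kind, _, v in _walk(src) if kind == "echo")


def normalize(src: str) -> str:
    """Re-emit the program with every expression constant-folded. Scanning this
    form instead of the raw bytes defeats literal splitting and indirection."""
    return "; ".join(f'set {n} = "{v}"' if kind == "set" else f'echo "{v}"'
                     for kind, n, v in _walk(src))


def scan(sample: bytes, signatures: dict) -> list:
    """Classic signature check: which fixed byte patterns occur in the sample?"""
    return [name for name, pat in signatures.items() if pat in sample]


def detection_rate(sample: bytes, engines: dict = ENGINES) -> float:
    """Fraction of engines that flag the sample (the contest's race-to-zero metric)."""
    hits = sum(1 for sigs in engines.values() if scan(sample, sigs))
    return hits / len(engines)


def split_literals(src: str, chunk: int = 2) -> str:
    """Semantics-preserving rewrite: break every string literal into `chunk`-sized
    pieces joined by '+'. evaluate() is unchanged, but no contiguous copy of the
    original literal remains in the file."""
    def repl(m):
        s = m.group(1)
        parts = [s[i:i + chunk] for i in range(0, len(s), chunk)] or [""]
        return " + ".join(f'"{p}"' for p in parts)
    return re.sub(r'"([^"]*)"', repl, src)


def indirect(src: str) -> str:
    """Another semantics-preserving rewrite: route each echoed value through a
    variable, so the bytes `echo "..."` never appear together."""
    out, n = [], 0
    for stmt in filter(None, (s.strip() for s in src.split(";"))):
        if stmt.startswith("echo "):
            n += 1
            out += [f"set v{n} = {stmt[5:]}", f"echo v{n}"]
        else:
            out.append(stmt)
    return "; ".join(out)


# Constructed, harmless sample: the "payload" is only a string being printed.
ORIGINAL = 'echo "hello"; echo "format c:"'

if __name__ == "__main__":
    for label, prog in [("original", ORIGINAL),
                        ("indirected", indirect(ORIGINAL)),
                        ("split", split_literals(ORIGINAL))]:
        assert evaluate(prog) == evaluate(ORIGINAL)   # behaviour is unchanged
        print(f"{label:10s} raw bytes: {detection_rate(prog.encode()):.2f}"
              f"  normalized: {detection_rate(normalize(prog).encode()):.2f}")
```

Run stand-alone, the script shows the original sample flagged by both engines, the indirected variant caught only by the engine whose pattern omits the `echo` prefix, and the split variant at a detection rate of zero, while every variant prints exactly the same output. Scanning the normalized form brings all three back to full detection, which is the general lesson: a scanner that matches bytes on disk is racing against trivial rewrites, whereas one that reasons about what the code does (here by folding constants, in practice by emulation or behavioural monitoring) is not.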
When AV companies next release updated products, they may have to do more than improve the user interface, tweak the name slightly (2008 edition!) and adjust their marketing strategy.
Then again, I've never coded AV detection software before... only malware.
I can be reverse engineered or disassembled at:
With 20+ years of industry experience, Noah Schiffman is a former black-hat hacker turned security consultant. Coding from an early age, he developed one of the early text/graphic editing applications and started his first software company in 1980, when he was 11 years old. With the advent of networking technologies, he soon mastered the art of manipulating telco switching systems, known as "phone phreaking". This led to his career as a computer hacker, performing penetration testing, reverse engineering, cryptographic attacks, corporate espionage, digital surveillance and other ethically questionable projects.
His clients have consisted of Fortune 500 companies and various government agencies.
He has authored a number of articles for SearchSecurity.com, on topics ranging from kernel mode and metamorphic viruses to corporate data loss prevention.
Umm... seems like working out evasion is the idea
"New viruses will not be created and no modified or variant code will be publicly released. The rules of the contest are well explained on their website. Participants are provided with samples of viral code, which they modify in attempt to evade multiple AV engines. Advancement to subsequent rounds is achieved when the code's rate of detection is zero, hence the name, Race-to-Zero. "
So, the contest gets the coders to write code that evades all AV engines and methods, yet does not:
"Contrary to popular belief, this is not a seminar aimed at teaching malicious code writing. Furthermore, it is not a meeting for malware authors, to share methodologies of evading AV detection. "
So, am I missing something here?
"Participants are provided with samples of viral code, which they modify in attempt to evade multiple AV engines. Advancement to subsequent rounds is achieved when the code's rate of detection is zero, hence the name, Race-to-Zero"
You're getting people to write code no antivirus engine detects, yet this will not instruct them in those techniques as they find out which methods succeed?
I don't fear the contest, but I do think you're not making sense. That is sort of like saying that a person can't learn from the life experiences that they have. I think anyone who actually follows the simple art of learning knows that most people learn by doing. Your defense of rules does not apply when the people who choose the rules are those who don't play by "the rules" to begin with - it's a moot point.
I am not sure who you expect to believe that people engaged in building code to evade antivirus engines won't turn that around and simply do just that "in the wild."
There once was an Israeli AV company that held such a contest for virus authors who wrote the best virus. Sensible AV companies were appalled by the idea (I know I was). There isn't much good in teaching others how to evade antivirus unless you intend for them to author more viruses - whether for pay or pure spite.
I am always amazed at how the vandalism aspect of cracking is glorified as knowledge and called hacking. Real knowledge comes when you can find a solution that creates good, not a solution to cause harm to others. If you want to have a best-code contest, why not try to find a way to improve what antivirus engines detect instead of working to build better evasion techniques, or is that simply too hard of a challenge when you might have to face the difficulty of doing just that? After all, the AV coders have a fairly tough job - they have to be right all the time. A cracker has to get lucky once - and he considers that to be a "great feat."
It is far easier to destroy than to build, and far easier to be a critic than a creator. I admire hackers that can build solutions. In my opinion, malware authoring is definitely for teenagers and those who don't want to expend the effort to have to work at building a solution. Just vandalize and go - and never worry about the consequences to anyone else, right?
I just wish that people who call themselves hackers would stop if they don't have the ability to create solutions, only problems. That's why the public equates "hacking" with script kiddies and malware - because people think that it's "cool" to be a vandal. It's just not IMHO. It's simply vandalism and hooliganism wrapping itself in a false sense of cool.
My favorite hackers write code that builds something that solves problems for real people. That's real hacking IMHO - helping others and making the world a better place.
So here's a real challenge: Have teams build an AV engine or code a malware scanner that works, and then have other teams hack against that. You might find out how really, really tough it is and learn something in the process. That would be something I think everyone would find an acceptable challenge. Make it even more interesting - no one gets to choose which side they end up on beforehand. Then try the contest. That would probably give some people a taste of reality and the difficulty in coding a product to stop those who only have to get lucky one time when the other side has to be lucky every time.
Have a nice day. Don't worry, be happy.
freecode
Much ado about nothing
Adaptive malware/viruses capable of self modification (with the intent to avoid detection by signature-based AV systems) have been in existence since at least 1990 (ex: the Whale virus) and continue to be a real threat in the wild. This alone should have prompted AV vendors to research and develop other more sophisticated strategies for detecting malicious code.
It is naive to think that the "Race to Zero" will introduce a fundamentally new methodology for avoiding detection or spawn a new generation of malicious hackers (unless you have had your head in the sand - or perhaps up a less hygienic location - for the past ten years).
It has long been noted that signature detection is seriously flawed as a method of AV protection and this contest simply provides an opportunity to emphasize this point in a controlled and public environment.
What is new is the "name and shame" aspect of this particular contest and likely the reason that AV vendors are less than comfortable with it.
Keep in mind that the point of this contest is not to explore if signature based AV systems can be defeated (this is a given), but how quickly.
In my own semantics a "hacker" is someone who, in an unstructured environment and with highly limited resources solves a problem, often employing unconventional logic.
In MacGyver's case it could have been creating a thermobaric weapon with a book of matches and a Q-tip or in the case of many college students, making a bong out of equipment stolen from a chemistry lab. In our case, it is defeating a commercial AV system.
Conversely, I would refer to those who work in structured environments with resources of adequate quantity and quality as “engineers”.
Do you really think similar events aren't scheduled by the safe cracking and bank-robbing crowd?
Kirk out.