AV vendors Race-to-Zero Clue

Hackers of the world will once again unite this August 8th at DEFCON 16, one of the industry's top conferences.  The world's best and brightest security minds will deliver presentations and papers, sharing their latest research during the three-day event.  As usual, DEFCON is home to a number of classic hacker contests, including the Phreaking Challenge, Capture the Flag, Mystery Challenge, Hacker Jeopardy and the once-great Spot the Fed contest.  A few new events debuting this year include BuzzWord Survivor, the Hardware Hacking Village and the unnecessarily controversial Race-to-Zero contest.

Due to a lack of technical comprehension, the Race-to-Zero event has received a substantial amount of controversial publicity.  However, media and vendor misperception is relatively common when it comes to hacker cons, sometimes because the commentators have never actually attended one.  Therefore, I felt it was important, as a hacker and journalist, to report some facts.

Contrary to popular belief, this is not a seminar aimed at teaching malicious code writing.  Furthermore, it is not a meeting for malware authors to share methodologies for evading AV detection.  Demonstrating the human tendency to "fear what is not understood", individuals from several AV companies have put their cowardice on display:

Sophos senior technology consultant Graham Cluley said, "The last thing the world needs is more malware. It's really disappointing to see that Defcon appears to be condoning the creation of malware in this way."

McAfee Avert Labs' security research and communications manager Dave Marcus claimed, "Encouraging research that results in better evasion techniques for malware writers is not a good idea. How many identities will be lost and how much data will be stolen from users as a result of the new techniques and evasions that are created?  Security research should center around bettering detection not evasion."

TrendMicro researcher Paul Ferguson said, "It will do more harm than good.  Responsible disclosure is one thing, but now actually encouraging people to do this as a contest is a little over the top."

AVG Technologies' chief research officer Roger Thompson stated, "It's hard to see an upside for encouraging people to write more viruses.  It's a dumb idea."

New viruses will not be created, and no modified or variant code will be publicly released.  The rules of the contest are well explained on the contest website.  Participants are provided with samples of viral code, which they modify in an attempt to evade multiple AV engines.  Advancement to subsequent rounds is achieved when the code's detection rate is zero, hence the name Race-to-Zero.

While the original sample code may be modified, its functionality may not be changed.  Furthermore, the modified code must still exploit the original vulnerability.  In addition to fostering education in reverse engineering, this event will help raise awareness of the shortcomings of signature-based detection and reveal the true (in)effectiveness of current AV products.

When AV companies release new, updated products, they may have to do more than just improve the user interface, change the name slightly (2008 edition!) and tweak their marketing strategy.

Then again, I've never coded AV detection software before... only malware.

I can be reverse engineered or disassembled at: greyhat@computer.org


Copyright © 2008 IDG Communications, Inc.
