Skip navigation.
Home

Race to Zero: A Golden Opportunity for the Antivirus Industry

|

A new contest called Race to Zero is being held at Defcon this year. The premise is that you take a modern virus and modify it to evade detection by antivirus companies. The AV industry is officially crying foul, saying that this only encourages bad behavior. The organizers say it will point out the shortcomings of modern AV engines.

I'm going to ruin part of the contest: It's scandalously easy to circumvent any antivirus engine with a trivial amount of work. There has been evidence of this: The Consumer Reports scandal is one of them. The point is that it is not difficult to apply some seemingly minor and trivial modification that completely evades detection. The AV companies know it, the malware authors know it, the only people who don't have a clue are the consumers. Shaking their confidence of spending $60 per year on updates is something that the AV vendors fear. That's why the lawyers are probably going to get involved very quickly.

In lieu of this sure to be scandalous con drama, I propose a secondary contest. Antivirus vendors all race each other to develop signatures for the new variants as quickly as possible. Bring your best analysts to Defcon, or engage the home analysts, and show the true value of a good AV company: its signature development and reverse engineering teams.

However if the participant

However if the participant does not give his or her prior consent this would be in direct conflict with rule 4 "Modified samples will not be submitted to antivirus vendors unless authorised by contest participants".

rule change?

That rule would have to be flexed a little bit.

You mean broken in half? :)

You mean broken in half? :)

Sometimes the best way to

Sometimes the best way to fix something is to destroy it. :) It's sort of a moot point, I seriously doubt any of the major AV vendors would engage in this sort of activity.

fix != destroy Why do the

fix != destroy

Why do the big companies cry??

They've historically benefited from hackers' creativity.

I say shut up and send some undercover agents to defcon!

Peace.

---
mago

i would also submit

that why would anyone want to give up their techniques for making undetectable code?

I'll definitely be watching this one.

If I was an AV id pay big money for access to this contest.

V.

I notice Sophos are majorly

I notice Sophos are majorly dodging this one.

Graham Clueless maybe?

Graham Clueless maybe?

Ha! I see your love for the

Ha! I see your love for the soap box king hasn't waned over the years.

Not really

The problem is that you don't really need any sort of sophistication to get around AV. Sometimes you can double-pack and executable and it works, other times you just have to substitute nops.

Holistic approach by AV Vendors

Great piece. AV vendors are also fooling customers with their marketing of holistic AV signatures that are able to detect anomalies in network/ app traffic, but the sigs either become too broad in scope in their holistic evaluation or simply applicable to a few mutations of existing malware strains.

Shaken - Not Stirred!

How many times have we heard, "AV is dead" or "Why spend $50 for anti-virus, when I still get viruses."? I recently, listen to a Avert (McAfee) podcast (http://podcasts.mcafee.com/audioparasitics/archives.html) recently where they complained about how awful this "Race to Zero" is because the competition won't release the code or bypass techniques without the author's permission. They went on jabbering on how this competition "only benefits the bad guys, not the good guys and at least they could do is give us the techniques".

Sigh.

Welcome to big business security. Last time I checked, if any of the AV vendors truely cared about security and the consumers, they would unite efforts and share all their "secrets" and code among each other. However, in truth - they don't.

"Race to Zero" is a game to expose the known weaknesses of AV and how the vendors either don't care about security, giving consumers false hope and protection, or they don't know. Which means, they do not have the ability or skill set to provide consumers with products they need.

"Race to Zero" will shake the foundation of consumer's confidence. It will rattle the security professionals' soul in questioning how valuable is AV and is this "control" (and I will use this term loosely) needed. And if the competition can remain untouched by the vendors (as their lawyers charge up the hill with their guns a blazing), it will lead to the demise of several vendors.

I am provoked when I hear the McAfee podcast of "how shalt though challenge us" and try to give some validity of how this event is wrong. Not only is it right, it is critical. AV is the money making division for these vendors. When you add corporate and consumer revenue, this is a multi-billion dollar industry. With all the malware being released on a daily basis, how can we not stand up and question the value of AV and the vendor who provides it?

If McAfee had any respect or common sense, they would be working with "the bad guys" and pay them for their "research". Heck, if consumers had any common sense, they would stop buying products from vendors that continually produce products with incomplete, untested, insecure code (Microsoft).

Too bad, the vendors are really worried about their dollar then really tackling the security issues we face. McAfee, start solving the malware issue then to show arrogance and ignorance. Hopefully you will become "shaken" and not "stirred".

vtnntv

Critique

There were a couple of things that could have been done better about Race to Zero. The first was that the AV industry should have been fully involved. Like I mentioned they should have been asked to be included in the defense / offense setup. The other thing is that the obfuscated binaries weren't actually verified to run so all of the obfuscations could have completely destroyed the original virus.

To say the contest was wholesale evil was wrong. What happened there is nothing that doesn't happen to them all the time anyway. The whole virus industry is very asymmetrically slanted in favor of the attackers. What was good about this contest was that it made a little press out of the whole thing.