Security firms have split over the merits of a hacking contest aimed against anti-virus packages planned for August's Defcon conference. Anti-virus firm Sophos reckons the exercise will serve only to increase the volume of malware in circulation, further taxing the resources of already hard-pressed security firms. However, net …
anti virus vendors scared?
Oh shock... an industry that is going to have its products tested outside their own labs is upset.....
They might actually have to produce a product that works and doesn't crap up your machine. Symantec, I'm talking about you!!
It says a lot that probably the most effective anti-virus I have used is also the free one while other vendors have to bundle their bloatware with hardware vendors
After-the-fact people say It Sucks, Before-the-fact people say It Rocks
Here is how to tell a "reactive", or after-the-fact, PC security firm from a "pro-active", or before-the-fact, firm:
ATF: "If people really want to test the quality of different anti-virus products there are well established ways of doing it."
BTF: "The general idea of investigating my own product by trying to find and fix its weaknesses is valid."
ATF: "Anti-virus researchers will be working at detecting malware that needn't have ever been created in the first place."
BTF: "Contest organisers said that the exercise will help to demonstrate shortcomings in signature-based virus detection."
ATF: "The last thing the world needs is more malware. It's really disappointing to see that Defcon appears to be condoning the creation of malware in this way."
BTF: "They also want to highlight weaknesses among anti-virus vendors exposed by the testing process."
Nice to see an anti-virus firm get scared for once.
This is a nice demonstration of just how unworkable the whole anti-virus nonsense has become. Anti-virus databases have grown to colossal sizes and are growing bigger by the moment and at an accelerated pace.
It's an unworkable model and I think their bleating about this competition highlights this fact - ie - they are running like madmen just to stand still in their fight against the bugs!
Just how stupid does this situation of running huge databases of virus profiles and running anti-whatever software have to get before business and the public at large wake up to the fact that they are running a Swiss cheese of an OS (ie - MS Windows, because let's face it, no other OS gives two hoots about viruses because, by and large, they aren't susceptible to them).
There are basically three reasons why AV companies hate this
This competition goes seriously afoul of the ethical code that every AV company has agreed to follow. So the AV industry has no other choice than to blast an idea like this.
Secondly the risk of participants releasing malware by accident or doing it for kicks after the competition is way too high.
And finally, I have serious doubts that these guys would know how to properly install and manage a large group of major AV products. So AV vendors are afraid that they would get a bad reputation just because these idiots would not know how to use the product properly.
Very likely they would just try to scan the files with AV without trying to run them, which would mean that products that use runtime heuristics would suffer.
The biggest virus is Windows
The devil's biggest con was to convince everyone he didn't exist..
What an utter idiocy
I find myself in complete agreement with Graham.
"Contest organisers said that the exercise will help to demonstrate shortcomings in signature-based virus detection." What a piece of crock. Signature-based virus detection detects KNOWN MALWARE, by definition. By modifying a virus, the organizers will be creating a new, UNKNOWN one. All this contest would be "demonstrating" is what is a "shortcoming" of every kind of software - that it is not very good at doing what it isn't supposed to do.
Such a contest serves absolutely no purpose except for the organizers to advertise themselves by creating a controversial subject. If they *really* cared about proper testing of security software, they would have done it *properly*. There are many valid ways of testing (and demonstrating the shortcomings) of security software that do not involve using it for tasks it isn't supposed to do.
For instance, a behavior blocker (e.g., a personal firewall) could be tested against various tunneling techniques. A rootkit detector could be tested against various stealth techniques and so on, and so on.
If you want to think about it...
It feels a great deal like how cowpox was used to inoculate people against the much deadlier/more contagious smallpox, to be honest.
However, I agree that there is some short-sightedness in the planning of the contest. The most obvious point is the "review" process--surely a separate, vetted team working with the AV firms would be a better, if more expensive, way to slipstream the results?
Also, physical security would be a huge help--provide computers without any data devices installed (such as CD burners, floppies, and USB ports,) and do a thorough check in and out of the contestants for any "outside material."
Lastly, making your own malware is obviously not the best idea, so... why not simply strongly recommend polishing up their anti-malware skills instead? The fact that you can crack a virus isn't at all that dissimilar to writing your own. (The main difference between black hats and white hats--and greys in between--is that the blacks don't care about cracking viruses, only modifying them.)
Under these conditions instead, then... let the games begin.
Boo hoo hoo...
Oh dear. You mean that having a detection database of everything under the sun isn't a sustainable model? When are these companies going to tumble to the fact that enumerating badness is hard, while enumerating goodness really isn't?
Realistically, how many programs does the average user run? Far fewer than the number of malware signatures in any given update from an AV vendor.
I have always rated Sophos in the past which is why I find this particularly disappointing.
I would have thought that the anti-virus vendors would take this opportunity to prove themselves best-of-breed and to exercise their heuristic scanning engines against the most evasive of attackers.
Sounds to me.......
....like certain AV vendors are worried about how their products are going to fare. Ok, so virus databases will get bigger. That's going to happen anyway. But what's to say that the method of modification used by someone during the contest isn't the same method that some bright spark had already thought of and was already starting to use to modify known virus code?
I'd rather have AV vendors be PRO-active instead of RE-active, in the same way that I'd rather the virus couldn't get on my machine than have to put up with a couple of days' worth of infection until the vendor sorted out an update.
This will end in tears!
Anything that doesn't kill you makes you stronger
Current AV vendors complain that these hacking "contests" are taking them away from their "mission" of stopping attacks out in "the wild". Unfortunately the AV vendors, for the most part, accept some losses on the part of their user community as key to their detection strategy. "Hey, aren't there some sheep missing down in the south forty? Maybe we better go look for a wolf there..."
Signature-based protection is going the same way DRM for music is going: we all know it ultimately doesn't work, but there is a huge industry based on it and it will go kicking and screaming all the way to the point where it is overrun by attacks before admitting that it's not working. If DEFCON can make a positive statement that signature-based detection is really failing across the board, especially with rapidly spreading, widely based zero-day attacks, then some good may come of this exercise.
Let the games begin!
Of course, the antivirus industry is nervous about this contest -- so far, they have been able to blindside their customers about their shortcomings. But Anti-malware products are, of course, only applications like all others and so are obviously vulnerable to exploits and other security problems. Instead of telling people how dangerous this contest is, they should joyfully join in: this is a great chance for them to learn about their own security problems, and somebody else is paying the bill, too!
The argument about the growing size and memory footprint struck me as particularly stupid; those databases have been constantly growing for decades; this contest is not going to change that in any direction -- except maybe it could even slow the growth of the database by presenting the manufacturers with a few generic detection methods that could replace a few dozen specific signatures. After all, the participating hackers are going to publish their code, which is more than most malware writers in the wild do.
Which in turn invalidates the argument about anti-malware personnel now having to cope with the "mal"ware created during the contest. They most likely will have free access to the source code, so it's going to make their lives easier, not harder -- you can bet that any methods demonstrated in the contest would have made it into the wild within the year anyway, contest or not.
"The end result is that detection databases grow in size, require more memory and take up more space on users' computers - all because Race to Zero thought this was a good idea."
Because AV software is normally dainty and petite, the CPU and hard disk barely know it's there. AV sadly still seems to me like closing the gate after the horse has bolted.
These days productivity/gameplay is minimised, our PCs are so busy protecting themselves they've forgotten about us.
Because this would never happen if there wasn't a competition
What a stupid, stupid thing to get all riled up about. There are already plenty of new strains of various bits of malware in the wild, and AV people are always, always going to be playing catch up. Only this time, they have a target they can whinge at.
The best thing to do is to hire a nice law firm who can point out that by modifying software to evade virus filters, the coders or competition organisers are guilty of infringing some deeply tedious DMCA-a-like law. Or better yet, lobby the law makers to criminalise this sort of programming which is clearly intended to aid and encourage criminal elements!
"Not yet seen in the wild"
Whenever I read 'Not yet seen in the wild' I think, "Now there is a virus that they invented in their lab". So what is the difference between them inventing a new strain and someone else doing the job for them?
Paris, just cos' to see her in the wild might be fun.
Why don't they see this as good?
Surely, this is a good thing for AV vendors?
A group of highly skilled attackers is going to find ways to circumvent the current protection. Then, the vendors will be informed. It just means someone responsible will find the hole so it can be patched, before some miscreant can find the hole and exploit it, possibly for months before it's patched.
If you were to take the same situation, but a pentest instead, you'd have vendors stampeding over dead mothers' graves to get the chance.
Just my tuppence worth.
"Anti-virus firm Sophos reckons the exercise will serve only to increase the volume of malware in circulation."
Then do what you promised when we bought your software, protect us!
How are the big Anti-Vir companies THIS worried about a bunch of geeks with debuggers? Surely they have full time employees and a development budget?