Not nearly as funny as the response from the AV community:
The contest was announced Friday. Security vendors began panning it immediately, saying it will simply help the bad guys learn some new tricks.
"It will do more harm than good," said Paul Ferguson, a researcher with antivirus vendor TrendMicro. "Responsible disclosure is one thing, but now actually encouraging people to do this as a contest is a little over the top."
Some compared the contest to a controversial 2006 Consumer Reports review of antivirus software. In that article, the magazine created 5,500 new virus samples, based on existing malware, and was roundly criticized by antivirus vendors for contributing to the rapidly expanding list of known malware.
Security companies are already having a hard time keeping up with the torrent of new malware.
With antivirus vendors already processing some 30,000 samples each day, there's no need for any more samples, said Roger Thompson, chief research officer with antivirus vendor AVG Technologies. "It's hard to see an upside for encouraging people to write more viruses," he said via instant message. "It's a dumb idea."
http://www.pcworld.com/businesscenter/article/145148/security_vendors_slam_defcon_virus_contest.html

One would think that the AV vendors would welcome such a challenge in order to prove how effective their products are.
Sounds to me like they have something to hide.
Regards,
Mike
For those who don't recognise who I am, I'm the "BOClean Dewd" ... heh. Curious that they printed Fergie's comments ... Fergie's a real good guy. Melih asked me if I wanted to go out and play, and I explained to him that I'd done "defcon" before in the "old days" when it was single-digit and wouldn't ya know it? My badge came up most often in the "spot the fed" contest.

Defcon, for those who've never done it USED to be almost interesting for a few moments here and there, but over the years has descended into a combination of the worst StarTrek convention you can imagine as well as "exhibitors" ... in almost every sense of that word. And at least at StarTrek conventions, there be wimmens! Heh. Held in some of the qwappiest hotels in Lost Wages (because the "good hotels" didn't want a bunch of geeks with tesla coils breaking their slot machines) and literally one of those "you cannot sleep because nobody goes to bed or takes a bath the whole time" kinda deals. I *did* however express a willingness to Melih that if he wanted to send one or more of our "lab guys" to go out and play this insipid game, I'd be willing to sign off on it as a matter of "told ya!" points, but don't be surprised if they QUIT. (grin)
That all said, and not speaking OFFICIALLY on behalf of COMODO, I think *our* mindset towards this is a little bit different from the other vendors in that *I* think it'll be a huge waste of time on the part of the participants owing to how this little game is designed. I'm kind of surprised that the rest of the "security community" would be so upset by it all. Then again, I actually took this seriously enough to study the "rules," the "environment" and what was expected. I think they got in trouble for making part of the rules as "we'll only notify the AV's if you let us." Typical "l33t" defcon. Been there, done that, didn't play the slots.
What the rules are is that they'll hand you malcode, you can HEX EDIT it and then submit what you hexed to see which AV's and other proggies detect it and don't ... but the RULES also state that the hex-edited malware must remain functional and you can only modify strings pretty much. And in the end, the malcode must still work. You don't get "source code" to roll your own or recompile in something else, so what you're stuck doing is hexing or repacking the code with another packer or group of packers. In the end, I don't see a lot of success amongst the contestants aside from picking off the "low hanging fruit."
In the BOClean realm, we first saw all of this "technique" back in 2003 when used against BOClean by a German "analyst" of various security products, part of "marketing" by others in the business. At that time, we changed from using easily guessed "string" signatures as well as hiding our databases in memory so that they could not be "read and then defeated" by the simple act of looking. This particular game is going to depend on the visibility of database information in the various security products and again, I see this as not going to be as effective as the participants plan. I think most of the AV's and other security products will do a lot better than expected.
The trick of "hex editing" though has been around for a long time and most "signatures" where that is the SOLE means of detection have moved away from looking at mutexes and the other commonly-used tricks and more towards actual code sections. Muck with those, and the malware won't work any longer. I don't quite get why all the ruckus over this particular "Picard vs. Kirk" circle- ... uhhhhh ... thingy.

But defcon? ... heh. Got better. No thanks.
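The string-signature versus code-section point made in the post above, as an added toy model in Python (not code from the thread, from Comodo or from BOClean); every byte, offset, signature and name below is constructed for the illustration.

```python
# Added illustration, not code from the thread or from any AV product: a toy
# model of why a signature keyed on a string falls to the contest's
# "hex edit it, keep it functional" rule while one keyed on the code
# section does not. Every byte and name below is constructed.

# Layout of the constructed sample:
#   0..3   fake header
#   4..9   "code" routine A
#   10     push opcode, then a 14-byte NUL-terminated string at 11..24
#   25..30 "code" routine B
ORIGINAL = (
    b"MZ\x90\x00"
    + b"\x55\x8b\xec\x83\xec\x10"
    + b"\x68" + b"EvilMutex2008\x00"
    + b"\xff\x15\x00\x10\x40\x00"
)
CODE_RANGES = [(4, 10), (25, 31)]       # the bytes that do the work
SIG_STRING = b"EvilMutex2008"           # easily guessed string signature
SIG_CODE = b"\x55\x8b\xec\x83\xec\x10"  # signature on routine A's bytes


def detect(sample: bytes, signature: bytes) -> bool:
    """Simplest byte signature: substring match."""
    return signature in sample


def still_functional(sample: bytes) -> bool:
    """Crude stand-in for the rule that the edited sample must still run:
    same size, and every code range byte-identical to the original."""
    return len(sample) == len(ORIGINAL) and all(
        sample[a:b] == ORIGINAL[a:b] for a, b in CODE_RANGES
    )


def hex_edit(sample: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Overwrite bytes in place, as a hex editor would (no length change)."""
    return sample[:offset] + new_bytes + sample[offset + len(new_bytes):]


def report(sample: bytes) -> dict:
    """What a defender wants to know about a mutated sample: which
    signature types still fire, and whether the edit kept it working."""
    return {
        "string_sig": detect(sample, SIG_STRING),
        "code_sig": detect(sample, SIG_CODE),
        "functional": still_functional(sample),
    }


# Permitted edit: string changed, code untouched -> string sig lost, code sig kept.
STRING_EDITED = hex_edit(ORIGINAL, 11, b"NiceMutex2008")
# Edit that dodges the code signature -> fails the "must still work" rule.
CODE_EDITED = hex_edit(ORIGINAL, 4, b"\x90\x90\x90\x90\x90\x90")
```

The point for a vendor is the middle row: a signature on the mutable string is gone after a length-preserving edit, while the code-section signature survives every edit that leaves the sample functional.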
