Race to Zero - who needs it?

Race to Zero, and how current AVs are inadequate to be your first line of defense in the fight against malware!

You wouldn’t carry 1980s cell phones around with you, but you still use 1980s technology to protect you?! Funny huh!


Not nearly as funny as the response from the AV community:

The contest was announced Friday. Security vendors began panning it immediately, saying it will simply help the bad guys learn some new tricks.

“It will do more harm than good,” said Paul Ferguson, a researcher with antivirus vendor TrendMicro. “Responsible disclosure is one thing, but now actually encouraging people to do this as a contest is a little over the top.”

Some compared the contest to a controversial 2006 Consumer Reports review of antivirus software. In that article, the magazine created 5,500 new virus samples, based on existing malware, and was roundly criticized by antivirus vendors for contributing to the rapidly expanding list of known malware.

Security companies are already having a hard time keeping up with the torrent of new malware.

With antivirus vendors already processing some 30,000 samples each day, there’s no need for any more samples, said Roger Thompson, chief research officer with antivirus vendor AVG Technologies. “It’s hard to see an upside for encouraging people to write more viruses,” he said via instant message. “It’s a dumb idea.”


One would think that the AV vendors would welcome such a challenge in order to prove how effective their products are.

Sounds to me like they have something to hide.


For those who don’t recognise who I am, I’m the “BOClean Dewd” … heh. Curious that they printed Fergie’s comments … Fergie’s a real good guy. Melih asked me if I wanted to go out and play, and I explained to him that I’d done “defcon” before in the “old days” when it was single-digit and wouldn’t ya know it? My badge came up most often in the “spot the fed” contest.

Defcon, for those who’ve never done it, USED to be almost interesting for a few moments here and there, but over the years has descended into a combination of the worst Star Trek convention you can imagine as well as “exhibitors” … in almost every sense of that word. And at least at Star Trek conventions, there be wimmens! Heh. Held in some of the qwappiest hotels in Lost Wages (because the “good hotels” didn’t want a bunch of geeks with tesla coils breaking their slot machines) and literally one of those “you cannot sleep because nobody goes to bed or takes a bath the whole time” kinda deals. I did however express a willingness to Melih that if he wanted to send one or more of our “lab guys” to go out and play this insipid game, I’d be willing to sign off on it as a matter of “told ya!” points, but don’t be surprised if they QUIT. (grin)

That all said, and not speaking OFFICIALLY on behalf of COMODO, I think our mindset towards this is a little bit different from the other vendors in that I think it’ll be a huge waste of time on the part of the participants owing to how this little game is designed. I’m kind of surprised that the rest of the “security community” would be so upset by it all. Then again, I actually took this seriously enough to study the “rules,” the “environment” and what was expected. I think they got in trouble for making part of the rules as “we’ll only notify the AVs if you let us.” Typical “l33t” defcon. Been there, done that, didn’t play the slots.

What the rules are is that they’ll hand you malcode, you can HEX EDIT it and then submit what you hexed to see which AVs and other proggies detect it and don’t … but the RULES also state that the hex-edited malware must remain functional and you can only modify strings pretty much. And in the end, the malcode must still work. You don’t get “source code” to roll your own or recompile in something else, so what you’re stuck doing is hexing or repacking the code with another packer or group of packers. In the end, I don’t see a lot of success amongst the contestants aside from picking off the “low hanging fruit.”

In the BOClean realm, we first saw all of this “technique” back in 2003 when used against BOClean by a German “analyst” of various security products, part of “marketing” by others in the business. At that time, we changed from using easily guessed “string” signatures as well as hiding our databases in memory so that they could not be “read and then defeated” by the simple act of looking. This particular game is going to depend on the visibility of database information in the various security products and again, I see this as not going to be as effective as the participants plan. I think most of the AVs and other security products will do a lot better than expected.

The trick of “hex editing” though has been around for a long time and most “signatures” where that is the SOLE means of detection have moved away from looking at mutexes and the other commonly-used tricks and more towards actual code sections. Muck with those, and the malware won’t work any longer. I don’t quite get why all the ruckus over this particular “Picard vs. Kirk” circle- … uhhhhh … thingy.

But defcon? … heh. Got better. No thanks.
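As an added illustration (my own toy code, not BOClean’s and not anything posted in this thread) of the two signature styles contrasted above, a plain string signature versus a code-section signature with wildcards, plus a hashed database entry in the spirit of not letting the patterns be “read and then defeated”: every byte, name and pattern below is constructed.

```python
import hashlib
import re

# Constructed toy "binary": a pretend code section (x86-looking bytes) followed
# by a data section holding a mutex name. Nothing here is real malware.
CODE = bytes([0x55, 0x8B, 0xEC, 0x68, 0x10, 0x20, 0x40, 0x00,
              0xE8, 0xAA, 0xBB, 0xCC, 0xDD, 0x5D, 0xC3])
SAMPLE = CODE + b"\x00EvilMutex_v1\x00"
# Regression input for the signature set: same code bytes, mutex name edited.
EDITED = SAMPLE.replace(b"EvilMutex_v1", b"HelloMutex_1")

# Style 1: plain string signature on the mutex name (the "easily guessed" kind).
STRING_SIGS = {"family_x_string": b"EvilMutex_v1"}
# Style 2: code-section signature; '??' wildcards cover operands that vary
# between builds (the push immediate and the call displacement).
CODE_SIGS = {"family_x_code": "55 8B EC 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5D C3"}

def compile_code_sig(pattern: str) -> re.Pattern:
    """Turn an 'AA BB ?? CC' pattern into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def scan(sample: bytes) -> set:
    """Names of all signatures (both styles) that hit on the sample."""
    hits = {n for n, s in STRING_SIGS.items() if s in sample}
    hits |= {n for n, p in CODE_SIGS.items() if compile_code_sig(p).search(sample)}
    return hits

def hashed_entry(pattern: str) -> tuple:
    """Store only (length, fixed offsets, sha256 of fixed bytes): dumping the
    database then does not reveal the byte sequence it looks for."""
    toks = pattern.split()
    fixed = tuple(i for i, t in enumerate(toks) if t != "??")
    raw = bytes(int(toks[i], 16) for i in fixed)
    return (len(toks), fixed, hashlib.sha256(raw).hexdigest())

HASHED_DB = {name: hashed_entry(p) for name, p in CODE_SIGS.items()}

def scan_hashed(sample: bytes) -> set:
    """Slide a window over the sample, hashing only the fixed positions."""
    hits = set()
    for name, (n, fixed, digest) in HASHED_DB.items():
        for off in range(len(sample) - n + 1):
            window = sample[off:off + n]
            if hashlib.sha256(bytes(window[i] for i in fixed)).hexdigest() == digest:
                hits.add(name)
                break
    return hits
```

Running `scan` on `SAMPLE` fires both signatures, while on `EDITED` only the code-section one survives; `scan_hashed` gives the same code hit without the database ever holding the pattern bytes in the clear.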

You might be interested to know that CBC - Search Engine, a Canadian public radio show dealing with the impact of the internet on our daily lives, is taking a look at Defcon’s Race to Zero this week.

We’re talking to hacker and security expert extraordinaire Dan Kaminsky about the race: exploring why hackers are excited about it, and whether big business has anything to worry about. You can either check us out online at www.cbc.ca/searchengine or download the podcast by going to www.cbc.ca/podcasting and clicking on Search Engine.

Heh. Thanks MUCH for the Dan Kaminsky piece! I’ve always gotten a kick out of his laid-back style … reminds me of myself about 20 years ago.

I’m also amused that it’s going to be at the Riviera this year … tells me the Riviera is the next project for “Controlled Demolition” somewhere around September or October since “there be hackerz” there in August. Heh. Did defcons, saw the lay of the land and waking up in a fog every morning and not remembering a darned thing of any of the trips after getting home. Heh. Defcon CAN be fun, don’t get me wrong … but the TRUE “perps” won’t be there, only the kibitzers and vendors. I’d spot more useful stuff in some of the “security forums” … or my own email. (grin)

I also looked over the details of the “race,” and all I came away from it with is “OK, kegger” … I already possess a “masters degree in projectile vomiting from the 6th floor of a hotel terrace into a parking lot whilst missing every parked car” from 20+ years ago. Keggers just don’t do it for me anymore. Heh. Hexing already compiled code is what the 13 year olds consider “l33t” but the folks HE’S talking about do their tricks with SOURCE which they exchange (usually for cash) … fact is, it’s no longer “I’m OLD enough to get into a casino now” … it’s commercial crime syndicates with real money and real coders that are the danger these days. And governments looking to set up for that “cyber war” we hear so much about (as laughed at by the host on CBC). He’s right in that a catastrophe from too many PR releases hasn’t happened, but the risk itself is for real were it not for the continuing efforts of that same “security industry.” But THESE kids are not going to be the cause. Nor will much useful information be shared other than the usual pathetic sources of “ain’t I kewl?” (yawn)

This particular little “dog and pony show” is little more than that in the scheme of things. A sideshow. I’m CERTAIN that they can break things … hell … for every other line of code I write, I can break everything given that I know how it’s wired and can recompile it to bite a bag. The real problem is that there’s plenty of code out there that was deliberately written to be broken, if not today, perhaps it’s a “sleeper cell” … and there’s the REAL issue.

I’d actually get a KICK out of doing another Defcon if COMODO will pick up my BAR TAB (but they won’t, heh - some contractual thing about no booze or drugs or hookers) … but as to anything useful, nope … ain’t worth the trip. I suspect that folks would much rather we COMODO folk be “on the job and receiving” (I know a few folks that are going, and they’ll report back anything “interesting”) and DOING what we do, rather than pumping a keg on a waterbed. Though I must admit, if there weren’t REAL work to do, nothing wrong with that.

But Defcon? Definitely a party … not much real use beyond that …

I wouldn’t mind watching you there.