Tuesday, April 29, 2008

Antivirus Vendors Pan Free Research From DefCon Contest

Via arstechnica.com -

A new contest focused on testing antivirus and malware software has been announced for the DefCon hacker conference in August. Antivirus vendors are crying foul, but they could very well be ignoring one of the best opportunities to improve their own products.

Called "The Race to Zero," this sideline contest provides hackers with samples of virus and malware code. The challenge is to modify the code in such a way that it can successfully circumvent antivirus products running at a central portal at the conference.

The Race to Zero web site explains that the goal is not to crowdsource new viruses, saying, "Not all antivirus is equal, some products are far easier to circumvent than others. Poorly performing antivirus vendors should be called out." The site also states that modified samples will not be released into the wild and that a key element of the contest's big picture is that "you need to look at controlling your endpoint devices with patching, firewalling and sound security policies to remain virus free."

Race to Zero will award the overall winning team or individual for successful code that passes through the AV products in each round. In addition, other awards will be given for things like "most elegant obfuscation," "dirtiest hack of an obfuscation," "comedy value," and "most deserving of beer." Details have not been released as to what each of these awards will be (though beer appears to be involved).

Obviously, virus and malware authors don't need a conference to collaborate on attacking AV products, but that isn't stopping the vendors from slamming Race to Zero. "[The contest] will do more harm than good," TrendMicro's Paul Ferguson told Network World. "Responsible disclosure is one thing, but now actually encouraging people to do this as a contest is a little over the top."

Roger Thompson, chief research officer at AVG Technologies, says vendors are already processing 30,000 code samples each day. "It's hard to see an upside for encouraging people to write more viruses."

On the other side of this coin, however, is a mountain of criticism against AV vendors that their products are falling behind in the use of emerging techniques and technologies. As malware organizations adopt Software as a Service business models, statements on the Race to Zero web site that "signature-based antivirus is dead" and "people need to look to heuristic, statistical and behaviour-based techniques to identify emerging threats" echo a growing dissatisfaction with the AV industry.

Instead of trying to deride Race to Zero, the AV industry could have a chance at working with the contest to harness what, in reality, could turn out to be some of the best research available on new malicious techniques. "You get what you pay for," as the old saying goes, but in the case of Race to Zero, the AV industry could be passing up a veritable gold mine of free ideas on how to better fight new threats.

------------------------------------------

Fergie is a long time friend and I hold him in great respect, but personally I feel that people need to be shown what AV really is... just another tool.

Tons of people still think that running AV is grand protection from everything, but this just isn't true. AV provides solid protection from known threats, but new emerging threats from a targeted attack are rarely stopped. The information is out there... for all to see.

Like it or not, showing people the truth is the essence of Defcon.

Do you think lock makers love the lockpick village? Of course not.

Should we not highlight the flaws in those silly RFID chips that the government wants to stick in everything? Of course we should.

Locks and RFID cards offer a layer of protection as well.

But in the end, they are just another tool.
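The Race to Zero premise (edit a known sample until the scanner stops matching it) and the "signature-based antivirus is dead" line are easy to see in miniature. The following is an added example written for this post, not code from Ars Technica, from the contest, or from any AV vendor. Everything in it is constructed: the "payload" is a harmless byte string, the signature name `Toy.Marker.A`, the marker `EVIL_PAYLOAD_MARKER_v1` and the packer header `XORSTUB1` are all made up for illustration. It shows a static signature scanner, the kind of trivial XOR "obfuscation" a contestant might apply, a heuristic layer that unpacks before matching (plus a byte-entropy score as the statistical hint), and the caveat that a one-token edit to the sample defeats anything that still keys on bytes.

```python
"""Toy signature vs. heuristic scanning (constructed example, not real malware)."""
import math
from collections import Counter

# Constructed stand-in for a "known sample": padding around a marker string.
# Nothing here executes; it only exists so a signature has something to match.
PAYLOAD = b"\x90" * 16 + b"EVIL_PAYLOAD_MARKER_v1" + b"\x00" * 16

# Hypothetical signature database: exact byte patterns lifted from known samples.
SIGNATURES = {"Toy.Marker.A": b"EVIL_PAYLOAD_MARKER_v1"}

# Hypothetical packer header so the unpacking layer can recognise its own stub.
STUB_MAGIC = b"XORSTUB1"


def signature_scan(data):
    """Static, signature-based detection: substring search over bytes on disk."""
    return sorted(name for name, pat in SIGNATURES.items() if pat in data)


def pack(payload, key):
    """The contestant's 'obfuscation': rolling single-byte XOR (key + offset).
    Output layout is header + key byte + encoded payload."""
    enc = bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(payload))
    return STUB_MAGIC + bytes([key]) + enc


def emulate(sample):
    """Models a behaviour/emulation layer: 'run' the stub far enough to unpack
    and return the in-memory image that would actually execute."""
    if not sample.startswith(STUB_MAGIC):
        return sample
    key = sample[len(STUB_MAGIC)]
    enc = sample[len(STUB_MAGIC) + 1:]
    return bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(enc))


def entropy(data):
    """Shannon entropy in bits per byte. Packed or encrypted bodies sit well
    above plain code and strings; a cheap statistical 'looks packed' hint."""
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def heuristic_scan(sample):
    """Heuristic detection: match the bytes as stored AND the bytes after
    unpacking, so a trivial packer alone no longer hides a known sample."""
    hits = set(signature_scan(sample))
    hits.update(signature_scan(emulate(sample)))
    return sorted(hits)


# Constructed inputs for the demonstration below.
PACKED_SAMPLE = pack(PAYLOAD, 0x5A)
# The Race to Zero move: edit the sample itself, not just wrap it.
MUTATED_PAYLOAD = PAYLOAD.replace(b"_v1", b"_v2")


if __name__ == "__main__":
    print("plain   / signature:", signature_scan(PAYLOAD))
    print("packed  / signature:", signature_scan(PACKED_SAMPLE))
    print("packed  / heuristic:", heuristic_scan(PACKED_SAMPLE))
    print("entropy plain %.2f, packed %.2f" % (entropy(PAYLOAD), entropy(PACKED_SAMPLE)))
    print("mutated / heuristic:", heuristic_scan(pack(MUTATED_PAYLOAD, 7)))
```

The packed sample slips past `signature_scan` but not `heuristic_scan`, and its entropy jumps, which is why real products treat "high-entropy body with a recognisable stub" as suspicious on its own. The last line is the caveat: change three bytes of the marker and both scanners go quiet, because both still match on bytes. That is the gap the contest pokes at, and it is why the behaviour-based techniques the article mentions watch what a sample does when it runs rather than what it looks like on disk.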
