Race To Zero: It’s Not A Contest, It’s A Protest

Dave G. | May 5th, 2008 | Filed Under: Industry Punditry

Race To Zero is an event that pits hacker-types against an array of AV products. Unofficially hosted at DEFCON this year, it has already sparked the ire of the AV community. This makes sense as we all know that there is little they can do to stop researchers from writing malware that will be undetectable (until their next update). From their perspective, it is a waste of time. And that is somewhat true. Especially their time.

This type of event, along with the Consumer Reports test of 2006, runs the risk of wasting the AV community’s time. Which, if we all recall, had no negative impact on society (or even AV vendors). Even still, I acknowledge it is a pain in the ass for them. A combination of bad press, plus a bunch of really crappy malware samples that have to be documented, analyzed, detected and removed even though they will most likely never, ever impact a person outside of a lab environment.

The idea that the AV companies are getting free research is pretty ludicrous. All that happens is that they will have to analyze each of these modified viruses to figure out how to detect them. It is just another day at the office.

Which gets to the heart of the matter:

This contest isn’t a contest. This contest is a protest. It is a protest against the fact that there is simply not enough innovation in the anti-malware space. The problem is getting worse and all of the solutions appear to come from the same tunnel-vision line of thought. The vendors that do this have successful businesses that run just fine. New malware will get fixed with the same old solution.

The take-away isn’t going to be research that will help the AV industry to see emerging techniques. It will be that there has to be another way. Events like this should inspire someone fresh to come in and build a better mousetrap, and build the next MFE or SYMC.

14 Comments so far

  • John Fsck

    May 5th, 2008 9:26 pm

    You have summed up this issue precisely.
    Blacklisting sucks. I have however seen some vendors come out and claim a stronger emphasis on heuristic based anti malware measures.

    I think at present AV sucks but it’s the best we have.

  • PaulM

    May 5th, 2008 9:29 pm

    We don’t need another SYMC or MFE. For the past 5 years, they’ve acquired products outside of AV to insulate themselves from Microsoft and now from the seemingly inescapable realization that the *best* AV scanner has about a 60% prevention rate in production. They know the AV scanner as we know it today is doomed. They don’t need to go to Defcon to learn that.

    For that matter, neither do I, but I still think it’s a cool competition.

  • tadda

    May 6th, 2008 9:54 am

    Oh hell yes.

    Please someone with more coding talent than I step up and shake up this space.

    The success of botnets is proof that existing AV/IDS/IPS is not cutting the proverbial mustard.

  • 2LoveBadAV

    May 6th, 2008 2:17 pm

    I left M$ and my MCSE, and went to *BSD, which I had been just reading about, when I audited how bad AV had been, and is for M$. I tried some old bad stuff, went through, found a few attacks on AV, and how badly they install and leave you open.
    What really buzzed my prop head was how flagrantly they leave bad heuristics, of allowing some rogue behavior to just pass. F this, I said!
    Happy to have moved on big time! Thank you AV, saved me a few years to get the right path!

    AV is such a bad dependency upon M$.
    And I sure do NOT trust or use some other OSS AV either…

    AV is such a gateway drug. “Our policy is that you must use a on our secure network of secure computers, protected by AV.” GRR. Have it all ways, back stabbing, tape cutting sideways, B-crats!

    Good website, nice FRESH perspectives.

  • Dave G.

    May 6th, 2008 2:50 pm

    @PaulM:

    I meant in terms of success, not how successful their programs are. I’d love to be wrong, but I don’t think it is going to be that interesting a competition. Not that it would change my stance, but I would love to see a contest where malware samples are sent to each AV vendor, and see who can bang out signatures the fastest.

  • John Fsck

    May 6th, 2008 7:37 pm

    Where this competition would be interesting is if it was a test of AV product / behavioural HIPS/AV behaviour at detecting unknown samples. The entire approach of “send us the sample that owned you, we will make sure it doesn’t happen again, or at least until the sample is repacked, then send it to us again”.

  • Dominic White

    May 7th, 2008 1:20 am

    Was at a conference yesterday where Eugene Kaspersky spoke. He was adamant that blacklisting sucked and heuristics is the way forward. But I don’t see it happening. All the AV vendors are now beating the heuristics drum, but the tech isn’t there.

  • Paco

    May 7th, 2008 4:16 pm

    The malware/trojan/virus vs. AV battle is a cat-and-mouse game that’s been going on for 20 years. Anyone who participates in this contest is only helping the AV vendors get rich by doing their monotonous “reverse engineering” dirty work for them. Just to prove to myself how absolutely shitty the *latest* McAfee is, I downloaded Exploit.Win32.WS_FTP from VX heavens, and ASPacked it. Try it for yourself, I won’t belabor the point. It executes fine when ASPacked and is detected when not packed. I’m sure you can get similar results with UPX or any of the other 20+ binary packers available. Patching binaries to evade signature-based AV engines is not reverse engineering. This is elementary to any real-world malware coder. Hey! I have an idea for a REAL contest: Take all the AV software, have people write *brand new* trojans and malware, and see if the AV engines recognize any of them! I might actually watch that instead of the girls in the pool at the Hard Rock or the pr0n on my TV at Caesars.

  • CBCSearchEngine

    May 8th, 2008 11:24 am

    You might be interested to know that CBC - Search Engine, a Canadian public radio show dealing with the impact of the internet on our daily lives, is taking a look at Defcon’s Race to Zero this week.

    We’re talking to hacker and security expert extraordinaire Dan Kaminsky about the race: exploring why hackers are excited about it, and whether big business has anything to worry about. You can either check us out online at http://www.cbc.ca/searchengine or download the podcast by going to http://www.cbc.ca/podcasting and clicking on Search Engine.

  • PaulM

    May 9th, 2008 2:31 pm

    @ DaveG:

    A contest to see which AV research team can bang out signatures fastest? That’s even more useless. The problem with the AV industry is that they still use that model, and now the malware pushers can repack their binaries and re-obfuscate their JavaScript without rewriting a single line of code, FTW.

    Maybe the competition should be to develop a tuning paradigm and a management interface for white-listing software. Then Dan Kaminsky’s grandma (she’ll already be there) can judge which one is easiest to use.

  • bw

    May 10th, 2008 9:36 am

    av industry is afraid because they can only detect malware written by their own developers :), give them something more complex and they’re getting mad as hell

    I’m doing software protections and I had and still have so many troubles with AV software (just because they can’t bypass the protection layer). I really wish there was progress in AV software.

  • ac

    May 17th, 2008 4:22 am

    What kind of progress from the AV industry would stop users from being socially engineered into downloading and running a trojan? I can’t imagine such.

    The real solution comes in three parts:

    a) user education

    b) program isolation/sandboxing by default if the system is configured as the main box/OS and not some virtual machine; AV vendors/Microsoft could then whitelist programs on the main box.

    c) low level revamp. Move to newer OS architecture and also away from languages that were made with the assumption that the programmer knows both the language and the system as well as the language and system designer. Programmers don’t need low level memory control outside kernel and in many cases not in the kernel either (see Singularity kernel). Write everything in high level until you face a piece where you absolutely need low level control.

  • ac

    May 17th, 2008 4:29 am

    I’ll elaborate on low level revamp: Besides just isolation for programs by default, there needs to be a trust chain from the program to the network and so on. Absolutely no way for programs to come in and hook anything. Updates to programs need to begin by the program being updated initiating the update procedure - you wouldn’t trust a random 3rd party to replace/update your brain, would you? That’s how things work today: anyone can come with privs and replace files etc.

  • jim

    May 17th, 2008 4:38 pm

    “We’re talking to hacker and security expert extraordinaire Dan Kaminsky”

    HAHAHAHAHAHAHAHAHAHA

    That’s the funniest thing I have read all week. Maybe he should spend more time on his books and less time going for headlines (see his new IDA book for proof of his general uselessness and lack of *real* talent). Why do people still give this attention whore time?
