Friday, May 02, 2008

Testing Signature-based Antivirus Products Contest

This is both interesting, yet irrelevant and outdated as well :

"The Race to Zero contest is being held during Defcon 16 at the Riviera Hotel in Las Vegas, 8-10 August 2008. The event involves contestants being given a sample set of viruses and malcode to modify and upload through the contest portal. The portal passes the modified samples through a number of antivirus engines and determines if the sample is a known threat. The first team or individual to pass their sample past all antivirus engines undetected wins that round. Each round increases in complexity as the contest progresses."

What are the reactions of security vendors, AVs in particular? The best remark - "Security vendors began panning it immediately, saying it will simply help the bad guys learn some new tricks."

The bad guys will learn new tricks from the good guys modifying binaries to prove that anti virus signature scanning isn't working? There's no shortage of creativity and innovation on behalf of malware authors, and in reality,the good guys are supposed to learn from the bad guys in the sense of the techniques, tools and tactics they use to achieve such a high-level degree of now automated polymorphism. Moreover, the only thing the bad guys can learn from the good guys are the techniques the good guys use to make the bad guys' living a pain, in fact obtain the tools and see their malware through the eyes of a good guy.

Moreover, as I've already pointed out in a previous post, undetected malware or malware with the lowest possible detection rate is no longer created, it's being generated thanks to :

"DIY nature of malware building, the managed undetected binaries as a service coming with the purchase of proprietary malware tools, the fact that malware is tested against all the anti virus vendors and the most popular personal firewalls before it starts participating in a campaign, and is also getting benchmarked and optimized against the objectives set for its lifecycle."

Nowadays, even a script kiddies' favorite Remote Administration Tool is empowered with such advanced point'n'click DIY type of features such as anti-sandboxing and anti-reverse engineering, either through the use of built-in such features, or outsourcing the process to someone who's excelling at the process. Undetected malware isn't just coming as a product these days, it's also getting pitched as a managed service on a per obfuscated binary basis.

Thankfully, signature based malware scanning is slowly becoming just one of the many other alternative malware and behaviour detection approaches available within antivirus solutions these days, given the possibilities for artificially messing up the industry's count for malware variants.